
The most fundamental building block of a basic network is the network connection, which can be wired or wireless. Wired connections use physical cables to connect devices, while wireless connections use radio waves to connect devices.
Another important component of a basic network is the network protocol, a set of rules that governs how devices communicate with each other. The most widely used family of protocols is TCP/IP (Transmission Control Protocol/Internet Protocol), the suite that connects devices to the Internet.
A basic network also often includes network services and servers, such as file servers, print servers, and email servers, that provide shared resources and services to the devices on the network.
🗼 I. Types of Networks
I.1. Local Area Network (LAN)
A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single server or a small set of servers within a small geographic area (for example, within an office building). LANs are typically used for single sites where people need to share resources and information.
A LAN typically includes a group of interconnected devices such as computers, servers, printers, and routers that are connected to a shared medium such as a wired or wireless network. LANs can be connected to other LANs or to a wide area network (WAN) to form an enterprise network.
A LAN allows devices to communicate and share resources such as files, printers, and an Internet connection. This improves productivity and allows for the sharing of information.
The most common type of LAN is an Ethernet LAN, which uses wired Ethernet connections between devices. Another common type is the wireless LAN (WLAN), which connects devices over radio waves.
Video: What is a Local Area Network?
I.1.a. Types of LAN
There are several types of local area networks (LANs) that are commonly used, each with their own advantages and disadvantages:
Ethernet: The most common type of LAN, Ethernet networks use a wired connection and can support high-speed data transfer. Ethernet networks use a variety of cabling options, including twisted pair and fiber optic cables.
Token ring: A legacy LAN type (IEEE 802.5) that uses a token-passing method for data transfer. A token (a special frame) circulates around the ring, and only the station holding the token may transmit. It has been almost entirely displaced by switched Ethernet.
FDDI: Fiber Distributed Data Interface (FDDI) is a standard for data transmission on fiber optic lines in a LAN that can extend in range up to 200 km (124 miles).
Wireless LAN (WLAN): A wireless LAN uses radio waves to transmit data between devices, eliminating the need for physical cables. WLANs use the IEEE 802.11 family of standards, which includes amendments such as 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, and 802.11ax (Wi-Fi 6). Because the medium is shared and reaches beyond the building, WLAN traffic must be protected with WPA2 or WPA3 rather than left open.
Bluetooth: Bluetooth is a short-range wireless technology that allows devices to communicate using radio waves. Strictly it forms a personal area network (PAN) rather than a LAN, but it is commonly listed alongside LAN technologies; it is typically used for connecting peripherals such as keyboards, mice, and headphones to a computer.
Powerline: Powerline networks use the electrical wiring in a building to transmit data, allowing devices to connect to the network through a power outlet.
HomePNA: Home Phone Networking Alliance (HomePNA) is a standard for networking over existing telephone lines.
Zigbee: Zigbee is a low-power wireless mesh protocol built on IEEE 802.15.4, used primarily in building automation, industrial control, and medical device networks.
Each of these types of LANs has its own unique set of features, capabilities, and limitations, and the best choice will depend on the specific needs of the organization and the environment in which the LAN will be deployed.
I.2. WAN (Wide Area Network)
WAN (Wide Area Network) is a type of computer network that spans a large geographical area, such as a city, a country, or even the world. WANs connect computers, servers, and other devices over long distances using high-speed communication links, such as leased lines, satellite links, or public communication networks, such as the internet.
I.2.a. Types of WAN
Circuit-switched WAN: uses dedicated connections for each transmission.
Packet-switched WAN: breaks data into packets and routes them to the destination.
Cellular WAN: uses cellular data networks for wide area connectivity.
MPLS (Multiprotocol Label Switching) WAN: uses labels to route data and prioritize traffic.
Satellite WAN: uses satellites for wide area connectivity.
I.3. MAN (Metropolitan Area Network)
A Metropolitan Area Network (MAN) is a computer network that spans a metropolitan area and interconnects several LANs (Local Area Networks) within a city. A MAN is typically larger than a LAN and smaller than a WAN (Wide Area Network). It is used to connect users within a specific geographic area, such as a city or university campus. A MAN often uses high-speed fiber-optic or microwave transmission technology to provide high-bandwidth connectivity between different LANs.
I.3.a. Types of MAN
SMAN (Switched Metropolitan Area Network): a high-speed network that provides dedicated connections between various sites within a metropolitan area.
DMAN (Distributed Metropolitan Area Network): a network that interconnects several LANs over a metropolitan area and provides connectivity between LANs.
I.4. SAN (Storage Area Network)
SAN (Storage Area Network) is a specialized, high-speed network that provides block-level access to data storage. It connects storage devices with servers in a single data center or across multiple locations, creating a dedicated and isolated network for storage traffic. SANs use Fibre Channel or iSCSI protocols to deliver high-speed data transfer and improve storage performance, security, and scalability.
I.4.a. Types of SAN
Fibre Channel SAN: It uses Fibre Channel technology and dedicated optical fibers to provide fast and secure data transfer between storage devices and servers.
iSCSI SAN: It uses Internet Protocol (IP) and SCSI commands to transfer data over Ethernet networks.
FCoE (Fibre Channel over Ethernet) SAN: It combines Fibre Channel and Ethernet technologies to provide a unified data storage network.
NAS (Network Attached Storage): Often listed with SANs but technically different. NAS serves files over Ethernet using file-level protocols such as NFS or SMB, whereas a SAN presents raw block devices. The distinction matters for access control: file permissions are enforced by the NAS itself, while a block device exposed on a SAN is only as protected as the fabric zoning or iSCSI authentication (for example CHAP) in front of it.
I.5. VPN (Virtual Private Network)
VPN (Virtual Private Network) is a technology that allows you to create a secure and encrypted connection over a public network (typically the internet) to access a private network or internal resources. It provides secure remote access to internal network resources, such as servers, databases, and applications, as if you were physically connected to the internal network.
I.5.a. Types of VPN
Site-to-Site VPN - connects two or more fixed locations to share resources
Remote Access VPN - allows a user to access the network from a remote location
Mobile VPN - provides secure access to a network for mobile devices
Intranet VPN - connects separate company locations to share resources within the company
Extranet VPN - connects separate company locations and partners to share resources
Cloud VPN - connects a company's on-premises network to its cloud network.
I.6. Internet
The Internet is a global network of interconnected computers and servers that allows the exchange of information and communication between individuals, businesses, and organizations. It was created in the late 1960s and has since grown to become one of the largest and most important technologies in the world. The Internet allows for communication, data transfer, and access to information from anywhere in the world with an Internet connection.
I.7. Intranet
An intranet is a private computer network that uses the Internet protocols and network connectivity within a company, organization, or institution. It allows organizations to securely share information and resources among employees, departments, and other affiliates. Intranets are designed to be accessible only by authorized users and can be used to support internal communication, collaboration, and knowledge management.
I.8. Cloud Computing Network
A cloud computing network is the network infrastructure used for delivering cloud computing services over the internet. It provides users access to virtualized computing resources, such as storage, processing power, and software applications, on demand. Cloud networks can be public, private, or hybrid; public clouds are operated by third-party service providers, while private clouds may be run by the organization itself.
📟 II. Internet Protocol
An Internet Protocol (IP) is a communication protocol used for connecting and transmitting data across a computer network. It is responsible for routing packets of data from one network to another and enabling communication between devices over the Internet. IP is a key component of the Internet Protocol Suite (TCP/IP) and provides a unique identifier for each device connected to the network.
II.1. Protocols in the Internet Protocol Suite
The protocols commonly grouped under the TCP/IP name are not variants of IP but layered protocols that work together:
IP (Internet Protocol): The set of rules governing the format and addressing of packets sent over the Internet. It is responsible for routing packets between networks and offers no delivery guarantee on its own.
TCP (Transmission Control Protocol): A reliable, connection-oriented transport protocol that establishes a session (the three-way handshake), retransmits lost segments, and delivers data in the correct order.
UDP (User Datagram Protocol): A connectionless transport protocol with no delivery or ordering guarantees. It is lighter than TCP and is used where low latency matters more than reliability (DNS, VoIP, streaming). Because there is no handshake, UDP source addresses are easy to spoof, which is why UDP services are a common vector for reflection and amplification DDoS.
ICMP (Internet Control Message Protocol): Carries control and error messages between devices, such as "destination unreachable" and the echo request/reply used by ping and traceroute.
ARP (Address Resolution Protocol): Maps an IP address to a link-layer (MAC) address on the local segment. ARP has no authentication, so a host on the same LAN can answer for an address it does not own (ARP spoofing), which is one way on-path (man-in-the-middle) attacks are carried out.
DNS (Domain Name System): Translates domain names into IP addresses, allowing users to reach websites and other Internet resources by name rather than by IP address. Plain DNS is unauthenticated; DNSSEC, DNS over TLS, and DNS over HTTPS address that gap.
II.2. IP Addressing
IP addressing refers to the method used to assign IP addresses to networked devices so that each can be uniquely identified and reached. Two versions of IP are in use. IPv4 uses 32-bit addresses (about 4.3 billion unique values) and is still the most widely deployed; IPv6 uses 128-bit addresses and provides a vastly larger address space, along with features such as stateless address autoconfiguration. IPv6 is gradually being adopted as the replacement for IPv4 as address exhaustion makes IPv4 addresses scarce.
IPv6 is not inherently more secure than IPv4: IPsec support is specified for it but is not enabled by default. A practical caveat is that most modern operating systems ship with IPv6 enabled, so a network whose firewall rules and monitoring only cover IPv4 can have an unmanaged IPv6 path that bypasses them.
II.3. Subnetting
Subnetting refers to dividing a network into smaller sub-networks, or subnets, each with its own address range and network parameters. It reduces broadcast traffic, makes large address spaces manageable, and creates the boundaries at which routers and firewalls can enforce access control. Subnetting on its own does not isolate traffic; the security benefit only materializes when those boundaries are filtered (see network segmentation in VI.3).
II.4. Routing
Routing is the process of directing the flow of data packets between devices on a computer network. Routers, which are networking devices, use routing algorithms to determine the best path for data packets to travel from one network to another. They use routing tables, which store information about the network topology and the best routes to different destinations, to make this decision. The goal of routing is to ensure that data packets are delivered to their intended destination in a fast and efficient manner, while minimizing the amount of network congestion and reducing the risk of data loss.
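As an added example (not part of the original page), the following Python script carves a /24 into /26 subnets with the standard ipaddress module and then performs the longest-prefix-match lookup that routers use when several routes overlap. All addresses, subnets and next hops are constructed for illustration.

```python
"""Subnetting and longest-prefix-match routing with Python's standard
ipaddress module.  Added example: the addresses, subnets and routes are
constructed for illustration, not taken from any real network."""
import ipaddress
from typing import List, Optional, Tuple


def carve_subnets(network: str, new_prefix: int) -> List[ipaddress.IPv4Network]:
    """Split one network into equal-sized subnets (e.g. a /24 into four /26s)."""
    net = ipaddress.ip_network(network, strict=True)
    return list(net.subnets(new_prefix=new_prefix))


def subnet_summary(subnet: ipaddress.IPv4Network) -> dict:
    """Usable host range, broadcast and host count, as an operator plans them."""
    hosts = list(subnet.hosts())
    return {
        "network": str(subnet),
        "netmask": str(subnet.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(subnet.broadcast_address),
        "usable_hosts": len(hosts),
    }


class RoutingTable:
    """Minimal forwarding table: (prefix, next_hop) pairs.  lookup() returns
    the most specific (longest-prefix) match, which is how routers choose
    among overlapping routes such as a /26 inside a /24 inside a default."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))
        # Most specific prefixes first, so the first hit in lookup() wins.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self._routes:
            if addr in net:
                return next_hop
        return None  # no route at all, not even a default


def build_example_table() -> RoutingTable:
    """Routes a small site router might carry (constructed values)."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "203.0.113.1")        # default route towards the ISP
    rt.add("10.0.0.0/8", "10.255.0.1")       # corporate aggregate via the WAN
    rt.add("10.1.2.0/24", "directly-connected")
    rt.add("10.1.2.64/26", "10.1.2.62")      # more specific: lab subnet behind a firewall
    return rt


if __name__ == "__main__":
    for sn in carve_subnets("10.1.2.0/24", 26):
        print(subnet_summary(sn))
    rt = build_example_table()
    for dst in ("10.1.2.70", "10.1.2.10", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
```

The lab subnet 10.1.2.64/26 lies inside the directly connected 10.1.2.0/24, so traffic to 10.1.2.70 is sent to the firewall at 10.1.2.62 rather than switched locally; that is the mechanism segmentation relies on, and a mistakenly added more-specific route is also how traffic gets silently redirected.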
🌐 III. Network Topology
Network topology refers to the physical and logical layout of the devices and connections in a computer network. It describes how the devices on the network are arranged and how they communicate with each other.
There are several different types of network topologies, including:
Bus topology: In this topology, all devices are connected to a central cable or bus, which acts as a backbone for the network. All devices can communicate with each other through this bus.
Star topology: In this topology, all devices are connected to a central hub or switch. The hub or switch acts as a central point of communication for the network.
Ring topology: In this topology, devices are connected in a circular fashion, with each device connected to two other devices. Data is passed from device to device in a circular fashion.
Mesh topology: In this topology, each device is connected to every other device in the network. This allows for multiple paths for data to travel, providing redundancy and fault tolerance.
Tree topology: In this topology, the network is arranged in a hierarchical fashion, with a central device connected to multiple other devices, which in turn can be connected to other devices.
Hybrid topology: As the name suggests, is a combination of multiple topologies, combining the advantages of different topologies.
Wireless topology: Describes how devices are arranged in a wireless network. The common forms are ad hoc (devices talk directly to each other without an access point), infrastructure (all devices associate with an access point), and wireless mesh (access points relay traffic among themselves).
The choice of topology depends on the requirement of the network and the number of devices that will be connected. For example, a bus topology is simple and easy to set up, but it can be less reliable, while a mesh topology provides multiple paths for data to travel, making it more reliable.
Video: Network Topologies (Star, Bus, Ring, Mesh, Ad hoc, Infrastructure, & Wireless Mesh Topology)
💻 IV. OSI (Open Systems Interconnection)
The OSI (Open Systems Interconnection) model is a framework for understanding how data is transmitted over a network. It is divided into seven layers, each of which serves a specific function in the process of transmitting data. The seven layers are:
Physical Layer: This layer is responsible for transmitting the raw bits of data over the network medium, such as copper or fiber-optic cable.
Data Link Layer: This layer is responsible for creating a reliable link between two directly connected devices. It adds a header and trailer to the data to create a frame, which carries the source and destination MAC addresses and a frame check sequence for error detection. Switches operate at this layer.
Network Layer: This layer is responsible for routing data between different networks. It adds a header to the data that includes the source and destination IP addresses.
Transport Layer: This layer is responsible for ensuring that data is delivered reliably and in the correct order. It adds a header to the data that includes information such as the source and destination ports, and a checksum to detect errors.
Session Layer: This layer is responsible for establishing, maintaining and synchronizing sessions between applications on different devices.
Presentation Layer: This layer is responsible for the translation and compression of the data, so that it can be understood by both the sender and receiver.
Application Layer: This layer provides network services directly to applications. It is where common application protocols such as HTTP, FTP, SMTP, DNS, and Telnet run. Note that FTP and Telnet transmit credentials in cleartext; SFTP/FTPS and SSH are their secure replacements.
Each layer of the OSI model communicates with the layer directly above and below it, and together they provide a complete framework for transmitting data over a network.
Video: How the OSI Model Works | Network Fundamentals and What is OSI Model?
🎮 V. TCP/IP (Transmission Control Protocol/Internet Protocol)
The TCP/IP (Transmission Control Protocol/Internet Protocol) model is a set of communication protocols used for connecting devices on a network. It is the most widely used network protocol in the world, and is the foundation of the internet. The TCP/IP model is divided into four layers:
Network Interface Layer: This layer is responsible for the physical and data link connections between devices on a network. It includes protocols such as Ethernet and Wi-Fi.
Internet Layer: This layer is responsible for routing data between different networks. It includes the Internet Protocol (IP), which is responsible for addressing and routing data to its destination.
Transport Layer: This layer is responsible for ensuring that data is delivered reliably and in the correct order. It includes the Transmission Control Protocol (TCP), which is responsible for creating a reliable connection between devices, and the User Datagram Protocol (UDP), which is a simpler, connectionless protocol.
Application Layer: This layer is responsible for providing a user interface and supporting services to the application. This layer includes protocols such as HTTP, FTP, SMTP, DNS, and Telnet, which are commonly used for web browsing, file transfer, email, and other internet services.
The TCP/IP model is different from the OSI model in that it is more focused on the practical implementation of network communication. The OSI model is more abstract and defines a broader set of functions that are needed for network communication. Both models are used for understanding and troubleshooting the network communication.
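The layering in sections IV and V, and the protocols listed in II.1, are easiest to see by building a packet by hand. The following Python script is an added example, not code from the original page: it encapsulates a UDP datagram in an IPv4 packet and then in an Ethernet frame, computes the IPv4 header checksum, and decodes the frame layer by layer, rejecting it if the checksum no longer verifies. The MAC addresses, IP addresses (documentation ranges) and payload are constructed.

```python
"""Encapsulation down the TCP/IP stack and decapsulation back up, with the
IPv4 header checksum computed and verified.  Added example: every address
and the payload below are constructed, not captured from a real network."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROTO_NAMES = {1: "ICMP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words.  Over a header whose
    checksum field is zero it yields the checksum; over an intact header
    that already carries its checksum it yields zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Transport layer: 8-byte UDP header; a zero checksum is permitted over IPv4.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, proto: int, transport: bytes, ttl: int = 64) -> bytes:
    # Internet layer: 20-byte header without options.
    total_len = 20 + len(transport)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, IHL 5 words
                         0,               # DSCP/ECN
                         total_len,
                         0x1234,          # identification
                         0x4000,          # flags: don't fragment, offset 0
                         ttl, proto,
                         0,               # checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + transport


def build_ethernet(src_mac: bytes, dst_mac: bytes, ethertype: int, packet: bytes) -> bytes:
    # Link layer: 14-byte Ethernet II header (destination address first on the wire).
    return dst_mac + src_mac + struct.pack("!H", ethertype) + packet


def decode_frame(frame: bytes) -> dict:
    """Peel the layers off in reverse order, as a sniffer or IDS would, and
    refuse frames whose IPv4 header checksum does not verify."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    result = {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
    }
    transport = ip[ihl:total_len]
    if proto == IPPROTO_UDP:
        src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", transport[:8])
        result.update(src_port=src_port, dst_port=dst_port, payload=transport[8:udp_len])
    return result


def frame_is_intact(frame: bytes) -> bool:
    try:
        decode_frame(frame)
        return True
    except ValueError:
        return False


def example_frame() -> bytes:
    """A constructed UDP datagram to port 53, 192.0.2.10 -> 198.51.100.53."""
    udp = build_udp(50123, 53, b"example query bytes")
    ip = build_ipv4("192.0.2.10", "198.51.100.53", IPPROTO_UDP, udp)
    return build_ethernet(bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"),
                          ETHERTYPE_IPV4, ip)


if __name__ == "__main__":
    frame = example_frame()
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decode_frame(frame))
    damaged = bytearray(frame)
    damaged[14 + 8] ^= 0x01              # flip a bit in the TTL field
    print("damaged frame intact?", frame_is_intact(bytes(damaged)))
```

Each build_* function adds exactly one layer's header and treats everything below it as opaque payload, which is the encapsulation both models describe. Note that the header checksum only detects accidental corruption; nothing in IPv4 or UDP authenticates the source address, so a spoofed packet with a correct checksum is indistinguishable from a genuine one at this layer.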
Video: TCP/IP Model (Internet Protocol Suite) and TCP IP Model Explained | TCP IP Model Animation | TCP IP Protocol Suite | TCP IP Layers | TechTerms
🔐 VI. Network Security
Network security refers to the measures taken to protect a computer network from unauthorized access, theft, and damage to its resources and components. It includes hardware, software, and policies that protect sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction. The goal of network security is to provide confidentiality, integrity, and availability of information and data within the network.
VI.1. Security Concepts
A security concept is a set of principles, guidelines, and policies that dictate how an organization should protect its assets, including its data, systems, and networks, from unauthorized access, use, disclosure, disruption, modification, or destruction. A security concept can include measures such as access controls, encryption, firewalls, and security monitoring. Its goal is to ensure the confidentiality, integrity, and availability of the organization's assets and to prevent unauthorized access to sensitive information.
Here are some key security concepts that a reviewer should be familiar with:
Confidentiality: Ensuring that sensitive information is only accessible to authorized individuals or systems.
Integrity: Ensuring that information and systems are protected from unauthorized modification or alteration.
Availability: Ensuring that systems and information are accessible to authorized individuals or systems whenever they are needed.
Authentication: Verifying the identity of an individual or system before allowing access to information or resources.
Authorization: Granting access to information or resources based on the authenticated identity and the assigned role or permissions.
Non-repudiation: Proving that a specific individual or system is responsible for a specific action.
Access control: Managing and controlling access to resources and information.
Risk management: Identifying, assessing and mitigating risks to the organization's information and assets.
Incident management: Managing and responding to security incidents in a timely and effective manner.
Compliance: Ensuring that the organization's security practices conform to legal, regulatory, and industry standards.
Encryption: Protecting data at rest or in transit by converting it into a format that is unreadable by unauthorized parties.
Network security: Implementing security measures to protect against threats targeting the organization's networks.
Endpoint security: Protecting the organization's endpoints, such as laptops and mobile devices, from threats.
Cloud security: Protecting the organization's data and applications hosted in cloud environments.
Supply Chain security: Ensuring the security of the entire supply chain of an organization, from the manufacturing of components to the delivery of products or services.
It's important to note that this list is not exhaustive and new security concepts may appear over time. Additionally, some of these concepts may overlap or be used in combination.
VI.2. Threats to Network Security
Malware: Virus, worm, Trojan, spyware, ransomware, etc.
Man-in-the-middle (MITM) attacks: eavesdropping, hijacking network traffic, etc.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks: overloading a network or server with traffic to prevent normal operation.
SQL injection: unauthorized access to and manipulation of a database by supplying input that an application concatenates into a SQL query, so that the input changes the statement's structure rather than just its values.
Phishing: tricking users into revealing sensitive information through fake emails or websites.
Buffer overflow: exploiting a software vulnerability to overwrite data in a buffer, potentially leading to arbitrary code execution.
Unsecured Wi-Fi networks: interception of sensitive information transmitted over open or weakly protected Wi-Fi networks, where an attacker within radio range can sniff or tamper with traffic.
Social engineering: using psychological manipulation to trick users into divulging confidential information.
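To make the SQL injection entry concrete, here is an added Python example (not from the original page) showing the vulnerable, string-built login query beside the parameterized fix, run against an in-memory SQLite database. The users table and credentials are constructed for illustration.

```python
"""SQL injection: vulnerable string-built query next to the parameterized
fix, against an in-memory SQLite database.  Added example; the users table
and credentials are constructed.  Passwords are stored in plaintext only to
keep the injection point visible; real systems store salted hashes."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse battery staple", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Untrusted input is pasted into the SQL text, so a quote in the input
    terminates the string literal and the rest is parsed as SQL."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterized query: the SQL text is fixed and the driver passes the
    values separately, so input can never change the statement's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Classic payloads.  The first makes the WHERE clause always true (AND binds
# tighter than OR, so the password check is bypassed); the second ends the
# username literal and comments out the rest of the statement.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "alice'--"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bad password + tautology:", login_vulnerable(conn, "alice", PAYLOAD_TAUTOLOGY))
    print("vulnerable, username comment-out:    ", login_vulnerable(conn, PAYLOAD_COMMENT, "whatever"))
    print("safe, same tautology payload:        ", login_safe(conn, "alice", PAYLOAD_TAUTOLOGY))
    print("safe, real password:                 ", login_safe(conn, "alice", "correct horse battery staple"))
```

The tautology payload logs the attacker in as the first row the database happens to return, here the admin account, without knowing any password; the parameterized version treats the same string as a literal password and finds no match. Escaping quotes by hand is not an adequate fix; bound parameters (or an ORM that uses them) are.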
VI.3. Common Network Security Measures
There are several common network security measures that organizations can implement to protect their networks and data:
Firewalls: A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on a set of security rules. It can be hardware- or software-based and is used to prevent unauthorized access to a network.
Intrusion detection and prevention systems (IDPS): An IDPS is a system that monitors network traffic for signs of malicious activity and can take action to block or alert on it.
Virtual private networks (VPNs): A VPN allows remote users to securely access a private network over the internet. It uses encryption and authentication to protect the data being transmitted.
Encryption: Encryption is the process of converting plaintext into ciphertext to protect data from unauthorized access. Common building blocks include AES (symmetric encryption) and RSA (asymmetric encryption); TLS is the protocol that combines such primitives to protect data in transit. Its predecessor SSL is deprecated and should be disabled.
Security information and event management (SIEM): SIEM systems collect and analyze security-related data from various sources such as logs, network traffic, and system status, to detect and respond to security incidents.
Anti-virus and anti-malware: Anti-virus and anti-malware software are used to detect and remove malicious software from computers and devices on a network.
Access control: Access control is the process of ensuring that only authorized users can access resources on a network. This is achieved through user accounts, passwords and multi-factor authentication, and permissions assigned on the principle of least privilege.
Network segmentation: Network segmentation is the process of dividing a network into smaller, isolated segments in order to limit the potential impact of a security incident.
Public Key Infrastructure (PKI): A system of certificate authorities, digital certificates, and public/private key pairs used to establish the authenticity of identities and secure communications. It enables secure exchange of sensitive information through encryption and digital signatures. PKI underpins TLS for secure web browsing, digital signatures for electronic documents and code, and secure email (S/MIME).
These are just a few examples of the many security measures that can be used to protect networks. It is important to use a combination of measures and tailor them to the specific needs of an organization.
VI.4. Security information and event management (SIEM)
SIEM is a security management technology that helps organizations centralize and analyze log data from various devices and applications in real-time to identify security threats, incidents and potential security breaches. SIEM technology provides real-time monitoring and alerting, incident response and reporting, and forensic analysis capabilities to help organizations detect, investigate and resolve security incidents quickly.
VI.4.a. Components of SIEM
Data Collection: Collects security-related data from multiple sources such as network devices, servers, and applications.
Data Analysis: Analyzes the collected data and detects any security threats or anomalies.
Event Correlation: Correlates the events and identifies the relationships between them.
Threat Intelligence: Uses threat intelligence data to provide context to the events and improve the accuracy of threat detection.
Alert Management: Generates alerts based on the analyzed events and categorizes them based on their severity and risk.
Incident Response: Helps to automate incident response processes by providing the necessary information and tools to respond to security incidents effectively.
Compliance Management: Supports compliance with various security regulations and standards.
Reporting and Dashboards: Provides reports and dashboards to help monitor and manage the security of the network.
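The components above fit together in a small pipeline. The following Python script is an added example, not part of the original page: it collects and parses constructed sshd log lines, correlates failed logins per source address within a sliding time window, enriches the result with a constructed threat-intelligence list, and ranks the alerts by severity. Hostnames, addresses and the rule thresholds are assumptions chosen for illustration.

```python
"""A miniature SIEM pipeline over sshd log lines: collect and parse,
correlate events per source address inside a sliding time window, enrich
with a threat-intelligence list, and rank alerts by severity.  Added example;
the log lines, hostnames and addresses are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}
KNOWN_BAD = {"203.0.113.7"}          # constructed threat-intel feed

SAMPLE_LOGS = """\
Jan 10 12:00:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jan 10 12:00:03 web1 sshd[4102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 12:00:04 web1 sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Jan 10 12:00:06 web1 sshd[4104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 12:00:08 web1 sshd[4105]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Jan 10 12:00:11 web1 sshd[4106]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
Jan 10 12:05:00 web1 sshd[4201]: Failed password for bob from 198.51.100.22 port 40000 ssh2
Jan 10 12:05:30 web1 sshd[4202]: Accepted password for bob from 198.51.100.22 port 40001 ssh2
Jan 10 12:09:00 web1 sshd[4301]: Failed password for root from 192.0.2.99 port 33000 ssh2
Jan 10 12:20:00 web1 sshd[4302]: Failed password for root from 192.0.2.99 port 33001 ssh2
Jan 10 12:40:00 web1 sshd[4303]: Failed password for root from 192.0.2.99 port 33002 ssh2
"""


def parse_line(line: str, year: int = 2024):
    """Data collection: turn one raw syslog line into a normalized event.
    Syslog omits the year, so it is supplied by the caller."""
    m = LOG_RE.match(line)
    if not m:
        return None                    # unrelated line, or a format this rule does not cover
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "ip": m["ip"]}


def correlate(events, threshold: int = 5, window_seconds: int = 60):
    """Event correlation: at least `threshold` failures from one source inside
    `window_seconds` is a brute-force attempt; a successful login from the
    same source after the burst escalates it."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["outcome"] == "Failed"]
        burst_end = None
        for i in range(len(fails) - threshold + 1):      # sliding window over failures
            if fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window:
                burst_end = fails[i + threshold - 1]["ts"]
                break
        if burst_end is None:
            continue
        success = next((e for e in evs if e["outcome"] == "Accepted" and e["ts"] >= burst_end), None)
        alert = {"ip": ip, "failures": len(fails),
                 "rule": "ssh-brute-force-success" if success else "ssh-brute-force",
                 "severity": "high" if success else "medium",
                 "user": success["user"] if success else None,
                 "threat_intel": ip in KNOWN_BAD}
        if alert["threat_intel"]:      # enrichment raises the priority
            alert["severity"] = "critical"
        alerts.append(alert)
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a["severity"]])


def run(log_text: str = SAMPLE_LOGS, **rule_params):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return correlate(events, **rule_params)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the default rule only 203.0.113.7 fires: five failures in seven seconds followed by a successful login, raised to critical by the threat-intel match. The three failures from 192.0.2.99 spread over half an hour stay below the threshold, which is exactly the "low and slow" pattern a single-window rule misses; widening the window (run(threshold=3, window_seconds=3600)) catches it at the cost of more false positives, which is the tuning trade-off SIEM operators live with.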
VI.4.b. Two Main Deployment Options for SIEM
On-premises deployment: involves installing and maintaining the SIEM software on the organization's own servers.
Cloud-based deployment: involves using a cloud service provider to host the SIEM software and store the collected data.
VI.4.c. Challenges and limitations of SIEM
SIEM solutions are designed to provide comprehensive security information and event management capabilities, but there are several challenges and limitations that organizations may face when deploying and using these systems, including:
Complexity and scalability: SIEM solutions can be complex and difficult to set up, manage, and scale.
Integration challenges: SIEM solutions need to ingest and normalize data from many heterogeneous sources, including firewalls, intrusion detection systems, endpoint agents, identity providers, and cloud audit logs, each with its own log format.
False positive and false negative alerts: false positives waste analyst time and cause alert fatigue, while false negatives mean real intrusions go undetected; tuning rules and thresholds is an ongoing task rather than a one-off setup step.
Performance and capacity issues: SIEM solutions can impact network performance, particularly in high-volume environments, and may require significant storage capacity.
Data privacy and compliance: SIEM solutions can collect and store sensitive information, which can raise data privacy and compliance concerns.
High costs: SIEM solutions can be expensive to implement and maintain, especially for large organizations with complex security requirements.
VI.4.d. Best practices for SIEM implementation and management
To ensure effective SIEM implementation and management, some best practices are:
Define security objectives and goals: Identify what you want to achieve with SIEM and align the system to meet those needs.
Plan your deployment: Consider the size of your organization, the number of devices and systems, and the complexity of your network environment.
Choose the right hardware: Make sure your hardware infrastructure meets the requirements for a SIEM deployment.
Invest in training: Provide your staff with the necessary training to effectively use the system.
Establish clear policies and procedures: Establish clear policies and procedures for the use of SIEM in your organization.
Configure the system correctly: Configure the SIEM to correctly identify and collect relevant data from your network environment.
Regularly maintain and update: Regularly maintain and update your SIEM to ensure optimal performance and security.
Regularly review and audit logs: Regularly review and audit logs to ensure the system is functioning as intended and to detect any security breaches.
VI.4.e. Network and Endpoint Forensics
Someone reviewing forensics for networks and endpoints should be familiar with the techniques and tools used to collect, analyze, and preserve data from networks and endpoint devices in order to investigate and understand security incidents.
Network Forensics
Network forensics is the process of collecting, analyzing, and preserving network data in order to investigate and understand security incidents. It involves capturing and analyzing network traffic, system and application logs, and other data from network devices such as routers, switches, firewalls, and servers. The goal of network forensics is to identify the causes of security incidents, understand the scope of an incident, and identify the actors behind an attack.
Network forensics can be used to investigate a wide range of security incidents, such as data breaches, denial of service attacks, and advanced persistent threats. The data collected and analyzed during a network forensics investigation can also be used to improve an organization's security posture by identifying vulnerabilities and weaknesses in their network.
Here are some key concepts that a reviewer for network forensics should be familiar with:
Traffic capture and analysis: The process of collecting and analyzing network traffic to identify malicious activity and understand the scope of an incident.
Packet analysis: The process of examining individual packets of network data to extract information about the source, destination, and content of the traffic.
Log analysis: The process of examining system and application logs to identify unusual activity and understand the actions of attackers.
Flow analysis: The process of examining the flow of network traffic to identify patterns of malicious activity and understand the scope of an incident.
Malware analysis: The process of extracting malware samples from captured traffic and examining them, together with their command-and-control traffic, to understand their capabilities.
Attribution analysis: The process of examining network data to identify the actors behind an attack, the infrastructure used, and the purpose of the attack.
Video: Network Forensic
Endpoint Forensics
Endpoint forensics is the process of collecting, analyzing, and preserving data from endpoint devices such as laptops, servers, and mobile devices, in order to investigate and understand security incidents. The goal of endpoint forensics is to identify the causes of security incidents, understand the scope of an incident, and identify the actors behind an attack.
Endpoint forensics can be used to investigate a wide range of security incidents, such as data breaches, advanced persistent threats, and malware infections. The data collected and analyzed during an endpoint forensics investigation can also be used to improve an organization's security posture by identifying vulnerabilities and weaknesses in their endpoint devices.
Here are some key concepts that a reviewer for endpoint forensics should be familiar with:
Disk imaging: The process of creating a bit-by-bit copy of a hard drive or other storage device for analysis.
File system analysis: The process of examining the file system of an endpoint device to identify and analyze files and artifacts related to an incident.
Memory analysis: The process of examining the memory of an endpoint device to identify and analyze malware or other malicious code that may be running in memory.
Registry analysis: The process of examining the Windows registry to identify and analyze configuration changes and artifacts related to an incident, such as persistence entries under the Run keys.
Timeline analysis: The process of collecting and analyzing data on the system to determine the sequence of events that occurred during the incident.
Forensically sound methodology: Following best-practice guidelines for collecting and preserving evidence, including working from verified copies rather than originals, hashing evidence at acquisition and re-verifying before analysis, and maintaining a documented chain of custody, so that findings are reliable and admissible in court.
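The following Python script is an added example, not part of the original page, tying the last two items together: it hashes a stand-in disk image on acquisition, refuses to analyze a copy whose hash no longer matches, and builds a timeline from constructed artifacts that record time in three different conventions (Windows FILETIME for a registry key, Unix epoch for a file, and an ISO-8601 string with a local offset for a log). The image bytes, paths and timestamps are all constructed.

```python
"""Forensically sound handling of endpoint evidence: hash the image on
acquisition, re-verify before every analysis step, and build a unified
timeline from artifacts that record time in different formats.  Added
example; the 'disk image' bytes and the artifact records are constructed."""
import hashlib
from datetime import datetime, timedelta, timezone

# Stand-in for an acquired image (constructed: 16 KiB of patterned bytes).
IMAGE = bytes(range(256)) * 64

# Constructed artifacts from one incident, each in its native time format.
ARTIFACTS = [
    {"source": "log", "iso": "2024-01-10T17:00:45+05:00",
     "description": "proxy log: outbound HTTPS to 203.0.113.44 from host WS-17"},
    {"source": "registry", "lastwrite_filetime": 133493616300000000,
     "description": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run LastWrite: value 'Updater' added"},
    {"source": "filesystem", "mtime_unix": 1704888000,
     "description": r"C:\Users\alice\Downloads\invoice.pdf.exe modified"},
]


def acquire(image: bytes) -> dict:
    """Acquisition record, as a chain-of-custody form would carry it."""
    return {"sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}


def verify(image: bytes, record: dict) -> bool:
    """Re-hash before analysis; a mismatch means the evidence is no longer
    what was acquired and any conclusion drawn from it is suspect."""
    return (len(image) == record["size"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Windows FILETIME (registry LastWrite, NTFS timestamps) counts 100-ns
    ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def unix_to_utc(seconds: float) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def to_utc(artifact: dict) -> datetime:
    """Normalize each artifact's native timestamp to an aware UTC datetime."""
    if artifact["source"] == "registry":
        return filetime_to_utc(artifact["lastwrite_filetime"])
    if artifact["source"] == "filesystem":
        return unix_to_utc(artifact["mtime_unix"])
    if artifact["source"] == "log":
        return datetime.fromisoformat(artifact["iso"]).astimezone(timezone.utc)
    raise ValueError("unknown artifact source %r" % artifact["source"])


def build_timeline(image: bytes, record: dict, artifacts) -> list:
    """Refuse to proceed on unverified evidence, then merge and sort events."""
    if not verify(image, record):
        raise RuntimeError("evidence hash mismatch: stop and document")
    events = [(to_utc(a), a["source"], a["description"]) for a in artifacts]
    return sorted(events)


if __name__ == "__main__":
    record = acquire(IMAGE)
    print("acquired:", record)
    for when, source, what in build_timeline(IMAGE, record, ARTIFACTS):
        print(when.isoformat(), source, what, sep="  ")
    tampered = IMAGE[:-1] + b"\x00"
    print("tampered copy verifies?", verify(tampered, record))
```

Once normalized, the three artifacts line up as download, persistence, then outbound connection within 45 seconds, a sequence none of the individual sources shows on its own. The log's +05:00 offset is the usual trap: mixing local and UTC timestamps without converting them produces a timeline that is confidently wrong.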
Video: Understanding Endpoint Forensics
VI.4.f. Incident Response Scenarios
An incident response scenario is a hypothetical situation that organizations can use to test and practice their incident response plan. These scenarios simulate different types of security incidents, such as data breaches, malware infections, and advanced persistent threats, and provide a way for organizations to evaluate the effectiveness of their incident response procedures.
An incident response scenario typically includes a detailed description of the incident, including the cause of the incident, the systems and data affected, and the potential impact on the organization. It also includes a set of tasks and procedures that incident responders should follow to contain and resolve the incident, such as identifying the cause of the incident, containing the attack to prevent further damage, and recovering systems and data.
Some examples of incident response scenarios include:
A phishing email that leads to a data breach
A ransomware attack that encrypts files on a network
A Distributed Denial of Service (DDoS) attack that disrupts network services
A malware infection that exfiltrates sensitive information
A supply chain attack that compromises third-party software
These scenarios help organizations identify the strengths and weaknesses of their incident response, and develop a plan that can handle different types of incidents. They also help incident responders become familiar with their roles and responsibilities during an incident, and perform their incident response tasks in a timely manner.
VI.4.g. Elements to be Addressed
Identification: The incident response plan should clearly outline the procedures for identifying and reporting security incidents. This should include guidelines for identifying unusual or suspicious activity and procedures for reporting incidents to the appropriate parties.
Containment: The incident response plan should include procedures for containing security incidents to prevent further damage or data loss. This should include guidelines for disconnecting affected systems from the network, isolating compromised devices, and implementing other containment measures as necessary.
Eradication: The incident response plan should include procedures for eradicating the cause of a security incident. This may include steps for removing malware, patching vulnerabilities, or other remediation steps as necessary.
Recovery: The incident response plan should include procedures for recovering from a security incident. This may include steps for restoring systems and data, testing systems to ensure they are functioning properly, and returning systems to normal operations.
Lessons learned: The incident response plan should include a section on post-incident review and lessons learned. This should include a review of the incident response process, identification of areas for improvement, and recommendations for future incident response procedures.
Communication: The incident response plan should include procedures for communicating with stakeholders during and after an incident. This should include guidelines for communicating with employees, customers, and other stakeholders as well as incident status updates.
Drill and Exercise: The incident response plan should include a section on incident response drill and exercise. This should include a schedule of incident response drill and exercise, roles and responsibilities, and evaluation criteria.
Compliance: The incident response plan should include a section on compliance. This should include a review of the incident response plan against regulatory and industry standards and guidelines.
It's important to note that every incident response scenario is different, and the incident response plan should be flexible enough to handle different types of incidents. The plan should be regularly reviewed, tested and updated to ensure it remains effective in the face of new and emerging threats.
VI.4.h. Examples of Incident Scenarios
Data breach: A data breach occurs when an attacker gains unauthorized access to sensitive information, such as personal data, financial information, or confidential business information. In this scenario, incident responders would work to identify the cause of the breach, determine the scope of the incident, and contain the attack to prevent further data exfiltration.
Malware infection: A malware infection occurs when a device is compromised by malicious software, such as a virus or trojan. In this scenario, incident responders would work to identify the malware, determine the scope of the infection, and remove the malware from infected systems.
Denial of Service (DoS) attack: A DoS attack occurs when an attacker floods a network or system with traffic in order to disrupt service. In this scenario, incident responders would work to identify the source of the attack, determine the scope of the incident, and implement countermeasures to mitigate the attack.
Advanced Persistent Threat (APT) attack: An APT attack occurs when an attacker establishes a prolonged and targeted presence on a network in order to steal sensitive information. In this scenario, incident responders would work to identify the cause of the attack, determine the scope of the incident, and remove the attacker from the network.
Insider Threat: This scenario occurs when an individual or group with authorized access to an organization's assets misuses or abuses their access to commit unauthorized actions. In this scenario incident responders would work to identify the cause of the attack, determine the scope of the incident
Video: Practice and prepare for Incident Response
🔌 VII. Wireless Networking
Wireless networking refers to the use of wireless communication technologies, such as Wi-Fi, cellular, or Bluetooth, to create a local area network (LAN) or a wide area network (WAN) that allows devices to communicate with each other without the need for wired connections. Wireless networking offers mobility and convenience, but also introduces security concerns such as the need to secure data transmission, protect against unauthorized access, and prevent interference from other wireless devices.
VII.1. Types of Wireless Networking
WLAN (Wireless Local Area Network) - A type of wireless network that covers a small geographical area like a home, office or building.
WPAN (Wireless Personal Area Network) - A type of wireless network that covers a small personal area like a single room or a person's desk.
WMAN (Wireless Metropolitan Area Network) - A type of wireless network that covers a metropolitan area, connecting multiple LANs and providing internet access to a large number of users.
WWAN (Wireless Wide Area Network) - A type of wireless network that provides internet access over a wide geographical area, often through cellular data networks.
Wi-Fi Direct - A type of wireless network that allows devices to directly connect to each other without the need for a central router or access point.
Wi-Fi Hotspot - A type of wireless network created by a router or access point that provides internet access to multiple devices in a public or private location.
Wi-Fi Mesh Network - A type of wireless network that uses multiple interconnected nodes to create a single large network.
📱 VIII. Network Devices
A network device is any hardware device that is part of a computer network and plays a specific role in enabling communication between different network devices. Examples include routers, switches, firewalls, access points, hubs, bridges, and modems.
VIII.1. Types of Network Devices
Router: directs and manages data flow between networks
Switch: directs data flow within a network
Firewall: provides network security
Bridge: connects multiple networks
Access Point: enables wireless devices to connect to a wired network
Modem: connects a computer to the internet
Hub: connects multiple devices in a network
Repeater: amplifies signal strength in a network
Gateway: serves as the entry and exit point between networks
⚙️ IX. Network Performance Optimization Techniques
Network performance optimization techniques are methods used to improve the efficiency, reliability, and speed of a computer network. These techniques aim to minimize latency, maximize bandwidth utilization, and minimize network downtime.
Bandwidth Throttling - controlling and limiting the amount of data that can be transmitted over a network connection.
Load Balancing - distributing network traffic evenly across multiple servers to improve performance and prevent downtime.
Traffic Shaping - controlling the flow of network traffic to optimize performance and prevent bottlenecks.
Quality of Service (QoS) - prioritizing certain types of network traffic to improve performance for critical applications.
Caching - storing frequently accessed data on a local device to reduce network latency and improve performance.
Compression - reducing the size of data being transmitted over a network to improve speed and efficiency.
Network Virtualization - creating virtual networks to improve performance and increase flexibility.
Hardware Upgrades - updating network hardware to increase speed and capacity.
Network Monitoring - continuously monitoring network performance and identifying bottlenecks or potential issues.
Network Maintenance - regularly performing maintenance and updates to keep the network running smoothly.