Exam objectives SY0-501

Explain penetration testing concepts

May 23, 2020 11:27

In this section we discuss penetration testing, the practice in which an organization gives a security professional (either internal or external to the organization) the task of finding and exploiting vulnerabilities in the organization's network and personnel, with the goal of testing the organization's security controls against a realistic attack. The penetration tester then writes a report of her work and delivers it to the organization, which uses it to improve its security posture and lower the probability that a real attack succeeds. Because a penetration test actively exploits systems, it is performed only with written authorization and within an agreed scope.

The steps that a penetration tester (and an attacker) usually follow are: passive reconnaissance -> active reconnaissance -> initial exploitation -> escalation of privileges -> pivoting -> persistence.

Passive reconnaissance

In the passive reconnaissance stage, the tester gathers information about the target from open-source intelligence (OSINT), such as social networks, public DNS and WHOIS records, job postings and company websites. The tester does not send any traffic directly to the target systems, so this stage produces nothing for the target to detect.

Active reconnaissance

In the active reconnaissance stage, the tester directly probes the target systems and analyzes their responses, for example to enumerate live hosts, open ports, running services and their versions. Network scanners (like nmap) and vulnerability scanners (like Nessus) are used in this stage. Unlike passive reconnaissance, this traffic reaches the target and can be logged or detected.
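As an added example (not part of the original notes), the following Python script is a minimal TCP connect scanner, the simplest form of the active probing that nmap performs: for each port it tries to complete the TCP handshake, then reads whatever banner the service sends. Everything in it is constructed for the demonstration: it starts a throw-away listener on 127.0.0.1 with a made-up banner so that the scan runs offline against a local "service" instead of a real target.

```python
"""Minimal TCP connect scanner as an active-reconnaissance probe.

Constructed example. For each port it opens a TCP connection (so the
probe is visible to the target, unlike passive OSINT gathering), records
whether the handshake succeeded, and grabs any banner the service sends.
"""
import socket
import threading
from typing import Dict, Iterable, List, Optional, Tuple


def start_fake_service(banner: bytes = b"SSH-2.0-ExampleService\r\n") -> int:
    """Start a throw-away TCP listener on 127.0.0.1 that sends `banner` to
    every client and closes the connection. Returns the ephemeral port.
    Constructed stand-in for a real service, so the scan can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed at interpreter exit
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port() -> int:
    """Bind an ephemeral port and release it, so that (barring a race with
    another process) a connect to it is refused. Used to demonstrate the
    'closed' result of the scanner."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> Tuple[bool, Optional[str]]:
    """Return (is_open, banner). A refused or timed-out connect counts as
    closed; an open port with a silent service yields (True, None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(128)  # banner grab: read what the service volunteers
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", "replace").strip() or None
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False, None


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, Tuple[bool, Optional[str]]]:
    """Probe each port in turn; a real scanner would parallelize this."""
    return {p: probe(host, p, timeout) for p in ports}


def open_ports(results: Dict[int, Tuple[bool, Optional[str]]]) -> List[int]:
    """List the ports reported open, in ascending order."""
    return sorted(p for p, (is_open, _) in results.items() if is_open)


if __name__ == "__main__":
    live = start_fake_service()
    dead = reserve_closed_port()
    for p, (is_open, banner) in sorted(scan_ports("127.0.0.1", [live, dead]).items()):
        print(f"{p}/tcp {'open' if is_open else 'closed'} {banner or ''}")
```

The banner is the interesting part for a tester: a string such as the version string a service announces is what a vulnerability scanner matches against its database. For the same reason it is also what a defender sees in connection logs, which is why this stage is "active".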

Initial exploitation

After the tester has collected the vulnerabilities she was able to discover on the target system, she exploits one of them to gain a first foothold on the system. This first exploitation is called initial exploitation, and the set of vulnerabilities an attacker can exploit from outside is the attack surface of the system. It is important to keep this attack surface as small as possible (unneeded services disabled, exposed software patched, unused accounts removed) to reduce the possible entry points for an attacker.

Escalation of privilege

The tester has now gained access to the system, but typically with few rights. For example, she may have entered through a misconfigured Guest account. Now that she is inside, the tester uses escalation of privilege techniques (exploiting a local vulnerability, a weak service permission, a stored credential, and so on) to gain more rights on the exploited system, up to administrator or root.

Pivot

The tester has compromised a system, and the higher her privileges on it, the more actions she is allowed to perform. Pivoting is the practice of using the exploited machine as a stepping stone to reach other machines inside the same network that were not directly reachable from the outside. Example: the tester has compromised the Internet-facing web server. From there, she launches an attack against the database server on the internal network, which is not exposed to the Internet.

Persistence

At this point the tester has successfully exploited the target devices. Persistence means keeping access to the compromised devices over time, even across reboots, patches or password changes, so that the tester (or an attacker) does not have to repeat the initial exploitation. This may be achieved by creating a backdoor on the system, for example a hidden account or a scheduled task that re-establishes remote access.

Black box

In a black box penetration test, the tester has no prior knowledge of the environment to be tested. This test simulates an attacker with no initial knowledge (like an external one).

White box

In a white box penetration test, the tester has full knowledge of the environment to be tested. She knows which devices are present inside the network, the network topology, the OSes and the applications installed, and so on. This test simulates an attacker with full initial knowledge (like an insider with high privileges).

Gray box

In a gray box penetration test, the tester has partial knowledge of the environment to be tested. As an example, she may know the devices in a subnet, but the path to reach other targets may be unknown a priori. This test simulates an attacker with partial initial knowledge (like a low-privileged insider or a compromised user).

Penetration testing vs. vulnerability scanning

The main difference between vulnerability scanning and penetration testing is that, while both discover and document vulnerabilities, penetration testing actually exploits them. A vulnerability scan is largely automated and reports potential weaknesses (including false positives) without confirming they are exploitable; a penetration test confirms them by exploiting them and shows what an attacker could reach afterwards. In this regard, penetration testing is much more intrusive and can even cause interruption of service on the target system, which is why it is performed with explicit authorization and an agreed scope.