CCNA Cyber Ops 國際認可證書課程

現今公司或團體在管理網絡上，不時要面對關於網絡安全上的問題，而負責保護系統的網絡安全人員亦要迅速的發現安全漏洞及針對漏洞作出有效的應對。此類工作需要對不同系統在運作及保安上有一定認識， 始能在面對網絡安全上的威脅時作出有效的檢測和應對。

Cisco 作為全球最大網絡安全設備生產商之一，除了生產各類安全設備外，同時也致力培養網絡安全人材以應對現今的網絡安全威脅。CCNA Cyber Ops (網絡安全運營) 認證可為相關人員提供網絡安全的知識，培養他們成為可在安全運營中心（Security Operations Centers）工作的網絡安全分析師。

取得 CCNA Cyber Ops 認證，可證明你有作為安全運營中心分析師的知識及專業水準，可為公司或團體應對不同網絡安全上的威脅。
此認證的一個特點是內容大部份為基本網絡安全上的知識，而非使用 Cisco 安全設備上的專用知識。因此報讀此課程對現在或將來會或不會使用 Cisco 生產的安全設備均也合適。

課程中部份網絡安全的知識會在課堂上以實例形式通過 Linux / Windows 等等作業系統作出示範，令學員對相關內容有更清晰的認識。

本中心的 Cisco 課程均由 Norman Lau、Franco Tsang 及 Vincent Ho 等多位 CCIE 籌備多時，精心編排。由上堂、溫習、實習、考試研習、做試題至最後考試，均為你度身訂造，作出有系統的編排。務求真正教識你，又令你考試及格。

只要你於下列科目取得合格成績，便可獲 Cisco 頒發 CCNA Cyper Ops (Cisco Certified Network Associate - Cyber Ops，Cisco 認可網路夥伴 - 網絡安全運營) 國際認可證書：

本中心為 Cisco 指定的 CCNA Cyber Ops 證書考試試場，報考時請致電本中心，登記欲報考之科目考試編號、考試日期及時間 (最快可即日報考)。

臨考試前要繳付考試費 HK$2,348，及必須出示下列兩項有效之身份證明文件，否則考生不可進行考試，而已繳付之考試費亦不會退回：
1. 香港身份證   及
2. 附有考生姓名及簽名的證件 (如信用咭、香港特區護照、BNO 等)

考試題目由澳洲考試中心傳送到你要應考的電腦，考試時以電腦作答。所有考試題目均為英文，而大多數的考試題目為單項選擇題 (意即 O) 或多項選擇題 (意即 口)，其餘則為配對題及實戰題。作答完成後會立即出現你的分數，結果即考即知！考試不合格便可重新報考，不限次數。欲知道作答時間、題目總數、合格分數等詳細考試資料，可瀏覽本中心網頁 "各科考試分數資料"。

為進一步加強本中心 Cisco 的課程質素，本中心投放大量資源購買 Cisco 器材，以供學員進行實習。以下是本中心擁有的 Cisco 器材 (種類繁多，未能盡錄)：

210-250 Understanding Cisco Cybersecurity Fundamentals

Network Concepts

• Describe the function of the network layers as specified by the OSI and the TCP/IP network models
• Describe the operation of the following
  • IP
  • TCP
  • UDP
  • ICMP
• Describe the operation of these network services
  • ARP
  • DNS
  • DHCP
• Describe the basic operation of these network device types
  • Router
  • Switch
  • Hub
  • Bridge
  • Wireless access point (WAP)
  • Wireless LAN controller (WLC)
• Describe the functions of these network security systems as deployed on the host, network, or the cloud:
  • Firewall
  • Cisco Intrusion Prevention System (IPS)
  • Cisco Advanced Malware Protection (AMP)
  • Web Security Appliance (WSA) / Cisco Cloud Web Security (CWS)
  • Email Security Appliance (ESA) / Cisco Cloud Email Security (CES)
• Describe IP subnets and communication within an IP subnet and between IP subnets
• Describe the relationship between VLANs and data visibility
• Describe the operation of ACLs applied as packet filters on the interfaces of network devices
• Compare and contrast deep packet inspection with packet filtering and stateful firewall operation
• Compare and contrast inline traffic interrogation and taps or traffic mirroring
• Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic
• Identify potential data loss from provided traffic profiles

Security Concepts

• Describe the principles of the defense in depth strategy
• Compare and contrast these concepts
  • Risk
  • Threat
  • Vulnerability
  • Exploit
• Describe these terms
  • Threat actor
  • Run book automation (RBA)
  • Chain of custody (evidentiary)
  • Reverse engineering
  • Sliding window anomaly detection
  • PII
  • PHI
• Describe these security terms
  • Principle of least privilege
  • Risk scoring/risk weighting
  • Risk reduction
  • Risk assessment
• Compare and contrast these access control models
  • Discretionary access control
  • Mandatory access control
  • Nondiscretionary access control
• Compare and contrast these terms
  • Network and host antivirus
  • Agentless and agent-based protections
  • SIEM and log collection
• Describe these concepts
  • Asset management
  • Configuration management
  • Mobile device management
  • Patch management
  • Vulnerability management

Cryptography

• Describe the uses of a hash algorithm
• Describe the uses of encryption algorithms
• Compare and contrast symmetric and asymmetric encryption algorithms
• Describe the processes of digital signature creation and verification
• Describe the operation of a PKI
• Describe the security impact of these commonly used hash algorithms
  • MD5
  • SHA-1
  • SHA-256
  • SHA-512
• Describe the security impact of these commonly used encryption algorithms and secure communications protocols
  • DES
  • 3DES
  • AES
  • AES256-CTR
  • RSA
  • DSA
  • SSH
  • SSL/TLS
• Describe how the success or failure of a cryptographic exchange impacts security investigation
  Describe these items in regards to SSL/TLS
  • Cipher-suite
  • X.509 certificates
  • Key exchange
  • Protocol version
  • PKCS

Host-Based Analysis

• Define these terms as they pertain to Microsoft Windows
  • Processes
  • Threads
  • Memory allocation
  • Windows Registry
  • WMI
  • Handles
  • Services
• Define these terms as they pertain to Linux
  • Processes
  • Forks
  • Permissions
  • Symlinks
  • Daemon
• Describe the functionality of these endpoint technologies in regards to security monitoring
  • Host-based intrusion detection
  • Antimalware and antivirus
  • Host-based firewall
  • Application-level whitelisting/blacklisting
  • Systems-based sandboxing (such as Chrome, Java, Adobe reader)
• Interpret these operating system log data to identify an event
  • Windows security event logs
  • Unix-based syslog
  • Apache access logs
  • IIS access logs

Security Monitoring

• Identify the types of data provided by these technologies
  • TCP Dump
  • NetFlow
  • Next-Gen firewall
  • Traditional stateful firewall
  • Application visibility and control
  • Web content filtering
  • Email content filtering
• Describe these types of data used in security monitoring
  • Full packet capture
  • Session data
  • Transaction data
  • Statistical data
  • Extracted content
  • Alert data
• Describe these concepts as they relate to security monitoring
  • Access control list
  • NAT/PAT
  • Tunneling
  • TOR
  • Encryption
  • P2P
  • Encapsulation
  • Load balancing
• Describe these NextGen IPS event types
  • Connection event
  • Intrusion event
  • Host or endpoint event
  • Network discovery event
  • NetFlow event
• Describe the function of these protocols in the context of security monitoring
  • DNS
  • NTP
  • SMTP/POP/IMAP
  • HTTP/HTTPS

Attack Methods

• Compare and contrast an attack surface and vulnerability
• Describe these network attacks
  • Denial of service
  • Distributed denial of service
  • Man-in-the-middle
• Describe these web application attacks
  • SQL injection
  • Command injections
  • Cross-site scripting
  • Describe these attacks
  • Social engineering
  • Phishing
  • Evasion methods
• Describe these endpoint-based attacks
  • Buffer overflows
  • Command and control (C2)
  • Malware
  • Rootkit
  • Port scanning
  • Host profiling
• Describe these evasion methods
  • Encryption and tunneling
  • Resource exhaustion
  • Traffic fragmentation
  • Protocol-level misinterpretation
  • Traffic substitution and insertion
  • Pivot
• Define privilege escalation
• Compare and contrast remote exploit and a local exploit

210-255 Implementing Cisco Cybersecurity Operations

Endpoint Threat Analysis and Computer Forensics

• Interpret the output report of a malware analysis tool such as AMP Threat Grid and Cuckoo Sandbox
• Describe these terms as they are defined in the CVSS 3.0
  • Attack vector
  • Attack complexity
  • Privileges required
  • User interaction
  • Scope
• Describe these terms as they are defined in the CVSS 3.0
  • Confidentiality
  • Integrity
  • Availability
• Define these items as they pertain to the Microsoft Windows file system
  • FAT32
  • NTFS
  • Alternative data streams
  • MACE
  • EFI
  • Free space
  • Timestamps on a file system
• Define these terms as they pertain to the Linux file system
  • EXT4
  • Journaling
  • MBR
  • Swap file system
  • MAC
• Compare and contrast three types of evidence
  • Best evidence
  • Corroborative evidence
  • Indirect evidence
• Compare and contrast two types of image
  • Altered disk image
  • Unaltered disk image
• Describe the role of attribution in an investigation
  • Assets
  • Threat actor

Network Intrusion Analysis

• Interpret basic regular expressions
• Describe the fields in these protocol headers as they relate to intrusion analysis
  • Ethernet frame
  • IPv4
  • IPv6
  • TCP
  • UDP
  • ICMP
  • HTTP
• Identify the elements from a NetFlow v5 record from a security event
• Identify these key elements in an intrusion from a given PCAP file
  • Source address
  • Destination address
  • Source port
  • Destination port
  • Protocols
  • Payloads
• Extract files from a TCP stream when given a PCAP file and Wireshark
• Interpret common artifact elements from an event to identify an alert
  • IP address (source / destination)
  • Client and Server Port Identity
  • Process (file or registry)
  • System (API calls)
  • Hashes
  • URI / URL
• Map the provided events to these source technologies
  • NetFlow
  • IDS / IPS
  • Firewall
  • Network application control
  • Proxy logs
  • Antivirus
• Compare and contrast impact and no impact for these items
  • False Positive
  • False Negative
  • True Positive
  • True Negative
• Interpret a provided intrusion event and host profile to calculate the impact flag generated by Firepower Management Center (FMC)
  

Incident Response

• Describe the elements that should be included in an incident response plan as stated in NIST.SP800-61 r2
• Map elements to these steps of analysis based on the NIST.SP800-61 r2
  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident analysis (lessons learned)
• Map the organization stakeholders against the NIST IR categories (C2M2, NIST.SP800-61 r2)
  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident analysis (lessons learned)
• Describe the goals of the given CSIRT
  • Internal CSIRT
  • National CSIRT
  • Coordination centers
  • Analysis centers
  • Vendor teams
  • Incident response providers (MSSP)
• Identify these elements used for network profiling
  • Total throughput
  • Session duration
  • Ports used
  • Critical asset address space
• Identify these elements used for server profiling
  • Listening ports
  • Logged in users/service accounts
  • Running processes
  • Running tasks
  • Applications
• Map data types to these compliance frameworks
  • PCI
  • HIPPA (Health Insurance Portability and Accountability Act)
  • SOX
• Identify data elements that must be protected with regards to a specific standard (PCI-DSS)

Data and Event Analysis

• Describe the process of data normalization
• Interpret common data values into a universal format
• Describe 5-tuple correlation
• Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs
• Describe the retrospective analysis method to find a malicious file, provided file analysis report
• Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP address or domains
• Map DNS logs and HTTP logs together to find a threat actor
• Map DNS, HTTP, and threat intelligence data together
• Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the firepower management console
• Compare and contrast deterministic and probabilistic analysis

Incident Handling

• Classify intrusion events into these categories as defined by the Cyber Kill Chain Model
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and control
  • Action on objectives
• Apply the NIST.SP800-61 r2 incident handling process to an event
• Define these activities as they relate to incident handling
  • Identification
  • Scoping
  • Containment
  • Remediation
  • Lesson-based hardening
  • Reporting
• Describe these concepts as they are documented in NIST SP800-86
  • Evidence collection order
  • Data integrity
  • Data preservation
  • Volatile data collection
• Apply the VERIS schema categories to a given incident

* The course content above may change at any time without notice in order to better reflect the contents of examinations.