(Network and Security – Applications) Western Governors University
CEH Notes
A. What is cybersecurity? - Per Dr. Mansur Hasib “Cybersecurity is the mission-focused
and risk-optimized governance of information, which maximizes confidentiality, integrity,
and availability using a balanced mix of people, policy, and technology, while perennially
improving over time.”
B. CIA Triad - confidentiality, integrity, availability
C. Defense in depth
D. IAM (Identity and Access Management) - The right people/systems can access the right
information at the right time. - RBAC, SSO, MFA, PAM
E. DLP (Data Loss Prevention)
Information Security Threats and Attacks
A. Attack = Motive (usually financial) + Method + Vulnerability
B. Common motives include data theft, disrupting business operations (continuity),
data manipulation/deletion, creating fear/panic by disrupting critical infrastructure,
religious or political beliefs, brand/reputation damage, Nation State objectives,
and revenge.
C. Common attack vectors - Cloud attacks, APT, malware (viruses, worms, Trojans,
ransomware, etc.), mobile device threats, botnets, and insider threats.
D. InfoSec Threat Categories - network, host, and application threats.
E. Network Threats - information gathering, sniffing/eavesdropping, spoofing,
session hijacking and MitM attacks, DNS and ARP poisoning, password attacks,
DoS/DDoS, compromised credentials/keys, and firewall/IDS/IPS attacks.
F. Host Threats - malware attacks, footprinting, password attacks, DoS/DDoS,
arbitrary code execution, unauthorized access, privilege escalation, backdoor
attacks, and physical security threats.
G. Application Threats - improper data/input validation, authentication/authorization
attacks, security misconfiguration, information disclosure, broken session
management, buffer overflow attacks, SQL injection, XSS (cross-site scripting),
and improper error handling/exception management.
Introduction to Ethical Hacking
A. What is ethical hacking? - Ethical Hacking involves the use of hacking tools,
techniques, and tricks, with permission, to identify vulnerabilities in systems
before they can be exploited by adversaries. Ethical Hackers are commonly
called Penetration Testers (Pentesters) in the industry.
B. Pentesting differs from a vulnerability assessment because in a pentest, you are
actually proving the vulnerability can be exploited by an adversary.
C. Types of hackers - Black Hat, Grey Hat, White Hat, Hacktivist, Script Kiddie.
D. Phases of Hacking - Reconnaissance, Scanning, Gaining Access, Maintaining
Access, Covering Tracks.
E. Black box testing - In this type of testing, the pentester is not given any access to
internal information and is also not provided access to the client’s internal
applications or network. This type of testing simulates what a real external
adversary would do; however, it is performed in a limited period of time, whereas real
adversaries can take months or years to assess their target. This means that the
pentester might miss some vulnerabilities that an adversary could exploit.
F. Gray box testing - Typically, this type of testing grants the pentester some type of
internal access or knowledge. This could be low-level login credentials,
application logic flowcharts, or maps of the network infrastructure. This type of
testing simulates an attacker that has breached the network perimeter and has
some type of internal access to the network.
G. White box testing - In this type of test, the pentester has open access to
applications and systems, including the ability to view source code and the use of
high-privilege accounts. This is a more comprehensive type of pentest that
analyzes both internal and external vulnerabilities from a viewpoint that a typical
attacker will not have.
Introduction to the Cyber Kill Chain
A. Lockheed Martin Cyber Kill Chain - We will focus on the Adversary side of
the Kill Chain for this course.
B. Reconnaissance - gaining information on the target - harvest email
addresses, IP addresses, host/network information, vulnerability
identification, identify employees on social media, press releases,
contracts awarded, discover Internet-facing servers.
C. Weaponization - attackers obtain a "weaponizer" (a tool that couples
malware and an exploit into a deliverable payload) from public/private
channels or build one in-house. For file-based exploits, the attacker selects
the appropriate decoy document for the victim. The attacker then selects
the backdoor implant and the appropriate command and control
infrastructure for the operation. The attacker then designates a specific
“mission ID” and embeds it in the malware. The backdoor is then
compiled and the payload is weaponized.
D. Delivery - the adversary transmits the weaponized payload to the target, either by
adversary-controlled delivery (direct against web servers) or by adversary-released
delivery (malicious email, malware on a USB stick, social media interactions,
watering hole attack using compromised websites).
E. Exploitation - attackers must exploit a software, hardware, or human vulnerability
to gain access, which may require acquiring or developing a zero-day exploit. For
server-based vulnerabilities the adversary triggers the exploit directly; otherwise
the victim triggers it (opening a malicious email attachment, clicking a malicious link).
F. Installation - the attacker wants to maintain access, so they typically install a
backdoor at this stage (installs a webshell on a web server, installs a
backdoor/implant on a client system, creates a point of persistence by
adding services/Autorun keys, time stomps the file so the malware
appears to be part of the operating system install).
G. Command & Control (C2) - the malware opens a channel of
communication so the attacker can manipulate the victim remotely. Two-way
communication channels are opened with C2 infrastructure, usually
over web, DNS, and/or email protocols.
H. Actions on Objectives - attackers now have "hands on keyboard" and
move forward with their objective. This may include collecting user
credentials, privilege escalation, internal reconnaissance, lateral
movement through the victim’s environment, collecting/exfiltrating other
data, destroying systems, overwriting, corrupting, or otherwise modifying
data.
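The Installation stage above notes that an implant's timestamps are often "time stomped" so the file looks like part of the OS install. As an added example that is not from these notes, the following Python applies three DFIR heuristics to file metadata records to flag likely time-stomped files; the FileRecord type, the sample paths and every timestamp are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc


@dataclass
class FileRecord:
    """Constructed view of an NTFS file's timestamps (not real collected data)."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (easy to alter)
    si_modified: datetime  # $STANDARD_INFORMATION modification time
    fn_created: datetime   # $FILE_NAME creation time (not altered by user-mode stomping)


def timestomp_indicators(rec: FileRecord) -> List[str]:
    """Return the names of every heuristic the record trips; empty list means clean."""
    flags: List[str] = []
    # Stomping tools typically set whole seconds, so all-zero sub-second fields
    # on a file that should have been written by an installer are suspicious.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        flags.append("zero-subsecond-timestamps")
    # A genuine file cannot be modified before it was created.
    if rec.si_modified < rec.si_created:
        flags.append("modified-before-created")
    # $STANDARD_INFORMATION created earlier than $FILE_NAME created: the SI value
    # was pushed back into the past while FN still records the real arrival.
    if rec.si_created < rec.fn_created:
        flags.append("si-created-before-fn-created")
    return flags


def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map each flagged path to its indicators; unflagged files are omitted."""
    results = {}
    for rec in records:
        flags = timestomp_indicators(rec)
        if flags:
            results[rec.path] = flags
    return results


# Constructed sample: one legitimate system binary, one stomped implant.
SAMPLE_RECORDS = [
    FileRecord("C:/Windows/System32/kernel32.dll",
               datetime(2023, 5, 11, 8, 14, 22, 381204, tzinfo=UTC),
               datetime(2023, 5, 11, 8, 14, 22, 381204, tzinfo=UTC),
               datetime(2023, 5, 11, 8, 14, 22, 381204, tzinfo=UTC)),
    FileRecord("C:/Windows/System32/updsvc.dll",   # constructed implant path
               datetime(2023, 5, 11, 8, 14, 22, 0, tzinfo=UTC),
               datetime(2023, 5, 11, 8, 14, 22, 0, tzinfo=UTC),
               datetime(2024, 9, 3, 1, 47, 9, 115772, tzinfo=UTC)),
]
```

Run `scan(SAMPLE_RECORDS)` to see only the constructed implant reported, with both the zero-subsecond and SI-before-FN indicators.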
Introduction to Security Controls
A. Physical controls - premises and surroundings, reception area,
server/workstation area, other equipment, access control, computer
equipment maintenance, wiretapping, environmental control.
Premises and Surroundings - fences/gates/walls, security guards, alarms, CCTV
cameras, alarm system, door/window locks.
Reception Area - lock away important files/documents/equipment
Server/Workstation Area - lock when not in use, disable access to removable media, use
CCTV cameras
Other Equipment - lock when not in use, physically destroy corrupted removable media
Access Control - implement Biometric access controls, man traps, ID badges, keycards,
sign-in procedures, separate work areas
Computer Equipment Maintenance - designate who will be responsible for maintenance
on equipment.
Wiretapping - inspect all data wires on a routine basis and never leave wires exposed
Environmental Control - fire suppression, humidity and A/C control
B. Logical Controls - network segmentation, user permissions, MFA,
firewalls
Introduction to Security Laws and Standards
A. PCI DSS - The Payment Card Industry Data Security Standard applies to
all entities involved in payment card processing and sets minimum
security requirements. Some of the common requirements are
organizations must build and maintain a secure network, protect