Essential tables from the study guide — bookmark this page for fast review.
Know these cold for the CompCert assessment. Focus on which protocols are unencrypted and what their encrypted alternatives are.
| Port | Protocol | Encrypted? | Secure Alternative |
|---|---|---|---|
| 20/21 | FTP | ❌ No | SFTP (22), FTPS (990) |
| 22 | SSH / SFTP / SCP | ✅ Yes | — |
| 23 | Telnet | ❌ No | SSH (22) |
| 25 | SMTP | ❌ No | SMTPS (587/465) |
| 53 | DNS | ❌ No | DoH (443), DoT (853) |
| 67/68 | DHCP | ❌ No | DHCP snooping |
| 80 | HTTP | ❌ No | HTTPS (443) |
| 110 | POP3 | ❌ No | POP3S (995) |
| 143 | IMAP | ❌ No | IMAPS (993) |
| 161/162 | SNMP | ❌ No (v1/v2) | SNMPv3 |
| 389 | LDAP | ❌ No | LDAPS (636) |
| 443 | HTTPS | ✅ Yes | — |
| 3389 | RDP | ⚠️ Optional | RDP over VPN |
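One way to put the port table to work is to audit a host's listening sockets against it. The following is an added example, not part of the study guide: it parses constructed `ss -tulnp` output (the sample rows, the `CLEARTEXT_SERVICES` lookup built from the table above, and the `audit_listeners` / `report` function names are all assumptions of this example), flags sockets on cleartext-service ports, and notes whether each is bound only to loopback or is reachable from the network.

```python
import re
from dataclasses import dataclass

# Cleartext services from the port table above, keyed by port
# (constructed lookup: port -> (protocol, encrypted alternative))
CLEARTEXT_SERVICES = {
    20: ("FTP data", "SFTP (22) or FTPS (990)"),
    21: ("FTP", "SFTP (22) or FTPS (990)"),
    23: ("Telnet", "SSH (22)"),
    25: ("SMTP", "SMTPS (587/465)"),
    53: ("DNS", "DoH (443) or DoT (853)"),
    80: ("HTTP", "HTTPS (443)"),
    110: ("POP3", "POP3S (995)"),
    143: ("IMAP", "IMAPS (993)"),
    161: ("SNMP v1/v2", "SNMPv3"),
    162: ("SNMP trap v1/v2", "SNMPv3"),
    389: ("LDAP", "LDAPS (636)"),
}

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}

# One `ss -tulnp` row: netid, state, recv-q, send-q, local addr:port, peer, optional process
SS_ROW = re.compile(
    r"^(?P<netid>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Constructed sample output (not captured from a real host)
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1201,fd=7))
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=990,fd=13))
tcp   LISTEN 0      128    [::]:23            [::]:*            users:(("inetd",pid=700,fd=5))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=1500,fd=8))
"""


@dataclass
class Finding:
    transport: str
    port: int
    protocol: str
    bind_addr: str
    process: str
    loopback_only: bool
    alternative: str


def parse_ss(output: str) -> list[dict]:
    """Return one dict per socket row; the header and unparseable lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit_listeners(output: str) -> list[Finding]:
    """Flag sockets on cleartext-service ports and record whether they are reachable beyond loopback."""
    findings = []
    for row in parse_ss(output):
        port = int(row["port"])
        if port not in CLEARTEXT_SERVICES:
            continue
        protocol, alternative = CLEARTEXT_SERVICES[port]
        findings.append(Finding(
            transport=row["netid"],
            port=port,
            protocol=protocol,
            bind_addr=row["addr"],
            process=row["proc"] or "?",
            loopback_only=row["addr"] in LOOPBACK_ADDRS,
            alternative=alternative,
        ))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        exposure = "loopback only" if f.loopback_only else f"bound to {f.bind_addr}"
        lines.append(f"{f.transport}/{f.port} {f.protocol} via {f.process}, {exposure} -> migrate to {f.alternative}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_listeners(SAMPLE_SS))))
```

On the sample, SSH and HTTPS pass, while HTTP, Telnet and SNMP are flagged as network-reachable and SMTP is flagged but marked loopback-only, which is the distinction a reviewer would want before deciding remediation priority.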
Critical Security and System log events for investigation and auditing.
| Event ID | Log | Description |
|---|---|---|
| 1102 | Security | Audit log was cleared |
| 4624 | Security | Successful account logon |
| 4625 | Security | Failed account logon |
| 4648 | Security | Logon using explicit credentials |
| 4672 | Security | Special privileges assigned to new logon |
| 4720 | Security | A user account was created |
| 4722 | Security | A user account was enabled |
| 4725 | Security | A user account was disabled |
| 4732 | Security | Member added to security-enabled local group |
| 4738 | Security | A user account was changed |
| 7045 | System | A new service was installed in the system |
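The event IDs above are most useful when correlated rather than read one at a time. The following is an added example, not from the study guide: it runs four simple detections over a constructed event list (the sample records, the `detect` function and its thresholds are assumptions of this example): a burst of 4625 failures for one account, a 4720 account creation followed shortly by a 4732 addition to a local group, any 7045 service install, and any 1102 audit-log clear.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (timestamp, event id, log, fields)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", 4624, "Security", {"account": "alice", "src": "10.0.0.5"}),
    ("2024-03-01T09:01:00", 4625, "Security", {"account": "svc_backup", "src": "10.0.0.77"}),
    ("2024-03-01T09:01:15", 4625, "Security", {"account": "svc_backup", "src": "10.0.0.77"}),
    ("2024-03-01T09:01:30", 4625, "Security", {"account": "svc_backup", "src": "10.0.0.77"}),
    ("2024-03-01T09:01:45", 4625, "Security", {"account": "svc_backup", "src": "10.0.0.77"}),
    ("2024-03-01T09:02:00", 4625, "Security", {"account": "svc_backup", "src": "10.0.0.77"}),
    ("2024-03-01T09:03:00", 4625, "Security", {"account": "bob", "src": "10.0.0.9"}),
    ("2024-03-01T09:05:10", 4720, "Security", {"account": "helpdesk2", "subject": "admin01"}),
    ("2024-03-01T09:05:30", 4732, "Security", {"account": "helpdesk2", "group": "Administrators"}),
    ("2024-03-01T09:06:00", 7045, "System", {"service": "UpdaterSvc", "path": r"C:\Users\Public\upd.exe"}),
    ("2024-03-01T09:07:00", 1102, "Security", {"subject": "admin01"}),
]


def detect(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (rule, detail, timestamp) alerts, processing events in time order."""
    alerts = []
    failures = defaultdict(list)  # account -> timestamps of recent 4625 events
    created = {}                  # account -> time of its 4720 creation event

    for ts_str, event_id, _log, fields in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)

        if event_id == 1102:
            # Clearing the audit log is almost never legitimate outside maintenance windows
            alerts.append(("AUDIT_LOG_CLEARED", fields.get("subject", "?"), ts_str))

        elif event_id == 4625:
            account = fields["account"]
            # Keep only failures inside the sliding window, then test the threshold once
            failures[account] = [t for t in failures[account] + [ts] if ts - t <= window]
            if len(failures[account]) == fail_threshold:
                alerts.append(("BRUTE_FORCE", account, ts_str))

        elif event_id == 4720:
            created[fields["account"]] = ts

        elif event_id == 4732:
            account = fields["account"]
            # A freshly created account landing in a privileged group is worth a look
            if account in created and ts - created[account] <= window:
                alerts.append(("NEW_ACCOUNT_PRIVILEGED", f"{account} -> {fields['group']}", ts_str))

        elif event_id == 7045:
            alerts.append(("NEW_SERVICE", f"{fields['service']} ({fields['path']})", ts_str))

    return alerts


if __name__ == "__main__":
    for rule, detail, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule:<24} {detail}")
```

The threshold and window are deliberately parameters: the same code with a higher `fail_threshold` produces no brute-force alert on the sample, which is how you would tune it against a baseline of normal failed logons.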
Essential commands organized by category — know the syntax and purpose.
| Category | Command | Purpose |
|---|---|---|
| Navigation | pwd | Print working directory |
| | ls -la | List all files with details |
| | cd /path | Change directory |
| | find / -name "file" | Search for files by name |
| | grep "pattern" file | Search text in files |
| | cat / less / head / tail | View file contents |
| Permissions | chmod 750 file | Change file permissions |
| | chown user:group file | Change file ownership |
| | find / -perm -4000 | Find SUID files |
| | ls -la | View permissions |
| Users | useradd -m user | Create user |
| | passwd user | Set password |
| | usermod -aG group user | Add user to group |
| | id user | Show user info |
| Networking | ip addr show | Show IP configuration |
| | ss -tulnp | Show listening ports |
| | ping host | Test connectivity |
| | nmap target | Scan ports |
| Monitoring | ps aux | List processes |
| | top / htop | Real-time process monitor |
| | tail -f /var/log/auth.log | Watch auth log live |
Windows security investigation and system administration commands.
| Task | Command |
|---|---|
| View security events | Get-EventLog -LogName Security -Newest 50 |
| Find failed logins | Get-EventLog -LogName Security -InstanceId 4625 |
| List local users | Get-LocalUser |
| List admin group members | Get-LocalGroupMember -Group "Administrators" |
| Check running services | Get-Service \| Where-Object {$_.Status -eq "Running"} |
| View network connections | Get-NetTCPConnection -State Established |
| Check firewall status | Get-NetFirewallProfile |
| View scheduled tasks | Get-ScheduledTask \| Where-Object {$_.State -ne "Ready"} |
Memorize these three formulas — they appear in scenario questions.
Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF)
How much you lose from a single incident.
Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO)
Expected yearly cost of a specific risk.
Qualitative Risk Assessment
A conceptual model for evaluating overall risk.
Common Vulnerability Scoring System severity levels (0.0–10.0).
| Score Range | Severity | Action |
|---|---|---|
| 0.0 | None | Informational |
| 0.1 – 3.9 | Low | Scheduled patch |
| 4.0 – 6.9 | Medium | Prioritized patch |
| 7.0 – 8.9 | High | Expedited remediation |
| 9.0 – 10.0 | Critical | Immediate action |
The four-phase NIST incident response lifecycle.
| # | Phase |
|---|---|
| 1 | Preparation |
| 2 | Detection & Analysis |
| 3 | Containment, Eradication & Recovery |
| 4 | Post-Incident Activity |
Numeric (octal) permission values.
| Value | Permission |
|---|---|
| 0 | No permissions (---) |
| 1 | Execute (--x) |
| 2 | Write (-w-) |
| 4 | Read (r--) |
| 5 | Read + Execute (r-x) |
| 6 | Read + Write (rw-) |
| 7 | Full (rwx) |
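The octal digits above combine into the modes seen in `chmod 750 file` and in the SUID search `find / -perm -4000` from the command table. The following is an added example, not part of the study guide: it converts between octal modes (including the leading special digit for setuid, setgid and sticky) and the symbolic form shown by `ls -l`, and flags the modes a hardening review cares about. The function names and the risk flags chosen are assumptions of this example.

```python
import stat

# Each rwx triad is the sum of these bits; the same table as the octal values above
PERM_BITS = ((4, "r"), (2, "w"), (1, "x"))


def digit_to_rwx(digit: int) -> str:
    """Expand one octal digit (0-7) into its three-character rwx form."""
    return "".join(letter if digit & bit else "-" for bit, letter in PERM_BITS)


def mode_to_symbolic(mode: str) -> str:
    """'750' -> 'rwxr-x---', '4755' -> 'rwsr-xr-x', '1777' -> 'rwxrwxrwt'."""
    special, *perms = (int(c) for c in mode.zfill(4))
    triads = [list(digit_to_rwx(p)) for p in perms]
    # Special bits replace the execute slot: lowercase when x is set, uppercase when it is not
    if special & 4:
        triads[0][2] = "s" if triads[0][2] == "x" else "S"
    if special & 2:
        triads[1][2] = "s" if triads[1][2] == "x" else "S"
    if special & 1:
        triads[2][2] = "t" if triads[2][2] == "x" else "T"
    return "".join("".join(t) for t in triads)


def symbolic_to_octal(symbolic: str) -> str:
    """Inverse of mode_to_symbolic; drops the leading special digit when it is zero."""
    if len(symbolic) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-x---")
    special = 0
    digits = []
    for i in range(3):
        triad = symbolic[3 * i:3 * i + 3]
        value = 0
        for ch, (bit, letter) in zip(triad, PERM_BITS):
            # 's' and 't' in the execute slot mean x is set plus a special bit
            if ch == letter or (letter == "x" and ch in "st"):
                value |= bit
        if i < 2 and triad[2] in "sS":
            special |= 4 >> i          # 4 = setuid (user triad), 2 = setgid (group triad)
        if i == 2 and triad[2] in "tT":
            special |= 1               # sticky bit lives in the other triad
        digits.append(value)
    octal = f"{special}{digits[0]}{digits[1]}{digits[2]}"
    return octal if special else octal[1:]


def risk_flags(mode: str) -> list[str]:
    """Flags a reviewer would raise for a file mode; uses the stat module's bit constants."""
    bits = int(mode, 8)
    flags = []
    if bits & stat.S_ISUID:
        flags.append("setuid")          # what `find / -perm -4000` matches
    if bits & stat.S_ISGID:
        flags.append("setgid")
    if bits & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


if __name__ == "__main__":
    for m in ("750", "4755", "1777", "4644", "777"):
        print(f"{m:>5}  {mode_to_symbolic(m)}  {risk_flags(m)}")
```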
Collect evidence in this order — most volatile first.
| # | Source | Volatility |
|---|---|---|
| 1 | CPU registers & cache | Most volatile |
| 2 | RAM / running processes | Very high |
| 3 | Network state / connections | High |
| 4 | Temporary file systems | Moderate |
| 5 | Hard drive / disk | Moderate |
| 6 | Remote logging data | Low |
| 7 | Physical configuration | Low |
| 8 | Archival media (backups) | Least volatile |
Know the scope and requirements of each framework.
| Framework | Scope |
|---|---|
| HIPAA | Protected Health Information (PHI) |
| PCI DSS | Payment card data |
| GDPR | EU personal data protection |
| SOX | Public company financial reporting |
| FERPA | Student education records |
| GLBA | Financial institution customer data |