CompTIA®
Cybersecurity Analyst (CySA+™)
Study Guide
Exam CS0-001
Mike Chapple
David Seidl
Senior Acquisitions Editor: Kenyon Brown
Development Editor: David Clark
Technical Editor: Robin Abernathy
Production Editor: Rebecca Anderson
Copy Editor: Elizabeth Welch
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Kim Wimpsett
Indexer: Ted Laux
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Getty Images Inc./Jeremy Woodhouse
Copyright © 2017 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-34897-9
ISBN: 978-1-119-34991-4 (ebk.)
ISBN: 978-1-119-34988-4 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2017935704
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and CySA+ are trademarks or registered trademarks of CompTIA Properties, LLC. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
I dedicate this book to my father, who was a role model of the value of hard
work, commitment to family, and the importance of doing the right thing.
Rest in peace, Dad.
—Mike Chapple
This book is dedicated to Ric Williams, my friend, mentor, and partner in
crime through my first forays into the commercial IT world. Thanks for
making my job as a “network janitor” one of the best experiences of my life.
—David Seidl
Acknowledgments
Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank senior acquisitions editor Kenyon Brown. We have worked with Ken on multiple projects and consistently enjoy our work with him.
We also greatly appreciated the editing and production team for the book, including David Clark, our developmental editor, who brought years of experience and great talent to the project, Robin Abernathy, our technical editor, who provided insightful advice and gave wonderful feedback throughout the book, and Becca Anderson, our production editor, who guided us through layouts, formatting, and final cleanup to produce a great book. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.
Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.
Finally, we would like to thank our families and significant others who support us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.
About the Authors
Mike Chapple, Ph.D., CySA+, is author of the best-selling CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Sybex, 2015) and the CISSP (ISC)² Official Practice Tests (Sybex 2016). He is an information security professional with two decades of experience in higher education, the private sector, and government.
Mike currently serves as senior director for IT Service Delivery at the University of Notre Dame. In this role, he oversees the information security, data governance, IT architecture, project management, strategic planning, and product management functions for Notre Dame. Mike also serves as Associate Teaching Professor in the university’s IT, Analytics, and Operations department, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.
Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.
Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Cybersecurity Analyst+ (CySA+), Security+, and Certified Information Systems Security Professional (CISSP) certifications.
David Seidl is the senior director for Campus Technology Services at the University of Notre Dame. As the senior director for CTS, David is responsible for central platform and operating system support, database administration and services, identity and access management, application services, email and digital signage, and document management.
During his over 20 years in information technology, he has served in a variety of leadership, technical, and information security roles, including leading Notre Dame’s information security team as Notre Dame’s director of information security. He currently teaches a popular course on networking and security for Notre Dame’s Mendoza College of Business and has written books on security certification and cyberwarfare, including co-authoring CISSP (ISC)² Official Practice Tests (Sybex 2016).
David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, and GCIH certifications.
Contents at a Glance
Introduction
Assessment Test
Chapter 1 Defending Against Cybersecurity Threats
Chapter 2 Reconnaissance and Intelligence Gathering
Chapter 3 Designing a Vulnerability Management Program
Chapter 4 Analyzing Vulnerability Scans
Chapter 5 Building an Incident Response Program
Chapter 6 Analyzing Symptoms for Incident Response
Chapter 7 Performing Forensic Analysis
Chapter 8 Recovery and Post-Incident Response
Chapter 9 Policy and Compliance
Chapter 10 Defense-in-Depth Security Architectures
Chapter 11 Identity and Access Management Security
Chapter 12 Software Development Security
Chapter 13 Cybersecurity Toolkit
Appendix A Answers to the Review Questions
Appendix B Answers to the Lab Exercises
Index
Contents
Introduction
Assessment Test
Chapter 1 Defending Against Cybersecurity Threats
  Cybersecurity Objectives
  Evaluating Security Risks
  Identify Threats
  Identify Vulnerabilities
  Determine Likelihood, Impact, and Risk
  Reviewing Controls
  Building a Secure Network
  Network Access Control
  Firewalls and Network Perimeter Security
  Network Segmentation
  Defense through Deception
  Secure Endpoint Management
  Hardening System Configurations
  Patch Management
  Group Policies
  Endpoint Security Software
  Penetration Testing
  Planning a Penetration Test
  Conducting Discovery
  Executing a Penetration Test
  Communicating Penetration Test Results
  Training and Exercises
  Reverse Engineering
  Isolation and Sandboxing
  Reverse Engineering Software
  Reverse Engineering Hardware
  Summary
  Exam Essentials
  Lab Exercises
  Activity 1.1: Create an Inbound Firewall Rule
  Activity 1.2: Create a Group Policy Object
  Activity 1.3: Write a Penetration Testing Plan
  Activity 1.4: Security Tools
  Review Questions
Chapter 2 Reconnaissance and Intelligence Gathering
  Footprinting
  Active Reconnaissance
  Mapping Networks and Discovering Topology
  Port Scanning and Service Discovery Techniques and Tools
  Passive Footprinting
  Log and Configuration Analysis
  Harvesting Data from DNS and Whois
  Information Aggregation and Analysis Tools
  Information Gathering Using Packet Capture
  Gathering Organizational Intelligence
  Organizational Data
  Electronic Document Harvesting
  Detecting, Preventing, and Responding to Reconnaissance
  Capturing and Analyzing Data to Detect Reconnaissance
  Preventing Reconnaissance
  Summary
  Exam Essentials
  Lab Exercises
  Activity 2.1: Port Scanning
  Activity 2.2: Write an Intelligence Gathering Plan
  Activity 2.3: Intelligence Gathering Techniques
  Review Questions
Chapter 3 Designing a Vulnerability Management Program
  Identifying Vulnerability Management Requirements
  Regulatory Environment
  Corporate Policy
  Identifying Scan Targets
  Determining Scan Frequency
  Configuring and Executing Vulnerability Scans
  Scoping Vulnerability Scans
  Configuring Vulnerability Scans
  Scanner Maintenance
  Developing a Remediation Workflow
  Reporting and Communication
  Prioritizing Remediation
  Testing and Implementing Fixes
  Overcoming Barriers to Vulnerability Scanning
  Summary
  Exam Essentials
  Lab Exercises
  Activity 3.1: Installing a Vulnerability Scanner
  Activity 3.2: Running a Vulnerability Scan
  Review Questions
Chapter 4 Analyzing Vulnerability Scans
  Reviewing and Interpreting Scan Reports
  Understanding CVSS
  Validating Scan Results
  False Positives
  Documented Exceptions
  Understanding Informational Results
  Reconciling Scan Results with Other Data Sources
  Trend Analysis
  Common Vulnerabilities
  Server and Endpoint Vulnerabilities
  Network Vulnerabilities
  Virtualization Vulnerabilities
  Internet of Things (IoT)
  Web Application Vulnerabilities
  Summary
  Exam Essentials
  Lab Exercises
  Activity 4.1: Interpreting a Vulnerability Scan
  Activity 4.2: Analyzing a CVSS Vector
  Activity 4.3: Remediating a Vulnerability
  Review Questions
Chapter 5 Building an Incident Response Program
  Security Incidents
  Phases of Incident Response
  Preparation
  Detection and Analysis
  Containment, Eradication, and Recovery
  Post-Incident Activity
  Building the Foundation for Incident Response
  Policy
  Procedures and Playbooks
  Documenting the Incident Response Plan
  Creating an Incident Response Team
  Incident Response Providers
  CSIRT Scope of Control
  Coordination and Information Sharing
  Internal Communications
  External Communications
  Classifying Incidents
  Threat Classification
  Severity Classification
  Summary
  Exam Essentials
  Lab Exercises
  Activity 5.1: Incident Severity Classification
  Activity 5.2: Incident Response Phases
  Activity 5.3: Developing an Incident Communications Plan
  Review Questions
Chapter 6 Analyzing Symptoms for Incident Response
  Analyzing Network Events
  Capturing Network Events
  Network Monitoring Tools
  Detecting Common Network Issues
  Handling Network Probes and Attacks
  Detecting Scans and Probes
  Detecting Denial-of-Service and Distributed Denial-of-Service Attacks
  Detecting Other Network Attacks
  Detecting and Finding Rogue Devices
  Investigating Host Issues
  System Resources
  Malware and Unauthorized Software
  Unauthorized Access, Changes, and Privileges
  Investigating Service and Application Issues
  Application and Service Monitoring
  Application and Service Issue Response and Restoration
  Detecting Attacks on Applications
  Summary
  Exam Essentials
  Lab Exercises
  Activity 6.1: Identify a Network Scan
  Activity 6.2: Write a Service Issue Response Plan
  Activity 6.3: Security Tools
  Review Questions
Chapter 7 Performing Forensic Analysis
  Building a Forensics Capability
  Building a Forensic Toolkit
  Training and Certification
  Understanding Forensic Software
  Capabilities and Application
  Conducting a Forensic Investigation
  The Forensic Process
  Target Locations
  Acquiring and Validating Drive Images
  Imaging Live Systems
  Acquiring Other Data
  Forensic Investigation: An Example
  Importing a Forensic Image
  Analyzing the Image
  Reporting
  Summary
  Exam Essentials
  Lab Exercises
  Activity 7.1: Create a Disk Image
  Activity 7.2: Conduct the NIST Rhino Hunt
  Activity 7.3: Security Tools
  Review Questions
Chapter 8 Recovery and Post-Incident Response
  Containing the Damage
  Segmentation
  Isolation
  Removal
  Evidence Gathering and Handling
  Identifying Attackers
  Incident Eradication and Recovery
  Reconstruction and Reimaging
  Patching Systems and Applications
  Sanitization and Secure Disposal
  Validating the Recovery Effort
  Wrapping Up the Response
  Managing Change Control Processes
  Conducting a Lessons-Learned Session
  Developing a Final Report
  Summary
  Exam Essentials
  Lab Exercises
  Activity 8.1: Incident Containment Options
  Activity 8.2: Incident Response Activities
  Activity 8.3: Sanitization and Disposal Techniques
  Review Questions
Chapter 9 Policy and Compliance
  Understanding Policy Documents
  Policies
  Standards
  Procedures
  Guidelines
  Exceptions and Compensating Controls
  Complying with Laws and Regulations
  Adopting a Standard Framework
  NIST Cybersecurity Framework
  ISO 27001
  Control Objectives for Information and Related Technologies (COBIT)
  Sherwood Applied Business Security Architecture (SABSA)
  The Open Group Architecture Framework (TOGAF)
  Information Technology Infrastructure Library (ITIL)
  Implementing Policy-Based Controls
  Security Control Verification and Quality Control
  Summary
  Exam Essentials
  Lab Exercises
  Activity 9.1: Policy Documents
  Activity 9.2: Using a Cybersecurity Framework
  Activity 9.3: Compliance Auditing Tools
  Review Questions
Chapter 10 Defense-in-Depth Security Architectures
  Understanding Defense in Depth
  Layered Security
  Control Types and Classification
  Implementing Defense in Depth
  Layered Security and Network Design
  Layered Host Security
  Logging, Monitoring, and Validation
  Cryptography
  Policy, Process, and Standards
  Outsourcing and Personnel Security
  Analyzing Security Architecture
  Analyzing Security Requirements
  Reviewing Architecture
  Common Issues
  Reviewing a Security Architecture
  Maintaining a Security Design
  Summary
  Exam Essentials
  Lab Exercises
  Activity 10.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet
  Activity 10.2: Review a NIST Security Architecture
  Activity 10.3: Security Architecture Terminology
  Review Questions
Chapter 11 Identity and Access Management Security
  Understanding Identity
  Identity Systems and Security Design
  Threats to Identity and Access
  Understanding Security Issues with Identities
  Attacking AAA Systems and Protocols
  Targeting Account Creation, Provisioning, and Deprovisioning
  Preventing Common Exploits of Identity and Authorization
  Acquiring Credentials
  Identity as a Security Layer
  Identity and Defense-in-Depth
  Securing Authentication and Authorization
  Detecting Attacks and Security Operations
  Understanding Federated Identity and Single Sign-On
  Federated Identity Security Considerations
  Federated Identity Design Choices
  Federated Identity Technologies
  Federation Incident Response
  Summary
  Exam Essentials
  Lab Exercises
  Activity 11.1: Federated Security Scenario
  Activity 11.2: Onsite Identity Issues Scenario
  Activity 11.3: Identity and Access Management Terminology
  Review Questions
Chapter 12 Software Development Security
  Understanding the Software Development Life Cycle
  Software Development Phases
  Software Development Models
  Designing and Coding for Security
  Common Software Development Security Issues
  Secure Coding Best Practices
  Application Testing
  Information Security and the SDLC
  Code Review Models
  Formal Code Review
  Software Security Testing
  Analyzing and Testing Code
  Web Application Vulnerability Scanning
  Summary
  Exam Essentials
  Lab Exercises
  Activity 12.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet
  Activity 12.2: Learn about Web Application Exploits from WebGoat
  Activity 12.3: SDLC Terminology
  Review Questions
Chapter 13 Cybersecurity Toolkit
  Host Security Tools
  Antimalware and Antivirus
  EMET
  Sysinternals
  Monitoring and Analysis Tools
  Syslog
  Security Information and Event Management (SIEM)
  Network Monitoring
  Scanning and Testing Tools
  Network Scanning
  Vulnerability Scanning
  Exploit Frameworks
  Password Cracking and Recovery
  Network Security Tools
  Firewalls
  Network Intrusion Detection and Prevention
  Host Intrusion Prevention
  Packet Capture
  Command-Line Network Tools
  Web Proxies
  OpenSSL
  Web Application Security Tools
  Web Application Firewalls
  Interception Proxies
  Fuzzers
  Forensics Tools
  Hashing
  Imaging
  Forensic Suites
  Mobile Forensics
  Summary
Appendix A Answers to the Review Questions
  Chapter 1: Defending Against Cybersecurity Threats
  Chapter 2: Reconnaissance and Intelligence Gathering
  Chapter 3: Designing a Vulnerability Management Program
  Chapter 4: Analyzing Vulnerability Scans
  Chapter 5: Building an Incident Response Program
  Chapter 6: Analyzing Symptoms for Incident Response
  Chapter 7: Performing Forensic Analysis
  Chapter 8: Recovery and Post-Incident Response
  Chapter 9: Policy and Compliance
  Chapter 10: Defense-in-Depth Security Architectures
  Chapter 11: Identity and Access Management Security
  Chapter 12: Software Development Security
Appendix B Answers to the Lab Exercises
  Chapter 1: Defending Against Cybersecurity Threats
  Chapter 2: Reconnaissance and Intelligence Gathering
  Chapter 4: Analyzing Vulnerability Scans
  Chapter 5: Building an Incident Response Program
  Chapter 6: Analyzing Symptoms for Incident Response
  Chapter 7: Performing Forensic Analysis
  Chapter 8: Recovery and Post-Incident Response
  Chapter 9: Policy and Compliance
  Chapter 10: Defense-in-Depth Security Architectures
  Chapter 11: Identity and Access Management Security
  Chapter 12: Software Development Security
Index
* Source: CompTIA 9th Annual Information Security Trends study: 500 U.S. IT and Business Executives Responsible for Security
** Source: CompTIA Employer Perceptions of IT Training and Certification
© 2016 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 03288-Nov2016
Why Get CompTIA Certified?
Growing Demand
Labor estimates predict some technology fields will experience growth of over 20% by the year 2020.* CompTIA certification qualifies the skills required to join this workforce.
Higher Salaries
IT professionals with certifications on their resume command better jobs, earn higher salaries and have more doors open to new multi-industry opportunities.
Verified Strengths
91% of hiring managers indicate CompTIA certifications are valuable in validating IT expertise, making certification the best way to demonstrate your competency and knowledge to employers.**
Universal Skills
CompTIA certifications are vendor neutral—which means that certified professionals can proficiently work with an extensive variety of hardware and software found in most organizations.
Certification.CompTIA.org/certifications/cybersecurity-analyst
Becoming a CompTIA Certified IT Professional is Easy
It’s also the best way to reach greater professional opportunities and rewards.
Learn more about what the exam covers by reviewing the following:
• Exam objectives for key study points.
• Sample questions for a general overview of what to expect on the exam and examples of question format.
• Visit online forums, like LinkedIn, to see what other IT professionals say about CompTIA exams.
Purchase a voucher at a Pearson VUE testing center or at CompTIAstore.com.
• Register for your exam at a Pearson VUE testing center:
• Visit pearsonvue.com/CompTIA to find the closest testing center to you.
• Schedule the exam online. You will be required to enter your voucher number or provide payment information at registration.
• Take your certification exam.
Congratulations on your CompTIA certification!
• Make sure to add your certification to your resume.
• Check out the CompTIA Certification Roadmap to plan your next career move.
Introduction
CompTIA Cybersecurity Analyst (CySA+) Study Guide provides accessible explanations and real-world knowledge about the exam objectives that make up the Cybersecurity Analyst+ certification. This book will help you to assess your knowledge before taking the exam, as well as provide a stepping-stone to further learning in areas where you may want to expand your skillset or expertise.
Before you tackle the CySA+, you should already be a security practitioner. CompTIA suggests that test takers have between 3 and 4 years of existing hands-on information security experience. You should also be familiar with at least some of the tools and techniques described in this book. You don’t need to know every tool, but understanding how to approach a new scenario, tool, or technology that you may not know using existing experience is critical to passing the CySA+ exam.
For up-to-the-minute updates covering additions or modifications to the
CompTIA certification exams, as well as additional study tools, videos,
practice questions, and bonus material, be sure to visit the Sybex website
and forum at www.sybex.com.
CompTIA
CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner, or CASP certification. CompTIA divides its exams into four different categories based on the skill level required for the exam and what topics it covers, as shown in the following table:
Foundational: IT Fundamentals
Professional: A+, Cloud+ with Virtualization, CySA+, Linux+, Mobility+, Network+, Security+, Project+, Server+
Specialty: CDIA+, CTT+, Cloud Essentials, Healthcare IT Tech
Mastery: CASP
CompTIA recommends that practitioners follow a cybersecurity career path as shown here:
CompTIA IT Fundamentals → CompTIA A+ → CompTIA Network+ → CompTIA Security+ → CompTIA CySA+ → CompTIA CASP
As you can see, despite the A+, Network+, and Security+ falling into the Professional certification category, the Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.
CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the Security+ and the CASP, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department’s Skills Incentive Program.
The Cybersecurity Analyst+ Exam
The Cybersecurity Analyst+ exam, which CompTIA refers to as the CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as Security Operations Center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers four major domains: Threat Management, Vulnerability Management, Cyber