CASP+
Order of Volatility
"Guidelines for Evidence Collection and Archiving," is as follows: 1. Memory contents (registers, cache) 2. Swap files 3. Routing table, ARP cache, process table, and kernel statistics 4. File system information (including temporary file systems) 5. Raw disk blocks 6. Remote logging and monitoring data 7. Physical configuration and network topology 8. Archival media (backup media, CDs, DVDs)
Infrastructure as a Service
(IaaS) involves the vendor providing the hardware platform or data center and the company installing and managing its own operating systems and application systems. The vendor simply provides access to the data center and maintains that access.
Platform as a Service
(PaaS) involves the vendor providing the hardware platform or data center and the software running on the platform. This includes the operating systems and infrastructure software. The company is still involved in managing the system
Software as a Service
(SaaS) involves the vendor providing the entire solution. This includes the operating system, infrastructure software, and application. The vendor may provide you with an email system, for example, in which the vendor hosts and manages everything for you
Blowfish
(Symmetric) Blowfish is a block cipher that uses 64-bit data blocks with anywhere from 32- to 448-bit encryption keys. Blowfish performs 16 rounds of transformation. Initially developed with the intention of serving as a replacement for DES, Blowfish is one of the few algorithms that is not patented.
Twofish
(Symmetric) Twofish is a version of Blowfish that uses 128-bit data blocks using 128-, 192-, and 256-bit keys. It uses 16 rounds of transformation. Like Blowfish, Twofish is not patented.
RC4
(Symmetric) RC4, also called ARC4, is one of the most popular stream ciphers. It is used in SSL and WEP. RC4 uses a variable key size of 40 to 2,048 bits and up to 256 rounds of transformation.
RC5
(Symmetric) RC5 is a block cipher that uses a key size of up to 2,048 bits and up to 255 rounds of transformation. Block sizes supported are 32, 64, and 128 bits. Because of all the possible variables in RC5, the industry often uses an RC5-w/r/b designation, where w is the block size, r is the number of rounds, and b is the number of 8-bit bytes in the key. For example, RC5-64/16/16 denotes a 64-bit word (or 128-bit data blocks), 16 rounds of transformation, and a 16-byte (128-bit) key.
Diffie-Hellman
(asymmetric) Diffie-Hellman is responsible for the key agreement process, which includes the following steps: 1. John and Sally need to communicate over an encrypted channel and decide to use Diffie-Hellman. 2. John generates a private key and a public key, and Sally generates a private key and a public key. 3. John and Sally share their public keys with each other. 4. An application on John's computer takes John's private key and Sally's public key and applies the Diffie-Hellman algorithm, and an application on Sally's computer takes Sally's private key and John's public key and applies the Diffie-Hellman algorithm. 5. Through this application, the same shared value is created for John and Sally, which in turn creates the same symmetric key on each system, using the asymmetric key agreement algorithm. Diffie-Hellman is susceptible to man-in-the-middle attacks unless an organization implements digital signatures or digital certificates for authentication at the beginning of the Diffie-Hellman process.
El Gamal
(asymmetric) El Gamal is an asymmetric key algorithm based on the Diffie-Hellman algorithm. Like Diffie-Hellman, El Gamal deals with discrete logarithms. However, whereas Diffie-Hellman can only be used for key agreement, El Gamal can provide key exchange, encryption, and digital signatures.
ECC
(asymmetric) Elliptic Curve Cryptosystem (ECC) provides secure key distribution, encryption, and digital signatures. The elliptic curve's size defines the difficulty of the problem. Although ECC can use a key of any size, it can use a much smaller key than RSA or any other asymmetric algorithm and still provide comparable security. Therefore, the primary benefit promised by ECC is a smaller key size, which means reduced storage and transmission requirements. ECC is more efficient and provides better security than RSA keys of the same size.
RSA
(asymmetric) The most popular asymmetric algorithm, RSA, was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers. As a key exchange protocol, RSA encrypts a DES or AES symmetric key for secure distribution. RSA uses a one-way function to provide encryption/decryption and digital signature verification/generation. The public key works with the one-way function to perform encryption and digital signature verification. The private key works with the one-way function to perform decryption and signature generation. In RSA, the one-way function is a trapdoor. The private key knows the one-way function. The private key is capable of determining the original prime numbers. Finally, the private key knows how to use the one-way function to decrypt the encrypted message.
Strategies for penetration testing
- Blind test: The testing team is provided with limited knowledge of the network systems and devices and performs the test using publicly available information only. The organization's security team knows that an attack is coming. This test requires more effort from the testing team. - Double-blind test: This test is like a blind test, except the organization's security team does not know that an attack is coming. This test usually requires equal effort from both the testing team and the organization's security team. - Target test: Both the testing team and the organization's security team are given maximum information about the network and the type of test that will occur. This is the easiest test to complete but does not provide a full picture of the organization's security.
Network Analysis
- Communications analysis: This involves analyzing communication over a network by capturing all or part of the communication and searching for particular types of activity. - Log analysis: This involves analyzing network traffic logs. - Path tracing: This involves tracing the path of a particular traffic packet or traffic type to discover the route used by the attacker.
Software Analysis
- Content analysis: This involves analyzing the content of software, particularly malware, to determine the purpose for which the software was created. - Reverse engineering: This involves retrieving the source code of a program to study how the program performs certain operations. - Author identification: This involves attempting to determine the software's author. - Context analysis: This involves analyzing the environment the software was found in to discover clues related to determining risk.
sales staff security solutions
- Create a virtual private network (VPN) to allow the remote sales staff to connect to the organization's network. - Implement full disk encryption on all mobile devices issued to the sales staff. - Implement geolocation/GPS location tracking for all mobile devices issued to the sales staff. - Implement remote lock and remote wipe for all mobile devices issued to the sales staff.
Merger and Demerger/Divestiture
- Defining a plan to set and measure security controls at every step of the process - Identifying gaps and overlaps in security between the two firms - Creating a risk profile for all identified risks involved in moving data - Prioritizing processes and identifying those that require immediate attention - Ensuring that auditors and the compliance team are utilizing matching frameworks
Best Practices
- Disable or rename the default accounts, including any administrator or guest accounts. - Change the default passwords for any default accounts. - Regularly update the software or firmware for all devices with the latest patches and hot fixes. - Implement firewalls when necessary, both at the network and device levels. - Disable remote login ability unless absolutely necessary. If it is necessary, ensure that you have changed default settings, including accounts and passwords. - Implement encryption to protect data. - Configure auditing. - Review audit and security logs on a regular basis. - Disable all unnecessary services and protocols.
Media Analysis
- Disk imaging: This involves creating an exact image of the contents of a hard drive. - Slack space analysis: This involves analyzing the slack (marked as empty or reusable) space on the drive to see whether any old (marked for deletion) data can be retrieved. - Content analysis: This involves analyzing the contents of the drive and gives a report detailing the types of data by percentage. - Steganography analysis: This involves analyzing the files on a drive to see whether the files have been altered or to discover the encryption used on the file.
Patch Management
- Hot fixes: These security patches are updates that solve a security issue and should be applied immediately if the issue they resolve is relevant to the system. - Updates: An update solves a functionality issue rather than a security issue. - Service packs: A service pack includes all updates and hot fixes since the release of the operating system.
Authentication Factors
- Knowledge factor authentication: Something a person knows - Ownership factor authentication: Something a person has - Characteristic factor authentication: Something a person is - Location factor authentication: Somewhere a person is - Action factor authentication: Something a person does
net admin security solutions
- Protecting data from attackers should be a primary concern for a network administrator. - Administrators should know who is on their network, which devices are connected, and who accesses the devices. - Attend security awareness training that is focused on issues that the network administrators will encounter, including network security, new attack vectors and threats, new security devices and techniques, password protection, and social engineering. - Have two accounts: admin and user.
Security Requirements for Contracts
- Required policies, practices, and procedures related to handling organizational data - Training or certification requirements for any third-party personnel - Background investigation or security clearance requirements for any third-party personnel - Required security reviews of third-party devices - Physical security requirements for any third-party personnel - Laws and regulations that will affect the contract
Telecommuting
- VPN - Increases security risk if using a non-company computer to access the internal company network
Privilege Escalation
- Vertical privilege escalation: This occurs when a lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications. - Horizontal privilege escalation: This occurs when a normal user accesses functions or content reserved for other normal users.
review of the effectiveness of the security controls
- Which security controls are we using? - How can these controls be improved? - Are these controls necessary? - Have any new issues arisen? - Which security controls can be deployed to address the new issues?
Penetration testing categories
- Zero-knowledge test: The testing team is provided with no knowledge regarding the organization's network. The testing team can use any means at its disposal to obtain information about the organization's network. This is also referred to as closed or black-box testing. - Partial-knowledge test: The testing team is provided with public knowledge regarding the organization's network. Boundaries may be set for this type of test. - Full-knowledge test: The testing team is provided with all available knowledge regarding the organization's network. This test is focused on what attacks can be carried out
Buffer Overflow
- An attack that occurs when the amount of data that is submitted is larger than the buffer can handle. - This type of attack is possible because of poorly written application or operating system code. - Can result in an injection of malicious code, primarily either a denial-of-service (DoS) attack or a SQL injection.
Memory Leaks
- The application mismanages the memory. - By not returning the allocated memory to the operating system, memory is exhausted. It also can result in objects that have been stored in memory becoming inaccessible to the application.
database admin security solutions
- Attend security awareness training that is focused on issues that the database administrators will encounter, including database security, secure database design, password protection, and social engineering. - Have two accounts: admin and user. - Database administrators should consider implementing some form of encryption.
BYOD
- bring your own device - An initiative undertaken by many organizations to allow the secure use of personal devices on a corporate network.
Human Resources sec solutions
- clean-desk policies and locking screensavers - training on laws, and security best practices
Management/Executive Management sec solutions
- communicate with all these groups regarding the security issues that an organization faces and must be able to translate those issues into security requirements and goals - complete the appropriate research to ensure that the security controls that he or she suggests fit the organization's goals and the reasons behind the decision are valid - attend security training
De-perimeterization
- constantly changing network boundaries - introduction of wireless networks, portable network devices, virtualization, and cloud service providers has rendered the network boundary and attack surface increasingly porous
Financial sec solutions
- isolate the accounting department from other departments to ensure that the data is not compromised - adopt a clean-desk policy to ensure that others cannot obtain information - periodically obtain training to ensure that their skill level is maintained and that they understand new laws or regulations that may affect the organization's financial record-keeping methods
Performance
- The manner in which or the efficiency with which a device or technology reacts or fulfills its intended purpose. - An organization should determine the performance level that should be maintained on each device and on the enterprise as a whole. - Any security solutions that are deployed should satisfy the established performance requirements.
3DES Modes
- 3DES-EEE3: Each block of data is encrypted three times, each time with a different key. - 3DES-EDE3: Each block of data is encrypted with the first key, decrypted with the second key, and encrypted with the third key. - 3DES-EEE2: Each block of data is encrypted with the first key, encrypted with the second key, and finally encrypted again with the first key. - 3DES-EDE2: Each block of data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the first key.
IPv6 and Associated Transitional Technologies
- 6 to 4: This allows IPv6 sites to communicate with each other over an IPv4 network. IPv6 sites communicate with native IPv6 domains via relay routers. This effectively treats a wide area IPv4 network as a unicast point-to-point link layer. - Teredo: This assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators (NATs). - Dual Stack: This solution runs both IPv4 and IPv6 on networking devices. - GRE tunnels: Generic Routing Encapsulation (GRE) can be used to carry IPv6 packets across an IPv4 network by encapsulating them in GRE IPv4 packets.
Key Stretching
- A cryptographic technique that makes a weak key stronger by increasing the time it takes to test each possible key. In key stretching, the original key is fed into an algorithm to produce an enhanced key, which should be at least 128 bits for effectiveness. - Systems include Pretty Good Privacy (PGP), GNU Privacy Guard (GPG), Wi-Fi Protected Access (WPA), and WPA2. Widely used algorithms are Password-Based Key Derivation Function 2 (PBKDF2), bcrypt, and scrypt.
Measured Launch
- A measured launch is a launch in which the software and platform components have been identified, or "measured," using cryptographic techniques. - The resulting values are used at each boot to verify trust in those components. - A measured launch is designed to prevent attacks on these components (system and BIOS code) or at least to identify when these components have been compromised.
resource exhaustion
- A state that occurs when a computer is out of memory, CPU cycles, and/or bandwidth - The goal of DoS attacks
Cloud Storage
- Cloud storage locates the data on a central server, but the key difference is that the data is accessible from anywhere and in many cases from a variety of device types. Moreover, cloud solutions typically provide fault tolerance. Cloud storage has a number of security issues: - Inability to apply and manage access controls and security policies in the provider cloud. A strict service-level agreement (SLA) detailing security configurations should be implemented. - Data at risk traveling across the public Internet. Sensitive traffic should be encrypted. - Potential theft of physical machines holding the data. The physical security of the solution should be a prime consideration when selecting a provider.
Hashing
- Involves running data through a cryptographic function to produce a one-way message digest. - The message digest represents the data but cannot be reversed in order to determine the original data. - Because the message digest is unique, it can be used to check data integrity.
MD5
-Like the other MD algorithms, this algorithm produces a 128-bit hash value. It performs four rounds of computations. It was originally created because of the issues with MD4, and it is more complex than MD4. However, it is not collision free.
IPv6
- Security: IPsec is built into the standard; it's not an add-on. - Larger address space: There are enough IPv6 addresses for every man, woman, and child on the face of the earth to each have the number of IP addresses that were available in IPv4. - Stateless autoconfiguration: It is possible for IPv6 devices to create their own IPv6 address, either link-local or global unicast. - Better performance: Performance is better due to the simpler header.
SANs
- Storage area networks (SANs) are comprised of high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using a storage-specific switch. This storage information architecture addresses the collection of data, management of data, and use of data. Security issues with SANs include the following: - In the absence of an internal security mechanism that can compensate for a nonsecure client, the security of the data is only as secure as the OS of the client. - Fibre Channel provides no security against spoofing attacks. - Fibre Channel and Fibre Channel Protocol (FCP) allow several methods by which a determined and knowledgeable attacker can steal or destroy SAN data, given the ability to alter device driver code in a SAN client. Security best practices for SANs include the following: - Ensure that the level of security is consistent across all components, including clients. - Use logical unit number (LUN) masking to restrict access and visibility when indicated. LUN masking hides or makes unavailable groups of storage devices from all but devices with approved access. - Segregate sensitive data by using partitioning and zoning. - Secure management access and access paths.
MD4
- This algorithm also produces a 128-bit hash value. However, it performs only three rounds of computations. Although faster than MD2, its use has significantly declined because attacks against it have been very successful.
MD6
-This algorithm produces a variable hash value, performing a variable number of computations. Although it was originally introduced as a candidate for SHA-3, it was withdrawn because of early issues the algorithm had with differential attacks.
MD2
-This message digest algorithm produces a 128-bit hash value. It performs 18 rounds of computations. Although MD2 is still in use today, it is much slower than MD4, MD5, and MD6.
Host Hardening
-Unnecessary applications should be removed. - Unnecessary services should be disabled. - Unrequired ports should be blocked. - The connecting of external storage devices and media should be tightly controlled, if allowed at all. - Unnecessary accounts should be disabled. - Default accounts should be renamed, if possible. - Default passwords for default accounts should be changed.
Virtual Storage
-When multiple physical locations are pooled from multiple network storage devices and presented to users as a single storage location, storage virtualization has been implemented. -The additional layers of technology required by virtual storage increase management overhead (and the chance of misconfiguration) by necessitating additional points at which to apply security controls. This can be mitigated through strict change management processes. - Challenges involved in managing large numbers of virtual instances and snapshots. Major vendors have helped to reduce the complexity of this with the development of robust management tools. - Potential loss of visibility into the guest operating systems and the network traffic in the virtualized environment. It is possible to purposely expose network traffic between virtualized hosts to the physical network by using multiple interfaces on the system running the hypervisor. The cost for gaining this visibility is a decrease in performance.
Data Warehousing
- The process of combining data from multiple databases or data sources in a central location called a warehouse. The warehouse is used to carry out analysis. The data is not simply combined but is processed and presented in a more useful and understandable way. Data warehouses require more stringent security since the data is not dispersed but located in a central location. Three measures should be taken when using data warehousing applications: - Control metadata from being used interactively. - Monitor the data purging plan. - Reconcile data moved between the operations environment and the data warehouse.
Data Archiving
- The process of identifying old or inactive data and relocating it to specialized long-term archival storage systems. This frees up space and increases performance in the production environment while retaining the inactive data for regulatory or organizational requirements. The following are security issues that warrant attention with archiving systems: - Weak access controls on the archive servers, leading to stolen data: Strong authentication and physical security must be implemented. - Inadequate physical protection of tape copies: Tapes should be securely stored offsite. - Overreliance on a single form of media: A mix of media types, including tape, DVD, and network storage, should be considered. - Inadequate logging by the archiving software: This should be a prime consideration and requirement when selecting an archive product. - Unencrypted sensitive data: Encryption can and should be used when sensitive data is involved.
Build and Fix
- Old way, discredited - Product rushed to market then fixed as errors were discovered - Not cost effective over time
Integrity Measurement Architecture (IMA)
- Open source trusted computing component - Creates a list of components and anchors the list to the TPM chip. It can use the list to attest to the system's runtime integrity. Anchoring the list to the TPM chip in hardware prevents its compromise.
programmer security solutions
- Programmers should obtain periodic training on the latest security coding techniques. - Programmers should adhere to design specifications for all software developed, and security practitioners should ensure that the design specifications include security requirements.
SLE
- Single loss expectancy - The monetary impact of a threat occurrence. - The equation is SLE = AV × EF. For example, an organization has a web server farm with an AV of $20,000. If the risk assessment has determined that a power failure is a threat agent for the web server farm and the exposure factor for a power failure is 25%, the SLE for this event equals $5,000.
Java Applets
- Small server-side component created using Java that runs in a web browser. - Java Virtual Machine (JVM), which must be present - JVM executes the applet in a protected environment called a sandbox
Snapshots
- Their real value comes in the ability to capture only the data that has changed since the last full snapshot. - Read-only snapshots are typically used in mission-critical environments because they allow read-write operations to continue. - Read-write snapshots, or branching snapshots, create a point-in-time version of the data. They are useful in virtualization scenarios because they allow you to return a system to an earlier point in time if necessary.
ACL rule construction
1. The type of traffic 2. The source of the traffic 3. The destination of the traffic 4. The action to take on the traffic
Commercial Business Classifications
1. Confidential 2. Private 3. Sensitive 4. Public - Data that is confidential includes trade secrets, intellectual data, application programming code, and other data that could seriously affect the organization if unauthorized disclosure occurred. - Confidential data is exempt from disclosure under the Freedom of Information Act. - Data that is private includes any information related to personnel (including human resources records, medical records, and salary information) that is used only within the organization.
Incident Response
1. Detect. The first step is to detect the incident. The worst sort of incident is one that goes unnoticed. 2. Respond. The response to the incident should be appropriate for the type of incident. Establish standard responses and response times ahead of time. 3. Report. All incidents should be reported within a time frame that reflects the seriousness of the incident. Exercising attention to detail at this early stage while time-sensitive information is still available is critical. 4. Recover. Recovery involves a reaction designed to make the network or system affected functional again. Exactly what that means depends on the circumstances. The main goal of this step is to make all resources available again. 5. Remediate. This step involves eliminating any residual danger or damage to the network that still might exist. These measures are designed to make a more detailed mitigation when time allows. 6. Review. Finally, review each incident to discover what could be learned from it. Changes to procedures might be called for. Share lessons learned with all personnel who might encounter the same type of incident again. Complete documentation and analysis are the goals of this step.
performing a penetration test
1. Document information about the target system or device. 2. Gather information about attack methods against the target system or device. 3. Identify the known vulnerabilities of the target system or device. 4. Execute attacks against the target system or device to gain user and privileged access. 5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.
Change Monitoring
1. Submit/resubmit a change request. 2. Review the change request. 3. Coordinate the change. 4. Implement the change. 5. Measure the results of the change.
Military and Government Classifications
1. Top secret: gravely damage national security if disclosed 2. Secret: seriously damage national security 3. Confidential: seriously affect the government 4. Sensitive but unclassified: PII 5. Unclassified
802.1x
802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses three components: - Supplicant: The user or device requesting access to the network - Authenticator: The device through which the supplicant is attempting to access the network - Authentication server: The centralized device that performs authentication
cipher block chaining (CBC)
A DES mode in which each 64-bit block is chained together because each resultant 64-bit ciphertext block is applied to the next block. So plaintext message block 1 is processed by the algorithm using an initialization vector (IV). The resultant ciphertext message block 1 is XORed with plaintext message block 2, resulting in ciphertext message 2. This process continues until the message is complete.
counter mode
A DES mode similar to OFB mode that uses an incrementing IV counter to ensure that each block is encrypted with a unique keystream. Also, the ciphertext is not chained into the encryption process. Because this chaining does not occur, CTR performance is much better than the other modes.
cipher feedback (CFB)
A DES mode that works with 8-bit (or smaller) blocks and uses a combination of stream ciphering and block ciphering. As with CBC, the first 8-bit block of the plaintext message is XORed by the algorithm using a keystream, which is the result of an IV and the key. The resultant ciphertext message is applied to the next plaintext message block.
output feedback (OFB)
A DES mode that works with 8-bit (or smaller) blocks and uses a combination of stream ciphering and block ciphering. However, it uses the previous keystream with the key to create the next keystream.
Man-in-the-Middle (MITM) Attacks
A MITM attack is an attack carried out by an active attacker who listens to the communication between two communicators and changes the contents of this communication. While performing this attack, the attacker pretends to be one of the parties to the other party.
Federal Information Processing Standard (FIPS) 199
A U.S. government standard for categorizing information assets for confidentiality, integrity, and availability.
full backup
A backup in which all data is backed up, and the archive bit for each file is cleared.
incremental backup
A backup in which all files that have been changed since the last full or incremental backup are backed up, and the archive bit for each file is cleared. Shorter time to back up, longer time to restore (it requires a full and all incrementals since the full).
Birthday Attacks
A birthday attack uses the premise that finding two messages that result in the same hash value is easier than matching a message and its hash value. Most hash algorithms can resist simple birthday attacks.
policy
A broad rule that provides the foundation for development of standards, baselines, guidelines, and procedures. A policy is an information security governance component that outlines goals but does not give any specific ways to accomplish the stated goals.
Chosen Ciphertext Attacks
A chosen ciphertext attack is the opposite of a chosen plaintext attack. In a chosen ciphertext attack, an attacker chooses the ciphertext to be decrypted to obtain the plaintext. This attack is more difficult because control of the system that implements the algorithm is needed.
countermeasure
A control that is implemented to reduce potential risk.
logical deployment diagram
A diagram that shows the architecture, including the domain architecture with the existing domain hierarchy, names, and addressing scheme; server roles; and trust relationships.
physical deployment diagram
A diagram that shows the details of physical communication links, such as cable length, grade, and wiring paths; servers, with computer name, IP address (if static), server role, and domain membership; device location, such as printer, hub, switch, modem, router and bridge, and proxy location; communication links and the available bandwidth between sites; and the number of users at each site, including mobile users.
Digital Signatures
A digital signature is a hash value encrypted with the sender's private key. A digital signature provides authentication, non-repudiation, and integrity. A blind signature is a form of digital signature where the contents of the message are masked before it is signed. The process for creating a digital signature is as follows: 1. The signer obtains a hash value for the data to be signed. 2. The signer encrypts the hash value using her private key. 3. The signer attaches the encrypted hash and a copy of her public key in a certificate to the data and sends the message to the receiver. The process for verifying the digital signature is as follows: 1. The receiver separates the data, encrypted hash, and certificate. 2. The receiver obtains the hash value of the data. 3. The receiver verifies that the public key is still valid using the PKI. 4. The receiver decrypts the encrypted hash value using the public key. 5. The receiver compares the two hash values. If the values are the same, the message has not been changed.
third-party connection agreement
A document that spells out exactly the security measures that should be taken with respect to the handling of data exchanged between the parties. This is a document that should be executed in any instance where a partnership involves depending upon another entity to secure company data.
Dual-Homed Firewalls
A dual-homed firewall has two network interfaces: one pointing to the internal network and another connected to the untrusted network. In many cases, routing between these interfaces is turned off. The firewall software will allow or deny traffic between the two interfaces based on the firewall rules configured by the administrator. The danger of relying on a single dual-homed firewall is that there is a single point of failure.
Factoring Attacks
A factoring attack is carried out against the RSA algorithm by using the solutions of factoring large numbers.
SHA-2
A family of hash functions, each of which provides different functional limits. The SHA-2 family is as follows: - SHA-224: Produces a 224-bit hash value after performing 64 rounds of computations on 512-bit blocks. - SHA-256: Produces a 256-bit hash value after performing 64 rounds of computations on 512-bit blocks. - SHA-384: Produces a 384-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. - SHA-512: Produces a 512-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. - SHA-512/224: Produces a 224-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. The 512 designation here indicates the internal state size. - SHA-512/256: Produces a 256-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. Once again, the 512 designation indicates the internal state size.
Federation
A federated identity is a portable identity that can be used across businesses and domains. In federated identity management, each organization that joins the federation agrees to enforce a common set of policies and standards. These policies and standards define how to provision and manage user identification, authentication, and authorization. Providing disparate authentication mechanisms with federated IDs has the lowest up-front development cost compared to other methods, such as a PKI or attestation.
three-legged firewall
A firewall configuration that has three interfaces: one connected to the untrusted network, one to the internal network, and the last to a part of the network called a demilitarized zone (DMZ).
Forensic Tasks
A forensic investigation involves the following steps: 1. Identification 2. Preservation 3. Collection 4. Examination 5. Analysis 6. Presentation 7. Decision
Asynchronous JavaScript and XML (AJAX)
A group of interrelated web development techniques used on the client side to create asynchronous web applications. An AJAX application introduces an intermediary—the AJAX engine—between the user and the server. Instead of loading a web page at the start of the session, the browser loads an AJAX engine. The AJAX engine allows the user's interaction with the application to happen asynchronously (that is, independently of communication with the server).
Click-Jacking
A hacker using a click-jack attack will craft a transparent page or frame over a legitimate-looking page that entices the user to click something. When the user does, the click really goes to a different URL. In many cases, the site or application may entice the user to enter credentials that could be used later by the attacker.
HSM
A hardware security module (HSM) is an appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing. It attaches directly to a computer or server. There are some drawbacks to an HSM, including the following: - High cost - Lack of a standard for the strength of the random number generator - Difficulty in upgrading
HBA Allocation
A host bus adapter (HBA) connects a computer to a storage network and is associated with data transfers. HBAs have World Wide Names (WWNs) that identify them much like MAC addresses. HBAs have two types of these: one that identifies the HBA and is used by all ports on the HBA and one that identifies each port on the HBA.
LUN Masking/Mapping
A logical unit number (LUN) identifies a device addressed by the SCSI protocol or protocols that encapsulate SCSI, such as Fiber Channel or iSCSI. LUN masking or mapping is the process of controlling access to a LUN by effectively "hiding" its existence from those who should not have access. This makes the storage available to some hosts but not to others.
HAVAL
A one-way function that produces variable-length hash values, including 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits, and uses 1,024-bit blocks. The number of rounds of computations can be three, four, or five. Collision issues have been discovered while producing a 128-bit hash value with three rounds of computations. All other variations do not have any discovered issues as of this printing.
Simple Object Access Protocol (SOAP)
A protocol specification for exchanging structured information in the implementation of web services in computer networks. - The SOAP processing model: Defines the rules for processing a SOAP message - The SOAP extensibility model: Defines the concepts of SOAP features and SOAP modules - The SOAP binding framework: Describes the rules for defining a binding to an underlying protocol that can be used for exchanging SOAP messages between SOAP nodes - The SOAP message: Defines the structure of a SOAP message
Chain of Trust/Root of Trust
A public key infrastructure (PKI) includes systems, software, and communication protocols that distribute, manage, and control public key cryptography. When implementing a PKI, most organizations rely on a hierarchical chain-of-trust model that uses a minimum of three components: certificate authorities (CAs), registration authorities (RAs), and a central directory/distribution management mechanism.
Quantitative Risk Analysis
A quantitative risk analysis assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, and safeguard costs. Equations are used to determine total and residual risks.
trusted platform module (TPM)
A security chip installed on a computer's motherboard that is responsible for managing symmetric and asymmetric keys, hashes, and digital certificates. The memory used in a TPM chip is as follows: - Endorsement key (EK): The EK is persistent memory installed by the manufacturer that contains a public/private key pair. - Storage root key (SRK): The SRK is persistent memory that secures the keys stored in the TPM. - Attestation identity key (AIK): The AIK is versatile memory that ensures the integrity of the EK. - Platform configuration register (PCR) hash: A PCR hash is versatile memory that stores data hashes for the sealing function. - Storage keys: A storage key is versatile memory that contains the keys used to encrypt the computer's storage, including hard drives, USB flash drives, and so on.
Corrective controls
A security control that reduces the effect of an attack or other undesirable event. Corrective controls are useful after an event has occurred. Examples: installing fire extinguishers, isolating or terminating a connection.
job rotation
A security measure which ensures that more than one person fulfills the job tasks of a single position within an organization. It involves training multiple users to perform the duties of a position to help prevent fraud by any individual employee.
least privilege
A security principle which requires that a user or process be given only the minimum access privilege needed to perform a particular task. Organizational rules that support the principle of least privilege include the following: - Keep the number of administrative accounts to a minimum. - Administrators should use normal user accounts when performing routine operations. - Permissions on tools that are likely to be used by attackers should be as restrictive as possible.
ISO 27000
A security program development standard on how to develop and maintain an information security management system (ISMS). These standards provide guidance to organizations in integrating security into the development and maintenance of software applications. The series establishes information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Also known as ISO/IEC 27000.
chain of custody
A series of documents that shows who controlled the evidence, who secured the evidence, and who obtained the evidence.
JavaScript Object Notation (JSON)
A simple text-based message format that is often used with RESTful web services. - Size: REST/JSON is a lot smaller and less bloated than SOAP/XML. Therefore, much less data is passed over the network, which is particularly important for mobile devices. - Efficiency: REST/JSON makes it easier to parse data, thereby making it easier to extract and convert the data. As a result, it requires much less from the client's CPU. - Caching: REST/JSON provides improved response times and server loading due to support from caching. - Implementation: REST/JSON interfaces are much easier than SOAP/XML to design and implement.
security requirements traceability matrix (SRTM)
A spreadsheet-like report that documents the security requirements that a new asset must meet.
secure boot
A standard developed by the PC industry to help ensure that a PC boots using only software that is trusted by the PC manufacturer.
IPSec (Internet Protocol Security)
A suite of protocols that establishes a secure channel between two devices. Commonly implemented over VPNs. Includes Authentication Header (AH), Encapsulating Security Payload (ESP), and security associations. AH provides authentication and integrity, whereas ESP provides authentication, integrity, and encryption (confidentiality).
supervisory control and data acquisition (SCADA)
A system used to remotely control industrial equipment with coded signals. It is a type of industrial control system (ICS). It includes the following components: - Sensors: Sensors typically have digital or analog I/O and are not in a form that can be easily communicated over long distances. - Remote terminal units (RTUs): RTUs connect to the sensors and convert sensor data to digital data, including telemetry hardware. - Programmable logic controllers (PLCs): PLCs connect to the sensors and convert sensor data to digital data; they do not include telemetry hardware. - Telemetry system: Such a system connects RTUs and PLCs to control centers and the enterprise. - Human interface: Such an interface presents data to the operator.
external actor
A threat actor that comes from outside the organization. - Anarchist - Competitor - Corrupt government official - Data miner - Government cyber warrior - Irrational individual - Legal adversary - Mobster - Activist - Terrorist - Vandal
internal actor
A threat actor that comes from within an organization. - Reckless employee - Untrained employee - Partner - Disgruntled employee - Internal spy - Government spy - Vendor - Thief
risk assessment
A tool used in risk management to identify vulnerabilities and threats, assess the impact of those vulnerabilities and threats, and determine which controls to implement. Risk assessment or analysis has four main steps: 1. Identify assets and asset value. 2. Identify vulnerabilities and threats. 3. Calculate threat probability and business impact. 4. Balance threat impact with countermeasure cost.
electronic code book (ECB)
A version of DES in which 64-bit blocks of data are processed by the algorithm using the key. The ciphertext produced can be padded to ensure that the result is a 64-bit block.
WAF
A web application firewall (WAF) applies rule sets to an HTTP conversation. These rule sets cover common attack types to which these session types are susceptible. Among the common attacks they address are cross-site scripting and SQL injections.
Wildcard Certificate
A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. The advantages of using a wildcard certificate include: - The wildcard certificate can secure unlimited subdomains. - While wildcard certificates do cost more than single certificates, buying a wildcard certificate is often much cheaper than buying separate certificates for each subdomain. In some cases, it is possible to purchase an unlimited server license, so you only buy one wildcard certificate to use on as many web servers as necessary. - A wildcard certificate is much easier to manage, deploy, and renew than separate certificates for each subdomain. There are, however, some important disadvantages to using wildcard certificates: - If one server in one subdomain is compromised, then all the servers in all the subdomains that used the same wildcard certificate are compromised. - Some popular mobile device operating systems do not recognize the wildcard character (*) and cannot use a wildcard certificate.
ACLs
ACLs are rule sets that can be implemented on firewalls, switches, and other infrastructure devices to control access. When creating ACL rule sets, keep the following design considerations in mind: - The order of the rules is important. If traffic matches a rule, the action specified by the rule will be applied, and no other rules will be read. Place more specific rules at the top of the list and more general rules at the bottom. - On many devices (such as Cisco routers), an implied deny all rule is located at the end of all ACLs. If you are unsure, it is always best to configure an explicit deny all rule at the end of an ACL list. - It is also possible to log all traffic that meets any of the rules.
due care
Actions exhibited when an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur.
due diligence
Actions which ensure that an organization understands the security risks it faces.
Administrative (Management) Controls
Administrative, or management, controls are implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management. These controls are commonly referred to as soft controls. Specific examples are personnel controls, data classification, data labeling, security awareness training, and supervision.
service-level agreements (SLAs)
Agreements about the ability of a support system to respond to problems within a certain time frame while providing an agreed level of service.
Algebraic Attacks
Algebraic attacks rely on the algebra used by cryptographic algorithms. If an attacker exploits known vulnerabilities of the algebra used, looking for those vulnerabilities can help the attacker determine the key and algorithm used.
Electronic Inventory and Asset Control
All equipment should be inventoried, and all relevant information about each device should be maintained and kept up-to-date.
Data Retention Policies
All organizations need procedures in place for the retention and destruction of data. Data retention and destruction must follow all local, state, and government regulations and laws.
RAID 1
Also called disk mirroring, RAID 1 uses two disks and writes a copy of the data to both disks, providing fault tolerance in the case of a single drive failure.
RAID 0
Also called disk striping, this method writes the data across multiple drives. While it improves performance, it does not provide fault tolerance.
Protocol analyzers
Also called sniffers, these devices can capture raw data frames from a network. They can be used as a security and performance tool. Many protocol analyzers can organize and graph the information they collect.
Security/Group Policy Implementation
Among the advantages provided by the granular control available in the GPMC are: - Ability to allow or disallow the inheritance of a policy from one container in Active Directory to one of its child containers - Ability to filter out specific users or computers from a policy's effect - Ability to delegate administration of any part of the Active Directory namespace to an administrator - Ability to use Windows Management Instrumentation (WMI) filters to exempt computers of a certain hardware type from a policy The following are some of the notable policies that relate to security: - Account Policies: These policies include password policies, account lockout policies, and Kerberos authentication policies. - Local Policies: These policies include audit, security, and user rights policies that affect the local computer. - Event Log: This log controls the behavior of the event log. - Restricted Groups: This is used to control the membership of sensitive groups. - Systems Services: This is used to control the access to and behavior of system services. - Registry: This is used to control access to the registry. - File System: This includes security for files and folders and controls security auditing of files and folders. - Public Key Policies: This is used to control behavior of a PKI. - Internet Protocol Security Policies on Active Directory: This is used to create IPsec policies for servers.
VM escape
An attack in which the attacker "breaks out" of a VM's normally isolated state and interacts directly with the hypervisor.
Zero-day attack
An attack on a vulnerable security component of an application or operating system that targets a vulnerability not yet known to the developers of the software.
SQL injection attack
An attack that inserts, or "injects," a SQL query as the input data from a client to an application. Results can be reading sensitive data from the database, modifying database data, executing administrative operations on the database, recovering the content of a given file, and in some cases issuing commands to the operating system.
client-side attack
An attack that targets vulnerabilities in a client's applications that work with the server. It can occur only if the client makes a successful connection with the server.
threat actor
An entity that discovers and/or exploits vulnerabilities. Not all threat actors will actually exploit an identified vulnerability. The FBI has identified three categories of threat actors: - Organized crime groups primarily threatening the financial services sector and expanding the scope of their attacks - State sponsors, usually foreign governments, interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors - Terrorist groups that want to impact countries by using the Internet and other networks to disrupt or harm the viability of a society by damaging its critical infrastructure
Event Versus Incident
An event is a change of state. An incident is a series of events that negatively impact an organization's operations and security.
INE
An in-line network encryptor (INE), also called a high-assurance Internet Protocol encryptor (HAIPE), is a Type I encryption device. Type I designation indicates that it is a system certified by the NSA for use in securing U.S. government classified documents.
virtual desktop infrastructure (VDI)
An infrastructure that hosts desktop operating systems within a virtual environment in a centralized server. - Centralized model: All desktop instances are stored in a single server, requiring significant processing power on the server. - Hosted model: Desktops are maintained by a service provider. This model eliminates capital cost and is instead subject to operation cost. - Remote virtual desktops model: An image is copied to the local machine, making a constant network connection unnecessary.
Out-of-Band NICs
An interface that is out-of-band (OOB) is connected to a separate and isolated network that is not accessible from the LAN or the outside world. These interfaces are also typically live even when the device is off. An OOB interface can be Ethernet or serial. Guidelines to follow when configuring OOB interfaces are: - Place all OOB interfaces in a separate subnet from the data network. - Create a separate VLAN on the switches for this subnet. - When crossing WAN connections, use a separate Internet connection from that for the production network. - Use QoS to ensure that the management traffic does not affect production performance. - To help get more bang for the investment in additional technology, consider using the same management network for backups. - If the NICs support it, use the Wake-on-LAN feature to make systems available even when shut down.
TLS (Transport Layer Security)
An open-community standard that provides many of the same services as SSL. TLS 1.0 is based on SSL 3.0 but is more extensible.
Antivirus
Antivirus software is designed to identify viruses, Trojans, and worms.
Brute-Force Attacks
As with a brute-force attack against passwords, a brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is very difficult to complete. Brute-force is the ultimate attack on a cipher because all possible keys are successively tested until the correct one is encountered. A brute-force attack cannot be avoided but can be made infeasible.
Asymmetric Algorithms
Asymmetric algorithms, often referred to as dual-key or public-key cryptography, use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner. One of these keys encrypts the message, and the other decrypts the message. In asymmetric cryptography, determining a user's private key is virtually impossible even if the public key is known, although both keys are mathematically related. However, if a user's private key is discovered, the system can be compromised. Asymmetric systems provide confidentiality, integrity, authentication, and non-repudiation. Because both users have one unique key that is part of the process, determining where the message originated is possible. Asymmetric algorithms include Diffie-Hellman, RSA, El Gamal, ECC, Knapsack, and Zero Knowledge Proof.
Block Ciphers
Block ciphers perform encryption by breaking a message into fixed-length units, called blocks. Advantages of block ciphers include the following: - Implementation of block ciphers is easier than stream-based cipher implementation. - Block ciphers are generally less susceptible to security issues. - They are generally used more in software implementations. - Block ciphers employ both confusion and diffusion. Block ciphers often use different modes: ECB, CBC, CFB, and CTR.
BPA
Business Partnership Agreement. An agreement between two business partners that establishes the conditions of the partner relationship. The agreement usually includes the responsibilities of each partner, profit/loss sharing details, resource sharing details, and data sharing details.
CDMA
Code Division Multiple Access. A transmission sharing process that assigns a unique code to each call or transmission and spreads the data across the spectrum, allowing a call to make use of all frequencies.
Codebook Attacks
Codebook attacks take advantage of the property by which a given block of plaintext is always encrypted to the same block of ciphertext, as long as the same key is used. There are several types of codebook attacks. Using character occurrence probabilities in plaintext is the most popular.
CERT
Computer Emergency Response Team. An organization that studies security vulnerabilities and provides assistance to organizations that fall victim to attacks. It is part of the Software Engineering Institute at Carnegie Mellon University. It offers 24-hour emergency response service and shares information for improving web security.
cloud computing
Computing in which resources are available in a web-based data center so the resources can be accessed from anywhere.
Confusion
Confusion is the process of changing a key value during each round of encryption. Confusion is often carried out by substitution. Confusion conceals a statistical connection between plaintext and ciphertext. Substitution is the process of exchanging one byte in a message for another. For example, ABCCDEB is a substituted version of MESSAGE.
CobiT
Control Objectives for Information and Related Technology. A security controls development framework that uses a process model to subdivide IT into four domains: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME).
CSRF
Cross-Site Request Forgery is an attack that causes an end user to execute unwanted actions on a web application in which he or she is currently authenticated. Unlike with XSS, in CSRF, the attacker exploits the website's trust of the browser rather than the other way around. The website thinks that the request came from the user's browser and was actually made by the user. However, the request was planted in the user's browser.
XSS
Cross-site scripting (XSS) occurs when an attacker locates a website vulnerability, thereby allowing the attacker to inject malicious code into the web application. Many websites allow and even incorporate user input into a web page to customize the web page. If a web application does not properly validate this input, one of two things could happen: either the text will be rendered on the page or a script may be executed when others visit the web page.
Confidentiality
Cryptography systems provide confidentiality by altering the original data in such a way as to ensure that the data cannot be read except by the valid recipient.
Integrity
Cryptosystems provide integrity by allowing valid recipients to verify that data has not been altered. Hash functions do not prevent data alteration but provide a means to determine whether data alteration has occurred.
Bastion Hosts
DMZ dudes. The term actually refers to the position of any device. If the device is exposed directly to the Internet or to any untrusted network while screening the rest of the network from exposure, it is a bastion host.
DAM
Database activity monitors (DAMs) monitor transactions and the activity of database services. They can be used for monitoring unauthorized access and fraudulent activities as well as for compliance auditing. Among the architectures used are: - Interception-based model: Watches the communications between the client and the server. - Memory-based model: Uses a sensor attached to the database and continually polls the system to collect the SQL statements as they are being performed. - Log-based model: Analyzes and extracts information from the transaction logs.
Deduplication
Deduplication is a desirable process provided by many storage solutions that searches through data and removes redundant copies of the same files. There are two main methods: - Post-process: Deduplication can be performed after the data is fully written to the storage device. The benefit is that the performance of the write operation is not degraded. - In-line: Deduplication can be performed as the data enters the device in real time. This approach takes longer but avoids temporary use of space on the device.
Deterrence
Deterrence is the use of the threat of punishment to deter persons from committing certain actions.
SSL (Secure Sockets Layer)
Developed by Netscape to transmit private documents over the Internet. While SSL implements either 40-bit (SSL 2.0) or 128-bit (SSL 3.0) encryption, the 40-bit version is susceptible to attacks because of its limited key size.
Differential Cryptanalysis
Differential cryptanalysis, also referred to as a side-channel attack, measures the execution times and power required by the cryptographic device. The measurements help determine the key and algorithm used. Differential cryptanalysis is the attempt to find similarities between the ciphertexts that are derived from similar (but not identical) plaintexts. Oftentimes, the similarity assists in recovering the key.
Diffusion
Diffusion is the process of changing the location of the plaintext within ciphertext. Diffusion is often carried out using transposition. Transposition, also referred to as permutation, is the process of shuffling or reordering the plaintext to hide the original message. For example, AEEGMSS is a transposed version of MESSAGE.
Digital Rights Management (DRM)
Digital rights management (DRM) is used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content. This often also involves device controls.
DSSS
Direct Sequence Spread Spectrum. One of two technologies (along with FHSS) that were a part of the original 802.11 standard. DSSS is the modulation technique used in 802.11b.
DAC
Discretionary Access Control. The owner of an object specifies which subjects can access the resource. DAC is typically used in local, dynamic situations. The access is based on the subject's identity, profile, or role. DAC is considered to be a need-to-know control.
Disk-Level Encryption
Disk-level encryption encrypts an entire volume or entire disk and may use the same key for the entire disk or, in some cases, a different key for each partition or volume. It may also use a Trusted Platform Module (TPM) chip. This chip is located on the motherboard of the system and provides password protection, digital rights management (DRM), and full disk encryption.
Dynamic Disk Pools
Dynamic disk pools (DDPs) employ a disk technology that uses an algorithm to define which drives are used and to distribute data and capacity accordingly. DDP reserves a number of reconstruction locations known as the preservation capacity. The preservation capacity provides rebuild locations for potential drive failures. A minimum of 11 drives is required to use dynamic disk pools. A DDP is composed of two lower-level elements: - D-piece: This is a contiguous 512 MB block on a physical disk - D-stripe: Each D-stripe is made up of 10 D-pieces and uses 8 D-pieces for data, 1 for parity information, and 1 for a value used in the algorithm called the Q-value.
PFS (Perfect Forward Secrecy)
Ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. To work properly, PFS requires two conditions: keys are not reused, and new keys are not derived from previously used keys. PFS is primarily used in VPNs but can also be used by web browsers, services, and applications.
Entropy
Entropy is the randomness collected by an application that is used in cryptography or other uses that require random data, which is often collected from hardware sources.
XACML
Extensible Access Control Markup Language. A standard for an access control policy language using XML. Its goal is to create an attribute-based access control system that decouples the access decision from the application or the local machine. It provides for fine-grained control of activities.
SHA (Secure Hash Algorithm)
Family of four algorithms published by the U.S. NIST. SHA-0, originally referred to as simply SHA because there were no other "family members," produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-0 was never very popular because collisions were discovered.
FCoE
Fiber Channel over Ethernet (FCoE) encapsulates Fiber Channel traffic within Ethernet frames much as iSCSI encapsulates SCSI commands in IP packets. However, unlike iSCSI, it does not use IP at all.
Evidence
For evidence to be admissible, it must be relevant, legally permissible, reliable, properly identified, and properly preserved. An investigator must ensure that evidence adheres to five rules of evidence: - Be authentic. - Be accurate. - Be complete. - Be convincing. - Be admissible.
FDMA
Frequency Division Multiple Access: one of the modulation techniques used in cellular wireless networks. It divides the frequency range into bands and assigns a band to each subscriber. FDMA was used in 1G cellular networks.
FHSS
Frequency Hopping Spread Spectrum: one of two technologies (along with DSSS) that were a part of the original 802.11 standard. It is unique in that it changes frequencies or channels every few seconds in a set pattern that both transmitter and receiver know.
Frequency Analysis
Frequency analysis is an attack that relies on the fact that substitution and transposition ciphers will result in repeated patterns in ciphertext. Recognizing the patterns of 8 bits and counting them can allow an attacker to use reverse substitution to obtain the plaintext message. Frequency analysis usually involves the creation of a chart that lists all the letters of the alphabet alongside the number of times each letter occurs. So if the letter Q in the frequency lists has the highest value, a good possibility exists that this letter is actually E in the plaintext message because E is the most-used letter in the English language.
GNU Privacy Guard (GPG)
GNU Privacy Guard (GPG) is closely related to Pretty Good Privacy (PGP). Both programs were developed to protect electronic communications. PGP provides email encryption over the Internet and uses different encryption technologies based on the needs of the organization. GPG is a rewrite or upgrade of PGP and uses AES. To remain completely free, it does not use the IDEA encryption algorithm. All the algorithm data is stored and documented publicly by the OpenPGP Alliance. GPG is a better choice than PGP because AES costs less than IDEA and is considered more secure. Moreover, GPG is royalty free because it is not patented.
PRNG (Pseudo-Random Number Generation)
Generates a sequence of numbers that approximates the properties of random numbers using an algorithm. In actuality, the sequence is not random because it is derived from a relatively small set of initial values.
GSM
Global System for Mobile Communications: a type of cell phone that contains a Subscriber Identity Module (SIM) chip. These chips contain all the information about the subscriber and must be present in the phone for it to function.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA, also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearing houses. It is enforced by the Office of Civil Rights of the Department of Health and Human Services. It provides standards and procedures for storing, using, and transmitting medical information and healthcare data. HIPAA overrides state laws unless the state laws are stricter.
Load balancing
Hardware products provide load balancing services. Application delivery controllers (ADCs) support the same algorithms but also use complex number-crunching processes, such as per-server CPU and memory utilization, fastest response times, and so on, to adjust the balance of the load. Load balancing solutions are also referred to as farms or pools.
Social Media/Networking
If an organization decides to allow its employees to access and use social media at work, strict policies and guidelines should be established, including: - Make sure all devices and applications are up-to-date. - Ensure that the organization employs layers of security to defend the enterprise from security threats. - Create acceptable use policies that explicitly spell out the details about social media usage at work. These policies should include what type of company information can be published by all personnel and what type should only come from senior management or public relations. - Include social media training as part of the security awareness training that all personnel must obtain.
Chosen Plaintext Attacks
In a chosen plaintext attack, an attacker chooses the plaintext to get encrypted to obtain the ciphertext. The attacker sends a message, hoping that the user will forward that message as ciphertext to another user. The attacker captures the ciphertext version of the message and tries to determine the key by comparing the plaintext version he originated with the captured ciphertext version. Once again, key discovery is the goal of this attack.
Ciphertext-Only Attacks
In a ciphertext-only attack, an attacker uses several encrypted messages (ciphertext) to figure out the key used in the encryption process. Although it is a very common type of attack, it is usually not successful because so little is known about the encryption used.
Known Plaintext Attacks
In a known plaintext attack, an attacker uses the plaintext and ciphertext versions of a message to discover the key used. This type of attack implements reverse engineering, frequency analysis, or brute force to determine the key so that all messages can be deciphered.
Meet-in-the-Middle Attacks
In a meet-in-the-middle attack, an attacker tries to break the algorithm by encrypting from one end and decrypting from the other to determine the mathematical problem used.
Software-Defined Networking
In a network, three planes typically form the networking architecture: - Control plane: This plane carries signaling traffic originating from or destined for a router. This is the information that allows routers to share information and build routing tables. - Data plane: Also known as the forwarding plane, this plane carries user traffic. - Management plane: This plane administers the router. Software-defined networking (SDN) has been classically defined as the decoupling of the control plane and the data plane in networking. In a conventional network, these planes are implemented in the firmware of routers and switches. SDN implements the control plane in software, which enables programmatic access to it.
Replay Attacks
In a replay attack, an attacker sends the same data repeatedly in an attempt to trick the receiving device. This data is most commonly authentication information. The best countermeasures against this type of attack are timestamps and sequence numbers.
Analytic Attacks
In analytic attacks, attackers use known structural weaknesses or flaws to determine the algorithm used. If a particular weakness or flaw can be exploited, then the possibility of a particular algorithm being used is more likely.
incremental model
In this model, a working version or iteration of the solution is produced, tested, and redone until the final product is completed. It could be thought of as a series of waterfalls.
Cross-certification model
In this model, each organization certifies that every other organization is trusted. This trust is established when the organizations review each other's standards. Each organization must verify and certify through due diligence that the other organizations meet or exceed standards. One disadvantage of cross-certification is that the number of trust relationships that must be managed can become problematic
Trusted third-party, or bridge, model
In this model, each organization subscribes to the standards of a third party. The third party manages verification, certification, and due diligence for all organizations. This is usually the best model if an organization needs to establish federated identity management relationships with a large number of organizations.
Trend Analysis
In this process, historical data is utilized, given a set of mathematical parameters, and then processed in order to determine any possible variance from an established baseline.
First in, first out (FIFO) backup scheme
In this scheme, the newest backup is saved to the oldest media. Although this is the simplest rotation scheme, it does not protect against data errors. If an error in data exists, the organization might not have a version of the data that does not contain the error.
Grandfather/father/son (GFS) backup scheme
In this scheme, three sets of backups are defined. Most often these three definitions are daily, weekly, and monthly. The daily backups are the sons, the weekly backups are the fathers, and the monthly backups are the grandfathers. Each week, one son advances to the father set. Each month, one father advances to the grandfather set
Input Validation
Input validation is the process of checking all input for things such as proper format and proper length. In many cases, these validators use either the blacklisting of characters or patterns or the whitelisting of characters or patterns. Blacklisting looks for characters or patterns to block. It can be prone to preventing legitimate requests. Whitelisting looks for allowable characters or patterns and only allows those.
ISA
Interconnection Security Agreement: an agreement between two organizations that own and operate connected IT systems to document the technical requirements of the interconnection. In most cases, the security control needs of each organization are spelled out in detail in the agreement to ensure that there is no misunderstanding.
iSCSI
Internet Small Computer System Interface (iSCSI) is an IP-based networking storage standard method of encapsulating SCSI commands (which are used with storage area networks) within IP packets. This allows the use of the same network for storage as is used for other network traffic. If you implement a SAN using iSCSI, keep in mind the following issues: - Use a separate VLAN for SAN traffic. - Use access control lists to control access. - Use strong authentication. - Lock down access to the management interfaces of the iSCSI devices. - Encrypt sensitive data in transit and at rest.
SHA-3
SHA-3 is a family of hash functions. This standard was formally adopted in May 2014. The hash value sizes range from 224 to 512 bits. SHA-3 performs 120 rounds of computations by default.
HTML5
It has been improved to support the latest multimedia
Key Escrow
Key escrow and key recovery are two different terms. Key escrow is the process of storing keys with a third party to ensure that decryption can occur.
downstream liability
Liability that an organization accrues due to partnerships with other organizations and customers.
Linear Cryptanalysis
Linear cryptanalysis is a known plaintext attack that uses linear approximation, which describes the behavior of the block cipher, to find linear dependency between the plaintext, ciphertext, and the key. An attacker is more successful with this type of attack when more plaintext and matching ciphertext messages are obtained.
Logical (Technical) Controls
Logical, or technical, controls are software or hardware components used to restrict access. Specific examples of logical controls are firewalls, IDSs, IPSs, encryption, authentication systems, protocols, auditing and monitoring, biometrics, smart cards, and passwords.
Management Interface
Management interfaces are used for accessing devices remotely. Typically, a management interface is disconnected from the in-band network and is connected to the device's internal network
MAC
Mandatory Access Control: subject authorization is based on security labels. MAC is often described as prohibitive because it is based on a security label system. Under MAC, all that is not expressly permitted is forbidden. Only administrators can change the category of a resource. For government or military institutions, the levels of security labels could be top secret, secret, confidential, and unclassified.
MTD
Maximum tolerable downtime: the maximum amount of time that an organization can tolerate a single resource or function being down. This is also referred to as maximum period time of disruption (MPTD).
MOU
Memorandum of Understanding: an agreement between two or more organizations that details a common line of action. It is often used in cases where parties either do not have a legal commitment or in situations where the parties cannot create a legally enforceable agreement.
Motivation
Motivation is what causes organizations and their attackers to act. Not all risks that an organization identifies will have a motivation
Multipathing
Multipathing is simply the use of multiple physical or virtual network paths to the storage device. This can provide both network fault tolerance and increased performance, depending on the exact configuration.
Secure Multipurpose Internet Mail Extensions (S/MIME)
Multipurpose Internet Mail Extensions (MIME) is an Internet standard that allows email to include non-text attachments, non-ASCII character sets, multiple-part message bodies, and non-ASCII header information. In today's world, SMTP in MIME format transmits a majority of email.
NIST SP 800-30.
NIST SP 800-53 is a security controls development framework developed by the NIST body of the U.S. Department of Commerce. SP 800-53 divides the controls into three classes: technical, operational, and management. Each class contains control families or categories.
NPV
Net present value (NPV) adds another dimension to payback by considering the fact that money spent today is worth more than savings realized tomorrow.
NFS and CIFS
Network File System (NFS) and Common Internet File System (CIFS) are two methods for accessing data in networks. NFS was developed for use with UNIX and Linux-based systems, while CIFS is a public version of Server Message Block (SMB), which was invented by Microsoft. Consequently, CIFS is used with Windows-based systems. Most storage solutions support both NFS and CIFS. The security issues with CIFS include the following: - Earlier versions perform authentication in plaintext. - It is vulnerable to dictionary attacks. - There is potential for man-in-the-middle attacks with improperly configured clients.
Network Access Control
Network access control (NAC) is a service that goes beyond authentication of the user and includes an examination of the state of the computer the user is introducing to the network when making a remote access or VPN connection to the network. features are the same: to examine all devices requesting network access for malware, missing security updates, and any other security issues the devices could potentially introduce to the network. These are the limitations of using NAC or NAP: - They work well for company-managed computers but less so for guests. - They tend to react only to known threats and not new threats. - The return on investment is still unproven. - Some implementations involve confusing configuration.
NAS
Network-attached storage (NAS) serves the same function as SAN, but clients access the storage in a different way. In a NAS, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, or HTTP to connect to a NAS and share files. In a SAN, only devices that can use the Fiber Channel SCSI network can access the data, so it is typically done through a server with this capability. Security issues with network-attached storage include the following: - As in any other TCP/IP network, spoofing and sniffing become easier. - Controlling access to data can be a complicated issue. - The potential for human error in administration is high.
NextGen Firewalls
Next-generation firewalls (NGFWs) are a category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering the performance. Among the features provided by NGFWs are: - Non-disruptive in-line configuration (which has little impact on network performance) - Standard first-generation firewall capabilities, such as network address translation (NAT), stateful protocol inspection (SPI), and virtual private networking (VPN) - Integrated signature-based IPS engine - Application awareness, full stack visibility, and granular control - Ability to incorporate information from outside the firewall, such as directory-based policy, blacklists, and whitelists - Upgrade path to include future information feeds and security threats and SSL decryption to enable identifying undesirable encrypted applications
Non-repudiation
Non-repudiation in cryptosystems provides proof of the origin of data, thereby preventing the sender from denying that he sent the message and supporting data integrity. Public key cryptography and digital signatures provide non-repudiation.
NDA
Nondisclosure Agreement: an agreement between two parties that defines what information is considered confidential and cannot be shared outside the two parties.
Hash collision
Occurs when a hash function produces the same hash value on different messages.
Code Signing
Occurs when code creators digitally sign executables and scripts so that the user installing the code can be assured that it comes from the verified author. The code is signed using a cryptographic hash, which in turn ensures that the code has not been altered or corrupted
Reverse Engineering Attacks
One of the most popular cryptographic attacks, reverse engineering occurs when an attacker purchases a particular cryptographic product to attempt to reverse engineer the product to discover confidential information about the cryptographic algorithm used.
OLA
Operating-Level Agreement: an internal organizational document that details the relationships that exist between departments to support business activities. OLAs are often used with SLAs.
OFDM
Orthogonal Frequency Division Multiplexing: a more advanced modulation technique in which a large number of closely spaced orthogonal subcarrier signals are used to carry data on several parallel data streams. It is used in 802.11a and 802.11g. It makes possible speeds up to 54 Mbps.
Payback
Payback is a simple calculation that compares ALE against the expected savings as a result of an investment. Let's use the earlier example of the server that results in a $2,500 ALE. The organization may want to deploy a power backup if it can be purchased for less than $2,500. However, if that power backup cost a bit more, the organization might be willing to still invest in the device if it is projected to provide protection for more than one year with some type of guarantee.
Physical Controls
Physical controls are implemented to protect an organization's facilities and personnel. Personnel concerns should take priority over all other concerns. Specific examples of physical controls include perimeter security, badges, swipe cards, guards, dogs, mantraps, biometrics, and cabling.
RDP
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection. Unlike Telnet and SSH, which allow only working from the command line, RDP enables you to work on a remote computer as if you were actually sitting at its console.
RFQ
Request for Quote: a bidding-process document that invites suppliers to bid on specific products or services. RFQ generally means the same thing as Invitation for Bid (IFB). RFQs often include item or service specifications.
Residual risk
Residual risk is the level of risk that remains after the safeguards or controls have been implemented. Residual risk = Total risk - Countermeasures
Magnitude of Impact
Risk impact or magnitude of impact is an estimate of how much damage a negative risk can have or the potential opportunity cost should a positive risk be realized. Risk impact can be measured in financial terms (quantitative) or with a subjective measurement scale (qualitative). Risks usually are ranked on a scale that is determined by the organization. High-level risks result in significant loss, and low-level risks result in negligible losses.
inherent risk
Risk that is virtually impossible to avoid.
RBAC
Role-Based Access Control: each subject is assigned to one or more roles. Roles are hierarchical, and access control is defined based on the roles. RBAC can be used to easily enforce minimum privileges for subjects. An example of RBAC is implementing one access control policy for bank tellers and another policy for loan officers.
Rule-Based Access Control
Rule-based access control facilitates frequent changes to data permissions. Using this method, a security policy is based on global rules imposed for all users. Profiles are used to control access. Many routers and firewalls use this type of access control and define which packet types are allowed on a network. Rules can be written that allow or deny access based on packet type, port number used, MAC address, and other parameters.
Aggregate CIA Score
SC_{information type} = {(confidentiality, impact), (integrity, impact), (availability, impact)}. Example: SC_{web server} = {(confidentiality, high), (integrity, high), (availability, high)}
Application Sandboxing
Sandboxing an application means limiting the parts of the operating system and user files the application is allowed to interact with. This prevents the code from making permanent changes to the OS kernel and other data on the host machine
Secure Shell (SSH)
Secure Shell (SSH) is an application and protocol that is used to remotely log in to another computer using a secure tunnel. After a session key is exchanged and the secure channel is established, all communication between the two computers is encrypted over the secure channel. SSH is a solution that could be used to remotely access devices, including switches, routers, and servers. SSH is preferred over Telnet because Telnet does not secure the communication.
SSH
Secure Shell (SSH) was created to provide an encrypted replacement for Telnet and should be considered when performing remote management from the command line.
SSL
Secure Sockets Layer (SSL) is another option for creating secure connections to servers. It works at the application layer of the OSI model. It is used mainly to protect HTTP traffic or web servers. Its functionality is embedded in most browsers, and it is widely used to secure Internet transactions. It can be implemented in two ways: - SSL portal VPN: In this case, a user has a single SSL connection for accessing multiple services on the web server. Once authenticated, the user is provided a page that acts as a portal to other services. - SSL tunnel VPN: A user may use an SSL tunnel to access services on a server that is not a web server. This solution uses custom programming to provide access to non-web services through a web browser.
Secure Coding Standards
Secure coding standards are practices that, if followed throughout the software development life cycle, will help reduce the attack surface of an application
SIEM
Security information and event management (SIEM) utilities receive information from log files of critical systems and centralize the collection and analysis of this data. SIEM technology is an intersection of two closely related technologies: security information management (SIM) and security event management (SEM)
SABSA
Sherwood Applied Business Security Architecture: an enterprise security architecture framework that is similar to the Zachman framework. It uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). It is a risk-driven architecture, a model for guiding the creation and design of a security architecture. It attempts to enhance the communication process between stakeholders.
Dictionary Attacks
Similar to a brute-force attack, a dictionary attack uses all the words in a dictionary until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is very difficult to complete. It also requires a comprehensive dictionary of words.
MAC (Message Authentication Code)
Similar to code signing in that it can provide message integrity and authenticity. You should be familiar with three types of MACs: HMAC, CBC-MAC, and CMAC. A hash MAC (HMAC) is a keyed-hash MAC that involves a hash function with a symmetric key. HMAC provides data integrity and authentication. Any of the previously listed hash functions can be used with HMAC, with HMAC being prepended to the hash function name (for example, HMAC-SHA-1). The strength of HMAC depends on the strength of the hash function, including the hash value size and the key size. HMAC's hash value output size is the same as the underlying hash function. HMAC can help reduce the collision rate of the hash function. Cipher block chaining MAC (CBC-MAC) is a block-cipher MAC that operates in CBC mode. CBC-MAC provides data integrity and authentication. Cipher-based MAC (CMAC) operates in the same manner as CBC-MAC but with much better mathematical functions. CMAC addresses some security issues with CBC-MAC and is approved to work with AES and 3DES.
Social Engineering Attacks
Social engineering attacks against cryptographic algorithms do not differ greatly from social engineering attacks against any other security area. Attackers attempt to trick users into giving the attacker the cryptographic key used. Common social engineering methods include intimidation, enticement, and inducement.
Spam Filters
Spam filters are designed to prevent spam from being delivered to mailboxes. The issue with spam filters is that often legitimate email is marked as spam. Finding the right setting can be challenging.
Antispyware
Spyware tracks your activities and can also gather personal information that could lead to identity theft
Steganography
Steganography occurs when a message is hidden inside another object, such as a picture or document.
Stream Ciphers
Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. Advantages of stream-based ciphers include the following: - They generally have lower error propagation because encryption occurs on each bit. - They are generally used more in hardware implementations. - They use the same key for encryption and decryption. - They are generally cheaper to implement than block ciphers. - They employ only confusion, not diffusion.
Switches
Switches are intelligent and operate at layer 2 of the OSI model. We say they map to this layer because they make switching decisions based on MAC addresses, which reside at layer 2. They eliminate collisions.
3DES (Triple DES)
Symmetric key algorithm. Applies DES three times with a 168-bit key (+24 for parity). Because of the need to quickly replace DES, a version of DES that increases security by using three 56-bit keys was developed.
Skipjack
Skipjack is a block-cipher, symmetric algorithm developed by the U.S. NSA. It uses an 80-bit key to encrypt 64-bit blocks. This is the algorithm that is used in the Clipper chip. Algorithm details are classified.
IDEA
Symmetric algorithm that is faster and harder to break than DES. However, it is not as widely used as DES or AES because it was patented, and licensing fees had to be paid to the owner, a Swiss company named Ascom. However, the patent expired in 2012. Used in PGP.
DES (Digital Encryption Standard)
Symmetric algorithm that uses a 64-bit key, 8 bits of which are used for parity. Therefore, the effective key length is 56 bits. Divides a message into 64-bit blocks. Sixteen rounds of transposition and substitution are performed on each block, resulting in a 64-bit block of ciphertext.
SDLC
Systems Development Life Cycle. The steps in the SDLC are as follows: 1. Initiate 2. Acquire/develop 3. Implement 4. Operate/maintain 5. Dispose
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) of 1986 affects any entities that might engage in hacking of "protected computers," as defined in the act. A "protected computer" is a computer used exclusively by a financial institution or the U.S. government or used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Due to the inter-state nature of most Internet communication, ordinary computers—even smartphones—have come under the jurisdiction of the law. The law includes several definitions of hacking, including knowingly accessing a computer without authorization; intentionally accessing a computer to obtain financial records, U.S. government information, or protected computer information; and transmitting fraudulent commerce communication with the intent to extort
Federal Information Security Management Act (FISMA) of 2002
The Federal Information Security Management Act (FISMA) of 2002 affects every federal agency. It requires each federal agency to develop, document, and implement an agencywide information security program.
Gramm-Leach-Bliley Act (GLBA) of 1999
The Gramm-Leach-Bliley Act (GLBA) of 1999 affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing all financial information and prohibits sharing of financial information with third parties. This act directly affects the security of PII
OCSP Versus CRL
The Online Certificate Status Protocol (OCSP) is an Internet protocol that obtains the revocation status of an X.509 digital certificate using the serial number. OCSP is an alternative to the standard certificate revocation list (CRL) that is used by many PKIs.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder information for the major credit card companies. The latest version is 3.0. To prove compliance with the standard, an organization must be reviewed annually. Although PCI DSS is not a law, this standard has affected the adoption of several state laws
Sarbanes-Oxley (SOX) Act
The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly known as the Sarbanes-Oxley (SOX) Act, affects any organization that is publicly traded in the United States. It regulates the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.
Accept
The accept strategy understands and accepts the level of risk as well as the cost of damages that can occur. This strategy is usually used to cover residual risk. It is usually employed for assets that have small exposure or value.
ARP Poisoning
The attacker accomplishes this poisoning by answering ARP requests for another computer's IP address with his own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker's MAC address listed as the MAC address that maps to the other computer's IP address. As a result, both are sending to the attacker, placing him "in the middle."
Avoid
The avoid strategy involves terminating the activity that causes a risk or choosing an alternative that is not as risky. Unfortunately, this method cannot be used against all threats. An example of avoidance is organizations utilizing alternate data centers in different geographic locations to avoid a natural disaster being able to affect both facilities.
Capability
The capability of a solution is the action that the solution is able to perform
separation of duties
The concept that sensitive operations should be divided among multiple users so that no one user has the rights and access to carry out a sensitive operation alone. This security measure ensures that one person is not capable of compromising organizational security. It prevents fraud by distributing tasks and their associated rights and privileges between more than one user.
File-Level Encryption
The encryption and decryption process is performed per file, and each file owner has a key
General Change Management
The following are guidelines to include as a part of any change control policy: - All changes should be formally requested. - Each request should be analyzed to ensure that it supports all goals and policies. - Prior to formal approval, all costs and effects of the methods of implementation should be reviewed. - After they're approved, the change steps should be developed. - During implementation, incremental testing should occur, relying on a predetermined fallback strategy, if necessary. - Complete documentation should be produced and submitted with a formal report to management.
Likelihood of Threat
The likelihood of threat is a measurement of the chance that a particular risk event will impact the organization. The levels used for threat likelihood are usually high, moderate, and low. The likelihood that an event will occur is usually determined by examining the motivation, source, ARO, and trend analysis.
Mitigate
The mitigate strategy defines the acceptable risk level the organization can tolerate and reduces the risk to that level. This is the most common strategy employed. This strategy includes implementing security controls, including intrusion detection systems (IDSs), intrusion prevention systems (IPSs), firewalls, and so on.
risk
The probability that a threat agent will exploit a vulnerability and the impact of the probability.
risk management
The process that occurs when organizations identify, measure, and control organizational risks. NIST SP 800-30.
code review
The systematic investigation of code for security and functional problems
race condition
The term originates with the idea of two signals racing each other to influence the output first. Race conditions arise in software when an application depends on the sequence or timing of processes or threads for it to operate properly.
Transfer
The transfer strategy passes the risk on to a third party, including insurance companies. However, the risk could still rest with the original organization, depending on the provisions in the contract. If your organization plans to use this method, legal counsel should be used to ensure that the contract provides the level of protection needed. An example is to outsource certain functions to a provider, usually involving a service-level agreement (SLA) with a third party.
Stateful firewalls
These firewalls are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don't make sense in the context of the TCP handshake
Packet-filtering firewalls
These firewalls are the least detrimental to throughput as they only inspect the header of the packet for allowed IP addresses or port numbers. While performing this function slows traffic, it involves only looking at the beginning of the packet and making a quick decision to allow or disallow
Physical threat
This category includes CCTV issues, perimeter measures failure, and biometric failure.
Operational threat
This category includes any process or procedure that can affect CIA
Human threat
This category includes both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel.
Natural threat
This category includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events.
Technical threat
This category includes hardware and software failure, malicious code, and new technologies.
Environmental threat
This category includes power and other utility failures, traffic issues, biological warfare, and hazardous material issues (such as spillage).
EAP-TTLS
This form of EAP requires a certificate on the server only. The client uses a password, but the password is sent within a protected EAP message. It is, however, susceptible to password-based attacks.
EAP-TLS
This form of EAP requires a public key infrastructure because it requires certificates on both server and clients. It is, however, immune to password-based attacks as it does not use passwords.
Private cloud
This is a solution owned and managed by one company solely for that company's use. This provides the most control and security but also requires the biggest investment in both hardware and expertise. - Ensure that the data is stored only on internal resources. - Ensure that the data is owned by the organization. - Ensure that only authorized individuals are allowed to access the data. - Ensure that data is always available.
Public cloud
This is a solution provided by a third party. It offloads the details to that third party but gives up some control and can introduce security issues. Typically you are a tenant sharing space with others, and in many cases you don't know where your data is being kept physically. - Data is protected by enterprise-class firewalls and within a secured facility. - Attackers and disgruntled employees are unsure of where the data actually resides. - The cloud vendor will provide security expertise and must maintain the level of service detailed in the contract.
Hybrid cloud
This is some combination of private and public. For example, perhaps you only use the facilities of the provider but still manage the data yourself.
Secure by design
This means that the application was designed with security in mind rather than as an afterthought. An application is truly secure if you give someone the details of the application's security system and the person still cannot defeat the security. An application should not rely on a lack of knowledge on the part of the hacker (sometimes called security by obscurity).
Secure by deployment
This means that the environment into which the application is introduced was taken into consideration from a security standpoint. For example, it may be advisable to disable all unused interfaces on one server while that may not be critical in another.
Secure by default
This means that without changes to any default settings, the application is secure. For example, some server products have certain security capabilities, but those services must be enabled in order to function so that the service is not available to a hacker. A product that requires the enabling of the security functions is not secure by default
RAID 5
This method, which requires at least three drives, writes the data across all drives, as with striping, and then writes parity information across all drives as well. The parity information is used in the same way as in RAID 3, but it is not stored on a single drive. - Hot swappable
RAID 3
This method, which requires at least three drives, writes the data across all drives, as with striping, and then writes parity information to a single dedicated drive. The parity information is used to regenerate the data in the case of a single drive failure. The downfall of this method is that the parity drive is a single point of failure
Clustering
This refers to a software product that provides load balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances, using round-robin, weighted-round-robin, or a least-connections algorithm.
AES (Advanced Encryption Standard)
This symmetric algorithm is the replacement algorithm for DES. Although it is considered the standard, the algorithm that is used in this standard is the Rijndael algorithm, and the name AES is often used interchangeably with Rijndael. The three block sizes that are used are 128, 192, and 256 bits. A 128-bit key with a 128-bit block size undergoes 10 transformation rounds. A 192-bit key with a 192-bit block size undergoes 12 transformation rounds. Finally, a 256-bit key with a 256-bit block size undergoes 14 transformation rounds.
Signature-based IDS
This type of IDS analyzes traffic and compares it to attack or state patterns, called signatures, that reside within the IDS database. It is also referred to as a misuse-detection system. While this type of IDS is very popular, it can only recognize attacks as compared with its database and is therefore only as effective as the signatures provided. Frequent updates are necessary. There are two main types of signature-based IDSs: - Pattern-matching: This type of IDS compares traffic to a database of attack patterns. The IDS carries out specific steps when it detects traffic that matches an attack pattern. - Stateful-matching: This type of IDS records the initial operating system state. Any changes to the system state that specifically violate the defined rules result in an alert or a notification being sent.
Protocol anomaly-based IDS
This type of IDS has knowledge of the protocols that it will monitor. A profile of normal usage is built and compared to activity.
Rule- or heuristic-based IDS
This type of IDS is an expert system that uses a knowledge base, an inference engine, and rule-based programming. The knowledge is configured as rules. The data and traffic are analyzed, and the rules are applied to the analyzed traffic. The inference engine uses its intelligent software to "learn." If characteristics of an attack are met, alerts or notifications are triggered. This is often referred to as an if/then, or expert, system
Traffic anomaly-based IDS
This type of IDS tracks traffic pattern changes. All future traffic patterns are compared to the sample. Changing the threshold reduces the number of false positives or false negatives. This type of filter is excellent for detecting unknown attacks. But user activity may not be static enough to effectively implement such a system.
Proxy firewalls
This type of firewall actually stands between an internal-to-external connection and makes the connection on behalf of the endpoints. Therefore, there is no direct connection. The proxy firewall acts as a relay between the two endpoints
Kernel proxy firewalls
This type of firewall is an example of a fifth-generation firewall. It inspects a packet at every layer of the OSI model but does not introduce the same performance hit as an application-layer firewall because it does this at the kernel layer. It also follows the proxy model in that it stands between two systems and creates connections on their behalf.
EAP-MD5-CHAP
This variant of EAP uses the CHAP challenge process, but the challenges and responses are sent as EAP messages. It allows the use of passwords with EAP.
TDMA
Time Division Multiple Access A modulation technique that increases the speed over FDMA by dividing the channels into time slots and assigning slots to calls. This also helps prevent eavesdropping in calls.
Transport Encryption
To provide this encryption, secure communication mechanisms should be used, including SSL/TLS, HTTP/HTTPS/SHTTP, SET, SSH, and IPsec.
TCO
Total cost of ownership (TCO) is a financial estimate intended to help buyers and owners determine the direct and indirect costs of a product or system
UTM
Unified threat management (UTM) is an approach that involves performing multiple security functions within the same device or appliance.
Symmetric Algorithms
Use a private or secret key that must remain secret between the two parties. Each party pair requires a separate private key. Therefore, a single user would need a unique secret key for every user with whom she communicates. Provide confidentiality but not authentication or non-repudiation. If both users use the same key, determining where the message originated is impossible. Includes DES, AES, IDEA, Skipjack, Blowfish, Twofish, RC4/RC5/RC6, and CAST.
VNC
Virtual Network Computing (VNC) operates much like RDP but uses the Remote Frame Buffer (RFB) protocol. Unlike RDP, VNC is platform independent.
VPNs
Virtual private network (VPN) connections use an untrusted carrier network but provide protection of the information through strong authentication protocols and encryption mechanisms. VPN connections can be used to provide remote access to teleworkers or traveling users (called remote access VPNs) and can also be used to securely connect two locations (called site-to-site VPNs)
VSANs
Virtual storage area networks (VSANs) are logical divisions of a storage area network, much like a VLAN is a logical subdivision of a local area network. While providing the same general advantages and disadvantages of a SAN, VSANs provide separation between sections of a SAN that can be leveraged to provide the following: - Problems with one VSAN can be confined to that VSAN without disturbing the operation of other VSANs. - If one VSAN is compromised, other VSANs are not.
server-based application virtualization
Virtualization in which applications run on servers.
Passive Vulnerability Scanners
Vulnerability scanners are tools or utilities used to probe and reveal weaknesses in a network's security. A passive vulnerability scanner (PVS) monitors network traffic at the packet layer to determine topology, services, and vulnerabilities. It avoids the instability that can be introduced to a system by actively scanning for vulnerabilities.
Web Services Security (WS-Security)
Web services typically use a protocol specification called Simple Object Access Protocol (SOAP) for exchanging structured information. SOAP employs XML and is insecure by itself. Web Services Security (WS-Security, or WSS) is an extension to SOAP that is used to apply security to web services. WS-Security describes three main mechanisms: - How to sign SOAP messages to ensure integrity. Signed messages also provide nonrepudiation. - How to encrypt SOAP messages to ensure confidentiality. - How to attach security tokens to ascertain the sender's identity.
Statistical Attacks
Whereas analytic attacks look for structural weaknesses or flaws, statistical attacks use known statistical weaknesses of an algorithm to aid in the attack.
Active Vulnerability Scanners
Whereas passive scanners can only gather information, active scanners can take action to block an attack, such as blocking a dangerous IP address. They can also be used to simulate an attack to assess readiness. They operate by sending transmissions to nodes and examining the responses. Because of this, these scanners may disrupt network traffic.
V-shaped model
While this model can work when all requirements are well understood up front (which is frequently not the case) and potential scope changes are small, it does not provide for handling events concurrently as it is also a sequential process like the Waterfall method.
Mandatory Vacation
With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their position while gone. This detective administrative control enhances the opportunity to discover unusual activity.
Port-Level Encryption
You can encrypt network data on specific ports to prevent network eavesdropping with a network protocol analyzer. Network encryption occurs at the network layer of a selected protocol. Network data is encrypted only while it is in transit. Once the data has been received, network encryption is no longer in effect.
Scalability
a characteristic of a device or security solution that describes its capability to cope and perform under an increased or expanding workload
E-Discovery
a term used when evidence is recovered from electronic devices. Because of the volatile nature of the data on electronic devices, it is important that security professionals obtain the appropriate training to ensure that evidence is collected and preserved in the proper manner. E-discovery involves the collection of all data, including written and digital, regarding an incident.
APT
advanced persistent threat A hacking process that targets a specific entity and is carried out over a long period of time.
ALE
annualized loss expectancy (ALE) The expected risk factor of an annual threat event. The equation used is ALE = SLE × ARO. If the risk assessment has determined that the ARO for the power failure of the web server farm is 50%, the ALE for this event equals $2,500.
ARO
annualized rate of occurrence (ARO) The estimate of how often a given threat might occur annually.
Detective controls
are in place to detect an attack while it is occurring to alert appropriate personnel. Detective controls are useful during an event. ex: motion detectors, intrusion detection systems (IDSs), logs, guards
Compensative controls
are in place to substitute for a primary access control and mainly act as a way to mitigate risks ex: two keys owned by different personnel to open a safe deposit box.
AV
asset value The estimated value of an asset, used in the calculation of single loss expectancy.
Data Loss Prevention
attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. - Network DLP: Installed at network egress points near the perimeter, network DLP analyzes network traffic. - Endpoint DLP: Endpoint DLP runs on end-user workstations or servers in the organization. - Precise methods: These methods involve content registration and trigger almost zero false-positive incidents. - Imprecise methods: These can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.
BIA
business impact analysis A functional analysis that occurs as part of business continuity and disaster recovery and lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization. The four main steps of the BIA are as follows: 1. Identify critical processes and resources. 2. Identify outage impacts and estimate downtime. 3. Identify resource requirements. 4. Identify recovery priorities.
Wireless Controllers
centralized appliances or software packages that monitor, manage, and control multiple wireless access points. Some of these features include: - Interference detection and avoidance: This is achieved by adjusting the channel assignment and RF power in real time. - Load balancing: You can use load balancing to connect a single user to multiple APs for better coverage and data rate. - Coverage gap detection: This type of detection can increase the power to cover holes that appear in real time.
Virtual TPM (VTPM)
chip is a software object that performs the functions of a TPM chip. It is a system that enables trusted computing for an unlimited number of virtual machines on a single hardware platform. It makes secure storage and cryptographic functions available to operating systems and applications running in virtual machines.
Record-Level Encryption
choices can be made about which records to encrypt, which has a significant positive effect on both performance and security. This type of encryption allows more granularity in who possesses the keys since a single key does not decrypt the entire disk or volume.
time of check to time of use
class of software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check.
Flash
client-side program by Adobe that can be used to create content that is played in Adobe Flash player. Flash has been dogged by security issues over the years.
benchmark
compared to the baseline to determine whether any security or performance issues exist.
Standard Libraries
contain common objects and functions used by a language that developers can access and reuse without re-creating them. The components that should be provided by an application security library are: - Input validation - Secure logging - Encryption and decryption
COOP
continuity of operations plan A business continuity document that considers all aspects that are affected by a disaster, including functions, systems, personnel, and facilities and that lists and prioritizes the services that are needed, particularly the telecommunications and IT functions
System-Specific Security Policy
Addresses security for a specific computer, network, technology, or application. It outlines how to protect the system or technology. This policy type is much more technically focused than an issue-specific security policy.
Issue-Specific Security Policy
Addresses specific security issues. ex: email privacy policies, virus checking policies, employee termination policies, no expectation of privacy policies, and so on. Issue-specific policies support the organizational security policy.
Standard Operating Environment/Configuration Baselining
deploy standard images that have been secured with security baselines. A security baseline is a set of configuration settings that provide a floor of minimum security in the image being deployed.
Deterrent controls
deter or discourage an attacker. Deterrent controls often trigger preventive and corrective controls ex: user identification and authentication, fences, lighting
Qualitative risk analysis
does not assign monetary and numeric values to all facets of the risk analysis process. Qualitative risk analysis techniques include intuition, experience, and best practice techniques, such as brainstorming, focus groups, surveys, questionnaires, meetings, interviews
EF
exposure factor (EF) The percent value or functionality of an asset that will be lost when a threat event occurs.
NIST SP 800-34 Revision 1 (R1)
guidelines for performing business continuity and disaster recovery planning. The following list summarizes the steps in SP 800-34 R1: 1. Develop contingency planning policy. 2. Conduct business impact analysis (BIA). 3. Identify preventive controls. 4. Create recovery strategies. 5. Develop business continuity plan (BCP). 6. Test, train, and exercise. 7. Maintain the plan.
data remnant
The residual information left on a drive after a delete process or the data left in terminated virtual machines.
Organizational Security Policy
highest-level security policy adopted by an organization. Business goals steer the organizational security policy. - Define overall goals of security policy. - Define overall steps and importance of security. - Define security framework to meet business goals. - State management approval of policy, including support of security goals and principles. - Define all relevant terms. - Define security roles and responsibilities. - Address all relevant laws and regulations. - Identify major functional areas. - Define compliance requirements and noncompliance consequences.
Maintainability
how often a security solution or device must be updated and how long the updates take. This includes installing patches, cleaning out logs, and upgrading the applications
Waterfall method
incremental design process
IA
interoperability agreement - An agreement between two or more organizations to work together to allow information exchange. - The most common implementation of these agreements occurs between sister companies that are owned by the same large corporation.
Fuzzing/Fault Injection
involves injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process. Inputs can include environment variables, keyboard and mouse events, and sequences of API calls. Figure 5-6 shows the logic of the fuzzing process. - Mutation fuzzing: This type involves changing the existing input values (blindly). - Generation-based fuzzing: This type involves generating the inputs from scratch, based on the specification/format.
client-based application virtualization
Virtualization in which the target application is packaged and streamed to the client. - It has its own application computing environment that is isolated from the client OS and other applications.
Representational State Transfer (REST)
is a client/server model for interacting with content on remote systems, typically using HTTP. It involves accessing and modifying existing content and also adding content to a system in a particular way. REST does not require a specific message format during HTTP resource exchanges.
differential backup
is a cumulative backup of all changes made since the last full backup, i.e., the differences since the last full backup. The advantage to this is the quicker recovery time, requiring only a full backup and the last differential backup to restore the entire data repository.
ActiveX
is a server-side Microsoft technology that uses object-oriented programming (OOP) and is based on the Component Object Model (COM) and the Distributed Component Object Model (DCOM). The problem is that these controls execute under the security context of the current user, which in many cases has administrator rights.
Unified Extensible Firmware Interface (UEFI)
is an alternative to using BIOS to interface between the software and the firmware of a system. Most images that support UEFI also support legacy BIOS services as well. Some of its advantages are: - Ability to boot from large disks (over 2 TB) with a GUID partition table - CPU-independent architecture - CPU-independent drivers - Flexible pre-OS environment, including network capability - Modular design
Shibboleth
is an open source project that provides single sign-on capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. Shibboleth allows the use of common credentials among sites that are a part of the federation. It is based on SAML. T
Trusted OS
is an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. Included in the Common Criteria (former Orange Book) EAL: - EAL1: Functionally tested - EAL2: Structurally tested - EAL3: Methodically tested and checked - EAL4: Methodically designed, tested, and reviewed - EAL5: Semi-formally designed and tested - EAL6: Semi-formally verified design and tested - EAL7: Formally verified design and tested
Extensible Authentication Protocol (EAP)
is not a single protocol but a framework for port-based access control that uses the same three components that are used in RADIUS. A wide variety of these implementations can use all sorts of authentication mechanisms, including certificates, a PKI, or even simple passwords.
Sandboxing
is the segregation of virtual environments for security purposes. Sandboxed appliances have been used in the past to supplement the security features of a network. These appliances are used to test suspicious files in a protected environment.
spiral model
iterative approach, but it places more emphasis on risk analysis at each stage. Prototypes are produced at each stage, and the process can be seen as a loop that keeps circling back to take a critical look at risks that have been addressed while still allowing visibility into new risks
Routers
Layer 3 devices; break up broadcast domains; have ACLs
Rapid Application Development (RAD)
less time is spent upfront on design, and emphasis is on rapidly producing prototypes with the assumption that crucial knowledge can be gained only through trial and error. This model is especially helpful when requirements are not well understood at the outset and are developed as issues and challenges arise while building prototypes
Block-Level Encryption
Block-level encryption can also mean encryption of a disk partition, or a file that is acting as a virtual partition.
Usability
making a security solution or device easier to use and matching the solution or device more closely to organizational needs and requirements
MTBF
mean time between failures The estimated amount of time a device will operate before a failure occurs. Describes how often a component fails, on average.
MTTR
mean time to repair The average time required to repair a single resource or function when a disaster or other disruption occurs. Describes the average amount of time it takes to get a device fixed and back online.
NIPS
network intrusion prevention system (NIPS) scans traffic on a network for signs of malicious activity and then takes some action to prevent it. A NIPS monitors the entire network. Be careful of false positives and false negatives.
OAUTH
open authorization A standard for authorization that allows users to share private resources on one site to another site without using credentials. OAUTH uses tokens to allow restricted access to a user's data when a client application requires access. These tokens are issued by an authorization server.
Preventive controls
prevent an attack from occurring. Preventive controls are useful before an event occurs. ex: locks, badges, biometric systems, encryption, intrusion prevention systems (IPSs), antivirus software
Password Authentication Protocol (PAP)
provides authentication, but the credentials are sent in cleartext and can be read with a sniffer.
Asynchronous replication
provides delayed replication but uses less bandwidth, can survive higher latency, and is usually used across long distances.
Synchronous replication
provides near-real-time replication but uses more bandwidth and cannot tolerate latency.
Point-in-time replication (snapshot)
provides periodic replication and uses the least bandwidth because it replicates only changes.
Agile model
puts more emphasis on continuous feedback and cross-functional teamwork.
Recovery controls
recover a system or device after an attack has occurred. The primary goal of recovery controls is restoring resources ex: disaster recovery plans, data backups, and offsite facilities.
RPO
recovery point objective The point in time to which a disrupted resource or function must be returned.
RTO
recovery time objective The shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences.
RFI
request for information A bidding-process document that collects written information about the capabilities of various suppliers. An RFI may be used prior to an RFP or RFQ, if needed, but can also be used after these if the RFP or RFQ does not obtain enough specification information.
RFP
request for proposal A bidding-process document that is issued by an organization that gives details of a commodity, a service, or an asset that the organization wants to purchase
ROI
return on investment (ROI) refers to the money gained or lost after an organization makes an investment. ROI measures the expected improvement over the status quo against the cost of the action required to achieve the improvement. In the security field, improvement is not really the goal. Reduction in risk is the goal.
Type I Hypervisor
runs directly on the host's hardware to control the hardware and to manage guest operating systems. A guest operating system runs on another level above the hypervisor. Examples of these are Citrix XenServer, Microsoft Hyper-V and VMware vSphere.
Type II Hypervisor
runs within a conventional operating system environment. With the hypervisor layer as a distinct second software level, guest operating systems run at the third level above the hardware. VMware Workstation and VirtualBox exemplify Type II hypervisors.
Challenge Handshake Authentication Protocol (CHAP)
solves the cleartext problem by operating without sending the credentials across the link. The server sends the client a set of random text called a challenge. The client encrypts the text with the password and sends it back. The server then decrypts it with the same password and compares the result with what was sent originally. If the results match, then the server can be assured that the user or system possesses the correct password without ever needing to send it across the untrusted network.
Exemptions
some organizations have exemptions from certain types of risks due to the nature of their business and governmental standards. In most cases, organizations should employ legal counsel to ensure that they understand any exemptions that they think apply to them.
Directive controls
specify acceptable practice within an organization. They are in place to formalize an organization's security directive mainly to its employees. The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow
SOA
statement of applicability A document that identifies the controls chosen by an organization and explains how and why the controls are appropriate
Availability
the amount or percentage of time a computer system is available for use. When determining availability, the following terms are often used: maximum tolerable downtime (MTD), mean time to repair (MTTR), mean time between failures (MTBF).
Latency
the delays typically incurred in the processing of network data
Recoverability
the probability that a failed security solution or device can be restored to its normal operable state within a given time frame, using the prescribed practices and procedures. When determining recoverability, the following terms are often used: recovery time objective (RTO), work recovery time (WRT), recovery point objective (RPO)
Community cloud
this is a solution owned and managed by a group of organizations that create the cloud for a common purpose, perhaps to address a common concern such as regulatory compliance.
Application-based IDS
this is a specialized IDS that analyzes transaction log files for a single application. This type of IDS is usually provided as part of the application or can be purchased as an add-on.
Statistical anomaly-based IDS
this type of IDS samples the live environment to record activities. The longer the IDS is in operation, the more accurate the profile that is built. However, developing a profile that will not have a large number of false positives can be difficult and time-consuming. Thresholds for activity deviations are important in this type of IDS. Too low a threshold will result in false positives, while too high a threshold will result in false negatives.
container-based virtualization
type of server virtualization in which the kernel allows for multiple isolated user-space instances. Also called operating system virtualization.
VMS
vulnerability management system Software that centralizes and to a certain extent automates the process of continually monitoring and testing a network for vulnerabilities.
WRT
work recovery time The difference between RTO and MTD, which is the remaining time that is left over after the RTO before reaching the maximum tolerable downtime.