Chapter 2
Payment Card Industry Data Security Standard (PCI-DSS)
Standard used by major credit card companies where the main focus is the security controls and objectives that companies that process credit cards should implement.
Development Environment
THis is where the application is developed
International Organization for Standardization (ISO)
The defacto source for international standards.
Software Defined Networking (SDN)
The entire network is virtualized which allows a relatively easy segmentation of the network.
Application Blacklisting
The process of listing banned applications.
Least functinality
The system itself should be configured and capable of doing only what it is intended to do and no more.
NIST SP 800-53
This document organizes security measures into families of controls, such as risk assessment, access control, incident response, and others. The document also defines three levels of minimum security controls.
air gap
This occurs when one or more systems are literally not connected to a network.
ISO 27002
This standard recommends best practices for initiating, implementing, and maintaining information security management systems.
Proxy firewall
Used to process requests from an outside networks. Can be thought of as an intermediary between your network and any other network.
Dual-homed firewall
a host that resides on more than one network and possesses more than one network card
Extranet
a network configuration that allows selected outside organizations to access internal information systems
Intranet
a network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization
Stateless firewalls
make decisions based on the data that comes in—the packet, for example—and not based on any complex decisions
Secure baseline
process whereby you find a baseline for any system, application, or service that is considered secure.
Staging
used to roll the new software out in sections instead of deploying to the entire network at once.
VPN concentrator
A hardware device used to create remote access VPNs.
Virtual private network (VPN)
A private network connection that occurs through a public network.
Secure boot
A process whereby the BIOS or UEFI makes a cryptographic hash of the operating system boot loader and any boot drivers and compares that against a stored hash.
root of trust (RoT)
A security process that has to begin with some unchangeable hardware identity often stored in a TPM.
Honeypot
A separate system that appears to be an attractive target but is in reality a trap for attackers.
ISA/IEC-62443
A series of standards that define procedures for implementing electronically secure industrial automation and control systems.
Sandbox
A test environment that is completely isolated from the rest of the network.
Administrative controls
All the policies, procedures, and processes that are in place to support security.
Demilitarized zone (DMZ)
An area where you can place a public server for access by people whom you might not trust otherwise.
Test Environment
An environment containing hardware, instrumentation, simulators, software tools, and other support elements needed to conduct a test.
Open Web Application Security Project (OWASP)
An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
Technical controls
Controls that involve software and hardware.
Trusted Platform Module (TPM)
Dedicated processors that use cryptographic keys to perform a variety of tasks.
Hardware security modules (HSM)
Devices that handle digital keys.
Full Disk Encryption (FDE)
Encrypting the entire disk, rather than a specific file or folder.
Firewalls
First lines of defense in a network to prevent unauthorized users.
Appliances
Freestanding devices that operate in a largely self-contained manner, requiring less maintenance and support than a server-based product.
Defense in depth
Fundamental precept that means that it should never be the case that your security is either all or primarily focused on your network's borders.
Self-encrypting drive (SED)
Has a controller chip built into it that automatically encrypts the drive and decrypts it.
Networking segmentation
Involves dividing your network into zones based on security needs.
Stateful inspection
It does what a packet filtering firewall does, but it also remembers what the recent previous packets from the same client contained.
Key encryption key (KEK)
Key that encrypts or decrypts other key for transmission or storage
Media encryption key (MEK)
Key used for unlocking and locking a drive used in SED.
Application Whitelisting
Making a list of allowed apps, and only those applications may be installed.
Integrity measurement
Monitor a system to ensure that it has not deviated from that secure baseline.
Honeynet
Next logical extension of a honeypot. For example, there is a fake network segment that appears to be a very enticing target.
Packet filter
Passes or blocks traffic to specific addresses based on the type of application.
North American Electric Reliability Corporation (NERC)
Publishes standards for electrical power companies.
National Institute of Standards and Technology (NIST)
Source for many of the national standards in the United States. Publishes a number of standards, many of which are related to cybersecurity.
ISO IEC 27001:2013
Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.