Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide - Chapter 1
active-active failover
In an active-active failover configuration, both of the firewalls are active. If one fails, the other will continue to pass traffic in the network.
Pattern matching
A methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. It can lead to a high rate of false positives.
Common Configuration Scoring System (CCSS):
More information about CCSS can be found at http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf.
List a commercial tool used in digital forensics.
EnCase
Common Weakness Scoring System (CWSS):
A methodology for scoring software weaknesses. CWSS is part of the Common Weakness Enumeration (CWE) standard.
Return-to-LibC Attacks and Buffer Overflows
A return-to-libc (or ret2libc) attack typically starts with a buffer overflow. In this type of attack, a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process. This is done to potentially bypass the no-execute (NX) bit feature and allow attackers to inject their own code.
What is DLP?
A software or solution for making sure that corporate users do not send sensitive or critical information outside the corporate network
Common Misuse Scoring System (CMSS):
A standardized way to measure software feature misuse vulnerabilities.
What Is a Threat
A threat is any potential danger to an asset.
Mailer or mass-mailer worm:
A type of worm that sends itself in an email message. Examples of mass-mailer worms are Loveletter.A@mm and W32/SKA.A@m (a.k.a. the Happy99 worm), which sends a copy of itself every time the user sends a new message.
What Is a Vulnerability?
A vulnerability is a weakness in the system design, implementation, software, or code, or the lack of a mechanism.
Which of the following is a good definition of a vulnerability? A. A weakness in the system design, implementation, software, or code or the lack of a mechanism B. A common vulnerability and exposure (CVE) C. Any potential danger to an asset D. None of these answers are correct.
A. A vulnerability is a weakness in the system design, implementation, software, or code, or the lack of a mechanism. Vulnerabilities can be found in software or hardware.
Which of the following statements are true about application proxies? (Choose two.) A. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. B. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet. C. Application proxies can be classified as next-generation firewalls. D. Application proxies always perform Network Address Translation.
A. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. B. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.
Which of the following is a technology that typically has the ability to detect any sensitive emails, documents, or information leaving your organization? A. DLP B. IDaaS C. SaaS D. IaaS
A. Data Loss Prevention (DLP) systems are designed to detect any sensitive emails, documents, or information leaving your organization.
Which of the following is true about heuristic-based algorithms? A. Heuristic-based algorithms may require fine-tuning to adapt to network traffic and minimize the possibility of false positives. B. Heuristic-based algorithms do not require fine-tuning. C. Heuristic-based algorithms support advanced malware protection. D. Heuristic-based algorithms provide capabilities for the automation of IPS signature creation and tuning.
A. Heuristic-based algorithms may require fine-tuning to adapt to network traffic and minimize the possibility of false positives.
Which of the following is the component of the CIA triad that ensures that a system and its data have not been altered or compromised? A. Integrity B. Availability C. Confidentiality D. Nonrepudiation
A. Integrity is the component of the CIA triad that ensures that a system and its data have not been altered or compromised.
Which of the following is a methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network using signatures? A. Pattern matching and stateful pattern-matching recognition B. Anomaly-based analysis C. Snort-based analysis using AMP D. NetFlow-based analysis
A. Pattern matching and stateful pattern-matching recognition are methodologies used by intrusion detection devices.
You are part of a vulnerability management team tasked to research information about a new vulnerability disclosed by Microsoft affecting numerous systems in your company. What database can you query to obtain more information about such a vulnerability? A. NVD B. CVSS C. FIRST D. None of these answers are correct.
A. NVD is a common repository of known security vulnerabilities that can be accessed at nvd.nist.gov. CVSS provides a scoring system to characterize the impact of a given security vulnerability. FIRST is an international nonprofit organization where incident response professionals exchange information, provide education, and develop new standards and best practices.
Which of the following are components of the 5-tuple in a NetFlow flow record? A. Source port, destination port, source IP address, destination IP address, and protocol B. TCP, UDP, ICMP, source IP address, destination IP address C. Source IP address, destination IP address, source MAC address, destination MAC address, protocol D. None of these answers are correct.
A. The 5-tuple in a NetFlow record includes the source port, destination port, source IP address, destination IP address, and protocol.
Which of the following centralizes the management and reporting for one or more Cisco ESAs and Cisco WSAs? A. Cisco SMA B. Cisco FMC C. Cisco Defense Orchestrator D. Cisco DNAC
A. The Cisco Content Security Management Appliance (SMA) is used to provide centralized management and reporting for one or more Cisco ESAs and Cisco WSAs. Cisco FMC is used to manage firewalls and intrusion prevention systems. Cisco Defense Orchestrator is a cloud-based solution to manage and deploy policies to Cisco firewalls. The Cisco DNA Center (DNAC) is a software-defined networking (SDN) solution.
Which of the following entities developed a tool to provide a repeatable and measurable process for organizations to measure their cybersecurity readiness? A. FFIEC B. FedRAMP C. FIRST D. ISO
A. The Federal Financial Institutions Examination Council developed a tool to provide a repeatable and measurable process for organizations to measure their cybersecurity readiness.
Which of the following protocols is used to redirect traffic from a network infrastructure device to the Cisco WSA for inspection? A. WCCP B. NetFlow C. TLS D. TAXII
A. The WCCP protocol can be used to redirect traffic from a network infrastructure device (such as a firewall or router) to the Cisco WSA for inspection.
Explain the features of a traditional stateful firewall.
Access control is done by application awareness and visibility.
HTML Injection
An HTML injection is a vulnerability that occurs when an unauthorized user is able to control an input point and inject arbitrary HTML code into a web application. Successful exploitation could lead to disclosure of a user's session cookies; an attacker might do this to impersonate a victim or to modify the web page or application content seen by the victims. HTML injection vulnerabilities can lead to cross-site scripting (XSS).
What Is an Exploit?
An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system.
Vulnerabilities can be found in each of the following:
Applications, Operating Systems, Hardware, Misconfiguration, Shrinkwrap software
Availability
Availability means that a system or application must be "available" to authorized users at all times.
Which of the following refers to the way you document and preserve evidence from the time that you started the cyber forensics investigation to the time the evidence is presented at court or to your executives? A. Best evidence B. Chain of custody C. Chain of trust D. Web of trust
B. Chain of custody is the way you document and preserve evidence from the time that you started the cyber forensics investigation to the time the evidence is presented at court or to your executives.
Which of the following is the operating system used by the Cisco ESA and Cisco WSA? A. Cisco IOS-XE B. AsyncOS C. Cisco FTD D. Cisco NX-OS
B. The operating system used by the Cisco ESA and Cisco WSA is the AsyncOS operating system. Cisco IOS-XE is used in Cisco enterprise routers and switches. Cisco FTD is a next-generation firewall solution. Cisco NX-OS is the operating system used in datacenter switches and other Cisco products.
Which of the following is a collection of procedures and operations performed by system administrators, security professionals, or network operators? A. Separation of duties document B. Vulnerability management SOP C. Runbook D. None of these answers are correct.
C. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators.
Which of the following is a solution that makes basic personal firewalls and HIPS obsolete? A. CTA B. CVSS C. AMP for Endpoints D. None of these answers are correct.
C. AMP for Endpoints provides capabilities that are more advanced than basic personal firewalls and host intrusion prevention systems (HIPS).
Which of the following has the most storage requirements? A. NetFlow B. Syslog C. Full packet captures D. IPS signatures
C. Full packet captures
What is a specification that provides a methodology for scoring software weaknesses?
CWE
Which of the following statements are true when referring to Network Address Translation? (Choose two.) A. NAT can only be used in firewalls. B. Static NAT does not allow connections to be initiated bidirectionally. C. Static NAT allows connections to be initiated bidirectionally. D. NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT.
C. Static NAT allows connections to be initiated bidirectionally. D. NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT.
Which of the following is a framework, developed by the United States government, that provides a common taxonomy, and one of the main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure? A. The Forum of Incident Response and Security Teams (FIRST) B. The Common Vulnerability Scoring System (CVSS) C. NIST Cybersecurity Framework D. The National Vulnerability Database (NVD)
C. The NIST Cybersecurity Framework provides a common taxonomy, and one of the main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure. CVSS provides a scoring system to characterize the impact of a given security vulnerability. FIRST is an international nonprofit organization where incident response professionals exchange information, provide education, and develop new standards and best practices. NVD is a common repository of known security vulnerabilities that can be accessed at nvd.nist.gov.
Authentication-Based Vulnerabilities
Credential brute forcing, Session hijacking, Redirecting, Exploiting default credentials, Exploiting weak credentials, Exploiting Kerberos vulnerabilities
Which of the following statements are true about cybersecurity practices? A. Cybersecurity risk includes not only the risk of a data breach but also the risk of the entire organization being undermined via business activities that rely on digitization and accessibility. B. The objective of cybersecurity is to protect each of us, our economy, our critical infrastructure, and our country from the harm that can result from inadvertent or intentional misuse, compromise, or destruction of information and information systems. C. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization. Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks. D. All of these answers are correct.
D. All of these answers are correct.
Which of the following are best practices in the SOC? A. Organizations should operate the SOC as a program rather than a single project. B. Metrics must be established to measure the effectiveness of the SOC capabilities. C. Analysts should collaborate with other groups such as public relations, legal, and IT. D. All of these answers are correct.
D. All the available answers are best practices for the Security Operations Center (SOC). Organizations should operate the SOC as a program rather than a single project. Metrics must be established to measure the effectiveness of the SOC capabilities. SOC analysts should collaborate with other groups such as public relations, legal, and IT.
Which of the following are considered personally identifiable information (PII)? A. Individual's name B. Date of birth C. Mother's maiden name D. All of these answers are correct.
D. An individual's name, date of birth, and mother's maiden name are all considered personally identifiable information (PII).
Cybersecurity programs and policies expand and build on traditional information security programs but also include which of the following? A. Cyber risk management and oversight B. Threat intelligence C. Threat hunting D. All of these answers are correct.
D. Cybersecurity programs and policies include risk management and oversight, threat intelligence, and threat hunting.
Which of the following can be used to obtain proof-of-concept exploits against known vulnerabilities? A. The Exploit Database by Offensive Security B. The searchsploit tool C. GitHub D. All of these answers are correct.
D. The Exploit Database by Offensive Security (exploit-db.com), searchsploit, and sometimes GitHub can be used to obtain proof-of-concept software designed to exploit a security vulnerability.
One of the primary benefits of a ____________ is that even if a single control (such as a firewall or IPS) fails, other controls can still protect your environment and assets. A. DLP B. AMP C. CoPP D. Defense-in-depth strategy
D. One of the primary benefits of a defense-in-depth strategy is to provide security capabilities even if a single control (such as a firewall or IPS) fails. Other controls can still protect your environment and assets.
Which of the following is part of TrustSec? A. Security group tags (SGTs) B. Security group access control lists (SGACLs) C. AnyConnect D. All of these answers are correct.
D. SGTs, SGACLs, and the Cisco AnyConnect Secure Mobility Client are all components of the TrustSec solution.
A number of standards are being developed for disseminating threat intelligence information. Which of the following standards is a language designed for sharing threat intelligence? A. CWE B. CVE C. CVSS D. STIX
D. STIX is a standard designed to share threat intelligence. The Common Vulnerability and Exposures (CVE) is a standard created by MITRE to identify security vulnerabilities. CVSS is a scoring system to describe the impact of a security vulnerability.
Which of the following states that all users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs and no more? A. ISO privilege standard B. NIST 800-61r2 C. CVSS D. Principle of least privilege
D. The principle of least privilege states that all users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more.
Describe the use of DMZs.
DMZs can serve as segments on which a web server farm resides or as extranet connections to business partners.
Access control entries, which are part of an access control list, can classify packets by inspecting Layer 2 through Layer 4 headers for a number of parameters, including which of the following items? A. Layer 2 protocol information such as EtherTypes B. Layer 3 protocol information such as ICMP, TCP, or UDP C. Layer 3 header information such as source and destination IP addresses D. Layer 4 header information such as source and destination TCP or UDP ports E. All of these answers are correct.
E. Access control lists can classify packets using Layer 2 protocol information such as EtherTypes; Layer 3 protocol information such as ICMP, TCP, or UDP; Layer 3 header information such as source and destination IP addresses; and Layer 4 header information such as source and destination TCP or UDP ports.
Which of the following are examples of cloud-based security solutions? A. Cisco Cloud Email Security (CES) B. Cisco AMP Threat Grid C. Umbrella (OpenDNS) D. CloudLock E. All of these answers are correct.
E. Cisco Cloud Email Security (CES), Cisco AMP Threat Grid, Umbrella (formerly OpenDNS), and CloudLock are all cloud-based security solutions.
heuristic-based analysis
Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network.
SQL injection attacks can be divided into the following categories:
In-band SQL injection: With this type of injection, the attacker obtains the data by using the same channel that is used to inject the SQL code. This is the most basic form of an SQL injection attack, where the data is dumped directly in a web application (or web page).
Out-of-band SQL injection: With this type of injection, the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query. Alternatively, the attacker might be able to send the compromised data to another system.
Blind (or inferential) SQL injection: With this type of injection, the attacker does not make the application display or transfer any data; rather, the attacker is able to reconstruct the information by sending specific statements and discerning the behavior of the application and database.
Integrity
Integrity is the ability to make sure that a system and its data have not been altered or compromised.
Types of threats:
Natural disasters, weather, and catastrophic damage; hacker attacks; cyberattacks; viruses and malware; disclosure of confidential information; denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
Describe some of the benefits of NetFlow.
NetFlow provides information about network session data, and NetFlow records take less space than a full packet capture.
There are two major categories of brute-force attacks:
Online brute-force attacks: In this type of attack, the attacker actively tries to log in to the application directly by using many different combinations of credentials. Online brute-force attacks are easy to detect because you can easily inspect for large numbers of attempts by an attacker.
Offline brute-force attacks: In this type of attack, the attacker can gain access to encrypted data or hashed passwords. These attacks are more difficult to prevent and detect than online attacks. However, offline attacks require significantly more computation effort and resources from the attacker.
List an open-source SDN solution.
Open vSwitch
Five-step threat intelligence process for evaluating threat intelligence sources and information.
Planning and Direction > Collection > Processing > Analysis and Production > Dissemination
There are several ways an attacker can perform a session hijack and several ways a session token may be compromised:
Predicting session tokens: If attackers can predict session tokens, they can easily hijack the web session to further compromise the system or steal data.
Session sniffing: This can occur through collecting packets of unencrypted web sessions.
Man-in-the-middle (MITM) attack: With this type of attack, the attacker sits in the path between the client and the web server.
Man-in-the-browser (MITB) attack: This attack is similar in approach to a man-in-the-middle attack; however, in this case, a browser (or an extension or a plug-in) is compromised and used to intercept and manipulate web sessions between the user and the web server.
XSS vulnerabilities are classified in three major categories:
Reflected XSS - Reflected XSS attacks (nonpersistent XSS) occur when malicious code or scripts are injected by a vulnerable web application using any method that yields a response as part of a valid HTTP request.
Stored (persistent) XSS - Stored, or persistent, XSS attacks occur when the malicious code or script is permanently stored on a vulnerable or malicious server, using a database.
DOM-based XSS - The Document Object Model (DOM) is a cross-platform and language-independent application programming interface (API) that treats an HTML, XHTML, or XML document as a tree structure.
Code injection vulnerabilities include the following:
SQL injection, HTML script injection, Dynamic code evaluation, Object injection, Remote file inclusion, Uncontrolled format string, Shell injection
Injection-based vulnerabilities:
SQL injection vulnerabilities, HTML injection vulnerabilities, Command injection vulnerabilities
You typically find XSS vulnerabilities in the following:
Search fields that echo a search string back to the user; HTTP headers; Input fields that echo user data; Error messages that return user-supplied text; Hidden fields that may include user input data; Applications (or websites) that display user-supplied data
Stateful and traditional firewalls can analyze packets and judge them against a set of predetermined rules called access control lists. Which elements within a packet do they inspect?
Source and destination ports and source and destination IP addresses
Organized crime groups:
The main purpose of these groups is to steal information, scam people, and make money.
State sponsors and governments:
These agents are interested in stealing data, including intellectual property and research-and-development data from major manufacturers, government agencies, and defense contractors.
Terrorist groups:
These groups are motivated by political or religious beliefs.
Hacktivists:
These people carry out cybersecurity attacks aimed at promoting a social or political cause.
Script kiddies:
These people use existing "scripts" or tools to hack into computers and networks. They lack the expertise to write their own scripts.
Malware attachments:
These threats are email messages containing malicious software (malware).
Spam:
These unsolicited email messages advertise a service, a scam (typically), or a message with malicious intent. Email spam continues to be a major threat because it can be used to spread malware.
Downloader:
This piece of malware downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.
Representational State Transfer (REST):
This API standard is easier to use than SOAP. It uses JSON instead of XML, and it uses standards such as Swagger and the OpenAPI Specification (www.openapis.org) for ease of documentation and to encourage adoption.
Backdoor:
This piece of malware or a configuration change allows an attacker to control the victim's system remotely. For example, a backdoor can open a network port on the affected system so that the attacker can connect to and control the system.
Structured Threat Information eXpression (STIX):
This express language is designed for sharing cyberattack information. STIX details can contain data such as the IP addresses or domain names of command and control servers (often referred to as C2 or CnC), malware hashes, and so on. STIX was originally developed by MITRE and is now maintained by OASIS.
Cyber Observable eXpression (CybOX):
This free standardized schema is used for specification, capture, characterization, and communication of events of stateful properties that are observable in the operational domain. CybOX was originally developed by MITRE and is now maintained by OASIS.
Open Command and Control (OpenC2):
This language is used for the command and control of cyber-defense technologies. OpenC2 Forum was a community of cybersecurity stakeholders that was facilitated by the U.S. National Security Agency. OpenC2 is now an OASIS technical committee (TC) and specification.
Exploit:
This malicious program is designed to exploit, or take advantage of, a single vulnerability or set of vulnerabilities.
Computer virus:
This malicious software infects a host file or system area to produce an undesirable outcome such as erasing data, stealing information, or corrupting the integrity of the system. In numerous cases, these viruses multiply again to form new generations of themselves.
Spammer:
This malware sends spam, or unsolicited messages sent via email, instant messaging, newsgroups, or any other kind of computer or mobile device communications. Spammers send these unsolicited messages with the primary goal of fooling users into clicking malicious links, replying to emails or other messages with sensitive information, or performing different types of scams. The attacker's main objective is to make money.
Open Indicators of Compromise (OpenIOC):
This open framework is used for sharing threat intelligence in a machine-digestible format.
Trusted Automated eXchange of Indicator Information (TAXII):
This open transport mechanism standardizes the automated exchange of cyber threat information. TAXII was originally developed by MITRE and is now maintained by OASIS.
Key logger:
This piece of malware captures the user's keystrokes on a compromised computer or mobile device. A key logger collects sensitive information such as passwords, personal identification numbers (PINs), personally identifiable information (PII), credit card numbers, and more.
stateful pattern-matching recognition
This process dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream. It provides the capability to directly correlate a specific exploit within a given pattern, and support for all nonencrypted IP protocols.
Rootkit:
This set of tools is used by an attacker to elevate privilege to obtain root-level access to be able to completely take control of the affected system.
Simple Object Access Protocol (SOAP):
This standards-based web services access protocol was originally developed by Microsoft and has been used by numerous legacy applications for many years. SOAP exclusively uses XML to provide API services. XML-based specifications are governed by XML Schema Definition (XSD) documents. SOAP was originally created to replace older solutions such as the Distributed Component Object Model (DCOM) and Common Object Request Broker Architecture (CORBA).
Spear phishing:
This threat involves phishing attempts that are more targeted. Spear-phishing emails are directed to specific individuals or organizations.
Phishing:
This threat is an attacker's attempt to fool a user into thinking that the email communication comes from a legitimate entity or site, such as a bank, social media website, online payment processor, or even the corporate IT department. The goal of a phishing email is to steal a user's sensitive information, such as user credentials, bank account information, and so on.
Logic bomb:
This type of malicious code is injected into a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system. Examples of these malicious tasks include deleting or corrupting files or databases and executing a specific instruction after certain system conditions are met.
Ransomware:
This type of malware compromises a system and then demands that the victim pay a ransom to the attacker for the malicious activity to cease or for the malware to be removed from the affected system. Examples of ransomware are Nyetya, NotPetya, WannaCry, Sodinokibi, BadRabbit, and CryptoWall; they all encrypt the victim's data and demand that the user pay a ransom for the data to be decrypted and accessible again.
Trojan horse:
This type of malware executes instructions to delete files, steal data, or otherwise compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices. Trojans can also act as backdoors.
Worm:
This virus replicates itself over the network, infecting numerous vulnerable systems. In most cases, a worm executes malicious instructions on a remote system without user interaction.
Threat intelligence platforms support the following:
Threat intelligence collection: Collecting and aggregating multiple data formats including CSV, STIX, XML, JSON, IODEF, OpenIOC, and proprietary threat intelligence feeds.
Data correlation: Automatically analyzing and correlating threat intelligence data.
Enrichment and contextualization: Provides enriched context around threats in order to enable SOC analysts and incident responders to have as much data as possible regarding the attack and the threat actor (adversary).
Analyze: Automates the analysis of threat indicators to enable the identification of the adversary's tactics, techniques, and procedures (TTPs). Often TIPs can leverage the adversary tactics and techniques included in MITRE's ATT&CK framework (attack.mitre.org).
Integrations with other security systems: Modern TIPs provide the ability to integrate with many different security solutions (including Security Information and Event Management [SIEM] and Security Orchestration Automation and Response [SOAR] solutions).
Act: The threat intelligence platform should enable security professionals to create tools and applications that can help respond to and mitigate cybersecurity threats and attacks.
Types of IPSs
Traditional network-based IPSs (NIPSs), Next-generation IPS systems (NGIPSs), Host-based IPSs (HIPSs)
Traditional Firewalls
Typically, firewalls are devices that are placed, or deployed, between a trusted and an untrusted network.
CVE identifier
Vulnerabilities are typically identified by a Common Vulnerabilities and Exposures (CVE) identifier. CVE is an identifier for publicly known security vulnerabilities. This is a standard created and maintained by MITRE and used by numerous organizations in the industry, as well as security researchers.
Internet edge firewalls
When firewalls are connected to the Internet,
signature
A set of conditions that points out some type of intrusion occurrence.
Data loss prevention
The ability to detect any sensitive emails, documents, or information leaving your organization.
threat intelligence platforms (TIPs)
Platforms that aggregate, correlate, and analyze threat intelligence information from multiple sources in near real time. They use APIs to gather or exchange data.
Principle of Least Privilege
all users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more.
SQL injection (SQLi) vulnerabilities
allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts, or injects, partial or complete SQL queries via the web application.
Separation of Duties
an administrative control dictating that a single individual should not perform all critical- or privileged-level duties.
Command Injection
an attack in which an attacker tries to execute commands that she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements).
asset
any item of economic value owned by an individual or corporation. Assets can be real—such as routers, servers, hard drives, and laptops—or assets can be virtual, such as formulas, databases, spreadsheets, trade secrets, and processing time.
There are three basic elements of risk:
assets, threats, and vulnerabilities.
ASCII armoring
can be used to mitigate ret2libc attacks. When you implement ASCII armoring, system libraries (such as libc) are loaded within the first 0x01010101 bytes of memory, so the address of every system library contains a NULL byte (0x00).
Intrusion prevention system (IPS) devices
capable of not only detecting all these security threats but also dropping malicious packets inline
Confidentiality
confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
ISO 27005
defines the high-level risk management approach recommended by ISO
ISO 27002
describes the code of practice for information security management
Intrusion detection systems (IDSs)
devices that detect (in promiscuous mode) attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information.
command-line tool called searchsploit
enables you to download a copy of the Exploit Database so that you can use it on the go.
Security operations centers (SOCs)
facilities where an organization's assets, including applications, databases, servers, networks, desktops, and other endpoints, are monitored, assessed, and protected.
deep packet inspection (DPI)
firewalls can look at specific Layer 7 payloads to protect against security threats.
threat agent or threat vector
the path used by the malicious actor to perform the attack
Personally Identifiable Information
information which can be used to distinguish or trace an individual's identity.
deep web
is a collection of information and systems on the Internet that is not indexed by web search engines
GraphQL
is a query language for APIs that provides many developer tools. GraphQL is now used for many mobile applications and online dashboards. Many different languages support GraphQL.
Risk
is the probability or likelihood of the occurrence or realization of a threat.
ISO 27001
is the specification for an information security management system (ISMS)
anomaly-based analysis
keeps track of network traffic that diverges from "normal" behavioral patterns
zero-day exploit
an exploit of a vulnerability that no one may even know exists at the time it is exploited
Cross-site request forgery (CSRF or XSRF) attacks
occur when unauthorized commands are transmitted from a user who is trusted by the application. CSRF vulnerabilities are also referred to as one-click attacks or session riding.
Protocol analysis
often referred to as an extension to stateful pattern recognition. A network-based intrusion detection system (NIDS) accomplishes protocol analysis by decoding all protocol or client/server conversations.
Cookie manipulation attacks
often referred to as stored DOM-based attacks (or vulnerabilities). Cookie manipulation is possible when vulnerable applications store user input and then embed that input in a response within a part of the DOM.
ISO 27004
outlines how an organization can monitor and measure security using metrics
ISO 27006
outlines the requirements for organizations that will measure ISO 27000 compliance for certification.
dark web (or darknet)
overlay of networks and systems that uses the Internet but requires specific software and configurations to access it. The dark web is just a small part of the deep web.
false negatives
overlooked events of real attacks
ISO 27003
provides detailed implementation guidance
Threat intelligence
referred to as the knowledge about an existing or emerging threat to assets, including networks and systems.
Demilitarized Zones
separate multiple network segments (or zones), usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them with different security levels and policies between them.
threat
sets the stage for risk and is any agent, condition, or circumstance that could potentially cause harm, loss, or damage or compromise an IT asset or data asset
personal firewalls
several software applications can run on a system to protect only that host
whaling
specifically targets executives and high-profile users.
residual risk
the amount of risk left after safeguards and controls have been put in place to protect the asset
malicious actor
the entity that takes advantage of the vulnerability
Threat actors
the individuals (or a group of individuals) who perform an attack or are responsible for a security incident that impacts or has the potential of impacting an organization or individual.
active-standby failover
the primary firewall (when operational) is always active, and the secondary is in standby mode. When the primary firewall fails, the secondary firewall takes over.
What is Cybersecurity?
the process of protecting information by preventing, detecting, and responding to attacks
false positives
alerts that do not represent genuine malicious activity