CompTIA Security+ (SY0-501)
"nontransparent proxy"
"nontransparent proxy"—that is, one that "modifies the request or response in order to provide some added service
IMAP
(Internet Message Access Protocol) can all be secured with TLS.
POP3
(Post Office Protocol v3),
email protocol SMTP
(Simple Mail Transfer Protocol),
SNMP
(Simple Network Management Protocol) is used to manage networks. Each managed device has a software agent installed that reports issues and problems to a centralized SNMP management server. Versions 1 and 2 of SNMP sent all data as clear text. SNMP v3 encrypts all data.
SCADA
(Supervisor Control and Data Acquisition) and PLCs (primary logic controllers). One of the most fundamental security steps that you can take with a SCADA system is to implement account usage and monitoring.
SPIT
(spam over Internet telephony).
SPIM
(spam over instant messaging)
Types of Vulnerabilities
*Configuration Issues *User Issues *Zero-Day Exploits *Secure Protocols *
Several types of attacks can occur in this category.
*Deny access to information, applications, systems, or communications. *Bring down a website while the communications and systems continue to operate. *Crash the operating system (a simple reboot may restore the server to normal operation). *Fill the communications channel of a network and prevent access by authorized users. *Open as many TCP sessions as possible. This type of attack is called a TCP SYN flood DoS attack. Two of the most common types of DoS
Maintenance and Administrative Requirements These standards outline what is required to manage and administer the systems or networks.
*Following Guidelines *Scope and Purpose *Roles and Responsibilities *Guideline Statements *Operational Considerations
Guidelines help an organization in three ways:
*If a process or set of steps isn't performed routinely, experienced support and security staff will forget how to do them; guidelines will help refresh their memory. *When you're trying to train someone to do something new, written guidelines can reduce the new person's learning curve. *When a crisis or high-stress situation occurs, guidelines can keep you from coming unglued.
impact, be sure to factor in the following variables:
*Life. Is anyone in immediate jeopardy because of the failure? *Property, Will anything be lost as a result of the malfunction? *Safety, Is anyone in harm's way due to the crash? *Finance, How much will be lost due to the stoppage? *Reputation, How harmful is the breakdown to the trust of the organization?
Some devices are best placed based on the rest of your network configuration.
*Load balancers are used to balance the load for mirrored servers in a server cluster. *Port mirroring will also be placed wherever your network demands it. This is often done throughout network switches so that traffic from a given network segment is also copied to another segment.
Implementing Policies for Personnel
*Mandatory Vacations *Job Rotation *Separation of Duties Policies *Clean Desk *Background Checks *Nondisclosure Agreement *Onboarding *Continuing Education *Exit Interviews *Role-Based Awareness Training
Operating Systems
*Network operating systems define how the network will function. In general, however, server operating systems usually offer up additional network services and are usually more secure than client operating systems. *Appliance operating systems and kiosk operating systems are both limited to a specific purpose. An appliance operating system might be on a smart device, such as a smart home's thermostat. A kiosk is usually a public computer used for a limited purpose. *Mobile operating systems are now similar to server and client operating systems.
Four popular asymmetric systems are in use today:
*RSA *Diffie-Hellman *Elliptic Curve Cryptography *ElGamal
Guidelines
*Scope and Purpose *Roles and Responsibilities *Guideline Statements *Operational Considerations
Secure Network Architecture Concepts Zones
*Secure Zone These are the most sensitive systems, with mission critical data. *General Work Zone These are standard workstations and servers, with typical business data and functionality. *Low Security Zone These are computers, network segments, and systems that have no highly sensitive information, and the breach of these systems would have minimal impact.
Authentication systems
*Something you know, such as a password or PIN. This is often referred to as Type I. *Something you have, such as a smartcard, token, or identification device. This is often referred to as Type II. *Something you are, such as your fingerprints or retinal pattern (often called biometrics). This is often referred to as Type III. *Something you do, such as an action you must take to complete authentication. This does not have a type (I, II, III). *Somewhere you are (this is based on geolocation). This does not have a type (I, II, III).
two key components of fault tolerance that you should never overlook:
*Spare parts should always be readily available to repair any system-critical component if it should fail. *At a bare minimum, an uninterruptible power supply (UPS)—with surge protection—should accompany every server and workstation. That UPS should be rated for the load it is expected to carry in the event of a power failure You will need a backup generator. Backup generators run off of gasoline, propane, natural gas, or diesel and generate the electricity needed to provide steady power.
method of preventing the propagation of malicious code
*The primary method of preventing the propagation of malicious code involves the use of antivirus software *The second method of preventing viruses is user education. * *
Symptoms of a Virus Infection
*The programs on your system start to load more slowly. *Program sizes change from the installed versions. *unusual operating characteristics. *The system mysteriously shuts itself down
The two primary types of nonmathematical cryptography, or ciphering methods, are
*substitution *transposition.
Modern Cryptography Modern cryptography is divided into three major areas:
*symmetric cryptography, *asymmetric cryptography, *hashing algorithms. until you realize that the XOR operation is reversible. At some point, all symmetric ciphers use an XOR operation as a part of their algorithm.
Common arp flags
-d Removes a listing from the arp cache. You won't use this very often. -a Displays all of the current arp entries for all interfaces. This is the most common flag. -g Displays all of the current arp entries for all interfaces. Same as -N Lists arp cache for a specified interface.
Symmetric Ciphers Issues
-latency
A cipher suite
. A cipher suite is a combination of methods, such as an authentication, encryption, and message authentication code (MAC) algorithms used together.
zero-day exploit
...A vulnerability that is unknown to the product vendor, and thus there is no patch for it.
If data has been stolen, you cannot go back in time and prevent the loss of that data.
1. Immediately change all passwords. 2. Notify the relevant parties. 3. Make procedural changes so that the information stolen cannot be used to affect additional breaches.
Conducting a Risk Assessment
1. Interview the department heads and the data owners 2. Evaluate the network infrastructure 3. Perform a physical assessment of the facility Ask for what those steps need to be done.
be one-way
1. It must be one-way. This means that it is not reversible. Once you hash something, you cannot unhash it.
You can derive a single checklist from these various guidelines and benchmarks for operating systems that is an appropriate baseline
1. Make certain that the operating system is patched. Without updating the operating system itself, other security measures will be less effective. 2. Turn off any unneeded services, accounts, or other methods of accessing the system. 3. Turn on sufficient logging to allow you to audit the system and to understand what has occurred on the operating system. 4. If the operating system has an inherent firewall, turn it on and see that it is properly configured. 5. Run an appropriate antimalware software package.
NIST defines the cloud model
1. On-demand self-service. The customer is able to provision new users, services, virtual machines, and so on without involving the provider. 2. Broad network access. Services are accessed via the Internet, instead of through an internal network accessible only over private connections. 3. Resource pooling. Shared resources are made available so that services can draw from them as needed. 4. Rapid elasticity. Needs can expand or contract, and needed service will expand or contract with those needs. 5. Measured service. Billing is based on some measured consumption (which could be licenses, CPU cycles, storage consumed, and so forth)—you pay for what you use.
The SSL connection process
1. The client sends the server the client's SSL version number, cipher settings, session- specific data, and other information that the server needs to communicate with the client using SSL. 2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate. 3. The client uses the information sent by the server to authenticate the server—for example, in the case of a web browser connecting to a web server, the browser checks whether the received certificate's subject name actually matches the name of the server being contacted, whether the issuer of the certificate is a trusted certificate authority, whether the certificate has expired, and, ideally, whether the certificate has been revoked. If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to the next step. 4. Using all of the data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher in use) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server. 5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret. 6. If the server has requested client authentication, the server attempts to authenticate the client. If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the premaster secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret. 7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection). 8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished. 9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
Variable-length
2. Variable-length input produces fixed-length output. This means that whether you hash two characters or two million, the hash size is the same.
Blowfish and Twofish
64-bit block cipher Twofish is quite similar, and it works on 128-bit blocks.
802.11n
802.11n standard operates at 5 GHz, and it can also operate at 2.4 GHz.
A common method of verifying integrity involves adding a message authentication code (MAC) to the message
A MAC is calculated by using a symmetric cipher in cipher block chaining mode (CBC) with only the final block being produced. However, unlike a hashing algorithm, the cipher requires a symmetric key that is exchanged between the two parties in advance.
Trojan
A Trojan, or Trojan horse, is a program that enters a system or network under the guise of another program. as an attachment Immediately before and after you install a new software program or operating system, back it up!
A backout
A backout is a reversion from a change that had negative consequences.
Understanding Backup Plan Issues
A backup plan identifies which information is to be stored, how it will be stored, and for what duration it will be stored.
full backup
A backup that copies all data to the archive medium.
Behavior-Based Detection
A behavior-based system looks for variations in behavior such as unusually high traffic, policy violations, and so on.
Vendor Diversity
A better solution would be to use vendor A for the firewall antimalware, vendor B for the network, and vendor C for individual computers. The probability of all three products, created by different vendors and using different detection algorithms, missing a specific malware is far lower than any one of them alone missing it.
information security management system (ISMS)
A broad term that applies to a wide range of systems used to manage information security.
Annualized rate of occurrence (ARO)
A calculation of how often a threat will occur. For example, a threat that occurs once every five years has an annualized rate of occurrence of 1/5, or 0.2.
Annual loss expectancy (ALE)
A calculation used to identify risks and calculate the expected loss each year.
Historical Cryptography A cipher
A cipher is a method used to scramble or obfuscate characters to hide their value. Ciphering is the process of using a cipher to do that type of scrambling to a message.
A circuit-level proxy
A circuit-level proxy creates a circuit between the client and the server and doesn't deal with the contents of the packets that are being processed.
mutual authentication
A client may authenticate to a server, and a server may authenticate to a client when there is a need to establish a secure session between the two and employ encryption.
public cloud
A cloud delivery model available to others.
private cloud
A cloud delivery model owned and managed internally.
Platform as a Service (PaaS)
A cloud service model wherein the consumer can deploy but does not manage or control any of the underlying cloud infrastructure.
Cold Site
A cold site is a facility that isn't immediately ready to use. The organization using it must bring along its equipment and network. Cold sites are usually the least expensive to put into place, but they require the most advanced planning, testing, and resources to become operational—occasionally taking up to a month to make operational.
federation
A collection of computer networks that agree on standards of operation, such as security standards.
QoS (quality of service)
A collection of technologies that provide the ability to balance network traffic and prioritize workloads.
Collision
A collision occurs when two different inputs to a hashing algorithm produce the same output.
firewall
A combination of hardware and software filters placed between trusted and untrusted networks intended to protect a network from attack by hackers who could gain access through public networks, including the Internet.
Companion Virus
A companion virus attaches itself to legitimate programs and then creates a program with a different filename extension. When a user types the name of the legitimate program, the companion virus executes instead of the real program.
implicit deny
A condition that states that unless otherwise given, the permission will be denied.
Redundant Array of Independent Disks (RAID)
A configuration of multiple hard disks used to provide fault tolerance should a disk fail. Different levels of RAID exist.
wireless access point
A connection device used for clients in a radio frequency (RF) network.
administrative control
A control implemented through administrative policies or procedures.
Data Retention
A data retention policy should exist within each organization to outline the guidelines for retaining information for operational use while ensuring adherence to the laws and regulations concerning them.
Deception
A deception active response fools the attacker into thinking that the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken. sending them to the honeypot.
Demilitarized Zones
A demilitarized zone (DMZ) is an area where you can place a public server for access by people whom you might not trust otherwise.
distributed denial-of-service (DDoS)
A derivative of a DoS attack in which multiple hosts in multiple locations all focus on one target to reduce its availability to the public. This can be accomplished through the use of compromised systems, botnets, and other means.
Deterrent
A deterrent control is anything intended to warn a wouldbe attacker that they should not attack.
application-level proxy
A device or software that recognizes application-specific commands and offers granular control over them.
mantrap
A device, such as a small room, that limits access to one or a few individuals. Mantraps typically use electronic locks and other methods to control access.
Differential Backup
A differential backup is similar in function to an incremental backup, but it backs up any files that have been altered since the last full backup; This means that the backups in the earliest part of the weekly cycle will be very fast, whereas each successive one will be slower.
Digital Signatures
A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender. The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key of the sender to validate the digital signature. If the values match, the receiver knows that the message is authentic.The receiver compares the signature area referred to as a message digest in the message with the calculated value. If the values match, the message hasn't been tampered with and the originator is verified as the person they claim to be. This process provides message integrity, nonrepudiation, and authentication. Since this process provides nonrepudiation, the receiver can be confident the message was sent by the sender, not someone pretending to be the sender. In some cases, digital signatures are also part of authentication. For example, a user logs in and provides their username and password, but that login information is digitally signed.
A directional antenna
A directional antenna, on the other hand, forces the signal in one direction, and since it is focusing the signal, it can cover a greater distance with a stronger signal.
honeypot
A fake system designed to divert attackers from your real systems. It is often replete with logging and tracking to gather evidence.
A federated identity sounds similar to a single sign-on, but do not confuse the two. Single sign-on is about having one password for all resources on a given network. Federated identities relate to being able to access resources on diverse networks.
A federated identity sounds similar to a single sign-on, but do not confuse the two. Single sign-on is about having one password for all resources on a given network. Federated identities relate to being able to access resources on diverse networks.
Federations
A federation is a collection of computer networks that agree on standards of operation, such as security standards. A federated identity is a means of linking a user's identity with their privileges in a manner that can be used across business boundaries even entirely different businesses.
Packet filter
A firewall operating as a packet filter passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn't analyze the data of a packet; it decides whether to pass it based on the packet's addressing information.
Packet Filter Firewalls
A firewall operating as a packet filter, or static firewall, passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn't analyze the data of a packet; based on given rules, it decides whether to pass it based on the packet's addressing information.
stateful packet inspection (SPI)
A firewall that not only examines each packet but also remembers the recent previous packets.
false positive
A flagged event that isn't really a notable incident and has been falsely triggered.
false positive
A flagged event that isn't really an event and has been falsely triggered.
Vulnerability
A flaw or weakness in some part of a system's security procedures, design, implementation, or internal controls that could expose it to danger (accidental or intentional) and result in a violation of the security policy.
rogueware
A form of malware that tries to convince the user to pay for a fake threat.
spear phishing
A form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party.
phishing
A form of social engineering in which you simply ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. Commonly sent via email.
cross-site request forgery (XSRF)
A form of web-based attack in which unauthorized commands are sent from a user that a website trusts.
appliance
A freestanding device that operates in a largely selfcontained manner.
Full Backup
A full backup is a complete, comprehensive backup of all files on a disk or server.
cryptographic hash
A function that is one-way (nonreversible), has a fixed length output, and is collision resistant.
Scope Statement
A good policy has a scope statement that outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses.
Walkthrough
A group discussion of recovery, operations, resumption plans, and procedures.
Heuristic
A heuristic system uses algorithms to analyze the traffic passing through the network.
HIDS
A host-based intrusion detection system. An HIPS is a hostbased intrusion prevention system.
Hot Site
A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. hot site is also referred to as an active backup model.
Hotfix
A hotfix is an immediate and urgent patch. In general, these represent serious security issues and are not optional; they must be applied to the system.
Job Rotation
A job rotation policy defines intervals at which employees must rotate through positions. It helps to ensure that the company does not become too dependent on one person
Keylogger
A keylogger is a piece of software that records keystrokes pressed into a log file and then allows that log file to be viewed so that passwords and other sensitive data can be seen.
ping of death
A large Internet Control Message Protocol (ICMP) packet sent to overflow the remote host's buffer. A ping of death usually causes the remote host to reboot or hang.
hot site
A location that can provide operations within hours of a failure.
Macro Virus
A macro virus exploits the enhancements made to many application programs that are used by programmers to expand the capability of applications such as Microsoft Word and Excel. mini-BASIC programming language
Man-in-the-Browser
A man-in-the-browser attack (abbreviated as MITB, MitB, MIB, and MiB) is a type of man-in-the-middle attack in which a Trojan horse manipulates calls between the browser and its security mechanisms, sniffing or modifying transactions as they are formed on the browser yet still displaying back the user's intended transaction.
Mandatory Vacations
A mandatory vacation policy requires employees to take time away from work to refresh, and it is primarily used in jobs related to the financial sector. If the company becomes too dependent on one person, they can end up in a real bind if something should happen to that person. Mandatory vacations also provide an opportunity to discover fraud.
clustering
A method of balancing loads and providing fault tolerance.
Agile development
A method of software development meant to be rapid.
fuzzing
A method of testing that intentionally enters invalid input to see if the application can handle it.
cloud computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
Infrastructure as a Service (IaaS)
A model of cloud computing that utilizes virtualization; clients pay an outsourcer for the resources used.
Software as a Service (SaaS)
A model of cloud computing in which the consumer can use the provider's applications, but they do not manage or control any of the underlying cloud infrastructure.
Motion Detection
A motion detection system can monitor a location and signal an alarm if it picks up movement.
Multipartite Virus
A multipartite virus attacks your system in multiple ways. It may attempt to infect your boot sector, infect all of your executable files, and destroy your application files.
switch
A network device that can replace a router or hub in a local network and get data from a source to a destination. Switching allows for higher speeds.
Demilitarized Zone (DMZ)
A network segment between two firewalls. One is outward facing, connected to the outside world, the other inward facing, connected to the internal network. Publicfacing servers, such as web servers, are often placed in a DMZ.
Honeynet
A network that functions in the same manner as a honeypot.
network-based IDS (NIDS)
A network-based IDS (NIDS) approach to IDS attaches the system to a point in the network where it can monitor and report on all network traffic. NIDS placement in a network determines what data will be analyzed.
NIDS
A network-based intrusion detection system. An NIPS is an intrusion prevention system. Unlike an HIDS/HIPS, an NIDS/NIPS scans an entire network segment.
passive response
A nonactive response, such as logging. Passive response is the most common type of response to many intrusions. In general, passive responses are the easiest to develop and implement.
Nondisclosure Agreement
A nondisclosure agreement (NDA) is a legal contract intended to cover confidentiality.
alarm
A notification that an unusual condition exists and should be investigated.
Patch
A patch provides some additional functionality or a non-urgent fix. These are sometimes optional.
least privilege
A permission method in which users are granted only the privileges necessary to perform their job function.
Phage Virus
A phage virus modifies and alters other programs and databases. The virus infects all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single incident of this virus on the victim system, the process will start again and infect the system once more.
cable lock
A physical security deterrent used to protect a computer.
cold site
A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately.
disaster-recovery plan
A plan outlining the procedure by which data is recovered after a disaster.
Policy Overview Statement
A policy overview statement provides the goal of the policy, why it's important, and how to comply with it. Ideally, a single paragraph is all you need to provide readers with a sense of the policy.
Policy Statement
A policy statement should be as clear and unambiguous as possible. T
Operational Considerations
A procedure's operational considerations specify and identify what duties are required and at what intervals. This list might include daily, weekly, and monthly tasks.
virus
A program intended to damage a computer system.
Protected Distribution
A protected distribution system (PDS) is one in which the network is secure enough to allow for the transmission of classified information in unencrypted format
Secure Sockets Layer (SSL)
A protocol that secures messages by operating between the Application layer (HTTP) and the Transport layer.
Proxy firewall
A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused.
Proxy
A proxy is any device that acts on behalf of other(s). All internal user interaction with the Internet should be controlled through a proxy server. Most proxies act as a forward proxy and are used to retrieve data on behalf of the clients they serve. transparency as "a proxy that does not modify the request or response "nontransparent proxy"—that is, one that "modifies the request or response in order to provide some added service
proxy firewall
A proxy server that also acts as a firewall, blocking network access from external networks.
PRNG
A pseudo-random number generator is an algorithm used to generate a number that is sufficiently random for cryptographic purposes.
A registration authority (RA)
A registration authority (RA) offloads some of the work from a CA.
RAT
A remote administration tool (RAT) is one that, as the name implies, allows a remote user to access the system for the purpose of administering it.
Replay
A replay attack is a kind of access or modification attack that has become quite common. They occur when information is captured over a network and then malevolently reused for a purpose other than intended. The attacker can capture the information and replay it later. If this type of attack is successful, the attacker in this example will have all of the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp. If the certificate has expired, it will be rejected and an entry should be made in a security log to notify system administrators.
active response
A response generated in real time.
Document Review
A review of recovery, operations, resumption plans, and procedures.
Rogue Access Point
A rogue access point occurs when someone puts up an unauthorized access point.
evil twin
A rogue wireless access point that mimics the SSID of a legitimate access point.
Safe
A safe provides a secure, physical location where items can be stored. Those items can include hard copies of your data, backup media, or almost anything else vital to your firm.
Wired Equivalent Privacy (WEP)
A security protocol for 802.11b (wireless) networks that attempts to establish the same security for them as would be present in a wired network.
Sensor
A sensor is the IDS component that collects data from the data source and passes it to the analyzer for analysis.
hot aisles
A server room aisle that removes hot air.
Internet Protocol Security (IPSec)
A set of protocols that enable encryption, authentication, and integrity over IP. IPSec is commonly used with virtual private networks (VPNs) and operates at Layer 3.
Shimming
A shim is a small library that is created to intercept API calls transparently and do one of three things: handle the operation itself, change the arguments passed, or redirect the request elsewhere. —to bypass a driver and perform a function other than the one for which the API was created.
Signature-Based Detection
A signature-based system, also commonly known as misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on attack signatures and audit trails. For example, a TCP flood attack begins with a large number of incomplete TCP sessions.
Single Point of Failure (SPOF)
A single weakness that is capable of bringing an entire system down
warm site
A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site.
shim
A small library that is created to intercept API calls transparently.
system image
A snapshot of what exists.
waterfall method
A software development method that uses very well-defined sequential phases.
macro virus
A software exploitation virus that works by using the macro feature included in many applications, such as Microsoft Office.
HSM (hardware security module)
A software or appliance stand-alone used to enhance security and commonly used with PKI systems.
Incorporating Standards
A standard deals with specific issues or aspects of a business. The following five points are the key aspects of standards documents: *Scope and Purpose *Roles and Responsibilities *Reference Documents *Performance Criteria
privacy
A state of security in which information isn't seen by unauthorized parties without the express permission of the party involved.
Risk avoidance
A strategy of dealing with risk in which it is decided that the best approach is to avoid the risk.
Risk Deterrence
A strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk.
Risk Mitigation
A strategy of dealing with risk in which it is decided that the best approach is to lessen the risk.
Risk transference
A strategy of dealing with risk in which it is decided that the best approach is to offload some of the risk through insurance, third-party contracts, and/or shared responsibility.
Risk Acceptance
A strategy of dealing with risk in which it is decided the best approach is simply to accept the consequences should the threat happen.
Business impact analysis (BIA)
A study of the possible impact if a disruption to a business's vital resources were to occur.
Security as a Service
A subscription-based business model intended to be more cost effective than smaller individuals/corporations could ever achieve on their own.
A substitution cipher
A substitution cipher is a type of coding or ciphering system that changes one character or symbol into another.
A multilayer switch
A switch can work at either Layer 2 (the data link layer) or Layer 3 (the network layer) of the OSI model. A multilayer switch is one that can operate at both Layer 2 and Layer 3 of the OSI model, which means that the multilayer device can operate as both a switch and a router.
Switch
A switch is a multiport device that improves network efficiency. A switch typically contains a small amount of information about systems in a network—a table of MAC addresses (Media Access Control, or unique physical addresses for each controller) as opposed to IP addresses.
Capture System Image
A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.
signature-based system
A system that acts based on the digital signature it sees and offers no repudiation to increase the integrity of a message.
intrusion prevention system (IPS)
A system that monitors the network for possible intrusions and logs that activity and then blocks the traffic that is suspected of being an attack.
intrusion detection system (IDS)
A system that monitors the network for possible intrusions and logs that activity.
rainbow table
A table of precomputed hashes used to guess passwords by searching for the hash of a password.
Access Control List (ACL)
A table or data file that specifies whether a user or group has access to a specific resource on a computer or network.
Tabletop Exercises
A tabletop exercise is a simulation of a disaster. It is a way to check to see if your plans are ready to go.
radio frequency identification (RFID)
A technology that incorporates the use of electromagnetic coupling in the radio frequency (RF) portion of the spectrum to identify items uniquely (object, animal, person, credit cards, door access tokens, antishoplifting devices, and so on).
malicious insider threat
A threat from someone inside the organization intent on doing harm.
Tokens
A token is some physical device that is used to gain access. Software-based security tokens are part of a two-factor authentication device. Software tokens are stored on the device and used to authenticate the user.
network scanner
A tool that enumerates your network and provides a map of the network.
Transposition Ciphers
A transposition cipher involves transposing or scrambling the letters in a certain manner.
denial-of-service (DoS)
A type of attack that prevents any users —even legitimate ones—from using a system.
incremental backup
A type of backup that includes only new files or files that have changed since the last full backup and then clears the archive bit upon completion.
differential backup
A type of backup that includes only new files or files that have changed since the last full backup. Differential backups differ from incremental backups in that they don't clear the archive bit upon their completion.
buffer overflow
A type of denial-of-service (DoS) attack that occurs when more data is put into a buffer than it can hold, thereby overflowing it (as the name implies).
proxy server
A type of server that makes a single Internet connection and services requests on behalf of many users.
proxy
A type of system that prevents direct communication between a client and a host by acting as an intermediary.
A variation is the reverse proxy
A variation is the reverse proxy, also known as a "surrogate." This is an internal-facing server used as a front-end to control (and protect) access to a server on a private network.
VDE
A virtual desktop environment (VDE) stores everything related to the user (wallpaper, folders, windows, and so on) remotely and client software locally simulates the user's desktop environment and capabilities while running them on the host.
Tunneling/VPN
A virtual private network (VPN) is a private network connection that occurs through a public network. VPN, the remote end appears to be connected to the network as if it were connected locally.
virtual private network (VPN)
A virtual private network (VPN) is a private network connection that occurs through a public network. VPNs can be used to connect LANs together across the Internet or other public networks (site-tosite) or be used on a much smaller scale to offer security to remote users (known as remote access or host-to-site). VPNs typically use a tunneling protocol, such as Layer 2 Tunneling Protocol, IPSec
multipartite virus
A virus that attacks a system in more than one way.
retrovirus
A virus that attacks or bypasses the antivirus software installed on a computer.
stealth virus
A virus that attempts to avoid detection by masking itself from applications.
companion virus
A virus that creates a new program that runs in the place of an expected program of the same name.
armored virus
A virus that is protected in a way that makes disassembling it difficult. The difficulty makes it "armored" against antivirus programs that have trouble getting to, and understanding, its code.
phage virus
A virus that modifies and alters other programs and databases.
Simulation
A walkthrough of recovery, operations, resumption plans, and procedures in a scripted "case study" or "scenario."
Warm Site
A warm site provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Another term for a warm site/reciprocal site is active/active model.
Web Application Firewall
A web application firewall (WAF) is a real-time appliance that applies a set of rules to block traffic to and from web servers and to try to prevent attacks. cross-site scripting (XSS), injection attacks (such as those using SQL), and forged HTTP requests. Operating at the highest level of the OSI model
Wi-Fi
A wireless network operating in the 2.4 GHz or 5 GHz range.
From the prompt, you can attempt a zone transfer: run: nslookup.exe type: ls -d domain_name <enter>
A zone transfer is when you attempt to get the DNS server to send you all of its zone information. A properly configured DNS server will refuse. It is a good idea to attempt this to verify whether or not your DNS server is secure.
Risk Calculations
ALE is the annual loss expectancy value. This is a monetary measure of how much loss you could expect in a year. SLE is another monetary value, and it represents how much you could expect to lose at any one time: the single loss expectancy. SLE can be divided into two components: AV (asset value): the value of the item EF (exposure factor): the percentage of it threatened ARO is the likelihood, often drawn from historical data, of an event occurring within a year: the annualized rate of occurrence.
ANT
ANT is a proprietary wireless network technology that provides low power modes, and it is used in Wi-Fi settings.
Acceptable Use Policies
Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.
Understanding Physical Security
Access control is a critical part of physical security, and it can help cut down the possibility of a social engineering or other type of attack from succeeding. Systems must operate in controlled environments in order to be secure. physical barrier is to prevent access to computers and network systems.
Logging
Access points typically offer logging that must be turned on and configured.
Access violations
Access violations occur when someone accesses or attempts to access, data that they should not be accessing. When an application running on a computer is able to access the memory of another application, this is also an access violation. When an application running on a computer is able to access the memory of another application, this is also an access violation.
Active scanners
Active scanners will interact directly with the target network.
Active-active configuration
Active-active configuration means that more than one load balancing server is working at all times to handle the load/requests as they come in.
Advanced Encryption Standard
Advanced Encryption Standard (AES) has replaced DES as the current standard it uses the Rijndael algorithm. It supports key sizes of 128, 192, and 256 bits, with 128 bits being the default.
Screen Lock
After a certain number of attempts, the user should not be allowed to attempt any additional logons; this is called lockout.
Step 5: Adjusting Procedures
After an incident has been successfully managed, it's a worthwhile step to revisit the procedures and policies in place in your organization to determine what changes, if any, need to be made. How did the policies work or not work in this situation? What did you learn about the situation that was new? What should you do differently next time?
Agile development
Agile development works in cycles, with each cycle producing specific deliverables.This process is repeated, each time getting closer to the final goal.
Acceptable use policy/rules of behavior
Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and Internet access.
All antennas are rated in terms of gain value, which is expressed in dBi numbers.
All antennas are rated in terms of gain value, which is expressed in dBi numbers.
Default Passwords
All systems come with a default login. This login must be changed immediately.
Amplification
Amplification attacks are usually employed as a part of a DDoS attack. The goal of the attacker is to get a response to their request in a greater than 1:1 ratio so that the additional bandwidth traffic works to congest and slow the responding server down. The ratio achieved is known as the amplification factor, and high numbers are possible with UDPbased protocols such as NTP, CharGen, and DNS.
Working with a Host-Based IDS
An HIDS examines the machine logs, system events, and applications interactions; it normally doesn't monitor incoming network traffic to the host. The first problem involves a compromise of the system. If the system is compromised, the log files to which the IDS reports may become corrupt or inaccurate. The second major problem with an HIDS is that it must be deployed on each system that needs it. This can create a headache for administrative and support staff.
Encapsulating Security Payload (ESP)
An IPSec header used to provide a mix of security services in IPv4 and IPv6. ESP can be used alone or in combination with the IP Authentication Header (AH).
Authentication Header (AH)
An IPSec header used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays.
SSID broadcast
An access point's broadcasting of the network name.
Activity
An activity is an element of a data source that is of interest to the operator. This could include a specific occurrence of a type of activity that is suspicious.
Administrative
An administrative control is one that comes down through policies, procedures, and guidelines.
Xmas attack
An advanced attack that tries to get around detection and send a packet with every single option enabled.
National Institute of Standards and Technology (NIST)
An agency (formerly known as the National Bureau of Standards [NBS]) that has been involved in developing and supporting standards for the U.S. government for over 100 years. NIST has become involved in cryptography standards, systems, and technology in a variety of areas. It's primarily concerned with governmental systems, where it exercises a great deal of influence.
Business partners agreement (BPA)
An agreement between partners in a business that outlines their responsibilities, obligations, and sharing of profits and losses.
reciprocal agreement
An agreement between two companies to provide services in the event of an emergency is called a reciprocal agreement. Usually, these agreements are made on a best-effort basis; there is no guarantee that services will be available if the site is needed. Make sure that your agreement is with an organization that is outside of your geographic area. If both sites are affected by the same disaster, the agreement is worthless.
Service Level Agreement (SLA)
An agreement that specifies performance requirements for a vendor. This agreement may use mean time before failure (MTBF) and mean time to repair (MTTR) as performance measures in the SLA.
Alarms
An alarm is used to draw attention to a breach, or suspected breach, when it occurs.
Alert
An alert is a message from the analyzer indicating that an event of interest has occurred.
UTM Security Appliances
An all-in-one appliance, also known as unified threat management (UTM) and next generation firewall (NGFW), Provides URL filtering, content inspection, or malware inspection. (intrusion prevention, antivirus, content filtering, and so forth) The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with, and (typically) reduced complexity. The disadvantages of combining everything into one include a potential single point of failure and dependence on the one vendor.
An alternative to this is active-passive
An alternative to this is active-passive in which case there is one primary server and the secondary one is in listening mode—able to activate and start splitting the load when needed if the first server becomes overwhelmed.
Anomaly Detection
An anomaly-detection (AD) system looks for anomalies, meaning it looks for things outside of the ordinary. Typically, a training program learns what the normal operation is and then spots deviations from it. behavior based
anomaly-detection IDS (AD-IDS)
An anomaly-detection intrusion detection system works by looking for deviations from a pattern of normal network traffic.
all-in-one appliance
An appliance that performs multiple functions.
network-based IDS (NIDS)
An approach to an intrusion detection system (IDS); it attaches the system to a point in the network where it can monitor and report on all network traffic.
evil twin
An attack in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information that users transmit.
disassociation
An attack in which the intruder sends a frame to the AP with a spoofed address to make it look like it came from the victim and disconnects them from the network.
DNS poisoning
An attack method in which a daemon caches DNS reply packets, which sometimes contain other information (data used to fill the packets). The extra data can be scanned for information useful in a break-in or man-in-the-middle attack.
zero-day exploit
An attack that begins the very day an exploit is discovered.
replay attack
An attack that captures portions of a session to play back later to convince a host that it is still talking to the original connection.
Address Resolution Protocol (ARP) poisoning
An attack that convinces the network that the attacker's MAC (Media Access Control) address is the one associated with an allowed address so that traffic is wrongly sent to attacker's address.
IV attack
An attack that involves looking at repeated results in order to crack the WEP secret key.
man-in-the-middle
An attack that occurs when someone/something that is trusted intercepts packets and retransmits them to another party. Man-in-the-middle attacks have also been called TCP/IP hijacking in the past.
social engineering
An attack that uses others by deceiving them. It does not directly target hardware or software, but instead it targets and manipulates people.
script kiddy
An attacker with very minimal skills.
spoofing
An attempt by someone or something to masquerade as someone/something else.
polymorphic
An attribute of some viruses that allows them to mutate and appear differently each time they crop up. The mutations make it harder for virus scanners to detect (and react) to the viruses.
Wi-Fi Protected Setup (WPS)
An authentication process that requires the user to do something in order to complete the enrollment process. Examples include pressing a button on the router within a short time period, entering a PIN, or bringing the new device close.
Kerberos
An authentication protocol developed at MIT that uses tickets for authentication.
Challenge Handshake Authentication Protocol (CHAP)
An authentication protocol that periodically reauthenticates.
bot
An automated software program (network robot) that collects information on the web. In its malicious form, a bot is a compromised computer being controlled remotely.
Faraday cage
An electrically conductive wire mesh or other conductor woven into a "cage" that surrounds a room and prevents electromagnetic signals from entering or leaving the room through the walls.
Embedded Systems Security
An embedded system is a computer system with a dedicated function within a larger mechanical or electrical system.
Risk analysis
An evaluation of each risk that can be identified. Each risk should be outlined, described, and evaluated on the likelihood of it occurring.
Risk assessment
An evaluation of the possibility of a threat or vulnerability existing. An assessment must be performed before any other actions—such as how much to spend on security in terms of dollars and manpower—can be decided.
Event
An event is an occurrence—or continuous occurrence—in a data source that indicates that a suspicious activity has occurred
false negative
An event that should be flagged but isn't.
evil twin attack
An evil twin attack is one in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information that users transmit.
An evil twin
An evil twin is a rogue access point that copies the SSID of a legitimate access point.
persistence
An example of persistence would be an employee having his or her laptop infected at a hotel while traveling for business and the company's network not being compromised until the employee is back in the office a week later and connected to the company's network.
tabletop exercise
An exercise that involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them.
Incident Response Procedures
An incident response plan, outlining action steps, or incident response procedures will define how an organization should respond to an incident. an incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information.
Incremental Backup
An incremental backup is a partial backup that stores only the information that has been changed since the last full or the last incremental backup. Incremental backups are usually the fastest backups to perform on most systems, and each incremental backup tape is relatively small.
alert
An indication that an unusual condition could exist and should be investigated.
Intrusion Detection Systems
An intrusion detection system (IDS) is software that runs either on individual workstations or on network devices to monitor and track network activity. IDSs can be configured to evaluate system logs, look at suspicious network activity,
host-based IDS (HIDS)
An intrusion detection system that is host based. An alternative is an intrusion detection system that is network based.
network intrusion prevention system (NIPS)
An intrusion prevention system that is network based.
An omnidirectional antenna
An omnidirectional antenna is designed to provide a 360-degree pattern and an even signal in all directions, so you usually want to locate the AP in the middle of the area to be covered.
Open Web Application Security Project (OWASP)
An online community that develops free articles, documentation, tools, and more on web application security.
backdoor
An opening left in a program application (usually by the developer) that allows additional access to data. Typically, a backdoor is created for debugging purposes and is not documented. Before the product ships, the backdoors are closed; when they aren't closed, security loopholes exist.
rogue access point
An unauthorized wireless access point on a network.
root of trust (RoT)
Another aspect of secure system design is the root of trust (RoT). A root of trust is a security process that has to begin with some unchangeable hardware identity often stored in a TPM.
Control Diversity
Another issue is the diversity of vendors and controls. What this means is that you do not address any particular security concern with a single control or a single vendor. You should not rely on a single control to address any security threat.
Another relatively new technology is system-on-a-chip (SoC).
Another relatively new technology is system-on-a-chip (SoC). These devices are completely self-contained systems on a single chip. Medical devices are also a growing concern. vehicles have sophisticated computers and even wireless capabilities. unmanned aerial vehicles (UAVs, or drones) Security cameras are another issue. Many such cameras are digital with wireless capabilities. surveil the victim. Security cannot simply be added as an afterthought.
wetware
Another term for social engineering.
Antenna placement
Antenna placement can be crucial in allowing clients to reach the access point.
Trojan horse
Any application that masquerades as one thing in order to get past scrutiny and then does something malicious. One of the major differences between Trojan horses and viruses is that Trojan horses tend not to replicate themselves.
hybrid cloud
Any cloud delivery model that combines two or more of the other delivery model types.
logic bomb
Any code that is hidden within an application and causes something unexpected to happen based on some criteria being met. For example, a programmer could create a program that always makes sure her name appears on the payroll roster; if it doesn't, then key files begin to be erased.
malicious code
Any code that is meant to do harm.
symmetric cipher
Any cryptographic algorithm that uses the same key to encrypt and decrypt. DES, AES, and Blowfish are examples.
Personally Identifiable Information (PII)
Any information that could identify a particular individual.
intrusion detection system (IDS)
Any set of tools that can identify an attack using defined rules or logic. An IDS can be network-based or host-based.
intrusion prevention system (IPS)
Any set of tools that identify and then actively respond to attacks based on defined rules. Like an IDS (which is the passive counterpart), an IPS can be network-based or host-based.
advanced persistent threats (APTs)
Any sophisticated series of related attacks taking place over an extended period of time.
zombie
Any system taking directions from a master control computer. Zombies are often used in distributed denial-of-service (DDoS) and botnet attacks.
data loss prevention (DLP)
Any systems that identify, monitor, and protect data to prevent it from unauthorized use, modification, destruction, egress, or exfiltration from a location.
data execution prevention (DEP)
Any technique that prevents a program from running without the user's approval.
attack
Any unauthorized intrusion into the normal operations of a computer or computer network. The attack can be carried out to gain access to the system or any of its resources.
rogue access points
Any wireless access point added to your network that has not been authorized is considered a rogue. open up the system for a man-in-the-middle attack or evil twin attack.
Application Control
Application control is primarily concerned with controlling what applications are installed on the mobile device.
Application-level proxy
Application-level proxy functions read the individual commands of the protocols that are being served. This type of server is advanced and must know the rules and capabilities of the protocol used. An implementation of this type of proxy must know the difference between GET and PUT operations, for example, and have rules specifying how to execute them.
Applications
Applications such as word processors, transaction systems, and other programs usually don't change on a frequent basis. Some commercial applications require that each copy of the software be registered with a centralized license server. This may present a problem if you attempt to use a centralized recovery procedure for applications. Each machine may require its own copy of the applications for a recovery to be successful.
Proxy Firewalls
Aproxy firewall can be thought of as an intermediary between your network and any other network. A proxy firewall typically uses two network interface cards (NICs). This type of firewall is referred to as a dual-homed firewall. One of the cards is connected to the outside network, and the other is connected to the internal network. The proxy software manages the connection between the two NICs. This setup segregates the two networks from each other and offers increased security. The proxy function can occur at either the application level or the circuit level.
Placing Security Devices Proxies
Are also most appropriate on the network perimeter. This is because they stand as intermediaries between internal and external traffic.
Interconnection Security Agreement (ISA)
As defined by NIST (in Publication 800-47), it is "an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations."
Clean Desk
As secure as data within a computer system may be, equally insecure are printed copies of the data resting in a pile on someone's desk.
Preventive
As the name implies, the purpose of preventive controls is to stop something from happening.
This growth is known as sprawl,
As they grow, so do the licenses, the users, the maintenance, and the overall administration. This growth is known as sprawl, and it can quickly catch an organization off-guard when the savings they thought they were getting suddenly leave them with a bigger job than they can manage. The best way to handle sprawl is to plan for it as you would anything else.
Working with Asymmetric Algorithms
Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. what one key does, the other one undoes.
Atbash Caesar cipher
Atbash is another ancient substitution cipher. A becomes Z, B becomes Y, C becomes X, and so forth.
bluesnarfing
Attack that involves getting data from a Bluetooth device.
password attacks
Attempting to ascertain a password that you should not know.
ABAC
Attribute-based access control (ABAC) is a relatively new method for access control. Essentially, the access control mechanism looks at subjects that are attempting to access a given object but considers all of the various attributes associated with the subject and object in making the access control decision.
Authentication Header (AH)
Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides the authentication and integrity checking for data packets, and ESP provides encryption services. IPsec operates at the network layer of the Open Systems Interconnection (OSI) IPSec can work in either Tunneling mode or Transport mode.
Authentication
Authentication is the process of verifying that the sender is who they say they are. verifying authenticity is the addition of a digital signature.
The Principles Behind Social Engineering
Authority Insensus Scarcintimidation Coty Familiarity Trust Urgency
The Principles Behind Social Engineering
Authority Intimidation Consensus Scarcity Familiarity Trust Urgency
Business Continuity Planning (BCP)
BCP is primarily a management tool that ensures that critical business functions can be performed when normal business operations are disrupted and alternate business practices must be employed. For each critical business task, there should be a minimum of one alternative business process identified during the crafting of a continuity plan. Those alternate business practices should be documented in such a way that someone unfamiliar with them could perform them with minimal training.
business impact analysis (BIA)
BIA is concerned with evaluating the processes
BIOS or UEFI must be secured.
BIOS (basic input/output system) was the older method for handling bootup information for a computer. UEFI (Unified Extensible Firmware Interface) is the more modern technique.
BYOD Issues
BYOD (Bring Your Own Device) refers to employees bringing their personal devices into the corporate network environment. substantial security risks. The first risk involves those devices connecting to the company network. any virus, spyware, or other malware that may have infected their phone can spread to the company network. second Wi-Fi network Another risk involves compromising confidential data. That policy could be as simple as all employees agreeing that if they bring a mobile device onto company property, it is subject to random search. Data ownership becomes an issue with BYOD. If the device is personally owned but used for company business, who owns the data on the device? Patch management is closely related to support ownership. Antivirus
Application Configuration Baselining
Baselining always involves comparing performance to a metric.
User Privileges
Be cognizant of the fact that you won't have the same control over user accounts in the cloud as you do locally.
Wireless Commonsense
Be sure to change the default password settings on all wireless devices. Never assume that a wireless connection is secure. configuring WPA2
IDSs use four primary approaches:
Behavior-Based Detection Signature-Based Detection Anomaly Detection Heuristic
BitLocker
BitLocker is a full disk encryption feature that can encrypt an entire volume with 128-bit encryption. When the entire volume is encrypted, the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer's security. Full disk encryption is sometimes referred to as hard drive encryption.
salt
Bits added to a hash to make it resistant to rainbow table attacks.
The three types of testing are described here:
Black Box White Box Gray Box
Bluesnarfing
Bluesnarfing is the gaining of unauthorized access through a Bluetooth connection. the attacker can copy data in the same way that they could with any other type of unauthorized access.
Bluejacking
Bluetooth technology is often used for creating personal area networks (PANs or WPANs), factorydefault PIN that you will want to change Bluejacking is the sending of unsolicited messages (think spam) over a Bluetooth connection. While annoying, it is basically considered harmless.
Bridge
Bridges are used to divide larger networks into smaller sections by sitting between two physical network segments and managing the flow of data between the two
Cryptanalysis Methods
Brute Force Frequency Analysis Known Plain Text Chosen Plain Text Related Key Attack Birthday Attack
Buffer Overflow
Buffer overflows occur when an application receives more data than it's programmed to accept.
Data Destruction and Media Sanitation
Burning Shredding Pulping Pulverizing Degaussing Purging Wiping
Issues Associated with Business Continuity
Business Continuity Planning (BCP) Critical Business Functions (CBFs)
Undertaking Business Impact Analysis
Business impact analysis (BIA) is the process of evaluating all of the critical systems (important to core business functions) in an organization to define impact and recovery plans. Analysis focuses on the impact a loss would have on the organization.
domain admin account
But domain admin accounts provide the user with complete and total control of your network.
privileged account.
By definition, any account that has significant rights on the network is a privileged account.
By jailbreaking the phone
By jailbreaking the phone, the user takes administrative/root control. This allows the user to install any application they wish, thus circumventing the security controls of the iTunes store. Jailbreaking should be strictly forbidden for any device that will connect to your network.
Storage Segmentation
By segmenting a mobile device's storage, you can keep work data separate from personal or operating system data. containerization. Data is contained within specific portions of the device.
CAST
CAST uses a 40-bit to 128-bit key Two additional versions, CAST-128 and CAST-256, also exist.
PTZ
Cameras that can pan, tilt, and zoom.
Capture Video
Capture any relevant video that you can.
Personal Identity Verification (PIV)
Card required of federal employees and contractors to gain access (physical and logical) to government resources.
Certificate Concepts
Certificate chaining refers to the fact that certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA's certificate. self-signed certificate. it won't be trusted by browsers. It will instead generate a certificate error message.
Chapter 10 Social Engineering and Other Foes
Chapter 10 Social Engineering and Other Foes
Chapter 11 Security Administration
Chapter 11 Security Administration
Chapter 12 Disaster Recovery and Incident Response
Chapter 12 Disaster Recovery and Incident Response
Chapter 4 Identity and Access Management
Chapter 4 Identity and Access Management
Chapter 5 Wireless Network Threats
Chapter 5 Wireless Network Threats
Chapter 6 Securing the Cloud
Chapter 6 Securing the Cloud
Chapter 7 Host, Data, and Application Security
Chapter 7 Host, Data, and Application Security
Chapter 8 Cryptography
Chapter 8 Cryptography
Rail Fence Cipher
Ciphers that write message letters out diagonally over a number of rows then read off cipher row by row.
Clickjacking
Clickjacking involves an attacker using multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they were intending to click on the top-level page. In this way, the attacker is "hijacking" clicks meant for one page and routing them to another page associated with another application, domain, or both.
community cloud
Cloud delivery model in which the infrastructure is shared by organizations with something in common.
Code Issues
Code reuse is quite common, but it can lead to security vulnerabilities. In many cases, this can be old code that is no longer used (dead code) Code reuse is related to the use of third-party libraries or software development kits (SDKs).
vishing
Combining phishing with Voice over IP (VoIP).
Common Access Card
Common access card (CAC). These cards are issued by the Department of Defense (DoD) as a general identification/authentication card for military personnel, contractors, and non-DoD employees.
Compensating
Compensating controls are backup controls that come into play only when other controls have failed.
Confidentiality and Strength
Confidentiality may be intended to prevent the unauthorized disclosure of information in a local network or to prevent the unauthorized disclosure of information across a network. A cryptographic system must do this effectively in order to be of value.
Context-Aware Authentication
Context-aware authentication takes into account the context in which the authentication attempt is being made.
Burning
Controlled incineration, or burning, is a good method for destroying hard copies of data (paper) and some media
physical controls
Controls and countermeasures of a tangible nature intended to minimize intrusions.
preventive controls
Controls intended to prevent attacks or intrusions.
detective control
Controls that are intended to identify and characterize an incident in progress (for example, sounding the alarm and alerting the administrator).
technical controls
Controls that rely on technology.
Scarcity
Convincing the person who is being tricked that there is a limited supply of something can often be effective if carefully done. convincing them that there are only 100 vacation requests that will be honored for the entire year and that they need to go to a fictitious website
Corrective
Corrective controls are, as the name implies, those intended to correct a situation: to prevent the recurrence of errors. quality circle teams
baselining
Creating a fundamental, or baseline, security level.
prototyping
Creating a version of an application that has only the bare minimum functionality so that it can be evaluated before further development.
typo squatting
Creating domains that are based on the misspelling of another.
Critical Business Functions (CBFs)
Critical business functions refer to those processes or systems that must be made operational immediately when an outage occurs.
asymmetric cipher
Cryptographic algorithms that use two different keys—one key to encrypt and another to decrypt. Also called public key cryptography.
Certificate Formats
DER CER CRT PEM PFX DER The DER extension is used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension. (Base64) armored data prefixed with a -- BEGIN ... line. CER This is an alternate form of .crt
DNS Poisoning
DNS poisoning, the DNS server is given information about a name server that it thinks is legitimate when it isn't. This can send users to a website other than the one to which they wanted to go,
DLP
Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed.
Device Encryption
Data should be encrypted on the device so that if it does fall into the wrong hands,
Big Data
Data that is larger than what can be handled with traditional tools and algorithms.
NoSQL database
Datastores that do not use a relational structure.
Memorandum of understanding (MOU) and memorandum of agreement (MOA)
Define the terms and conditions for securely sharing data and information resources. It is important that it identify the purpose for the interconnection's existence.
Denial-of-service (DoS)
Denial-of-service (DoS) attacks prevent access to resources by users authorized to use those resources.
Regulatory Compliance
Depending on the type and size of your organization, there are any number of regulatory agencies' rules with which you must comply. Make sure that whoever hosts your data takes privacy and security as seriously as you do.
Various Control Types
Deterrent Preventive Detective Corrective Compensating Technical Administrative Physical
Internet of Things (IoT)
Devices that interact on the Internet, without human intervention.
How Many Disks Does RAID Need? Scenario 1 Your company has standardized on 5 TB disks. A new server will go online next month to hold the data files for a new division. The server will be disk-duplexed and needs to be able to store 8 TB of data. How many drives should you order?
Disk duplexing is the same as disk mirroring except that there is also a second controller. Fifty percent of the overall storage capacity must be used for RAID, so you must purchase four 5 TB drives. This will give you excess data capacity of 2 TB.
load balancing
Dividing a load for greater efficiency of management among multiple devices.
Step 4: Documenting and Reporting the Response
During the entire process of responding to an incident, you should document the steps you take to identify, detect, and repair the system or network.
EAP - FAST or Flexible Authentication via Secure Tunneling
EAP-FAST establishes a TLS tunnel for authentication, but it does so using a Protected Access Credential (PAC). EAP-TTLS (Tunneled Transport Layer Security) This protocol extends TLS. EAP is also used with 802.1.x. 802.1x is the IEEE standard for portbased network access control. It can be used on a LAN or a WLAN. 802.1x allows you to secure a port so that only authenticated users can connect to it. Radius Federation is a federation that is using RADIUS to authenticate between the various entities within the federation. Radius is Remote Authentication Dial In User Service.
Network segmentation VLAN
Each of these zones would have different technical needs. You can separate them by routers/switches or by using virtual local area networks (VLANs). is created when you configure a set of ports on a switch to behave like a separate network. You have essentially segmented your network by creating a logical subnetwork segment.
permission issues
Each user or service is provided only with sufficient permissions to do their job. Any permission beyond that is a permission issue that could lead to an access violation. Each user or service is provided only with sufficient permissions to do their job. Any permission beyond that is a permission issue that could lead to an access violation. compare each user's permissions to the requirements of their job.
Wi-Fi
Early Standards 802.11a was the first wireless standard. 5-GHz frequency and has a maximum data rate of 54 Mbps. The IEEE 802.11g standard operates in the frequency range of 2.4 GHz. 802.11g standard is 54 Mbps.
Elasticity
Elasticity is a major feature of cloud computing, meaning the ability to scale up resources as needed.
EMI Shielding
Electromagnetic interference (EMI) and radio frequency interference (RFI) are two additional environmental considerations. Motors, lights, and other types of electromechanical objects cause EMI, which can cause circuit overload, spikes, or electrical component failure.
Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) provides similar functionality to RSA but uses smaller key sizes to obtain the same level of security. You can expect that ECC will be commonly implemented in mobile devices in the near future.
virtualization
Emulating one or more physical computers on the same host.
Least Privileges
Ensure that once a user is authenticated, he or she is only given just enough privileges to do their job.
Environmental Monitoring
Environmental concerns include considerations about water and flood damage as well as fire suppression. Environmental systems should be monitored to prevent the computer center's humidity level from dropping below 50 percent. Electrostatic damage is likely to occur when humidity levels get too low.
key principles is called Kerckhoffs'
Essentially, Kerckhoffs' principle states that the security of an algorithm should depend only on the secrecy of the key and not on the secrecy of the algorithm itself.
What Cryptography Should You Use?
Essentially, Kerckhoffs' principle states that the security of an algorithm should depend only on the secrecy of the key and not on the secrecy of the algorithm itself. secret algorithms have not been properly vetted. examine the algorithm for flaws.
secure baseline
Establishing a secure baseline is an important concept in secure networking. Essentially, this is a process whereby you find a baseline for any system, application, or service that is considered secure. Certainly, absolute security is not possible—the goal is "secure enough," based on your organization's security needs and risk appetite. By establishing a secure baseline, any change can be compared to that baseline to see if the change is secure enough
Authentication Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is a framework frequently used in wireless networks and point-to-point connections.
Fault Tolerance
Fault tolerance is the ability of a system to sustain operations in the event of a component failure. This capability involves over-engineering systems by adding redundant components and subsystems.
Other Systems
File integrity checking systems are very common.
Fire Extinguishers
Fire extinguishers are portable systems. A, B, C, and D.
Firewalls
Firewalls are one of the first lines of defense in a network. The basic purpose of a firewall is to isolate one network from another.
Firewalls
Firewalls are one of the first lines of defense in a network. The basic purpose of a firewall is to isolate one network from another. Firewalls can work at many levels and, as such, be application-based or network-based. Most are configured as network based and work with access control lists (ACLs) to determine what is allowed in. All should operate on the principle of implicit deny
Fixed Systems
Fixed systems are usually part of the building systems. Water systems work with overhead nozzles. These systems are the most common method in modern buildings. Water systems are reliable and relatively inexpensive, and they require little maintenance. extreme damage to energized electrical equipment such as computers. These systems can be tied into relays that terminate power to computer systems before they release water into the building. Gas-based systems were originally designed to use carbon dioxide and later halon gas. FM200 The major drawback of gas-based systems is that they require sealed environments to operate.
tailgating
Following someone through an entry point.
The first is encryption.
For all data in transit, you should at least consider encrypting that data; this is particularly true for web applications.
Secure Staging Deployment Concepts
For applications, the first stage is the *development environment. This is where the application is developed. With proper testing, security flaws can be found while the application is in the development environment. *test environment, The more closely the test environment mimics the real environment, *Next is staging. Normally, any new addition to a network is deployed in stages, not simply put out to the entire network. This is particularly important with applications or even patches for existing applications and operating systems.
Intrusion detection systems
For intrusion detection systems, there must be collectors or sensors in every network segment. Without them, the IDS/IPS will be blind to activity in that segment.
steganography
For now, you need to understand that it is a process whereby you can hide data in files.
Wireless Scanners and Crackers
For this reason, scanning the wireless network, and even testing its security by attempting to crack it, is an important activity for any network administrator.
Understanding Incident Response
Forensics refers to the process of identifying what has occurred on a system by examining the data trail, Incident response encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
Frequency Analysis
Frequency analysis involves looking at the blocks of an encrypted message to determine if any common patterns exist.
Secure Systems Design Hardware and Firmware Security
Full disk encryption (FDE) is encrypting the entire disk, rather than a specific file or folder. This is recommended for full security of the system. Windows, beginning with Windows 7, offers BitLocker
Software Testing
Fuzzing dynamic testing static testing Stress testing Unit Testing Integration Testing System Testing User Acceptance Testing Regression Testing
Fuzzing
Fuzzing is the technique of providing unexpected values as input to an application in order to make it crash.
GOST
GOST is a symmetric cipher output of 256 bits.
compensating controls
Gap controls that fill in the coverage between other types of vulnerability mitigation techniques (where there are holes in coverage, we compensate for them).
compensating controls
Gap controls that fill in the coverage between other types of vulnerability mitigation techniques. (Where there are holes in coverage, we compensate for them.)
Geofencing
Geofencing relies on GPS tracking, but it goes a step further. With geofencing, the device will only function if it is within certain geographical locations.
data disposal
Getting rid of/destroying media no longer needed.
Background Checks
Given the need to protect data, one of the best ways to do so is to make sure those who are given access to it can be trusted.
GSM
Global system for mobile communications. This is commonly known as 2G.
Bots
Google uses the Googlebot to find web pages and bring back values for the index.) Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder.
VM sprawl
Growth that occurs on a large number of virtual machines and requires resources—usually administration related— to keep up with.
Standards and Technology (NIST) Guide for Conducting Risk Assessments
Guide for Conducting Risk Assessments, Publication 800-30. Revision 1
It's important that an incident response plan establish at least the following items:
Guidelines for documenting the incident type and defining its category. This includes list(s) of information that should be collected about an incident and the procedures to gather and secure evidence. Resources used to deal with an incident. Defined roles and responsibilities for those who are involved in the investigation and response. This should identify members of the cyber-incident response team(s). Reporting requirements and escalation procedures including a list of outside agencies that should be contacted or notified and outside experts who can be used to address issues if needed.
Following Guidelines
Guidelines help an organization implement or maintain standards by providing information on how to accomplish the policies and maintain the standards. Provide a step-by-step process to accomplish a task.
HSM (hardware security module)
HSM (hardware security module) is a cryptoprocessor that can be used to enhance security. HSM is commonly used with PKI systems to augment security with certification authorities (CAs). HSMs are traditionally packaged as PCI adapters.
HSM (hardware security module)
HSM (hardware security module) is also a cryptoprocessor that can be used to enhance security. HSM is commonly used with PKI systems to augment security with CAs. As opposed to being mounted on the motherboard like TPMs, HSMs are traditionally PCI adapters.
Environmental Controls
HVAC Hot and Cold Aisles
Hacktivist
Hacktivists use hacking techniques to accomplish some activist goal. the skill levels of hacktivists vary widely. Many are working alone and have very limited resources. Hacktivists tend to be external attackers
Onboarding
His or her account should then be set up with least privileges.
Patch Management
Home users are usually advised to have automatic updates turned on. However, this is not recommended for large organizations—at least not for sensitive systems. 1. Read the description of the patch in question. Is this simply an update to functionality, or is it a vital security patch? Depending on the nature of the patch, you will decide when to schedule deployment. 2. Deploy the patch on a test system that is identical to the systems to which you intend to roll it out. This should let you quickly detect any serious or obvious issues. 3. If the patch passes the initial test, then roll it out to a small number of live systems. Wait some appropriate period of time and then continue the rollout in stages. What is an appropriate wait time will depend on the nature of the patch. Critical security patches should be deployed with as much haste as you can while still testing the patch. Capability upgrades can be slowly rolled out over a period of time. Documentation is also an important aspect of patch management. You need to document all patch deployment decisions, the rationale for such decisions, and any issues encountered. Good documentation will help smooth out future patch management issues.
Operating System Patch Management
Hotfix Patch Service Pack
Calculating a Timeframe for Critical Systems Loss
How long can the organization survive without a critical function? Some functions in an organization don't require immediate action whereas others do.
Exploiting Human Error
Human error is one of the major causes of encryption vulnerabilities. If an email is sent using an encryption scheme, someone else may send it in the clear (unencrypted). Another error is to use weak or deprecated algorithms. Over time, some algorithms are no longer considered appropriate.
Notification
IDS/IPS manager makes the operator aware of an alert.
IV (initialization vector)
IV (initialization vector) attacks are made possible due to weaknesses in Wired Equivalent Privacy (WEP), a wireless protocol designed to provide a privacy equivalent to that of a wired network.
Prioritizing Critical Business Functions
Identification of critical systems, and you should be clear about which applications or systems have priority based on the resources available.
watering hole attack
Identifying a site that is visited by those that they are targeting, poisoning that site, and then waiting for the results.
watering hole attack
Identifying a site that is visited by those whom they are targeting, poisoning that site, and then waiting for the results.
vulnerability scanning
Identifying specific vulnerabilities in your network.
Network Configuration Changes
If a certain IP address is found to be causing repeated attacks on the network, the IPS can instruct a border router or firewall to reject any requests or traffic from that address. effect permanently or for a specified period.
Terminating Processes or Sessions
If a flood attack is detected, the IPS can cause the subsystem, such as TCP, to force resets to all of the sessions that are under way.
Authority
If it is possible to convince the person you are attempting to trick that you are in a position of authority
chain of trust
If system A trusts system B, which in turn trusts system C, then the integrity testing should be in reverse order.
permanent
If that agent is always on that device, then it is said to be permanent
dissolvable
If that agent is installed only for that session, then it is said to be dissolvable
Adware
If the primary purpose of the malware application is to deliver ads, then it is classified as adware.
Other Methods
If the user selected a weak password, then it could be vulnerable to a dictionary attack. A dictionary attack involves attempting common words (such as words in a dictionary) that might be used as a password, hoping one will work.
snapshot
Image of a virtual machine at a moment in time.
Tunneling mode
In Tunneling mode, the data or payload and message headers are encrypted.
Discretionary Access Control
In a discretionary access control (DAC) model, network users have some flexibility regarding how information is accessed. This model allows users to share information dynamically with other users.
One-Tier Model
In a one-tier model, or single-tier environment, the database and the application exist on a single system.
Two-Tier Model
In a two-tier model, the client workstation or system runs an application that communicates with the database that is running on a different server.
VDI/VDE
In a virtual desktop environment (VDE), the user's session is run remotely. While it looks as if the resources like the folders, windows, wallpaper, and so on, exist locally, in reality they are all stored and running on a remote server. VDE is, essentially, the generic term for desktop virtualization.
intrusive versus nonintrusive.
In addition to classifying a penetration test based on the amount of information given to the tester, it is also possible to classify the test as intrusive versus nonintrusive.
latency
In cryptography, latency refers to the difference between the time you input plain text and the time get out cipher text.
enterprise mode.
In enterprise mode, a server handles distribution of cryptographic keys and/or digital certificates.
In general, there is little that you can do to prevent DoS or DDoS attacks. Many operating systems are particularly susceptible to these types of attacks. Fortunately, most operating system manufacturers have implemented updates to minimize their effects. Make sure that your operating system and the applications you use are up-to-date.
In general, there is little that you can do to prevent DoS or DDoS attacks. Many operating systems are particularly susceptible to these types of attacks. Fortunately, most operating system manufacturers have implemented updates to minimize their effects. Make sure that your operating system and the applications you use are up-to-date.
Cameras
In high-security and military environments, an armed guard as well as security cameras or video surveillance would be placed at the mantrap.
forensics
In terms of security, the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.
Key Exchange
In-band key Outof-band key exchange
In-band key
In-band key exchange essentially means that the key is exchanged within the same communications channel that is going to be encrypted.
Step 1: Identifying the Incident
Incident identification is the first step in determining what has occurred in your organization. Many IDSs trigger false positives when reporting incidents. False positives are events that aren't really incidents. Remember that an IDS is based on established rules of acceptance (deviations from which are known as anomalies) and attack signatures. first responders are those individuals who must ascertain whether it truly is an incident or a false alarm. The very first step, even with a suspected incident, is isolation. Literally disconnect them from the network while you analyze the situation. unplugging the network cable. A single spokesperson needs to be designated. Remember, what one person knows runs a risk of one hundred others also finding out.
Big Data
Increasingly, organizations have to store extremely large amounts of data, often many terabytes. Once you have a secure database configuration, the next issue is how SQL queries are executed. This is normally accomplished with stored procedures. Stored procedures are commonly used in many database management systems to contain SQL statements. it is particularly useful for legacy applications that might require an outdated version of an operating system.
personally identifiable information (PII)
Information that can be uniquely used to identify, contact, or locate a single person. Examples include Social Security number, driver's license number, fingerprints, and handwriting.
restricted information
Information that isn't made available to all and to which access is granted based on some criteria.
Infrared
Infrared was one of the early attempts to create wireless communications This means that if anything stood between the sender and the receiver, the transmission was blocked. This proved to be a fatal flaw of infrared technology.
stateful inspection
Inspections that occur at all levels of the network and provide additional security using a state table that tracks every communications channel.
Jamming
Interference can be unintentional (caused by other devices in the vicinity, for example) or intentional. When it is intentional, then it is referred to as jamming, as the intent is to jam the signal and keep the legitimate device from communicating. can be thought of as a type of denial-of-service (DoS) attack low-powered jammers, some of which hide by sending out signals and then stopping, hiding for a while, and then sending out signals again.
Intrusive tests
Intrusive tests involve actually trying to break into the network.
Network segmentation
Involves dividing your network into zones based on security needs.
bluejacking
Involves sending unsolicited messages to Bluetooth devices when they are in range.
A VPN concentrator
Is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security. VPN concentrators are used at the networks gateway to connect VPN sites between the outside world and the inside world.
Secure boot
Is a process whereby the BIOS or UEFI makes a cryptographic hash of the operating system boot loader and any boot drivers and compares that against a stored hash. This is done to prevent rootkits and boot sector viruses. The stored hash is often protected or encrypted by a TPM. Another option is to store the hash in some secure server remote from the computer being protected. This leads to remote attestation.
A honeynet
Is the next logical extension of a honeypot. In this case, there is a fake network segment that appears to be a very enticing target. Some organizations set up fake wireless access points for just this purpose.
Application blacklisting
Is the process of listing banned applications.
sandboxing
Isolating applications to keep users of them from venturing to other data.
Password Cracker
It is a reasonable assumption that an attacker will attempt to crack passwords on your network. With this fact in mind, it is also reasonable that you should attempt to use password crackers on your network.
Adverse Actions
It is a sad but true condition in the workplace that administrative (usually adverse) actions must be taken against employees. The more detailed the policy, the less opportunity there is for something important to fall through the cracks and put all of your valuable data at risk.
Vulnerability Scanners
It is important that you scan your network for vulnerabilities. The goal is to find and correct vulnerabilities before an attacker finds them. Vulnerability scanners can be classified as active or passive
Take Hashes
It is important to collect as much data as possible to be able to illustrate the situation, and hashes must not be left out of the equation.
Talk to Witnesses
It is important to talk to as many witnesses as possible to learn exactly what happened and to do so as soon as possible after the incident.
confusion.
It is instead the concept that the relationship between the plain text, cipher text, and key are very difficult to see.
Personnel Issues
It is often said in cybersecurity that the greatest threat is the insider. Unfortunately, this is true.
Privilege Audits
It is possible that a given user has privileges that they no longer need. A privilege audit is meant to detect any situation where an account has more privileges than is required for his or her job tasks.
Record Time Offset
It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well.
Stealth Virus
It may attach itself to the boot sector of the hard drive. the stealth virus redirects commands around itself in order to avoid detection.
WPA2
It provides the Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP) that delivers data confidentiality, data origin authentication, and data integrity for wireless frames.
GOST
It uses a 64bit block and a key of 256 bits.
tracert
It will tell you the entire path to a given address.
nslookup/dig
It will start by verifying that the machine can connect to the DNS server. Then, however, it also opens a command prompt wherein you can enter DNS-related commands.
Infrared Detection
Just as motion detectors work by identifying changes in motion, infrared detectors work by detecting changes in infrared radiation— traditionally thermal heat.
Data Integration/Segregation
Just as web-hosting companies usually put more than one company's website on a server in order to be profitable, data-hosting companies can put more than one company's data on a server. To keep this from being problematic, you should use encryption to protect your data.
Capture Screenshots
Just like video, capture all relevant screenshots for later analysis.
Kerberos
Kerberos authentication uses a key distribution center (KDC) to orchestrate the process. The KDC authenticates the principal (which can be a user, program, or system) and provides it with a ticket. When using Kerberos, the user authenticates to the KDC and is given a ticket granting ticket (TGT). This ticket is encrypted and has a time limit of up to 10 hours. the user's computer presents the KDC with the TGT; the TGT then sends that user's computer a service ticket, granting the user access to that service. Service tickets are usually only good for up to 5 minutes
Key Features
Key escrow A key recovery agent is an entity that has the ability to recover a key, key components, or plain-text messages as needed. Key registration is the process of providing certificates to users, and a registration authority (RA) typically handles this function when the load must be lifted from a CA.
Key Stretching
Key stretching refers to processes used to take a key that might be a bit weak and make it stronger, usually by making it longer. less susceptible to brute-force attacks.
WPS
Known as WiFi Protected Setup (WPS), this often requires the user to do something in order to complete the enrollment process: press a button on the router within a short time period, enter a PIN, or bring the new device close by (so that near field communication can take place). WPS attacks, brute-force attacks used to guess the user's PIN. disable WPS in devices that allow it
LDAP Injection
LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. user's input is not properly filtered
LEAP Lightweight Extensible Authentication protocol
LEAP Lightweight Extensible Authentication protocol LEAP is supported by many Microsoft operating systems LEAP uses a modified version of MS-CHAP.
Strong Authentication
Later in this chapter, we will be discussing different types of authentication. Make sure that you are using twofactor authentication whenever possible.
Continuing Education
Lifelong learning is a necessity in the workplace of today.
Lighting
Lighting can play an important role in the security of any facility. Poor lighting can lead to a variety of unwanted situations: someone sneaking in a door that is not well lit, an individual passing a checkpoint and being mistaken for another person, or a biometric reading failure. Lighting can also serve as a deterrent. Bright lighting in a parking lot, access way, or storage area, for example, can help reduce the risk of theft.
LDAP
Lightweight Directory Access Protocol (LDAP) is a standardized directory access protocol that allows queries to be made of directories
Risk Measurements
Likelihood-> The meaning of the word likelihood is usually selfexplanatory; however, actual values can be assigned to likelihood.
Load Balancer
Load balancing refers to shifting a load from one device to another. Scheduling is a key issue with load balancing: determining how to split up the work and distribute it across servers.
Logs
Log files record events
Passive Response
Logging Notification Shunning
Logging
Logging involves recording that an event has occurred and under what circumstances.
Logic Bomb
Logic bombs are programs or code snippets that execute when a certain predefined event occurs.
Document Network Traffic and Logs
Look at network traffic and logs to see what information you can find there.
dumpster diving
Looking through trash for clues—often in the form of paper scraps—to find users' passwords and other pertinent information.
Loops
Loops can occur when more than one bridge or switch is implemented on the network. In this scenario, the devices can confuse each other by leading one another to believe that a host is located on a certain segment when it is not. To combat the loop problem, technologies such as the Spanning Tree Protocol (STP) enable bridge/switch interfaces to be assigned a value that is then used to control the learning process and prevent loops. Since switches can be subject to DoS attacks, flood guards are used to look for and prevent malicious traffic from bringing the switch to a halt. Switch ports can represent quite a weakness and port security is crucial.
Message Digest Algorithm
MD5, MD4, and MD2. MD5 is the newest version of the algorithm. It produces a 128-bit hash
File and Database Security
Maintaining security of your network will necessitate maintaining security of your most sensitive data. that is, the principle of least privileges.
Track Man-Hours and Expenses
Make no mistake about it; an investigation is expensive. justify them if necessary to superiors, a court, or insurance agents.
IP spoofing
Making the data look as if it came from a trusted host when it didn't (thus spoofing the IP address of the sending host).
Man-in-the-Middle Attacks
Man-in-the-middle attacks clandestinely place something (such as a piece of software or a rouge router) between a server and the user about which neither the server's administrators nor the user is aware. intercepts data and then sends the information to the server as if nothing is wrong.
Mandatory Access Control
Mandatory access control (MAC) is a relatively inflexible method for how information access is permitted. In a MAC environment, all access capabilities are predefined. it is also considered the most secure security model.
Extranet and Intranet
Many organizations utilize websites that are only accessible within the organization's network. These are referred to as intranets. An intranet is only accessible to internal employees, and it is already protected by the company's firewalls, antimalware, and other security measures.
Remote Wipe/Sanitation
Many programs, such as Microsoft Exchange Server 2016 or Google Apps, allow you to send a command to a phone that will remotely clear the data on that phone. This process is known as a remote wipe,
Memory Vulnerabilities
Memory leaks are usually caused by failure to deallocate memory that has been allocated. This is a variable that, rather than store data, points to the memory address of another variable. This can lead to the problem of pointer dereferencing.
attack surface reduction (ASR)
Minimizing the possibility of exploitation by reducing the amount of code and limiting potential damage.
ARP spoofing
More commonly known as ARP poisoning, this involves the MAC (Media Access Control) address of the data being faked.
Filtering
Most access points offer some level of filtering. It should be turned on and configured.
Memorandum of understanding (MOU)/Memorandum of agreement (MOA)
Most commonly known as an MOU rather than MOA, this is a document between two or more parties defining their respective responsibilities in accomplishing a particular goal or mission, such as securing a system.
Database Systems
Most modern database systems provide the ability to back up data or certain sections of the database globally without difficulty. Larger-scale database systems also provide transaction auditing and data-recovery capabilities.
Master Image
Most newer operating systems allow you to create a model user system as a disk image on a server; the disk image is downloaded and installed when a failure occurs.
Antivirus Software
Most viruses have characteristics that are common to families of virus. Your antivirus software manufacturer will usually work very hard to keep the definition database files current.
cloud bursting
Moving the execution of an application to the cloud on an as-needed basis.
NFC and RFID
Near field communication (NFC) is a technology that requires a user to bring the client close to the AP in order to verify—often through radio frequency identification (RFID) or Wi-Fi—that the device is present. 4cm (1.6 inches) as the distance. RFID is widely used for identification, authentication, and tracking applications.
Nessus
Nessus is the most widely used vulnerability scanner. It is a commercial tool that has tens of thousands of documented vulnerabilities in its library.
This usually means websites that provide information.
Netcraft.com This provides information about websites including what operating system they are running. Shodan.io This site is a vulnerability search engine. You can search your own network's domain name for vulnerabilities. isc.sans.edu This is the SANS Institute cyber storm center, and it will provide information on current cyber threats.
Network aggregation switches
Network aggregation switches are another device for which there is no definitive placement advice. Such switches aggregate multiple streams of bandwidth into one.
Failure to Patch
Network items such as firewalls, access points, switches, and routers all have operating systems that must be patched, just as you patch your computers.
After-Action Reports
Never, after recovery from any disaster/incident, fail to have the recovery team meet for an afteraction review.
Nonrepudiation
Nonrepudiation prevents one party from denying actions that they carried out.
Role-Based Awareness Training
Not all employees are equal, and that is especially truly when it comes to data access.
Device Access Control
Not every employee should have one.
Notification
Notification communicates event-related information to the appropriate personnel when an event has occurred.
Honeypot
Nova Network Security Honeynet Project Web Application Security Project
Nova Network Security
Nova sells a product that is both an intrusion detection system and a honeypot: www.novanetworksecurity.com/.
Object identifiers
Object identifiers, or OIDs, are used in X.509 certificate extensions (and are thus optional). These are values that help identify objects. They are dot separated numbers usually. For example, OID 2.5.4.6 might correspond to the country-name value.
Benchmarks/Secure Configuration Guides Operating System
Obviously, the operating system running on your computer(s) must be securely configured.
Offboarding
Offboarding is a bit simpler. When someone leaves the company, for any reason, that user's accounts must all be immediately suspended. It is important to disable them for a period of time before deleting them. time-of-day restrictions
IPSec
Offers higher security, and it's becoming the encryption system used in many secure VPN environments.
Offsite Storage
Offsite storage refers to a location away from the computer center where paper copies and backup media are kept.
Script Kiddies
Often such attackers may rely almost entirely on automated tools they download from the Internet. You can readily find tools to automate denial-of-service (DoS) attacks, create viruses, make a Trojan horse, or even distribute ransomware as a service. In general, the motivations of script kiddies revolve around trying to prove their skill. And by resources, we mean time as well as money. A script kiddy cannot attack your network 24 hours a day. He or she must work a job or go to school and attend to other life functions. It is not common for a script kiddy to be an insider.
Rainbow tables
Oftentimes, you will want to dump the hashes to an external file so that you can import them into a rainbow table tool. Rainbow tables
Other Issues
Older systems can also represent a security vulnerability. There is a point at which vendors no longer patch older systems. These end-of-life systems can be quite vulnerable.
Open Web Application Security Project (OWASP)
On the OWASP website, www.owasp.org, you can find a range of resources for web application security. Perhaps OWASP is most well-known for their top 10 vulnerability list.
On the Security+ exam, if you are asked about an algorithm for exchanging keys over an insecure medium, unless the context is IPsec, the answer is always Diffie-Hellman.
On the Security+ exam, if you are asked about an algorithm for exchanging keys over an insecure medium, unless the context is IPsec, the answer is always Diffie-Hellman.
cloud access security broker
On-premise or cloud-based security policy enforcement points.
Regression Testing
Once a system is deployed, whenever a change is made, not only must the change be tested, but all of the systems that might be affected by that change should also be tested.
cloud bursting.
One common implementation of cloud computing is to take advantage of cloud bursting. This means that when your servers become too busy, you offload traffic to resources from a cloud provider. Technologies that make much of the load balancing/prioritizing possible employ the QoS (Quality of Service) protocols.
Exit Interviews
One of the best ways to find problems is to listen— not talk—to those with whom you work.
Change Management
One of the biggest risks an organization faces involves change: either implementing or failing to implement. The discipline of change management is focused on how to document and control for a change. The key in every instance is to document everything and focus on the extent and scope of what is affected by every change.
Signs
One of the least expensive physical security tools that can be implemented is a sign.
Step 3: Recovery/Repairing the Damage
One of your first considerations after an incident is to determine how to restore access to resources that have been compromised. In the case of a DoS attack, a system reboot may be all that is required. If a system has been severely compromised, as in the case of a worm, it might not be possible to repair it. It may need to be regenerated from scratch.
Three different models are explained here:
One-Tier Model Two-Tier Model Three-Tier Model
One-Time Pads
One-time pads are the only truly completely secure cryptographic implementations. they use a key that is as long as a plain-text message. one-time pad keys are used only once and then discarded.
Onsite Storage
Onsite storage usually refers to a location on the site of the computer center that is used to store information locally. Onsite storage containers are designed and rated for fire, moisture, and pressure resistance.
OAUTH
Open Authorization standard. It is a common method for authorizing websites or applications to access information.
OATH
Open Standard for Authorization (OATH) is a common method for authorizing websites or applications to access information. It allows users to share information with third-party applications. allows access tokens to be issued to third-party clients with the approval of the resource owner.
OpenID
OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID.
sandboxing
Operating in an isolated environment.
embedded system
Operating system in a device, sometimes on a single chip.
Outof-band key exchange
Outof-band key exchange means that some other channel, other than the one that is going to be secured, is used to exchange the key.
Data Roles
Owner Steward/Custodian Privacy Officer
PBKDF2
PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies some function (like a hash or HMAC) to the password or passphrase along with Salt to produce a derived key.
Firewalls function as one or more of the following:
Packet filter Proxy firewall Stateful packet inspection firewall
Passive scanning
Passive scanning involves methods to search your network that do not directly interact with the network. This usually means websites that provide information.
PAP
Password Authentication Protocol is an old and insecure method of authentication. Essentially the username and password are sent in clear text. PAP was used before packet sniffers became widely available. It is now insecure and should not be used.
The first step in creating secure accounts
Password complexity Password age Password history password length Passphrases are becoming more common.
Good Passwords
Passwords should be at least 10 characters long, implement complexity requirements, and be changed from time to time.
Password Storage
Passwords should be stored as a hash using a salt algorithm. Ensure that once a user is authenticated, he or she is only given just enough privileges to do their job.
intrusive tests
Penetration-type testing that involves trying to break into the network.
nonintrusive tests
Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network.
Fencing, Gates, and Cages
Perimeter security, whether physical or technological, is the first line of defense in your security model.
Peripherals
Peripherals also present security issues. There are so many peripherals available today, including wireless keyboards and mice, displays, WiFi enabled cards, printers, scanners, external drives, digital cameras, and more coming all the time.
Nonpersistence
Persistent images are those that stay the same, while nonpersistent are those that are temporary. They can exist only in RAM or be changes that are overwritten on a reboot by a persistent/frozen image.
PII
Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual.
whaling
Phishing only large accounts.
Physical
Physical controls are those put in place to reduce the risk of harm coming to physical property, information, computer systems, or other assets.
Tokens/Cards
Physical tokens or FOBs are anything that a user must have on them to access network resources, and they are often associated with devices that enable the user to generate a one-time password authenticating their identity. SecurID, from RSA
Pinning
Pinning is a method designed to mitigate the use of fraudulent certificates. Basically, once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host. Certificate authorities can be online or offline.
Implementing Policies Instead of using valuable time trying to figure out what to do, employees will know exactly what to do.
Policies provide the people in an organization with guidance about their expected behavior. Scope Statement Policy Overview Statement Policy Statement Accountability Statement Exception Statement
Polymorphic Virus
Polymorphic viruses and polymorphic malware of any type —change form in order to avoid detection. from your antivirus the virus will encrypt parts of itself to avoid detection. When the virus does this, it's referred to as mutation. common characteristics
impersonation
Pretending to be another person to gain information.
Pretty Good Privacy
Pretty Good Privacy (PGP) is a freeware email encryption system.
Private
Private information is intended only for internal use within the organization. In many cases, this type of information is also placed on a need-to-know basis—unless you need to know, you won't be informed.
Privilege Escalation
Privilege escalation involves a user gaining more privileges than they should have.
control
Processes or actions used to respond to situations or events.
secure coding
Programming in a manner that is secure.
Protected Extensible Authentication Protocol
Protected Extensible Authentication Protocol This protocol encrypts the authentication process with an authenticated TLS tunnel.
Protocol Analyzer
Protocol analyzers, also called packet sniffers. These tools look at the current traffic on a network and allow you to view that traffic and capture a copy of the traffic for later analysis. In this section
Address Resolution Protocol (ARP)
Protocol used to map known IP addresses to unknown physical addresses.
Public Key Infrastructure X.509/Public Key Cryptography Standards
Public Key Cryptography Standards (PKCS) PKCS #7: Cryptographic Message Syntax Standard PKCS #12: Personal Information Exchange Syntax Standard
Public
Public information is primarily made available either to the larger public or to specific individuals who need it.
PASS method:
Pull, Aim, Squeeze, and Sweep. Fire extinguishers usually operate for only a few seconds Most fire extinguishers require an annual inspection.
Pulping
Pulping reduces paper to liquid slurry before making it available for reuse in post-consumer products.
Purging
Purging data is simply removing it and the traces of it. This is usually done with storage devices, such as hard drives, and is often referred to as sanitation.
jamming
Purposely obstructing or interfering with a signal.
integer overflow
Putting too much information into too small of a space that has been set aside for numbers.
Scenario 3 Access speed is of the utmost importance on a web server. You want to purchase some fast 3 TB hard drives and install them in a RAID 0 array. How many drives will you need to purchase to host 900 GB of data?
RAID 0 doesn't perform any fault tolerance and doesn't require any extra disk space. You can obtain 9 TB of data by using three disks.
RAID Level 0
RAID 0 is disk striping. It uses multiple drives and maps them together as a single physical drive. This is done primarily for performance, not for fault tolerance. If any drive in a RAID 0 array fails, the entire logical drive becomes unusable.
RAID Level 1
RAID 1 is disk mirroring. Disk mirroring provides 100 percent redundancy because everything is stored on two disks. If one disk fails, another disk continues to operate. The failed disk can be replaced, and the RAID 1 array can be regenerated.
RAID Level 3
RAID 3 is disk striping with a parity disk. RAID 3 arrays implement fault tolerance by using striping (RAID 0) in conjunction with a separate disk that stores parity information.
RAID Level 5
RAID 5 is disk striping with parity, and it is one of the most common forms of RAID in use today. It operates similarly to disk striping, as in RAID 0. The parity information is spread across all of the disks in the array instead of being limited to a single disk, as in RAID 3. Most implementations require a minimum of three disks and support a maximum of 32.
RSA
RSA is named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is an early public key encryption system that uses large integers as the basis for the process.
Race conditions
Race conditions are a vulnerability related to multithreaded applications. When a multithreaded application does not properly handle various threads accessing a common value, this can lead to unpredictable values for that variable. This is called a race condition.
Redundancy
Redundancy refers to systems that either are duplicated or fail over to other systems in the event of a malfunction. Failover refers to the process of reconstructing a system or switching over to other systems when a failure is detected.
Redundant Array of Independent Disks
Redundant Array of Independent Disks (RAID) is a technology that uses multiple disks to provide fault tolerance.
Refactoring
Refactoring is the name given to a set of techniques used to identify the flow and then modify the internal structure of code without changing the code's visible behavior. In the malware world, this is often done to look for opportunities to take advantage of weak code and look for holes that can be exploited.
High Availability
Refers to the measures, such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage. With high availability, the goal is to have key services available 99.999 percent of the time (also known as five nines availability).
URL hijacking
Registering domains that are similar to those for a known entity but based on a misspelling or typographical error.
A number of organizations have examined risk-related issues associated with cloud computing. These issues include the following:
Regulatory Compliance User Privileges Data Integration/Segregation
Working with RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of remote and other network connections. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized.
Retrovirus
Retroviruses can directly attack your antivirus software and potentially destroy your virus definition database file.
Acting on Your Risk Assessment four possible responses
Risk Avoidance Risk Transference Risk Mitigation Risk Acceptance
Risk Acceptance
Risk acceptance is often the choice that you must make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition. Risk acceptance is nothing more than acknowledging that a risk exists and choosing to do nothing about it. Every firm has a different level of risk tolerance (sometimes called a risk appetite) that they are willing to accept.
Risk Avoidance
Risk avoidance involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk.
Risk Mitigation
Risk mitigation is accomplished any time you take steps to reduce risk.
Role-Based Access Control
Role-based access control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. This is also sometimes called group-based control or group-based permissions.
Ron's Cipher
Ron's Cipher or Ron's Code RC4, RC5, and RC6. RC5 uses a key size of up to 2,048 bits. It's considered to be a strong system. RC4 is popular with wireless and WEP/WPA encryption. It is a streaming cipher that works with key sizes between 40 and 2,048 bits
rooting.
Root is the term for an administrator in Linux, and Android phones use Linux.
Rootkits
Rootkits are software programs that have the ability to hide certain things from the operating system.
Round-robin load balancing
Round-robin load balancing is incredibly simple: the first client request is sent to the first group of servers, the second is sent to the second, and so on. When the end of the list is reached, the load balancer loops back and goes down the list again.
Rule-Based Access Control
Rule-based access control (RBAC) uses the settings in preconfigured security policies to make all decisions.
cross-site scripting (XSS)
Running a script routine on a user's machine from a website without their permission.
SATCOM
SATCOM is an acronym for satellite communications. anyone can purchase a satellite phone A person can connect to a satellite without ever going through your company network.
Secure Hash Algorithm
SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. produces a 160-bit hash value. SHA-2 has several sizes: 224, 256, 334, and 512 bit. SHA-2 is the most widely used, but SHA-3 has been released. Although SHA-3 is now a standard, there simply are no known issues with SHA-2,
When you compute risk assessment, remember this formula:
SLE × ARO = ALE
SQL Injection
SQL (Structured Query Language) is the de facto language used for communicating with online (and other relational) databases. always to filter input. SQL injection attack (also known as a SQL insertion attack), an attacker manipulates the database code to take advantage of a weakness in it.
stored procedures
SQL statements written and stored on the database that can be called by applications.
Sandboxing
Sandboxing involves running apps in restricted memory areas to provide escape protection.
Wireless Attack Analogy
Sandwich shop attacks
Mobile Devices
Screen Lock Strong Password Context-Aware Authentication Device Encryption Remote Wipe/Sanitation Voice Encryption GPS Tracking Geofencing Application Control Storage Segmentation Asset Tracking Device Access Control Content Management
privacy filters
Screens that restrict viewing of monitors to only those sitting in front of them.
SAML
Security Assertion Markup Language (SAML) is a markup language, much like HTML. it defines security authorization. SAML is used to exchange authentication and authorization information between identity providers and service providers.
SIEM
Security information and event management (SIEM) software combines security information management (SIM) and security event management (SEM) functions to provide real-time analysis of security alerts.
General Security Policies
Security policies define what controls are required to implement and maintain the security of systems, users, and networks.
perimeter security
Security set up on the outside of the network or server to protect it.
Separation of Duties Policies
Separation of duties policies are designed to reduce the risk of fraud and to prevent other losses in an organization.
cold aisles
Server room aisles that blow cold air from the floor.
Service Pack
Service packs are a cumulative assortment of the hotfixes and patches to date. These should always be applied but tested first to be sure that no problems are caused by the update.
Faraday Cage
Shielding refers to the process of preventing electronic emissions from your computer systems from being used to gather intelligence A Faraday cage usually consists of an electrically conductive wire mesh or other conductor woven into a "cage" that surrounds a room. The conductor is then grounded. Because of this cage, few electromagnetic signals can either enter or leave the room.
SPAP
Shiva Password Authentication Protocol simply encrypts the username and password. This prevents a packet sniffer from getting the username and password, but it does nothing to limit replay attacks or session hijacking
Shredding
Shredding reduces the size of objects with the intent of making them no longer usable. Strip shredders are usually the fastest because they cut the paper in only one direction; A cross-cut shredder cuts the paper in more than one direction, and it is usually more secure than a strip shredder. Micro shredders are types of cross-cut shredders that produce very small pieces.
Shunning
Shunning, or ignoring an attack, is a common response even though it is a violation of every security policy.
Mean Time to Failure
Similar to MTBF, the mean time to failure (MTTF) is the average time to failure for a nonrepairable system.
Smartcards
Smartcards are generally used for access control and security purposes. The card itself usually contains a small amount of memory that can be used to store permissions and access information. A password or PIN is required to activate most smartcards, and encryption is employed to protect the contents. With many smartcards, if you enter the wrong PIN multiple times (usually three), the card will shut down to enhance security further.
data loss prevention (DLP)
Software or techniques designed to detect attempts to exfiltrate data.
rootkit
Software program that has the ability to obtain root-level access and hide certain things from the operating system.
spyware
Software programs that work—often actively—on behalf of a third party.
ransomware
Software that demands payment before restoring the data or system infected.
adware
Software that gathers information to pass on to marketers or that intercepts personal data such as credit card numbers and makes it available to third parties.
antivirus software
Software that identifies the presence of a virus and is capable of removing or quarantining the virus.
scareware
Software that tries to convince unsuspecting users that a threat exists.
SDN
Software-defined networking (SDN) is a relatively recent trend that can be useful both in placing security devices and in segmenting the network. Essentially in an SDN, the entire network is virtualized. This allows a relatively easy segmentation of the network. It also allows the administrator to place virtualized security devices in any place that he or she wishes.
Identifying Critical Systems and Components
Sometimes your systems are dependent on things that you would not normally consider. Basic utilities such as electricity, water, and natural gas are key aspects of business continuity.
Exception Statement
Sometimes, even the best policy doesn't foresee every eventuality. The exception statement provides specific guidance about the procedure or process that must be followed in order to deviate from the policy. Not a loophole. Instead of using valuable time trying to figure out what to do, employees will know exactly what to do.
Managing Spam to Avoid Viruses
Spam is defined as any unwanted, unsolicited email
Scalability
Speaking of scaling both up and down,
Implementing Policies for Vendors
Standard operating procedure (SOP). This serves as the baseline for business and, if properly written, covers what is expected on a regular basis. Outlines what to do when things aren't running as well as they should, such as which vendor to call when the communications server crashes, whom to notify when their keypads won't allow access to the server room, and so on.
BYOD
Stands for Bring Your Own Device.
CYOD
Stands for Choose Your Own Device.
COPE
Stands for Company-Owned and -Provided Equipment.
EDGE
Stands for Enhanced Data Rates for GSM Evolution. This does not fit neatly into the 2G/3G/4G spectrum. It is technically considered pre-3G, but it was an improvement on GSM (2G). So, we could consider it a bridge between 2G and 3G technology developed by the European Telecommunications Standards Institute (ETSI).
LTE
Stands for Long-Term Evolution. This is a standard for wireless communication of high-speed data for mobile devices. It is what is commonly called 4G.
UMTS
Stands for Universal Mobile Telecommunications Systems. This is a 3G standard based on GSM. It is essentially an improvement over GSM.
Stapling
Stapling is a method used with OCSP, which allows a web server to provide information on the validity of its own certificate rather than needing to go to the certificate vendor. This is done by the web server essentially downloading the OCSP response from the certificate vendor in advance and providing that to browsers. When a key is compromised, a revocation request should be made to the CA—immediately.
Stateful inspection
Stateful inspection is also referred to as stateful packet inspection (SPI) filtering In stateful inspection (or stateful packet filtering), records are kept using a state table that tracks every communications channel; it remembers where the packet came from and where the next one should come from.
Stateful packet inspection firewall
Stateless firewalls make decisions based on the data that comes in the packet, for example, and not based on any complex decisions.
Stateless firewalls
Stateless firewalls make decisions based on the data that comes in—the packet, for example— and not based on any complex decisions.
static testing
Static code analyzers are tools that simply read through the source code trying to document vulnerabilities.
Steganography
Steganography is the process of hiding a message in a medium such as a digital image, audio file, or other file. The most common way this is done today is called the least significant bit (LSB) method. If you changed the very last bit (the least significant bit in each byte), then that would not make a noticeable change in the image.
onsite storage
Storing backup data at the same site as the servers on which the original data resides.
offsite storage
Storing data off the premises, usually in a secure location.
Stress testing
Stress testing is another aspect of software testing. This involves subjecting the target system to a workload far in excess of what it would normally encounter.
Strong Password
Strong passwords can also be augmented with biometrics. Using a fingerprint or even facial
stress testing
Subjecting a system to workloads that are extreme.
Working with Symmetric Algorithms
Symmetric algorithms require both the sender and receiver of an encrypted message to have the same key and processing algorithms. secret key or private key If a key is lost or stolen, the entire process is breached. If you wish to encrypt messages with a friend in another city, how do you exchange keys? Symmetric methods use either a block or stream cipher.
Other Issues
System sprawl is a common problem for many networks. As the network grows, it becomes more difficult to track all the equipment and software on the network.
TLS
TLS adds encryption and authentication to the protocol.
TLS
TLS is not the only way to encrypt traffic, but it is an effective and widely supported method.
Technical
Technical controls are those controls implemented through technology.
control types
Technical, physical, or administrative measures in place to assist with resource management.
near field communication (NFC)
Technology that enables communication between devices when they're "touched" together. Often used to verify (often through RFID or Wi-Fi) that the device is present.
TACACS, TACACS+, XTACACS
Terminal Access Controller Access Control System (TACACS) Extended TACACS (XTACACS) replaced the original version and combined authentication and authorization with logging to enable auditing. TACACS+ allows credentials to be accepted from multiple methods, including Kerberos. The TACACS client-server process occurs in the same manner as the RADIUS process. TACACS+ has become widely accepted as an alternative to RADIUS.
Active Response
Terminating Processes or Sessions Network Configuration Changes Deception
Automation/Scripting
Thanks to sophisticated monitors and sensors, it is possible to use automation/scripting in a wide variety of scenarios to preplan automated courses of action
Backup Server Method
The Backup Server method establishes a server with large amounts of disk space whose sole purpose is to back up data. With the right software, a dedicated server can examine and copy all the files that have been altered every day.
CA Certificate
The CA certificate is issued by one CA to another CA. The second CA, in turn, can then issue certificates to an end entity.
DNS spoofing
The DNS server is given information about a name server that it thinks is legitimate when it isn't.
Data Encryption Standard
The Data Encryption Standard (DES) It's based on a 56-bit key DES actually generates a 64-bit key, but 8 of those bits are just for error correction and only the 56 bits are the actual key.
A PIA
The Department of Homeland Security (DHS), for example, uses it to identify and mitigate privacy risks by telling the public what personally identifiable information (PII) it collects, why it is collected, and how it is used, accessed, shared, safeguarded, and stored.
Full Archival Method
The Full Archival method works on the assumption that any information created on any system is stored forever. All backups are kept indefinitely using some form of backup media. Some organizations that have tried to do this have needed entire warehouses to contain their archival backups.
Grandfather, Father, Son Method
The Grandfather, Father, Son method is based on the philosophy that a full backup should occur at regular intervals, such as monthly or weekly. It's a common practice for an organization to keep a minimum of seven years in archives.
Honeynet Project
The Honeynet project is an open source honeypot and honeynet project: www.honeynet.org/.
802.1x
The IEEE standard that defines port-based security for wireless network access control.
IPSec
The IP Security (IPsec) protocol is designed to provide secure communications between systems. This includes system-to-system communication in the same network, as well as communication to systems on external networks.
incident response plan (IRP).
The IRP outlines what steps are needed and who is responsible for deciding how to handle a situation. The term incident has special meanings in different industries. If no one is qualified, you need to identify a third party that you can contact.
Infrastructure as a Service
The Infrastructure as a Service (IaaS) model utilizes virtualization, and clients pay a cloud service provider for resources used. traditional utility model used by electric, gas, and water providers. GoGrid is a well-known example
Institute of Electrical and Electronics Engineers
The Institute of Electrical and Electronics Engineers (IEEE) is an international organization focused on technology and related standards. PKC, wireless, and networking protocol standards.
ISO Standards
The International Organization for Standardization (ISO), as the name suggests, is the de facto source for international standards.
Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is an international community of computer professionals that includes network engineers, vendors, administrators, and researchers.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is the source for many of the national standards in the United States.
National Security Agency
The National Security Agency (NSA) is responsible for creating codes, breaking codes, and coding systems for the U.S. government. support Department of Defense (DoD) activities.
North American Electric Reliability Corporation (NERC)
The North American Electric Reliability Corporation (NERC) publishes standards for electrical power companies. Patching of all systems. This standard requires that all registered entities check for new patches at least once every 35 days.
Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard is the one used by Visa, Mastercard, American Express, and Discover.
Platform as a Service
The Platform as a Service (PaaS) model is also known as cloud platform services. In this model, vendors allow apps to be created and run on their infrastructure Amazon Web Services and Google Code.
SSID
The Service Set Identifier (SSID) is used by the access point of a wireless LAN to identify itself and is intended to be unique for a particular area/entity on a network.
Software as a Service
The Software as a Service (SaaS) model is the one often thought of when users generically think of cloud computing. In this model, applications are remotely run over the web. Salesforce.com. Costs are usually computed on a subscription basis.
Web Application Security Project
The Web Application Security project has a collaborative project that supports a distributed honeypot: http://projects.webappsec.org/w/page/29606603/Distributed%20Web
X.509
The X.509 standard defines the certificate formats and fields for public keys.
X.509
The X.509 standard is the most widely used standard for digital certificates.
dictionary attack
The act of attempting to crack passwords by testing them against a list of dictionary words. With today's powerful computers, an attacker can combine one of many available automated password-cracking utilities with several large dictionaries or "wordlists" and crack huge numbers of passwords in a matter of minutes. Any password based on any dictionary word is vulnerable to such an attack.
VM escape
The act of breaking out of one virtual machine into one or more others on the same physical host.
intrusion
The act of entering a system without authorization to do so.
disaster recovery
The act of recovering data following a disaster in which it has been destroyed.
fire suppression
The act of stopping a fire and preventing it from spreading.
Administrator
The administrator is the person responsible for setting the security policy for an organization and is responsible for making decisions about the deployment and configuration of the IDS.
The algorithm must have few or no collisions
The algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output.
attack surface
The area of an application that is available to users—those who are authenticated and, more importantly, those who are not.
Asset value (AV)
The assessed value of an item (server, property, and so on) associated with cash flow.
interference
The byproduct of electrical processes. One common form of interference is Radio Frequency Interference (RFI), which is usually projected across a radio spectrum.
PRNG
The cipher key used with symmetric algorithms should be a random number. However, this poses a problem. Orderly algorithms don't produce truly random numbers. generate keys for symmetric ciphers. Another use of PRNGs is to generate initialization vectors (IVs). IVs are numbers that should be used only once and are added to a key to make the algorithm stronger.
analyzer
The component or process that analyzes the data collected by the sensor.
Honeypots and Honeynets
The concept of a honeypot is a separate system that appears to be an attractive target but is in reality a trap for attackers (internal or external). The second item that a honeypot provides is that since it is not a real system, no legitimate users ever access it. Therefore, you are free to turn on an absurd amount of monitoring and logging for that system.
Laws and Regulations
The consumer retains the ultimate responsibility for compliance.
working copy backup
The copy of the data currently in use on a network.
PASS method
The correct method of extinguishing a fire with an extinguisher: Pull, Aim, Squeeze, and Sweep.
Single Loss Expectancy (SLE)
The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.
(RTP).
The data is transmitted with realtime transfer protocol (RTP). sRTP (secure realtime transfer protocol).
Data Source
The data source is the raw information that the IDS or IPS uses to detect suspicious activity.
Placing Security Devices
The easiest device to place is the firewall. You are probably already aware that you need a firewall at your network's perimeter. At every junction of a network zone. All modern switches and routers have firewall capabilities.
Symmetric Cipher Modes
The easiest is Electronic Code Book (ECB). This simply means to use the algorithm without any modification at all. The second mode, quite commonly used, is cipher-block chaining (CBC). What CBC does is that when one block is finished encrypting, before the second block is started, the output of the first block is XOR'd with the plain text of the next block. even if every single block of plain text were identical, the outputs would be different. Counter mode (CTM or CTR) is used to convert a block cipher into a stream cipher.
software-defined network (SDN)
The entire network, including all security devices, is virtualized.
There are two other variations on BYOD that are used by some organizations.
The first is Choose Your Own Device (CYOD). Company-Owned and -Provided Equipment (COPE).
The first is Choose Your Own Device (CYOD).
The first is Choose Your Own Device (CYOD). With this approach, the company creates a list of approved devices that meet the company's minimum security standards.
Content Management
The first is controlling what applications are installed on a mobile device.
General Secure Coding Guidelines
The first is encryption. code signing is recommended Version control and change management
Insiders
The first issue is skill level. An insider might be of any skill level. He or she could be a script kiddy or very technically skilled. The second issue is motivation. Insiders' reasons and goals can span the range of motivations. working alone limited financial resources and time. They already have some access to your network and some level of knowledge.
Wireless
The first issue is the wireless protection protocol being implemented. There are three choices: WEP, WPA, and WPA2. you should simply use WPA2
pwdump
The first step for many password cracking tools is to get a copy of the local password hashes from the Windows SAM file. The SAM file, or Security Accounts Manager, is where Windows stores hashes of passwords. The program pwdump will extract the password hashes from the SAM file.
Intrusion Detection Systems
The first thing to keep in mind is that no HIDS/HIPS is 100 percent effective. All such systems will have some false positives (legitimate traffic labeled as an attack) and false negatives (attacks labeled as legitimate traffic). The key is to interpret what your HIDS/HIPS is telling you properly in order to determine if you need to alter the configuration to get more accurate readings.
Forensics from the Security+ Perspective
The five steps outlined here will help in all incident response situations.
bluesnarfing
The gaining of unauthorized access through a Bluetooth connection.
Guideline Statements
The guideline statements provide the step by-step instructions or procedures on how to accomplish a task in a specific manner.
Structured Query Language (SQL)
The language used by all relational databases.
key management
The management of all aspects of cryptographic keys in a cryptosystem, including key generation, exchange, storage, use, destruction and replacement.
Manager
The manager is the component or process the operator uses to manage the IDS or IPS
Recovery time objective (RTO)
The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.
Maximum Tolerable Downtime (MTD)
The maximum period of time that a business process can be down before the survival of the organization is at risk.
Mean Time Between Failures
The mean time between failures (MTBF) is the measure of the anticipated incidence of failure for a system or component.This measurement determines the component's anticipated lifetime.
Mean Time to Restore
The mean time to restore (MTTR) is the measurement of how long it takes to repair a system or component once a failure occurs. (This is often also referenced as mean time to repair.)
Mean Time to Restore (MTTR)
The measurement of how long it takes to repair a system or component once a failure occurs.
Mean Time Between Failures (MTBF)
The measurement of the anticipated lifetime of a system or component.
Mean time to failure (MTTF)
The measurement of the average of how long it takes a system or component to fail.
End-Entity Certificate
The most common is the end-entity certificate, which is issued by a CA to an end entity. An end entity is a system that doesn't issue certificates but merely uses them.
Legal and Compliance
The most important thing is to uncover which laws and policies govern your organization and then make certain you fully understand and comply with them. Remember that ignorance of the law is never a justifiable defense, and the legal obligation is on you to comply.
Organized Crime
The motive is simply illegal profits. moderately skilled to highly skilled. have more resources, both in terms of time and money
netcat
The netcat utility also does not come with the operating system, but it is a free download for Windows or Linux. This utility allows you to read and write to network connections using either TCP or UDP.
netstat
The netstat command is also part of both Windows and Linux. It displays current network connections.
Domain Name System (DNS)
The network service used in TCP/IP networks that translates hostnames to IP addresses.
SSL and TLS
The number of steps in the handshake depends on whether steps are combined and/or mutual authentication is included. The number of steps is always between four and nine, inclusive, based on who is doing the documentation.
Operator
The operator is the person primarily responsible for the IDS/IPS.
access point (AP)
The point at which access to a network is accomplished. This term is often used in relation to a wireless access point (WAP).
Access point (AP or wireless AP)
The point at which access to a network is accomplished. This term is often used in relation to a wireless access point.
access point (AP)
The point at which access to a network is accomplished. This term is often used in relation to a wireless access point.
crossover error rate (CER)
The point at which the FRR and FAR are equal. Sometimes called the equal error rate (ERR).
Recovery Point Objective (RPO)
The point last known good data prior to an outage that is used to recover systems.
least privilege policy
The policy of giving a user only the minimum permissions needed to do the work that must be done.
VM Escape Protection
The possibility exists that a crash in another customer's implementation could expose a path by which a user might hop ("server hop") to your data.
Exposure Factor (EF)
The potential percentage of loss to an asset if a threat is realized.
Router
The primary instrument used for connectivity between two or more networks is the router. Routers work by providing a path between the networks. Most routers can be configured to operate as packet-filtering firewalls and use access control lists (ACLs). antispoofing protections. Antispoofing protections work by performing switch port, MAC address, and/or source address verification. Routers are your first line of defense, and they must be configured to pass only traffic that is authorized by network administrators.
least privileges
The principle that any user or service will be given only enough access privileges to do its job and no more.
Privacy Officer
The privacy officer, or chief privacy officer (CPO), is the person within an organization charged with safeguarding personal information.
The private key
The private key is kept private, and only the owner (receiver) knows it.
Risk
The probability that a particular threat will occur, either accidentally or intentionally, leaving a system vulnerable and the impact of this occurring.
Risk Calculation
The process of calculating the risks that exist in terms of costs, number, frequency, and so forth.
Degaussing
The process of degaussing is used to remove data from magnetic storage media such as hard drives and magnetic tapes.
information classification
The process of determining what information is accessible, to what parties, and for what purposes.
encapsulation
The process of enclosing data in a packet.
Step 2: Investigating the Incident
The process of investigating an incident involves searching logs, files, and any other sources of data about the nature and scope of the incident. If possible, you should determine whether this is part of a larger attack, a random event, or a false positive. You might find that the incident doesn't require a response if it can't be successful. change in policies is required to deal with a new type of threat.
hardening
The process of making a server or an application resistant to an attack.
Operating system hardening.
The process of making a system as secure as it can be, without the addition of thirdparty software, devices, or other security controls, is often termed operating system hardening.
Infrastructure as Code (IaC)
The process of managing and provisioning computer datacenters through machine-readable definition files.
failover
The process of reconstructing a system or switching over to other systems when a failure is detected.
database normalization
The process of removing duplication in a relational database.
data acquisition
The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated is known as legal hold.
Onboarding
The process used to train a new employee and bring them up to speed with the organization, its clients, its products, and so forth is known as onboarding.
Detective
The purpose of a detective control is to uncover a violation.
false acceptance rate (FAR)
The rate at which a biometric solution allows in individuals it should have rejected.
false rejection rate (FRR)
The rate at which a biometric solution rejects individuals it should have allowed.
Stateful vs. Stateless Firewalls
The real difference between SPI and simple packet filtering is that SPI tracks the entire conversation while packet filtering looks only at the current packet.
Recovery Point Objective
The recovery point objective (RPO) is similar to RTO, but it defines the point at which the system needs to be restored.
Recovery Time Objective
The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.
Databases and Technologies
The relational database has become the most common approach to database implementation. Structured Query Language (SQL). Databases need patching just like other applications. You should configure them to use access controls and provide their own levels of security.
privilege escalation
The result when a user obtains access to a resource that they wouldn't normally be able to access. Privilege escalation can be done inadvertently by running a program with Set User ID (SUID) or Set Group ID (SGID) permissions or by temporarily becoming another user (via su or sudo in Unix/Linux or RunAs in Windows). It can also be done purposefully by an attacker seeking full access.
Scope and Purpose
The scope and purpose section provides an overview and statement of the guideline's intent.
Integrity
The second major reason for implementing a cryptographic system involves providing assurance that a message wasn't modified during transmission. Integrity can be accomplished by adding information such as redundant data that can be used as checked using a hashing algorithm.
Scope and Purpose
The section of a guideline that provides an overview and statement of the guideline's intent
bluejacking
The sending of unsolicited messages over a Bluetooth connection.
network access control (NAC)
The set of standards defined by the network for clients attempting to access it. Usually, NAC requires that clients be virus free and adhere to specified policies before allowing them on the network.
exercise responses to emergencies before they happen
The six steps of any incident response process should be as follows: Preparation Identification Containment Eradication Recovery Lessons learned
hypervisor
The software that allows virtual machines to exist. The machine running the hypervisor is known as a host, while the instances of virtual machines are known as guests.
Scenario 2 Your primary server is currently running four 3 GB disks in a RAID 5 array. Storage space is at a premium, and a purchase order has just been approved for four 5 TB disks. If you still use a RAID 5 array, what is the maximum data storage space this server will be able to host?
The solution that will generate the most data storage capacity is to install all eight drives (the four current ones and the four new ones) into the server. The array must use the same size storage on each drive; thus, all eight drives will appear as if they are 3 TB drives. Under this scenario, 21 TB can be used for data storage, and 3 TB will be used for parity.
Spyware
The spyware program monitors the user's activity and reports it to another party without informing the user that it is doing so.
Audit
The standards documents provide a mechanism for both new and existing standards to be evaluated for compliance. The process of evaluation is called an audit
Steward/Custodian
The steward, or custodian, is the person (or people) who has operational responsibility for the physical and electronic security of the data.
cryptography.
The study of cryptographic algorithms is called cryptography. The study of how to break cryptographic algorithms is called cryptanalysis. The two subjects taken together are generally referred to as cryptology.
Backdoor
The term backdoor attack The original term backdoor referred to troubleshooting and developer hooks into systems that often circumvented normal authentication. During the development of a complicated operating system or application, programmers add backdoors or maintenance hooks. The second type of backdoor refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker.
Malware and Crypto-Malware
The term malware is used to refer to software that does harm If the malware incorporates cryptography, then it can be referred to as crypto-malware, which is simply a subset of malware.
Threat Vectors
The term threat vector is the way in which an attacker poses a threat. This can be a particular tool that they can use against you (a vulnerability scanner, for example) or the path(s) of attack that they follow
Three-Tier Model
The three-tier model effectively isolates the end user from the database by introducing a middle-tier server. This approach is becoming common in business today. The middle server can also control access to the database and provide additional security.
User Issues
The weakest point in security for many organizations is the end user. training and education. Security training is just as important as any technology that you can purchase or policy that you can implement.
launch a web page when users first connect.
The web page may list acceptable use policies or require some authentication. This page must be navigated before full access to network resources is granted. The term for this web page is a captive portal.
extranet
Then the company decides to provide a few of their largest suppliers with direct access to that intranet ordering service. This is now an extranet.
Antimalware
There are a variety of antimalware applications, including standard antivirus as well as advanced antimalware applications.
Protocols
There are modern authentication protocols, such as Kerberos, which are discussed later in this chapter. You should ensure that you are using these protocols.
Developing Policies, Standards, and Guidelines
There is a difference between "top-down policies" (those that use the support of upper management) and "bottom-up policies" (often generated by the IT department with little intradepartmental support).
When setting up Wi-Fi encryption, there are two modes you can use.
There is preshared key (PSK) mode enterprise mode.
Placing Security Devices correlation engines
These are applications that look at firewall logs, often from diverse firewalls, and attempt to correlate the entries to understand possible attacks.
Placing Security Devices Distributed DoS (DDoS) mitigator.
These are devices that attempt to detect DDoS attacks and to stop them.
business partner agreements (BPAs)
These outline responsibilities and obligations (as well as the sharing of profits and losses) between business partners.
postmortem
These simple questions can help you adjust the procedures. This process is called a postmortem, and it's the equivalent of an autopsy.
diffusion and confusion.
These terms come from information theory.
PAP, SPAP, and CHAP
These three authentication protocols represent the evolution of authentication. The oldest, PAP
user account
These will be assigned to human users of your network.
Understanding Various Types of Application/Service Attacks
They might be doing it for the sheer fun of it. They might be criminals attempting to steal from you. They might be individuals or groups who are using the attack to make a political statement or commit an act of terrorism.
Replay Attacks
They occur when information is captured over a network. A replay attack is a kind of access or modification attack. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture the information and replay it later. This can also occur with security certificates from systems such as Kerberos: the attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity.
OWASP Zap
They publish a list of top vulnerabilities. They also publish a free tool to scan for website vulnerabilities.
certificate authorities (CAs)
Third-party organizations called certificate authorities (CAs) manage public keys and issue certificates
Security and the Cloud Multitenancy
This "multitenant" nature means that workloads from different clients can be on the same system, and a flaw in implementation could compromise security.
Invisible Secrets
This a low-cost commercial product that can hide data in either an image or sound file. You can find out more at www.invisiblesecrets.com.
Diffie-Hellman
This algorithm is used primarily to generate a shared secret key across public networks. The process isn't used to encrypt or decrypt messages; it's used merely for the creation of a symmetric key between two parties.
Confidential
This classification is used to identify low-level secrets; it's generally the lowest level of classification used by the military. Unclassified.
Deep Sound
This is a free download that allows you to hide data in sound files: http://jpinsoft.net/deepsound.
Segmentation and Defense in Depth
This is a fundamental precept of security. It simply means that it should never be the case that your security is either all or primarily focused on your network's borders. Security should be extended throughout the network.
Public Key Infrastructure (PKI) One of the first steps in getting a certificate is to submit a certificatesigning request (CSR).
This is a request formatted for the CA. This request will have the public key that you wish to use and your fully distinguished name (often a domain name). The CA will then use this to process your request for a digital certificate.
dynamic testing
This is a type of dynamic testing, purposefully testing with unexpected values to find security vulnerabilities.
Open Stego
This is an open source steganography tool that can be found at www.openstego.com. It is somewhat limited, but it will provide basic steganography.
The most widely used method is the certificate revocation list (CRL).
This is literally a list of certificates that a specific CA states should no longer be used. CRLs are now being replaced by a real-time protocol called Online Certificate Status Protocol (OCSP).
User Acceptance Testing
This is often called beta testing. A test group of users is given access to the system to test it. They are usually testing to see if the system meets their needs.
sideloading
This issue is comparable to sideloading with Android devices.
Driver Manipulation
This manipulation causes the driver(s) to be bypassed altogether or to do what it was programmed to do—
security through obscurity
This means that something is not particularly secure, just that the details are hidden and you hope that no attacker finds them.
Brute Force
This method simply involves trying every possible key. It is guaranteed to work, but it is likely to take so long that it is simply not usable.
air-gap.
This occurs when one or more systems are literally not connected to a network. Having an air-gapped backup server is often a good idea. This is one certain way of preventing malware infections on that system.
Performance Criteria
This part of the standards document outlines how to accomplish the task. It should include relevant baseline and technology standards. Baselines provide a minimum or starting point for the standard.
Accountability Statement
This policy should address who (usually expressed as a position, not the actual name of an individual) is responsible for ensuring that the policy is enforced. consequences
Extensible Authentication Protocol - Transport Layer Security
This protocol utilizes TLS in order to secure the authentication process. EAP-TLS utilize X.509 digital certificates to authenticate the users.
Roles and Responsibilities
This section of the guidelines identifies which individuals or departments are responsible for accomplishing specific tasks.
Reference Documents
This section of the standards document explains how the standard relates to the organization's different policies, thereby connecting the standard to the underlying policies that have been put in place.
Roles and Responsibilities
This section of the standards document outlines who is responsible for implementing, monitoring, and maintaining the standard.
IEEE 802.11ac
This standard was approved in January 2014. It has a throughput of up to 1 gbps with at least 500 mbps. It uses up to 8 MIMO.
IEEE 802.11n-2009
This technology gets bandwidth of up to 600 Mbit/s
Cutover Test
This test shuts down the main systems and has everything fail over to backup systems. You should never do a cutover test if you have not already done a simulation and parallel test. If the cutover test fails, your entire system is offline; in essence, you have created a disaster.
Identifying Critical Functions
To identify critical functions, a company must ask itself, "What functions are necessary to continue operations until full service can be restored?" Every department should be evaluated to ensure that no critical processes are overlooked.
Barricades/Bollards
To stop someone from entering a facility, barricades or gauntlets can be used. These are often used in conjunction with guards, fencing, and other physical security measures, but they can be used as stand-alones as well.
intrusion detection system (IDS)
Tools that identify attacks using defined rules or logic and are considered passive. An IDS can be network based or host based.
intrusion prevention system (IPS)
Tools that respond to attacks using defined rules or logic and are considered active. An IPS can be network based or host based.
Secure Protocols
Transport Layer Security was originally used to encrypt web traffic. HTTP (Hyper Text Transfer Protocol) was secured with TLS to become HTTPS. All banking websites and e-commerce websites use HTTPS to protect sensitive information. becomes SMTPS, POP3S, IMAPS. The "S" is for secure.
Transport
Transport mode encrypts only the payload.
Troubleshooting Common Security Issues
Troubleshooting Common Security Issues
Trusted platform modules (TPMs)
Trusted platform modules (TPMs) are dedicated processors that use cryptographic keys to perform a variety of tasks. For example, they can be used to authenticate devices. TPMs can also be used to facilitate FDE. Usually a TPM will be on the motherboard of the computer.
Two of the most common types of DoS attacks are
Two of the most common types of DoS attacks are: The ping of death crashes a system by sending Internet Control Message Protocol (ICMP) packets (think echoes) that are larger than the system can handle. Buffer overflow attacks, as the name implies, attempt to put more data (usually long input strings) into the buffer than it can hold. Code Red, Slapper, and Slammer are all attacks that took advantage of buffer overflows
Assessing Privacy
Two privacy-related concepts with which you should be familiar are the privacy impact assessment (PIA) and privacy threshold assessment (PTA).
Type II hypervisor
Type II hypervisor model, also known as hosted, is dependent on the operating system and cannot boot until the OS is up and running.
hoax
Typically, an email message warning of something that isn't true, such as an outbreak of a new virus. A hoax can send users into a panic and cause more harm than the virus.
Typo Squatting and URL Hijacking
Typo squatting (also spelled typosquatting) and URL hijacking are one and the same. a known entity but based on a misspelling or typographical error. The best defense against typo squatting is to register those domains around yours for which a user might intentionally type in a value when trying to locate you.
unauthorized software.
Unauthorized software is closely related to license compliance violations. Copyrights are serious legal issues, and your company should strive to comply with copyright laws.
Usage Audits
Usage audits literally audit what the account is doing.
Type C
Use: Electrical Retardant composition: Nonconductive chemicals
Type B
Use: Flammable liquids Retardant composition: Fire-retardant chemicals
Type D
Use: Flammable metals Retardant composition: Varies; type specific
Type A
Use:Wood and paper Retardant composition:Largely water or chemical
Company-Owned and -Provided Equipment (COPE).
Using COPE, the company has complete control of the devices, and thus it can ensure a higher level of security. However, this approach has its own issues. The first is the issue of cost. second issue is personal use of these devices leads to personal data on company-owned equipment. Virtual Desktop Infrastructure (VDI) for mobile phones.
Cross-Site Scripting and Request Forgery
Using a client-side scripting language, it is possible for an attacker to trick a user who visits the site into having code execute locally. When this is done, it is known as cross-site scripting (XSS). The next time a user visits that section of the website, the script is executed. The way to prevent this attack is to filter input, much like with SQL injection.
clickjacking
Using multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they had intended to click on the top page.
anomalies
Variations from normal operations.
Version control and change management
Version control and change management is another concept common to all programming. Source code control tools, some of which are open source (such as Subversion and Git),
VDI
Virtual desktop infrastructure (VDI) is the process of running a user desktop inside a virtual machine that lives on a server in the datacenter. It enables fully personalized desktops for each user yet maintains centralized management and security.
Type II hypervisor
Virtualization method that is dependent on the operating system.
Type I hypervisor
Virtualization method that is independent of the operating system and boots before the OS.
Voice Encryption
Voice encryption can be used with mobile phones and similar devices to encrypt transmissions.
Vulnerability Scanning
Vulnerability scanning allows you to identify specific vulnerabilities in your network, and most penetration testers will start with this procedure so that they can identify likely targets to attack. A penetration test is essentially an attempt to exploit these vulnerabilities.
Wi-Fi Encryption
WEP WPA WPA2
Wired Equivalent Privacy (WEP)
WEP stands for Wired Equivalent Privacy. You can see by its name that the WEP protocol was intended to make a wireless network as secure as a wired network. However, it was flawed, and it is now recommended you don't use it.
WPA
WPA couples the RC4 encryption algorithm with TKIP (Temporal Key Integrity Protocol). Essentially, TKIP mixes a root key with an initialization vector. This key mixing means that there is effectively a new key for each packet.
WPA Wi-Fi Protected Access (WPA)
WPA uses Temporal Key Integrity Protocol (TKIP), which is a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet.
WPA2
WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES. The most important thing to recall about WPA2 is that it fully implements the 802.11i Wi-Fi security standards.
shoulder surfing
Watching someone when they enter their username, password, or sensitive data.
Benchmarks/Secure Configuration Guides Web Server
Web servers are an obvious security concern. By their very nature, they are exposed to the entire world and thus are susceptible to a variety of attacks. At the same time, they cannot be locked down as securely as other servers. This is due to the fact that you must allow unknown visitors to connect to your website. That is, in fact, the very reason why you publish a website.
Use of Open Source Intelligence
Websites and tools are available that allow you to gather information on current threats or even on specific issues.
PHI
What CompTIA refers to as personal health information (PHI) is more commonly known as protected health information and should be thought of as a subset of PII that is protected by law.
What is now called an IPS was formerly known as an active IDS.
What is now called an IPS was formerly known as an active IDS.
Risk Transference
What you do instead is share some of the burden of the risk with someone else, such as an insurance company. Another risk transference possibility involves employing external consultants for assistance with solutions in areas where internal IT is weak and requiring the external consultants to guarantee their work.
Unit Testing
When a functioning unit is complete, whether it is a module, programming class, or complete application, it should be tested. This is usually done by the programmer(s). The testing can be either dynamic, static, or both.
Zero-Day Exploits
When a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered by the developer
Zero-Day Exploits
When a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered, bypassing the one-totwo-day response time that many software providers need to put out a patch once a hole has been found, this is known as a zero-day exploit. This exploit can occur before the vendor is even aware of the vulnerability. Responding to a zero-day exploit can be very difficult. If attackers learn of the weakness the same day as the developer, then they have the ability to exploit it until a patch is released. Often, the only thing that you as a security administrator can do, between the discovery of the exploit and the release of the patch, is to turn off the service. Although this can be a costly undertaking in terms of productivity, it is the only way to keep your network safe.
Recovering a System
When a system fails, you'll be unable to reestablish operation without regenerating all of the system's components. This process includes making sure that hardware is functioning, restoring or installing the operating systems, restoring or installing applications, and restoring data files. It can take several days on a large system. With a little forethought, you may be able to simplify the process and make it easily manageable.
An older method was the replay attack.
When a user sends their login information, even if it is encrypted, the attacker captures it and later sends the same information. Password cracking can be done online or offline.
Another issue is resource exhaustion.
When an application continuously allocates additional resources (such as memory), eventually the finite resources of the host machine are exhausted, leading the system to hang or crash.
The use of personal email at work is another security concern.
When an employee checks their personal email from a company workstation, any malware that might be sent to that email address will now infect the company network.
Owner
When it comes to data, the owner is the person (or people) identified (by law, contract, or policy) with the responsibility for granting access to users and ensuring appropriate use of the information.
pivot.
When it is possible to attack a system using another, compromised system, this is known as doing a pivot. With pivoting (also known as island hopping), a compromised system is used to attack another system on the same network following the initial exploitation.
Pod slurping
When portable devices are plugged directly into a machine, they bypass the network security measures (such as firewalls) and allow data to be copied in what is known as pod slurping.
sandbox
When there is any doubt about a new item on the network, put the new item into a sandbox. A sandbox is a term for a test environment that is completely isolated from the rest of the network.
collision
When two different inputs into a cryptographic hash produce the same output, this is known as a collision.
Multifactor Authentication
When two or more access methods are included as part of the authentication process, you're implementing a multifactor authentication system.
Integration Testing
When two or more units are connected, they should be tested to ensure that they function together. This is usually done by the programmer(s). This testing is usually dynamic testing.
System Testing
When you have a complete functioning system, it should be tested. This is often done by a separate testing team. This testing is usually dynamic testing.
Access Issues
Whenever there is any situation where someone is able to access data they should not be able to access, then that is an access violation.
Firewalls and Related Devices
Whether you are using a host-based firewall or a web-application firewall (WAF), you will still need to know how to interpret the logs of these systems. As with HIDS/HIPS, you will ultimately have to refer to the documentation for your specific firewall in order to interpret the results properly. Each vendor's logs will have a different format, so you will need to review the documentation that came with your firewall. We've provided a basic understanding of how firewall logs work. It is important to realize that firewall logs can contain a wealth of information about attempted breaches of your network.
Access Point
While an access point (AP) can technically be used for either a wired or wireless connection, in reality the term is almost exclusively associated with a wireless-enabling device today. An AP works at Layer 2 (the data link layer) of the OSI model, Depending on the size of the network, one or more APs might be required to provide coverage. APs come in all different shapes and sizes. Many are cheaper and designed strictly for home or small-office use. Such APs have lowpowered antennas and limited expansion ports. Higher-end APs used for commercial purposes have high-powered antennas, enabling them to extend how far the wireless signal can travel. To connect to a wireless AP, you need a service set identifier (SSID) name. The AP might broadcast the SSID APs can be configured not to broadcast the SSID or to cloak it. Wireless devices ship with default SSIDs, security settings, channels, passwords, and usernames. To protect yourself, it is strongly recommended that you change these default settings.
Types of Certificates
Wildcard certificates, as the name suggests, can be used more widely, usually with multiple subdomains of a given domain. Subject Alternative Name (SAN) is not so much a type of certificate as a special field in X.509. (IP addresses, domain names, and so on) Machine/computer certificates are X.509 certificates assigned to a specific machine. Email certificates are used for securing email. Secure Multipurpose Internet Mail Extensions (S/MIME) uses X.509 certificates to secure email communications. User certificates are used for individual users Root certificates are used for root authorities. These are usually selfsigned by that authority. Domain validation certificates are among the most common certificates. Extended validation certificates, as the name suggests, require more validation of the certificate holder; thus, they provide more security.
Wiping
Wiping goes further than purging and is also known as overwriting or shredding. With wiping, the data that was there is first replaced with something else and then removed. The simplest overwrite technique writes a pattern of zeros over the original data.
WEP
Wired Equivalent Privacy, encryption was an early attempt to add security, but it fell short because of weaknesses in the way the encryption algorithms are employed. The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the core problems with WEP.
Limit Admin Access
Wireless access points have an administrative panel. This should only be accessible via a physical connection, not via wireless.
ARP Poisoning
With ARP poisoning (also known as ARP spoofing), the MAC (Media Access Control) address of the data is faked. launch a DoS attack.
false negative
With a false negative, you are not alerted to a situation when you should be alerted. In this case, you miss something crucial and it slips right by.
Full Tunneling
With a full tunnel configuration, all requests are routed and encrypted through the VPN
Rainbow Tables and Salt
With a rainbow table, all of the possible hashes are computed in advance. each has all the possible two-letter, three-letter, four-letter, Now if you search the table for a given hash, the letter combination in the table that produced the hash must be the password that you are seeking. A countermeasure, called Salt, refers to the addition of bits at key locations, either before or after the hash. Using Salt, should someone apply a rainbow table attack, the hash they search for will yield a letter combination other than what you actually typed in.
Network Scanners
With network scanning, you are literally trying to find out what is on your network. A network scanner or network mapper can enumerate everything on your network, giving you an up-to-the-minute view of what is on your network. It is also a perfect way to detect rogue systems. It is entirely possible that someone has added a computer, wireless access point, or even multiple servers that you didn't know about.
Pulverizing
With pulverizing, media (usually documents) are fed into a pulverizer that uses hydraulic or pneumatic action to reduce the materials to loose fibers and shards.
Ransomware
With ransomware, software—often delivered through a Trojan (discussed in a moment)—takes control of a system and demands that a third party be paid. encrypting the hard drive changing user password information
Security as a Service (SECaaS)
With this model, a large service provider integrates their security services into a corporate infrastructure and makes them available on a subscription basis. Due to economies of scale, the solution is more cost effective when total cost of ownership is factored in. authentication, antivirus, antimalware/spyware, and intrusion detection.
CHAP
With this protocol, when users send their username and password to the server (encrypted, of course), the server first authenticates the user. Then once authentication is complete, the server directs the client computer to generate some random number (often a cryptographic hash) and send that to the server (encrypted as well, of course). Then the server will periodically challenge the client to reproduce that number/hash. If the client session has been compromised, then the client will be unable to produce that number/hash, and the server will terminate the session. Microsoft has a proprietary version of this called MS-CHAP.
Parallel Test
With this test, you start up all backup systems but leave the main systems functioning.
Transitive Access
With transitive access, one party (A) trusts another party (B). If the second party (B) trusts another party (C), then a relationship can exist where the first party (A) also may trust the third party (C). This is sometimes described as transitive trust.
Hardware-Based Encryption Devices
Within the advanced configuration settings on some BIOS configuration menus, for example, you can choose to enable or disable TPM. A trusted platform module (TPM) can be used to assist with cryptographic key generation. TPM is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. TPM can be used to protect smartphones and devices other than PCs as well. It can also be used to generate values used with whole disk encryption such as BitLocker. BitLocker can be used with or without TPM.
User Files
Word processing documents, spreadsheets, and other user files are extremely valuable to an organization. Fortunately, although the number of files that people retain is usually large, the number of files that change after initial creation is relatively small.
Types of Storage Mechanisms
Working Copies Onsite Storage Offsite Storage
Working Copies
Working copy backups, sometimes referred to as shadow copies, are partial or full backups that are kept at the computer center for immediate recovery purposes.
Implementation
Yes, selecting a strong algorithm (such as AES 256 bit) is a good idea for cryptography. However, the algorithm must also be implemented properly. cryptographic modules and cryptographic providers.
Risk actions for the scenario Risk avoidance
You begin moving services from the older server to other servers and remove the load to avoid the risk of any services being affected by its demise.
TPM
You can choose to enable or disable TPM. A trusted platform module (TPM) can be used to assist with hash key generation. TPM is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. TPM chip may be installed on the motherboard.
Risk actions for the scenario Risk acceptance
You know the server could fail but hope that it doesn't. You neither write nor submit reports because you don't want to rock the boat and make your boss unhappy with you. With luck, you'll have transferred to another division before the server ever goes down.
In application whitelisting
You make a list of allowed apps, and only those applications may be installed.
Asset Tracking
You must have a method of asset tracking. serial number or as complex as a GPS locator
Risk actions for the scenario Risk mitigation
You write up the possibility of failure and submit it to your boss while also moving crucial services from that server to others
Risk actions for the scenario Risk transference
You write up the possibility of the server failing along with details of what you think should be done to prevent it, and you submit your findings to your boss while keeping a copy for yourself. If the server does fail, you have proof that you documented this possibility and made the appropriate parties aware of the situation
Crafting a Disaster-Recovery Plan
Your backup plan for data is an integral part of this process.
Configuration Issues
Your firewall(s) provide the frontline of protection for your network. Unfortunately, modern firewalls have become increasingly complex. This can lead to a misconfigured firewall.
Estimating the Tangible and Intangible Impact on the Organization
Your organization will suffer losses in an outage. These losses will be tangible in nature, such as lost production and lost sales. Intangible losses will also be a factor.
Cable Locks
a cable lock between a laptop and a desk prevents someone from picking it up
passive reconnaissance
accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering.
Nation-States/APT
advanced persistent threats (APTs). advanced techniques Second, the attacks continued for a significant period of time. In some cases, the attacks continued for years. targeting intellectual property or other economic assets.
Act in Order of Volatility
always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.
Camera vs. Guard
always running and can record everything The benefit of a guard is that the person can move about, apply intelligence to situations, and collect evidence.
Always-on VPN
always-on VPNs. As the name implies, an always-on VPN is one on which the user is already authenticated and able to use as needed. They are popular with mobile devices where persistent connections are common and thus are sometimes alternatively referred to as mobile VPNs.
Exploitation Frameworks
an additional step of actually attempting exploits on their network. This is often done as part of a penetration test.
Analyzer
analyzes the data collected by the sensor.
ElGamal
and several variations of ElGamal have been created, including Elliptic Curve ElGamal. ElGamal and related algorithms use what is called an ephemeral key.
hosted model
another provider assumes the responsibility for supplying you with the virtual access you need. You contract with them for a specific period of time
Real-time operating systems (RTOSs)
are another issue. These operating systems are designed to process data as quickly as possible.
Hardware security modules (HSMs)
are devices that handle digital keys. They can be used to facilitate encryption as well as authentication via digital signatures. Most HSMs support tamperresistant mechanisms.
False positives
are events that aren't really incidents.
Domain Name System Security Extensions (DNSSEC)
are security specifications for security DNS (Domain Name System). digitally signed DNS responses. risk of DNS attacks such as DNS poisoning.
Related Key Attack
attacker can obtain cipher texts encrypted under two different keys. plain text and matching cipher text.
Known Plain Text
attacker having pairs of known plain text along with the corresponding cipher text. all German Naval messages ended with Heil Hitler.
Chosen Plain Text
attacker obtains the cipher texts corresponding to a set of plain texts of their own choosing. attempt to derive the key thus decrypt other messages encrypted with that key.
RIPEMD
based on MD4 RIPEMD-160 (RIPEMD-256 and RIPEMD-320, respectively)
Bcrypt
bcrypt is used with passwords, and it essentially uses a derivation of the Blowfish algorithm converted to a hashing algorithm to hash a password and add Salt to it.
Hashing Algorithms
be one-way Variable-length The algorithm must have few or no collisions.
Two of the key components of BCP are
business impact analysis (BIA) and risk assessment.
FTP (File Transfer Protocol)
can also be secured with TLS to become FTPS. If you are transferring files with sensitive information, then you should use FTPS rather than FTP. As an alternative to FTPS there is SFTP, and SCP. Secure File Transfer Protocol and Secure Copy both secure file transfer but they secure with SSH (Secure Shell) rather than SSL/TLS. The use of SFTP, SCP, or FTPS is always recommended if any sensitive files are being transferred.
Configuration Issues
change default settings or default passwords. appropriate training for a given piece of equipment. Whether you use Firefox, Edge, Chrome, Opera, Safari, or some other browser, you can select the security settings. Only WPA2 fully implements the 802.11i security requirements.
Identification vs. Authentication
claim to be anyone (identification). To prove it (authentication),
Cloud Access Security Brokers
cloud access security brokers (CASBs) are actually on-premise or cloud-based security policy enforcement points. They exist between the cloud service users and the cloud service providers for the purpose of combining (and adding) enterprise security policies as resources are accessed. gatekeeper.
Risks Associated with Cloud Computing
cloud computing means hosting services and data on the Internet instead of hosting it locally.
code signing is recommended
code signing is recommended. By digitally signing code, such as ActiveX components in web pages or device drivers, the end user who is installing the software can be confident as to the software's origin.
Solar Winds
commercial network scanner
ROT13
common substitution cipher is ROT13, and it is also one commonly asked about on the Security+ exam. Thus an A becomes an N, a B becomes an O, and so forth. One of the easiest ways to solve ROT13 text messages is to take a sheet of paper and write the letters from A to M in one column and from N to Z in a second.
Platform as a Service (PaaS)
consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
Understanding Containers and Application Cells
containers are now thought by most to be their successor. Sometimes referred to as "Docker containers," after the application that introduced the technology, with containers, a piece of software is bundled with everything that it needs to run
Credentialed vs. Noncredentialed
credentialed, The difference is that a credentialed vulnerability scan uses actual network credentials to connect to systems and scan for vulnerabilities. Nessus vulnerability scanner: Not Disrupting Operations or Consuming Too Many Resources operations are executed on the host itself rather than across the network.
Armored Virus
difficult to detect or analyze. Armored viruses cover themselves with protective code that stops debuggers
Digital Certificate Issues
digital certificates also must be configured and implemented properly.
active reconnaissance
directly focuses on the system (port scans, traceroute information, network mapping, and so forth)
Directory Traversal/Command Injection
directory traversal attack. If the attacker can gain access to the root directory of a system (which is limited from all but administrative users), they can essentially gain access to everything on the system.
Disassociation
disassociation attack (commonly known as a deauthentication attack). the intruder sends a frame to the AP with a spoofed address to make it look like it came from the victim and disconnects them from the network.
Interconnection Security Agreement (ISA)
documents the technical and security requirements for establishing, operating, and maintaining the interconnection.
Domain Hijacking
domain hijacking involves an individual changing the domain registration information for a site without the original registrant's permission.
escalation of privilege
escalation of privilege—that is, a hole created when code is executed with higher privileges than those of the user running it.
Voice and video calls
established with session initiation protocol (SIP)
A type K
extinguisher that is marketed for use on cooking oil fires can also be found in stores. In actuality, this is a subset of class B extinguishers.
Personnel Issues
failure to follow policies
Competitors
financial gain. The skill level can vary, but it tends to be moderate to highly skilled, competitors will use a disgruntled insider Another related phenomenon relates to dark web markets that actively traffic in stolen information.
Biometrics
fingerprint scanners, full hand scanners, eye scanners (including retinal or iris scanners), facial recognition, or voice recognition. false acceptance rate (FAR) and a false rejection rate (FRR). it is recommended that both rates be equal. The point at which the FRR and FAR are equal is called the crossover error rate (CER) or sometimes the equal error rate (ERR).
Private Cloud
for exclusive use by a single organization comprising multiple consumers a private cloud is owned by the organization, and they act as both the provider and the consumer.
Community Cloud
for exclusive use by a specific community of consumers from organizations that have shared concerns
Public Cloud
for open use by the general public.
shared account
for several uses. This is sometimes called a generic account. have individual accounts for individual users. lab on a college campus that only has access to the lab systems and no other resources, you might have a generic account labuser This could include clients or business partners who are visiting your facilities for a brief period of time. Humans are not the only entities that may require access to network resources. You might have software that needs to access your network, separately from human involvement.
Secure Systems Design self-encrypting drive (SED)
has a controller chip built into it that automatically encrypts the drive and decrypts it, provided the proper password is entered. The encryption key used in SEDs is called the media encryption key (MEK). Locking and unlocking a drive requires another key, called the key encryption key (KEK), supplied by the user. The KEK is used to decrypt the MEK, which in turn is what encrypts and decrypts the drive.
Data execution prevention (DEP)
has become increasingly popular. Microsoft introduced this with Windows Vista. When an application tries to launch, the user must approve the execution before it can proceed. Even if the malware is blocked, you would want to know that there was an attempt to execute.
Multi-alphabet Substitution
have multiple substitutions. For example, you might shift the first letter by three to the right, the second letter by two to the right, and the third letter by one to the left; then repeat this formula with the next three letters.
disaster-recovery plan, or scheme
helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses.
Penetration Testing
hire penetration testers to test their system's defenses. the same techniques that a hacker would use to find any flaws in a system's security.
Hot and Cold Aisles
hot aisles and cold aisles With a hot aisle, hot air outlets are used to cool the equipment, whereas with cold aisles, cold air intake is used to cool the equipment.
Physical Control
hotspots. Using a mobile device, it would be possible for someone to begin broadcasting an SSID that is similar to the one used by your actual corporate wireless access point
The Type I
hypervisor model, also known as bare metal, is independent of the operating system and boots before the OS.
Lock Types
in many different sizes, shapes, types, and designs. As an administrator, you need to make sure that the lock being used for a purpose is able to fulfill that purpose.
MAC filtering
in which each host is identified by its MAC address and allowed (or denied) access based on that, can increase security dramatically.
LanHelper
inexpensive network mapper and scanner
Input Vulnerabilities
input not being properly checked. All input should be validated.
Other Issues
installation of unauthorized software. Unlicensed software SMS/MMS
IDS vs. IPS
intrusion detection systems (IDSs) intrusion prevention systems (IPSs)
Buffer overflows
involve attempting to load more data into an array than the array can hold. overwriting something. If a program has appropriate, robust error handling, then in the event of a problem, the user will simply see an error message box.
Nonintrusive tests
involve passively testing of security controls—performing vulnerability scans and probing for weaknesses but not exploiting them.
TCP/IP hijacking
involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly, and it gives the attacker access to the session and to all the information on the original system.
Server-side validation
involves validating data after the server has received it. This process can include checking business logic to see if the data sent conforms to expected parameters. It is unusual to have just server-side validation. You may have systems with only client-side validation, but server-side validation is normally done in conjunction with client-side validation.
ipconfig/ip/ifconfig
ipconfig in Windows (ifconfig in Linux) is one of the more basic network commands. It will provide you with information about your network interfaces.
Hybrid Cloud
is a composition of two or more distinct cloud infrastructures an amalgamation of private and public clouds. When you start mixing in community clouds, it often becomes more of an extension of the community cloud rather than a hybrid cloud.
User training
is a critical topic in cybersecurity. First and foremost, users (including technical users) must be properly trained in the use of technical controls. The best firewall in the world is far less effective if the technical staff are not appropriately trained (and getting your technical staff Security+ certified is a good first step!).
The Internet of Things (IoT)
is a growing issue. At first, this encompassed primarily automated industrial devices. However, it has even spread to private homes. As more people embrace technologies such as smart thermostats and similar devices, the security issues become a greater concern. the first ever ransomware for smart thermostats. Wearable technology comes in many forms. This can be exercise related devices or medical devices. In either case, sensitive personal information is stored on the device. industrial systems have long used smart technology in heating, ventilation, and air conditioning (HVAC). These systems use smart technology to regulate air flow and temperature.
HSM Hierarchical storage management (HSM)
is a newer backup type. HSM provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup. hardware security module as well—a method of transient cryptographic key exchange.
A virus
is a piece of software designed to infect a computer system. They get in in 3 ways: *On contaminated media (DVD, USB drive, or other) *Through email and social networking sites *As part of another program
NFC Near field communications (NFC)
is a radio wave transmission that automatically connects when in range.
ThreatCrowd
is a search engine that enables you to find information about the latest threats.
DLL injection
is a situation in which the malware tries to inject code into the memory process space of a library.
Banner Grabbing
is a technique that attackers use to gather information about a website before launching an attack. A banner is a text file on a web server that describes the operating system and the web server software. If an attacker can grab the banner, then he or she will have information about the web server to plan the attack.
Triple-DES Triple-DES (3DES)
is a technological upgrade of DES. It increases the key length to 168 bits (using three 56-bit DES keys).
Sandboxing
is an increasingly popular way to provide secure applications. If the application is operating in isolation from the host environment, it is highly unlikely that any security breach of the application can affect the host operating system.
ISO 27002
is another ISO standard widely used in cybersecurity. This standard recommends best practices for initiating, implementing, and maintaining information security management systems (ISMSs).
Social engineering
is essentially using interpersonal skills to attempt to elicit information. Social media is also a problem in many ways. distracting employees and reducing productivity information exfiltration
Unlicensed software
is itself a subset of the topic of asset management.
distributed denial-of-service (DDoS) attack
is similar to a DoS attack. multiple computer systems (often through botnets) to conduct the attack against a single organization. DDoS attack is that the latter uses multiple computers—all focused on one target. DDoS is far more common—and effective—today than DoS.
An ephemeral key
is simply a key that exists only for that session. Essentially, the algorithm creates a key to use for that single communication session, and it is not used again.
A third mode, sometimes called open
is simply unsecure. This is sometimes used for public Wi-Fi that has no access to any sensitive data, but it is simply a portal to access the Internet.
Recertification
is the process whereby you determine if given accounts still require the privileges that they have.
Cryptography
is the science of altering information so that it cannot be decoded without a key.
GPS Tracking
it also has removable storage
Pass the Hash
it is possible for an attacker to send an authenticated copy of the password hash value (along with a valid username) and authenticate to any remote server
Worm
its primary purpose is to replicate.
Secure Configurations
least functionality. This is similar to the concept of least privileges. The system itself should be configured and capable of doing only what it is intended to do and no more. The next issue is to lock down the system as much as possible. This involves disabling all default passwords and any default accounts you don't use. If there are default accounts that you don't use, shut them down. Along with disabling default accounts is the disabling of default services. If you are not using a service, why do you have it turned on?
General Concepts
least privileges. This means that each account is given only the privileges that entity (user or service) needs to do their job.
Conversely, with affinity balancing
like services are sent to like servers.
Consensus
listening intently to what they are saying, validating their thoughts. By being so incredibly nice, the social engineer convinces the other party that there is no way their intentions could possibly be harmful.
Distributive Allocation
load balancing, distributive allocation allows for distributing the load (file requests, data routing, and so on) so that no device is overly burdened. This can help with redundancy, availability, and fault tolerance.
computer restrictions
location-based controls. Location-based controls are any type of controls that limit accounts based on where the person is attempting to sign in. naming conventions. Account names should not reveal the job role. dmnadmin001
Mantrap
mantrap (also occasionally written as man-trap). Mantraps require visual identification, as well as authentication, to gain access. it allows only one or two people into a facility at a time. It's usually designed to contain an unauthorized, potentially hostile person physically until authorities arrive.
arp
maps IP addresses to MAC addresses. Unlike the other commands, this one will only work with at least one flag
The public key
may be truly public or it may be a secret between the two parties.
Diffusion
means that a change in a single bit of input changes more than one bit of the output.
SMS/MMS
messages can also be a security risk, albeit a minor one.
Aircrack
most popular tools for scanning and cracking Wi-Fi
Ophcrack
most widely used password cracking tools. Ophcrack is important because it can be installed on a bootable CD. Ophcrack offers a small rainbow table free of charge; you must purchase the larger rainbow tables.
The Enigma Machine
multi-alphabet substitution cipher. When each key was hit, a different substitution alphabet was used. The Enigma machine used 26 different substitution alphabets.
Wireshark
network packet sniffers.
agentless solutions
network scans done by the NAC and allowed on the network.
Network Access Control (NAC)
network term-307 access control (NAC) The best way to think of NAC is as a set of standards defined by the network for clients attempting to access it so that only known devices meeting specified requirements can connect. The device that is attempting to connect to the network must have something (usually an agent) running on it to verify the device, whether or not it is running up-to-date virus software, and perform any other host health check that the administrator wants to run.
nmap
nmap is a free download for Windows or Linux. It is not part of the operating system. It is often used to port scan machines. You can scan a range of IP addresses as well as a single IP.
A PTA,
on the other hand, is more commonly known as an "analysis" rather than an "assessment."
Vulnerability Scanning
passive tests are really just vulnerability scans and not penetration tests, whereas active tests provide more meaningful results.
Personal Identification Verification Card
personal identity verification (PIV) to federal employees and contractors.
Command-Line Tools
ping netstat tracert nslookup/dig arp ipconfig/ip/ifconfig nmap netcat
ping
ping is a fundamental networking utility. It is part of both Windows and Linux. The ping utility is used to find out if a particular website is reachable.
Working with NIPSs
prevention
Quantitative vs. Qualitative Risk Assessment
qualitative (opinion-based and subjective) Whenever you see the word qualitative, think of a best guess or opinion of the loss, including reputation, goodwill, and irreplaceable information; pictures; or data that get you to a subjective loss amount. quantitative (cost-based and objective),Whenever you see the word quantitative, think of the goal as determining a dollar amount.
Trust
reciprocation.
Planning for Recovery Sites
recovery sites, alternate sites, or backup sites. alternate site is alternative site
How Viruses Work
render your system inoperable or spread to other systems. If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users.
waterfall method
requirements gathering, design, implementation (also called coding), testing (also called verification), deployment, and maintenance. Each stage is completely selfcontained. Once one stage is completed, then you move on to the next stage.
HVAC
rest of the HVAC (heating, ventilation, and air-conditioning) system. It's a common practice for modern buildings to use a zone-based air-conditioning environment, which allows the environmental plant to be turned off when the building isn't occupied. A computer room will typically require full-time environmental control.
risk assessment.
risk assessment is concerned with evaluating the risk or likelihood of a loss.
Familiarity
same interests same activities gain positive attention
SIEM
security information and event management (SIEM). SIEM products provide real-time analysis of security alerts that are flagged by network appliances and software applications (aggregation). aggregate and correlate the events that come in time synchronization event deduplication: removing multiple reports on the same instance automated alert and trigger criteria write once-read-many (WORM) protection: information, once written, cannot be modified, thus assuring that the data cannot be tampered with once it is written to the device.
On-Premise vs. Hosted vs. Cloud
servers used for virtualization can be located just about anywhere. If you choose to locate them within the physical confines of your location, then they are said to be on-premise.
Session Hijacking
session hijacking describes when the item used to validate a user's session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party. Numerous types of attacks use session hijacking, including man-inthe-middle and sidejacking. prevent session hijacking are to encrypt the sessions, encourage users to log out of sites when finished
Cross-site request forgery—also known as XSRF
session riding, and one-click attack—involves unauthorized commands coming from a trusted user to the website. The best protection against cross-site scripting is to disable the running of scripts (and browser profiles).
Authentication (Single Factor) and Authorization
single-factor authentication (SFA), because only one type of authentication is checked. traditional username/password combination.
unified threat management (UTM) system
sometimes called a USM (unified security management) system, includes combinations of all the other devices we discussed earlier in this chapter, including firewall, IDS, and antivirus, as well as other items, such as load balancing and VPN.
MAC and IP Spoofing Attacks
spoofing attack is an attempt by someone or something to masquerade as someone else. A common spoofing attack that was popular for many years on early Unix and other timesharing systems involved a programmer writing a fake logon program. It would prompt the user for a user ID and password. No matter what the user typed, the program would indicate an invalid logon attempt and then transfer control to the real logon program. As mentioned in the discussion of ARP poisoning, with ARP spoofing the MAC address of the data is faked. With IP spoofing, the goal is to make the data look as if it came from a trusted host when it didn't (thus spoofing the IP address of the sending host).
tcpdump
tcpdump is a common packet sniffer for Linux. tcpdump -i eth0 tcpdump -c 100 -i eth0 tcpdump -D
a block cipher
the algorithm works on chunks of data, encrypting one and then moving to the next.
Birthday Attack
the birthday theorem. The basic idea is this: How many people would you need to have in a room to have a strong likelihood that two would have the same birthday (month and day, but not year)? This 49 percent is the probability that 23 people will not have any birthdays in common; thus, there is a 51 percent (better than even odds) chance that 2 of the 23 will have a birthday in common. So for an MD5 hash, you might think that you need 2128 +1 different inputs to get a collision
Other Issues
the business processes themselves can be vulnerabilities. Failure to perform background checks properly or to verify vendors are vulnerabilities.
In PSK mode
the client and the wireless access point must negotiate and share a key prior to initiating communications.
Infrastructure as a Service (IaaS)
the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Software as a Service (SaaS)
the consumer is to use the provider's applications running on a cloud infrastructure.
With a stream cipher
the data is encrypted one bit, or byte, at a time.
Security Guards
the most expensive physical security tools that can be implemented is a guard.
Without sandboxing
the possibility of hopping is increased, but sandboxing greatly diminishes this possibility.
One-Time Passwords
these can be used one time and never again. time-based one-time password (or TOTP) such that a password is issued but is only good for a finite period of time.
Intimidation
threats, with shouting, or even with guilt.
Urgency
time is of the essence.
transparency as "a proxy
transparency as "a proxy that does not modify the request or response
Account Types
user account domain admin account privileged account. shared account
HMAC (hash-based message authentication code)
uses a hashing algorithm along with a symmetric key. MD5 hash.
Client-side validation
usually works by taking the input that a user enters into a text field and, on the client side, checking for invalid characters or input. This process can be as simple as verifying that the input does not exceed the required length, or it can be a complete check for SQL injection characters. In either case, the validation is accomplished on the client web page before any data is sent to the server.
Secure Programming Programming Models
waterfall method Agile development
XML Injection
when users enter values that query XML (known as XPath)
Split
whereas with a split tunnel, only some (usually all incoming requests) are routed and encrypted over the VPN.
chain of custody
which covers how evidence is secured, where it is stored, and who has access to it.
Understanding Hypervisors
which is the software/hardware combination that makes it possible. are two methods of implementation: Type I and Type II.
VDI
with virtual desktop infrastructure (VDI), the user's desktop is running inside a virtual machine that resides on a server in a datacenter.