Security+ 501 1.0 - 6.0
components
CA, Intermediate CA, CRL, OCSP, CSR, Certificate, Public key, Private key, Object identifiers (OID)
backup concepts
Differential, Incremental, Snapshots, Full
storage segmentation
when the device is used on the enterprise network, a corporate workspace with a defined selection of apps and a separate storage container is created
insiders
when the perpetrator of an attack is a member of, ex-member of, or somehow affiliated with the organization's own staff, partners, or contractors
vulnerabilities due to end-of-life systems
a system that has reached the point where it can no longer be kept secure or functioning as intended, for example because the vendor no longer provides support or patches, it cannot run on newer hardware, or it is incompatible with other parts of the environment. Valuable data often remains on such a system and must be handled before it is disposed of
forward proxy
a proxy placed inside the network between the users and the Internet; it makes outbound requests on the users' behalf, which allows content filtering and caching and hides the internal client addresses from external servers
antispoofing
implementing an access control list (ACL) on the external interface that denies inbound packets whose source address falls in private (RFC 1918) or other internal address ranges, since such packets cannot legitimately arrive from the Internet
diffie-hellman
a key exchange method over an insecure communications channel; a key agreement protocol, published in 1976 by Whitfield Diffie and Martin Hellman
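Added example (not from the page): a minimal Diffie-Hellman exchange in Python. The first call uses the textbook toy parameters p=23, g=5, chosen here only for illustration (real deployments use 2048-bit or larger groups such as those in RFC 7919); the second uses fresh random exponents per session, which is the ephemeral (DHE) idea. The brute-force function shows what the eavesdropper who sees p, g, A and B has to do.

```python
import secrets

# Added example: classic finite-field Diffie-Hellman. The toy group p=23, g=5
# is for illustration only; it is trivially brute-forced.

def dh_public(p, g, private):
    """Public value g^private mod p, sent over the insecure channel."""
    return pow(g, private, p)

def dh_shared(p, peer_public, private):
    """Shared secret peer_public^private mod p, never transmitted."""
    return pow(peer_public, private, p)

def exchange(p, g, a, b):
    """Run both sides: Alice holds a, Bob holds b.
    Returns (A, B, secret_alice, secret_bob); an eavesdropper sees only p, g, A, B."""
    A = dh_public(p, g, a)
    B = dh_public(p, g, b)
    return A, B, dh_shared(p, B, a), dh_shared(p, A, b)

def ephemeral_exchange(p, g):
    """Fresh random exponents per session (the DHE idea): compromising a
    long-term key later does not expose this session, because a and b are
    discarded once the shared secret has been derived."""
    a = 1 + secrets.randbelow(p - 2)
    b = 1 + secrets.randbelow(p - 2)
    return exchange(p, g, a, b)

def brute_force_log(p, g, public):
    """What the eavesdropper must do: solve g^x = public mod p (discrete log).
    Feasible for p=23, infeasible for the 2048-bit groups used in practice."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None

if __name__ == "__main__":
    print(exchange(23, 5, 6, 15))   # both sides arrive at the same secret
```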
session affinity/source IP
a layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request
certificate revocation list (CRL)
a list of certificates that were revoked before their expiration date
access control list (ACL)
a list of subjects and the rights or permissions they have been granted on an object; in networking, an ordered set of rules that allow or deny traffic based on tuples such as source/destination address, protocol, and port
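Added example covering both the antispoofing and the ACL entries above (example code, not from the page): a first-match ACL evaluated against 5-tuples plus the ingress interface. The anti-spoofing deny rules for private and loopback source ranges are placed first so that they win over any later permit. Interface names, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a first-match ACL evaluated against 5-tuples. All addresses,
# interface names and ports are constructed for illustration.

ANY = ipaddress.ip_network("0.0.0.0/0")

# Source ranges that can never legitimately arrive from the Internet (RFC 1918 + loopback).
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    iface: str                  # ingress interface or "any"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None matches any destination port

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dport in (None, pkt.dport))

def build_acl():
    # Anti-spoofing rules go first so they win over any later permit.
    acl = [Rule("deny", "outside", "any", net, ANY, None) for net in BOGON_SOURCES]
    acl += [
        # Internet may reach the public web server on 443 only.
        Rule("permit", "outside", "tcp", ANY, ipaddress.ip_network("203.0.113.10/32"), 443),
        # Inside LAN may go anywhere.
        Rule("permit", "inside", "any", ipaddress.ip_network("192.168.1.0/24"), ANY, None),
    ]
    return acl

ACL = build_acl()

def evaluate(acl, pkt: Packet):
    """First matching rule wins; an implicit deny applies if nothing matches."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule
    return "deny", None
```

A packet arriving on the outside interface with a 192.168.x.x source hits the anti-spoofing deny before it can reach the permit for port 443; the same request from a routable source is permitted.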
warm site
a location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed
biometric lock
a lock may be integrated with a biometric scanner
role-based awareness training
a system for identifying staff performing security-sensitive roles and grading the level of training and education required
short message service (SMS)
a system for sending text messages between cell phones
steganography
a technique for obscuring the presence of a message, often by embedding information within a file or other entity.
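Added example (not from the page): least-significant-bit steganography over a constructed 8-bit grayscale "image" held as a flat byte string. Each message bit replaces the low bit of one pixel, so no pixel changes by more than 1 and the cover looks unchanged, yet anyone who knows the scheme reads the message straight back. A 32-bit length prefix tells the extractor where to stop; the cover pixels and the secret are made up.

```python
import struct

# Added example: LSB steganography on a constructed 8-bit grayscale image.

def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 32-bit length prefix plus the message, one bit per pixel LSB."""
    payload = struct.pack(">I", len(message)) + message
    bits_needed = len(payload) * 8
    if bits_needed > len(cover):
        raise ValueError(f"cover too small: need {bits_needed} pixels, have {len(cover)}")
    stego = bytearray(cover)
    for i in range(bits_needed):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit      # only the low bit of the pixel changes
    return bytes(stego)

def extract(stego: bytes) -> bytes:
    """Read the low bits back; this needs no key, only knowledge of the scheme."""
    def read_bits(start, count):
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (stego[i] & 1)
        return value
    length = read_bits(0, 32)
    if 32 + 8 * length > len(stego):
        raise ValueError("no valid payload")
    return bytes(read_bits(32 + 8 * j, 8) for j in range(length))

def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How far any pixel moved: for LSB embedding this is at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def demo():
    cover = bytes((i * 7 + 13) % 256 for i in range(4096))   # constructed cover image
    secret = b"meet at 0900"
    stego = embed(cover, secret)
    return extract(stego), max_pixel_change(cover, stego)
```

Because the message is merely hidden, not encrypted, steganography provides obscurity rather than confidentiality; encrypt the payload before embedding it if it must stay secret once found.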
failover
a technique that ensures a redundant component, device, application, or site can quickly and efficiently take over the functionality of an asset that has failed
obfuscation
a technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.
heuristic
a technique that uses rules derived from previously observed behavior to judge whether new, unseen activity is likely malicious, rather than matching exact signatures.
key stretching
a technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks
external actor
a threat actor that comes from outside the organization
internal actor
a threat actor that comes from within an organization
oauth (open authorization)
a token-based authorization protocol that is often used in conjunction with OpenID.
Network Scanners
a tool for probing a network for ports. The tool will report back to the user which ports are open ("listening"), which are closed and which are filtered. An example of a network scanner is Nmap.
skimming attack
a type of RFID attack in which an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card
ransomware
a type of Trojan malware that tries to extort money from the victim
birthday attack
a type of brute force attack aimed at exploiting collisions in hash functions
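Added example (not from the page): a birthday attack against a hash truncated to n bits, using SHA-256 truncated to 32 bits as a stand-in for a short hash. Because every new digest is compared with all earlier ones, a collision turns up after roughly 2^(n/2) evaluations (about 82,000 here) instead of the 2^32 a preimage search would need. The inputs "msg-0", "msg-1", ... are constructed.

```python
import hashlib
import itertools
import math

# Added example: birthday attack on a hash truncated to n bits.

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def expected_tries(bits: int) -> float:
    """Mean number of samples before the first collision, about sqrt(pi/2 * 2^n).
    A preimage search against the same hash would need about 2^n."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash candidates until two distinct inputs share a truncated hash.
    Returns (input_a, input_b, tries)."""
    seen = {}
    for i in itertools.count():
        candidate = prefix + str(i).encode()
        h = truncated_hash(candidate, bits)
        if h in seen:                       # candidates are all distinct, so this is a real collision
            return seen[h], candidate, i + 1
        seen[h] = candidate

if __name__ == "__main__":
    a, b, tries = find_collision(32)
    print(a, b, tries, "expected about", round(expected_tries(32)))
```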
self-signed certificate
a digital certificate signed with its own subject's private key rather than by a CA; it carries no third-party trust and must be explicitly trusted by clients
Supervisory Control and Data Acquisition (SCADA)
a type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas
air gap
a type of network isolation that physically separates a network from all other networks.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
the AES-based encryption protocol used by WPA2 for wireless LANs; it addresses the vulnerabilities of the WEP protocol and replaces the TKIP stopgap
multimedia message service (MMS)
an extension of short message service (SMS) that enables messages that include text, sound, images, and video clips to be sent from a cell phone or PDA to other phones or e-mail addresses
media access control filtering (MAC filtering)
applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
firewalls
the devices principally used to implement security zones, such as intranet, demilitarized zone (DMZ), and the Internet, by filtering the traffic allowed between them
spam filter
the first line of defense against phishing attacks, since most phishing messages arrive as unsolicited email
diffusion
the property that changing one character (or bit) of the input changes many characters of the output, so even the slightest change to the plaintext makes the ciphertext change drastically
identification of critical systems
compiling an inventory of its business processes and its tangible and intangible assets and resources
agile
focuses on iterative and incremental development to account for evolving requirements and expectations.
carrier unlocking
for either iOS or Android, this means removing the restrictions that lock a device to a single carrier
custom firmware
replacement firmware installed in place of the vendor's image; on some devices installing it requires unlocking the bootloader or exploiting a vulnerability, which defeats the vendor's integrity checks
distinguished encoding rules (DER)
a binary encoding of ASN.1 data structures used to transfer certificates and keys; it underlies .cer/.der files and is the Base64-encoded payload of a PEM file
privilege escalation attack
exploiting a vulnerability or misconfiguration to gain higher-level access to a system than the attacker was granted
non-intrusive scan
gather information, don't try to exploit a vulnerability; vulnerability scanners; a test that does not disrupt the operations of a system;
bcrypt
generates hashes from passwords; a key-derivation function based on the Blowfish cipher algorithm
sideloading
giving users and businesses the flexibility to directly install apps without going through the storefront interface
dumpster diving
going through an organization's (or individual's) garbage to try to find useful documents (or even files stored on discarded removable media)
Platform-Specific guides
secure configuration guides written for a specific platform, such as a given operating system or server role
Vendor-Specific guides
secure configuration guides published by a vendor for its own products
active reconnaissance
has more risk of detection; the use of tools, such as network scanners & vulnerability scanners, to analyze a system, network or organization
unauthorized software
has the potential to bring malware into a network
logic bomb
malicious code planted on a system (often by a disgruntled insider) that lies dormant until a preconfigured system or user event, such as a date or the removal of a user account, triggers its payload
stapling
having the SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA and present it to clients during the handshake, so that clients do not have to contact the OCSP responder themselves
public cloud/multi-tenant
hosted by a third party and shared with other subscribers. This is what many people understand by "cloud computing." As a shared resource, there are risks regarding performance and security
license compliance violation
software may only be used under the terms of its license; a violation occurs when software is used outside the license scope (for example on more seats or machines than purchased, or for a prohibited purpose), which creates legal and financial exposure
finance
the financial impact of an incident, such as direct losses, recovery costs, fines, and lost business
passive
a passive sensor (for example a NIDS fed from a tap or mirror port) may sit on the inner network side of a firewall, on the DMZ, or on the WAN side. Placement on either the DMZ or the inner network is usually preferable because the firewall has already dropped much of the Internet background noise, so the sensor generates fewer alerts to review.
application server guide
secure configuration guides useful for configuring applications servers
network infrastructure devices
secure configuration guides useful for configuring network infrastructure devices
operating system guide
secure configuration guides useful for configuring operating systems
web server guide
secure configuration guides useful for configuring web servers
Secure IMAP
secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993
general purpose guides
security configuration guides that are generic in scope.
vendor diversity
security controls are sourced from multiple suppliers
file system security
security functions provided by access control lists (ACLs) for protecting files managed by the operating system.
interconnection security agreement (ISA)
security guide for Interconnecting Information Technology Systems. Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls
location-based policies
policies that prevent users from logging on from certain locations, or require that they log on only from specific locations.
password reuse
policy defines whether or not a user can ever use the same password again. Can be used in conjunction with password history.
personnel issues
policy violation, insider threat, social engineering, social media, and personal email
IEEE 802.1x
port-based network access control (NAC) with no access until authentication
something you have
possession (smart card, USB token, or key fob that contains a chip with authentication data, such as a digital certificate)
bluejacking
sending of unsolicited messages to another device via Bluetooth
ping
sends an echo request to a machine to determine if communication is possible.
filters
rules applied on a router, firewall, or collector that select or drop traffic (or log data) so that only the relevant portion passes on
array index overflow
insecure code that does not check bounds can be exploited to load an array with more values than it expects, overwriting adjacent memory or raising an exception that an attacker can leverage
satellite communications (SATCOM) connection
services such as voice and video calling, Internet access, faxing, and television and radio broadcasting.
legal implications
refer to the positive or negative legal consequences or commitments as a result of an action or choice made by an individual or group
aggregation
referring to the gathering of log and event data from the different network security devices used on the network.
inline
refers to a device that traffic must pass through (for example, placed between the firewall and the rest of the network), so it can block traffic in real time rather than only observe it
banner grabbing
refers to probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting detail about the way the server is configured. This information allows an attacker to identify whether the server is fully patched and to look up any known software vulnerabilities that might be exposed.
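Added example (not from the page): banner grabbing with a raw socket against a web server, alongside the hardened configuration that gives the probe nothing to work with. The server started in the example runs locally only so the code is self-contained offline; its "Apache/2.4.41 (Ubuntu)" banner is a constructed value, not a real host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example. The local server exists only so the probe has a target;
# the banner value is constructed.

class ChattyHandler(BaseHTTPRequestHandler):
    """Default-style server that advertises product and version."""
    server_version = "Apache/2.4.41 (Ubuntu)"   # constructed banner
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass

class QuietHandler(ChattyHandler):
    """Hardened variant: the Server header is reduced to a generic token
    (the equivalent of Apache's ServerTokens Prod)."""
    def version_string(self):
        return "webserver"

def start_server(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def grab_banner(host: str, port: int, timeout: float = 2.0) -> dict:
    """Send a minimal HEAD request and return the response headers as a dict.
    The Server header is what an attacker matches against vulnerability databases."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    headers = {}
    for line in data.split(b"\r\n")[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.decode().lower()] = value.decode().strip()
    return headers

def demo(handler=ChattyHandler) -> str:
    """Start a server with the given handler, grab its banner, shut it down."""
    srv = start_server(handler)
    try:
        return grab_banner("127.0.0.1", srv.server_address[1]).get("server", "")
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real target the same probe is typically done with netcat (nc host 80, then typing the HEAD request) or Nmap's service detection; the fix is on the server side, by stripping or genericising version information from banners and keeping the software patched regardless.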
supporting confidentiality
secrecy and privacy. Encryption (file-level, drive-level, email)
data encryption standard (DES)
a symmetric block cipher with a 56-bit key. DES and its replacement 3DES are considered weak in comparison with modern standards, such as AES
split tunnel
the client accesses the Internet directly using its "native" IP configuration and DNS servers.
scheduling algorithm
the code and metrics that determine which node is selected for processing each incoming request
public key
the component of asymmetric encryption that can be accessed by anyone.
voice recognition
the computer's capability of distinguishing spoken words
security automation
the concept of scripted or programmed infrastructure can also be applied to security infrastructure (firewalls, IDS, SIEM, and privilege management)
safety
the condition of being protected from risk
collectors
to store and interpret (or parse) the logs from different types of systems (host, firewall, IDS sensor, and so on), and to account for differences between vendor implementations
host health checks
to verify the status of any system attempting to connect to the network
advanced malware tools
tools that can block malware from running by using file signatures, heuristics/anomalous behavior detection, sandboxing, or virtualization; they need to be routinely updated with the latest definitions.
patch management tools
tools used to manage security patches
transitive trust
the trust extends to other trusted domains. For example, if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A also trusts Domain C
remote access
the user's device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network, usually a public Wide Area Network
phishing
to email users with the purpose of tricking them to reveal personal information or click on a link
signs
to enforce the idea that security is tightly controlled. Beyond basic no trespassing signs, some homes and offices also display signs from the security companies whose services they are currently using. These may convince intruders to stay away
session hijacking attack
to impersonate a user on a website, using the session ID that is stored in their cookies
cameras
CCTV used to monitor entrances and sensitive areas and to provide a record of who was present; some systems can also perform facial recognition
impersonation
to pretend to be someone else in order to obtain personal or sensitive information
URL hijacking attack
to register a domain name that is similar to a legitimate one (typosquatting) in order to capture users who mistype or misread the URL
protected cabling
to reduce the likelihood of emission spillage
accounting
tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted
hashing
transforming plaintext of any length into a fixed-length digest called a hash; the function is one-way, so the input cannot be recovered from the hash
stream vs block
stream ciphers encrypt data one bit or byte at a time, whereas block ciphers encrypt fixed-size groups (blocks) of bytes at once
jamming attack/interference attack
transmits noise or radio signals on the same frequency that is used by a wireless network, which prevents users from connecting to the network
security through obscurity
trying to keep the design of a security system secret as its only method of security; keeping something a secret by hiding it
disabling unnecessary ports and services
turning off any service that is not being used
identify common misconfigurations
typical results from a vulnerability assessment; use databases and dictionaries that consists of misconfigurations, such as open ports, weak passwords, default accounts and passwords, sensitive data and security & configuration errors
guest
unauthenticated users
Unencrypted credentials/clear text
credentials transmitted or stored without encryption, and therefore readable by anyone who can intercept the traffic or read the file (for example, passwords sent over Telnet, FTP, or plain HTTP)
firewall
the most widely deployed network security control; it filters traffic between zones according to a rule set
firmware over-the-air (OTA) updates
updates can be delivered wirelessly, either through a Wi-Fi network or the data connection
vehicle
use a substantial amount of electronics, all of which can potentially have vulnerabilities that could be exploitable. As well as computer systems to control the vehicle's engine, steering, and brakes, there may be embedded systems for in-vehicle entertainment and for navigation (sat-nav), using Global Positioning Systems (GPS)
multipartite viruses
use both boot sector and executable file infection methods of propagation
hosted
hosted by a third party for the exclusive use of the organization (a hosted private cloud). This is more secure and can guarantee a better level of performance but is correspondingly more expensive.
netcat or nc
used for reading from or writing to network connections using TCP or UDP.
track person hours
recording the staff time spent on an incident, used to establish the cost of the response and whether that effort was justified
third-party app stores
used to distribute unauthorized, non-approved applications. Can be downloaded by jailbroken/rooted devices.
downgrade attack
used to facilitate a Man-in-the-Middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths
zones/topologies
DMZ, Extranet, Intranet, Wireless, Guest, Honeynets, NAT, Ad hoc
Protocols
DNSSEC, SSH, S/MIME, SRTP, LDAPS, FTPS, SFTP, SNMPv3, SSL/TLS, HTTPS, Secure POP/IMAP
Connection methods
Cellular, WiFi, SATCOM, Bluetooth, NFC, ANT, Infrared, USB
Industry-standard frameworks and reference architectures
Regulatory, Non-regulatory, National vs. international, Industry-specific frameworks
time synchronization
SIEM logs may be collected from appliances in different geographic locations and, consequently, may be configured with different time zones. This can cause problems when correlating events and analyzing logs.
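Added example (not from the page) of the problem above: two constructed log feeds, a firewall in New York that stamps events in local time (UTC-5) with no zone indicator, and a VPN concentrator in London that stamps events in UTC with an explicit offset. Read naively, the two related events look almost five hours apart; once each stamp is normalised to UTC using the appliance's known offset they fall within fifteen seconds and correlate on the shared source address. Hostnames, users and addresses are made up.

```python
import re
from datetime import datetime, timezone, timedelta

# Added example: normalising appliance timestamps to UTC before correlation.
# All log lines below are constructed.

SOURCE_TZ = {"fw-nyc": timezone(timedelta(hours=-5))}   # known offset per appliance

RAW_EVENTS = [
    ("fw-nyc",  "2020-01-15 03:02:10",       "deny tcp 203.0.113.9 -> 10.0.0.5:22"),
    ("vpn-lon", "2020-01-15T08:01:55+00:00", "login ok user=jdoe src=203.0.113.9"),
    ("fw-nyc",  "2020-01-15 03:15:40",       "deny tcp 198.51.100.4 -> 10.0.0.5:22"),
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def to_utc(source: str, stamp: str) -> datetime:
    """Attach the appliance's configured offset to naive stamps, then convert to UTC."""
    if source in SOURCE_TZ:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SOURCE_TZ[source])
        return local.astimezone(timezone.utc)
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)

def timeline():
    """Events in true chronological order, all in UTC."""
    return sorted((to_utc(s, t), s, m) for s, t, m in RAW_EVENTS)

def correlate(window_seconds: int = 60):
    """Pairs of events from different appliances that mention the same IP
    within the window. Returns [(ip, seconds_apart, msg_a, msg_b)]."""
    events = timeline()
    hits = []
    for i, (ta, sa, ma) in enumerate(events):
        for tb, sb, mb in events[i + 1:]:
            gap = (tb - ta).total_seconds()
            if gap > window_seconds:
                break                      # sorted, so nothing later can be closer
            if sa != sb:
                shared = set(IP_RE.findall(ma)) & set(IP_RE.findall(mb))
                for ip in sorted(shared):
                    hits.append((ip, gap, ma, mb))
    return hits

def naive_gap_seconds() -> float:
    """What an analyst sees if the fw-nyc stamp is wrongly read as UTC."""
    fw = datetime.strptime(RAW_EVENTS[0][1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    vpn = datetime.fromisoformat(RAW_EVENTS[1][1])
    return abs((vpn - fw).total_seconds())
```

The same normalisation step is where a recorded time offset from a forensic acquisition is applied, so that evidence from a host with a skewed clock lines up with the rest of the timeline.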
risk assessment
SLE, ALE, ARO, Asset value, Risk register, Likelihood of occurrence, Supply chain assessment, Impact, Quantitative, Qualitative, Testing, Penetration testing authorization, Vulnerability testing authorization, risk response techniques, accept, transfer, avoid, mitigate
Cloud deployment models
SaaS, PaaS, IaaS, Private, Public, Hybrid, Community
environment
Development, Test, Staging, Production
threat assessment
Environmental, Artificial/manufactured, Internal vs. external
continuity of operations planning (COOP)
Exercises/tabletop, After-action reports, Failover, Alternate processing sites, Alternate business practice
deprovisioning
The process of removing an application from packages or instances.
hybrid cloud
a combination of public and private clouds
tcpdump
a command-line packet sniffing utility.
DDoS mitigator
a hardware device that identifies and blocks real-time distributed denial of service (DDoS) attacks.
SSL/TLS accelerators
a hardware interface that helps offload the resource-intensive encryption calculations in SSL/TLS to reduce overhead for a server.
Password-Based Key Derivation Function 2 (PBKDF2)
a key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks
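Added example (not from the page) for the key stretching, bcrypt and PBKDF2 entries: PBKDF2-HMAC-SHA256 from the Python standard library used as the stretching step of a password store, with a per-user salt and a constant-time comparison on verification. The iteration counts are illustrative; bcrypt works the same way in principle but is not in the standard library, so PBKDF2 is used here. The timing helper shows the effect the iteration count has on an attacker's guess rate.

```python
import hashlib
import hmac
import os
import time

# Added example: PBKDF2-HMAC-SHA256 as the key stretching step of a
# password store. Iteration counts are illustrative.

def derive(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a human-chosen password into a key; cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)

def hash_password(password: str, iterations: int = 600_000) -> dict:
    """Store salt, iteration count and derived key, never the password itself."""
    salt = os.urandom(16)        # per-user random salt defeats precomputed tables
    return {"salt": salt, "iterations": iterations, "key": derive(password, salt, iterations)}

def verify_password(password: str, record: dict) -> bool:
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])   # constant-time compare

def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Roughly how many guesses per second one CPU core can test at this cost.
    Raising the iteration count lowers the attacker's brute-force rate in proportion."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    rec = hash_password("correct horse battery")
    print(verify_password("correct horse battery", rec), verify_password("wrong", rec))
    print(round(guesses_per_second(200)), round(guesses_per_second(20_000)))
```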
root certificate
a self-signed public key certificate that identifies the root CA
certificate authority (CA)
a server that issues and signs digital certificates, binding a public key to an identity; the subject normally generates its own key pair and submits only the public key to the CA in a certificate signing request (CSR)
kerberos
an authentication service that is based on a time-sensitive ticket-granting system.
alarms
an electrical, electronic, or mechanical device that serves to warn of danger by means of a sound or signal.
smart cards
credit card sized card containing a microchip for data storage and processing.
types/category
crucial to enabling swift identification and remediation of the incident
detective
may not prevent or deter access, but it will identify and record any attempted or successful intrusion
network intrusion detection system (NIDS)
a system that uses passive sensors to monitor traffic on a specific segment of the network and raise alerts on suspicious activity.
intimidation (principle)
"there will be bad things if you don't help" and "if you don't help me, the payroll checks won't be processed"
Network Intrusion Prevention System (NIPS)
an inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
domain information groper (dig)
a utility to query a DNS server and return information about a particular domain name.
router
a network device that links dissimilar networks and can select among multiple alternate paths between locations based on parameters such as speed, traffic load, and cost.
symmetric algorithms
AES, DES, 3DES, RC4, Blowfish/Twofish
mobile device management concepts
Application management, Content management, Remote wipe, Geofencing, Geolocation, Screen locks, Push notification services, Passwords and pins, Biometrics, Context-aware authentication, Containerization, Storage segmentation, and Full device encryption
geographic considerations
Off-site backups, Distance, Location selection, Legal implications, Data sovereignty
automation/scripting
Automated courses of action, Continuous monitoring, Configuration validation
key stretching algorithms
BCRYPT, PBKDF2
agreement types
BPA, SLA, ISA, MOU/MOA
deployment models
BYOD, COPE, CYOD, Corporate-owned, VDI
routing and switching use case
Basic layer 2 switches provide ports and Virtual LANs (logical groupings of clients) for wired and (via an access point) wireless devices. Traffic between logical networks is controlled by layer 3 switches with LAN routing functionality. WAN/edge routers provide services such as web, email, and communications access for corporate clients and VPN access to the corporate network for remote clients
data destruction and media sanitization
Burning, Shredding, Pulping, Pulverizing, Degaussing, Purging, Wiping
cipher modes
CBC, GCM, ECB, CTR, Stream vs. block
camera use
CCTV cameras
data acquisition
Capture system image, Network traffic and logs, Capture video, Record time offset, Take hashes, Screenshots, Witness interviews
nslookup
a command-line program (included with Windows and available on most other platforms) used to determine exactly what information a DNS server is providing about a specific host name.
data sensitivity labeling and handling
Confidential, Private, Public, Proprietary, PII, PHI
account policy enforcement
Credential management, Group policy, Password complexity, Expiration, Recovery, Disablement, Lockout, Password history, Password reuse, Password length
Implementation vs. algorithm selection
Crypto service provider, Crypto modules
network address allocation use case
DHCP provides an automatic method
certificate formats
DER, PEM, PFX, CER, P12, P7B
incident response plan
Documented incident, types/category definitions, Roles and responsibilities, Reporting requirements/escalation, Cyber-incident response teams, Exercise
authentication protocols
EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1x, RADIUS Federation
file transfer use case
encrypted transfer protocols such as FTPS and SFTP in place of unencrypted FTP
hardware/firmware security
FDE/SED, TPM, HSM, UEFI/BIOS, Secure boot and attestation, Supply chain, Hardware root of trust, EMI/EM
biometric factors
Fingerprint scanner, Retinal scanner, Iris scanner, Voice recognition, Facial recognition, False acceptance rate, False rejection rate, Crossover error rate
cross-site scripting (XSS) attack
HTML or JavaScript code entered through a web page form or URL so that it is served back and runs in other users' browsers, typically to steal session cookies or sensitive information; one of the most common and damaging input validation exploits
environmental controls
HVAC, Hot and cold aisles, Fire suppression
tokens
Hardware, Software, HOTP/TOTP
recovery sites
Hot site, Warm site, Cold site
pass-the-hash (PtH) attack
If an attacker can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols; an attack that discovers the hash of a user's password and uses it to log on to the system as the user
behavioral-based detection
In IDSs and IPSs, an operation mode where the analysis engine recognizes baseline normal traffic and events, and generates an incident when an anomaly is detected.
full tunnel
Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.
access control lists (ACLs)
It is also possible to apply permissions to ensure only authorized users can read or modify the data
general concepts
Least privilege, Onboarding/offboarding, Permission auditing and review, Usage auditing and review, Time-of-day restrictions, Recertification, Standard naming convention, Account maintenance, Group-based access control, Location-based policies
impact
Life, Property, Safety, Finance, Reputation
common use cases
Low power devices, Low latency, High resiliency, Supporting confidentiality, Supporting integrity, Supporting obfuscation, Supporting authentication, Supporting non-repudiation, Resource vs. security constraints
access control models
MAC, DAC, ABAC, Role-based access control, Rule-based access control
hashing algorithms
MD5, SHA, HMAC, RIPEMD
recording microphone
MDM software may also be able to lock down use of device features such as the microphone to prevent covert recording
personnel management
Mandatory vacations, Job rotation, Separation of duties, Clean desk, Background checks, Exit interviews, Role-based awareness training, Data owner, Systems administrator, System owner, User, Privileged user, Executive user, NDA, Onboarding, Continuing education, Acceptable use policy/rules of behavior, Adverse actions
special purpose
Medical devices, Vehicles, Aircraft/UAV
Time synchronization use case
Network Time Protocol (NTP)
logs
OS and applications software can be configured to record data about activity on a computer. Logs can record information about events automatically.
concepts
Online vs. offline CA, Stapling, Pinning, Trust model, Key escrow, Certificate chaining
data roles
Owner, Steward/custodian, Privacy officer
certificate-based authentication
PIV/CAC/smart card, IEEE 802.1x
methods
PSK vs Enterprise vs Open, WPS, Captive portals
segregation/segmentation/isolation
Physical, Logical (VLAN), Virtualization, Air gaps
Benchmarks/secure configuration guides
Platform/vendor-specific guides, Web server, Operating system, Application server, Network infrastructure devices, General purpose guides
incident response process
Preparation, Identification, Containment, Eradication, Recovery, Lessons learned
secure coding techniques
Proper error handling, Proper input validation, Normalization, Stored procedures, Code signing, Encryption, Obfuscation/camouflage, Code reuse/dead code, Server-side vs. client-side, execution and validation, Memory management, Use of third-party libraries and SDKs, Data exposure
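Added example (not from the page) for proper input validation and parameterised statements from the list above: a lookup built by string concatenation, which turns user input into SQL, beside the hardened version that validates the username against an allow-list and then passes it as a bound parameter. The in-memory SQLite table, its rows and the injection string are constructed.

```python
import re
import sqlite3

# Added example: SQL injection via string concatenation versus allow-list
# validation plus a parameterised query. Table contents are constructed.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users (username, api_key) VALUES (?, ?)",
                     [("alice", "key-a-0001"), ("bob", "key-b-0002")])
    return conn

def lookup_vulnerable(conn, username: str):
    # Deliberately vulnerable: the value is spliced into the statement, so a
    # quote and an OR clause in it are parsed as SQL and return every row.
    query = "SELECT username, api_key FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()

def lookup_parameterised(conn, username: str):
    # The driver sends the value separately from the statement text, so it is
    # compared as data and can never change the query's structure.
    return conn.execute("SELECT username, api_key FROM users WHERE username = ?",
                        (username,)).fetchall()

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")   # allow-list of acceptable input

def lookup_safe(conn, username: str):
    """Validate first (reject anything outside the allow-list), then bind."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, username)

INJECTION = "x' OR '1'='1"   # constructed attacker input

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))
    print("parameterised:", lookup_parameterised(db, INJECTION))
```

Validation and parameterisation are complementary: the bound parameter is what actually prevents injection, while the allow-list keeps malformed input out of logs and downstream systems and fails early with a clear error.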
physical access control
Proximity cards, Smart cards
asymmetric algorithms
RSA, DSA, Diffie-Hellman, Groups, DHE, ECDHE, Elliptic curve, PGP/GPG
Secure DevOps
Security automation, Continuous integration, Baselining, Immutable systems, Infrastructure as code
security device/technology placement
Sensors, Collectors, Correlation engines, Filters, Proxies, Firewalls, VPN concentrators, SSL accelerators, Load balancers, DDoS mitigator, Aggregation switches, Taps and port mirror
tunneling/VPN
Site-to-site, Remote access
non-persistence
Snapshots, Revert to known state, Rollback to known configuration, Live boot media
code quality and testing
Static code analyzers, Dynamic analysis (e.g., fuzzing), Stress testing, Sandboxing, Model verification
in-band
The management channel could use the same network as the link being monitored (in-band)
enforcement and monitoring
Third-party app stores, Rooting/jailbreaking, Sideloading, Custom firmware, Carrier unlocking, Firmware OTA updates, Camera use, SMS/MMS, External media, USB OTG, Recording microphone, GPS tagging, WiFi direct/ad hoc, Tethering, Payment method
hypervisor
Type I, Type II, Application cells/container
operating systems
Types, Network, Server, Workstation, Appliance, Kiosk, Mobile OS, Patch management, Disabling unnecessary ports and services, Least functionality, Secure configurations, Trusted operating system, Application whitelisting/blacklisting, Disable default accounts/passwords
account types
User account, Shared and generic accounts/credentials, Guest accounts, Service accounts, Privileged accounts
defense-in-depth/layered security
Vendor diversity, Control diversity, Administrative, Technical, User training
Use cases
Voice and video, Time synchronization, Email and web, File transfer, Directory services, Remote access, Domain name resolution, Routing and switching, Network address allocation, Subscription services
Voice and video use case
Voice over IP (VoIP), web conferencing, and Video Teleconferencing (VTC)
write once, read many (WORM)
storage that can be written to once and thereafter only read, so that stored logs, backups, or evidence cannot be altered or erased afterwards
Cryptographic protocols
WPA, WPA2, CCMP, TKIP
types of certificate
Wildcard, SAN, Code signing, Self-signed, Machine/computer, Email, User, Root, Domain validation, Extended validation
peripherals
Wireless keyboards, Wireless mice, Displays, WiFi-enabled MicroSD cards, Printers/MFDs, External storage devices, Digital cameras
obfuscation
XOR, ROT13, Substitution ciphers
use of third-party libraries and SDKs
a common alternative to writing code from scratch, but third-party components may introduce vulnerabilities into an application if they are not securely coded, are out of date, or are improperly used.
single point of failure
a component or system that would cause a complete interruption of a service if it failed
honeypot
a "fake" server designed to appear like the real thing. It's meant to be a trap for attackers. Because it's bait, any traffic to it can be assumed to be malicious.
staging environment
a "production like" environment to test installation, configuration and migration scripts. Performance testing, load testing, processes required by other teams, boundary partners, etc.
privacy-enhanced electronic mail (PEM)
a DER-encoded binary file represented as Base64 ASCII text between BEGIN and END marker lines, so it is readable and easy to email or paste into configuration files
permanent agent
a NAC agent that is installed on a client. It checks the client for health.
dissolvable agent
a NAC agent that runs on a client, but deletes itself later. It checks the client for health. Compare with permanent agent.
secure boot
a UEFI feature that verifies the digital signatures of boot loaders and operating system components, preventing unsigned or tampered code from executing during the boot operation.
ifconfig
a UNIX/Linux-based utility used to gather information about the IP configuration of the network adapter or to configure the network adapter. It has been replaced with the ip command in most Linux distributions.
virtual desktop environment (VDE)
a VM that runs a desktop operating system
ipconfig
a Windows-based utility used to gather information about the IP configuration of a workstation.
full
a backup type in which all selected files, regardless of prior state, are backed up.
yagi
a directional antenna built as a bar with fins (elements); it concentrates the signal in one direction, extending range while limiting stray coverage
least privilege
a basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Public Key Cryptography Standards #12 (PKCS#12/.P12)
a binary format that bundles a server certificate, its intermediate certificates, and the private key into a single password-protected file, typically with the .pfx or .p12 extension
fingerprint scanner
a biometric technology that can detect the unique patterns and swirls of an individual's finger.
Wi-Fi Protected Setup (WPS) attack
a brute force attack that attempts to discover the PIN of a wireless device that uses Wi-Fi Protected Setup (WPS)
group policy
a centralized configuration management feature available for Active Directory on Windows Server systems
NT LAN manager authentication (NTLM)
a challenge-response authentication protocol created by Microsoft for use in its products
service set identifier (SSID)
a character string that identifies a particular wireless LAN (WLAN).
certificate issues
a client rejecting a server certificate (or slightly less commonly, an authentication server rejecting a client's certificate)
botnets
a collection of compromised computers under the control of a master node; can be utilized in other processor intensive functions and activities; robot networks
Security as a Service (SECaaS)
a computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security
Infrastructure as a Service (IaaS)
a computing method that uses the cloud to provide any or all infrastructure needs.
Platform as a Service (PaaS)
a computing method that uses the cloud to provide any platform-type services.
Software as a Service (SaaS)
a computing method that uses the cloud to provide application services to users.
order of restoration
a concept that dictates what types of systems to prioritize in disaster recovery efforts
separation of duties
a concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
service level agreement (SLA)
a contractual agreement setting out the detailed terms under which a service is provided
asset value
the value of an asset to the organization (its replacement cost or the revenue it supports), used in quantitative risk assessment, where single loss expectancy (SLE) is the asset value multiplied by the exposure factor
secure hash algorithm (SHA)
a family of cryptographic hashing algorithms created to address weaknesses in MD5. SHA-1 is deprecated; SHA-2 is the current standard and SHA-3 is also standardized
ephemeral key
a cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type (e.g., unique to each message or session)
Public Key Cryptography Standards #7 (PKCS#7 P7B)
a cryptographic message-syntax standard associated with the .p7b file
email blocking
a data loss prevention (DLP) technique for blocking the copying of files via email
USB Blocking
a data loss prevention (DLP) technique for blocking the copying of files to a USB flash drive
cloud-based blocking
a data loss prevention (DLP) technique for blocking the copying of files to the cloud
insider threat
a deliberate effort on the part of an employee to cause damage to the network, reveal company secrets, or adversely affect the operation of the enterprise
privacy impact assessment (PIA)
a detailed study to assess the risks associated with storing, processing, and disclosing PII. The study should identify vulnerabilities that may lead to data breach and evaluate controls mitigating those risks
hardware token
a device held by a user that displays a number or a password that changes frequently, such as every 60 seconds. The number is synchronized with a server and used as a one-time password.
bridge
a device similar to a switch that has one port for incoming traffic and one port for outgoing traffic.
proxy
a device that acts on behalf of one end of a network connection when communicating with the other end of the connection.
correlation engine
a device that aggregates and correlates content from different sources to uncover an attack
hardware security module (HSM)
a device that generates, manages and securely stores encryption keys
access point (ap)
a device that provides a connection between wireless devices and can connect to wired networks
risk register
a document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
a family of message digest algorithms; a message digest algorithm designed as an alternative to MD5 and SHA
data exposure
a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the appropriate access controls; refers to ensuring that data is only available to those with a "need to know"
code signing
a form of digital signature that guarantees that source code and application binaries are authentic and have not been tampered with; refers to the generation of a digital signature for a piece of code so that users can verify that it originates from a legitimate party and has not been modified in transit
proprietary
a form of the confidential classification. Disclosure of proprietary data could have a significant negative effect on an organization
memorandum of agreement (MOA)
a formal agreement (or contract) that contains specific obligations rather than a broad understanding. If one party fails to fulfill its obligations, the other party will be able to seek redress under the terms of the agreement through the courts
blowfish
a freely available 64-bit block cipher algorithm that uses a variable key length.
hot site
a fully configured alternate network that can be online quickly after a disaster.
burning
a good method for destroying data on paper. However, disposing of data on USB drives, DVDs, CDs, or other storage media via burning can give off toxic fumes, making it an environmental issue. This method should be used mainly for data on paper
virtual local area network (logical)
a logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
keylogger
a malicious program that records keystrokes in order to steal confidential information
internal threat
a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems
network access control (NAC)
a means of ensuring endpoint security—ensuring that all devices connecting to the network conform to a "health" policy (patch level, anti-virus/firewall configuration, and so on)
false acceptance rate (FAR)
a measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.
false rejection rate (FRR)
a measurement of the percentage of valid users that will be falsely rejected by the system. This is called a Type I error.
hoax
a message that tells of impending doom from a security threat that doesn't exist
loop prevention
a method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.
pretty good privacy (PGP)
a method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography
certificate chaining
a method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
authentication
a method of validating a particular entity's or individual's unique credentials.
pulping
a method that turns paper into a liquid slurry. This is only for data on paper and the disadvantages outweigh advantages, including having to haul the paper to a pulping facility and ensuring that the paper will be secure until pulping occurs
motion detection
a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room
Industrial Control System (ICS)
a network managing embedded devices (computer systems that are designed to perform a specific, dedicated function)
anomaly-based detection
a network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range.
lightweight directory access protocol (LDAP)
a network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information
directory services use case
a network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers
switch
a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.
crypto-malware
a new generation of ransomware in which your data is unavailable until you pay
salt
a nonce most commonly associated with password randomization that makes the password hash unpredictable; a security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input.
development environment
a package for programming, usually including an editor with syntax highlighting and other features and an interactive command line
stored procedures
a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a pre-defined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled; group of SQL statements stored in a Relational Database Management System that make functionality available to users of the database. Users should only have access to the minimum set of stored procedures necessary to do their job.
cloud storage
a particular type of Software as a Service where the vendor provides reliable data storage and backup
pre-shared key (PSK)
a passphrase to generate the key that is used to encrypt communications
hacktivist (hacking activist)
a person or group who launches cyber attack(s) as part of an activist movement to promote a political agenda
pivot
a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread); to use various tools to gain additional information
witness interviews
a person who sees an event when it takes place. It is imperative to call the witness to assist the investigation process. The witness can testify about how the event occurred, where and when it occurred, and other information related to the event in question
VM sprawl avoidance
a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where the administrator can no longer manage them effectively. A policy for developing and deploying VMs must be established and enforced.
vishing (voice phishing)
a phishing attack conducted through a voice channel (telephone or VoIP, for instance)
rollback to known configuration
a physical instance might not support snapshots but has an "internal" mechanism for restoring the baseline system configuration, such as Windows System Restore
snapshots
a point-in-time copy of data maintained by the file system
cipher block chaining (CBC)
a popular mode of operation relatively easy to implement; an encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block
gnu privacy guard (GPG)
a popular open-source implementation of PGP
rivest cipher 4 (RC4)
a popular streaming symmetric-key algorithm
cold site
a predetermined alternate location where a network can be rebuilt after a disaster.
memorandum of understanding (MOU)
a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however
intranet
a private network that is only accessible by the organization's own personnel.
extranet
a private network that provides some access to outside parties, particularly vendors, partners, and select customers.
legal hold
a process designed to preserve all relevant information when litigation is reasonably expected to occur.
reporting requirements/escalation
a process for indicating to whom information should be distributed and at what point the security event has escalated to the degree that specific actions should be implemented.
memory leak
a process that takes memory without subsequently freeing it up could be a legitimate but faulty application or could be a worm or other type of malware. To detect a memory leak, look for decreasing Available Bytes and increasing Committed Bytes
after-action reports
a process to determine how effective COOP and DR planning and resources were
microsoft challenge handshake authentication protocol (MS-CHAP)
a protocol that strengthens the password authentication provided by Protected Extensible Authentication Protocol (PEAP)
digital signature algorithm (DSA)
a public key encryption standard used for digital signatures that provides authentication and integrity verification for messages
rivest shamir adleman (RSA)
a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest
stream cipher
a relatively fast type of encryption that encrypts data one bit at a time.
secure shell (SSH)
a remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22
mandatory vacations
a requirement that employees are forced to take their vacation time, during which someone else fulfills their duties.
data owner
a role with overall responsibility for data guardianship
man trap
a secure entry system with two gateways, only one of which is open at any one time.
flood guard
a security control in network switches that protects hosts on the switch against SYN flood and ping flood DoS attacks.
recertification
a security control where user access privileges are audited to ensure they are accurate and adhere to relevant standards and regulations.
screen locks
a security feature that requires the user to enter a PIN or a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications
pinning
a security feature where a certain web server is linked with a public key to minimize the risk of forged certificates
Domain Name System Security Extensions (DNSSEC)
a security protocol that provides authentication of DNS data and upholds DNS data integrity.
Transport Layer Security (TLS)
a security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.
weak implementations
a security system that has known vulnerabilities
Internet Protocol Security (IPSec)
a set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet
redundant array of independent/inexpensive disks (RAID)
a set of vendor-independent specifications that support redundancy and fault tolerance for configurations on multiple-device storage systems
bluetooth connection
a short-range wireless radio network transmission medium normally used to connect two personal devices, such as a mobile phone and a wireless headset.
network address translation (NAT)
a simple form of Internet security that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.
ROT13
a simple letter substitution cipher that replaces each letter with the 13th letter after it in the alphabet
session keys
a single-use symmetric key used for encrypting all messages in one communication session
demilitarized zone (DMZ)
a small section of a private network that is located behind one firewall or between two firewalls and made available for public access.
tokens/cards
a smart lock may be opened using a magnetic swipe card or feature a proximity reader to detect the presence of a wireless key fob or one-time password generator (physical tokens) or smart card
software defined networking (SDN)
a software application for defining policy decisions on the control plane
host-based firewall/personal firewall
a software application running on a single host and designed to protect only that host
crypto service provider (CSP)
a software library that implements the Microsoft CryptoAPI
hijacking attack
a software or system takeover
data loss/leak prevention (DLP)
a software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands
stress testing
a software testing method that evaluates how software performs under extreme load
testing risk assessment
a software testing type which is based on the probability of risk
security information and event management (SIEM)
a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
whaling
a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big beasts")
multipurpose proxy
a special proxy that "knows" the application protocols that it supports. For example, an FTP proxy server implements the protocol FTP.
guest account
a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource
trusted platform module (TPM)
a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.
near field communication (NFC) connection
a standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.
remote authentication dial-in user service (RADIUS)
a standard protocol used to manage remote and wireless authentication infrastructures
IEEE 802.1X
a standard that authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails.
object identifiers (OID)
a string of decimal numbers used to uniquely identify the objects (e.g., syntaxes, data elements, and other parts of distributed applications). OIDs are usually found in SNMP, X.500 directories, and OSI applications where uniqueness is crucial.
normalization
a string that is stripped of illegal characters or substrings and converted to the accepted character set. This ensures that the string is in a format that can be processed correctly by the input validation routines; refers to transforming user input into the expected format before processing it.
database security
a subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
advanced encryption standard (AES)
a symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES
twofish
a symmetric key block cipher, similar to Blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits.
initialization vector (IV)
a type of nonce used for randomizing an encryption scheme; a technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption.
server operating system (SOS)
a type of operating system that is designed to be installed and used on a server computer
SSL decryptors
a type of proxy used to examine encrypted traffic before it enters or leaves the network
load balancer
a type of switch or router that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.
block cipher
a type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers
Unified Extensible Firmware Interface (UEFI)/Basic Input Output System (BIOS)
a type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security. A firmware interface that initializes hardware for an operating system boot.
WiFi Direct/ad hoc
a type of wireless network where connected devices communicate directly with each other instead of over an established medium.
password complexity
a typical strong network password should be 12-16 characters. A longer password or passphrase might be used for mission-critical systems or devices where logon is infrequent. No single words—better to use word and number/punctuation combinations. Mix upper and lowercase (assuming the software uses case-sensitive passwords)
recovery
a user configured to restore encrypted data in the event that the original key is lost
capture system image
a very effective way of preserving evidence and data and verifying its integrity
virtual desktop infrastructure (VDI)
a virtualization implementation that separates the personal computing environment from a user's physical computer
application cells/containers
a virtualized environment that holds only the necessary operating system components (such as binary files and libraries) that are needed for a specific application to run. Also called a container. This not only reduces the necessary hard drive storage space and Random Access Memory (RAM) needed but also allows containers to start more quickly because the entire operating system does not have to be started.
backdoor
a way of bypassing normal authentication in a system
full device encryption
a way to ensure that data at rest remains secure even in the event of loss or theft
likelihood of occurrence
a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.
faraday cage
a wire mesh container that blocks external electromagnetic fields from entering into the container
ANT connection
a wireless sensor protocol that uses a part of the 2.4 GHz range that is reserved for industrial, scientific, and medical (ISM) use
privileged account
able to install and remove programs and drivers, change system-level settings, and access any object in the file system
rule-based access control
access is determined through system-enforced rules as the system checks the ACLs for that object
validation
act of confirming or verifying
injection attack
adding your own information into a data stream
role based access control (RBAC)
administrators provide access based on the role of the user and rights are gained implicitly instead of explicitly
recovery
after the incident has been contained, it's important to restore all your affected systems and services as soon as possible
quantitative risk assessment
aims to assign concrete values to each risk factor
crypto module
algorithms underpinning cryptography that are interpreted and packaged as a computer program or programming library.
Configuration compliance scanner
all of this is a lot of work and automation goes a long way. SCAP is the security content automation protocol. It's a protocol for managing information related to security configurations, and validating them in an automated way. There are tools to help with this, some that are SCAP compliant.
on-premise
all of your applications and all of the servers are going to be running in a data center. It's inside of a building and you have complete control over everything that happens with those systems.
differential
all selected files that have changed since the last full backup are backed up.
incremental
all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.
unified threat management (UTM)
all-in-one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and so on
alternate business practices
allow the information flow to resume to at least some extent
Enterprise
allows WLAN authentication to be integrated with the wired LAN authentication scheme
USB On The Go (OTG)
allows a port to function either as a host or as a device
encryption
allows a program to require a secret key for access to certain data
standard naming convention
allows better administrative control over network resources. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the directory information tree
remote access trojan (RAT)
allows the attacker to remotely access the PC, upload files, and install software on it
group-based access control
allows you to set permissions (or rights) for several users at the same time
system sprawl/undocumented assets
can also be the root of security issues; an overabundance of systems that are not being used; assets that are not being tracked, indicating poor loss prevention and poor inventory control
standalone AP
also referred to as thick access points, do not require a controller and are generally used in smaller environments.
site-to-site
always on, or almost always; a VPN that can be accessed automatically by users
access points
among the most common points of attack; measures should be taken to prevent unauthorized access by addressing weaknesses such as outdated firmware, default usernames and passwords, unlocked management interfaces, and more
certificate
an X.509 digital certificate is issued by a certificate authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization
security assertion markup language (SAML)
an XML-based data format used to exchange authentication information between a client and a service
fat AP
an access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller
social engineering
an activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.
domain hijacking
an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing
random/pseudo-random number generation
an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers
HMAC-based One-time Password (HOTP)
an algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message
terminal access controller access control system plus (TACACS+)
an alternative to RADIUS developed by Cisco. The version in current use is TACACS+; TACACS and XTACACS are legacy protocols
software token
an app, or other software that generates a token for authentication.
hardware security module (HSM)
an appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
nonce
an arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.
denial-of-service (DOS) attack
an attack from one attacker against one target
distributed denial-of-service (DDoS) attack
an attack from two or more attackers against one target
dictionary attack
an attack that attempts to discover a password from words in the dictionary
man-in-the-middle (MITM) attack
an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other by redirecting network traffic and inserting malware
extensible authentication protocol (EAP)
an authentication framework; a wireless authentication protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication
openID connect (OIDC)
an authentication layer that sits on top of the OAuth 2.0 authorization protocol.
context-aware authentication
an authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more.
shibboleth
an identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.
memory management
an important aspect of secure coding. Mistakes like freeing the memory associated with a pointer twice can open an application up to attack.
proper error handling
an important component of secure coding. Program crashes are an indicator of potentially exploitable code, so appropriate error handling helps protect applications both by ensuring correct functionality and revealing indicators of potential coding flaws.
Wi-Fi Protected Access (WPA)
an improved encryption scheme for protecting Wi-Fi communications, designed to replace WEP.
Wi-Fi Protected Access 2 (WPA2)
an improved version of WPA that does not support older network cards and offers both secure authentication and data encryption. It uses EAP for a variety of authentication methods—most often EAP-PSK.
Time-based One-time Password (TOTP)
an improvement on HOTP that forces one-time passwords to expire after a short period of time
steward/custodian
an individual who has been assigned or is responsible for the day-to-day proper storage, maintenance and protection of information
privacy officer
an individual who is responsible for overseeing the proper handling of PII
universal serial bus (USB) connection
an industry standard that establishes specifications for cables and connectors and protocols for connection, communication and power supply (interfacing) between computers, peripherals and other computers
standard operating procedures (SOPs)
an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs.
privacy threshold assessment (PTA)
an initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA must be performed. PTAs must be repeated every three years
Wi-Fi Protected Setup (WPS)
an insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN
protected distribution
an intruder could attach eavesdropping equipment to the cable; an intruder could cut the cable
substitution ciphers
an obfuscation technique where each unit of plaintext is kept in the same sequence when converted to ciphertext, but the actual value of the unit changes.
mobile operating system (MOS)
an operating system for mobile phones, tablets, smartwatches, 2-in-1 PCs (that can be converted to laptop mode or detached to work in tablet mode), smart speakers, or other mobile devices
Industry-Specific Framework
an organization can structure its IT departments to best serve the overall needs of the organization
clean desk
an organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.
documented incident
an outline that defines in detail what is and is not an incident that requires a response.
resource exhaustion
an overload of requests sent from an attacker to a resource, which can cause the system to slow down and prevent legitimate users from accessing it
rogue access point (AP)
an unauthorized wireless access point (WAP) installed in a computer network to capture traffic
lessons learned
analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident
alternate processing sites/recovery sites
another location that can provide the same (or similar) level of service
live boot media
another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk
policy violation
any act that bypasses or goes against an organizational security policy; be familiar with outcomes, such as retraining, reassignment, and termination. The severity of the outcome will be determined by the seriousness of the breach.
key exchange
any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
adware
any type of software or browser plug-in that displays commercial ads, offers, and deals
application blacklisting
anything not on the prohibited blacklist can run
security guards
armed or unarmed, can be placed in front of and around a location to protect it. They can monitor critical checkpoints and verify identification, allow or disallow access, and log physical entry events. They also provide a visual deterrent and can apply their own knowledge and intuition to potential security breaches. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is correspondingly expensive
discretionary access control (DAC)
as the owner, they control who has access and can modify access at any time
exercise
aspects of the incident response plan should regularly be tested in a simulated real-world environment
transfer/sharing
assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities)
user certificate
associates a certificate with a user, giving them a powerful electronic "ID card"
boot sector viruses
attack the disk boot sector information, the partition table, and sometimes the file system
secret algorithm
attempting to hide details of the cipher amounts to "security by obscurity"
brute force attack
attempts every possible combination in the key space in order to derive a plaintext password from a hash
rainbow table attack
attempts to discover the password of a hash using a table of pre-computed hashes; a refinement of the dictionary approach
permission issues
audits should be done to verify that personnel have correct access. Personnel shouldn't have too much access, just the appropriate amount
secure token
authentication mechanism that can identify and authenticate a user; tells servers (resources) what access rights the user possesses and can allow or deny access.
challenge handshake authentication protocol (CHAP)
authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks
biometric
authentication schemes based on individuals' physical characteristics.
principles of social engineering
authority, intimidation, consensus, scarcity, familiarity, trust & urgency
qualitative risk assessment
avoids the complexity of the quantitative approach and is focused on identifying significant risk factors.
Logs and events anomalies
be sure to check for any suspicious activity that appears in logs. Verify that logging is enabled to capture these events
agent
best for frequently disconnected machines or machines in the DMZ, based on pull technology
implicit deny
block any traffic that has not matched a rule. Typically the final default rule
counter mode (CTR)
block cipher mode that acts like a stream cipher and encrypts successive values of a "counter"
intent/motivation (attribute of actors)
boredom, raised awareness about a cause, greed, revenge, money
heating, ventilation, and air conditioning (HVAC)
building control systems that maintain optimum heating, cooling, and humidity levels in the working environment for different parts of the building.
band selection/width
can affect availability and performance.
displays
can be manipulated by sending it instructions coded into pixel values in a specially crafted web page
media gateway
can be provisioned as a dedicated appliance or as software running on a server
VM escape protection
can be reduced by using effective service design and network placement when deploying VMs
Wireless scanners/cracker
can be used to detect the presence of such networks and report the network name (SSID), the MAC address of the access point (BSSID), the frequency band (2.4 or 5 GHz) and radio channel used by the network, and the security mode
vulnerabilities due to lack of vendor support
can become an issue at several different levels. The most obvious scenario is when the original manufacturer of the item, be it hardware or software, no longer offers support.
misconfiguration/weak configuration
can cause a system to be taken down; a disabled network, stopped email communications or stopped network traffic
WiFi-enabled MicroSD cards
can connect to a host Wi-Fi network to transfer images stored on the card. Unfortunately, it is straightforward to replace the kernel on this type of device and install whatever software the hacker chooses
Protocol Analyzer
can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.
safe
can feature key-operated or combination locks but are more likely to come with electronic locking mechanisms. Safes can be rated to a particular cash value for the contents against various international grading schemes
improperly configured accounts
can have two different types of impact. On the one hand, setting privileges that are too restrictive creates a large volume of support calls and reduces productivity. On the other hand, granting too many privileges to users weakens the security of the system and increases the risk of things like malware infection and data breach
network operating system (NOS)
can host shared folders and files, enabling them to be copied or accessed over the local network or via remote access (over a VPN, for instance)
organized crime
can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution; a group of people who launch a cyber attack(s), except they function like a legitimate business
heap overflow
can overwrite stored variables of some sort in an area of memory allocated by the application during execution, with unexpected effects. An example is a known vulnerability in Microsoft's GDI+ processing of JPEG images
push notification services
can push a notification to all managed devices. Can be used for a large-scale update of software.
systems administrator
can share resources (folders, printers, and other resources) to make them available for network users
automated alerting and triggers
can take an amount of data comparable to a fire hose and shrink it down to the mere trickle that you are looking for. This data can then be run through rules that the system administrator creates, which then fire off notification alerts to the system administrator's email informing them of those events
level of sophistication (attributes of actors)
can vary depending on the number and skill level of individuals working together as an organized crime
resources/funding (attribute of actors)
can vary depending on the number and skill level of individuals working together as an organized crime
automated courses of action
can work to maintain or to restore services with minimal human intervention or even no intervention at all. For example, you might configure services that are primarily hosted on physical infrastructure to failover to cloud-based instances, or conversely, have a cloud-based system failover to a backup site with physical servers. You could also use automation to isolate a network segment if a computer worm outbreak is detected.
near field communications (NFC) attack
captures data from mobile devices that use near field communication (NFC)
integer overflow
causes the target software to calculate a value that exceeds these bounds. This may cause a positive number to become negative (changing a bank debit to a credit, for instance). It could also be used where the software is calculating a buffer size; if the attacker is able to make the buffer smaller than it should be, he or she may then be able to launch a buffer overflow attack
wildcard
certificates based on the name of the server
command line tools
ping, netstat, tracert, nslookup and dig, ipconfig/ifconfig, tcpdump, nmap, netcat or nc
perfect forward secrecy (PFS)
change the method of key exchange; a characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key
access violations
changed system files, missing system files, and other evidence of unusual file states and possible access violations on the system
media access control (MAC) spoofing attack
changes the Media Access Control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address
static code analyzers
check the logic of applications without actually running the code. This is a more difficult but less risky way of determining the functionality of code.
location selection
choosing the location for a processing facility or data center requires considering multiple factors
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
Cisco's proposal to address the shortcomings of LEAP
wireless mice
clickjacking issues
private cloud
cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations
compiled code
code that is converted from high-level programming language source code into lower-level code that can then be directly executed by the system.
capture video
collect and preserve digital video evidence for legal proceedings
hash-based message authentication code (HMAC)
combine a hash with a secret key; a method (described in RFC-2104) used to verify both the integrity and authenticity of a message by combining cryptographic hash functions, such as MD5 or SHA-1, with a secret key
Temporal Key Integrity Protocol (TKIP)
combines the secret root key with the IV and adds a sequence counter to prevent replay attacks; a mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard
macro viruses
common in Microsoft Office
wireless
computer network that uses wireless data connections between network nodes
appliance operating system (AOS)
computer with software or firmware that is specifically designed to provide a specific computing resource. Such devices became known as appliances because of the similarity in role or management to a home appliance, which are generally closed and sealed, and are not serviceable by the user or owner
infrared (IR) connection
computers equipped with an IR sensor could transfer files and other digital data over short-range wireless signals
wearable technology
computing devices that are worn on various parts of the body.
active-active
configurations consist of n nodes, all of which are processing concurrently
active-passive
configurations use a redundant node to failover
usage auditing and review
configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident
WiFi connection
connection via a universal wireless network standard that uses radio waves
cellular connection
connection via cell phone towers that provides high speed transmission
site-to-site
connects two or more local networks, each of which runs a VPN gateway (or router/VPN concentrator)
replay attack (cryptography attacks)
consists of intercepting a key or password hash then reusing it to gain access to a resource, such as the pass-the-hash attack. This type of attack is prevented by using once-only session tokens or timestamping sessions
controller-based AP
controller-based access points are also known as thin clients; they require a controller for centralized management (updates, configuration, etc.) and do not need to be manually configured
technical
controls implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and Intrusion Detection Systems
physical
controls such as alarms, gateways, and locks that deter access to premises and hardware are often classed separately
administrative/management
controls that determine the way people act, including policies, procedures, and guidance. For example, annual or regularly scheduled security scans and audits can check for compliance with security policies
physical
controls that restrict, detect, and monitor access to specific physical areas or assets through measures such as physical barriers, physical tokens, or biometric access controls.
lock types
conventional, deadbolt, electronic
consensus/social proof (principle)
convince based on what's normally expected; "your co-worker Jill did this for me last week"
administrative control/user training
could ensure that the media is not left unattended on a desk and is not inserted into a computer system without scanning it first
vulnerable business processes
could result in disclosure, modification, loss, destruction, or interruption of critical data or it could lead to loss of service to customers; aspects of a business that are vulnerable to security risks, such as the shopping cart of a company's website, a web server or a back-end database server
technical control/endpoint security
could scan the media for malware or block access automatically
nmap
created by Gordon Lyon in 1999 for network scanning and mapping. Check out their website, which is also clearly from the late 90s.
identification
creating an account or ID that identifies the user, device, or process on the network; the process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
account maintenance
creating an account, modifying account properties, disabling an account, changing an account's password, and so on
authentication issues
credential violations, what to do in the event of credential leaks, system breaches that result in the invalidation of all passwords, and steps to follow after an account impersonation incident
offline brute force attack
cryptographic attack where the attacker steals the password and then tries to decode it by systematically guessing possible keystroke combinations that match the encrypted password
online brute force attack
cryptographic attack where the attacker tries to enter a succession of passwords using the same interface as the target user application
layer 2
data link
private
data of a personal nature and intended only for internal use. Significant negative impact to the organization if disclosed
data sovereignty
data stored in a country is subject to the laws of that country
personally identifiable information (PII)
data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them)
weak cipher suites and implementations
data that it is storing and processing may not be secure. It may also allow a malicious attacker to masquerade as it, causing huge reputational damage; weak encryption technologies
attestation
declare something to be true
proxies
deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on (providing it conforms to the rules)
default configuration
default installation is (theoretically) secure but minimal. Any options or services must explicitly be enabled by the installer; a default username/password that is susceptible to being exploited by an attacker
agentless
designed for centralized, based on push technology
web application firewall
designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
infrared detection
detects moving heat sources
identification
determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders
SSL accelerators
device that speeds up the process of SSL handshake encryption. The SSL handshake requires some cryptographic overhead and a lot of CPU cycles, so the SSL process is offloaded to a hardware accelerator. Often integrated into a load balancer.
distance
dictate the need to ensure the recovery site is located far enough from the main data center so as not to be affected by a single incident
risk response techniques
different options available when dealing with risks.
parabolic
dish or grid
load balancer
distributes client requests across available server nodes in a farm or pool
stateless
does not keep track of traffic flows
compensating
does not prevent the attack but restores the function of the system through some other means, such as using data backup or an alternative site
secure baseline
each development environment should be built to the same specification, possibly using automated provisioning
baselining
each development environment should be built to the same specification, possibly using automated provisioning.
sandboxing
each development environment should be segmented from the others. No processes should be able to connect to anything outside the sandbox. Only the minimum tools and services necessary to perform code development and testing should be allowed in each sandbox
virtual IPs
each server node or instance needs its own IP address, but externally a load-balanced service is advertised using a Virtual IP (VIP) address (or addresses)
privileged user
employees with access to privileged data should be given extra training on data management and PII plus any relevant regulatory or compliance frameworks
correlation
enables SIEM to look for similarities, repeating occurrences, and patterns of the event data
protected extensible authentication protocol (PEAP)
encapsulates EAP in a TLS tunnel, one certificate on the server; similar to EAP-TLS, PEAP is an open standard developed by a coalition made up of Cisco Systems, Microsoft, and RSA Security
confusion
encrypted data is drastically different from the plaintext; makes the relationship between an encryption key and its ciphertext as complex and opaque as possible
weak/deprecated algorithms
encryption algorithms that have been cracked and are not considered secure. Avoid proprietary encryption algorithms and "security by obscurity". Avoid MD5, SHA-0, SHA-1 and DES. WEP and WPA are considered weak ciphers.
full disk encryption (FDE/SED)
encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.
symmetric algorithm
encryption schemes that use a shared cryptographic key for both encryption and decryption of data
galois/counter mode (GCM)
encryption with authentication; an encryption mode of operation that adds authentication to the standard encryption services of a cipher mode
virtual private network (VPN) concentrator
encryption/decryption access device for private data traversing a public network; sometimes called a VPN-enabled router
lighting
enormously important in contributing to the perception that a building is safe and secure at night. Well-designed lighting helps to make people feel safe, especially in public areas or enclosed spaces, such as parking garages. Security lighting also acts as a deterrent by making intrusion more difficult and surveillance (whether by camera or guard) easier
continuing education
ensure that the participants do not treat a single training course or certificate as a sort of final accomplishment. Skills and knowledge must be continually updated to cope with changes to technology and regulatory practices
tailgating
entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint
cloud access security broker (CASB)
enterprise management software designed to mediate access to cloud services by users across all types of devices
improper error handling
errors that give users information that is too detailed and is not logged
penetration testing/ethical hacking
essentially involves thinking like an attacker and trying to penetrate the target's security systems; exploits vulnerabilities
subject alternative name (SAN)
extension to an X.509 certificate; the subdomains are listed as extensions. If a new subdomain is added, a new certificate must be issued
social media
be familiar with company acceptable usage policies, how to prevent access to such social media sites via firewalls and filters on the network, as well as group policy implementations to restrict such access
shimming
filling in the space between two objects
network-based
filters traffic by port number; can encrypt traffic into/out of the network; can proxy traffic; most firewalls can be layer 3 devices (routers); firewalls that are better suited for placement at network or segment borders
misconfigured devices
firewalls, content filter, and access points
jailbreaking
iOS is more restrictive than Android so the term "jailbreaking" became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface
patch management
identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.
reputation
if a business damages its reputation, this might hurt it in the future
lockout
if an incorrect passcode is entered, the device locks for a set period. This could be configured to escalate (so the first incorrect attempt locks the device for 30 seconds while the third locks it for 10 minutes, for instance). This deters attempts to guess the passcode
low latency
if cryptography is deployed with a real-time-sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal
hot and cold aisles
if multiple racks are used, install equipment so that servers are placed back-to-back not front-to-back, so that the warm exhaust from one bank of servers is not forming the air intake for another bank
Data sanitization tools
if you need to get rid of data, there are special data sanitization tools to help. These allow you to "destroy, purge or otherwise identify for destruction" data on systems. Probably pretty useful for government and other highly regulated industries.
offline certificate authority
in PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.
online certificate authority
in PKI, a CA that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks
trust model
in PKI, a description of how users and different CAs exchange information and certificates.
key management
in cryptography, the process of administering cryptographic keys, often performed by a CA, and including the management of usage, storage, expiration, renewal, revocation, recovery, and escrow. In physical security, a scheme for identifying who has copies of a physical key or key card.
adverse actions
in disciplining or firing an employee, the employer is discriminating against them in some way
weak security configurations
include replacing old hardware with compliant versions that have better security features, firmware updates, and configuration updates and updating network configurations to prevent unauthorized access
something you do
indicating action, such as gestures on a touch screen.
strategic intelligence/counterintelligence gathering
information about the changing nature of certain problems and threats for the purpose of developing response strategies and reallocating resources
protected health information (PHI)
information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results
open-source intelligence
information that is available via websites and social media
data-in-use
information that is currently being created, deleted, read from, or written to
data-at-rest
information that is primarily stored on specific media, rather than moving from one medium to another
data-in-transit
information that primarily moves from medium to medium, such as over a private network or the Internet.
improper input handling
input that allows attacks, such as buffer overflow and injection attacks
type 1 hypervisor/bare metal
installed directly onto the computer and manages access to the host hardware without going through a host OS
active tools
interact in a way that can be detected. One passive example is using Wireshark to examine traffic after the fact. An active example is port scanning using Nmap.
proper input validation
involves confirming that user input is of a type and in a format expected by the program and, if not, handling the error appropriately.
model verification
involves testing or proving that an application actually functions in the way that the model says that it should
Electromagnetic Pulse (EMP)
is a very powerful but short duration wave with the potential to destroy any type of electronic equipment
honeynets
is an entire decoy network
dead code
is executed but has no effect on the program flow. For example, there may be code to perform a calculation, but the result is never stored as a variable or used to evaluate a condition
type II hypervisor/guest OS (host-based)
is itself installed onto a host operating system
System on Chip (SoC)
is one where most of the activities for that particular system take place within an embedded system
shared/generic account
is one where passwords (or other authentication credentials) are known to more than one person
workstation operating system (WOS)
is primarily designed to run applications. Those applications can be a text processor, a spreadsheet application, presentation software, video or audio editors, games, etc.
Electromagnetic Interference (EMI)
is the effect unwanted electromagnetic energy has on electronic equipment
kiosk operating system (KOS)
is the system and user interface software designed for an interactive kiosk or Internet kiosk enclosing the system in a way that prevents user interaction and activities on the device outside the scope of execution of the software.
hardware root of trust/trust anchor
is used to scan the boot metrics and OS files to verify their signatures, then it signs the report and allows the NAC server to trust it
server-side
it can be time-consuming, as it may involve multiple transactions between the server and client
program viruses
it's part of the application
personal email
items such as malware and email viruses; blocking access is one such common solution, and could come up in the exam as a way to troubleshoot and prevent such access from occurring.
round-robin
just means picking the next node
wireless keyboards
keylogging issues
private key
known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely.
key strength
larger keys tend to be more secure and can prevent brute-force attacks; the resiliency of a key to resist attacks
Regulatory Framework
laws and regulations that set out the legal requirements of individual businesses/organisations in terms of limits to their pollution and activities, and the consequences imposed if those limits are exceeded; government establishes agencies responsible for monitoring and enforcing these regulations (context of use: DPI, EPA, usually when a problem has already arisen)
non-disclosure agreement (NDA)
legal basis for protecting information assets; used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences
time-of-day restrictions
limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion
containment, eradication, and recovery
limiting the scope and impact of the incident. The typical response is to "pull the plug" on the affected system, but this is not always appropriate. Once the incident is contained, the cause can then be removed and the system brought back to a secure state
out-of-band
link that offers better security
facial recognition
looks for unique measurements in an individual's face
life
loss of life or injury to others
stateful
maintaining information about the session established between two hosts (including malicious attempts to start a bogus session); remember the "state" of the session; everything within a valid flow is allowed
preservation
maintenance of a resource in its present condition, with as little human impact as possible.
supporting non-repudiation
make sure the signature isn't fake; confirm the authenticity of data. A digital signature provides both integrity and non-repudiation.
preparation
making the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and establishing confidential lines of communication. It also implies creating a formal incident response plan
viruses
malware that can reproduce itself; it does not need you to click on anything, but it does need you to execute a program
worm
malware that self-replicates and doesn't need user input
spyware
malware that spies on you through advertising, identity theft, and affiliate fraud
improper certificate and key management
manage your keys and certificates; this needs to be well planned, with important decisions that can't be made on the fly: • What will be the organization's certificate authority? • How will the CA content be protected? • How will intermediate CAs be created and managed? • Who will validate and sign the organization's certificates? • What is the validation process? • And many more
memory/buffer vulnerability
manipulating memory can be advantageous and relatively difficult to accomplish
digital cameras
may be equipped with Wi-Fi and cellular data adapters to allow connection to the Internet and posting of images directly to social media sites
National Framework
may be used to demonstrate compliance with a country's legal regulatory compliance requirements or with industry-specific regulations
deterrent
may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion; examples are cameras
radio frequency identification (RFID) attack
means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else; a sniffing, replay or DoS attack on a radio-frequency identification system (RFID) system
social engineering (hacking the human)
means of getting users to reveal confidential information
virtual desktop infrastructure (VDI)
means provisioning a workstation OS instance to interchangeable hardware
baseline deviation
means testing the actual configuration of clients and servers to ensure that they are patched and that their configuration settings match the baseline template
application whitelisting
means that nothing can run if it is not on the approved whitelist
disablement
means that the account will no longer be an active account and that the user keys for that account are retained which would not be the case if the account was deleted from the system
always-on VPN
means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate. Microsoft has an Always On VPN solution for Windows Server 2016 and Windows 10 clients (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) and an OpenVPN client can be configured to autoconnect (https://openvpn.net/vpn-server-resources/setting-your-client-to-automatically-connect-to-your-vpn-when-your-computer-starts).
remote access
means that the user's device does not make a direct cabled or wireless connection to the network
remote access use case
means that the user's device does not make a direct cabled or wireless connection to the network
Email and web use case
media gateway servers must connect to untrusted networks
personal identity verification card (PIV)
meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card's owner.
refactoring
rewriting code so that it behaves the same way but has a different form; metamorphic malware refactors itself so that each downloaded copy is a different program and signature-based detection fails
competitors
might be facilitated by employees who have recently changed companies and bring an element of insider knowledge with them
standard users
might require training on product- or sector-specific issues
continuous monitoring
might use a locally installed agent or heartbeat protocol or may involve checking availability remotely
typosquatting attack
registering misspelled versions of a popular domain; this can be profitable depending on the frequency with which users enter the misspelled name (for example, visiting amazoon.com or amazun.com instead of amazon.com), and the look-alike site can harvest credentials or serve malware
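An added example, not part of the original notes: the variant generator below enumerates the single-keystroke typos (omission, repetition, transposition, substitution) of a brand domain and then checks a constructed list of domains seen in DNS or proxy logs against them. The brand name, the log lines and the function names are assumptions for illustration; the multi-part TLD handling (e.g. .co.uk) is deliberately simple.

```python
import string

# Constructed sample of domains observed in DNS/proxy logs (not real data).
OBSERVED = ["amazon.com", "amazun.com", "login.microsoft.com", "amazoon.com"]


def typo_variants(domain: str) -> set:
    """Return common single-keystroke typos of the registrable label of a domain.

    Only the label before the last dot is mutated, so 'example.co.uk' would
    treat 'example.co' as the name; good enough for a monitoring list.
    """
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])            # omission:     amzon
        variants.add(name[:i] + name[i] + name[i:])      # repetition:   amazoon
        for c in string.ascii_lowercase:
            if c != name[i]:
                variants.add(name[:i] + c + name[i + 1:])  # substitution: amazun
    for i in range(len(name) - 1):
        # transposition of adjacent characters: amzaon
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    variants.discard(name)                               # never flag the real domain
    return {v + "." + tld for v in variants if v}


def find_lookalikes(observed_domains, brand_domains) -> dict:
    """Map each brand domain to the observed domains that are typo variants of it."""
    hits = {}
    for brand in brand_domains:
        variants = typo_variants(brand)
        for d in observed_domains:
            if d.lower() in variants:
                hits.setdefault(brand, []).append(d)
    return hits


if __name__ == "__main__":
    print(find_lookalikes(OBSERVED, ["amazon.com"]))
```

Register the highest-risk variants yourself or feed the list to a domain-monitoring service; the same generator can be run against newly registered domain feeds to catch squatters early.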
Bring Your Own Device (BYOD)
mobile deployment model that describes how employees can use their own personal mobile devices to get work done, if they so choose
supporting obfuscation
modern malware tries to hide itself. Encrypted data hides the active malware code. Decryption occurs during execution.
rootkit
modifies core system files as part of the kernel; represents a class of backdoor malware that is harder to detect and remove
host-based intrusion detection system (HIDS)
monitors a computer system for unexpected behavior or drastic changes to the system's state
choose your own device (CYOD)
much the same as COPE but the employee is given a choice of device from a list
machine/computer certificate
a certificate issued to a device (server, PC, smartphone, or tablet) rather than to a user, identifying the machine itself regardless of its function
elliptic curve
an asymmetric encryption technique that leverages the algebraic structure of elliptic curves over finite fields; it achieves security comparable to RSA (which relies on large integers composed of two large prime factors) with much smaller key sizes
permission auditing and review
needs to be put in place so that privileges are reviewed regularly
password authentication protocol (PAP)
obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping
fencing/gate/cage
needs to be transparent (so that guards can see any attempt to penetrate it), robust (so that it is difficult to cut), and secure against climbing (which is generally achieved by making it tall and possibly by using razor wire). Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance
cyber-incident response teams
needs to have a very specific set of skills to combat each incident deftly
layer 3
network layer
Open
no authentication password is required; the client is not required to authenticate. This mode would be used on a public AP (or "hotspot")
accept/retention
no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed
dynamic link library (DLL) injection
not a vulnerability of an application but of the way the operating system allows one process to attach to another; To perform DLL injection, the malware must already be operating with sufficient privileges (typically, local administrator or system privileges). It must also evade detection by anti-virus software. One means of doing this is code refactoring.
disassociation attack
an attack that removes a wireless client from a wireless network by spoofing the client's MAC address and sending a disassociation frame to the access point; the client is not completely disconnected (it remains authenticated) but cannot communicate on the network until it reassociates
passive reconnaissance
not likely to alert the target of the investigation, as it means querying publicly available information (open-source intelligence) rather than sending traffic to the target; vulnerability scanning, by contrast, is active reconnaissance
replay attack (application/service attacks)
occur when an attacker captures some communication between two parties, and then re-transmits it later. This might get them authenticated, or repeat a transaction
race conditions
occur when the outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer; the condition in which two or more applications attempt to access a resource at the same time
external threat
occurs when an individual or a group outside the organization seeks to gain protected information, for example by infiltrating the network or taking over the profile of a trusted user
DNS poisoning attack/pollution attack
occurs when an attacker corrupts the records held by a DNS server or a client's DNS cache so that a name resolves to an attacker-controlled address
service account
often used by scheduled processes, such as maintenance tasks, or may be used by application software, such as databases, for account or system access
Realtime Operating System (RTOS)
often used for time-sensitive embedded controllers, of the sort required for the modulation and frequency shifts that underpin radio-based connectivity
resource vs security constraints
on-going battle. Browser support vs. supported encryption. Make sure browser supports encryption type. VPN software support vs. supported algorithms. Make sure VPN concentrator can support the clients being installed on workstations.
watering hole attack
the attacker compromises a website that the target group is known to visit and plants malware there; when a visitor from the target group browses the infected site, the visitor's computer is infected
reverse proxy
a proxy placed at the network edge facing the Internet; anyone who needs to gain access to an internal service such as a web server first connects to the proxy, which forwards the request on the server's behalf
cross-site request forgery (XSRF) attack
also called a one-click attack or session riding; exploits the fact that the browser automatically attaches session cookies to requests, so a malicious page can make a logged-in user's browser issue a state-changing request the user did not intend
script viruses
operating system and browser-based
asymmetric algorithm
operations are performed by two different but related public and private keys in a key pair
Steganography Tools
or "stego" for short; the science of hiding messages inside other content (such as image or audio files) so that the existence of the message is concealed. Frequently found in CTFs; the book says nothing further about it, so just be aware of the term
Rogue System Detection
organizations will also use topology discovery as an auditing technique to build an asset database and identify non-authorized hosts or network configuration errors
international Framework
frameworks adopted across national boundaries (ISO 27001, for example); some are legally mandated in particular jurisdictions or sectors, others simply mandate "best practice"
exclusive OR (XOR)
outputs true when inputs differ; an operation that outputs to true only if one input is true and the other input is false
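An added example, not from the original notes, showing why XOR matters to both the "exclusive OR" entry and the "supporting obfuscation" entry above: XOR with the same keystream undoes itself, which is why packers and one-time pads use it, and reusing one keystream for two messages leaks their XOR without the key. The key and plaintexts are constructed for illustration.

```python
def xor_truth_table() -> dict:
    """All four XOR cases: the output is 1 only when the inputs differ."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the classic malware 'packer' transform).
    Applying it twice with the same key returns the original data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_pair(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings position by position."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream reuse: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2, so knowing p1 reveals p2."""
    return xor_pair(xor_pair(c1, c2), known_p1)


if __name__ == "__main__":
    key = b"\x5a\xa5\x0f"                      # constructed toy key
    p1, p2 = b"attack at dawn!", b"retreat at noon"
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)
    print(xor_bytes(c1, key))                  # decrypts back to p1
    print(recover_with_crib(c1, c2, p1))       # attacker recovers p2 without key
```

Encrypted payloads that decrypt themselves at run time (the "supporting obfuscation" entry) are often just `xor_bytes` with a short key, which is why memory scanners and emulators, not static signatures, catch them.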
buffer overflow attack (compare and contrast types of attacks)
overwriting a buffer of memory that spills over into other memory areas
domain validation
owner of the certificate has some control over a DNS domain
camera systems (CCTV)
part of a physical security system
passive tools
passive tools do not interact with the system in a way that allows detection
penetration testing vs. vulnerability scanning
penetration testing exploits vulnerabilities, while vulnerability scanning just scans for vulnerabilities
take hashes
performed before and after the creation of a forensic image
authentication header (AH)
performs a cryptographic hash on the packet plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality and is consequently not often used.
Network Mapping
performs host discovery and identifies how the hosts are connected together on the network
penetration testing authorization
permission to perform a penetration test
vulnerability testing authorization
permission to perform a vulnerability test.
spear phishing
phishing aimed at a specific person or organization, using inside information to make the attack more believable; when the target is a high-profile individual such as a CEO it is called whaling
something you are
physical characteristic (fingerprint, face, eye, palm)
preventive
physically or logically restricts unauthorized access
something you know
piece of knowledge (password, PIN)
Backup Utilities
pretty self-explanatory, but at scale, backups become an issue. If you have an entire enterprise to worry about, there are hundreds or thousands of servers and workstations. Each of those need to be backed up on an automated schedule. And, the data needs to be segregated, managed, etc. at scale.
data execution prevention (DEP)
prevent areas in memory marked for data storage from executing code (running a new program)
host-based Intrusion Prevention System (HIPS)
prevent system files from being modified or deleted, prevent services from being stopped, log off unauthorized users, and filter network traffic
content filters
prevent viruses or Trojans infecting computers from the Internet, block spam, and restrict web use to authorized sites; understand basic payload structures and basic encoding formats, such as ASCII, Hex and Unicode, as well as processed results when dealing with content filters
port security
preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.
screen filters
prevents anyone but the user from reading the screen (shoulder surfing)
conventional lock
prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking
canonical encoding rules (CER)
.cer is primarily a Windows file extension for an X.509 certificate (containing either binary DER or Base64 PEM data); the Canonical Encoding Rules themselves are a restricted variant of ASN.1 encoding
Passwords and PINs
private phrases or words that give a particular user a unique access to a particular program or network
active logging
proactively logging activity (including attempted and successful logons) so that evidence is available before an incident is suspected
encryption
process of converting readable data into unreadable characters to prevent unauthorized access.
rules
processes traffic according to access control list rules; traffic that does not conform to a rule that allows it access is blocked.
pointer dereference
a programming operation that reads or writes the memory a pointer refers to; dereferencing a null or invalid pointer fails and can corrupt memory, crash the application (denial of service), or expose debug information
redundancy/fault tolerance
protection against system failure by providing extra capacity
supporting integrity
prove the message was not changed. prevent modification of data. Validate the contents with hashes. File download, password storage, etc.
supporting authentication
prove the source of the message. Cryptography also protects stored credentials: hash the password rather than storing the original, and add a salt to randomize each stored hash so that identical passwords do not produce identical hashes
network traffic and logs
provide empirical evidence if the forensic analysts properly collect and preserve them
captive portals
provides a way to authenticate to a network or at least have you agree to certain terms and conditions
common access card (CAC)
provides certificate-based authentication and supports two-factor authentication
HyperText Transfer Protocol Secure (HTTPS)
provides for encrypted transfers, using SSL/TLS and port 443
diffie-hellman ephemeral mode (DHE)
provides for secure key exchange by using ephemeral keys
elliptic curve diffie-hellman ephemeral
provides for secure key exchange by using ephemeral keys and elliptic curve cryptography
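An added example for the DHE and ECDHE entries, not from the original notes: a toy finite-field Diffie-Hellman exchange in which each side generates a fresh (ephemeral) key pair per session, so a later key compromise does not expose earlier sessions. The group parameters are constructed for illustration (the Mersenne prime 2**127 - 1 with generator 3); real deployments use standardized 2048-bit or larger MODP groups or elliptic curves such as X25519.

```python
import hashlib
import secrets

# Toy group (assumption for illustration only): small enough to read, far too small to use.
P = 2**127 - 1
G = 3


def generate_keypair(p: int = P, g: int = G):
    """Fresh private exponent in [1, p-2] and the matching public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared_secret(my_priv: int, their_pub: int, p: int = P) -> int:
    """Both sides compute the same value: (g^b)^a == (g^a)^b mod p."""
    return pow(their_pub, my_priv, p)


def session_key(my_priv: int, their_pub: int, p: int = P) -> bytes:
    """Derive a symmetric key from the DH secret; never use the raw secret directly."""
    s = shared_secret(my_priv, their_pub, p)
    return hashlib.sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def dhe_session():
    """One ephemeral session: new key pairs on both sides, public values exchanged,
    each side derives the session key. Returns (alice_key, bob_key)."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)


def keys_match() -> bool:
    a, b = dhe_session()
    return a == b


def sessions_differ() -> bool:
    """Ephemeral keys: two sessions never share a key, which is what forward secrecy needs."""
    return dhe_session()[0] != dhe_session()[0]


if __name__ == "__main__":
    print(keys_match(), sessions_differ())
```

With static (non-ephemeral) DH the same private exponent is reused across sessions, so one leaked key unlocks every recorded session; ECDHE follows the same pattern on an elliptic-curve group with far shorter keys.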
address resolution protocol (arp)
the protocol that maps IP addresses to MAC addresses on a local network; the arp command queries or manipulates a device's ARP table, and forged ARP replies (ARP poisoning) let an attacker redirect local traffic
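An added example, not from the original notes, serving both the "Rogue System Detection" entry above and this ARP entry: it parses constructed `arp -a` output (Windows and Linux formats), flags unicast MAC addresses missing from an asset inventory, and reports critical hosts such as the gateway that appear with a MAC other than the recorded one (an ARP poisoning indicator). The sample output, inventory and hostnames are constructed.

```python
import re

# IP address followed by a MAC in either aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff form.
ARP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)

# Constructed Windows 'arp -a' output.
WINDOWS_SAMPLE = """Interface: 10.0.0.15 --- 0x6
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.20             aa-bb-cc-dd-ee-01     dynamic
  10.0.0.99             de-ad-be-ef-00-01     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed Linux 'arp -a' output captured while the gateway is being spoofed.
LINUX_SAMPLE = """? (10.0.0.1) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.0.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
"""

# Constructed asset inventory (MAC -> hostname) and known MACs for critical hosts.
INVENTORY = {"00:11:22:33:44:55": "gw01", "aa:bb:cc:dd:ee:01": "ws01"}
CRITICAL = {"10.0.0.1": "00:11:22:33:44:55"}


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp(output: str) -> dict:
    """Return {ip: mac} from arp -a output in either OS format."""
    table = {}
    for line in output.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def is_unicast(mac: str) -> bool:
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 0


def find_rogue_hosts(table: dict, inventory: dict) -> list:
    """IPs whose unicast MAC is not in the asset inventory."""
    return sorted(ip for ip, mac in table.items()
                  if is_unicast(mac) and mac not in inventory)


def find_arp_anomalies(table: dict, critical: dict) -> dict:
    """Critical hosts seen with an unexpected MAC: {ip: (expected, observed)}."""
    return {ip: (critical[ip], mac) for ip, mac in table.items()
            if ip in critical and mac != critical[ip]}


if __name__ == "__main__":
    t = parse_arp(WINDOWS_SAMPLE)
    print(find_rogue_hosts(t, INVENTORY), find_arp_anomalies(t, CRITICAL))
```

Run it against ARP tables gathered from several hosts, not just one; a poisoned entry often appears only on the victims of the spoof.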
electronic lock
rather than a key, the lock is operated by entering a PIN on an electronic keypad. This type of lock is also referred to as cipher, combination, or keyless
shredding
reducing the size of objects to render them useless. These objects can be sheets of paper, CDs and DVDs. Cross-cut and micro-shredders are preferable to strip shredding, as they make the shredded pieces smaller and therefore even harder to use
distributive allocation
refers to the ability to switch between available processing and data resources to meet service requests. This is typically achieved using load balancing services during normal operations or automated failover during a disaster.
modes of operation
refers to the way a cryptographic product processes multiple blocks
bluesnarfing
refers to using an exploit in Bluetooth to steal information from someone else's phone
password history
remembers past passwords and prevents users from reusing passwords
wiping
removing data from a data storage device. Wiping is a synonym for sanitization or purging. Every sanitization technique produces some form of data wiping; what differs is the thoroughness/quality of the result
printers/multifunction devices (MFD)
represent a powerful pivot point on an enterprise network
untrained users
represent a serious vulnerability because they are susceptible to social engineering and malware attacks and may be careless when handling sensitive or confidential data
medical devices
represent an array of systems potentially vulnerable to a wide range of attacks. It is important to recognize that use of these devices is not confined to hospitals and clinics but includes portable devices such as cardiac monitors/ defibrillators and insulin pumps
executive user
require training on compliance and regulatory issues and may need a good understanding of technical controls, secure system architecture and design, and secure supply chain management depending on the business function they represent
disable default accounts/passwords
required to harden the OS of a workstation PC
corrective
responds to and fixes an incident and may also prevent its reoccurrence
roles and responsibilities
ensuring that the incident response plan names the right people and that each of them knows exactly what their role and responsibility are within it
evil twin attack
rogue access point disguising as a legitimate one
antenna types and placement
omnidirectional (rubber ducky) versus directional (Yagi, parabolic) antennas; placement determines how far the signal reaches inside the building and how much leaks outside it
application-based
run as software on any type of computing host
identify lack of security controls
scan for lack of up-to-date patches or lack of a running antivirus software
identify vulnerability
scan for vulnerabilities without interrupting normal operations, then determine which ones to mitigate. The scanner does not look for everything: its signatures are the key, and the vulnerabilities it reports can be cross-referenced online (almost all scanners give you a reference, such as the National Vulnerability Database at http://nvd.nist.gov/ or Microsoft Security Bulletins). Some vulnerabilities cannot be definitively identified by a scanner; you will have to check manually whether a system is vulnerable, but the scanner gives you a heads-up
retinal scanner
scan patterns of blood vessels in the back of the retina
acceptable use policy (AUP)/fair use policy/rules of behavior
sets out what someone is allowed to use a particular service or resource for
driver manipulation
shimming and refactoring
credential management
should instruct users on how to keep their authentication method secure (whether this be a password, smart card, or biometric ID). The credential management policy also needs to alert users to different types of social engineering attacks
personal email
should never be used to conduct official company business. Should only be access at work if the company permits. Acceptable use policies should explicitly state what is permissible.
screenshots
the investigator should not trust the software on the suspect's machine, so it is unwise to use its native screen-capture tool for taking screenshots; use a separate camera or a trusted tool instead
netstat
shows network connections to/from a system.
template
similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions
intermediate certificate authority (CA)/hierarchical
a single root CA issues certificates to intermediate CAs, which in turn issue certificates to subjects (leaf or end entities); this lets the root's private key be kept offline and limits the damage if an intermediate is compromised
scarcity (principle)
situation will not be this way for long; must make the change before time expires
proximity cards
small credit card-sized cards that activate when they are in close proximity to a card reader. They are often used by authorized personnel to open doors.
passively test security controls
sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities; identifies vulnerabilities without exploiting them
general security policies
social media networks/applications, personal email
antivirus
software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.
Vulnerability scanner
software configured with a list of known weaknesses and exploits and can scan for their presence in a host OS or particular application.
web application firewall (WAF)
software designed to protect a particular application only by inspecting its application-layer traffic (a web server firewall, for instance, or a firewall designed to protect an SQL Server® database). It may run on the host as a type of host-based firewall or be deployed as a network appliance or cloud service, and would typically be used in addition to a network firewall
remote wipe
software that allows deletion of data and settings on a mobile device to be initiated from a remote server.
trojan
software that pretends to be something else (a useful program) so that the user installs it, giving the attacker access to or control over the computer
Password cracker
software used to determine a password, often through brute force or dictionary searches.
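An added example, not from the original notes, covering this entry together with the "supporting authentication" entry above: a dictionary attack against unsalted SHA-256 hashes, where one precomputed table cracks every account, next to the same attack against salted PBKDF2 hashes, where each account must be attacked separately and each guess costs thousands of iterations. The wordlist, iteration counts and salts are constructed.

```python
import hashlib
import hmac
from typing import Optional

WORDLIST = ["123456", "password", "letmein", "dragon", "Winter2024"]  # constructed


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare fast hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The stored form: PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_salted(password, salt, iterations), stored)


def crack_unsalted(target_hex: str, wordlist) -> Optional[str]:
    """One table, computed once, serves every leaked hash (the rainbow-table situation)."""
    table = {hash_unsalted(w): w for w in wordlist}
    return table.get(target_hex)


def crack_salted(target: bytes, salt: bytes, wordlist, iterations: int = 100_000) -> Optional[str]:
    """No reusable table: every guess must be rehashed with this user's salt."""
    for w in wordlist:
        if hmac.compare_digest(hash_salted(w, salt, iterations), target):
            return w
    return None


if __name__ == "__main__":
    print(crack_unsalted(hash_unsalted("dragon"), WORDLIST))            # dragon
    salt = b"\x01" * 16                                                 # constructed
    print(crack_salted(hash_salted("dragon", salt, 1000), salt, WORDLIST, 1000))
```

Salting does not stop a dictionary attack on a weak password; it removes the economy of scale and, with a high iteration count, multiplies the cost of every guess.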
network operating system (NOS) firewall
software-based firewall running under a network server OS, such as Windows® or Linux®. The server would function as a gateway or proxy for a network segment
external media
some Android and Windows devices support removable storage; such as a plug-in Micro SecureDigital (SD) card slot; some may support the connection of USB-based storage devices
event deduplication
some errors may cause hundreds or thousands of identical error messages to spawn, temporarily blinding the reporting mechanisms of the SIEM system. This type of event storm is identified as a single event.
low power devices
some technologies require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially those that work on battery power. Another example is a contactless smart card, where the card only receives power from the reader and has fairly limited storage capacity, which might affect the maximum key size supported
key escrow
someone else holds your decryption keys; in key management, the storage of a backup key with a third party.
script kiddies
someone that uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks
trust (principle)
someone who is safe; "I'm from IT, and I'm here to help"
familiarity/liking (principle)
someone you know; "we have common friends"
false positive
something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not.
false negative
something that is identified by a scanner or other assessment tool as not being a vulnerability, when in fact it is.
barricades/bollards
something that prevents access. As with any security system, no barricade is completely effective; a wall may be climbed or a lock may be picked, for instance. The purpose of barricades is to channel people through defined entry and exit points
multifactor authentication (MFA)
something you are, something you have, something you know, somewhere you are, something you do
runtime code
source code that is interpreted by an intermediary runtime environment that runs the code, rather than the system executing the code directly.
password length
specifies the minimum number of characters in the password
tabletop exercises
staff "ghost" the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything
shoulder surfing
stealing a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target—they could use high-powered binoculars or CCTV to directly observe the target remotely
avoid
stop doing the activity that is risk-bearing
off-site backups
stored in a location separate from the computer or mobile device site
EAP Transport Layer Security (EAP-TLS)
strong security, wide adoption; requires a client-side certificate for authentication using SSL/ TLS
social media networks
such as Twitter, LinkedIn®, and Facebook
external storage devices
such as USB flash drives (and any other device whose firmware can be reprogrammed) present adversaries with an incredible toolkit for introducing malware or exfiltrating data
removable media control
such as flash memory cards, USB-attached flash and hard disk storage, and optical discs
payment methods
such as wire transfer, bitcoin, or premium rate phone lines
EAP Tunneled Transport Layer Security (EAP-TTLS)
supports other authentication protocols in a TLS tunnel; enables a client and server to establish a secure connection without mandating a client-side certificate
vulnerabilities due to embedded systems
systems that are included within other systems. This term can apply to a stand-alone, single-purpose system designed to provide specific functionality to an overall system; out-of-date security patches; deployments with default configurations
immutable systems
systems that are replaced rather than changed. For example, rather than updating a server, the entire server would be replaced.
heating, ventilation, and air conditioning (HVAC)
systems that provide and regulate heating and cooling
fire suppression
systems work on the basis of the Fire Triangle. The Fire Triangle works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn
content management
tags corporate or confidential data and prevents it from being shared or copied to unauthorized media or channels, such as non-corporate email systems or cloud storage services
asset management
takes inventory of and tracks all the organization's critical systems, components, devices, and other objects of value
home automation
technology makes heating, lighting, alarms, and appliances all controllable through a computer and network interface
host-based firewall/personal firewall
tend to be program-or process-based; implemented as a software application running on a single host designed to protect that host only
least functionality
that a system should run only the protocols and services required by legitimate users and no more
dynamic analysis
that the application is tested under "real world" conditions using a staging environment
application proxy
that the proxy itself understands the way applications operate so that it's able to take a request for an application and proxy that request on the user's behalf
transport mode
the IP header for each packet is not encrypted, just the data (or payload). This mode would be used to secure communications on a private network (an end-to-end implementation).
message digest 5 (MD5)
the Message Digest Algorithm was designed in 1990 by Ronald Rivest, one of the "fathers" of modern cryptography. The most widely used version is MD5, released in 1991, which produces a 128-bit hash value. It appears in IPSec policies for data authentication, but practical collisions have been demonstrated and it should not be used where collision resistance matters
file integrity check
the OS package manager checks the signature or fingerprint of each executable file and notifies the user if there is a problem
high resiliency
the ability of a system to recover quickly from failures or attacks and keep providing service, typically achieved through redundancy, automated failover, and rapid rebuilding from known-good templates
collision
two different inputs producing the same hash digest; a secure hash function makes finding such a pair computationally infeasible
amplification attack/ Distributed Reflection DoS (DRDoS) attack
the adversary spoofs the victim's IP address and sends requests to multiple servers, which direct their responses to the victim; in the TCP variant the reflected SYN/ACK responses rapidly consume the victim's bandwidth, making it a more powerful form of SYN flood. Most amplification attacks instead use UDP services such as DNS or NTP, where a small spoofed request elicits a much larger response
signal strength
the amount of power used by the radio in an access point or station.
single loss expectancy (SLE)
the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost
annual loss expectancy (ALE)
the amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO)
known ciphertext (ciphertext-only) attack
the analyst has obtained the ciphertext but has no additional information about it. The attacker may use statistical methods such as frequency analysis to try to break the encryption
IP Spoofing attack
the attacker changes the source and/or destination address recorded in the IP packet
known plain text attack
the attacker knows or can guess some plaintext presented in a ciphertext, but not its exact location or context. This can greatly assist with analysis
buffer overflow (impact associated with types of vulnerabilities)
the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data
mean time to repair/replace/recover
the average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure
architecture/design weaknesses
the best security system fails if you don't have locks on the doors; the network doors aren't always visible; examine every part of the network: • Ingress • VPN • Third-party access • Internal controls • Account access • Front door access • Conference room access
execution
the carrying out or completion of some task
white box (full disclosure) test
the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. Useful for simulating the behavior of a privileged insider threat
black box (blind) test
the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform the reconnaissance phase. Useful for simulating the behavior of an external threat
collision attack
an attack that finds two different inputs (for example, two passwords or two documents) that a hashing algorithm reduces to the same digest, so that one can be substituted for the other; a sound hash function makes this computationally infeasible
Corporate Owned, Personally-Enabled (COPE)
the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force)
corporate owned, business only (COBO)
the device is the property of the company and may only be used for company business
firewalls
the devices principally used to implement security zones, such as intranet, demilitarized zone (DMZ), and the Internet
transparent proxy
the end users have no idea there's a proxy in the middle, and no additional configuration needs to occur on the operating system to be able to take advantage of the proxy
supply chain
the end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.
production environment
the environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.
artificial/manufactured
threats caused by people, deliberately or accidentally, as opposed to natural or environmental threats; assessing them means evaluating the intentions of people who could pose a threat to an organization, how they might cause harm, and their ability and motivation to carry out the task
supply chain assessment
the evaluation of tradeoffs in your supply chain, including delivery times, inventory availability, transportation costs, facility costs, inventory investment and which suppliers to purchase from, to find the highest service and lowest cost supply chain design
testing environment
the hardware and software that are used to test (usually integration testing and system testing) a software product
control diversity
the idea is that to fully compromise a system, the attacker must get past multiple security controls
geolocation
the identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.
escalation of privilege
the initial exploit might give them local administrator privileges. They might be able to use these to obtain system privileges on another machine and then domain administrator privileges from another pivot point.
recovery time objective (RTO)
the length of time it takes after an event to resume normal business operations and activities
user account
the logon ID and associated security identity required for any user who wants to access a computer or network (on Windows, a local or domain user account)
recovery point objective (RPO)
the longest period of time that an organization can tolerate lost data being unrecoverable
public
the lowest data classification level. Public data disclosure will not have a significant negative impact on an organization
confidential
the most sensitive classification level. Generally, this data is for internal use only. If disclosed, it will have a significant negative impact for the organization
federation
the notion that a network needs to be accessible to more than just a well-defined group, such as employees; achieved by trusting identity assertions issued by another organization's identity provider rather than creating local accounts
annual rate of occurrence (ARO)
the number of times an incident is expected to occur in a year
nation states/advanced persistent threat (APT)
the ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques
trusted operating system (TOS)
the operating system component of the TCB that protects the resources from applications
mandatory access control (MAC)
the operating system limits the operation on an object based on security clearance levels
order of volatility (OOV)
the order in which volatile data should be recovered from various storage locations and devices after a security incident occurs
mitigate/remediate
the overall process of reducing exposure to or the effects of risk factors
owner
the person who has final organizational responsibility for classifying, labeling, protecting and storing the information
triple DES (3DES)
the plaintext is processed three times with DES (encrypt, decrypt, encrypt) using two or three different subkeys; it is slow and has been superseded by AES
rubber ducky antennas
the plastic-coated variants often used on access points
crossover error rate (CER)
the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology
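An added example, not from the original notes: a threshold sweep over constructed biometric match scores that computes FAR and FRR at each threshold, finds the crossover (CER), and picks the threshold needed to hold FAR under a target. The score distributions are constructed and small; real evaluations use thousands of samples.

```python
# Constructed match scores (0..1): genuine users should score high, impostors low.
GENUINE = [0.60, 0.70, 0.77, 0.81, 0.85, 0.88, 0.90, 0.92, 0.95, 0.97]
IMPOSTOR = [0.12, 0.22, 0.30, 0.41, 0.48, 0.55, 0.63, 0.72, 0.79, 0.86]


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False acceptance rate: impostors whose score meets the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False rejection rate: genuine users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 1000):
    """Sweep thresholds from 0 to 1 and return (threshold, rate) where FAR and FRR
    are closest; the rate at that point is the crossover error rate."""
    best_t, best_gap = 0.0, None
    for i in range(steps + 1):
        t = i / steps
        gap = abs(far(t, impostor) - frr(t, genuine))
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, (far(best_t, impostor) + frr(best_t, genuine)) / 2


def threshold_for_max_far(max_far: float, impostor=IMPOSTOR, steps: int = 1000) -> float:
    """Smallest threshold that keeps FAR at or below max_far (the high-security choice)."""
    for i in range(steps + 1):
        t = i / steps
        if far(t, impostor) <= max_far:
            return t
    return 1.0


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.2f} at threshold {t:.3f}; FRR there {frr(t):.2f}")
    print("threshold for FAR <= 10%:", threshold_for_max_far(0.1))
```

Raising the threshold above the crossover trades convenience (higher FRR) for security (lower FAR); a lower CER means the two curves meet at a smaller error, so the sensor separates the populations better.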
job rotation
the policy of preventing any one individual performing the same role or tasks for too long. Personnel should rotate between job roles to prevent abuses of power, reduce boredom, and improve professional skills
geofencing
the practice of creating a virtual boundary based on real-world geography.
version control
the practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes; an ID system for each iteration of a software product, so that any change can be traced and rolled back
cloud
the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer
continuous integration
the principle that developers should commit updates often (every day or sometimes even more frequently). This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another
legal and compliance
the process by which a business ensures that it observes and complies with the external statutory laws and regulations
data exfiltration
the process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
GPS tagging
the process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on
data retention
the process of an organization maintaining the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations
change management
the process of approving and executing change in order to assure maximum security, stability, and availability of IT services.
impact
the process of assessing the probabilities and consequences of risk events if they are realized
vulnerability scanning
the process of auditing a network (or application) for known vulnerabilities; scans for vulnerabilities
onboarding
the process of bringing in a new employee, contractor, or supplier.
domain name resolution use case
the process of converting a domain name into a public IP address.
virtualization
the process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.
provisioning
the process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.
authorization
the process of determining what rights and privileges a particular entity has.
offboarding
the process of ensuring that all HR and other requirements are covered when an employee leaves an organization.
exit interview
the process of ensuring that an employee leaves a company gracefully
analytics
the process of reviewing the events and incidents that trigger IDS/IPS.
onboarding
the process of welcoming a new employee to the organization
elasticity
the property by which a computing environment can instantly react to both increasing and decreasing demands in workload.
scalability
the property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
high availability
the property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.
mean time between failures (MTBF)
the rating on a device or component that predicts the expected time between failures
chain of custody
the record of evidence history from collection, to presentation in court, to disposal.
non-credentialed scan
the scanner cannot log in to the remote device; one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given any sort of privileged access
Secure POP
the secured version of the protocol, operating over TCP port 995 by default
record time offset
the server and workstation times often differ slightly (or are out of sync to some degree) from the actual time
electronic code book (ECB)
the simplest encryption mode and too simple for most use cases; an encryption mode of operation where each plaintext block is encrypted with the same key
authority (principle)
the social engineer is in charge; "calling from the help desk/office of the CEO/police"
expiration
the specified time after which an account expires, to eliminate the possibility that it is forgotten about and acts as a possible system backdoor
persistence
the tester's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor
tunnel mode
the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). This is also referred to as a router implementation.
tethering
there are also various means for a mobile device to share its cellular data or Wi-Fi connection with other devices
aggregation switches
these are functionally similar to layer 3 switches, but the term is often used for high-performing switches deployed to aggregate links in a large enterprise or service provider's routing infrastructure.
Exploitation frameworks
these are toolsets designed to help attackers exploit systems. Some of these tools include automation. Groupings of these tools represent (somewhat) standardized ways of attacking, and a framework for moving through an attack. The most famous example is Metasploit.
secure cabinets/enclosures
these can be supplied with key-operated or electronic locks
Non-Regulatory Framework
they do not attempt to address the specific regulations of a specific industry but represent "best practice" in IT security governance generally
application management
they focus on managing a part of the device, not all of it. When the device is joined to the corporate network through enrollment with the EMM software, it can be configured into a corporate "workspace" mode in which only a certain number of whitelisted applications can run
containerization
this allows the employer to manage and maintain the portion of the device that interfaces with the corporate network
property
this includes damage to business property, property of others, or environmental damage
deadbolt lock
this is a bolt on the frame of the door, separate from the handle mechanism
passive test access point (TAP)
this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port
snapshot/revert to known state
this is a saved system state that can be reapplied to the instance
master image
this is the "gold" copy of a server instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template.
infrastructure as code
this is the principle that when deploying an application, the server instance supporting the application can be defined and provisioned through the software code. Imagine a setup program that not only installs the application but also creates a VM and OS on which to run the application.
community cloud
this is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies
switched port analyzer/mirror port
this means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports)
integrity measurement
this process determines whether the development environment varies from the secure baseline
background checks
this process essentially determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky
encapsulating security payload (ESP)
this provides confidentiality and authentication by encrypting the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet (a header, a trailer [providing padding for the cryptographic function], and an Integrity Check Value).
system owner
this role is responsible for designing and planning computer, network, and database systems. The role requires expert knowledge of IT security and network design
aircraft/unmanned aerial vehicle
this sector ranges from full-size fixed wing aircraft to much smaller multi-rotor hover drones
rooting
this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device
environmental
those caused by some sort of failure in the surrounding environment. These could include power or telecoms failure, pollution, or accidental damage (including fire)
subscription services use case
those services that offer membership for a fee, usually on a monthly or annual basis
mission-essential functions
those that MUST occur. If they don't occur, or are performed improperly, the mission of the business is directly impacted
sensors
to aggregate data outputs from multiple sources
secure configurations
to allow the OS and application software to execute that role
initial exploitation/weaponization
used to gain some sort of access to the target's network. This initial exploitation might be accomplished using a phishing email and payload or by obtaining credentials via social engineering
replay attack (wireless attacks)
used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly
digital signatures
used to prove the identity of the sender of a message and to show that a message has not been tampered with since the sender posted it. This provides authentication, integrity, and non-repudiation. To create a digital signature using RSA encryption, the private key is used to encrypt the signature; the public key is distributed to allow others to read it
cable locks
used to secure portable computers, external hard drives, and other portable pieces of hardware to a table or other object
email certificate
used to sign and encrypt email messages, typically using S/MIME or PGP
horizontal privilege escalation
user A can access user B's resources
single sign-on (SSO)
user only has to authenticate to a system once to gain access to all the resources to which the user's account has been granted rights
attribute-based access control (ABAC)
users can have complex relationships to applications and data, and access may be based on many different criteria
RADIUS Federation
uses 802.1X as the authentication method, RADIUS on the back end, and EAP to authenticate
initialization vector (IV) attack
uses a number, the IV, to find a wireless protocol's pre-shared key and use packet injection techniques on the network
Transport Layer Security (TLS)
uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.
Secure Sockets Layer (SSL)
uses certificates for authentication and encryption to protect web communication.
iris scanner
uses pattern-recognition techniques based on images of the irises of an individual's eyes.
code reuse
using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function in a different context). The risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities (perhaps the function's input parameters are no longer validated in the new context)
client-side
usually restricted to informing the user that there is some sort of problem with the input before submitting it to the server. Even after passing client-side validation, the input will still undergo server-side validation before it can be posted (accepted). Relying on client-side validation only is poor programming practice.
zero day attack
vulnerability that is exploited before the developer knows about it or can release a patch
development life-cycle models
waterfall, agile
smart devices/IoT
wearable/technology, home automation
new threats/zero day
what you don't know can really hurt you, and you won't even see it coming; vulnerabilities are sitting in your system, waiting for someone to find them; some problems are hidden for years; as soon as the problem is discovered (day zero), patch it; there isn't always time to properly test; balance severity with stability; WannaCry ransomware hit on May 12, 2017, but the patch had been available since March 14
vertical privilege escalation/elevation
where a user or application can access functionality or data that should not be available to them. For instance, a user might have been originally assigned read-only access (or even no access) to certain files, but after vertical escalation, the user can edit or even delete the files in question
mail gateway
where all the information coming in and out is filtered through that gateway before ever coming into an internal email server
stack overflow
where an attacker could use a buffer overflow to change the return address, allowing the attacker to run arbitrary code on the system. Two examples of this are the Code Red worm, which targeted Microsoft's IIS web server (version 5) and the SQLSlammer worm, which targeted Microsoft SQL Server® 2000
false positive
where legitimate behavior is identified as an incident; a reported vulnerability that does not exist
VPN concentrators
where the functionality is part of a router or dedicated security appliance
waterfall
where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.
somewhere you are
where the user is located
man-in-the-browser (MITB) attack
where the web browser is compromised by installing malicious plug-ins or scripts or intercepting API calls between the browser process and DLLs
thin AP
an access point that requires a wireless controller in order to function
business partners agreement (BPA)
while there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers
tracert or traceroute
Windows command for tracing the route a packet takes over the network.
urgency (principle)
works alongside scarcity; "act quickly, don't think"
ARP poisoning attack
works by broadcasting unsolicited ARP reply packets; because ARP is an antiquated protocol with no security, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address
credentialed scan
you are a normal user, emulates an insider attack; given a user account with logon rights to various hosts plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also demonstrates what an insider attack or one where the attacker has compromised a user account may be able to achieve
clickjacking attack
you are clicking on a button, but you are actually clicking on something else
intrusive scan
you will try out the vulnerability to see if it works; an exploitation framework; a test that disrupts the operations of a system; also known as a penetration test; attempts to exploit vulnerabilities