CISSP 2018 Flash Cards
Remote location in a different geographic location from the contracting organization
Off-shore
Graceful transition to a standby device is generally known as? 1: High availability (HA) 2: Fail-secure 3: Active/Passive Pair 4: Failover
4: Failover
Zero-day
A threat that is exploited and was unknown before it was detected
Security Evaluation Criteria
TCSEC ITSEC Common Criteria
The concept of separating interface and implementation
Abstraction
Industrial Control Systems
'Industrial Control Systems (ICS)' are computer-based systems that monitor and control industrial processes that exist in the physical world. ICS are either data-driven or operated remotely. Well-known industrial control systems include: -Distributed control systems (DCS) -Programmable logic controllers (PLC) -Supervisory control and data acquisition (SCADA)
Corrective
'Minimize' the 'impact' of a threat agent, or 'modify' or 'fix' a situation '(recovery)'
Advanced Encryption Standard (AES) (Rijndael)
128- or 192- or 256-bit key / 10 or 12 or 14 rounds of substitution and transposition -2002 replaced 3DES as a US Government Standard
Secure Stagine Workflow
1: Dev 2: Test 3: Stage 4: Prod
CHAP Process
1: User enters login name and password at login screen 2: Workstation sends the user name (not password) to the authentication server 3: The Authentication Server verifies that the user name exists in its DB, generates a unique string of challenge text, and sends to the user 4: The workstation login process receives the challenge text. The workstation hashes the user password, appends it to the challenge text, and hashes the entire string 5: The workstation sends the hash value to the authentication server 6: The authentication looks up the user account and extracts the stored hash value of the user's password, appends it to the challenge text, and hashes the entire string 7: The authentication server compares its calculated hash value with the hash value received from the user 8: If the hashes are identical, the user is successfully authenticated. If the hashes are different, the authentication fails
The statement "password complexity must include upper case, lower case and at least one symbol" is best described as a? 1: Guideline 2: Standard 3: Baseline 4: Policy Statement
2: Standard
Which one of these attacks is most likely to result in data compromise? 1: RF interference 2: Signal jamming 3: Evil Twin 4: War chalking
3: Evil Twin
Triple DES (3DES)
64-bit key / 48 rounds of substitution and transposition using either 2 or 3 keys -1999 replaces DES as a US Government standard -Considered deprecated (weak)
Recommended temperature range for a Data Center
70-74F
Information Security Management Systems (ISMS)
A framework for designing, establishing, implementing, maintaining and monitoring an information security program in order to achieve the objectives of: Confidentiality Integrity Availability
Framework
A logical structure with the intent to document and organize processes.
Formula for ALE
ALE = SLE *ARO
Multicast wireless sensor network designed for "wearables"
ANT
Process of tracing actions to their source
Accountability
This hearing is conducted by a quasi-judicial body
Administrative
Airgap Isolation
Air-gap refers to computers or networks that are physically isolated from the Internet or to any other computers that are connected to the Internet. Air gaps generally are implemented where the system or network requires extra security, such as classified military networks or industrial control systems that operate critical infrastructure
Server Virtualization
Allocates the resources of the host to guest server (virtual) computers - The physical host computer hardware has processor, memory, storage, and networking components. Specialized software dynamically allocates resources - Guest computers (virtual machines) act exactly as though they are physical machines each with independent operating systems, applications, and network connections
SSL VPN Portal
An SSL VPN portal is a single connection to multiple services. - The user is authenticated by an SSL VPN gateway - The user is presented a web page - The SSL VPN tunnel can be used to access non-web based applications
Due Dilligence
An investigation of a business or person generally before entering into a contract. It is the care and caution a reasonable person would take. Due Dilligence must honor Due Care.
Threat model that focuses on system design
Architecture-centric
Process of securely storing unaltered data
Archiving
Examples include IP addresses, command and control connections, file changes
Artifacts
The stage of a DRP lifecycle that requires a non-biased independent review
Audit
Local Storage Security
Best practices include: - Encrypting data at rest - Securing network and communications interfaces - Implementing access control lists - Physically separate storage devices from other hardware and restricting access to switches - Monitoring (HIDS) - Implementing DLP - Having a backup and recovery plan
Bit by bit copy of source material that preserves all latent data
Bit Stream Image
Short, sturdy, vertical post used to divert traffic from an area
Bollard
Weaponization of devices for use in DDoS attacks
Botnet
Term applied to an algorithm or key that has proven to be exploitable
Broken
The term applied to an algorithm or key length known to be exploitable
Broken
The outcome of this attack is user impersonation
Broken authentication
Prolonged period of low voltage
Brownout
The basis of this type of investigation is a dispute between parties
Civil
Designed by the ISO - this is now a global evaluation criteria
Common Criteria
In this model, data owners decide subject access
DAC Discretionary Access Control
The term applied to multiple layers of controls
Defense in depth
Purging technique that uses a strong electromagnetic field
Degaussing
Term applied to a weak algorithm or key
Deprecated
Iterative & Incremental Project Models
Develop software by using 'repeated cycles (iteration)' related to adding specific functionaloty (incremental). - The 'spiral' model is an iterative approach that emphasizes risk analysis and use feedback per iteration - The 'Agile' model uses iterative and incremental processes that emphasizes 'timebox team-based collaboration' - Rapid application development (RAD) combines prototyping and iterative processes
An attack used to force a wireless device offline
Disassociation
This type of plan describes plans and procedures for recovering technology and facilities
Disaster Recover Plan (DRP)
Legally enforceable software use agreement
EULA End User License Agreement
Attribute = why Objective = understanding
Education
How well a control works
Effectiveness
Resource Management
Efficient and effective use of resources.
Firewall term for outgoing
Egress
This group publishes the Unified Framework for Information Security Ethics
Ethics Working Group
Term given to the unauthorized release or removal of data
Exfiltration
Users
Expected to follow operational security procedures.
This type of trial witness is allowed to proffer an opinion
Expert witness
The decision state when abnormal activity is incorrectly identified as normal
False Negative
The decision state when normal activity is incorrectly identified as abnormal
False Positive
Type 1 Biometric Errors
False Reject Rate (FRR)
This procedure format requires decision making
Flowchart
Another name for a "virtual machine"
Guest
System Integrity
Implies that a system will work as intended. AKA Trustworthy computing.
Hijacking
Intercepting communications between two or more systems. Enables an attacker to eavesdrop, capture, manipulate, and/or reuse data packets
Risk Treatment
Is how an organization reponds to identified risks--generally defined as actions taken to either 'accept' the level of risk or 'mitigate' the 'impact' of the undesirable or unfavorable outcome and/or enhance the likelihood of a 'positive outcome'.
The intersection of FRR and FAR
CER Crossover Error Rate
Organization in the US where vulnerabilities can be reported
CERT/CC
This authentication protocol relies on challenge textand a hashing algorithm
CHAP Challenge Handshake Authentication Protocol
First state in the US that required data breach disclosure and notification
California SB 1386 California Security Breach Information Act
This alternate site is basically an empty shell with HVAC and power
Cold Site
Evidence Collection and Preservation
Collection and preservation of physical and digital evidence is a critical aspect of forensic investigations. Rule of thumb -- assume evidence will be used in a court of law and act accordingly. - Preservation is key - Act in order of volatility - Maintain an evidentiary chain (chain of custody) for all physical and electronic evidence collected during the investigation
Data Compilation
Collection of data for "later use" to be determined.
This cloud deployment model is provisioned for the exclusive use of a well-defined group
Community Cloud
Role generally tasked with identifying applicable statutory, regulatory, and contractual requirements
Compliance Officer
Trustworthy Computing
Confidence that a system will act in a correct and predictable manner in every situation.
This security principle relates to unauthorized disclosure
Confidentiality
This type of assessment performs checks against guidance, best practices, and applicable standards
Configuration assessment
Process used to support the development, implementation, and maintenance of baselines and standards
Configuration management
Proxy Server Configurations
Normal / Forward Proxy Transparent Proxy Reverse Proxy
Process of integrating a new employee
Onboarding
Regulatory and Contractual Obligations
Organizations are responsible for complying with local, state, federal laws and regulations as well as agreements and contractual obligations. Consideration should be given to local customs, traditions, and practices (cultural, tribal and religious)
Payment card system information security contractually enforced framework
PCI DSS Payment Card Industry Data Security Standard
The endpoint in the release management process
PROD
Pretexting using email
Phishing
This type of control stops a threat agent from being successful
Preventative
Integrity
Principle that data and systems should be protected from unintentional, unauthorized, or accidental changes.
Specific instructions for carrying out a task
Procedure
Disk technology commonly used for fault tolerance
RAID
In this model, access is based on the subject's assigned roles
RBAC Role-based Access Control
Tokenization
Replaces sensitive data with non-sensitive substitutes known as tokens. - Tokenization does not alter the type or length of data - Tokenization requires less computational resources than encryption
Level of risk after controls are applied
Residual
Federal Information Processing Standard 199 (FIPS 199)
Requires that information and information systems be categorized as low, medium, or high security based upon confidentiality, integrity, and availability criteria: -'Confidentiality' as it relates to the impact of 'unauthroized disclosure' and/or 'unauthorized use' -'Integrity' as it relates to the impact of 'unauthorized modifications or destruction' -'Availability' as it relates to the impact of 'disruption of access to or use of the information
Ability of a subject to take an action (e.g. install software)
Rights
An extension of SSH to provide secure file transfer capabilities
SFTP
Appending random text to a string prior to hashing
Salting
This configuration is used to segregate high risk mobile applications
Secure Container
Type of key used to create a digital signature
Sender's private key
Breaking a process into tasks and assigning the tasks to various personnel
Separation of duties
Breaking a task into processes that are assigned to different subjects so that no one subject is in complete control
Separation of duties
This IDS response is to ignore the event as not applicable
Shunning
Examination of non-running code
Static analysis
This code assessment is an examination on non-running code
Static analysis
Building
The building includes: - Any structure containing critical functions essential to operations - Any structure containing sensitive information - Access points into the structure
This service generates a TGT Access Token
Ticket Granting Service
Potential danger to an asset
Threat
Handheld device that synchronizes with an authentication server
Token
In this IPsec mode only the payload is encrypted
Transport
This malware family often appears to be a legitimate application
Trojan
Awareness program test measure
True/False Multiple Choice
Principles used by a SSAE18 SOC2
Trusted Service Principles (TSP)
The number of keys used in asymmetric encryption
Two
Number of drives used for RAID 1
Two - mirrored drives
Requires firmware updates to be digitally signed
UEFI Unitec Extensible Firmware Interface
This software development project model emphasizes verification and validation at each phase
V-model
Process used to track files, source code, and configurations over time
Version Control
This malware family requires a host to replicate
Virus
Compromising a website or social media application frequented by the target
Watering Hole
Time, effort, and talent needed to achieve an objective
Workfactor
Tool that intercepts inadvertent drive writes
Write Blocker
[*] and Simple meaning
Write and Read
Symbol that indicates a registered trademark
®
Symbol that indicates an unregistered trademark
™
Control classification used to minimize the impact of a threat agent or fix a situation
Corrective
The process of tying individual log entries together based on related information
Correlation
This is the monetary value it takes to acquire, develop, maintain, or replace an asset
Cost
This is the use of a malicious script to transfer information objects between processes that are not supposed to communicate
Covert Channel
This solution is designed to detect and prevent data exfiltration
DLP
This host-based utility monitors program memory use
Data Execution Prevention (DEP)
EU Regulatory Compliance
Data Protection Directive / GDPR (EU) Cookie Law (EU)
Residual representation of data
Data Remanence
This phase of incident reponse focuses on identifying and analyzing IOAs and IOCs
Detection
Human
Disruption, manipulation, or compromise of people.
EU regulation that protects member data locally and abroad
GDPR General Data Protection Regulation
Using captured hashed credentials from one machine to successfully gain control of another machine
Pass-the-hash attack
Manipulating a trusted source of data
Poisoning
A table of precomputed hashes
Rainbow table
A previously unknown vulnerability for which there is no fix
Zero day
Remote access application that facilitates clear text connection to a remote system
Telnet
This type of VPN connection is transparent to the user
Always-on VPN
Controls boot up sequence
BIOS
These devices enforce enterprise security policies "in-the-cloud"
CASBs Cloud Access Security Brokers
Fixed length blocks of disk space
Cluster
SSO system embedded in Microsoft Active Directory
Kerberos
This report should always follow an exercise as well as a real event
Lessons learned
The first phase in a penetration test
Passive reconnaissance
Authentication factor that requires a physical device
Possession
Formal process used to make available code versions to various resources for simultaneous development
Provisioning
NFC is rooted in this technology
RFID
This document is used to solicit bids for a particular service or product and includes multiple criteria
RFP Request for Proposal
This process restores a system to an earlier point in time
Rollback
Requires that all boot loader components attest to their identity
Secure Boot
ISM Personnel
Should report as high as possible to maintain visibility, limit distortion, and minimize conflict of interest.
VPN tunnel configuration that allows the routing of some traffic over the VPN while letting other traffic direct access to the Internet
Split tunneling
This is the worth of an asset to its owner
Value
Weakness that can potentially be exploited
Vulnerability
An objective of this type of assessment is to identify host attributes and known CVEs
Vulnerability Assessment
Where would you place an SSL Accelerator? 1: Inline with web servers 2: In the DMZ 3: In the cloud 4: On premise
1: Inline with web servers
Synthetic transactions are used to measure this. 1: Response time 2: Throughput 3: Reaction time 4: Workload
1: Response time
This networking protocol can report on who joined the network, how they were authenticated and how long they were on. 1: NTLM 2: RADIUS 3: TACACS 4: EAP
2: RADIUS
Digital Signature
A 'digital signature' is a message digest that has been encrypted using a private key. The goal of a digital signature is 'integrity' and 'non-repudiation'. - Integrity is the assurance that the data has not been modified - Non-repudiation means that the signer 'cannot deny' sending the message. Conversely, the receiver can trust that the message came from the named signer.
Degaussing
A 'purging' technique that requires a machine or wand that produces a strong electromagnetic field which destroys all magnetically recorded data.
Virtualization
A technology that creates multiple environments from a single physical hardware system. In essence, a single physical machine emulates multiple systems
Risk Register
A tool used to document organizational risks and ancillary details such as owner, treatment measures, and monitoring tasks
Code that performs a function on behalf of an application
Agent
Embedded System Components
An embedded system generally has three "closed loop" components. -System on a chip (SOC) -Real-time OS (RTOS) -APP
Change Management
Applies a formal process to accomplish change. Key tasks include: - Proposed changes are evaluated for risks and benefits - Changes are prioritized in alignment with business needs - Changes are tested and roll-back strategies at the ready - Changes are authorized - Configuration management baselines are updated
Degree of confidence that a system will act in a correct and predictable manner
Assurance
This is a formal independent assessment of a Business Continuity Plan
Audit
Granting users and systems a predetermined level of access
Authorization
This penetration test approach does not provide any details of the test environment to the test team
Black box
What key would Mary use if she wants to send an asymmetrically encrypted data packet to Bob?
Bob's public key
Brewer-Nash (Chinese Wall)
Brewer-Nash is a context-oriented commercial model designed to defend against conflicts of interest. -Access controls change dynamically depending upon a user's previous actions
In this type of key attack, every possible key is tested (subject to time and resources)
Brute Force
Conceptual boundary that controls how processes are executed
CPU Protection Rings
Radio frequency distributed network
Cellular
Name of the room where a physically isolated network would be located
Clean room
Tactic or strategy to reduce or eliminate a vulnerability and/or likelihood or impact of an exploit
Control
This mechanism can be used to reduce likelihood and/or impact
Control (Safeguard, Countermeasure)
Injection of malicious code that executes in a browser
Cross Site Scripting (XSS)
Joint Exercises
Cyber incident scenarios should be included in business continuity exercises - Executive cybersecurity incident simulation exercise (extortion, denial of service) - Incident coordination simulation exercise - Response team simulation exercise - Communication and notification exercise
A broad term given to criminal activity that involves the Internet, a computer system, a computer network, or technology
Cybercrime
Temperature
Data Centers (inclusive of server rooms and networking closets) need to be kept cool - Recommended temperature for an area containing computing devices is between 70-74 degrees F - Damaging temperatures: Computers > 175F, Magnetic Storage > 100F, Paper products >350F
Data at a specific point in time
Data state
This IPS response appears to the attacker that it was successful
Deception
Extreme action that can be taken by (ISC)2 against a memeber
Decertification
Any action not explicitly allowed is denied
Default deny
This principle is expressed as "if not explicitly allowed, then access is denied"
Default deny
The intent of this model is to provide redundancy in the event that a security control fails or is exploited
Defense in depth / Layered defense
Multiple layers of controls
Defense-in-depth (Layered security)
Overwhelming system resources
DoS/DDoS
This term describes actions considered or taken due to threat of harm
Duress
Automated examination of running code
Dynamic analysis
Symmetric Recap
Feature - Attribute # of Keys - Single shared key Processing - Computationally efficient - Fast Strength - Difficult to break (large keys) Scalability - Not scalable Key Exchange - Inherently insecure
The category name for "lower level" models
Foundational
Primary reasons for job rotation and mandatory vacation
Fraud deterrent and detection
This key attack analyzes patterns
Frequency
Government and Sector Specific Regulations
GLBA HIPPA | HITECH FISMA
Determining the difference between RTO, RPO, and reality
Gap Analysis
The process of defining a virtual boundary around a specific physical area
Geofencing
The motivation for this adversary is to "make a statement"
Hacktivist
Hubs and Repeaters
Hubs and repeaters are OSI Layer 1 devices. - Repeaters amplify signals - Hubs retransmit a signal received on one connection point to all ports - Hubs are unsecure LAN devices (anyone can sniff the packets) that should be replaced with switches for security and increased bandwidth
#1 disaster response priority
Human health and safety
In an evacuation, the number one priority
Human life and safety
Business Continuity Planning Resources
ISO / IEC - ISO 22301:2012 Business Continuity Management Systems - Requirements FEMA - Business and industry guidance NIST - SP800-34 R1 Contingency Planning Guide for Federal Information Systems ISACA - Business Continuity - Disaster Recovery Planning Tool Other - Business Continuity Institute (BCI) - Management Resourses - Disaster Recovery Institute International (DRII) Professionsl Practices
International Organization for Standardization (ISO )Certifications
ISO 9001 Certified means the company has met the requirements detailed in the ISO 9000 Quality Management Systems standard ISO 27001 Certified means an organization has met the requirements detailed in the ISO 27000 Information Security Management System standard
Risk Treatment Options
Ignore - Act as if the risk doesn't exist Avoid - Eliminate the cause or terminate the associated activity Mitigate - Reduce the impact or likelihood by implementing controls or safeguards Deter - Discourage the threat acton or adversary taking action Share - Spread the risk among multiple parties Transfer - Assign the risk to another party via inurance or contractual agreement (subject to legal and regulatory constraints) Accept - Acknowledge the risk and monitor it
Important Privacy-related Regulations Regulation / Law GLBA (US) HIPPA (US) FERPA (US) Federal Privacy Act (US) COPPA (US) GDPR (EU) Cookie Law (EU)
Impact Financial records Medical records Student educational records Data collected by the government Online collection and use of data for minors under 13 Citizen data privacy protection Website cookie informa and consent requirements
Spoofing
Impersonating an address, system, or person. Enables an attacker to act as the trusted source and redirect/manipulate actions
Fail Safe - Fail Secure Principle
In event of an emergency, the organization's security structure must comply with safety, fire, and building codes Fail-safe implies that in an emergency situation, controls will default to open. Fail-secure implies that in an emergency situation, controls will default to locked.
Term that describes the placement location if it is in the flow of traffic
In-band (Inline)
This phase of incident management focuses on identifying threats and implementing controls
Incident preparation
This phase of incident management includes containment, eradication, and recovery
Incident response
This backup strategy resets the archive bit
Incremental
Secure against legal responsibility
Indemnification
Aggregation
Individual pieces of data are combined to create a bigger picture that may have greater sensitivity than individual parts.
Patch Management Best Practices
Industry patch management best practices recommendations include: - Deploy a phased approach - Standardize the process - Always have a rollback plan - Rollback restores the system to a chosen earlier point in time - Report risks to management - Align patch management with organizational needs for availability and risk tolerance level **NIST SP 800-40 rev3 - Guide to Enterprise Patch Management Technologies
Ability to derive information that is not explicitly available
Inference
Model that dictates that information should flow only in ways that do not violate the security policy of the system
Information Flow
Choose one correct answer in each drop-down list. Information assets are generally classified by 1: Content 2: Severity 3: Confidentiality 4: Sensitivity Infrastructure and physical assets are generally classified by 1: Asset value 2: Criticality 3: Context 4: MTD
Information assets are generally classified by 'Content' Infrastructure and physical assets are generally classified by 'Criticality'
Term applied to using code to manage configurations and automate provisioning of infrastructure (e.g. build testing and staging servers
Infrastructure as Code
Stream Cipher Components
Input = Plain Text Keystream = Set of random values - True Random Number Generators (TRNGs) - Pseudorandom Number Generators (PRNGs) --Initial seed - Cryptographically secure Pseudorandom Number Generator (CSPRNG) Function = XOR operation
There are four components of the United Framework of Professional Ethics for Security Professionals:
Integrity - Perform duties in accordance with existing laws, exercising the highest moral principles. Objectivity - Perform all duties in a fair manner and without prejudice. Professional Competence and Due Care - Perform services diligently and with professionalism. Confidentiality - Respect and safeguard information and exercise due care to prevent improper disclosure
Security objectives of a digital signature
Integrity and Non-repudiation
Information Security Benchmark
Intended to help an organization identify their cybersecurity capabilities and initiative and compare those efforts to peers or competitors of the same sector or size.
This type of audit evaluates control objectives and controls
Internal Controls
Largest international police organization, with 192 member countries
Interpol International Criminal Police Organization
The objective of this test is evidence of enterprise readiness
Interruption (Full scale)
This program is responsible for documenting and tracking assets
Inventory management
Disruptive Technologies
IoT and access to real-time data are the foundation of the next generation of disruptive technologies including: -Machine learning (ML) -Autonomous vehicles -Block chain -Fog computing -Architecture that uses collaborative edge computing devices for local resource pooling (storage, communication, configuration and management) to achieve better QoS, data mining, and redundancy
Redundant Array of Independent Disks (RAID)
Is a disk technology that combines multiple disk drive components into a logical unit for the purposes of fault tolerance (data redundancy) and/or performance improvement
Software Development Lifecycle (SDLC)
Is a framework defining tasks performed at each step in the software development process - ISO/IEC 12207 is an internaltional standard for software life-cycle processes Phase 1 - Feasibility Study Phase 2 - Requirements Definition Phase 3 - Design Phase 4 - Development Phase 5 - Final Testing & Implementation Phase 6 - Implementation Support
Fibre Channel over Ethernet (FCoE)
Is a layer 2 standards-based protocol that allows Fibre Channel frams to be carried over Ethernet links - FCoE, network (IP), and storage (iSCSI) data traffic can be consolidated using a single network - FCoE is not routable at the IP layer
Attribute-based access control (ABAC) [Emerging]
Is a logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request - ABAC supports a complex Boolean rule set that can evaluate many different attributes - The policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language and the richness of the available attributes
Source Code Escrow
Is a mechanism for acquiring source code in the event that the vendor goes out of business or violates contractual obligations to maintain the code. A neutral, trusted 3rd party holds the source code. Benefits include: - Risk mitigation - Business continuity - Leverage
Extensibility
Is additional functionality of the modification of existing functionality without significantly altering the original structure or data flow (e.g. streaming media) - Open standard is a standard that is publicly available and can be freely adopted and extended
OAuth 2.0
Is an 'authorization framework' that enabled 'applications' to obtain limited access to user accounts on an HTTP service such as Facebook or Twitter
Identity-as-a-Service (IDaaS) [Emerging]
Is an SaaS-based identity and access management solution. There are three core components: - Identity and governance administration (IGA) which is the provisioning of users to cloud applications - Access which includes user authentication, SSO and authorization supporting federation standards. - Intelligence which includes identity access log monitoring and reporting
Risk Tolerance
Is an acceptable variation in outcomes related to specific performance measures.
Procurement
Is the process of finding,acquiring, buying goods, services, or works from an external source, often via a competitive bidding process. - Request for Information (RFI) is used to solicit advice in addressing and/or solving a problem - Request for Proposal (RFP) is used to solicit bids (including approach, experience, capability, proof of concept, support) for a product or service - Invitation to tender (ITT) is used when a product or service is known in advance and the objective is best price and/or service
Vulnerability Management
Is the process of identifying, mitigatingm and responding to known or anticipated vulnerabilities and exposures - Up-to-date inventory of information assets (hardware, software, OSs, and ancillary devices) is the foundation of a vulnerability management program
Federal Rules of Civil Procedure
Key Federal Rules of Civil Procedure (FRCP) include: - FRCP 33: Defines business records that are created or kept in electronic format as discoverable giving the requesting party access to them. - FRCP Rule 37(e): Creates a safe harbor from sanctions if you did not preserve, and therefore no longer have, electronic data that's requested provided that certain conditions and circumstances are met. - FRCP 16: Courts expect organizations to be ready for litigation, including being fluent in the IT and network architecture.
On Premise vs Cloud Decisioning
Legal/Regulatory/Contractual - Need to evaluate legal, regulatory, or contractual restrictions or obligations. For example: -Country where data is stored, processed, or transmitted -Required controls Infrastructure - Need to evaluate the required investment to built, maintain, and support the infrastructure Availability - Need to evaluate capability of resources and ability to provision additional resources. DR & BC - Need to evaluate synergy with disaster recovery and business continuity strategies and requirements Security - Need to evaluate security and privacy requirements
This phase of incident response focuses on improving plans and procedures
Lessons Learned
What key would Mary use to decrypt an asymmetrically encrypted data packet sent by Bob?
Mary's private key
Maximum time a process or service can be unavailable without causing significant damage to the business
Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO)
The process of dumping RAM
Memory Imaging
Operational Metrics
Metrics are a standard of measurement - Metrics allows us to move beyond subjective language and individual experience by providing a common framework for observation and comparison. - Operational metrics are used to measure effectiveness, efficiency, and performance and to make subsequent tactical decisions
This site is fully redundant with real-time data replication
Mirrored Site
This storage device connects to the network via IP, supports direct access (mapping), and addresses files by file name
NAS
Network Models
Network models describe layers of communication. From a security perspective, it is important to understand conceptually what happens at each layer, the dependencies, and the weaknesses. -The Open Systems Interconnection (OSI) reference model is structured into seven layers. - The OSI model was defined in 1984 and published as ISO/IEC 7498-1 - The TCP/IP (also known as the DoD) reference model is structured into four layers
Model that dictates whatever happens at one security level does not affect the security of other levels
Non-interference
This term describes changes that must go through the change management process
Normal Changes
Firewall ACLs
Permission - ALLOW or PERMIT to allow traffic. DENY to block traffic Protocol - Typically TCP or UDP (You can use IP to indicate both) Source - Where the traffic is coming from (host, range, wildcard, ANY) Destination - Where the traffic is going to (host, range wildcard, ANY) Port - Listening port (e.g. HTTP is port 80) Deny - Last rule at the end of an ACL is to block any traffic that wasn't previously allowed. Can be a statement (explicit) or a command (implicit)
Determines what actions a subject can perform on a file or folder (e.g. read)
Permissions
This statement generally describes what information will be collected and how it will be used
Privacy statement
Intrusion Detection Systems
Proximity - Measures magnetic field Motion - Detects physical disturbance Photometric - Changes in light Passive Infrared - Changes in heat Acoustical - Changes in noise Contact - Electrical circuit is broken
Metadata created by a user and is hidden or embedded in a file
Pseudo Metadata
This cloud deployment model has no restrictions as to who can provision resources
Public Cloud
This key is freely distributed
Public key
The purpose of this team is to monitor the exercise, inject communication as necessary, and evaluate activity
Purple team
This risk assessment methodology uses descriptive terminology
Qualitative
This type of risk assessment uses descriptive terminology
Qualitative
Attackers use error message disclosure for this purpose
Reconnaissance
This command is used to edit the Windows registry
Regedit
This utility reports on access to USBs and CD/DVDs
Removable Media Control (RMC)
The objective of this attack is to capture and reuse data packets
Replay
Set of rules that dictate how long unaltered data must be kept
Retention
Hashing algorithm created by the NSA
SHA Secure Hash Algorithm
This protocol is used for remote host management
SNMP
Evacuation Safety Plans and Drills
Safety plans including evacuation routes and "safe locations" should be posted and personnel trained. - Assembly places should be pre-assigned - Evacuation, shelter-in-place, and lock-down drills practiced - If circumstances allow, personnel should be instructed to secure confidential material and take access control devices with them. - No matter what else is happening -- human life and safety is always the number one priority
Salting
Salts are values appended to the input to negate the value of rainbow tables.
This mechanism is used to isolate untrusted applications or files
Sandbox
Email Security
Secure POP3 Secure IMAP S/MIME
The benefit of adding SSL to IMAP
Secure authentication
Security Code Review
Security code assessment is the process of examining and testing source code to verify that the proper security controls are present and work as intended
Symmetric key that is used only one time
Session Key
Timeframe inpact of awareness programs
Short-term
Incident Mgmt. Testing
Should be conducted on a periodic basis to assure readiness. - Exercises include tabletop and simulations - Participants should include the IMT team, external resources, and as applicable, executive management
A part of a system that, if it fails, will stop the entire system from working
Single Point of Failure (SPOF)
Space between the end of a file and the end of the cluster
Slack space
Targeted (to a group) version of phishing
Spear phishing
Mandatory implementation requirements (related to policies)
Standards
Original publication was the orange book -- followed by the rainbow series
TCSEC
This environment is used to merge code, isolate bugs, and measure performance and functionality
TEST
Common Vulnerabilities & Exposures
The 'Common Vulnerabilities and Exposures (CVE)' list is a database of information security vulnerabilities and exposures - The CVE provides a standardized identifier for a given vulnerability or exposure as well as a decription, advisories, and recommended actions - cve.mitre.orge - nvd.nist.gov
Network Virtualization (NSX)
The complete reproduction of a physical network in software - Network virtualization presents logical networking devices and services (e.g logical ports, switches, routers, firewalls, load balancers, VPNs) - Virtual networks offer the same features and guarantees of a physical network with the operational benefits and hardware independence of virtualization
Use Cases (Hashing)
The objective of hashing is proving integrity. -Validate that a message has not been changed during transmission (message digest) -Verify that a file has not been altered (checksum) -Verify that a forensic clone is intact
Downstream Liability
The potential liability incurred by a company whose computer systems are compromised and becomes the source of harm.
Jurisdiction
The power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory. Jurisdiction considerations include: Privacy and security regulations (or lack of) Access of local governments to stored or transmitted data Attitudes towards "foreigners" Law enforcement
Data Protection -- Access Management
The primary objective of access management is to protect information and information systems from unauthorized access ('confidentiality'), modification ('integrity'), and disruption ('availability') Access control models dictates how subjects (users) access objects (resources) or how objects access objects Access control best practices dictate organizational behavior (e.g. dual control, separation of duty).
Corporate Governance
The system by which organizations are directed and controlled. Governace structures and principles identify the distribution of rights and responsibilities.
Asset-centric
The threat models begin by identifying asset value and motivation of threat agents
RPO unit of measurement
Time
This code testing determines if the application works as expected
Use Case (Positive testing)
Transmission of voice traffic over IP-based networks
VoIP
Process of seeking electronic data for use in a civil or criminal legal case
eDiscovery
Downgrade Attack
A 'downgrade attack' is an attack on a system or communications protocol that forces degradation to a lower-quality crypto mode (if available) designed for backward compatibility
Hashed MAC
A 'hashed message authentication code (HMAC) is a hashed value that includes a symmetric key. -An HMAC cannot be reproduced without knowing the key. -An HMAC provides integrity and data origin authentication -HMAC is used by cryptographic protocols such as the TLS and IPsec to verify the integrity of transmitted data during secure communications
Cybercrime
A broad term given to criminal activity that involves the Internet, a computer system, a computer network, or technology: Examples include data theft, data exfiltration, data modification, privacy violation, denial of service, command and control activity, and distribution and use of botnets. It is a global low-risk, high-reward venture.
Control
A control (sometimes called the coutermeasure or safeguard) is a tactic, mechanism, or strategy that accomplished one or more of the following: - Reduces or eliminates a vulnerability - Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability - Reduce or eliminates the impact of an exploit
Application Security Training
A critical first step to develop a secure application is an effective training plan that allows developers and programmers to learn secure coding principles and how they can be applied
Cryptographic Attacks
A cryptographic attack is the circumvention of a cryptographic system by exploiting a weakness in a code, cipher, cryptographic protocol, or key management scheme. - This process of finding a cryptographic weakness (vulnerability) is known as "cryptanalysis".
Quarantine and Remediation
A device that does not comply with the pre-admission policy is placed in a quarantine zone. 'Quarantine zone' options include: - Continue with limited access - Remediation to establish conform with preadmissions policy
Directory Services
A directory service is the centralized collection and distributed database (domain) of user data, computers, and trusted entities. Directory services include: - Lightweight Directory Access Protocol (LDAP) - Microsoft Active Directory (AD) which is Microsoft's implementation of LDAP LDAP attributes include: - Scalability (billion + user entries) - Distributable and synchronizable - Default LDAP port is 389, Secure LDAP is 636
Recovery Procedures
A disaster is not the time to figure out how to recover or restore a system, nor is it the time to determine inventory or search for vendor contracts. - All these items should be addressed beforehand and documented in recovery procedures and supporting documents. - Recovery procedures should include configuration information, contact information (including service contracts and SLAs) and recovery and resumption instructions - Appropriate access controls should be applied to recovery procedure documents
Disaster Recovery Plan Readiness
A disaster recovery plan (DRP) should be maintained in a state of readiness, which includes: - Personnel trained to fulfill their roles and responsibilities within the plan - Plans and strategies exercised to validate their content - Systems and system components tested on a scheduled basis to ensure their recovery and operability - Plan examination and auditing to ensure compliance with business objectives.
Supply Chain Disruption
A disturbance of the normal flow of goods, materials, and services in a supply chain. Example: facility damage, natural disaster, labor disputes, shortages etc
Extensible Authentication Protocol (EAP)
A general authentication framework. - There are more than 40 EAP-methods - EAP is widely used in 802.11 (wireless) networks
System and Data Recovery
A key component of disaster recovery is the capability to restore systems and data. Restoration requires that accurate and reliable copies of data and system configurations are maintained and tested. - Trafitional backup strategies use removable media (generally tape) - Current/emerging strategies use local or remote online storage - Order of recovery should be related to the BIA
Mantrap
A mantrap is a two-tier barrier. Entry door on one side and an exit door on the opposite side. One door of a mantrap cannot be unlocked and opened until the opposite door has been closed and locked.
Regulatory Expectations
A number of regulations and contractual obligations either expect or mandate that organizations will conduct security assessments on a scheduled basis. For example: - GLBA mandates US financial institutions to undergo periodic assessment T&E - FISMA mandates US federal agency T&E - PCI DSS mandates participating merchant T&E - Cyber insurance policies may require T&E - Business aggreements may require T&E
Self-signed Certificate
A self-signed certificate is signed by the person creating it. - The advantage is that there is no additional expense. - The disadvantages are that a self-signed certificate can easily be impersonated, will present the user with a warning message and cannot be revoked. - Use cases include an internal development server
SSL (TLS) VPN Gateway
A user connects to an SSL gateway or endpoint using a web browser - SSL/TLS capabilities are embedded in most web browsers
VM Escape Protection
A virtual machine escape occurs when a virtual machine and the host operating systems interact. This should never happen. - Over time, multiple exploted vulnerabilities have been identified. - It is essential that VM hosts are included in organizational vulnerability and patch management programs
Web Security Gateway (WSG)
A web security gateway is an application that operates as a proxy and can filter content, enforce rules, and inspect for malicious content at the application level (e.g. XSS exploits)
This symmetric algorithm is the current US government standard
AES/Rijndael
IPsec component that provides integrity but not confidentiality
AH Authentication Header
A sophisticated attack in which an attacker gains access to a network and stays there undetected for a long period of time
APT Advanced Persistent Threat
# of times an event is expected to occur in any one year
ARO Annualized rate of occurrence
This protocol is used for MAC to IP translation
ARP
No expectation of privacy statement should be included in this user agreement
Acceptable Use Policy (AUP) agreement
Accounting
Accounting is the logging of access and use of information resources.
Process Integration
Achieve operational synergies and efficiencies.
Acquisition Process
Acquisition is the process of getting something Phase 1: Feasibility Study Phase 2: Requirements Definition Phase 3: Selection and Aquisition Phase 4: Configuration Phase 5: Final Testing & Implementation Phase 6: Implementation Support
This software development project model emphasizes a timebox team approach
Agile
Always-on VPN
An always-on VPN starts automatically as soon as a client device recognizes an Internet connection - Connection and authentication are transparent to the user - Non-compliant devices are rejected
Supply Chain
An ecosystem of organizations, processes, people and resources involved in providing a product or service. Represents steps taken to get the product or service to the customer.
Embedded System Defined
An embedded system is an electronic product that contains a microprocessor and software designed to perform a specific task. An embedded system can either be fixed or programmable -Embedded systems are found in consumer, cooking, industrial, automotive, medical, commercial, and military applications -Embedded systems range from very small personal devices to large-scale environments. For example, digital watches, health meters, printers/MFDs, camera systems, routers, sensor traffic lights, automotive safety, and industrial control systems.
Information Security Classification Policy
An information security classification policy should include the following statements (or equivalent) -The company will use a three-tiered data classification scheme of legally protected, internal use only, and public (example only) -The company will publish definitions of each classification -Each classification will have handling and protection standards -Asset owners are responsible for assigning classifications -Classifications will remain in force, regardless of the location or state of the asset at any given time
Background Check
An investigative report. It may include criminal, financial, credit and/or education history, workers compensation claims, and public records. The depth and breath should specifically be related to job roles and responsibilities and level of access. The applicant has a right to privacy. Consent should always be requested.
Asset Definition
Any data, device, or other component of the envrionment that supports information or information system related activities. The 'value' of an asset is the worth of the asset to the owners, authorized users, and unauthorized users. -Asset value can include the cost of liability or compromise The 'cost' of an asset is the monetary value it takes to acquire, develop, maintain, or replace it.
This firewall operates at the 7th layer of the OSI model
Application Layer
Asset Custodian Responsibilites
Asset (system, data, and resource) custodian responsibilities include: -Implementing protection mechanisms -Monitoring for problems or violations -Reporting suspected incident -Common custodian roles include network administrators, IT specialists, database administrators, application developers, application administrators, and librarians
This process results in independent evidence-based assurance
Audit
Positive identification of a person or system
Authentication
The process of proving an identity to an operating system or application
Authentication
Example of this SE principle "This is Detective Jones calling"
Authority
Key policy-related responsibility of the Board of Directors (or equivalent)
Authorization
Accumulation of access rights, permissions, and privileges over time
Authorization creep
Authorization
Authorization is granting users and systems a predetermined level of access to resources.
This feature is used to remove all data and applications on the device after a prespecified number of failed logins
Auto-wipe
Hardware/Firmware Security Components
BIOS - Basic Input Output System UEFI - Unified Extensible Firmware Interface Secure Boot - Secure Boot TPM - Trusted platform module HSM - Hardware security module FDE/SED - Full disk encryption/senf-encrypting drives CPU Rings - Conceptual boundaries
Securing Embedded Devices
Best Practice for Evaluation & Security: -Research supply chain including chip manufacturer and operating system -Research available security controls -Immediately change the default credential -Implement strong authentication controls -Disable unnedded features and services -Disable clear text Telnet login and use SSH instead -Segregate embedded devices -Restrict remote access to devices -Include devices in patch management program
Beyond the Perimeter
Beyond the perimeter includes: - Information that can be obtained without breaching the perimeter/building - The area beyond the perimeter where protective security measures can be projected - Information or assets which are taken offsite and require protection
Finger scan is an example of this type of authentication
Biometric
Biometric Adoption
Biometric systems are the most trustworthy (even more so when combined with another factor); however, adoption has been influenced by cost, enrollment time, and user acceptance During the enrollment process, the biometric registration system takes multiple measurements and goes through a series of validation processes. - The measurements are either hashed or encrypted - Biometric systems may inadvertently detect drug usage, illness, and pregnancy
Biometric - Something You Are or Do
Biometrics refers to "human characteristics" Something you are is a physiological characteristic - Physiological biometric markers include fingerprints, fingerscans, retina scans, iris scans, facial recognition, vascular patterns, palm scans, and hand geometry. Something you do iss a behavioral trait - Behavioral biometric traits include voice pattern recognition, keystroke dynamics, and signature dynamics Adoption and accuracy are the most significant implementation challenges
Shortwave low power technology based on 802.15
Bluetooth
The role of this body is primarily oversight and fiduciary. 1: Owners 2: Board of Directors (or equivalent) 3: Executive management 4: Chief Information Security Officers
Board of Directors (or equivalent)
Panoply of Plans (NIST SP 800-34 R1)
Business Continuity Plan (BCP) - Overall strategy and plan for sustaining the business Continuity of Operations Plan (COOP) - Business unit plan and procedures for operational activities Crisis Communication Plan (CCP) - Plan and procedures for internal and external communications Disaster Recovery Plan (DRP) - Plan and procedures for recovering technology and facilities Occupancy Emergency Plan (OEP) - Plan and procedures for minimizing loss of life and property Cyber Incident Response Plan (CIRP) - Plan and procedures for mitigating a cyber attack
Process used to identify essential services and MTD
Business Impact Analysis (BIA)
Controls Framework and Guidance
COBIT - Set of control objectives for IT management developed by ISACA and the IT Governance Institute ISO /IEC 27000 Series - International standards of developing and maintaining an information management system NIST SP800-53 - Set of controls to protect information systems belonging to the federal government and private subcontractors NIST Cybersecurity Framework - Designed for public and private use to enhance and measure cyber resilience SANS Critical Security Controls (CIS) - Recommended set of actions for cyber defense. A principal benefit of the CIS is that they prioritize and focus a smaller number of actions with high pay-off results.
Security Testing
Can be automated scanning, manual functionality testing, or a combination with the objective of identifying potential points of exploitation - Commonly tested exploits include input validation bypass, injection, XSS, parameter tampering, cookie poisoning, user privilege escalation, credential manipulation, directory traversal, backdoors and debug options, and configuration subversion.
Disaster Response
Can be either chaotic or orderly. The difference between these two scenarios is established procedures, assigned responsibilities, and practiced response. Disaster response has three immediate goals: - Protect the health and safety of employees, customers, first responders, and the public at large - Minimize damage to property and the environment - Evaluate the situation and determine the next steps
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Can be used for large scopes - Facilitated workshops involving business process teams - Developed at the Carnegie Mellon University Software Engineering Institute (CM SEI)
Connection Methods and Exploits
Cellular - Radio frequency distributed network //Denial of service attacks WiFi - Radio frequency contained network //Multiple (Lesson 30.3) SATCOM - Satellite communications network //Exploit of design flaws that can result in injection, interception, and manipulation Bluetooth - Shortwave network //Bluejacking and bluesnarfing NFC - Near field communication network //Eavesdropping, interception, and theft ANT - "Wearables" sensor network //Eavesdropping, interception, impersonation
In this architecture, the processing unit is a mainframe or terminal host
Centralized computing
A log that establishes evidence integrity
Chain of Custody
Related Infosec organizational roles include:
Chief Risk Officer (CRO) Chief Information Security Officer (CISO) Information Security Officer (ISO) Information Assuance Officer (IAO) or manager (IAM)
Class of fire that involes ordinary combustibles
Class A
Fire Classes
Class of fire / Type of Fire / Type of Extinguisher A - Ordinary combustibles; wood, paper, rubber, fabrics, and many plastics / Water, dry powder, Halon B - Flammable Liquids and Gases: gasoline, oils, paint, lacquer, and tar / Carbon dioxide, dry powder, halon C - Fire involving Live Electrical Equipment / Carbon dioxide, Dry powder, Halon D - Combustible Metals or combustible Metal Alloys / Special agents K - Fires in cooking appliances that involve combustible cooking media: vegitable or animal oils and fats
Tricking a user into clicking on a button, picture, or link
Clickjacking
What it is called if a hash function produces the same output for two different inputs
Collision
Act that makes unauthorized access to US federal government, financial institution system, or any system used for interstate or foreign commerce a crime
Computer Fraud and Abuse Act
US federal laws specific to Computer Crime
Computer Fraud and Abuse Act National Information Infrastructure Protection Act of 1996 Wiretap Act Electronic Communications Privacy Act
Term applied when a compuer is used in the act of committing a crime
Computer crime
Set of activities used to establish and maintain system integrity
Configuration Management(CM)
Center for Internet Security (CIS) Benchmarks
Consensus-bases best practices for the secure configuration of a target system. NOTE: Widely accepted by government, business, industry and academia.
This phase of incident reponse focuses on minimizing damage
Containment
Asset sensitivity generally relates to this characteristic
Content
802.11 Security Protocols
Control / Authentication / Key / Encryption / Integrity / Status WEP / Preshared Key (PSK) or open / 64- or 128-bit key. All users and services use the same key / RC4 Stream Cipher / 32-bit CRC Hash / Insecure WPA / Enterprise RADIUS, certificate or Personal PSK / Separate keys (TKIP), 256-bit key / RC4 Stream Cipher / 64-bit MIC / Temporary fix, Superseded by WPA2 WPA2 / Enterprise RADIUS, Certificate, or Personal PSK / Separate keys, 256-bit key and block size / AES Block Cipher / CCMP / Current standard. Vulnerable if using Wi-Fi Protected Setup (WPS)
Locks
Conventional Lock - Key controlled cylinder - susceptible to "bumping" Pick Resistant Lock - Conventional locks that have complex and difficult to reproduce keys Cipher Lock - Uses a programmable key pad Electronic (digital) Lock - Cipher lock with centralized control and auditing capabilities Biometric Lock - Biometric recognition - may also require a key code
EU law that includes website inform and consent requirements
Cookie Law
Wi-Fi Protected Setup (WPS)
Created by the Wi-Fi Alliance and introduced in 2006, the goal was to make it easy to add new devices to an existing network without entering long passphrases - The PIN flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, within the WPS PIN, the network's WPA/WPA2 pre-shared key - All WPS devices are vulnerable to unauthorized access if not kept in a secure area--an unauthorized user can connect by pressing the WPS button to command the router to make a WPS connection
The burden of proof for this type of case is "beyond a reasonable doubt"
Criminal
This type of plan includes procedures for internal and external communications
Crisis Communications Plan (CCP)
Expanded view of information security to include external relationships and global threats
Cybersecurity
Codependency
Cybersecurity and business continuity are codependent - Conduct regular joint plan review to establish hierarchy of plans - Collaborate in defining incident classifications and thresholds - Merge exercise program coordination efforts - Standardize communication and collaboration tools - Optimize after action (lessons learned) reporting
Automated tools designed to detect and prevent data exfiltration
DLP Data Loss Prevention
This solution is designed to prevent and report on malicious and.or accidental exfiltration
Data Loss Prevention (DLP)
Acceptable Use Policy Elements
Data Protection - Data classification and handling standards Authentication - Login requirements including password standards and use of tokens and.or biometrics Application - Procurement, installation, and licensing Communication - Written and verbal communication use and limitations (including personal email) Internet - Use, activity, and engagement (including social media) Mobile Device - Use, configuration, activity, and device protection Remote Access - Use, configuration, activity, and physical security Incident Reporting - Instructions on how to spot and report suspicious activity
Combining data from different operational systems for further analysis
Data Warehousing
BI Components
Data Warehousing - Combines data from different operational systems so that the data can be queried and analyzed over time Data Mining - Process of analyzing data with tools that look for trends, patterns, correlations, or anomalies resulting in metadata Predictive Analytics - The use of data, statistical algorithms, and machine learning techniques to identify the likelihood of future outcomes based on historical data Aggregation - Data is presented in a summarized format
The term used to descibe a situation where data is exfiltrated, extracted, or there is a loss of internal control
Data breach
Unintential distribution of data
Data leakage
DLP Automation
Data loss prevention (DLP) automated tools are designed to detect and prevent data exfiltration ('unauthorized release or removal of data') -DLP technologies locate and catalogue data based on a predetermined set of handling standards -DLS tools monitor target data while in use, in motion, and at rest
Process of analyzing data for metadata
Data mining
Combining multiple datasources into a larger database for retrieval and analysis
Data warehousing
The log analysis process of filtering out duplicate entries or noise
Deduplication
This type of credential should always be changed before putting a system or application into production
Default
Intellectual Property (IP)
Describes a wide variety of property created by musicians, authors, artists, designers, and inventors. Intellectual property can be used in commerce or can be artistic or literary work. Intellectual property law includes patents, trademarks, copyrights, trade secrets, and software licensing.
Software development model that couples IPPD and Agile processes
DevOps
ISO/IEC 15408 Common Criteria
Developed in 1993 by the ISO, the "Common Criteria' provides a universal structure and language for expressing product and system requirements -Incorporates components of TCSEC, ITSEC, CTCPEC (Canadian Trusted Computer Product Evaluation Criteria), and various Federal criteria -The Common Criteria evaluates products against a protection profile -Common Criteria rating categories are 'functional' and 'assurance' -Results are published in a certified products list
In this architecture, there is no central authority and each node is responsible for its own security
Distributed system
Match the following access control concepts Terms Dual control Need to know Authorization creep Default deny Separation of duties Definitions - Accumulation of access rights and permissions over time - Demonstrated reason for requiring access - Any access or action not explicitly allowed - is forbidden - Breaking a task into separate processes that are assigned to different subjects - Requiring more than one subkect to complete a specific task
Dual control - Requiring more than one subkect to complete a specific task Need to know - Demonstrated reason for requiring access Authorization creep - Accumulation of access rights and permissions over time Default deny - Any access or action not explicitly allowed - is forbidden Separation of duties - Breaking a task into separate processes that are assigned to different subjects
Which term best describes the reasonable care and caution taken before entering to a contract or agreement? 1: Due diligence 2: Director duties 3: Downstream liability 4: Due care
Due diligence
A vairent of this authentication protocol is used in 802.11 wireless networks
EAP Extensible Authentication Protocol
Incident Response (IR) Process - Eradication
Eliminate components of the incident - Examples include deleting malware, disabling breached accounts, mitigating associated vulnerabilities
Removing Unused Programs
Every application has potential vulnerabilities. Applications advertise via listening ports. If the application is not being used, uninstalling it reduces the potential attack surface. - Make sure to remove all components and earlier versions. - If an application is required, ensure that it is included in your vulnerability and patch management programs
Workplace Safety
Every organization has a responsibility to protect personnel and provide safe workplaces. Workplace safety planning includes: - Realistic threat analysis - Written procedures - Awareness traininig - Drills Workplace safety also extends to privacy, monitoring, travel, and off premise work environment
Static Code Analysis
Examination of non-running code (static) for vulnerabilites
Dynamic Analysis
Examination of runnind code for vulnerabilities (automated)
Security Code Review
Examination of source code to verify that the proper security controls are present and work as intended
US federal government classification system
FIPS 199
These US rules apply to electronic evidence, preservation, and presentation
FRCP Federal Rules of Civil Procedures
Capacity of a system to operate even if one or more components fail
Fault Tolerant
Perimeter Gates and Fences
Fencing is the first line of non-natural defense Fencing height guidelines: - Fences 3-4 feet tall deter casual intruders - Fences 6-7 feet are too tall to easily climb - Fences 8 feet and taller deter more determined intruders especially when augmented with razor and electical wire There are 4 Underwriters Laboratory (UL) rate classes of gates (1-4). Each step up requires additional levels of protection - Gates may be opened via an access control system
One of the events this utility reports on is changes to DLLs
File Integrity Checker (FIC)
Filters
Filters are designed to evaluate requests, content, or instructions - Filters can be implemented as hardware appliances or software applications/utilities - Filters can be stand-alone or integrated security services
Information Security Models
Focus on interactions and provide structure and rules to be followed to accomplish a specific objective (e.g. confidentiality, integrity, and availability) -Foundational (lower level) models inclides State Machine, Non-Interference, and Information Flow -Relationship (higher level) models include Bell-LaPadula, Biba, Clark-Wilson, Harrison-Ruzzo-Ullman (HRU) and Brewer Nash
Storage Media Management
Focuses on protecting local, cloud, and removable storage with a focus on access and environmental controls
Fuzzing
Fuzz testing, or fuzzing, is an automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called 'fuzz', and monitoring the application response - A fuzzer is a program that automatically injects data into a program/stack
Process of determining an object's position based on its latitude and longitude
Geolocation
In this architecture, resources are shared in such a way to appear to be one large computer
Grid computing
Set Security Policies
Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment
Designed to help users understand and conform to a policy or standard
Guidelines
Match the following terms: Term: HRU Clark-Wilson Brewer-Nash Bell-LaPadula Biba Definitions -Conflict of interest defense -Integrity enforced by access permissions -No read up. No write down -No read down. No write up -Access triple
HRU - Integrity enforced by access permissions Clark-Wilson - Access triple Brewer-Nash - Conflict of interest defense Bell-LaPadula - No read up. No write down Biba - No read down. No write up
Physical device whose function is cryptoprocessing
HSM Hardware Security Module
User Training
Handling standards should be succinctly documented in a usable format. -Handling standard compliance should be referenced in the Acceptable Use Policy -Users should be introduced to handling standards during the onboarding process. -Handling standards should be reinforced throughout the user lifecycle
This term is applied to the process of configuring security related settings and minimizing vulnerabilites
Hardening
Cryptographic technique used to prove integrity
Hashing
Humidity and ESD
High humidity can cause corrosion and low humidity can cause excessive static electricity. - Relative humidity between 45-60% is acceptable for areas that are processing data. - Electrostatic discharge (ESD) is the release of static electricity when two objects touch. ESD can damage or destroy electronic components. - ESD can be minimized by the use of antistatic grounding workbenches, mats, bags, and wristbands - Electrical storms can increase the ESD risk
Policies
High-level statements (governance communications) intended to communicate rules and expectations and to provide direction. Standards, baselines, guidelines, and procedures support the implementation of a policy.
Honeypots and Honeynets
Honeypots are decoy systems used to attract and examine attacker-activity and techniques - 'High-interaction' honeypots are "live" systems - 'Low-interaction' honeypots emulate the production environment 'Honeynets' are multiple linked honeypots that simulate a network environment
This software monitors and restricts local host ingress and egress traffic
Host Firewall
This host-based software reports on local suspicious activity
Host Intrusion Detection (HIDS)
Circulation pattern where rows of server racks are oriented so that the front of servers face each other
Hot / Cold aisle
This configuration supports adding a component without interruption
Hot Plug
HTTPS
Hypertext Transfer Protocol (HTTP) is the underlying protocol used by websites and defines what actions browsers and webservers should take in response to commands. HTTP is a clear text protocol and subject to eaves dropping, replay and MiTM attacks. - HTTPS (Hypertext Transfer Protocol Secure) is an extension to HTTP that adds support for SSL and TLS in order to encrypt communications between a browser and a website (TCP port 443) - Use case: secure web connectivity and authentication
Software or firmware components that can virtualize system resources
Hypervisor
Business process related to provisioning, education, auditing, and deprovisioning
IAM Identity and Access Management
These systems monitor processes in the physical world
ICS Industrial Control Systems
Entrance / Exit Access Control
ID Card / Badge - Identification card with or without picture (non-electronic) Smart card - Card with integrated circuitry used in conjunction with a card reader Biometric - Use of biometric technology to identify and authenticate a person Access Logs - Requirement to document access (sign in / sign out) Audit Logs - Logs generated by smart and biometric systems Mantrap - Two tier barrier
Network Access Devices
IDS / IPS (Network) - Monitors and reports on intrusions (IDS) and can take action (IPS) Firewalls - Controls ingress and egress traffic Filters - Filters access (e.g. SPAM, Content, DLP. URL) Proxy - Acts on behalf of a client (e.g. forward, transparent) WSG - Web Security Gateway
Email Security -- Secure IMAP
IMAP is used to receive email from an email server to a local email account - Downloaded files remain on the email server -- important if you use multiple devices to access email - IMAP allows clear text authentication (port 143) - Use case: Secure IMAP is an extension of IMAP that supports SSL/TLS for secure login (port 993)
Proactive early warning sign that an attack may be imminent or already underway
IOA Indicator of Attack
Proactive early warning sign of an attack
IOA Indicator of an Attack
Evidence that a system or netowkr has been compromised or exploited
IOC Indicator of Compromise
Substantive or corroborating evidence that a system or netowkr has been exploited
IOC Indicator of Compromise
This protocol is used for addressing and routing
IP
VoIP Related Terminology
IP Convergence - IP as the standard transport for transmitting all information VoIP - Transmission of voice traffic over IP based network IP Telephony - Full suite of VoIP enabled services previously provided by a PBX
IPsec
IPsec is the defacto standard for IP based VPNs - Host-to-host, host-to-site, and site-to-site connections - Native to IPv6 and a bolt-on to IPv4 - Uses cryptography to provide authentication, integrity, confidentiality, and non repudiation
Sector-specific member-driven information sharing organizations
ISACs Information Sharing and Analysis Centers
Information Sharing and Analysis Centers (ISACs)
ISACs collect, analyze and disseminate actionable sector specific threat information to their members and provide members with tools to mitigate risks and enhance resiliency. The concept of ISACs was introduced and promulgated pursuant to Presidential Decision Directive-63 (PDD-63), signed May 22, 1998, after which the federal government asked each critical infrastructure sector to establish sector-specific organizations to share information about threats and vulnerabilies. nationalisacs.org/member-isacs
The process of maintaining awareness of ongoing vulnerabilities, threats, and risks
ISCM Information Security Continuous Monitoring
Developed by a European consortium to evaluate functionality and assurance independently
ITSEC
US Fair Credit Reporting Act (FCRA)
If a consumer report is a factor in a negative hiring decision (adverse action). the applicant is entitled to know the source of information used against them.
Match the following items Terms: Impact Threat Risk Exploit Vulnerability Definition: -Potential danger -Taking advantage of a vulnerability -Magnitude of harm -Measurment of impact and likelihood -Weakness
Impact - Magnitude of harm Threat - Potential danger Risk - Measurement of impact and likelihood Exploit - Taking advantage of a vulnerability Vulnerability - Weakness
Implementation
Implementation objective is to use tools and methodologies uniformly. Reports should be generated for the intended audience. - Automation is employed whenever possible - Interoperable data specifications (e.g. XML and SCAP) are used so data can be collected once and reused as applicable - Operational processes such as patch management are informed by and complement (not replaced by) the ISCM process
Data Integrity
Implied information is known to be good, and that the information can be trusted as being complete, consistent, and accurate.
Managing Risk
Implies that the level of risk is understood, and is either accepted or being actively controlled (treated) and in either case, monitored.
CERT Information Sharing & Disclosure
In the US, identified flaws can be reported to the CERT Coordination Center (CERT/CC). CERT/CC serves as a coordinating body that works with affected vendors to resolve vulnerabilities. - "Vulnerabilities reported to the CERT/CC will be disclosed to public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors" - "Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established staandard may result in earlier or later disclosure"
CDN Hybrid Mode
In the hybrid CDN model, content is served using both dedicated servers and peer-user-owned computers. - Threats include bandwidth usage, P2P distribution of malware, and the introduction of executable files and unauthorized system access - Mitigating controls include firewall restrictions, QoS, and user security awareness training.
This term is used to describe a set of instructions for planning for and responding to a specific scenario
Incident playbook
Handling Standards
Inform custodians and users how to protect the information they use and systems they interact with. -Handling standards dictate by 'classification' level how information must be stored, transmitted, communicated, accessed, retained, and destroyed. -Handling standards may extend to incident management and breach notification -Handling standards extend to automated tools such as DLP (data loss prevention) solutions.
ISM Responsibilities
Information Security Management (ISM) responsibilities: Being a subject matter expert and security champion Managing the information security program Communicating with executive managment Coordinating the budget for information security activities Ensuring the development and upkeep of governance documents
Security objective of hashing is to prove this
Integrity
Security principle related to hashing
Integrity
This security principle relates to unauthorized modification
Integrity
Trademarks
Intended to protect recognizable names, icons, shape, color, sound, or any combination used to represent a brand, product, service, or company Trademark law created exclusive rights ® is used to indicate a registered trademark ™ is used to indicate an unregistered trademark A servicemark ℠ is used to identiry a specific service A trademark or service mark can be renewed every 10 years
This testing evaluates the connection between two or more components
Interface testing
Intruder Incident Response
Intruder access to physical devices can result in a successful attack and exploit - Users should be trained to recognize and report suspicious activity. Users should question intruders only in safe situations - ONLY trained personnel should confront an intruder
Uniquely identified physical devices that have embedded computing system, sensors, actuators and network connectivity
IoT Internet of Things
Identity and Access Management (IAM)
Is a business process with the objective of "enabling the right individuals to access the right resources at the right times and for the right reasons" - IAM functions include provisioning, education, auditing, and deprovisioning - IAM functions takes place throughout the employee lifecycle - IAM functions are a shared responsibility - Managers, owners, HR, IT, physical security, information security, and aduit
Multiprotocal Label Switching (MPLS)
Is a scalable, protocol-independent transport technique for high performance networks. - Operates between OSI Layers 2 and 3 - Data packets are assigned labels (tags) - MPLS label edge routers (LER) make packet forwarding decisions based on the short path label contents and quality of service (QoS) requirements - The LER at the outbound point in the MPLS cloud removes the label and forwards the packet using standard IP routing information
Configuration Management (CM)
Is a set of practices designed to ensure that configuration items are deployed in a consistent state and stay that way through their lifetime
Something You Know
Is a shared secret known to the user and the authentication system - Passwords, passphrases, and PINS are data strings (letters, numbers, symbols) - Cognitive passwords (challenge questions) utilize a preselected question and answer based on fact, opinion, or memory - Out-of-wallet password (challenge questions) are answers to questions derived from subscription databases
Security Assertion Markup Language (SAML)
Is an open standard that provides user authentication and authorization services - One-to-many model End user (Principal) Identity Provider (idP) - SAML-compliant authentication service Service Provider (SP) - SAML-compliant web application
Legal Hold
Is an order that suspends the modification, deletion, and/or destruction of records and media. - A legal hold can be issued to avoid evidence spoliation - Evidence spoliation is the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying evidence
Digital Evidence
Is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device including: - Device memory - Media such as hard drives, USBs. tapes., and other storage devices - Logs, records, and audit trails - Text messages, emails, pictures and videos, and internet searches
Vulnerability
Is defined as a hardware or software weakness that can potentially be exploited. Common examples of vulnerabilities include: - Operating systems and application flaws - Broken versions - Weak ciphers - Improper input/output handling - Poor coding
Supply Chain Dependency
Is defined as the reliance on a source to provide a product or service.
Virtual Private Network
Is designed to facilitate secure remote access communication over a public network. - VPNs are a cost effective alternative to dedicated point to point connections by transforming the Internet into a secure circuit
Session Initiation Protocol (SIP)
Is designed to manage multimedia connections such as VoIP, video calls, and instant messaging over IP. - SIP provides ''integrity protection' by utilizing MD5 hash functions - SIP supports 'encryption mechanisms' including TLS. - SIP privacy extensions include callerID suppression
Redundancy
Is duplication of critical components or functions with the intention of increasing reliability and mitigating the risks associated with single point of failure (SPOF) - Redundancy can be configured to require manual intervention (e.g. spare parts) or to be automatic (fail-over) - 'Passive' (standby) components are inactive until a failure occurs - 'Active' components operate in parallel with the primary system to provide continuous service without noticable inturruption
Location - Somewhere You Are
Is location based - either physical or logical - A physical location can be geographic or situated in proximity to a specific device - A logical location is an IP Address
Authorization Creep
Is the accumulation of access rights, permissions, and privileges over time. - Promotions, lateral moves, cross-training and temporary coverage may contribute to authorization creep.
Fault Tolerance
Is the capability of a system to continue to operate in the event of failure of one or more system components. - Fault tolerant systems rely on redundant components (e.g. power supply, disk storage) - Components are continually monitored for availability - Failures are transparent to users (with the exception of potential degradation of service
Swapping
Is the process of replcaing a failed component - 'Warm swap' is the ability to insert and remove hardware while the system is in a suspended state - 'Hot swap' is the ability to insert and remove hardware while the system is running - 'Hot plug" is the ability to add a component without interruption
Exploitation
Is the stage where the testers explout target systems to compromise them. Depending upon the ROE, this phase may be undertaken as "proof of concept" or actual exploit - 'Persistence' is the act of installing or modifying services, installing malware or rootkits, creating backdoors, and/or creating accounts that will survive reboots. - 'Pivoting' is the act of using a weakness on one system to access a better protected system - 'Escalation of privilege' is the act of exploiting a vulnerability to gain elevated access to a resource
Risk Assessment
Is used to identify inherent risk, the control environment, known vulnerabilities and exposures, threat likelihood and impact and ultimately, the residual risk to the organization - Application security risks include unauthorized access (confidentiality), unauthorized or unintentional modeification (integrity), and disruption (availability). - The risk assessment methodology can be qualitative, quantitative, or hybid - Risk management options include acceptance, mitigation, sharing, transfer, and avoidance
Risk Appetite Statement
It is a board (or equivalent) approved governance document designed to provide guidance on the levels of risk that constituents are empowered to take. Risk appetite definitions can provide consistency in the decision-making process. It enables people to take well calculated risks when opportunities arise, and conversely, to identify when a more cautious approach should e taken to mitigate a threat.
Denial of Service Attack
Jamming - Overwhelming wireless frequencies with illegitimate traffic - Frequency becomes unavailable for legitimate traffic Disassociation (aka Disauthentication) - Spoofing a disassociate message which forces a device to reassociate - Device is continually "knocked offline" - Can be used as a precursor to an Evil Twin attack
Compliance Officer, Information Security Officer, Privacy Officer
Joint responsibility for identification of and ensuring compliance with applicable organizational regulatory, and contractual security and privacy requirements.
Cryptanalysis Approach
Known Ciphertext - A sample of ciphertext is available without the plaintext associated with it Known Plaintext - A sample of ciphertext and the corresponding known plaintext is available Chosen Plaintext - Can choose the plaintext to get encrypted and obtain the corresponding ciphertext Chosen Ciphertext - Can select the ciphertext and obtain the corresponding plaintext.
MPLS device that makes packet forwarding decisions
LER Label Edge Router
Labeling Objective
Labeling is the vehicle for communicating the assigned classification to custodians, users and applications (e.g. access control, DLP). -Labels make it easy to identify the data classification -Labels can take many forms: electronic, print, audio, or visual. -Labels should be appropriate for the intended audience. -Labels transcend institutional knowledge and provide staility in environments that experience personnel turnover
Digital Certificates
Mechanisms used to generate a private key and to associate a public key with a collection of components sufficient to authenticate the claimed owner. - The X.509 standard defines the certificate format and fields for public keys - The X.509 standard defines the distribution procedures. - The current version of X.509 for certificates is v3 - Certificate use object identifiers or OIDs which are globally unambiguous persistent names
Data "about data"
Metadata
Exploit Tools
Metasploit - Attack simulator Wireshare - Protocol analyzer W3AF - Web application attack Backtrack - Packet sniffing and injection Cain & Abel - Cracking encrypted passwords or network keys SQLmap - Exploiting SQL injection
Standard of measurement
Metrics
Incident Response (IR) Process - Containment
Minimize the damage - Examples include shitting down a system, disconnecting it from a network, disaling certain functions
This type of testing identifies if an application can shut down gracefully if it encounters unexpected behavior
Misuse case
Name given to controls used to reduce risk
Mitigating
Performance Measurment
Monitoring and reporting on achievements.
Multimedia and Content
Multimedia includes (but is not limited to): - Remote (virtual) meetings - Instant messaging and chat services - Content distribution networks (CDN)
This function maps private IP addresses to public IP addresses
NAT
Organization that fomalized the ISCM program for federal agencies
NIST (SP 800-126)
This US framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk
NIST Cybersecurity Framework
Information Security Continuous Monitoring (ISCM)
NIST SP800-137 defines ISCM as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management solutions - The ISCM process was designed to support the NIST risk management framework requirement for on-going and iterative monitoring
The US government repository of standards-based vulnerability management data
NVD National Vulnerability Database
The motivation for this adversary can be disruption, IP theft, influence, fear and/or sabatoge
Nation-state
Primary US federal anti-hacking statue
National Information Infrastructure Protection Act
NFC
Near Field Communication (NFC) is a short-range wireless technology that requires close proximity and/or device contact. NFC is rooted in RFID technology -NFC is used in commerce (e.g. contactless payment systems such as Apple pay), smartphone (sharing contacts, photos, videos or files), identity and access tokens, and gaming -Range is less than 20 cm -Security concerns include eavesdropping, interception, and theft
Commonly used privacy framework
OECD Privacy Principles
The purpose of this plan is to create a safe environment for building occupants
Occupant Emergency Plan (OEP)
Provisioning Lifecycle Phase 1
Onboarding, Account Request, User Agreement, Credential Management - Account creation request. Request may be directed in house or to an IDaaS provider - User agreements are signed -- AUP / Confidentiality agreement - User accounts created and group memebership established - Credentials assigned - Orientation training
Intellectual Property Law
Patents Trademarks Copyrights Trade Secrets
All merchants that accept payment cards are required to comply with this standard
Payment Card Industry Data Security Standard (PCI DSS)
The objective of this test is to exploit (actual or proof of concept) weaknesses
Penetration Test
The act of activating malware or configuring services that survive a reboot
Persistence
Frames contain what type of addressing
Physical
Cryptographic Terminology - Cipher
Plaintext (cleartext) - Human readable text Ciphertext - Encrypted and/or human unreadable text Cipher - A technique that transforms plaintext into ciphertext and back to cleartext Algorithm - A cryptographic algorithm is a mathematically complex modern cipher Stream Cipher - Algorithm that works with one bit at a time Block Cipher - Algorithm that works with blocks of data
443 is an example
Port
The use of data mining, algorithms, and machine learning to identify the likelihood of future outcomes
Predictive analytics
This phase of incident response establishes and exercises incident management capability
Preparation
A private sector classification often used to identiry intellectual property
Proprietary
In a firewall ACL, this is expressed as TCP, UDP, or IP
Protocol
Rainbow Tables
Publically available tables of precomputed hashes.
Qualitative
Qualitative risk assessments use descriptive terminology such as high, medium, and low or normal, elevated, and severe
This type of risk assessment uses numeric and monetary values
Quantitative
Quantitative
Quantitative risk assessments assign numeric and monetary values to all elements of the assessment
RADIUS vs TACACS+
RADIUS Protocol - UDP or TCP Ports - 1812 &1813 or 1645 & 1646 Encryption - Only the password Combines authentication and authorization Primary use - Network access TACACS+ Protocol - TCP Ports - 49 Encryption - Entire payload Separates authentication and authorization Primary use - Device administration
This exercise is conducted primarily to check procedure accuracy and familiarity
Read through (Desk Check)
Management validates that rights and permissions assignment are correct
Recertification
This alternate site is based on an agreement with another facility
Reciprocal Site
Metric related to the amount of time allocated for system recovery
Recovery Time Objective (RTO)
Team Descriptions
Red Team - External entities that emulate the behaviors and techniques of likely attackers Blue Team - Internal security team (defenders) Purple Team - Independent 3rd party that monitors both teams in real time, evaluates activity, if applicable, facilitates communication, and recommends enhancements
Duplication of components
Redundancy
eDiscovery (also called electronic discovery)
Refers to any 'process' in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civi; or criminal legal case. -Federal Rules of Civil Procedure (FRCP) and Federal Rules of Evidence (FRE) apply to the process of preparing and producing electronically stored information (ESI), as well as for resolving related disputes.
eDiscovery
Refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. - Federal Rules of Civil Procedure (FRCP) and Federak Rules of Evidence (FRE) apply to the process of preparing and producing electronically stored information (.ESI), as well as for resolving related disputes
Trade Secrets
Refers to proprietary business and technical information, processes, designs, or practices that are confidential and critical to a business Trade secrets do not require any registration and remain the only legal control for IP to remain undisclosed An organization has to take reasonable steps to protect its secrecy
Order of Volatility
Refers to the acquisition of evidence before it disappears, is overwritten, or is no longer useful. The goal is to create a snapshot of the environment as it existed at the time of the attack or incident. For example: - Dynamic data (RAM) - Dump files - Temp files - Log files - Static data (media)
In this type of XSS attack, the user is manipulated into sending a malicious string to the webserver
Reflected
Regulatory Framework
Reflective of regulatory expectations and examination requirements. Well known Framework: FDIC Cybersecurity Assessment Tool (CAT)
Replication Strategies
Replication is an automated process that streams copies of data to one or more locations in real time or near time Point-in-Time - Periodic snapshots replicated. If recplicated, snapshots are pointer-based, just changes transmitted Asynchronous Replication - Write is considered complete as soon as local storage commits. Remote storage updated with a slight time lag Synchronous Replication - Data written in two locations (local and remote). Both write operations must successfully complete before the system can proceed. Guaranteed zero data loss
Controls Guidance
Resources for researching and selecting controls include: -NIST Special Publications 800 Series -NIST Federal Information Processing Standards (FIPS) -NIST National Cybersecurity Framework -National Security Agency (NSA) IA Mitigation Guidance -ISO 27002:2013
Match the Incident Management component with the associated activity Components: Response Preparation Prevention Detective Activities: - Containment - Training - Controls implementation - Monitoring
Response - Containment Preparation - Training Prevention - Controls implementation Detective - Monitoring
Business Continuity Governance
Responsibilities include: - Board of Directors (or equivalent) approval of Business Continuity policies - Board of Directors (or equivalent) oversight of BCP strategies, plans, and testing - Management oversight of BCP preparedness including external parties
Privacy Officer
Responsible for developing, implementing, and administering all aspects of an organizations privacy compliance program.
Codification
Roles and responsibilities should be documented in policies, job descriptions, or employee manuals and supported by agreements such as acceptable use agreements, nondisclosure agreements (NDA), or confidentiality agreements.
This malware family targets OS kernel, boot record, and firmware in order to gain privileged system access
Rootkit
These Layer 3 devices forward packets using IP addresses and protocols such as RIP, OSPF, and BGP
Routers
Routers
Routers are Layer 3 forwarding devices. - Routers forward packets using IP addresses and routing protocols - Access can be controlled via port or IP address ACLs - Routers can perform NAT functions - Routers support different WAN technologies. - Routers support various routing protocols such as RIP, OSPF, EIGRP, and BGP
SCAP Validation
SCAP validation program is implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP) - NISTIR 7511 Security Content Automation Protocol Validation program requirements - NIST validated SCAP products and modules (National Vulnerability Database)
SIEM Reporting
SIEM reporting generally includes: - Automated alerts based on preset triggers (immediate issues) - sent to a dashboard or via a communications channel - Graphic and text security, operational, and compliance reporting
Agreement that specifies the service commitment
SLA Service Level Agreement
An organization has determined that one hour of ecommerce is worth $10,000. If one server in the server farm failed, the ability to service customers would degrade 15%. Based on past experience, they anticipate a failure 3 times a year. Match the quantitative risk assessment components. Terms: SLE AV ARO ALE EF Definitions: -15% -3 -$1,500 -$4,500 -$10,000
SLE - $1,500 AV - $10,000 ARO - 3 ALE - $4,500 EF - 15%
SSAE 18 Report Versions
SOC 1 - Report of controls relevant to user entities financial statements - Agreed upon scope SOC 2 - Based upon Trusted Services Principles (TSP) SOC 2, reports on controls intended to mitigate risk related security, availability processing integrity, confidentiality, and privacy - Organization chooses categories; not controls - Criteria provided by the AICPA SOC 3 - Same as SOC 2 but does not detail testing performed and is designed for public distribution
Appliance that is specifically designed to perform SSL/TLS encryption and decryption functions
SSL/TLS Accelerator
This configuration management variant focuese on the integration of security requirements
SecCM Security-focused Configuration Management
The Future of Secure DevOps
Secure DevOps is a game changer - Developers at the frontline of security - Automated, continuous, and integrated security testing - Resilient applications and infrastructure
This secure protocol is used to download (and delete) emails from a server to an email client
Secure POP3
Email Security -- Secure POP3
Secure POP3 - POP3 is used to receive email from an email server to a local email account. - Downloaded files are removed from the email server (default) - POP3 allows clear text authentication (port 110) - Use case: Secure POP3 is an extension of POP3 that supports SSL/TLS for secure login (port 995)
SSH / SFTP
Secure Shell (SSH) is a cross platform protocol that establishes a secure connection between an SSH server and an SSH client. - SSH is used to administer systems remotely, provide a command shell on a remote network, or tunnel other protocols (TCP port 22) - SSH is a secure replacement for cleartext telnet, rlogin, rsh, and rsync. - SFTP is an extension of SSH 2.0 to provide secure file transfer capabilities - Use case: Remote access and administration
NIST Security Education, Training, and Awareness (SETA)
Security -- Attribute, Level, Objective, Teaching Method, Test Measure, Impact Timeframe Education -- Why, Insight, Understanding, Discussion/Seminar/reading, Essay, Long-term Training -- How, Knowledge, Skill, Lecture/case study/hands-on, Problem solving, Intermediate Awareness -- What, Information, Awareness, Interactive/video/posters/games, True or False/multiple choice, Short-term
Written by the vendor to document product specification (used by the Common Criteria)
Security Target
This category of patch is designed to fix a security vulnerability
Security Update
Application Restrictions
Security policies can be used to control application access - An application 'whitelising' policy allows only applications that are explicitly given permission to execute. All other applications are denied - An application 'blacklisting' policy allows all applications to execute with the exception of those that are explicitly denied
Scope
Selection of assessment objects are influenced by system criticality, information sensitivity, regulatory requirements, and contractual obligations. Relevant scoping elements include: - Size of the system being assessed - Complexity of the environment - Feasibility of sampling
Network Attached Storage (NAS)
Self-contained storage device that connects to the network via IP, supports direct access (mapping), and addresses files by file name
Semi-qualitative (Hybrid)
Semi-qualitative risk assessments assign a numeric weighted scale to the descriptive values (e.g. high=5, medium=3, low=1) and incorporates deterministic formulas
Information that is not classified but still needs distribution controls
Sensitive but Unclassified (SBU) Controlled Unclassified Information (CUI)
When a task is broken down into processes and the processes are assigned to different parties
Separation of duties (SoD)
Recovery Strategies
Should be based on the outcome of a business impact analysis. - The business impact analysis (BIA) identifies the impact of a disruption on 'essential' services, systems, and infrastructure - The outcome of a business impact analysis (BIA) is a prioritized matrix of services, systems, and infrastructure - Recovery strategies encompass facility, technology, data recovery, people, and processes
Online Storage
Should be secured in accordance with its classification and handling standards. The following should be considered: - Location (on-site/off-site) - Country (polotocal and regulatory considerations) - Environmental controls - Physical security - Logical security - Sovereignty/ownership
Covert observation social engineering technique
Shoulder Surfing
Asymmetric encryption is best suited for this relative block size
Small
This type of access card includes integrated circuitry
Smart card
Traditional Backup Rotation Cycles
Son - One full backup cycle (generally daily) - The daily full backups are rotated on a daily basis Father-Son - Two full backup cycles (generally weekly and monthly) - The daily (incremental or differential) backups are rotated on a daily basis - The weekly backups are rotated on a weekly basis Grandfather-Father-Son - Three or more full backup cycles (generally weekly, monthly, and annually) - The daily (incremental or differential) backups are rotated on a daily basis - The weekly backups are rotated on a weekly basis - Monthly backups are rotated on a monthly basis
This is when a neutral, trusted 3rd party holds the source code
Source code escrow
Source Code Vulnerability
Source code vulnerabilities (code weakness) can affect functionality, performance, and security. - Examples of source code vulnerabilities include improper or weak input/output validation, memory vulnerabilities, time and communication issues, and developer access
Match the following items: Terms: Spoofing Poisoning Denial of Service Hijacking Definitions: -Impersonating an address, system, or person -Intercepting and manipulating communications -Overwhelming system resources -Manipulating a trusted source of data
Spoofing - Impersonating an address, system, or person Poisoning - Manipulating a trusted source of data Denial of Service -Overwhelming system resources Hijacking - Intercepting and manipulating communications
Types of Changes (ITIL terminolog)
Standard - Changes that are anticipated in the normal course of business and have established policies and procedures (e.g. patch management) Normal - Changes that must go through the change process before being approved and implented Emergency Changes - Emergency changes are ones which the timing is critical and is subject to the change management process post-implementation
Standards, Baselines, and Guidelines
Standards serve as specifications for the implementation of policy and dictate Mandatory requirements. Baselines are the aggregate of standards for a specific category or grouping such as a platform, device type, ownership or location. Guidelines help people understand and conform to a standard. Guidelines are customized to the intended audience and are not mandatory.
Cipher technique that uses XOR operation and works with one bit at a time
Stream
Access Control Models & Techniques
Subject based - Mandatory access control (MAC) - Discretionary access control (DAC) - Role-based access control (RBAC) - Attribute-based access control (ABAC) Objective based - Rule based access control - Content based access controls - Context based access control - Constrained interfaces
This cipher technique replaces one character or bit for another
Substitution
Cipher Techniques
Substritution Cipher - Replaces one character or bit for another character or bit. The key is the shift pattern Transposition Cipher - Moves characters or bits to another place within the block. The key is the transposition code. Confusion - The process of changing the values. Complex substitution functions are used to create confusion. Diffusion - The process of changing the order. Sending bits through multiple rounds of transposition is used to create diffusion.
Change Management KPIs
Successful Changes - The number of changes that have been completed successfully compared to the total number of completed changes. The higher the percentage of successful changes, the better Backlog of Changes - The number of changes that are not yet completed. While this absolute number depends on the size of the organization, it should not grow over time Emergency Changes - The number of completed "emergency" changes. This absolute number depends on the size of the organization and should not increase over time.
ISO/27005
Supports the requirements of an ISO 27000 information security management system - Does not specify a specific methodology but does detail a structured sequence of iterative processes
Systems Security Engineering [NIST SP 800-160]
System Security Engineering -A specialty engineering disipline of systems engineering -Applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering and other contributing engineering specialties -Provides a fully integrated system-level perspective of system security Security and other Specialties -Performs and contributes to systems security engineering activities and tasks -Contributions are seamlessly integrated through the systems security engineering activities and tasks -Reflects the need and means to achieve a miltidiciplinary, SE-oriented approach to engineering trustworthy secure system
Roles and Responsibilites
System custodians are generally tasked with configuring activity and error reporting and responding to output. - Access to reports may be dependent upon system privileges Security analysts are responsible for analyzing security-related activity and error reporting. They generally are not responsible for authorizing or implementing change - Security analysts typically report to the C/ISO
Procurement Evaluation Criteria
System response time - Time that a system takes to respond to a user query System reaction time - Time it takes to log in to a system or application System throughput - Quality of useful work per unit of time (i.e. data transfer - Mbps) System workload - Ability to handle the anticipated volume of work System utilization - System availability vs system downtime Turnaround time - Time that a vendor takes to 'fix' a problem (post report) Research and Disclosure - Identification of vulnerabilities and public notification Vulnerability Management - Frequency of patch release and post-implementation support End of Life (EOL) - EOL cycle, notification and support **In addition to vendor due dilligence, contractual terms and SLA evaluation
The product or system to be rated (used by the Common Criteria)
TOE Target of Evaluation
Hardware chip responsible for protecting keys, certificates, and hashes specific to the system hardware
TPM Trusted Platform Module
Anti-Remanence Techniques Recap
Technique / Description / Result Wiping - Overwrites all addressable storage and indexing location multiple times --Clearing Degaussing - Using an electromagnetic field to destroy all magnetically recorded data --Purging Shredding - Physically breaking media into pieces --Destruction Pulverizing - Reducing media to dust --Destruction Pulping - Chemically altering media --Destruction Burning - Incinerating media --Destruction
Remote Access Applications
Telnet Terminal Emulation Port 23. Telnet facilitates the connection to a remote system and the execution of commands. - Telnet provides basic authentication (user name and password) - Telnet communication is clear text Secure Shell (SSH) Terminal Emulation Port 22 - SSH facilitates the connection to a remote system and the execution of commands. - SSH creates a secure encrypted tunnel to the remote system Remote Desktop Software (RDP) Port 3389 - Software or OS feature that allows a desktop environment to be run remotely Virtual Private Network (VPN) Port depends upon protocol - VPN is a secure private connection between two endpoints - Host-to-Host, Host-to-Network, or Network-to-Network
Testing Objectives
Testing is used to identify vulnerabilities (weakness), substantiate strengths, and predict the likelihood of exploitation - Testing techniques may include vulnerability assessments, penetration testing, password cracking, and social engineering as well as incident response and disaster response/business continuity exercises. - Testing can be intrusive and can have an operational impact
Archiving
The 'process' of 'securely' storing 'unaltered data' for later potential retrieval. Data should be: -Retained in accordance with a documented schedule -Stored securely in accordance with its classification -Securely disposed of at the end of the retention period NOTE: Backup and replication is the process of making copies of data to ensure recoverability. They are 'distinct' processes
Access Triple
The Clark-Wilson model uses a three-part relationship (subject/program/object) known as 'access control triple' -Users cannot access and manipulate objects directly but must access information through a program
Software End of Life (EOL)
The EOL date is when software is no longer supported by the publisher including features, features, functionality, and security updates - Publishers generally post their EOL policies and provide ample notice - EOL is a particularly vulnerable time if organizations continue to use unprotected operating systems and applications
Kerberos Security
The Kerberos Server should be a hardened single purpose server The Kerberos Server is a single point of failure and should be implemented in high availability mode
PCI DSS
The PCI DSS framework includes stipulation regarding storage, transmission, and processing of payment card data. Six core principles require technical nad operational security controls, testing requirements, and an attestation process.
Gramm-Leach-Bliley Act (GLBA)
The Safeguards Rule requires financial institutions to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Safeguards Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard cursomer information in their care.
Health Insurance Portability and Accounting Act (HIPPA) | Health Information Technology for Economic and Clinical Health (HITECH)
The Security Rule requires covered entitites implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information in their care and shared with business partners.
US Security Regulations
The US does not currently have a national information security standard. There are: Government information security requirements Sector-specific information security regulations State information security laws State data breach notification laws
Audit Report Executive Briefing
The audit report is delivered to the highest level of management (board of directors, audit committee, executive management) as stated by the Audit Charter - If management requests that auditor's assistance in implementing recommendations, the auditor has a duty to carefullt consider how such actions may adversely impact the auditor's independence
Crime Prevention through Environmental Design (CPTED)
The basic premise is that the proper design and effective use of the physical environment can lead to a reduction in the incidence and fear of crime
Normal / Forward Proxy
The clients (browsers) are configured to send requests to the proxy server. - The proxy server receives the request, fetches the content and stores a copy for future use. - The next time another client requests the same web page, the proxy server just replies to the request with the content in its cache thus improving the overal request-reply speed
Trusted Computing Base
The combination of all the security mechanisms within a computer including hardware, software, and firmware
Motivation
The driving force behind any attack. Organizations should identify what information, service, or power an organization possesses that is of value to an adversary
Plans (Programs)
The function of the plan (also known as program) is to provide strategic and tactical instructions and guidance on how to execute an initiative or how to respond to a situation within a certain timeframe, usually with defined stages and within designated resources. A detailed proposal for doing or achieving something
FIPS 199 Security Categories
The generalized format for expressing the security category is: -Security Category of information type (SC) = {(confidentiality, impact), (integrity, impact), (availability, impact)} -Based upon the security category the information system is subject to a set of security requirements
Bell-LaPadula
The goal of Bell-LaPadula model is 'confidentiality'. -'Simple (read) confidentiality rule': A subject cannot read data at a higher security level (No Read Up) as secrets may be revealed to them -'Star [*] (write) confidentiality rule': A subject cannot write information to a lower security level (No Write Down) as secrets may be revealed to others.
Harrison-Ruzzo-Ullman Model (HRU)
The goal of Harrison-Ruzzo-Ullman Model (HRU) is integrity. -A finite set of operations can be performed on an object to ensure integrity -Enforced by access permissions
Encryption
The goal of encryption is confidentiality Turn cleartext to ciphertext: Cleartext --> Cipher + Key -> Ciphertext Turn ciphertext to cleartext: Ciphertext --> Cipher + Key --> Cleartext
Biba
The goal of the Biba model is 'integrity' -Simple (read) integrity rule: A subject cannot read data at a lower security level (No Read Down) as they might be misled. -Star [*] (write) integrity rule: A subject cannot write information to a higher security level (No Write Up) as they might mislead others
Clark-Wilson
The goal of the Clark-Wilson model is data integrity. -Prevent unauthorized users from making modifications -Prevent authorized users from making improper modifications -Maintain internal and external consistency NOTE: See Access Triple
Supply Chain Risk Management (SCRM)
The implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure continuity. Activities include: -Inclusion in the enterprise risk management program -Supply chain due dilligence -Clear and consistent communication rebaseline requirements and expectations -Contingency plans -Ongoing monitoring
Risk Appetite
The level of risk that an entity will accept in pursuit of its mission and objectives. Risk appetite can vary by category of risk
Lightweight Cryptography
The majority of modern cryptographic algorithms were designed for desktop/server environments. Many of these algorithms cannot be implemented in resource constrained devices (e.g. automotive systems, Internet of Things [IoT], smart grid). *Embedded systems -Emerging lightweight cryptographic algorithms are being developed to support low power devices as well as low latency and high resiliency requirements
Risk
The measurement of likelihood and impact of a threat event. Risk is inherently neight good nor bad. Risk taking can be beneficial and it's often necessary for advencement. Risk taking can be detrimental and result in undesireable consequences
Secure Staging
The process of planning, scheduling and controlling the movement of developed or acquired code. - The primary goal is to protect the integrity of the "live" production environment and ensure that security baselines are met. - Environment, in the context of secure staging, refers to the hose device (physical or virtual) including connectivity
Asset Classification
The purpose is to ensure that assets are properly identified and 'protected' throughout their lifecycles. Asset classification inform handling instructions, control decisions, audit scope, and regulatory compliance activities. -Information assets are generally classified by 'content' -Infrastructure and physical assets are generally classified by 'operational criticality'.
STAGE (aka Pre-PROD)
The staging environment (STAGE) is used to ensure that the application behaves as expected and confirms that is does not adversely impact existing applications - The staging environment should mirror the production environment - No actual code development should ever take place on a staging server (no developer permissions). - Security testing should always take place at this stage - Rolback procedures should be tested - Management approval (sign-off) should be given before an application moves into production
Attacker-centric
The threat models start with identifying an attacker and then evaluate the attacker's goals and potential techniques
Software Development Project Models
There are multiple models that can be used for software development - Models can be sequential, iterative, incremental, or a hybrid - A project plan may call for development of a prototype sample of the code for proof of conecpt purposes - Applications that are subject to a strict certification may need to include a 'cleanroom' approach, which is a structured and formal method of development and statistical quality control with the goal of eliminating defects prior to release
Information Security Policies
These codify the high-level requirements for protecting information and information assets and ensuring confidentiality, integrity, and availability. Written information security policies may be a regulatory or contractual compliance requirement. Each aspect of the information security program should have corresponding policy documents. Policies must be approved by executive management
Body that makes the final decision regarding (ISC)2 Code of Ethics complaints
(ISC)2 Board of Directors
What would be the best order to collect the following evidence types? Static data Dynamic data Dump files Log files
1: Dynamic data 2: Dump files 3: Log files 4: Static data
Which of the following Common Criteria components is written by the product vendor? 1: Security target 2: Assurance matrix 3: Protection profile 4: Target of evaluation
1: Security target
These asset inventory applications is used to discover and document devices and characteristics such as services, users, and groups. 1: Audit tools 2: Enumeration tools 3: Configuration tools 4: Mapping tools
2: Enumeration tools
This emerging connection method is primarily used in commerce. 1: ANT 2: RFID 3: NFC 4: Bluetooth
3: NFC
Content Distribution Network (CDN)
A large distributed system of servers, Internet service providers, and network operations. - The goal of a CDN is to serve content to end users with high availability and high performance
Indicator of Attack (IOA)
A proactive early warning sign that an attack may be imminent or already underway.
Access Management
Access management controls are security mechanisms that control how subjects and objects communicate and interact with each other and the flow of information. - A 'subject' is an 'active entity' that requests access to an object or to the data within an object - An 'object' is an entity being accessed or the item being acted upon.
Accountability
Accountability is the process of tracing actions to the source.
The process of an authority granting approval to operate a product, system, or process
Accreditation
An attack that uses a voltage glitch to cause a program to malfunction
Active Side Channel
Control Implementations
Administrative (Managerial) Physical Technical (Logical)
Audit opinion rendered when the target is not in conformance or when the evidence is misleading or misstated
Adverse opinion
A switch that provides connectivity for other switches
Aggregation switch
Compensating
Alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment or financial constraints
Audit Examination Opinions
An audit examination report can provide three types of opinions: unqualified, qualified, and adverse. - Unqualified opinion is rendered when the auditor does not have any significant reservations - Qualified opinion is rendered when there are minor deviations or scope limitations - Adverse opinion is rendered when the target is not in conformance with the control objectives or when the evidence is misleading or misstated.
Risk Management Framework
An information security risk management framework should complement the organizations' risk management framework and be in conformance with regulatory requirements.
This replication process considers "write" complete as soon as the local storage commits
Asynchronous replication
Organization that is leading the international fight against software IP theft
BSA
Model that states no simple down, no * up
Biba
US regulation that governs online collection and use of data for minors under 13
Children's Online Privacy Protection Act (COPPA)
CPU Protection Rings
Conceptual boundaries that control how processes are executed. A 'process' is a set of instructions and assigned resources. -Each process has a PID (process ID) and a level of trust (ring number) assigned to it. -The level of trust determines the level of access to system resources, drivers, and data
This type of assessment is known to a limited subset of personnel
Covert
Board of Directors | Equivalent
Decision-making body such as owners, managing partners, or applicable government officials' responsibilities include: Oversight and authorization Fiduciary, legal, and regulatory responsibilities Standards of due care and due dilligence
The term applied to a key or algorithm known to be "weak"
Deprecated
Dual Control & Separation of Duties
Dual control is the practice of having more than one subject or key required to complete a specific task (requestor and approver) Separation of duties is the breaking down of a task into processes that are assigned to different subjects so that no one subkect is in complete control
Legal term applied to the standard of care exercised by a prudent person
Due Care
The term used to describe the investigation of a business or person generally before entering into a contract.
Due Dilligence
This phase of incident response focuses on eliminating the threat
Eradication
In a BIA context, this means the absence of the service would cause irreparable harm
Essential
This occurs when a threat agent successfully takes advantage of a vulnerability
Exploit
This backup rotation has two full backup cycles
Father-son
Architecture that uses collaborative edge computing devices for local resource pooling
Fog computing
Directors & Executive Management
From a legal, regulatory, and fiduciary perspective, they are ultimately responsible for the actions (or inactions) of the organization.
EU Data Protection Regulation that also address the export of personal data outside of the EU
General Data Protection Regulation (GDPR)
Rights
Generally refer to the ability of a subject to take an action; for example, the right to log on remotely, install software, and create user accounts - Rights can be assigned to user accounts, group accounts, or resources
Device Tracking
Geolocation Geofencing
Application Layer Protocols (Not Inclusive)
HTTP - Formatting and transmitting FTP - File transfer SMTP - Email transmission DNS - Host/domain to IP translation RIP - Routing protocol SNMP - Remote host management
This port 443 protocol is used to encrypt data communications between a browser and a website
HTTPS
Cyber Threat Actors
Hacker / Script Kiddies Organized Crime Hacktivist Nation-states Insiders Competitors
Fingerprint for Authenticity & Integrity
Hash of the original media Hash of the examined media Hash of the cloned media
Intercepting communications between two or more systems
Hijacking
This cloud deployment model facilitates portability of data and applications between public and private cloud infrastructures
Hybrid Cloud
IP Convergence
IP Convergence is the use of the Internet Protocol (IP) for transmitting different types of traffic (e.g. voice, data, music, video, TV, teleconferencing) over a single network - Introduces standardization - Reduce the number of service providers - Introduces single point of failure (SPOF) - Introduces consolidated attack vectors
Full suite of VoiP enabled services previously provided by a PBX
IP Telephony
Information Systems Assets
Information and information system assets should be assigned to an 'owner' (steward) and a 'custodian'.
Principal that focuses on protection from unintentional, accidental, or inadvertent change
Integrity
A framework can also be the basis of a common evaluation by:
Internal stakeholders External auditors Third parties
Global Approach to Privacy
Internationally, the OECD Privacy Principles (www.oecd.org) is the most commonly used framework. Principles include collection limitation, data quality, purpose specification, use limitation, security safeguard, openness, individual participation, and accountability. Canadian - Personal Information Protection and Electronic Documents Act (PIPEDA) Mexican - The Protection of Personal Data Held by Private Companies European Union Data Protection Directive (EU DPD) / General Data Protection Regulations (GDPR)
Inherent Risk
Level of risk before treatment
Business Impact Metrics
Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO) Recovery Time Objective (RTO) Recovery Point Objective (RPO)
Risk Managment
Mitigate risk to an acceptable level.
Complementary Organizational Roles
Privacy Officer Compliance Officer Physical Security Officer Internal Audit
Used by organizations to identify PI and determine how to treat the data
Privacy Threshold Assessment
Accounts that have the most powerful rights
Privileged
A device that does not comply with NAC policies is places in this zone
Quarantine
This entity offloads some of the work from the CA
RA Registration Authority
Testing that should be done after an update is implemented
Regression testing
Hypervisor
Software or firmware components that can virtualize system resources. - Type 1 (bare metal/native) hypervisors run directly on the system hardware - Direct access to hardware. No operating system to load as the hypervisor is the operating system (e.g VMWare VCenter) -Type 2 (hosted) hypervisors run on a host operating system that provides virtualization services - Type 1 is faster and more efficent but with greater hardware requirements and expense
Symmectric Encryption
Symmectric means the 'same' key is used to encrypt and decrypt -Symmetric key may also be referred to as 'single' key, 'shared' key, or 'session' key. The key dictates what parts of the algorithm will be used, in what order, and with what values.
This software controlled failover requires two primary systems. Each machine monitors the other (heartbeat) and takes over when a failure occurs
Symmetric High Availability
Use Case
Symmetric and Asymmetric ciphers work in tandem. - Symmetric encryption best suited for encrypting 'large data' blocks - Asymmetric encryption is best suited for encrypting 'small data sets' and is generally used for key exchange and digital signatures
Object-based Access Controls
Technique - Description - Enforcement Rule-based - Access based on situational if-then statements - Global policy, Rules Content Dependent - Filter based on the data being acted upon - Keywords, Categories Context Dependent - Access based on collection or sequence of actions - Rules, Security Policy Constrained Interface - Menus and shells - Database views - Access restricted by functionality - Design, configuration
VPN Tunneling
VPNs isolate the network frames from the surrounding network using a process known as 'encapsulation' or 'tunneling' - Full tunneling requires all traffic to be routed over the VPN - Split tunneling allows the routing of some traffic over the VPN while letting other traffic directly access the Internet
This process is used to track and document baseline configurations over time
Version control
Engineering for Success [NIST SP 800-160]
"Don't focus on what is 'likely' to happen--but instead, focus on what 'can' happen and be prepared. -This means proactively planning and designing to prevent the loss of an asset that you are not willing to accept; to be in a position to minimize the consequences should such a loss occur; and to be in an informed position to reactively recover from the loss when it does happen."
Code - Browser Specific Attacks to Know
'Cross-Site Scripting' --Injection of malicious code that executes in a browser - Resulting in session hijacking, redirection, or bypassing access controls 'Cross-site Request Forgery' --Exploiting the trust relationship between a website and a browser - Resulting in unauthorized access and theft and/or credential modification
Grid Computing
'Grid computing' is a sharing of CPU and other resources across a network (often the Internet - e.g. seti@home project) in a way that all machines function as one large computer. Grid participants can be heterogeneous and multitasking Security considerations: -Transmission between nodes -Authentication controls -Activity isolation
Spoofing Attacks to Know
'IP Address Spoofing' - Using a trusted IP address for authentication - Using a trusted IP address to receive a response - Using a fake IP address to disguise the sender - Using an appropriated IP address to redirect an attack 'MAC (Media Access Control) Address Spoofing' - Using a trusted MAC address for access - Using a trusted MAC address to circumvent licensing - Using a fake MAC address to mask the identity of a device
Detective
'Identify' and 'report' a threat agent, action, or incident
Code Attacks to Know
'Injection' --Tricking an application into including unintended commands - Executing unauthorized commands or obtaining access 'Buffer Overflow' --Writing excess data into system memory that overruns the buffers boundary and overwrites adjacent memory locations - Executing authorized commands 'Refactoring' --Restructuring code without changing external behavior - Manipulating code with malicious intent
Large-scale Parallel Systems
'Large-scale parallel systems' are disparate systems working in concert. Examples include cluster computing, grid computing, and cloud computing. Security considerations: -Distributed ownership and management -Dependencies (SPOF) -Force multiplier effect (dramatic increase efficiency and/or capability -Big data aggregation
Relationship (higher level) models
'Relationship' security models address the interaction between subjects and objects -'Subjects' are active entities, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state -'Objects' are passive entities that contain or teceive information or instructions
ICS/SCADA Threats and Vulnerabilities
'SCADA' usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (e.g. electrical grid, oil and gas pipelines) Security considerations: -Weak authentication -Use of outdated OS -Inability to patch systems -Unauthorized remote access
Preventative
'Stops' a threat agent from being successful
Notable US State Legislation
(2003) SB 1386 the California Security Breach Information Act (2010) 201 CMR 17 Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts Data protection requirements including encryption www.ncsl.org End of life destruction/disposal requirements www.ncsl.org Data breach disclosure and notification requirements www.ncsl.org
Body that investigates the opines on (SIC)2 Code of Ethics complaints
(ISC)2 Ethics Committee
Block Cipher Modes
**Electronic Codebook (ECB) - Each block is independent (doesn't hide patterns--not suitable for long messages). **Cipher Block Chaining (CBC) - Includes an initialization vector (IV) and a component of the previous ciphertext to leverage randomization. Counter (CTR) Mode - Does not have any dependencies. Converts block cipher to a stream cipher using XOR functions Galios/Counter Mode (GCM) - An efficient mode of operation for symmetric key cryptographic 128-bit blocks. GCM can take advantage of parallel processing **Most likely a question on test for ECB and CBC
Quantitative Risk Assessment Elements
- Asset value (AV) expressed in $ - Exposure factor (EF) expressed as a % - Single loss expectancy (SLE) expressed in $ - Annualized rate of occurence (ARO) expressed in # - Annualized loss expectancy (ALE) expressed in $ - Cost/benefit analysis (CBA) expressed in $
Alternate Site Contract Considerations
- Availability - Access - Priority - Usage - Equipment - Warranties - Audit - Testing - Security
Mobile Workplace Challenge
-The lack of traditional technical security - The lack of traditional physical security protections -Need for local storage -The mixing of personal and business use -The opportunity for mobile devices to be malicious code carriers
A Business Impact Analysis (BIA) is used by management to:
-Understand organizational continuity requirements -Make investment decisions -Guide the development of incident response, disaster recovery, and business contingency (continuity) plans
This dence is designed to deter casual intruders 1: 3-4 feet tall 2: 6-7 feet tall 3: Berm 4: Razor wire
1: 3-4 feet tall
Arrange the levels of a capabilities maturity model Quantitatively managed Defined Optimized Managed Ad hoc
1: Ad hoc 2: Managed 3: Defined 4: Quantitatively managed 5: Optimized
Which key should Bob use to send Alice a confidential encrypted message? 1: Alice's public key 2: Bob's private key 3: Bob's public key 4: Alice's private key
1: Alice's public key
Which of the following statements best describe the relationship between change management and configuration management? 1: Change management is a subset of configuration management 2: Change management and configuration management are unrelated 3: IT is responsible for configuration management and Audit is responsible for change management 4: Both change management and configuration management rely on documented baselines
1: Change management is a subset of configuration management
WSG Workflow
1: Client is configured to use WSG as proxy server 2: Client URL request is filtered through the WSG 3: The WSG analyzes the destination website files, content, and requests 4: Decision to connect or block
This software or appliance is tasked with enforcing security policies "in the cloud" 1: Cloud access security brokers 2: Proxy servers 3: Managed service providers 4: DLP
1: Cloud access security brokers
Test and Operational Data Flor
1: Collect Output 2: Analyze Data 3: Produce Actionable Intelligence 3 Types of actionable intelligence: Operational Metrics - Operational metrics drive vulnerability, threat, and risk management operational and control decisions Key Performance Indicatore - Inform management Business Intelligence - Supports alignment and long-term planning
"Read our hundreds of great reviews" is an example of this social engineering principle. 1: Concensus 2: Familiarity 3: Trust 4: Authority
1: Concensus
Which of the following is not an evidence collection imperative? 1: Creating a media clone 2: Maintaining an evidentiary chain 3: Acting in order of volatility 4: Avoiding contamination
1: Creating a media clone
Match the roles with the descriptions Roles: 1: Custodian 2: Internal Audit 3: Owner 4: Information Security Officer 5: Physical Security Officer 6: Compliance Officer Descriptions: 1: Responsible for a subset of information 2: Management and monitoring of protection mechanisms 3: Identifying building and facility risks and mitigation 4: Assessment of controls commensurate with policy 5: Ensuring conformity with laws and regulations 6: Managing the information security program
1: Custodian - Management and monitoring of protection mechanisms 2: Internal Audit - Assessment of controls commensurate with policy 3: Owner - Responsible for a subset of information 4: Information Security Officer - Managing the information security program 5: Physical Security Officer - Identifying building and facility risks and mitigation 6: Compliance Officer - Ensuring conformity with laws and regulations
Which of the following processes prevents injection attacks? 1: Input and output validation 2: Sanitization 3: Rejection of user supplies input 4: Encrypted session controls
1: Input and output validation
Threat Intelligence Program Workflow
1: Planning 2: Collection 3: Distribution 4: Analysis 5: Action
The Board of Directors votes affirmatively to allow the organization to operate an e-commerce site for the next twelve months. Which term below best describes this vote? 1: Acceptance 2: Affirmation 3: Accreditation 4: Authority
3: Accreditation
This group is responsible for determining maximum tolerable downtime (MTD). 1: Board of directors 2: IT department 3: Business unit 4: Information security department
3: Business unit
_________ best describes the use of the IP protocol to transmit a variety of formats including voice, data, multimedia, television, and music 1: Open standard 2: Unified communications 3: Convergence 4: Extensibility
3: Convergence
The term applied to a weak crypto component. 1: Broken 2: Downgraded 3: Deprecated 4: Exploitable
3: Deprecated
Which statement below best describes control effectiveness? 1: Effectiveness is how often a control is used 2: Effectiveness is what control does 3: Effectiveness is how well a control works 4: Effectiveness is how much value a control adds
3: Effectiveness is how well a control works
Reporting and ongoing security monitoring are emphasized in this regulation that specifically applies to federal agencies 1: GLBA 2: HIPAA 3: FISMA 4: FERPA
3: FISMA
This type of procedure is generally used if decision making is required. 1: Simple step 2: Graphic 3: Flow chart 4: Hierarchal
3: Flow chart
One of the mitigation strategies for this vulnerability is input and output validation 1: Broken authentication 2: Weak cryptographic controls 3: Injection 4: XSS
3: Injection
Which one of the following actions has the highest priority? 1: Destruction policy 2: Owner control 3: Legal hold 4: Retention schedule
3: Legal hold
This is the first canon of the (ISC)2 Code of Ethics. 1: Advance and protect the profession 2: Provide dillegent and competent service to principles 3: Protect society, the common good, necessary public trust and confidence, and the infrastructure 4: Act honorably, honestly, justly, responsibly, and legally
3: Protect society, the common good, necessary public trust and confidence, and the infrastructure
The objective of this type of disaster recovery exercise is accuracy and familiarity with plans and procedures 1: Parallel 2: Full-scale 3: Read-through 4: Walk-through
3: Read-through
A DLP solution is configured to quarantine any email that contains credit card numbers and notify the sender that the email has stopped. What control classification and implementation best apply to this scenario? 1: Technical control implementation, compensating control classification 2: Administrative control implementation, detective and deterrent control classification 3: Technical control implementation, detective and preventative control classification 4: Administrative control implementation, detective and corrective control classification
3: Technical control implementation, detective and preventative control classification
Which statement best describes the concept of privacy 1: The right of an individual to know how personal information is secured 2: The right of an individual to be compensated for use of personal information 3: The right of an individual to control the use of their personal information 4: The right of an individual to correct or delete their personal information
3: The right of an individual to control the use of their personal information
Symmetric algorithm that uses a 64 bit key and puts the block through 48 rounds of substitution and transposition
3DES
This family of malware can self-replicate and takes advantage of network transport to spread 1: Virus 2: Spyware 3: Trojan 4: Worm
4: Worm
-Data Encryption Standard (DES)
64-bit key size / 16 rounds of substitution and transposition -1977 established a US Government standard -1998 demonstrated that it could be "broken" in less than 56 hours
Arrange the policy lifecycle in the correct order. 1: Approve 2: Adopt 3: Reauthorize 4: Write 5: Publish 6: Plan
6: Plan 4: Write 1: Approve 5: Publish 2: Adopt 3: Reauthorize
Privacy Threshold Assessment (PTA)
To identify PII that has been acquired by the organization and to determine how to appropriately treat the data. PTAs generally include the following information: -Description of the system -What PII, if any, is collected or used -From whom is the PII collected and why -Archiving requirements -Protection requirements (regulatory, contractual, and ethical) NOTE: PTAs are used extensively by the US Federal Government
Enterprise Security Technologies
Tools - Purpose - Output Application whitelising - Explicitly specifies allowed applications - Application access (allowed and denied) Removable Media Control (RMC) - Controls access to and use of removable media (USB, CD/DVD) - Media access (allowed and denied) Advanced Malware Tools - Identify malicious code that could evade or subvert anti-virus software - Suspicious or malicious files. Suspicious or malicious endpoint activity. Suspicious or malicious traffic Patch Management Tools - Inventories patches, identifies missing patches, manages deployment - patch inventory, missiong patches, patch deployment schedule, patching errors
This US National Security classification is applied when disclosure is expected to cause exceptionally grave danger to national security
Top Secret
National Security Definitions
Top Secret (TS) - Expected to cause 'exceptionally grave' danger to national security. Sectet (S) - Expected to cause 'serious damage' to national security Confidential - Exprected to cause damage to national security Unclassified - No threat to national interest
Log Analysis Tools
Trend/Variance Detection Decision Engine - Identifies anomalies in system or user behavior Signature Detection Decision Engine - Identifies "known" event or sequence of events Security Information and Event Managment (SIEM) - Automation tool - SIEM solutions offer real time data capture (continuous monitoring), event correlation analysis, and reporting - SIEM produccts can analyze data from many sources, identify significant events, report outcomes, and send alerts - SIEM products can integrate with threat intelligence feeds - SIEM products can also include security knowledge bases, incident tracking, and reporting capabilities
Number of algorithms needed to produce a digital signature
Two *Hashing algorithm *Digital signature algorithm
Metadata
Type - Description - Examples File System Metadata - Created by the operating system and includes file attributes and security permissions - File size, location, creation date, date of last access, data of last write, and whether a file is hidden, compressed, or archived Application Metadata - Created by the specific application and includes user and file activity information - Title, author, subject, keywords, creation and modification dates, time in use, and revision history Pseudo Metadata - Created by the user and is hidden or embedded in the document - Comments, track changes, formulas, speakers notes, embedded graphics, and audio or video files
Smart Cards Types and Features
Type - Security features - Specific Use Smart Card - Embedded chip and one or more certificates - N/A Common Access Card (CAC) - Smart card that includes a picture of the user. Used for both visual identification and computer access. - DoD Personal Identity Verification (PIV) - Smart card that includes a picture of the user. Used for both visual identification and computer access. - Federal Agencies Contactless Card - Contactless smart card that can be read without inserting into a reader device (read range 1-3') - N/A Proximity Card - Contactless smart card that can be read without inserting into a reader device (Read range up to 15") - N/A
Point-in-time SSAE18 audit type
Type 1
This type of hypervisor has direct access to hardware
Type 1
Match the SSAE related term with the correct description Terms Type 1 Type 2 SOC3 SOC2 SOC1 Descriptions - Based on Trusted Service Principles - Measures effectiveness for a specific period - Designed for public distribution - Point in time report - Relevant to user entities financial statements
Type 1 - Point in time report Type 2 - Measures effectiveness for a specific period SOC3 - Designed for public distribution SOC2 - Based on Trust Service Principles SOC1 - Relevant to user entities financial statements
SSAE 18 Types
Type 1 - Reports on controls placed in operation as of a point in time. Evaluation of design and implementation; not operating effectiveness Type 2 - Reports on the design, implementation and operating effectiveness over a period of time (generally six or twelve months) - Includes test of operating effectiveness results - Emphasis on evidntial matter The cover of the report will either show an "as of" date or a period of time - e.g. September 1, 2018 - August 1, 2018
Sensitive but Unclassified (SBU)
US federal agencies use the Sensitive but Unclassified (SBU) designation when information is not classified but still needs to be protected and requires strict controls over its distribution. There are over 100 different labels for SBU including: -For official use only -Limited official use -Sensitive security information -Critical infrastructure information Executive order 13556 created a standard designation Controlled Unclassified Information (CUI). Implementation is in progress.
A border security device that performs multiple security functions including firewall, IDS/IPS, and filtering
UTM
Electronic Communications Privacy Act
Unauthorized access or damage to electronic messages in storage.
Computer Fraud and Abuse Act
Unauthorized access to federal government, financial institution system, or any system used for interstate or foreign commerce.
Something that must occur before the next task can successfully execute
Upstream dependency
Example of this SE principle "Act before it is too late"
Urgency
Threat Modeling
Use threat modeling to anticipate the threats to which the software will be subjected. Threat modeling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in design, code, and test cases
x.509 v3 Digital Certificate Fields
Version - Version # of the certificate Serial Number - Unique identifier Signature - Algorithm used to sign the certificate Issuer - Name of isurer Validity - Valid date of certificate Subject Name * - Name of owner Public Key - Public key of named owner Issuer Unique ID - ID of the Certificate Authority Subject Unique ID - ID of subject **Some certificates will include a Subject Alternate Name (SAN) that allows the owner to specify additional host names (sites, IP addresses, common names)
Term applied to an environment when the number of virtual machines are out of control
Virtualization Sprawl
VM Sprawl and Avoidence
Virtualization sprawl occurs when the number of virtual machines is out of control -- potentially unmanaged, unnecessary, and not in compliance with licensing agreements. - Virtual machines should be treated the same as physical computers and subject to asset management, capacity, and configuration management
OWASP 20q7 #1 Injection
Vulnerability = Injection Description - Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL) Flaw - Improper input/output validation Impact - Can result in unauthorized access, data exfiltration, and data corruption Mitigation - Use of "safe" API. Positive "whitelist" input and output validation
Cookie Law (EU)
Web cookies inform and consent requirements ec.europa.eu
Web Vulnerabilities
Web systems are paticularly vulnerable due to their level of exposure, accessibility, and rapid rate of change. -Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code -System owners, developers, and system administrators need to work together to ensure that the entire stack is configured properly. -Resource OWASP Top 10 owasp.org
High profile phishing target
Whale
Within Site
Within site includes: - The area within the perimeter up to the boundary of the asset or building
Digital certificate standard
X.509
This vulnerability allows an attacker to inject malicious code that runs in the victim's browser
XSS
Traditional Computing Environment
"Traditional" computing environments encompass a variety of architecture and processing models including: -Centralized -Client/Server -Distrubuted -Large Scale -Grid -ICS/SCADA
Poisoning Attacks to Know
'ARP Cache Poisoning' --MAC-to-IP address resolution - Using a poisoned ARP cache to redirect traffic to a malicious host - Using a poisoned ARP cache to stop traffic 'DNS Cache Poisoning' --Domain/host name-to-IP address resolution - Diverting website traffic to a malicious site - Diverting website traffic to a non-existent site
Deterrent
'Discourage' a threat agent from acting
Data abstraction, data hiding, and steganography can all be classified as this type of data protection control 1: Access managment 2: Obfuscation 3: State 4: Cryptographic
2: Obfuscation
Baseline Configuration (BC)
A set of specificaitons for a 'configuration item (CI)', that has been reviewed and agreed on (authorized), and which can be changed only through change control procedures
Mathematically complex modern cipher
Algorithm
Hybrid Solution
Alice wants to send Bob an encrypted message. Use a symmetric cipher and a session key to encrypt the message. Use asymmetric cipher and bob's public key to encrypt the session key. Both encrypted messages are sent at the same time. Bob's private key decrypts the session key which is then used to decrypt the encrypted message from Alice
Strategic Alignment
Aligning departmental strategies with business strategy to support organizational goals.
Privileged Escalation
Attacker focuses on obtaining elevated access to resources that are normally protected from an application or user
Opportunistic Attack
Attacker takes advantage of a vulnerable target (not previously known to them)
Amplification
Attacker uses an amplification factor to multiply its power
Threat Categorization Models
Attacker-centric Archietecture-centric Asset-centric
Examples of this inventory attribute include local, server, and cloud
Location
The process of keeping logs that normally would be discarded because they contain records of activity of particular interest
Log preservation
Another name for a technical control
Logical
Logistics
Logistical considerations include location, timing, and notification Location - Access to the target (physical and logical) - Account creation (physical and logical) Timing - Business vs nonbusiness hours - Production vs maintenance window Notification - Internal, third party, customer
Geolocation
Process of determining an objects position based on its latitude and longitude (GPS, cell triangulation, WiFi proximity, IP address) - Active device/user tracking - Locate a lost device - Multifactor authentication
The process of finding, acquiring, and buying goods and services
Procurement
Hashing
Produces a visual representation of a data set Variable Length Input --> Hash function --> Unique One-way Fixed Length Output (Fingerprint) *The original message remains intact
How non-statistical sampling selection is determined
Professional judgement
Employee Awareness Programs
Programs should include: -Onboarding (inital and at 3 months) which includes policies, best practices, social engineering, duress, and reporting suspicious activity. -Annual compliance and "hot topic" training (instructor-led, recorded, online) -Videos, demonstrations, examples, and interactive quizzes are very effective -On-going awareness program which includes posters, games, contests, prizes and surveys -As needed, situational awareness communications
Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
Contract with a 3rd party that specifies the level of performance that is expected
SLA Service Level Agreement
AV * EF = ?
SLE Single Loss Expectancy
NIST Special Publication Series #
SP-800
This secure protocol is used to minimize the impact of packet loss
SRTP Secure real-time Transport Protocol
Controls report standard designed by the AICPA
SSAE 18
Audit assessment standard commonly used by technology oriented service organizations
SSAE18 SOC2
Cross platform secure replacement for cleartext telnet, rlogin, rsh, and rsync
SSH
Remote access application that creates a secure encrypted terminal emulation session
SSH
Protocol developed in 1995 to establish a secure TCP communications - now considered deprecated
SSL
VPN protocol that uses a client side browser
SSL (TLS)
This environment should mirror the production environment
STAGE
This log analysis tool identifies "known" events
Signature Detection
Card with integrated circuitry used in conjunction with a card reader
Smartcard
A class of techniques used to manipulate people by deception
Social Engineering
Software Security
Software (application security) is based on the CIA objectives - Confidentiality of the information stored, processed, and transmitted - Integrity of the data and the system - Availability of the application to authorized subjects and objects
Software Encryption
Software encryption generally relies on symmetric block ciphers. - Software encryption can be applied at different layers in the storage stack including disk, partition, operting system, application, database, folder, and file level.
Potentially intrusive activity used to identify vulnerabilities (weakness), substantiate strengths, and predict the likelihood of exploitation
Testing
This intellectual property mechanism is designed to protect a brand or product representation
Trademark
Cost vs Complexity vs Availability
Traditional Recovery - Tape backup - Low complexity - Low cost - Recovery measured in hours to days Enhanced Recovery - Automated Solutions - Medium complexity - Low cost - Recovery measured in hours to days - More recoverable data Rapid Recovery - Asynchronous replication - High complexity - Moderate cost - Recovery measured in hours Continuous Availability - Synchronous replication - High complexity - High cost - Recovery measured in seconds
Attribute = how Objective = skill
Training
Assigning risk to other parties
Transference
Risk Assessment
Used to identify the level of risk. Risk is assessed by evaluating the combination of the 'likelihood of occurence', and the 'impact' if the circumstance or event occurs. The target of a risk assessment can be internal systems/process or external supply chain relationships (e.g. vendors, business partners)
Group responsible for interacting with information systems in accordance with organizational policies and standards
Users
This function explicitly enforces the convenience principle of allow all and restrict only what is harmful
Blacklist
Type of sampling that includes all items in a certain time period or sequence
Block sampling
The Bluetooth attack exploits a protocol weakness to takeover a device
Blueborne
Requiring more than one subject or key to complete a task
Dual control
Requiring more than one subject to complete a specific task
Dual control
Policy Attributes
Endorsed Relevant Realistic Attainable Adaptable Enforceable Inclusive
Endpoint IDS/IPS
Endpoint ISD/IPS (known as HIDS - host IDS) monitors and analyzes local behavior as well as network connectivity and can (if IPS functionality is available) be configured to take a corresponding action
Colorless, odorless gaseous halocarbon fire suppression with no residue. Safe for human beings
FM-200
Regulation that requires safeguarding electronic health information
Health Insurance Portability and Accountability Act (HIPPA)
This detection approach continually trains itself on behavior and accumulates learned knowledge
Heuristic
Cloud based service related to creating and managing accounts
IDaaS Identity-as-a-Service
Demonstrated reason for access
Need to know
Who should be allowed to alter log files
No one
The term applied to the use of IP for transmitting different types of traffic over a single network
IP convergence
This multidisciplinary management technique was pioneered by the DoD
IPPD Integrated Product and Process Development
This device can monitor, report on, and respond to intrusions
IPS
Defacto standard protocol for VPN connections
IPsec
IPsec Modes
IPsec can be implemented in two modes: - Transport mode is used for end-to-end protection between client and server. - The IP payload is encrypted - Transport is the default mode of IPsec - Tunnel mode is used between server-server, server-gateway, or gateway-gateway (two direct endpoints) - The entire packet is encrypted
In this cloud service model, the customer is provided with "bare metal" resources
IaaS Infrastructure-as-a-Service
User Name
Identification is generally expressed as a user name - User names should conform to an adopted naming convention - User names should be unique for accountability - User names should be nondescriptive
This type of test evaluates performance in normal and peak conditions
Load
Distribution of workloads across multiple computing resources
Load balancing
Load Balancer
Load balancing improves the distribution of workloads across multiple computing resources and prevents resource overload (resulting in a denial of service) - One of the most commonly used applications of load balancing is to provide a single internet service from multiple servers, sometimes known as a server farm
Load Balancer Scheduling
Load balancing scheduling techniques include affinity, round-robin DNS, and persistence. - Affinity is the process of associating a user's IP address with a single server. - Persistence is the process of associating application layer information with a single server - Round-robin DNS associates multiple IP addresses with a single domain name. Clients are given IP addresses in a round-robin fashion
Denial of Service (DoS)
Overwhelming system resources Enables an attacker to make services unavailable for their intended use
Role responsible for decisions related to classification
Owner
Their responsibilities include assigning an asset value, classifying the asset, and authorizing access permissions
Owner (Steward)
Members of management responsible for protecting a subset of information and/or systems
Owners
Examples include Social Security number and biometric data
PI, PII, or NPII Personal Information Personally Identifiable Information Non-public Personal Information
In this cloud service model, the computing resources and the underlying operating system is provided
PaaS Platform-as-a-Service
The term used to describe the social engineering technique of entering a building close behind or with authorized personnel
Piggybacking / Tailgating
When an unauthorized person enters a checkpoint close behind or in concert with authorized personnel
Piggybacking/Tailgating
Term used to describe the use of unlicensed software
Piracy
The unauthorized copying or distribution of software
Piracy
First step in a threat intelligence program workflow
Planning
High-level governance documents
Policies
High-level statement intended to communicate rules and expectations and to provide direction
Policy
The outcome when operational synergies and efficiencies are achieved
Process Integration
Data Mining
Process of analyzing data with tools that look for trends, correlations, or anomalies resulting in metadata.
This type of media storage should be physically separated from other hardware and access to switches restricted 1: SAN 2: Mobile 3: Removable 4: DAS
1: SAN
Group responsible for approval of BCP policies and oversight or strategies
Board of Directors (or equivilent)
This intellectual property mechanism is designed to protect a novel invention
Patent
Right of an individual to control use of their personal data
Privacy
This development methodology is built on the premise that collaboration between developers and operational teams is essential 1: Secure DevOps 2: DevOps 3: Zachman 4: SABSA
2: DevOps
Which of the following is a true statement? 1: Incremental restore is faster 2: Differential backs up all files created or modified since the backup 3: Incremental has a higher restore success rate 4: Differential resets the archive bit
2: Differential backs up all files created or modified since the backup
Which of the following penetration testing approaches provides the mose useful assessment of incident response capabilities? 1: White box 2: Double blind 3: Grey box 4: Blind
2: Double blind
Which IDS/IPS determination is the most problematic? 1: False positive 2: Fase negative 3: True negative 4: True positive
2: Fase negative
An organization should have very mature processes in place before initiating this type of disaster recovery test. 1: Tabletop 2: Interruption 3: Parallel 4: Functional
2: Interruption
In this access control model, access is based on the relationshop between the subject's clearance and need to know and the object's classification level 1: DAC 2: MAC 3: RBAC 4: ABAC
2: MAC
__________ is a suite of technical specifications for communicating security flaws and configuration information 1: DOD 5220:22M 2: SCAP 3: ISCM 4: CVE
2: SCAP
This solution generally provides real time data capture, event correlation analysis, and reporting 1: NAC 2: SIEM 3: UTM 4: DLP
2: SIEM
The US public sector labels "for official use only", "limited official user", and "critical infrastructure information" are used for this classification 1: Confidential 2: Sensitive but unclassified 3: Proprietary 4: Unclassified
2: Sensitive but unclassified
Which of the following best describes a zero day threat? 1: A threat that is in the wild and has the potential to cause significant harm 2: The potential exploit of a vulnerability for which a fix has not yet been released 3: Denotes the day a threat was identified 4: A vulnerability that has been publicly announced
2: The potential exploit of a vulnerability for which a fix has not yet been released
A web application authenticates and connects to an e-commerce backend database and updates the order entry table. Identify the relationship. 1: The web application is the object and the e-commerce database is the subject 2: The web application is the subject and the e-commerce database is the object 3: The web application and the e-commerce database are both subjects 4: The web application and the e-commerce database are both objects
2: The web application is the subject and the e-commerce database is the object
This issue arises when the number of VM devices spiral "out of control" 1: VM Escape 2: VM Sprawl 3: NSX 4: VDI
2: VM Sprawl
The objective of __________ software testing is to determine if the application can gracefully handle invalid output or unexpected behavior 1: unit 2: negative 3: validation 4: multi-condition coverage
2: negative
Which of the folliwing is not a true statement about archiving? 1: Archived documents should not be modified. 2: Archived documents should be securely disposed of at the end of the retention period 3: Archived documents should not be backed up 4: Archiving documents should be stored securely in accordance with its classification level
3: Archived documents should not be backed up
Which authentication system does Active Directory incorporate? 1: Federated Identity 2: Shared Credentials 3: Kerberos 4: Enterprise SSO
3: Kerberos
Term that describes the use of IT solutions that are managed outside of and without the knowledge of the IT department 1: Outsourcing 2: SecaaS 3: Shadow IT 4: CASB
3: Shadow IT
* and simple properties describe what a subject can to to an obkect. What are the * and simple properties? 1: *=delete, simple =write 2: *=modify, simple=read 3: *=read, simple=write 4: *=write, simple=read
4: *=write, simple=read
This agreement generally includes a no expectation of privacy and electronic monitoring clauses. 1: Remote Access Agreement 2: Nondisclosure Agreement 3: Service Level Agreement 4: Acceptable Use Policy Agreement
4: Acceptable Use Policy Agreement
This sampling method might include all items in a selected time period, numerical sequence or alphabetical sequence. 1: Statistical 2: Stop and Go 3: Fixed 4: Block
4: Block
Which of the following is generally not included in an ROE document? 1: Data handling requirements 2: Target environment 3: Reporting expectations 4: Engagement fee
4: Engagement fee
Which of the following is not a significant ICS/SCADA issue? 1: Difficulty patching systems 2: Weak authentication 3: Unauthorized remote access 4: Excessive power consumption
4: Excessive power consumption
An organization wants to ensure that in an emergency situation all exits will default to unlocked. This approach is best described as? 1: Shelter in place 2: Evacuation friendly 3: Fail secure 4: Fail safe
4: Fail safe
The primary motivation of this threat actor is making a political statement. 1: Hacker 2: Cyber-terrorist 3: Nation-state 4: Hacktivist
4: Hacktivist
This concept promotes using automation to replace rather than fix 1: Baselining 2: Infrastructure as code 3: Continuous integration 4: Immutable systems
4: Immutable systems
Which statement best describes the use of KPIs? 1: KPI's drive risk management decisions 2: KPI's support long term planning 3: KPI's measure threat levels 4: KPI's measure progress towards meeting performance targets
4: KPI's measure progress towards meeting performance targets
In this type of attack, the attacker takes advantage of a vulnerable target 1: Targeted 2: Zero day 3: Amplification 4: Opportunistic
4: Opportunistic
This exploitation technique uses a weakness on one system to access a better protected system 1: Persistence 2: Teaming 3: Escalation of privileges 4: Pivoting
4: Pivoting
These are high level statements intended to communicate rules and expectations. 1: Baselines 2: Guidelines 3: Standards 4: Policies
4: Policies
A business unit has determined that their application has a MTD of 2 hours. Which statement below supports this requirement 1: MTO = 2 2: RTO = 2 3: RPO < 2 4: RTO < 2
4: RTO < 2
Influencing the state of the resource between time of checks and time of use is known as? 1: Code reuse 2: Maintenance hook 3: Covert channel 4: Race condition
4: Race condition
__________ access controls are based on situational if-then statements. 1: DAC 2: Role-based 3: Constrained Interface 4: Rule-based
4: Rule-based
Which secure protocol minimizes the risk of VoIP denial of service attack? 1: SMTP 2: SSH 3: SSL 4: SRTP
4: SRTP
This is the practice of concealing a file within another file 1: Encryption 2: Aggregation 3: Cryptanalysis 4: Steganography
4: Steganography
Internet of Things (IoT)
"The Internet of Things is the network of physical objects or 'things' embedded with electronics, software, sensors, and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator, and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure" --Wikipedia -Consumer-oriented devices with bias towards usability and ease of access. -Architected, deployed, and managed with a noticeable lack of attention to security
Type of biometric marker that includes fingerprints and retina scans
Physiological
Hijacking Attacks to Know
'Man-in-the-Middle (MiTM)' --Spoofing and/or poisoning - Exploiting real-time processing of transactions, conversations or data transfer 'Replay' --Capturing and reusing packets - Reusing authentication data / credentials - Replaying the packe over and over causing a denial of service 'Man-in-the Browser (MitB) --Internet version of MiTM - Manipulating the browser to control a session including what is displayed 'Session Hijacking' - Stealing session cookies to "take over" a user's active session
Inventory Tools
'Network mapping tools' are used to create physical and logical diagrams. -Popular network mapping tools include Solarwinds, Spiceworks, ManageEngine, and Nmap 'Network enumeration tools' discover and document devices and characteristics such as operating systems, open ports, listening network application and services, shares, users, and groups. -Popular enumeration tools include DumpSec and Nessus 'Audit tools' are designed to track licenses and unlicensed software. -www.bsa.org/anti-piracy/tools-page
Mobile Device Ownership & Deployment
- Company-owned Business Only (COBO) - Choose Your Own Device (CYOD) - Company-owned Personal Enabled (COPE) - Bring Your Own Device (BYOD)
Local Storage Primer
- Direct Attached Storage (DAS) - Network Attached Storage (NAS) - Storage Area Network (SAN) - Network Unified Storage (NUS)
Business Impact Analysis Process
- Identify Essential Services & Dependencies (Business) - Determine Maximum Tolerable Downtime (MTD) - Determine Recovery Point Objective (RPO) (DATA) - Identify Infrastructure and Dependencies - Determine Current RTO & RPO - Gap analysis - Report to Management
Penetration Test Phases
- Passive Reconnaissance - Active Reconnaissance - Attack Planning - Attack and Exploitation - Reporting - Remediation and Retesting
Data Breach Disclosure & Notification Requirements
- Sector-specific federal security legislation have breach notification requirements. - 48 states, DC, Guam, Puerto Rico, and the Virgin Islands have data breach notification requirements related to the disclosure of PII. - Data Protection Directive / GDPR (EU) has breach disclosure and notification standards and requirements - PCI-DSS has breach notification requirements.
Digital Infrastucture Attack Categories
- Spoofing - Poisoning - Hijacking - Denial of Service (DoS) - Code
Cyber Attack Terms to Know
- Targeted Attack - Opportunistic Attack - Amplification - Privileged Escalation - Advanced Persisten Threat (ATP) - Zero-day
Company-owned Personal Enabled (COPE)
- Users get issued a device for both professional and personal use - Company owned
Company-owned Business Only (COBO)
- Users get issued a device for professional use - Company owned
Choose Your Own Device (CYOD)
- Users get to select their own device for professional use - Company owned
Bring Your Own Device (BYOD)
- Users get to select their own device for professional use - User owned
Symmetric Algorithms
-Data Encryption Standard (DES) -Triple DES (3DES) -Advanced Encryption Standard (AES) (Rijndael) Others to recognize: Blowfish, IDEA (used on PGP), Twofish (open source), RC4 (stream cipher - considered insecure. Used in WEP)
Sourcing Decision Making Process
-Define the product, function, or service to be outsourced. -Define the requirements -Define the associated metrics -Identify any legal, regulatory or contractual obligations -Identify risks and risk mitigation strategies -Conduct due dilligence reviews -Codify the relationship -Monitor the supply chain
Why are embedded devices vulnerable?
-Devices are desiggned for functionality and convenience -- not security -Devices are powered by specialized computer chipts/RTOS. The chips are inexpensive and profit margins slim. Strong incentive to use open source operating systems and components. Often the software is outdated. -Little incentive to maintain chips/RTOS. Often, patches are not available. If available, expertise to install is rare or the incentive nil.
Qualitative Methodologies
-NIST SP 800-30 -Facilitated Risk Analysis Process (FRAP) -The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) -ISO/27005
This plan addresses the overall strategy and plan for sustaining a business 1: BCP 2: DRP 3: CCP 4: OEP
1: BCP
Disaster Recovery Plan (DRP) Lifecycle
1: BIA 2: Assess current environment 3: Select and define strategies 4: Develop plans and procedures 5: Train users 6: Exercise the plan 7: Review/update the plan 8: Audit the plan
Arrange the DRP life cycle components in the correct order - Develop plans and procedures - Review and update the plan - Define strategies - Train users - BIA - Exercise the plan
1: BIA 2: Define strategies 3: Develop plans and procedures 4: Train users 5: Exercise the plan 6: Review and update the plan
Secure Aquisition & Implementation
1: Business and resiliency requirements 2: Define selection criteria 3: Review security documentation 4: Understand configuration options 5: Conduct an initial risk assessment 6: Make GO | STOP decision 7: Conduct a vendor assessment 8: Make GO | STOP decision 9: Evaluate in test environement (dummy data) 10: Update risk assessment 11: Business unit decision 12: Install and test 13: Move into production and monitor 14: Vulnerability and patch management support
This type of mobile device is owned by the organization and is configured for both personal and professional use. 1: COPE 2: COBO 3: CYOD 4: BYOD
1: COPE
Trusted Certificate Lifecycle
1: CSR - Certificate Signing Request (CSR) 2: Certificate is issues 3: Certificate is published 4: Certificate is received 5: Certificate Installed 6: Certificate renewed, suspended, revoked or expired 7: Key is destroyed
This social engineering technique is accomplished when an intruder enters a building in the company of others 1: Tailgating 2: Covert observation 3: Whaling 4: Impersonation
1: Tailgating
This type of assessment is used to identify personal information that has been acquired by the organization and to determine how to treat the data 1: Privacy threat assessment 2: Privacy threshold assessment 3: Privacy risk assessment 4: Privacy impact assessment
2: Privacy threshold assessment
This secure protocol does not use SSL/TLS 1: Secure POP3 2: SFTP 3: HTTPS 4: FTPS
2: SFTP
Minimum fence height to deter determined intruders
8 feet
This 802.11 standard addresses security
802.11i
Rules of Engagement
A rules of engagement (ROE) document details the parameters and expected assessor conduct of the assessment (exam/test) ROE components include: - Scope - Level of expertise / methodology - Logistics and communication plan - Data handling requirements - Reporting expectations - Assessor responsibilities - Legal considerations
Bluetooth
A shortwave radio low power technology for exchanging data based on the 802.15 standard. Bluetooth uses include headsets, hearing aids, wireless speakers, PC input/out, health sensors, real-time location systems, GPS receivers, bar codes, traffic control devices, and game consoles -Range is 10-24m depending on the version Subject to bluejacking, bluesnarfing, and Blueborne -Bluejacking is injecting an unsolicited message -Bluesnarfing is unauthorized device pairing -Blueborne exploits protocol weakness to "take over" the device
Kerberos
A single sign-on (SSO) system that can be embedded in operating systems and directory services (including Microsoft Active Directory) to provide secure 'mutual' authentication - Mutual authentication is when both the subject and the object (resource) identify themselves to each other
Shibboleth
A standards-based, open source software for web SSO across or within organizational boundaries - The Shibboleth software implements widely used federated identity standards, primarily SAML to provide a federated SSO and attribute exchange framework. - Shibboleth also provides 'extended privacy functionality' allowing a user and their home site to control the attributes released to each application
Agreement that details proper use of information and information systems
AUP Agreement Acceptable Use Policy Agreement
These locks have complex and difficult to reproduce keys
Pick Resistant
Infernence
Ability to derive information that is not explicitly available.
This policy allows only applications that are explicitly given permission to execute
Application whitelisting
Emanations Security (EMSEC)
Attackers can use radio signals, sounds, and vibrations to obtain information. Protection mechanisms include shielding, filtering, and masking. - TEMPEST is a NSA and NATO emanation certification program that includes both classified and unclassified protection standards - Fiber optic has no electromagnetic emanations
Weak Implementation
Attackers take advantage of misconfigurations, weak keys, broken or deprecated versions. - 'Deprecated' means that the use of the algorithm and key length is allowed, but the user must accept some risk (weakness). - 'Broken' means that the algorithm and/or key length is exploitable
Windows Update Service is an example of this patch management approach
Automated
This disk image can be used to restore operating system files
Automated System Recovery (ASR)
Fuzzing
Automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called fuzz, and monitoring the application response
Principle that relates to operations and accessibility
Availability
This change management KPI tracks the number of changes that are not yet completed
Backlog
Three principles of physical security
Deter, detect, and delay
Asymmetric algorithm primary used for key exchange
Diffie-Hellman
The outcome of this drives the recovery strategy
BIA Business Impact Analysis
Process of making copies of data for recoverability purposes
Backup or Replication
Group ultimately responsible for the actions of the organization from a fiduciary perspective
Board of Directors
Governance Ecosystem
Board of Directors Executive Management Organizational Roles Functional Roles
Network Unified Storage (NUS)
Consolidate file based and block based access in one storage platform, combining the NAS and SAN model
Configuration Guidance
Can be in the form of a narrative, checklist, spreadsheet, or installation files. Changes should be subject to configuration management and change control processes.
Power Protection
Category / Description / Mitigating Control Blackout - Prolonged period without power / Battery backup (UPS), Alternate power supply (generator), Supplier diversity [ Brownout - Prolonged period of low voltage Sag - Moment of low voltage Surge - Prolonged period of high voltage Spike - Moment of high voltage - Voltage regulators, surge protectors, power line conditioners, battery backups (UPS) ] Power Supply Failure - Failure of internal power supply or fan / Redundant power supply
Optimal location within a building for a Data Center
Center of the facility
Class of fire that involves live electrical equipment
Class C
Online Backup Strategies
Cloud Backup Services - Scheduled backup to an Internet location Disk Shadowing - Data is written to (and read from) two or more independent disks. Process is transparent to the user Electronic Vaulting - Files copies as they changed and periodically transmitted to a backup location Remote Journaling - Transaction logs copied and periodically trasmitted to a backup location Automated System Recovery (ASR) - Disk image that can be used to restore OS files
Software Security Assessment Options
Code assessment - Examination and testing of code Vulnerability assessment - Identification of known vulnerabilities Configuration assessment - Review of configuration and audit settings Security testing - Testing to identify potential exploits Risk assessment - Determaning the application inherent and residual risks Application audit - Independent review of functionality and effectiveness Logging and monitoring - Ongoing activity review Regression test - Testing conducted whenever a change is made to the code
This type of control is substituted when another control cannot be used due to organizational or environmental limitations
Compensating
CASE Tools
Computer-aided Software Engineering (CASE) suites include diagramming aids, a library of standard function source code, tools to define application programming interfaces (APIs), version control tools, code review tools, and project management tools
Environmental Impact
Computers, electronic equipment, and transmission media are sensitive to environmental factors such as heat, humidity, air flow, and power quality - Environmental imbalance can impact stability, availability, and integrity - HVAC systems should be continually monitored and set to alarm for deviations - HVAC system access to controls should be restricted and changes logged
Principle that only authorized subjects have access
Confidentiality
Security principle related to encryption
Confidentiality
Security-focused CM
Configuration management has trafitionally been the domain of the IT department - Security-Focused Configuration Management (SecCM) builds on the general concepts, processes, and activities of configuration management and focuses on the security requirements of the organization and information systems
This cipher outcome used complex substitution functions
Confusion
Role tasked with responding to activity and error reporting
Custodian
Their responsibilities include implementing protection mechanisms and monitoring for violations
Custodian
Functional role responsible for implementing, managing, and monitoring protection mechanisms
Custodians
Convergence
Cyber (information) and physical security controls and responsibilities overlap. A convergence model recogizes the relationship and promotes cooperation and coordination - The consequences of unauthorized (malicious) physical access to information systems and devices can be significant
The anti-remanence result of pulverizing, pulping, burning, and shredding
Destruction
Forcing a system to use a lesser crypto mode
Downgrade attack
This environment is used for experimentation, proof of concept, and code development
DEV
This filter blocks certain files from being exfiltrated
DLP
Data Emanation
Data emanation (or signal emanation) is the electromagnetic (EM) field generated by a coax or copper cable or network devices, which can be manipulated to eavesdrop on conversations or to steal data. - A Faraday cage or shield is an enclosure used to block electromagnetic (EM) fields (incoming and outgoing) - Faraday bags are often used in digital forensics to prevent remote wiping and alteration of criminal digital evidence
Software Piracy
Defined by the Business Software Alliance as the "unauthorized copying or distribution of copyrighted software Piracy includes copying, downloading, sharing, selling, or installing multipple copies on to personal or work computers The Digital Millennium Copyright Act (DMCA) makes it illegal to create products that circumvent copyright protections such as a license key
The desired result of a "jamming" attack
Denial of Service
Departmental Considerations
Departmental business continuity plans should be reviewed in light of the following considerations: - Are cybersecurity and data protection requirements taken into account? - Have recovery sites (including work from home) been evaluated for technical and physical security? - Have 3rd parties and external resources been vetted and do they have appropriate agreements in place? - Does the department know how to "speak" to cybersecurity issues?
National Framework
Designed for use in a specific country or consortium (e.g. USA, EU) Well known Framework: NIST Cybersecurity Framework
Control classification used to discourage a threat agent
Deterrent
Control Classifications
Deterrent Preventative Detective Corrective Compensating **Note: A control can (and often does) have miltiple classifications depending upon context.
Control Cross-Over Examples Door Alarm (Physical Control)
Deterrent - Discourages use of an alarmed door Preventative - N/A Detective - Reacts to the door being opened or threshold crossed Corrective - Sounds an alarm that might scare off the intruder
The term used to describe when software will no longer be supported
End of Life (EOL)
Match the following cryptographic objectives Terms: Digital certificate Encryption Digital signature Hashing Objectives: Integrity Nonrepudiation Confidentiality Authentication
Digital certificate - Authentication Encryption - Confidentiality Digital signature - Nonrepudiation Hashing - Integrity
A message digest that has been encrypted with a private key
Digital signature
Cryptographic technique used for non-repudiation
Digital signature
Roles and Responsibilities
Directors & Executive Management Compliance Officer, Information Security Officer, Privacy Officer Owners Stewards Custodians Users
DRP Training Objectives
Disaster recovery requires a team effort. Disaster recovery training objectives vary by audience. - BOD, executives, and business line management objective is insight and endorsement - DR teams objective is knowledge and competency - General population objective is awareness and instruction
A confirmed (or high probability) breach may trigger this public-facing activity
Disclosure and notification
This sampling approach is used when illegal activity is suspected
Discovery (or Exploratory) sampling
Data is written to (and read from) two or more independent disks
Disk shadowing
Clearing technique that overwrites addressable storage multiple times
Disk wiping
Physical Infrastructure
Disruption or destruction of physical structures and facilities.
Rummaging through trash in search of information
Dumpster Diving
Duress
Duress is the threat of harm that may result in a person taking an action that they would not normally do. - Scenario analysis can be used to identify potential situation, determine controls, and provide training to potential targets - Enforcing least privilege, dual control, and separation of duties minimizes the impact of duress - In all cases, personnel safety is paramount
Each block is independent in this block cipher mode
ECB Electrionic Codebook
Power
Electrical power supplied to electronic devices must have consisten voltage and a minimum of interference. - Devices need to be protected against surges, spikes, sags, brownouts and blackouts
This process copies files as they are changed and periodically transmits them to a backup location
Electronic vaulting
This is the release of static electricity when two objects touch
Electrostatic discharge (ESD)
Secure Deletion
Ensures that the deleted file or file fragments cannot be retrieved and/or reconstructed. Techniques to counter data remanence include: 'Clearing' - The removal of data in such a way that data cannot be recovered using 'normal system functions of recovery utilites' 'Purging' The removal of data that 'cannot' be reconstructed by 'any known technique' 'Destruction' - The physical act of destroying media in such a way that it cannot be reconstructed.
Storage Area Network (SAN)
Enterprise-level storage network of devices. They are connected by a high speed private network using fiber channel, FCoE, or iSCSI connections
The term used to describe services that must be provided during a disruption of services
Essential
Incident Response (IR) Process - Preparation
Establish incident management capability
Threat Intelligence
Evidence-based knowledge about an emerging threat that can be used to inform control decisions. The true value of threat intelligence is in its application. Changing the security model from reactive to proactive - if you understand your adversaries, you can develop tactics to combat current attacks and plan better for future threats.
This attack uses a rouge access point to spoof an SSID
Evil Twin
Spoofing Attack
Evil Twin - Rogue access point with the same SSID - Enables an attacker to "trick" a user into connecting to an attacker controlled network - May also impersonate a "captive portal" to capture credentials and/or payment information - Can be used as a stepping stone to a MiTM attack
Passive assessment activity with minimal anticipated operational impact
Examination
Supply Chain Risks
Examples: -Loss of control (process, product, service) -Degradation or disruption of service -Single point of failure (SPOF) -Non-compliance -Poor vulnerability management -Limited visibility -Unreported incidents -Business failure
Code
Exploiting weaknesses in server or client side code or applications. Enables an attacker to take control
When a threat agent successfully takes advantage of a vulnerability
Expoit
A system or software configuration issue or lack of a control that could contribute to a successful exploit or compromise
Exposure
This type of certificate verifies a domain and an organization subject to additional vetting (aka "green bar")
Extended Validation
Additional functionality or the modification of existing functionality without significantly altering the original structure or data flow
Extensibility
US federal law that requires consumer report adverse action disclosure
FCRA Fair Credit Reporting Act
This arrangement makes a "portable identity" possible
FIM Federated Identity Management
This US regulation requires federal agencies to undergo periodic assessments
FISMA
The combination of FTP and SSL
FTPS
Authenication Factors
Factor - Description - Implementation Knowledge - Something a user knows - Password/Passphrase, PIN Possession - Something a user has - Token, smartcard Biometric - Something a user is and something a user does - Physiological, behavioral Location - Somewhere a user is - GeoIP, Facility, Device proximity
This principle implies that in an emergency situation, controls will default to locked
Fail-secure
Biometric Accuracy
False Reject Rate (FRR) - Type 1 Error False Accept Rate (FAR) - Type 2 Error Crossover Error Rate (CER)
US regulation that requires educational institutions to protect the privacy of student records
Family Educational Rights and Privacy Act (FERPA)
An enclosure that blocks electromagnetic fields
Faraday cage
Relative computational efficiency of symmetric encryption
Fast
Symmetric vs Asymmetric
Feature / Symmetric / Asymmetric # of keys / Single shared key / Key pair Block Sizes / Large / Small Processing / Computationally efficient / Computationally intensive Strength / Difficult to break (large keys) / Smaller key sizes Scalability / Not scalable / Scalable Key Exchange / Key exchange is inherently insecure / Key exchange distribution system
Regulation that requires federal agencies to secure their systems and data
Federal Information Security Management Act (FISMA)
What an aggregation of resources that dramatically increases efficiency or capability is known as
Force multiplier effect
The process of collecting, preserving, examining, analyzing, and presenting evidence
Forensics
Number of mandatory canons in the (ISC)2 Code of Ethics
Four Canons
Supporting Processes
Four important internal processes support the software development process: - 'Configuration management' is used to support the development of baselines and standards/ - 'Version control' tracks files, source code, and configurations over time - 'Change control' manages changes to artifacts, such as code changes or documentation changes - 'Provisioning' deploys (makes available) versions to various resources for simultaneous development
Relationship to a subcontractor used by a third party
Fourth party
A logical structure used to document and organize processes
Framework
Disclosure
Full disclosure is when a publisher notifies users as soon as a vulnerability is confirmed (even if a patch is not yet available) - The publisher response to a software flaw that creates a security vulnerability is (should be) to develop and distribute fixes known as updates or security patches
Hardware-based mechanism for automatically encrypting all data written to the drive
Full disk encryption (FDE) / Self encrypting drives (SED)
Validation that a security control exists
Functionality
What a control does
Functionality
Functionality & Effectiveness
Functionality is what a control does. Effectiveness is how well a control works. - Effectiveness is a reflection of the control's consistent, complete, reliable, and timely operation
RTO are tied to this time frame
Future
DR Plan Audit (verification and validation)
Governance - Authorized by the Board of Directors (or equivalent body) Management - Supported by management inclusive of funding and resourcing Documentation - Up to date written plan, procedures, and supporting documentation Compliance - Conformance with regulatory requirements, contractual obligations, and SLAs Responsibilities - Individual, team, and departmental responsibilities assigned and understood 3rd Parties - 3rd party contracts match plan requirements Testing - Plan and procedures exercised, results documented, and modifications made Review - Plan in its entirety subject to a scheduled review
Regulation that requires safeguarding consumer financial data
Gramm-Leach-Bliley Act GLBA
This sofware monitors and analyzes local behavior as well as network connectivity
HIDS
This type of IDS runs on a local device
HIDS
US regulation that protects the privacy of patient health information
HIPPA Health Insurance Portability and Accountability Act
Vulnerability Notification
Identification of vulnerabilities in protocols, OSs, utilities, applications, and firmware is an on-going process conducted by software publishers, security researchers, and testers - Public notification is based on a number of factors including severity, ease of exploit, availability of a fix, and intent to exploit - In the US, identified flaws can be reported to the CERT Coordination Center (CERT/CC) - CERT/CC serves as a coordinating body that works with affected vendors to resolve vulnerabilities
Define Requirements
Identify and document security requirements early in the development life cycle and make sure that subsequent development artifacts are evaluated for compliance with those requirements. When security requirements are not defined, the security of the resulting systme cannot be effectively evaluated
Level of risk before treatment
Inherent Risk
Secure DevOps concept of having an image of a system preconfigured to a desired "known good" state (using automation to replace rather than fix)
Immutable system
This attack tricks an application into sending unintended commands to the interpreter
Injection
This vulnerability allows an attacker to include commands that are sent to an interpreter
Injection
Standards and Best Practice Guidance
International Organization for Standardization (ISO) 2700x National Institute of Standards & Technology (NIST) Special Publication 800 Series Industry (e.g. SANS, WiFi Alliance, CSA, BSA, ISACA, AICPA) Vendors (e.g. Microsoft, Cisco, Apple)
Power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory
Jurisdiction
Secret value used with an algorithm
Key / Cryptovariable
Networking Devices (Conceptual Example)
Layer 1 - Physical - Hubs and Repeaters Layer 2 - Data Link - Bridges, Wireless Access Points, Switches Layer 3 - Network - Multilayer Switches, Router, Firewall (IP Filtering) Layer 4 - Transport - Load Balancer, Firewall (port filtering) Layer 7 - Application - Firewall (protocol or data filtering)
FCoE OSI Layer
Layer 2
Bridges, wireless access points and switches operate at this OSI layer
Layer 2 Data Link
Encryption occurs at this layer in the OSI model
Layer 6 Presentation
This access control concept requires that only the minimal rights and permissions needed to accomplish a task are assigned
Least Privilege
This principle means to assign only the rights and permissions necessary to accomplish a task
Least Privilege
Retention and Preservation
Logs might need to be preserved to meet legal or regulatory requirements - Log retention is the archiving of logs in accordance with organizational retention (and destruction) policies - Log preservation is keeping logs that normally would be discarded because they contain records of activity of particular interest - Log preservation is typically performed in support of incident handling or investigations - Log data used as evidence must be shown to be tamper proof and follow chain of custodyprocedures
Availability Ladder
Low to High Availability - Spare Parts - Passive Fault Tolerance - Active Fault Tolerance - Asymmetric High Availability - Symmetric High Availability
These devices emulate a production environment in order to entice attackers
Low-interaction honeypot
In this model, access is based on the relationship between subject clearance and need to know and the object classification
MAC Mandatory Access Control
Scalable protocol-independent transport technique for high performance networks
MPLS
Complete reproduction of a physical network in software
NSX Network Virtualization
This Microsoft suite of authentication protocols is vulnerable to pass-the-hash attacks
NTLM
Types of Filters
Malware - Scanning incoming data and/or headers for indication of malware File Type - Blocking incoming file types (e.g. .exe, .mp3, .zip) Anti-Spam - Identification of incoming SPAM email by comparing to a database of known SPAM, public blacklists, URL blocklists, Bayesian filtering, and/or reputation services Message Content - Outbound message blocking or quarantining of specific content (e.g. SSN) Auto encryption of outbound messages based on content DLP - Outbound blocking of identified files or file types URL - Blocking URLs from being accessed (generally by category, e.g. gambling sites)
Data Acquisition Tools
Memory Imaging - used to acquire (dump) short term volatile data (RAM/Virtual memory) Write Blocker - Tool that intercepts inadvertent drive writes Bit Stream Image - bit by bit copy of the source material that preserves all latent data in addition to files and directory structure. Accessing an image does not modify its data Clone - exact copy of the entire physical hard drive including all active and residual data and unallocated or slack space. A cloned hard drive can be installed into the computer, and the computer will reboot and function as if the original drive were still installed.
This vulnerability is the failure of a program or OS to free up dynamically requested memory
Memory Leak
Hashing Algorithms
Message Digest (MDx) - MD5 has been shown to be subject to collision attacks and is "broken" Secure Hash Algorithm (SHA) - Created by the NSA - SHA-1 has been shwon to be subject to collision attacks - SHA-2 family is widely used and includes SHA-256, SHA-384, and SHA-512 RIPEMD - Based on MD4; it has been replaced by RIPEMD-160
This common type of IDS detects physical disturbance
Motion
Driving force behind an attack
Motivation
Threat Modeling (Simplified)
Motivation - Why and how would an adversary target my organization? Workfactor = How hard would it be for an adversary to achieve their objective? Threat Intelligence Information Sharing - Are we aware of the latest threats, tools, and techniques? Do we share what we know? Threat Detection - Would we know if we were being attacked? Resiliency - Are we prepared to respond to an attack? Can we maintain continuity of operations?
When two or more of the same type of factors are required for authentication
Multilayer
Multilayer Protocols
Multilayer network communication protocols provide standards that allow diverse systems to communicate. Examples include MPLS, DNP3, and FCoE
The process of both the subject and object authenticating to each other
Mutual Authentication
Need-to-KNow & Least Privilege
Need-to-know means that the subkect has a demonstrated and approved reason for being granted access Least privilege means assigning subjects only the rights and permissions needed to complete the assignment - Once need-to-know has been established, least privilege should be enforced
Network Access Control (NAC)
Network Access Control (NAC) is an agent or agentless approach to network security that attempts to unify endpoint security technology, user or system authentication, and network security enforcement. - An 'agent' is code that performs a function on behalf of an application
DLP Location
Network based (On premise) -- Network based (hardware or virtual applicane) deals with data in motion and is usually located on the network perimeter. Storage based -- Storage based (software) operates on long-term storage (archive) Endpoing based -- Endpoint based (software) operates on a local device and focuses on data-in-use Cloud based (off premise) -- Cloud based operated in "the cloud" data in use, in motion, and at rest.
This risk assessment methodology was developed at the Carnegie Mellon SEI
OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation
Virtual environment that share the kernel of the host operating system but provide user space isolation
OS Container
Connectivity Devices
OSI Layer / Device / Description 1 / Hubs / Hubs retransmit a signal received on one connection point to all ports 1 / Repeaters / Repeaters amplify signals 2 / Bridges, Wireless Access Points / Bridges/WAPs filter traffic based on MAC address, amplify signals, and can connect dissimilar media 2 / 3 // Switch / Switches are used to create connections between two ports and eliminate collisions 3 / Routers / Routers forward packets using IP addresses and routing protocols
Intelligence data collected from publicly available sources
OSINT Open Source Threat Intelligence
Non-profit that publishes the Top Mobile Application Flaws
OWASP
Open community dedicated to software safety and security
OWASP
The act of making a data set difficult to find or understand
Obfuscation
This type of assessment is generally cooperative and known to all relevant personnel
Overt
Provisioning / Deprovisioning Lifecycle
Onboarding, Account Request, User Agreement, Credential Management Authorization, Assignment of rights and permissions, User training User account auditing, User access auditing, Change requests, User training Termination, Offboarding
How many keys used in symmetric encryption?
One
A standard that is publicly available and can be freely adopted and extended
Open standard
Identity layer on top of the OAuth 2.0 protocol which facilitates authentication
OpenID Connect
Identify the technologies that support Federated Identity Management. Choose all that apply: OpenID Connect OAuth 2.0 MPLS Active Directory Kerberos SAML
OpenID Connect OAuth 2.0 SAML
Asset criticality generally relates to this characteristic
Operations
This type of attack occurs when an attacker takes advantage of a vulnerable target (not previously known to them)
Opportunistic attack
Value Delivery
Optimize investments in support of business objectives.
BIA report should prioritize this order
Order of restoration
Knowledge - Password/PIN Controls
Password controls include: - Strength (length, complexity, and uniqueness), limited login attempts, and aging - Hashing, hashing with salt, and encryption - User training Even with the above controls, passwords alone provide minimal protection and are considered the 'weakest' form of authentication
Infrastructure-as-a-Service (IaaS)
Provisioned: -"Bare metal" Computing Resources Customer Impact -The customer does not manage or control the underlying cloud infrastructure -The customer can provision processing, storage, networks, and other fundamental computing resources -The customer has control over the operating system, storage, and deployed applications and possibly limited control of select networking components (e.g. host firewalls) Considerations: -Availability -Maintenance -Vulnerability Management -Confidentiality -Privacy
Process of creating user accounts and credentials
Provisioning
This well-known symmetric stream cipher used in WEP is considered deprecated due to multiple vulnerabilities
RC4
This software or OS feature allows a desktop to be accessed remotely on port 3389
RDP
Defacto commercial standard asymmetric cipher
RSA
Digital Signature Algorithms
RSA - Widely implemented - Defacto commercial standard - Works with both encryption and digital signatures Digital Signature Algorithm (DSA) - Published by NIST in cooperation with the NSA. - US Government Digital signature standard NOTE: Digital signatures require two algorithms--a hashing algorithm and a digital signature algorithm
Metric for the amount of time allocated for system recovery
RTO Recovery Time Objective
This software development project model combines prototyping and iterative processes
Rapid Application Development (RAD)
Disaster Recovery Exercises
Read-through (Desk check) - Personnel or departments review their plans and procedures for accuracy and completeness - Accuracy & Familiarity Walk-through (Tabletop) - Scenario-based group workshop focuses on the application of plans and procedures as well as participant readiness. Promotes coordination and communication - Coordination & Communication
Metric related to acceptable data loss
Recovery Point Objective (RPO)
Privilege
Relates to overriding capabilities - Administrative, root, and super user - Privilege trumps rights and permissions Privileged credential theft and privilege escalation are two of the most serious attacks - Pass-the-Hash is a technique in which an attacker captures hashed account credentials on one computer and reuses the credentials to authenticate to another computer
The term used to describe the level of risk after controls have been applied
Residual risk
Buzz word that describes the capability to continue operating even when there has been a fault, incident, or abnormal operating conditions
Resiliency
Capability to continue operating in abnormal conditions
Resiliency
Owners Stewards
Responsible for decisions related to classification, access control, and protection.
Development Security Issues
Retrofitting is expensive and reputation damaging. It is absolutely critical to integrate security into the development lifecycle including: - Considering security during each phase - Conducting code reviews throughout the process - Not allowing development teams to test their own work - Requiring regression testing for new features and fixes
SLE = AV * EF
Revenue from one hour of e-commerce is $20,000 (AV) A DDoS attack could disrupt 85% (EF) of online activity. $20,000 (AV) * .85 (EF) = $17,000 (SLE) The cost of an hour of DDoS disruption is $17,000
This is the process of analyzing and understanding malware characteristics
Reverse Engineering
This type of proxy server appears to the client to be an ordinary web server
Reverse proxy
OS Kernel and device drivers operate at this ring
Ring 0
Protected Rings Illustrated
Ring 3 - Applications Ring 2 - OS Utilities Ring 1 - Operating system Ring 0 - OS Kernel and Device Drives
Measurement of likelihood and impact of a threat event
Risk
Level of risk an entity will accept in pursuit of its mission and objectives
Risk Appetite
Acceptable variation in outcomes related to specific performance measures
Risk Tolerance
Process used to identify and measure risk
Risk assessment
This risk management options requires that the risk-related activity cease
Risk avoidance
Tool used to document risk and ancillary details such as treatment measures and monitoring tasks
Risk register
Secure DevOps Concepts
Security Automation - Automating attacks against pre-production code and continuous vulnerability testing against production code Continuous Integration (CI) - A continuouse merging of source code updates from all developers on a team into a shared mainline. - If a failure is seen, the development team is expected to refocus and fix the build before making any additional code changes Baseline - A consistent, agreed upon version of software that serves as the basis for further development Immutable Systems - Image of a system preconfigured to a desired "known good" state - Uses automation to replace rather than fix Infrastructure as Code - Using code to manage configurations and automate provisioning of infrastructure (e.g. build testing and staging servers)
Statement on Standards for Attestation Agreements #18 (SSAE18)
Service Organization Control (SOC) Reports are internal control reports on the services provided by a service organization. -Standard designed and maintained by the American Institute of Certified Public Accountants (AICPA)
Acceptable Use Policy (AUP) Agreement
Sets forth proper use of information systems, handling standards, monitoring, and privacy expectations -An AUP should be written in language that can be easily and unequivocally understood -By signing the associated agreement, the user acknowledges, understands, and agrees to the stated rules and obligations
Number of layers in the OSI model
Seven
Technology solutions that are implemented without the knowledge or consent of the IT department
Shadow IT
Order that personnel must stay where they are
Shelter-in-place
This open source FIM compatible software allows a user to control the attributes released to each application
Shibboleth
Securing Code Repositories
Source code needs to be protected from unauthorized access, inadvertent modification, sabotage, and IP theft. Source code protection mechanisms include: - Use of a centralied source code repository - Configuration management program that includes change control procedures, bug tracking, release management and documentation - Multiple levels of access control including encryption, dual control, and separation of duties - Secure communication protocols - Backup, rollback, and restoration procedures
Industry Specific Framework
Specific to an industry. Developed, promoted, and enforce by industry memebers. Well known Framework: HITRUST Common Security Framework (Voluntary) PCI DSS Payment Card Industry Data Security Standard (Enforced)
802.11 IEEE Standards
Specification / Data Rate / Frequency / Distance 802.11 / 2 Mbps / 2.4 GHz / 100M 802.11b / 11 Mbps / 2.4 GHz / 140M 802.11a 54 Mbps / 5 GHz / 120M 802.11g 54 Mbps / 2.4 GHz / 140M 802.11n 150 Mbps / 2.4 / 5 GHz / 250M 802.11i - Security for 802.11 technologies 802.11e - Quality of Service (QoS) for priority and time sensitive data
Impersonating an address, system, or purpose
Spoofing
Foundational (lower level) models
State - Conceptual model that ensures no matter what activity is taking place within a system, it is always trustworthy Non-interference (multilevel) - Whatever happens at one security level does not directly or indirectly affect the security environment of other levels Information Flow (multilevel) - Information will flow only in ways that do not violate the security policy of the system NOTE: If any of the lower level (foundational) models are proven false, then the security of the system cannot be relied upon regardless of the implementation of higher level security models
This type of firewall evaluates each datagram individually
Stateless
Sampling Techniques
Statistical Sampling - An objective method for determining sample size and selection criteria - Each item should have an equal probability of selection Non-statistical Sampling - A subjective method for determining which items are the most material, relevant and/or risky - Including items are based on professional judgement Block Sampling - All items in a selected time period, numerical sequence, or alphabetical sequence
The practice of concealing a file within another file
Steganography
Testing performance with an abnormal number of users or operations
Stress testing
Log Analysis Processes
Synchronization - The process of synchronizing with an external time source with a time stamp protocol (e.g. NTP) Normalization - The process of standardizing the log details into a consistent structure Aggregation - The process of consolidating events from disparate devices and systems Deduplication - The process of filtering out duplicate entries or excessive noise Correlation - The process of tying individual log entried together based on related information Identification - The process of identifying normal and abnormal activity
This replication strategy guarantees zero data loss
Synchronous replication
Recorded actions that emulate activity
Synthentic transactions
Code Security Assessment
Synthetic Transactions Security Code Review Static Code Analysis Dynamic Analysis Fuzzing Use Case
Protection Profile
The Common Criteria evaluates product against protection profiles -A 'protection profile' is a specific set of functional and 'assurance requirements' for a 'category of products'. A protection profile can be written by several different groups including vendors, customers, and accreditation agencies -A 'security target' is written by a product 'vendor' or 'developer' that explains the specifications of the product including 'functionality' and 'assurance' requirements -A 'target of evaluation (TOE)' is the product or system that will be rated.
DevOps
The DevOps development methodology is built on the premise that collaboration between 'developers' and the 'operations' team is essential -The intial push for DevOps stemmed from the need to integrate operation to make software development more efficient and of higher quality -'Integrated DevOps' mandates that the operations team remains involved throughout the software development lifecycle to ensure a smooth, efficient process through transition and deployment
The Ethics Working Group provides an ethics framework for adoption by information security organizations including (ISC)2, ISSA, and GIAC
The Unified Framework for Information Security Ethics clearly states expectations of ethical and professional conduct that pertain to information security work while also addressing the interests of those who rely on information security specialists and the public at large.
Business Continuity
The ability for a business to operate in adverse conditions. It may be a contractual obligation and may be a regulatory requirement.
Dev
The development environment (DEV) is used for code development, proof of concept, experimentation, and customization - The environment can be a developer's desktop, dedicated server, or a server shared by several developers working on the same project - If software is being acquired rather than developed, the DEV environment is used to preview, configure, and customize the application - The development environment MUST be segregated from the production environment
Secure Protocols
The function of a secure protocol is to ensure confidentiality, integrity, authentication, nonrepudiation, or any combination thereof - Secure protocols are commonly used in network management and communications; often replacing older insecure protocols
Risk Monitoring
The objective is to track known risks, evaluate treatment effectiveness, identify new risks, and schedule ongoing assessments
Archietecture-centric
The threat models focus on system design and potential attacks against each component
Workfactor
The time, effort, and resources needed for an attacker to successfully achieve their objective. The intensity of the workfactor should match the criticality and/or sensitivity of the asset you are protecting. Workfactor is a powerful offensive weapon and can be used to dissuade all but the most motivated of adversaries. Due to attack tools and techniques constantly evolving, assessing workfactor should be an iterative process.
Sequential Project Models
The traditional software development models are structurally linear (sequential). - The 'Waterfall' model requires that each phase must be completed before emoving on to the next phase. - The 'V-model' emphasizes 'verification and validation' at each phase and testing to take place throughout the project
Evidence-based knowledge about a threat
Threat Intelligence
This process is used to anticipate threats
Threat modeling
Business Impact Analysis Objective
To identify the impact of a disruption on mission-Essential services, systems, and infrastructure. Essential means that the absence of or disruption of services would result in significant, irrecoverable, or irreparable harm to the organization, employees, business partnets, constituents, community, or country.
This protection approach replaces sensitive data with non sensitive substitutes
Tokenization
Decision States
True Positive - Normal activity is correctly identified False Positive - Normal activity is incorrectly identified as abnormal True Negative - Abnormal activity is correclty identified False Negative - Abnormal activity is incorrectly identified as normal
Cyber Attack Impact
Unauthorized access to or theft of data, which is a violation of 'confidentiality' Modification of data, which is a violation of 'integrity' Inaccessibility of data or disruption of service which is a violation of 'availability'
Wiretap Act
Unauthorized interception of digital communications.
Audit opinion rendered when the auditor does not have any significant reservations
Unqalified opinion
Quality & Performance Testing
Use Case (Positive) - Determine if the application works as expected under normal operating conditions Misuse Case (Negative) - Determine if the application can gracefully (and securely) handle invalid input or unexpected behaviro Load Testing - Performance in normal and peak conditions Volume Testing - Impact of incremental volume of records (not users) Stress Testing - Performance with an abnormal number of users or simultaneous operations Synthetic Transactions - Recorded actions that emulate a specific interaction which are used to measure availability and response time
Malware Use Cases
Use Cases include using malware to: - Facilitate extortion schemes (ransomware) - Weaponize computers and devices - Collect authentication credentials - Exfiltrate data and intellectual property (IP) - Distribute SPAM, pron, and other illegal materials - Carry out information warfare or sabotage
Direct Attached Storage (DAS)
Use of one or more locally attached (internal or external) disks
Facilitated Risk Analysis Process (FRAP)
Used to analyze one system at a time. Stresses prescreening activities
Privacy Violations
Violation of privacy principles and regulations
Mechanism to pool storage resources so they appear to be one unit
Virtual Storage
Term applied to a situation where a virtual machine and the host operating system interact
Virtual machine escape
Technology that creates multiple environments from a single physical host
Virtualization
OWASP 2017 #2 Broken Authentication
Vulnerability - Broken Authentication Description - The attacker uses flaws in the authentication or session management functions to impersonate users. Privileged accounts are frequently targeted Flaw - Weak authentication and session management controls Impact - Can result in user session hijacking, redirection to malware distribution site, or bypassing access controls Mitigation: -Do not use default credentials -Do not expose session IDs -Store password using a hash function -Implement weak password checks -Harden credential recovery and API pathways -Implement multi-factor authentication -Log authentication failure / configure alerts
Automated tools used to look for vulnerabilities and exposures
Vulnerability scanner
Data Deletion
When a file is deleted, the corresponding entry in the Master File Table (MFT) is removed and the MFT entry is marked as ready to be re-used. The data for the file is separate from the MFT entry. -The original file remains intact until the space is used and the original file is overwritten. Potentially, all or part of the deleted file and/or MFT entry can be recovered. -'Data remanence' is the residual representation of digital data that remains even after attempts have been made to delete or erase the data.
Whitelist / Blacklist
Whitelisting enforces the zero trust principle of 'deny all' and allow only what's necessary. - Enforcement via a list of "allowed" entities (e.g. applications, IP addresses, URLs, email senders) Blacklisting enforces the convenience principle of 'allow all' and restrict only what is harmful - Enforcement via a list of "restricted or denied" entities (e.g. applications, IP addresses, URLs, email senders)
Wireless Network Configurations
Wireless Personal Area Network (WPAN) (aka Bluetooth) - 802.15 standard. Interconnects devices within a limited range (e.g. keyboard) Wireless Local Area Network (WLAN) - 802.11 standard Wireless Metropolitan Area Network (WMAN) - 802.16 standard Wireless Wide Area Network (WWAN) - Point-to-point microwave links
OSI Model
[ HOST LAYERS Application - Network process to application Presentation - Data Representation and Encryption Session - Interhost Communication Transport - End-to-End Connections and Reliability ] [ MEDIA LAYERS Network - Path Determination and IP (Logical Addressing) Data Link - MAC and LLC (Physical Addressing) Physical - Media, Signal, and Binary Transmissions ]
The AES algorithm requires this number of keys to encrypt and decrypt a message block 1: 1 2: 3 3: 4 4: 2
1: 1
ISCM Process
1: Define 2: Establish 3: Implement 4: Analyze/report 5: Respond 6: Review/Update
The objective of which type of forensic investigation is to provide a 'preponderance of evidence' 1: Customary 2: Compliance 3: Civil 4: Criminal
3: Civil
The firewall rule "DENY ANY ANY ANY ANY" should be where in the rule set sequence? 1: After all ALLOW statements 2: At the beginning 3: Doesn't matter where 4: At the end
4: At the end
Supporting Activities (Five A's)
Accountability, Authentication, Authorization, Accounting, Assurance
Assurance
Assurance is the processes we use to develop confidence that our security measures are working as intended.
Framework for designing, establishing, implementing, maintaining, and monitoring an information security program
ISMS Information Security Management System
Board of Directors Duties
Promoting effective governance Determining organizational risk tolerance Contributing to and authorizing strategic plans Allocating funds Approving policies and significant projects Ensuring appropriate monitoring Ensure compliance with laws, regulations and contracts Reviewing audit and examination results Honoring the legal constructs of due dilligence and due care.
Internal Audit
Responsible for ensuring that management has established a framework of specific internal controls commensurate risk, regulation, and Board directives
Compliance Officer
Responsible for identification of and ensuring compliance with applicable statutory, regulatory, and contractual requirements.
Custodians
Responsible for implementing, managing, and monitoring controls.
Custodians
Responsible for implementing, managing, and monitoring the protection mechanisms based on what the Owners has told them.
Users
Responsible for treating data and interacting with information systems in accordance with organizational policy and standards.
The term used to describe the responsibility of leadership to determine, articulate, authorize, and fund the desired state of security.
Security Governance
Confidence that the system will act in a correct and predictable manner in every situation
Trustworthy Computing
The outcome when investments in suppost of business objectives are optimized
Value Delivery
The final step of an exercise or test
After action Report
NIST SP 800-30
Federal government standard. Used extensively in the private sector
This examination is an independent review of functionality and effectiveness
Application audit
Media hash
Fingerprint
Number of possible key combinations
Key space
Organization that defined SCAP requirements
NIST
IDS that measures magnetic field
Proximity IDS
The process of verifying an identity (e.g passport)
Registration
Mobile Scope
-Variety of endpoints including tablets, smartphones, laptops, and emerging technologies such as wearables -Variety of platforms such as Windows, Apple IOS, and Android and associated security models -Variety of applications including rich content websites using Flash and Javascript -Variety of transmission methods including wired, wireless, cellular, Bluetooth, RFID, and NFC -Variety of locations -- wherever the user is
Process used to develop confidence that security measures are working as intended.
Assurance
What can not happen if the only Kerberos server in a network fails
Authentication
Aggregate of standards for a specific grouping
Baseline
When two different hash inputs produce the same hash output
Collision
Information assets are generally classified by this attribute
Content
The desired result or puspose to be achieved by implementing the control
Control Objective
A network segment within a trusted segment
Enclave
Voluntary cybersecurity framework designed specifically for the healthcare sector
HITRUST
Unique fixed length representation of data
Hash/Fingerprint/Message Digest
Objective of the Clark-Wilson model
Integrity
Notice to preserve all forms of relevant information
Legal hold
The acronym for open source intelligence
OSINT
Sniffing Attacks
Replay - Capturing and reusing packets - Reusing authentication data/credentials - Replaying the packet over and over causing a denial of service IV Attack - Capturing weak initialization vector (IV) - Knowledge of the IV can be used to decrypt data packets RFID Eavesdropping - Intercepting communication between RFID Tags and Readers - Interception, manipulation, and reuse of data
Permanent withdrawal of trust by issuing authority before scheduled expiration date
Revocation
Document that details the parameters of an assessment
Rules of Engagement (ROE)
Automation tool that offers real time data capture and analysis
SIEM
Digital Forensics Investigation Process
1: Evidence Collection 2: Data Acquisition 3: File Recovery 4: Examination 5: Analysis and Reporting 6: Testifying (if necessary) 7: Archiving
Which metric represents a high point in user frustration? 1: False Reject Rate (FRR) Type 1 Errors 2: False Accept Rate (FAR) Type 2 Errors 3: Crossover Error Rate (CER)
1: False Reject Rate (FRR) Type 1 Errors
The processing of analyzing data with tools that look for trends and correlations. 1: Data warehousing 2: Data mining 3: Inference 4: Aggregation
2: Data mining
Mathematical expression used for eposure factor (EF)
% Percentage
ANT
'ANT' is a proprietary (but open access) multicast wireless sensor network technology designed for Internet of Things (IoT) -ANT is primarily incorporated into sports and fitness sensors (wearables) -The transceivers/receivers are embedded in equipment such as heart rate monitors, watches, cycling power meters, cadence meters, and distance and speed monitors monitoring a user's performance (e.g Fitbit) -Range is approximately 30 meters -Security concerns eavesdropping, interception, impersonation and location identification
Auditing Controls
'Assurance' is the process we use to develop confidence that our security measures are working as intended. Audit methodoligies include: - COBIT - SSAE 18 - Commercial/proprietary 'Audit fieldwork generally' includes proof that the control is working as intended. 'Audit reports' generally include findings and recommendations
Availability and Resiliency
'Availability' is a measure of a system's uptime -- the percentage of time that a system is actually operational and providing its intended service - For example, "five nines" means the device should be up 99.999% of the time and experience no more than 5.26 minutes of downtime per year 'Resiliency' is the capability to continue operating even when there has been a disruption or abnormal operating conditions
Denial of Service Attacks to Know
'DoS' --Transmitting malformed packets or unusual requests - Shutting down a specific service or resource 'DDoS' --Massive volume of service requests from multiple sources, often "bots" configured in a bonet - Shutting down a resource and/or denying service to legitimate users - Causing downstream degradation and/or malfunction of compromised "bots"
Hijacking - Web Specific Attacks to Know
'Domain Hijacking' --Unauthorized modification of a domain name registration - Using a legitimate website for malicious purposes 'URL Squatting' --Registering or using an Internet domain name with bad faith. Intent to profit from the goodwill or a trademark belonging to someone else - Directing users to fraudulent sites 'Typo Squatting' --Taking advantage of common typos to create fraudulent websites - e.g. gooogle.com - Redirecting users to malicious sites often to steal credentials or obtain personal information 'Clickjacking' --Tricking a user into clicking on a button, picture, or link - Redirecting users to a malicious site to download malicious code
Assessment Methodologies
'Examination (E)' is the process of interviewing, reviewing, inspecint, studying, and observing to facilitate understanding, comparing to standards or baselines, or to obtain evidence 'Testing (T)' is the process of exercising objects under specified conditions to compare actual and expected behaviors
Hardware Encryption
'Full disk encryption (FDE) / self-encrypting drives (SED)' is a hardware-based mechanism for automatically encrypting all data written to the magnetic media. -Factory set encryption (curcuit built into the disk drive controller chip) -Drive powers up locked -Key is never present in memory -Transparent to the user with the exception of required boot-up password -Does not effect performance -Use case: Securing data at rest
Incident Management Governance
'Policy' - Definition of security incident and related terms, Roles and responsibilities, Prioritization or severity rating, Performance measurements, Reporting structure. 'Plan' - Strategies, Organizational approach, Assigned roles and responsibilities, Reporting mechanisms, Incident handling and escalation roadmap, Contracts, Contact information 'Procedures' - Technical process, Techniques, Checklists, Forms
SETA Maturity Model (Deveoping Secuirty and Awareness Programs)
-Non-Existent -Compliance Focused -Promoting Awareness & Behavior Change -Long Term Sustainment & Culture Change -Metrics Framework
Framework components generally include:
-Policies that assign risk management roles, responsibilities, authorities, parameters, reporting structure, and monitoring criteria. -Standards that address assessment methodology, inclusion criteria, and frequency -Project plan that includess scope, schedule, and resource allocation
Business Continuity Planning Phases
-Project Initiation and Assessments -Business Impact Analysis -Threat Analysis -Strategy Development -Plan Development -Execution / Procurement -Training -Testing -Auditing -Monitoring -Maintenance Review & Update
Confidentiality / Non-disclosure Agreement (NDA)
-Protects data from unauthorized disclosure -Establish data ownership -Protect information from disclosure -Prevent forfeiture of patent rights -Define handling standards including disposal
Configuration Management Process
-Research/Plan -Approve Baseline Configuration -Assign CM Version and Update Library -Implement -Control Changes -Monitor -Report -Repeat
The objective of which software development process is to minimize probability of failure, cost, and risk? 1: Statement Coverage 2: DevOps 3: CMM 4: Agile
2: DevOps
Injection Illustrated (SQL)
1: Application presents a form to the attacker 2: Attacker sends an attack string (SQL query) in the form data 3: Application forwards the attack string to the DB in a SQL query 4: DB runs the query and sends the results back to the application 5: Application sends results to the attacker
This data protection control can be used to enforce "copy and paste" restrictions 1: DLP 2: FDE 3: DEP 4: ACL
1: DLP
Place the ISCM iterative process in the right order 1: Review/Update 2: Analyse/Report 3: Establish 4: Repeat 5: Define 6: Respond 7: Implement
1: Define 2: Establish 3: Implement 4: Analyse/Report 5: Respond 6: Review/Update 7: Repeat
Quantitative Risk Assessment Process
1: Determine Asset Value (AV) 2: Determine Exposure Factor (EF) 3: Calculate Single Loss Expectancy (SLE) 4: Determine Annual Rate of Occurence (ARO) 5: Calculate Annualized Loss Expectancy (ALE) 6: Identify Mitigation Controls 7: Calculate the ALE with Mitigating Controls (ALE2) 8: Cost/Benefit Analysis (CBA)
Risk Assessment Workflow
1: Determine the risk assessment approach (quantitative, qualitative, hybrid) 2: Identify the inherent risk based on relevant threats and related vulnerabilities 3: Assess the impact if the threat source was successful 4: Identify applicable controls and their effectiveness 5: Assess the likelihood of occurrene, taking into consideration the control environment 6: Determine the level of residual risk
This situation is described as a person taking an action that they would not normally do due to a threat of harm 1: Duress 2: Collusion 3: Social engineering 4: Fraud
1: Duress
This data access control is often cited in regulations and may provide "safe harbor" 1: Encryption 2: Logging 3: Capabilities tables 4: ACL
1: Encryption
Match the regulation and its constituents Regulations: 1: GLBA 2: HIPPA 3: COPPA 4: FISMA 5: GDPR Constituents: 1: Minors 2: Patients 3: Federal Agencies 4: Financial services customers 5: EU citizens
1: GLBA - Financial services customers 2: HIPPA - Patients 3: COPPA - Minors 4: FISMA - Federal agencies 5: GDPR - EU citizens
Arrange the following Incident Response phases in the correct order Resumtion Containment Recovery Identification Eradication
1: Identification 2: Containment 3: Eradication 4: Recovery 5: Resumtion
Audit Workflow (Auditor Perspective)
1: Identify the Audit Objective (purpose) 2: Establish work paper documentation 3: Determine audit procedures including data collection and testing 4: Collect and evaluate evidence 5: Analyze evidence and prepare report 6: Discuss with Management . Gain Agreement whenever possible 7: Present Audit report to the Audit Committee or equivalent
Which of the following is a true statment? 1: If a lower level security model fails, the security of the system cannot be relied upon 2: The non-interference and the information flow models only support single level security 3: State machine model incorporates both secure and insecure states 4: Foundational security models are irrelevant as long as relationship level security models are working
1: If a lower level security model fails, the security of the system cannot be relied upon
Kerberos Process
1: Initial CHAP-based authentication between the user and the Kerberos Server 2: The Kerberos Ticket Granting Service (TSG) generates a Ticket Grating Ticket (TGT) Access Token 3: The TGT Access Token is provided to the user. The TGT is protected using symmetric key cryptography 4: When the user attempts to access a trusted resource, the user sends a copy of the TGT back to the KDC with details of the request 5: The KDC validates the TGT and generates a limited lifetime Session Ticket. The KDC sends the Session Ticket back to the user 6: The Session Ticket has 2 encrypted halves (one for the user and one for the resource) containing authentication details and symmetric session key 7: The user decrypts his half of the session ticket, writes (again) the details of resource request, encrypts it with the session key, and sends the session ticket to the resource server 8: The resource server decrypts its half of the ticket, verifies the details of the request, and uses the decrypted session key to decrypt the user request. If matching, the user is authenticated to the resource server 9: Using the session key, the resource server encrypts a portion of the user's authentication data and sends the encrypted data back to the user 10: If the user can successfully decrypt the message, then the mutual authentication is successful
Which statement best relates to the mobile application flaw "insecure communications"? 1: Insufficient handshaking 2: Session management weakness 3: Misuse of a platform feature 4: Unintended distribution of data
1: Insufficient handshaking
Vulnerability Management Process
1: Inventory 2: CVE Intake 3: Assessment 4: Prioritize 5: Change Control 6: Deploy 7: Verify 8: Monitor
This principle states that systems and devices should be configured to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports. protocols, and services. 1: Least functionality 2: Hardening 3: Least privilege 4: Default deny
1: Least functionality
Which one of these authentication factors is considered "emerging"? 1: Location 2: Biometric 3: Knowledge 4: Possession
1: Location
Which one of the following is not a supply chain security risk? 1: Lower pricing 2: Limited visibility 3: Business failure 4: Non-complience
1: Lower pricing
Which statement best descibes MPLS? 1: MPLS is a protocol-independent transport mechanism 2: MPLS is designed specifically for small networks 3: MPLS is an IP-based protocol 4: MPLS uses labels for both internal and IP routing
1: MPLS is a protocol-independent transport mechanism
Which protocol verifies the status of an extended validation certificate? 1: OCSP 2: CRL 3: OSPF 4: CRC
1: OCSP
Incident Response (IR) Process
1: Preparation 2: Identification 3: Containment 4: Eradication 5: Recovery 6: Lessons Learned *NIST SP 800-61r2 - Computer Security Incident Handling Guide
Why should media evidence hash fingerprints be created? 1: Prove integrity 2: Establish non-repudiation 3: Identify the examination technique 4: Maintain confidentiality
1: Prove integrity
Which type of metadata includes comments, track changes, formulas, and embedded files? 1: Pseudo 2: File system 3: Application 4: Stenographic
1: Pseudo
During the BIA process, a business unit stated that they could not afford to lose more than 30 minutes of data. Which statement best expresses this requirement? 1: RPO=30 2: RTO<30 3: MTO>30 4: MTD=30
1: RPO=30
Which statement below is not true as related to traveling with mobile devices? 1: Report lost or stolen devices upon return 2: Upon return, have the device inspected 3: Do not leave devices unattended 4: Encrypt mobile devices
1: Report lost or stolen devices upon return
Configuration Management Workflow
1: Research | Plan | Update 2: Approve Baseline Config 3: Assign CM Version and Update Library 4: Implement 5: Control Changes | Update Baseline if applicable 6: Monitor
Operating system Kernel and device drivers conceptually execute in this protection ring. 1: Ring 0 2: Ring 2 3: Ring 1 4: Ring 3
1: Ring 0
Risk Management Flowchart
1: Risk Appetite 2: Risk Assessment 3: Risk Treatment 4: Risk Monitoring 5: Repeat the process
Level of risk than an organization is comfortable with in pursuit of its mission. 1: Risk appetite 2: Risk mitigation 3: Risk tolerance 4: Risk vaiance
1: Risk appetite
This environment should mirror the go-live environment 1: STAGE 2: POST-PROD 3: DEV 4: TEST
1: STAGE
Looking for known malicious instructuon sequences is an example of which type of detection? 1: Signature 2: Pattern 3: Behavioral 4: Anomaly
1: Signature
Change Management Process (Normal Changes)
1: Submit Request 2: Evaluate Request 3: Test (if applicable) 4: Identify Rollback Options 5: Approve Requests 6: Document Changes 7: Determine Change Window 8: Implement (Consider separation of duties) 9: Verify 10: Update CM Version (if applicable) 11: Close and Archive Request
Order the data recover options beginning from the slowest (bottom) to the fastest (top) 1: Incremental tape backup 2: Synchronous replication 3: Electronic vaulting 4: Full tape backup 5: Asynchronous replication
1: Synchronous replication 2: Asynchronous replication 3: Electronic vaulting 4: Full tape backup 5: Incremental tape backup
OAuth 2.0 Process
1: The Application requests authorization to access service resources from the User 2: If the User authorizes the request, the Application receives an authorization grant 3: The Application requests an access token from the Authorization Server (API) by presenting its credentials and the user authorization grant 4: If the Application identity is accepted and the authorization grant is valid, the Authorization Server issues an Access Token to the Application 5: The Application presents the Access Token to the resource from the Resource Server and requests access. If valid, the Resource Server serves the resource to the Application
Which statement is not true about a Hash Message Authentication Code (HMAC)? 1: The input for a HMAC is a concatenated message and asymmetric key 2: Key distribution and knowledge of concatenation is a challenge 3: An HMAC cannot be reproduced without knowing the key 4: An HMAC provides integrity and origin authentication
1: The input for a HMAC is a concatenated message and asymmetric key
The distinguishing feature of this type of intellectual property is that it remains undisclosed. 1: Trade secret 2: Trademark 3: Copyright 4: EULA
1: Trade secret
MS Secure Development Lifecycle
1: Training 2: Security and Pricacy Requirements 3: Define Quality Gates / Bug Bars 4: Security and Privacy Risk Assessment 5: Establish Design Requirements 6: Attack surface Analysis 7: Threat Modeling 8: Development 9: Static Analysis 10: Dynamic Analysis 11: Attack Surface Review 12: Create Incident Response Plan 13: Conduct Final Security Review 14: Certify Release and Archive 15: Response
SAML Process
1: User (Principal) uses a web browser to access a web application and attempts to authenticate 2: The web application Servie Provider (SP) requests an assertion from the Identity Provider about the User 3: The Identity Provider (idP) prompts the User for credentials (single or multifactor) 4: User provides credentials 5: If the User credentials are accepted, the Identity Provider (idP) submits an assertion (secure token) to the Service Provider (SP) 6: The Service Provider (SP) identifies the authorization level of the user and provides the appropriate level of access
SEI CERT Top 10 Secure Coding Practices
1: Validate input 2: Heed compiler warning (use the highest warning level available) 3: Architect and design for security polies 4: Keep it simple 5: Default deny 6: Adhere to the principle of least privilege 7: Sanitize data sent to other systems 8: Practive defense in depth 9: Use effective quality assurance techniques 10: Adopt a secure coding standard for your language and platform
Which one of the following project models is linear? 1: Waterfall 2: RAD 3: Spiral 4: Agile
1: Waterfall
Business Intelligence Questions
1: What happened? 2: What is happening? 3: Why did it happen? 4: What will happen? 5: What do we want to happen?
This is the time, effort and resources needed for an attacker to successfully achieve their objective. 1: Workfactor 2: Investment 3: Resiliency 4: Motivation
1: Workfactor
Adherence to the (ISC)2 Code of Ethics is a condition of certification. This group makes the final decision on ethics violations and decertification 1: (ISC)2 CEO 2: (ISC)2 Board of Directors 3: (ISC)2 Certification Board 4: (ISC)2 Ethics Committee
2: (ISC)2 Board of Directors
This wireless network specification details security mechanisms 1: WPA2 2: 802.11i 3: 802.15 4: 802.11e
2: 802.11i
This type of embedded system attack makes use of a voltage glitch on the power supply to cause a program malfunction. 1: Memory and bus 2: Active side channel 3: Brownout 4: Injection
2: Active side channel
A computer or network that does not connect to the Internet or any computer or network that connects to the Internet. 1: Enclave 2: Air-gap 3: Clean room 4: Physically isolated
2: Air-gap
Which statement best describes authorization? 1: Authorization is when accountability is maintained 2: Authorization is granting permission to perform a specific action 3: Authorization is when activity is accounted for 4: Authorization is when both subject and object identify themselves
2: Authorization is granting permission to perform a specific action
Which authority issues and revokes digital certificates? 1: Validation Authority (VA) 2: Certification Authority (CA) 3: Issuing Authority (IA) 4: Registration Authority (RA)
2: Certification Authority (CA)
Handling standards are generally organized by ______? 1: Ownership 2: Classification level 3: Location 4: Retention Schedule
2: Classification level
This security evaluation program evaluates products against a protection profile 1: ISO 27001 2: Common Criteria 3: ITSEC 4: TCSEC
2: Common Criteria
Which of the following is not a consideration when evaluating large scale parallel systems such as cloud computing? 1: Distributed management and ownership 2: Common use of outdated operating systems 3: Force multiplier effect 4: Big data aggregation
2: Common use of outdated operating systems
Which statement describes the cryptographic objectives of substitution and transposition? 1: Padding and randomization 2: Confusion and diffusion 3: Secrecy and block chaning 4: Initialization and workfactor
2: Confusion and diffusion
Which of the following most directly influences the choice of data protection controls? 1: Encryption options 2: Data classification 3: Privacy principles 4: Cost
2: Data classification
Which statement about self encrypting drives is true? 1: Performance is degraded 2: Use casee is securing data-in-process 3: The key is stored in memory 4: Transparent to user with the exception of boot-up password
4: Transparent to user with the exception of boot-up password
This security component includes support for Secure Boot, network authentication, and universal graphics drivers. 1: BIOS 2: TPM 3: HSM 4: UEFI
4: UEFI
This OECD Privacy Principle states that "personal data should not be disclosed, made available, or otherwise used for purposes other than those specified". 1: Collection limitation 2: Individual participation 3: Data quality 4: Use limitation
4: Use limitation
Workstations being configured to only allow applications that are explicitly given permission to execute is an implementation of this practice 1: Least functionality 2: Default allow 3: Blacklisting 4: Whitelisting
4: Whitelisting
Trusted System
A 'Trusted System' has undergone sufficient benchmark testing, verification, and validation (by an independent third party) to ensure that the product meets the user requirements -'Funtionality' is verification that a security control exists and that it works correctly at least once. -'Assurance' is a degree of confidence that the system will act in a correct and predictable manner in every computing situation (trustworthy computing)
Isolated Networks and Clean Room
A 'physically isolated' network is completely disconnected from any other network, period. "Clean room" network/computer is located in a secure room or facility.
Diabling Servies
A 'service' is a utilite that runs in the background. Disabline unneccessary services minimizes exposure and enhances performance - A service can be configured to start Automatic, Manual, Disabled, or Automatic (Delayed Start) - A service is independent of the logged in user and will continue to run even if there are no logged in users .
Advanced Persistent Threat (APT)
A 'sophisticated' attack in which an attacker gains access to a network and stays there undetected for a long period of time.
Trust Models (Chain of Trust)
A Trust Model defines how users trust other users, organizations, CAs and RAs within the PKI Web of Trust - No central authority. Each user creates and signs their own certificate. Users sign each others public key indicating "trust" Third party (Single Authority) Trust - A central third-party Certificate Authority (CA) signs a key and authenticates the owner Hierarchical Model - Extension of third party in which root CAs issues certificates to lower level "intermediate" CAs who can then issue certificates. Trust is inherited. - Offline root CA is one that is isolated from a network and is often kept powered down to prevent compromise. - A Registration Authority (RA) offloads some of the work from the CA. The RA can accept and process registration requests and distribute certificates. - A Local Registration Authority (LRA) requires physical identification
Disk Wiping
A clearing technique that overwrites all addressable storage and indexing locations multiple times. -US DoD 5220.22-M method requires overwriting all addressable storage and indexing locations on the drive three times: with zeros (0x00), complement (0xFF), and random characters; and then verifies all writing procedures. Exception: Solid state drives may require a manufacturer-specific utility
Asset Management
A complete set of activities that focus on the protection, accounting and integrity of infrastructure and physical assets Asset management = classification + inventory + configuration management
Copyrights
A copyright covers the expression of an idea rather than the idea itself (which is protected by a patent) The intent is to protect artistic property such as a writing, recording, or a computer program. The protections are intended to allow the creator to benefit from being credited for the work and to control the distribution, duplication, and use of the work. The copyright protection is weaker than patent protection, but the duration of protection is considerably longer. Copyrights are good for the entire life of the creator +50 to 100 years
Cloud Computing [NIST SP800-145]
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction -Service models (SaaS, PaaS, and IaaS) -Deployment models (private cloud, community cloud, and public cloud) -Security model (CASB, SecaaS)
Network-based IDS/IPS
A network-based IDS (NIDS) analyzes and reports on network traffic. A network-based IPS (NIPS) can take responsive action A network IDS/NIPS can be situated out-of-band or in-band - Out-of-band plaement utilizes a passive tap that receives a copy of the network traffic and can process samples. Generally, NIDS will be out-of-band - In-band (inline) placement is directly in the flow of trafic and must process (inspect) every packet. Generally, NIPS will be in-band
Remote Authentication Dial-in User Service (RADIUS)
A networking protocol that provides centralized AAA management services. - RADIUS became an IETF Internet Standard in 1997. - RADIUS does not separate authentication and authorization transactions - RADIUS is used mainly for network access (e.g. ISP, wireless 802.1x, remote) - RADIUS reporting includes who joined the network, how they authenticated, how long they were on, and what types of endpoints are on the network
Terminal Access Controller Access Control System (TACACS+)
A networking protocol that provides centralized AAA management services. - TACACS+ was developed by Cisco and is proprietary - TACACS+ does separate authentication and authorization transactions - TACACS+ uses TCP for transport and encrypts the entire packet - TACACS+ is used mainly for device administration (e.g. router, switch)
Key Escrow
A proactive arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
Project Management
A project managment framework establishes the scope and boundaries of managing projects and the consisten method to be applied. - The project management approach defines guidelines for prcesses and deliverables - The project manager provides day to day facilitation and coordination
Retention
A protocol (set of rules) within an organization that dictates types of unaltered data that must be kept and for how long. Data retention strategies must be aligned with business and legal requirements
Proxy Server
A proxy server is an intermediary machine, between a client and a server, which is used to filter or cache requests made by the client. - A proxy server can be single purpose -- supporting one protocol, (e.g. http) or multipurpose -- supporting multiple protocols
Recovery Point Objective (RPO)
Acceptable Data loss. The point in time prior to a disruption or system outage that data can be recovered.
Reverse Proxy
A reverse proxy appears to the client just like an ordinary web server. - The proxy caches all the static answers from the web server and replies to the clients from its cache to reduce the load on the web server - This tye of setup is also known as 'Web Server Acceleration'
Security Evaluation Objectives
A security evaluation process assesses products against defined security requirements in a consisten and repeatable manner. Third party labs rely on standard evaluation criteria.
Configuration Management (CM)
A set of activities focused on establishing and maintaining the integrity of systems through control of the processes for initializing, changing, and monitoring the configurations including: -Establishing baselines -Monitoring for anomalies -Controlling configuration changes
Handling standards should be associated with this user facing agreement
Acceptable Use Policy (AUP) Agreement
Control Objective
A statement of desired result or purpose to be achieved by implementing the control. Control objectives may relate to: - Security (confidentiality, integrity, availability) - Privacy - Compliance - Effectiveness - Efficiency
NT Lan Manager (NTLM)
A suite of Microsoft protocols used for authentication. - NTLM uses challenge-response (similar to CHAP) for authentication - Hashed password values are stored on the server 'not salted' and are vulnerable to brute force attacks - NTLM is vulnerable to "Pass-the-Hash" attacks where captured credentials from one machine can be successfully used to gain control of another machine - Microsoft recommends not using NTLM. Kerberos is the preferred authentication method.
Open Source Threat Intelligence (OSINT)
A term used to refer to the data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available resources (as opposed to covert or clandestine sources) www.osintframework.com
Acknowledging the level of risk and not requiring any further treatment
Acceptance
Zero Day
A vulnerability that is previously unknown and does not yet have a fix - The time from when an exploit first becomes active to when the number of vulnerable systems shrink to an insignificant number is known as the 'window of vulnerability (WoV)'
Wireless Access Point
A wireless access point (WAP or AP) bridge wireless and wired IP traffic - An AP act as a central transmitter and receiver of wireless signals - An AP can either be a stand-alone device or integrated with a router. - Fat (thick) access points have 802.11 security, management, and performance 'standalone' functionality built-in - Thin access points minimize device intelligence and offload configuration features and management to an associated 'controller'.
In this model, complex Boolean rules can be used to evaluate subject and object attributes, operations and environment
ABAC Attribute-based Access Control
Malware Eradication Techniques
AV and Anti-malware software - Disinfection, quarantine, and deletion capabilities Regedit command - Windows registry editor Bootrec / fixmbr - Windows boot sector repair utility Specialized bootable software - Eg. Microsoft Sysinternals Rootkit Revealer. chkrootkit for Linux/ OS X Restoration - Reimage and/or rebuild impacted system Disposal - Remove, sanitize, and securely dispose of infected device
Malware Detection & Analysis Techniques
AV and anti-malware software - Signatures (DAT files), known characteristics, and behaviors Post-infection Scanner - Second generation AV (e.g. Malwarebytes) Log analysis - Use of a SEIM or equivalent Malware Intelligence - Knowledge of infection characteristics, C&C IP address, or distribution URLs Malware Verification - Analysis of suspicious files and URLs (e.g. Virustotal) Reverse Engineering - Process of analyzing and understanding characteristics - Behavioral analysis - Code analysis
Wireless Attack Categories
Access - Authentication exploit - Enables unauthorized or unsolicited access to an end-user device Spoofing - Impersonating a wireless device - Enables an attacker to act as the trusted source and redirect/manipulate actions Sniffing - Capturing wireless data packets - Enables an attacker to evesdrop, manipulate, and/or reuse data packets Denial of Service - Overwhelming system resources - Enables an attacker to make services unavailable for their intended use
Logging of access and use of information resources
Accounting
Authentication Protocol Overview
Acronym - Protocol name - Service PAP - Password Authentication Protocol - Authentication CHAP / MS-CHAP - Challenge Handshake Authentication Protocol / Microsoft Challenge Handshake Authentication Protocol - Authentication EAP - Extensible Authentication Protocol - Authentication NTLM - NT Lan Manager - Authentication RADIUS - Remote Authentication Dial-in User Service - A-A-A TACACS - Terminal Access Controller Access Control System - A-A-A Kerberos - Authentication System - Mutual Authentication
The load balancing technique of associating a user's IP address with a single server
Affinity
Inventory Management
Also referred to as inventory control, is a set of policies, standards, and procedures used to maintain optimum inventory levels, track assets, and schedule replacements. Inventory management benefits include: -Tracking (including termination and loss) -Providing context for vulnerability and patch management -Facilitating recovery or replacement
Non-employee Relationships
Also referred to as third parties, include vendors, service providers, business partners, consultants, and contractors. Third-party oversight activities include (but are not limited to): - Conducting a due dilligence investigation related to service provider selection and subsequent business activities - Requiring acceptable use and nondisclosure agreementss and codifying service relationships - Monitor the service provider through appropriate audits and tests - Reviewing, on a scheduled basis adherence to contractual obligations
Alternate Business Process Strategies
Alternate business process stategies assume that normal dependencies (technology, facilities, personnel) may not be available - Alternate locations should be established and appropriate contracts entered into - Cross-trained or outsourced personnel should be identified - Manual processes should be documented - "Notification of delay" communication channel should be documented Alternate business process strategies must be aligned with the BIA, disaster tolerance, and budget allocation.
Recovery Time Objective (RTO)
Amount of time allocated for System Recovery. Must be less than the maximum amount of time a system resource can be unavailable before the is an unacceptable impact on other system resources or business products.
Incident Mgmt. Plan and Playbook
An 'incident management plan' includes roles and responsibilities, strategies, and procedures for preparing for, responding to, and managing incidents. - An 'incident playbook' is a set of instructions for planning for and responding to specific types of event, attacks, or scenarios. Generally, playbooks are developed for high-risk events (measured in terms of likelihood and impact). For example, malware, DDoS attacks, ransomware, and payment card compromise
Authorization & Access Control
An Access Control Model is a framework that dictates how subjects access objects or how objects access objects Access control models are built in to operating systems and some applications
Configuration Item (CI)
An aggregation of information system components and treated as a single entity thoughout the CM process A configuration item may be: - A specific information system component (e.g. server) - A group of information system components (e.g. all switches) - A noncomponent object (e.g. documentation) - An information system as a whole (network)
OpenID Connect
An identity layer on top of the OAuth 2.0 protocol which facilitates authentication. - OpenID connect verifies the identity of the end user. - The id-token (secure token) includes information about the user. - Can be used by both mobile and static applications
High Availability (HA)
Applies mainly to software failover capability which reduces or eliminated the need to activate redundant hardware. - 'Asymmetric HA' (active/passive) requires primary and standby systems. When a failure occures, the standby device takes over - ' Symmetric HA' (active/active) requires two primary systems. Each machine monitors the other (hearbeat) and takes over when a failure occurs
Asymmetric Encryption - Two Keys
Asymmetric means two 'different but related keys' are used. - Known as a key pair (M1, M2) - One key is used to encrypt; the other is used to decrypt - The key pairs are commonly referred to as a 'private key' and a 'public key' -Asymmetric encryption is computationally intensive
The three states of data
At rest, in process, and in transit
Three states of data
At rest, in use, and in transit
All of the points where an attacker can try to enter or extract data from
Attack Surface
Targeted Attack
Attacker chooses a target for a specific objective.
Audit Conclusion
Auding standards require that sufficient, relevant, and reliable evidence is obtained to to support audit conclusions and opinions - An audit examination report can also include a disclaimer that the auditor was not able to render an opinion due to named circumstances
Disabling Default Accounts
Are accounts that are created by the operating system or application. Well known default accounts are vulnerable to exploitation. - Review default account (e.g. admin, guest, SA, servie accounts). - If the account is required, create an account with equivalent privileges and disable the original account. If it is not possible to create an equivalent account, then rename the original and change the default password - If the account is not required, disable (delete if possible) the account
Key Performance Indicators (KPIs)
Are business metrics used by management. - Effective KPIs focus on the business processes and functions that management sees as most important for measuring progress toward meeting strategic goals and performance targets
Audit and Event Logs
Are chronological records of events and actions - Critical log sources include firewalls, IDS/IPS devices, proxy servers, authentication servers and devices, OSs, and key applications
Audit and Event Log Control Objective
Audit logs are both a near-time and historical detective control - Routine log analysis is beneficial for monitoring access, identifying security incidents, policy violations, fraudulent activity, and operational issues. - Logs are critical components or internal investigations and forensic analysis
High level description of audit work to be performed
Audit plan
Cloud Access Security Brokers (CASBs)
Are security policy points (software or appliance) placed between "the cloud" and enterprise users. -Security policies are interjected as cloud-based resources are accessed. For example, authentication, encryption, visibility, and DLP -Provides control over 'shadow IT' applications -Shadow IT is used to describe the use of IT solutions that are managed outside of and without the knowledge of the IT department -CASBs proxy traffic and use auto discovery to identify cloud applications
Functional Roles
Are tactical and relate to specific datasets, information systems, assets or processes. Owners Custodians Users
SETA program objective for end users
Awareness
Containers
Are the products of operating system virtualization without a hypervisor. - Containers provide a lightweight virtual environment (instances) - OS containers are virutal environments that share the kernel of the host operating system but provide user space isolation - Application containers are virtual environments that share the kernel of the host operating system designed to package and run a single service
Asset Ownership Responsibilities
Asset (system, data, resource) ownership responsibilities include: -Defining the asset -Assigning value (AV) -Classifying the asset -Confirming the level of protection required -Authorizing access rights and permissions -Authroizing disclosure -Ongoing governance
This is the term used to describe the objective of developing confidence that security measures are working as intended. 1: Accounting 2: Trustworthy Computing 3: Assurance 4: Integrity
Assurance
API Security
Application programming interfaces (APIs) are connectors that allow applications and devices to work together. - Use strong API authentication options (e.g. Oauth 2.0 w/TLS) - Use encryption whenever possible - Use a framework or existing vetted library to implement security solutions
Regression Testing
Application testing that ensures that a change (e.g. patch, update, configuration modification) does not introduce a fault or vulnerability that would impact performance, functionality, security, or interaction. - A 'fault' is a failure, incorrect proccess, defect, or error
This software controlled failover requires primary and standby systems. When a failure occurs, the standby device takes over
Asymmetric High Availability (Active/Passive)
TCP/IP Model
Application - (Protocol Suite) HTTP, FTP, SMTP, DNS, RIP, SNMP Transport - (Protocol Suite) TCP, UDP Internet - (Protocol Suite) ARP, IP, IGMP, ICMP Link - (Protocol Suite) Ethernet, Token Ring, Frame Relay, ATM
Application & Content Management
Application Mgt - Control application installation (APP Catalogue) - Enforce user permission required to install and/or update APPs - Automate transparent downloads and uploads Content Mgt - Control access to business content - Enforce user permissions required to access / annotate content - Automatically push files to device Push Notification - Control push notifications - Push notifications are pop-up -- alerts or customized messages Remote Wipe - Clean the device - Command sent to a remote device to delete selected content - Reset to factory setting
Audit Evidence
Auditing standards require that sufficient, relevant and reliable evidence is obtained to support audit conclusions and opinions. - "Audit evidence is all the information, whether obtained from audit procedures or other sources, that is used by the auditor in arriving at the conclusions on which the auditor's opinion is based" - The amount of evidence collected is directly related to the purpose, objective, and scope of an audit
Auditor Professionals
Audits should be conducted by qualified audit professionals. It is the responsibility of the auditor to: - Adhere to professional standards - Be faiir, competent, and accurate - Understand the audit target environment - Report any conflict of interest or independence
Authentication
Authentication is the positive indentification of a person or system who is seeking access to information or to a system.
Provisioning Lifecycle Phase 2
Authorization, Assignment of rights and permissions, User training - Authorization is granted by data/resource owner - Rights and permissions are assigned by the data/resource custodian - User receives initial and ongoing training (SETA)
Match the MDM control category and control type Categories: Auto wipe Geofencing Containerization Push notification Controls: - Data protection - Application and content management - Device tracking - Authentication
Auto wipe - Authentication Geofencing - Device tracking Containerization - Data protection Push notification - Application and content management
Vulnerability Scanning
Automated tools that scan devices, OSs, applications, databases, and so on to look for known vulnerabilities and exposures. - Commercial and open source tools are available - Two modes: 'Unauthenticated' and 'authenticated' - CVE knowledgebase must be maintained
Sending unsolicited messages via Bluetooth
Bluejacking
The term used to describe mobile devices used in the workplace that are personally owned
BYOD Bring Your Own Device
Investigative report that may include employment and educational history, credit check, workers compensation claims, and criminal record
Background check
Backup Media Storage
Backup media should be secured in accordance with its classification and handling standards. The following should be considered: - Location (on-site/off-site) - Distance - Accessibility - Environmental controls - Physical security - Logical security
Sampling Rules of Thumb
Based on profession judgement - Low risk targets generally require a small sample - High risk targets generally require large sameple or complete check - Strong controls generally require small sample. - Weak controls generally expande sample size
Set of specifications for a configuration item
Baseline
A set of agreed upon specifications for a configuration item
Baseline Configuration (BC)
This configuration management element should be updated if the change applies to all current and future systems
Baseline Configuration (BC)
Aggregate of standards for a specific category or grouping
Baselines
Model that states no read up and no write down
Bell-Lapadula
This type of metric is intended to help an organization compare themselves to peers
Benchmark
Access Attack
Bluejacking - Bluetooth Discovery - Enables an attacker to send an unsilicited/unwanted message to a bluetooth device Bluesnarfing - Bluetooth Authentication - Discovering and connecting to a bluetooth device with weak or non-existent authentication requirements Blueborne - Device takeover - Exploits protocol weakness NFC (Near Field Communication) Bump - Enables an NFC-enabled attacker to connect to an NFC device by being in close enough range
Unauthorized device access by exploiting a Bluetooth pairing option
Bluesnarfing
This model is designed to defend against conflict of interest
Brewer-Nash
A wireless access point is this type of connectivity device
Bridge
Bridge
Bridges are OSI Layer 2 two port (input and output) devices that connect LANS using the same protocol. - Bridges filter traffic based on MAC address, amplify signals, and can be used to connect dissimilar media - Wireless access points are bridges for wireless and wired IP traffic
Key Attacks
Brute Force - Every possible key is tested (online/offline) Dictionary - List of known kets tested Frequency - Looking for patterns to reveal the key Replay - Attacker tries to reuse a cryptographic transmission
This vulnerability allows an attacker to write to non-allocated system memory
Buffer Overflow
Writing excess data into system memory
Buffer Overflow
Memory / Buffer Vulnerabilities
Buffer Overflow - Overrunning the memory allocated (buffer) for data input and writing the excess data into non-allocated system memory - Impact - The excess data can contain instructions that the processor will execute Memory Leak - Failure of an OS or program to free up dynamically requested memory - Impact - Slow response time (sluggishness). Denial of Service Memory or Code Reuse - Repurpose existing executable code towared malicious purposes - Impact - Elevated privileges
This attack can occur if two NFC devices are in close enough range
Bumping
This type of plan describes the overall strategy for sustaining the business
Business Continuity Plan (BCP)
This process precedes the development of a Business Continuity Plan
Business Impact Analysis (BIA)
Used to support decision making through data-driven insight
Business Intelligence (BI)
Business Alignment
Business alignment mandates that secure design principles are supported throughout the entire organization and incorporates various viewpoints. Business alignment frameworks include: -Zachman Framework -Sherwood Applied Business Security Architecture
This wireless security protocol has been broken and is considered insecure
WEP
This wireless network configuration is based on the 802.11 standard
WLAN
This block cipher mode includes an initialization vector and a component of the previous block ciphertext
CBC Cipher Block Chaining
In this model, content is served using both dedicated and peer computers
CDN Hybrid Mode Content Distribution Network
The term used to describe company issued mobile devices to be used only for business purposes
COBO Company-owned Business Only
The term used to describe a company-owned mobile device that can be used for both professional and personal use
COPE Company-owned Personal Enabled
US regulation that governs the online collection and data use for minors under 13
COPPA Children's Online Privacy Protection Act
The premise of this philosophy is that the proper design and effective use of the physical environment can lead to a reduction in the incidence and fear of crime
CPTED
CPTED Constructs
CPTED relies on psychological and sociological responses - People protect territory they feel is their own, and people have a certain respect for the territory of others. - Intruders do not want to be seen - Limiting access discourages intruders and/or marks them as intruders
This vulnerability is used to execute malicious code on a site by exploiting the trust relationship between a browser and the site
CSRF/XSRF
Well-known database of vulnerabilities and exposures
CVE
The term used to describe giving users a choice of company owned devices for professional use only
CYOD Choose Your Own Device
In this architecture, the processing is distributed between servers and endpoints
Client/Server
Removable Media
Can pose a significant threat to confidentiality and has been the source of numerous data breaches. Best practices include: - Removable media should always be encrypted - Users should be trained in the proper use of removable media including incident reporting for lost, stolen, or misplaced devices. - Removable media used for backup or archival purposes should be catalogued and movement logged - Controls should be implemented to prohibit use of unauthorized meda including restricting USB and other external ports
This methodology is used to assess, develop, and refine a process
Capabilities Maturity Model (CMM)
Certificate Expiration and Renewal
Certificate expiration dates are determined at time of issuance. - Renewal is the responsibility of the owner. If renewal doesn't happen, the certificate becomes invalid. - Renewal options include maintaining the same key pair or generating new keys - The longer keys are in service--the more vulnerable they become.
The process of ensuring that a system meets specific standards
Certification
CHAP and MS-CHAP
Challenge Handshake Authentication Protocol (CHAP) relies on challenge text and a hashing algorithm. - Authentication is initialized by the server and can be performed repeatedly throughout the session - Server sends a random string of characters (challenge text). The user appends the string to their password, hashes the result, and sends it to the server. The server applies the same function. If the results match, the user is authenticated. - MS-CHAP is Microsoft's version of CHAP that extends functionality for Microsoft networks.
Classification Schemas
Classification schemas vary by sector. Governement and military classification schemes include: -US Federal government classification system (FIPS 199) -Military and national security classification (systems and information) Classification schemes are discretionary for the private sector
Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel
Clean desk
Structured development approach used for applications that are subject to strict certifications requirements
Cleanroom
Bootable exact copy of a drive
Clone
File Recovery
Cluster - Fixed length blocks of disk space. Documented in a File Allocation Table or equivalent Slack space - Spaces between the end of a file and the end of the cluster. Slack space can contain data from RAM or segments of deleted files Unallocated space - Clusters that are not allocated to a file. Clusters can contain deleted file fragments. 'Carving' is the process by which deleted files or fragments are recovered Metadata - Data about data - file system, application, pseudo
Alternate Locations & Processing Sites
Cold Site - Has basic HVAC and power infrastructure; no server-related or communications equipment Mobile Site - Is a transportable modular unit. The delivery site must provide access roads, water, waste disposal, power, and connectivity Warm Site - Has an HVAC, server, and communications infrastructure and equipment. Systems might need to be configured. Data needs to be restored. Hot Site - Has an HVAC, servers, and communications infrastructure and equipment. Systems are preconfigured. Data is generally near-time Mirrored Site - Is fully redundant with real-time replication from production site. Can assume processing with virtually no interruption Reciprocal Site - Is based on an agreement to have access to/use of another organization's facilities
Frequency
Collection, assessment, and monitoring frequency are influenced by a number of static and dynamic factors and events including: - Security control volatility - System categorization and classification - Security controls with identified weaknesses - Organizational risk tolerance - Threat information - Vulnerability information - Results of testing and examinations - Change triggers
Hash Attacks
Collision - Using a mathematical technique to force two inputs into producing the same hash value. - The hash method used cannot be relied on anymore to identify different data. Birthday - Exploits the mathematics behind the birthday problem in probability theory to cause a collision Pass-the-Hash - Using captuered hashed credentials from one machine to successfully gain control of another machine.
Primary objective of data labeling
Communicate classification level
Alternate control designed to accomplish the intent of the original control
Compensating
This type of audit compares the control environment to established policies, standards, or rules
Compliance Audit
IPsec Components
Component - Function Authentication Header (AH) - Integrity, Origin Authentication, Replay Attack Protection (HMAC) Encapsulating Security Payload (ESP) - Intrgrity, Origin Authentication, Replay Attack Protection, and Confidentiality (HMAC & Symmetric Encryption) Internet Key Exchange (IKE) - Device authentication and establishing Security Association Security Association (SA) - A negotiation that includes the algorithms that will be used (hasjing and encryption), key length, and key information Security Parameter Index (SPI) - Security Association Identifier
Term used to describe commonly used suite of development tools
Computer-aided Software Engineering (CASE)
Personnel Agreements
Confidentiality / Non-disclosure Agreement (NDA) Acceptable Use Policy (AUP) Agreement
An aggregation of elements treated as a single configuration management entity
Configuration Item (CI)
Data Protection
Containerization - Use of a secure virtual container. - Used to segregate "high risk" applications (e.g. email, browser) and confidential data Storage Segmentation - Segmenting personal and coporate data - Enforcing different access and encryption policies based on folder and storage location (internal v. removable) Full Device Encryption - Requiring the entire device to be encrypted including removable media DLP - Enforces DLP policies - Control what applications can be used to open ("open-in") files - Copy and paste restrictions
This wireless security protocol uses AES for encryption
WPA2
Logging and Monitoring
Continuous logging, analysis, and monitoring can uncover security weakness that may have not been apparent or may have gone unreported - In addition, configuration changes are recorded and can be checked to ensure that they were authorized and that they do not introduce security issues
In an SSAE18 SOC2 audit, the target organization chooses the TSP categories but cannot specify these
Controls
Layered Security
Controls are typically applied in multiple layers because no one control can protect an asset from every type of threat. - This architecture is referred to as defense-in-depth or layered security
Technical (Logical)
Controls provide through the use of technology and/or a digital device Example: Encryption, ACLs, firewall rules, anti-virus software, biometric authentication
Administrative (Managerial)
Controls relating to oversight, laws, rules, regulations, and policies. Example: Policies, procedures, training, audits, compliance reporting
Physical
Controls that can have a material structure (seen, heard, touched) Example: Gate, alarm, guard, barricade, door, lock, CCTV, ID card
This type of lock has a key controlled cylinder
Conventional
EU regulation that requires website inform and consent actions
Cookie Law
The anticipated relationship between the testing team and taget personnel in a white box penetration test
Cooperative
This intellectual property mechanism is designed to protect the expressio n of an idea
Copyright
Type of Investigations
Criminal / Civil / Internal Basis - Law must be broken / Contact violation or dispute / Incident Intent - Intent required / Intentional or accidental / Intentional or accidental Burden of Proof - Beyond a reasonable doubt / Preponderance of evidence / N/A Litigation - Government / Individuals or companies / Administrative Investigation - Assist law enforcement to obtain evidence / Provide evidence of wrongdoing or damage / Prove/disprove event and/or impact
One of the objectives of this plan is to minimize rumors and misinformation
Crisis Communication Plan
This category of patch fixes significant non-security related bugs that can impact performance or cause a malfunction
Critical Update
This type of plan includes procedures for mitigating a cyber attack
Cyber Incident Response Plan (CIRP)
Patents
Designed to protect an invention The invention must be a novel, not obvious, and provide some utility. A patentable invention must be something that can be produced. For all participating members of the World Trade Organization (WTO), a patent is good for 20 years.
In a firewall ACL, this refers to where the traffic is going to
Destination
Data Warehousing
Data warehousing combines data from multiple sources into a large database with the purpose of extensive retrieval and trend analysis.
The function of this type of control is identification
Detective
This type of control identifies and reports a threat agent, action, or incident
Detective
DLP Endpoint Port Blocking
DLP solutions can be used to identify and control end-point ports as well as block access to removeable media. -Identify removable devices / media connected to your network by type (e.g., USB thumb drive, CD burner, smart phone), manufacturer model number, and MAC address -Control and manage removable devices through endpoint ports, including USB, FireWire, Wi-Fi, Modem / Network NIC, and Bluetooth -Require encryption, limit file types, limit file size -Provide detailed forensics on device usage and data transfer by person, time, file type, and amount
The US law that makes it illegal to create products that circumvent copyright protections
DMCA Digital Millennium Copyright Act
Open standards protocol used in process automation environments
DNP3 Distributed Network Protocol
Algorithm that is the US government standard for digital signatures
DSA Digital Signature Algorithm
"At a glance" data visualization tool
Dashboard
Data Center Considerations
Data centers (and equivalent) should be strategically located and whenever possible: - Located in the center of a facility with no external windows or doors - Located on floors other than the basement, first floor, and top floor - Full walls extended from floor to ceiling - Nonpartitioned ceiling
Data Protection -- Obfuscation
Data obfuscation is the act of making a data set difficult to find or understand. 'Data Abstraction' is the concept of separating interface and implementation Data "hiding' is when known data is not accessible to certain processes or users 'Steganography' is the practice of concealing a file within another file
Data Protection Directive / GDPR (EU)
Data protection for all individuals within the European Union. EU Data Protection Directive (EU DPD) and it's successor the GDPR (General Data Protection Regulations) is based upon the Organization for Economic Cooperation and Development (OECD) Privacy Principles. GDPR also addresses the export of data from the EU www.oecd.org
Data Control Decisions
Data security control decisions are generally related to: -Data classification (e.g. protected, confidential, and public) --owner Data state (point in time - rest, use, or transit) -Data at rest (persistent storage (e.g. disk, tape) -Data in use (CPU processing or in RAM) -Data in transit (transmission) Common data protection controls include access management, cryptography, and obfuscation
Private Sector
Deciding upon classification schemes, definitions, and number of levels is a management function. Classification schemes that should be codified in policy and communicated throughout the organization Handling and protection standards should be developed for each classification and communicated throughout the organization
Authentication Decisioning
Decisions regarding the type and number of factors should always be commensurate with the business value of what is being protected, regulatory requirements, and contractual obligations. - Authentication controls should be subject to periodic risk assessments
Match the log analysis techniques Terms Deduplication Correlation Aggregation Normalization Definitions - Consolidating log entried - Relating log entries - Standardizing log details - Removing duplicate entries
Deduplication - Removing duplicate entries Correlation - Relating log entries Aggregation - Consolidating log entried Normalization -Standardizing log details
The principle requires explicit allows
Default Deny
Any action that isnt explicitly denied is allowed
Default allow
Default Allow and Default Deny
Default allow means any access or action not explicitly forbidden is allowed Default deny means any access or action not explicitly allowed is forbidden
Star and Simple Properties
Describe what a subject can do to an object Star [*] implies "write" Simple implies "read"
Social Engineering (SE)
Describes a class of techniques used to manipulate people by deception, into divulging information or performing an action (e.g. unwitting malware distribution) -The information or action may in itself be useful or be a stepping stone -A significant number of security incidents and data breaches have included a social engineering component -Attack vectors include email, phone, text, and physical presence
Single Sign-on (SSO)
Describes a unified login experience in which the user provides a set of credentials one time and is allowed to access multiple systems without needing to authenticate - SSO systems intercepts requests for identification and authentication - SSO can be a bottleneck or single point of failure (SPOF) - Legacy SSO rarely is a true enterprise solution
Identity Management Systems (IdM)
Describes the technical management of user identities (including authentication and authorization) within and/or across enterprise boundaries. Technologies include: - Directory services (LDAP, AD) - on/off premis - Single sign-on (SSO) - on/off premise - Identity-as-a-Service (IDaaS) - cloud - Federated identity management (FIM) - distributed
Trusted Computing System Evaluation Criteria (TCSEC)
Description: -Developed in 1983, TCSEC was used to evaluate, classify, and select systems for the DoD based upon confidentiality requirements. Superseded by the Common Criteria Function: -Original publication as the 'orange book'. Expanded to 20+ books known as the 'rainbow series'
IT Security Evaluation Criteria (ITSEC)
Description: -Developed in 1991 by a consortium of European nations, ITSEC is used to evaluate the functionality and assurance of a computer system based upon a vendor-defined set of requirements Function: -Functionality and assurance evaluated independently and separately.
Common Criteria
Description: -Developed in 1993 by the ISO, the "Common Criteria' provides a universal structure and language for expressing product and system requirements Function: -The Common Criteria evaluates products against a protection profile and results are published
Information | Cybersecurity governance is the responsibility of leadership to:
Determine and articulate the organization's desired state of security Provide the strategic direction, resources, funding, and support to ensure that the desired state of security can be achieved and sustained. Maintain responsibility and accountability through oversight.
Control Cross-Over Examples Firewall (Technical Control)
Deterrent - "Hardened" appearance discourages opportunistic attacks Preventative - Rule-set blocks certain ingress and egress traffic Detective - Activity is logged and alerts can be configured Corrective - N/A
Control Cross-Over Examples Security Awareness Training (Administrative Control)
Deterrent - Advises participants of penalties and consequences Preventative - Teaches participants what NOT to do Detective - Trains participants on what to be "on the lookout for" suspicious activity and how to report it Corrective - Instructs participants on how to respond to threat
Methodology that promotes collaberation between developers and operations personnel
DevOps
Policy Lifecycle Responsibilities for Board of Directors or Executive Management
Develop - Communicate guiding principles. Review and authorize policy. Publish - Champion the policy Adopt - Lead by example Review - Reauthorize or approve retirement
Policy Lifecycle Responsibilities for Operational Management
Develop - Plan, research, write, vet, review and approve. Publish - Communicate, disseminate, and educate Adopt - Implement, evaluate, monitor and enforce Review - Provide feedback and make recommendations
Policy Lifecycle
Develop: Plan, Write, Approve Publish: Communicate, Disseminate, Educate Adopt: Implement, Monitor, Enforce Review: Solicit Feedback, Reauthorize or Retire
Integrated Product and Process Development (IPPD)
Developed by the DoD and is described as a multidisciplinary management technique that uses design tools such as modeling and simulation, teams and best commercial practices to develop products and their related processes concurrently - The core of the IPPD process is integrated product teams - Integrated product teams (IPTS) are composed of representatives from all appropriate functional disciplines working together to build successful programs and enabling decision-makers to make the right decisions at the right time
SSL
Developed in 1995, Secure Socket Layer (SSL) is used to establish a secure communication channel between two TCP sessions by negotiation. Default SSL port is 443 Steps: 1 - Client sends connection request. 2 - Server responds saying Secure connection is needed 3 - Client requests security capabilities 4 - Encrypted Session Established. **In 2015, SSL 3.0 was deprecated. New vulnerabilities continue to be discovered. SSL 2.0 and 3.0 should be diabled
This backup strategy backs up all files created or modified since the last full backup
Differential
This cipher outcome sends bits through multiple rounds of transposition
Diffusion
Primary Attack Vectors
Digital Infrastructure Human Physical Infrastructure
Digital Infrastructure
Disruption, manipulation, or compromise of network or host hardware, services, application, data, or transmission. Subst is crytographic which is disruption, manipulation, or compromise of crytographic algorithms, protocols, services, applications, or data
In this penetration test approach, neither the testing team nor the target have been given any information
Double blind
Potential liability incurred by a company whose computer systems are compromised
Downstream Liability
Current US government standard asymmetric algorithm
ECC Elliptic Curve Cryptosystem
Automated testing technique that inputs data in a program and monitors the response
Fuzzing
Secure Coding Incentive
Eliminating vulnerabilities during development can result in a two to three orders-of-magnitude reduction in the total cost of repairing the code vs making the repairs afterwards
Contains a microprocessor and software designed to perform a specific task
Embedded System
Mobile Device Management (MDM)
Encompasses deploying, securing, monitoring, integrating, and managing mobile devices in the workplace - The intent of MDM is to optimize the functionality and security of mobile devices, while simultaneously protecting the corporate network - MDM solutions can be local or cloud based
Control that transforms plaintext to ciphertext
Encryption
Cryptographic technique used to protect confidentiality
Encryption
Data protection control recommended for all mobile devices
Encryption
The process of making data "unreadable" without the key
Encryption
Endpoint Firewalls
Endpoint firewalls (known as 'local, host-based, or software' firewall) is a protective boundary for the local device that monitors and restricts ingress and egress access. - Endpoint firewalls generally employ stateful packet filtering that examine source and destination addresses, source and destination ports, and protocol number and compares them to predefined rules
Endpoint Security
Endpoint security is the process of securing various endpoints on a network including: - Mobile devices - Desktop devices - Data center devices Endpoint security management is a standards-based approach that requires devices to comply with specific criteria
Session Management
Ensures that any instance of identification and authentication to a resource is managed properly - 'Broken Authentication' attacks use leaks or flaws in the authentication or session management functions (e.g. exposed accounts, passwords, session IDs) to impersonate users and gain system access
This automated code testing technique is used to discover coding error and security loopholes by inputting invalid or unexpected data
Fuzzing
These tools are used to discover and document information such as running services, users, and groups
Enumeration Tools
EMI and RFI
Equipment and copper cable are sensitive to electromagnetic interference (EMI) and radio frequency interference (RFI). - EMI is due to electromagnetic conduction or radiation. Almost any type of electrical device can cause EMI - RFI is due to AM/FM and cellular tower transmissions - Equipment should have limited exposure to magnets, fluorescent lights, electrical motors, space heaters, and wireless access points. - Copper cable should be shielded
Chain of Custody
Establishes the proof that the items of evidence collected at the crime scene is the same evidence that is being presented in a court of law (integrity). The chain of custody log would contain: - Identifying information - Handlers - Time and date (including time zones) of each occurrence of evidence handling - Locations where the evidence was stored
Establishing an ISCM Program
Establishing an ISCM program requires the organization to define criteria and processes including (but not lmited to): - Metrics - Frequency of data collection, assessment, and reporting - ISCM implementation tools and methodologies
Examination & Testing Comparison
Examination Strengths - May gain insight not otherwise available - Broad scope of coverage with limited resources Examination Weaknesses - May not provide assurance that the security controls are working as intended Testing Strength - Can provide a real-world picture of an organization's security posture - Can evolve over time and mimic current attacker techniques Testing Weaknesses - May not provide a comprehensive evaluation due to limitations of time. resources. or tester - May be intrusive
Approach
Examinations and tests may be conducted by internal or external personnel. Examinations and testing may be covert or overt - Overt assessments are generally cooperative and are known to all relevant personnel - Covert assessments can be adversarial and are known to a limited subset of personnel. Often, personnel associated with the target are not read in. Visibility and accessibility is often determined by who is conducting the assessment
Examination Objectives
Examinations are used to determine if the assessment object is properly documented and to gain operational insight regarding effectiveness, suitability, and survivability - Examinations generally focus on policies, standards, baselines, procedures, plans, probrams, configuration settings, output, and reports - Examinations are considered a passive activity with minimal (if any) anticipated operational impact
The audience for simulation exercise topics of extortion, intellectual property theft, and exposure of customer information
Executives
Federal Information Security Management Act (FISMA)
FISMA requires federal agencies to implement a program to provide security for their information and information systems including those provided by or managed by another agency.
US Federal Agency responsible for responding to and coordinating the response to a disaster that has occured in the United States
Federal Emergency Management Agency (FEMA)
FTPS
File Transfer Protocol (FTP) is used for file access, file transfer, and file management. Authentication data and payload are transmitted in clear text and subject to eavesdropping, replay, and MiTM attacks - FTPS (File Transfer Protocol Secure) is an extension to FTP that adds support for SSL and TLS in order to encrypt the file transfer channel (TCP port 990 or 21) - Don't confuse FTPS with SFTP. SFTP uses SSH and runs on port 22 - Use case: Secure file transfer
Fire
Fire protection is comprised of three elements: - Fire prevention is the first line of defense - Fire detection is realizing there is a fire while it is still small and controlable - Fire suppression and containment is actually dealing with the fire
This devicee reports on ingress and egress traffic
Firewall
Detective and Preventative Solutions
Firewall - Ingress and egress traffic Filters - Data access IDS/IPS - Intrusion attempts NAC - Connections to the network DLP - Data exfiltration Honeypot - Knowledge and investigation Sandbox - Isolation Anti-malware - Malicious code *Honeypot is not a Preventative solution
Sampling Approaches
Fixed Sample Plan - % of occurrence in a defined population (how many) Stop and go Sampling - Sampling model that allows the auditor to stop once a reasonable conclusion can be drawn or hypothesis supported Discovery / Exploratory Sampliung - Used when evidence of a single error or instance would be material (e.g. fraud, illegal activity)
Examination
Forensic examination should be conducted by trained personnel. It is easy to contaminate or destroy evidence The examiner should document all activity including action taken, tools or procedures used, and results - There are a number of open source and commercial forensic products available - Whenever possible, examinations should be conducted on exact images or replicas and not on the original data source
Categories of Software Licensing
Freeware, Shareware, Commercial (Academic being a subset of commercial) Within each of these categories are specific types of agreements that are legally enforceable including master agreements and end-user license agreements (EULAs)
Traditional Backup Strategies
Full Backup - Backs up all files - Full backup media Differential - Backs up all files created or modified since last full backup. Does not reset archive bit - Full backup + most recent differential Incremental - Backs up all changed files. Does reset archive bit. - Full backup + all subsequent incremental
This traditional backup strategy has the fastest recover
Full backup
This category of patch corrects non-security related operational issues
Functional Update
Permissions
Functions that a subject can perform on an object, a file or a folder; for example, read, write, modify, and delete - Access control lists are generally used to assign permissions - Permissions can be assigned to user accounts, group accounts, or resources depending upon the system or device - Permissions are generally cumulative - Permissions can be explixit or inherited - Permissions should be audited on a regular basis
Invalid, unexpected, or semi random data used by automated testing
Fuzz
Match the quality and performance testing type and condition Type: Fuzzing Stress Testing Synthetic transactions Use Case Conditions - Availability and response time emulation - Injection of invalid data - Abnormal condition response - Normal operating condition response
Fuzzing - Injection of invalid data Stress Testing - Abnormal condition response Synthetic transactions - - Availability and response time emulation Use Case - Normal operating condition response
US regulation that protects the privacy of consumer financial information
GLBA Gramm-Leach-Bliley Act
Executive Continuing Education
General Contraints -Time is limited -Technical expertise may be minimal -Patience for not understanding is limited Objective is insight and understanding for the long-term -Know your audience presentation preferences -Provide a discussion framework and pre-reading materials -Be specific to institutional goals (including regulatory requirements) -Use business language -Cover a limited number of topics - stay focused
Configuration Guidance Examples
Government (Public Sector): NIST SP 800 Publications NIST Checklist Program Repository Vendor (Private Sector): Microsoft Security Compliance Manager Cisco Guide to Harden Cisco ISO Devices
This procedure format works well in global contexts
Graphic
Fire suppression gas that was banned by the Montreal Protocol of 1987
Halon
These inform users how to protect and interact with data and systems
Handling standards
Rules associated with making a connection
Handshake
Match the alternate locations with their descriptions Locations: Hot site Mirrored site Warm site Cold site Mobile site Descriptions: - Self contained unit - Basic HVAC and power infrastructure - Fully redundant site - Systems are preconfigured, data is neartime - HVAC, communications infrastructure and equipment
Hot site - Systems are preconfigured, data is neartime Mirrored site - Fully redundant site Warm site - HVAC, communications infrastructure and equipment Cold site - Basic HVAC and power infrastructure Mobile site - Self contained unit
The number one workplace safety priority
Human life and safety
Trusted, sector-specific entities established by PDD63
ISACs
Internationally recognized Information Security Framework
ISO 27000
ISO Quality Management Certification
ISO 9001
Incident Response (IR) Process - Identification
Identify and analyze indicators of attack (IOA) and indicators or compromise (IOC) - Examples include IDS, SIEM, AV, File integrity checking, logs, network flows, threat intelligence, people
Identity and Access Services
Identity and access services is a term used to describe authentication, authorization, and accounting functions. - An authentication protocol is used solely for user validation (authentication) - AAA architecture protocols are used for validating the user (authentication), controlling access to server data (authorization), and monitoring network resources use (accounting)
Identity and Authentication
Identity is a distinguishing characteristic (e.g. user name) Registration is the process of verifying an identity (e.g. drivers license) Authentication is the process of proving an identity to an authentication system - The proof is referred to as a 'factor' - The combination of a user name and factor is referred to as 'credentials'
SE Physical Presence Techniques
Impersonation - Impersonating a "trusted" source in order to gain access Shoulder Surfing - Covert observation Piggybacking/Tailgating - When an unauthorized person enters a checkpoint close behind, or in concert with authorized personnel Dumpster Diving - Rummaging through trash and recycling in search of information
OWASP Top 5 2016 Application Flaws
Improper Platform Usage - Misuse of a platform feature or failure to use platform security controls Insecure Data Storage - Insecure data storage and unintended distribution of data (data leakage) Insecure Communication - Poor handshaking (rules to establish a connection), incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc Insecure Authentication - Failure to identify the user, weakness in session management or bad session management Insufficient Cyptography - The code applies cryptography to a sensitive information asset; however, the cryptography is insufficient in some ways
Centralized
In a 'centralized computing environment', processing occurs within mainframe or terminal host and clients (terminals, thin clients) are limited to simple interaction and emulation -Security advantage is controls can be implemented and tightly controlled -Security disadvantage is that configuration errors and unaddressed vulnerabilities can impact all client systems.
Distributed Systems
In a 'distributed systems environment', there is no central authority. Security considerations: -Each node is responsible for its own security -Distributed ownership and management -Local data stores -Peer-to-Peer (P2P) access -Malware distribution
Disaster Recovery Planning
In a business context, disasters are disruptive events that significantly impact an organization's capability to operate. The cause can be environmental, operational, accidental, or willful - The goal of disaster recovery planning is to minimize the impact of a disaster and restore normal operating conditions as soon as possible - Disaster recovery planning includes response, recovery, and resumption plans - A business continuity plan takes a broader approach and addresses how to operate in abnormal operating conditions
Trial Witness
In a court trial, witnesses can be called to testify by either the defense or prosecution - Factual witness is an individual who is knowledgeable about the facts of the case through direct participation or observations - Expert witness is a preson who has knowledge beyond that of an ordinary lay person enabling them to give testimony regarding an issue that requires expertise to understand. Experts are allowed to give an opinion
Client | Server
In a hterogeneous client/server environment, processing is distributed and there is inherent trust, which makes every endpoint a potential target and every connection a potential conduit. Security considerations: -Privileged use -Outdated operating systems and applications -Malware distribution -Unauthorized remote access
Hash Function Characteristics
In order to be considered secure, cryptographic hash functions must meet three criteria: -Output must not be reversible (one-way representation) -Variable length input must produce fixed length output -Output must be unique to the input. If a hash function produces the same value for two different inputs, the result is known as a 'collision'
Location term when an intrusion prevention device is placed directly in the flow of traffic
In-band / In-line
This phase of incident management focuses on monitoring
Incident detection
Data Breach Disclosure & Notification
Incidents classified as a confirmed or high probability breach may trigger disclosure and notification requirements.
Incident Management
Includes incident prevention, preparation, detection, and response. - 'Incident prevention' includes threat modeling, risk assessment, controls implementation, monitoring, and assurance activities - 'Incident preparation' includes planning, documenting, assignin responsibilities, training, and practicing response capabilities - 'Incident detection' inlcudes monitoring, incident reporting, analysis, and participation in threat intelligence and information sharing activities - 'Incident response' includes containment, eradication, and recovery
Firewall Configuration Planning
Ingress/Egress Filtering - Default allow - if not explicitly denied, then access is allowed - Default deny - if not explicitly allowed, the access is denied NAT - private to public IP address mapping Business Rules - By IP address, protocols, ports, users or groups, and time or day Approvals and Administration - Process for approving a new rule. Process for approving an exception Monitoring / Logging - Configuration of logs, log review, and log archive Review / Testing - Review of configuration and rule-set, identifying vulnerabilities, testing access, and exploits
What the process of restricting input and output based on specific parameters is known as
Input/output validation
Web Security
Insecure code is 'more often than not' the result of a flawed process, competing priorities, or rush to market: -Web security is the result of a deliberate process that prioritizes security from the initiation of the project through the end of the lifecycle
The motivation for this adversary may include grievance, morality, coercion, and/or financial pressure
Insider
Instant Messaging and Chat
Instant messaging and chat services were initially designed for real-time text communication but have expanded to include voice, video, screen sharing, and file exchange. - Threats include packet sniffing, eavesdropping, unauthorized participation, data leakage, malware distribution, and social engineering - Corresponding mitigating controls include firewall restrictions, encryption, authentication and password security, and user awareness training
Secure DevOps
Instead of security operating as an isolated discipline, 'Secure DevOps' aims to integrate security into the development processes from inception. -The Secure DevOps approach enables developers to learn more about how what they are developing can be exploited. -Secure DevOps proactively focuses on survivability by providing reliable software with a reduced attack surface
Procedures
Instructions for how a policy, standard, baseline, or guideline is carried out in a given situation. Procedures focus on discrete actions or steps, with a specific starting and ending point. Four commonly used formats: Simple step - 1, 2, 3, 4 Hierarchy - High level then sublevels Graphic - Using pictures Flowchart - Decisions
Framework Focus
International National Regulatory Industry specific
Publisher of 22301:2012 Business Continuity Management Systems Requirements
International Organization for Standardization (ISO)
Internet and Transport Layer Protocols
Internet - IP - Addressing and routing Internet - ARP - MAC to IP translation Internet - ICMP - Error control and troubleshooting Internet - Internet Group Management Protocol (IGMP) - Multicasting Transport - TCP - Connection oriented delivery Transport - UDP - Connectionless delivery
Privacy Impact Assessment (PIA)
Is a decision-making tool used to identify and mitigate privacy risks at the 'beginning of and throughout the development life cycle' of a program or system. PIAs generally include the following information: -Description of the system -What PII, if any, is collected or used -Why it is being collected -From whom is the PII collected -Privacy requirements (regulatory, contractual, ethical) -How it will be used, accessed, secured, shared and stored.
Capability Maturity Model (CMM)
Is a methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes 1: Initial - Process is unpredictable, poorly controlled, and reactive 2: Managed - Project-oriented management but still reactive 3: Defined - Project-oriented, basic standardization, proactive 4: Quantitatively Managed - Processes are measured and controlled 5: Optimized - Focused on process improvement
Hardware Security Module (HSM)
Is a physical device whose function is secure cryptoprocessing. -HSMs take the form of adapter cards, USBs, or appliances -HSMs can be clustered for high availability -Fast, scalable, and expensive -Use case: Used for encryption during secure login/authentication processes, during digital signings of data (e.g. certification authority), and for payment security systems (e.g. ATMs)
Trusted Platform Module (TPM)
Is a special hardware chip installed on a computer's motherboard that is responsible for protecting passwords, symmetric and asymmetric keys, hashes, and digital certificates that are specific to that system hardware -The chip contains an RSA key used for encryption and authentication -TPMs are compatible with most operting systems -Use case: encrypting hard drives independent of the drive itself
Security Content Automation Protocol (SCAP)
Is a suite of specifications to enable automated vulnerability management, measurement, and policy compliance - Protocol specifications are published and maintained by NIST - NIST SP 800-126 is the Technical Specification for the Security Content Automation Protocol (SCAP)
Exposure
Is a system or software configuration issue or lack of a control that could contribute to a successful exploit or compromise Common examples of exposure include: - Default settings - Running unnecessary services that are common attack points (e.g. HTTP, FTP, or SMTP) - Weak passwords - End of life applications and devices - System sprawl
Information Sharing and Analysis Center (ISAC)
Is a trusted, sector-specific entity that provides sector-specific information sharing about vulnerabilities, threats, and incidents - ISACs are a concept that was introduced in Presidential Decision Directive 63 to promote critical infrastructure information sharing - ISACs range from the Aviation ISAC to the Water ISAC
Certification and Accreditation (C&A)
Is a two-step process that relates to the trustworthiness and acceptance of a product, system, or process. -'Certification' is the process of evaluating, testing, and examining security controls. The evaluation compares the current systems' security posture with specific standards. -'Accreditation' is the process of an authority (management) granint approval to operate a system for a specified period of time with the understanding of the residual risks identified during the certification process.
Federated Identity Management (FIM)
Is an arrangement made among multiple enterprises that allows users (and sometime objects) to use the same identification data to obtain access to disparate resources (aka "portable identity") - Technologies used for federated identity include Security Assertion Markup Language (SAML), OAuth, OpenID Connect, and Shibboleth
Security Incident
Is an event or action that endangers the confidentiality, integrity, or availability of information or information systems - A 'data breach' is when data is exfiltrated or extracted or there is a loss of internal control. A data breach may trigger reporting and notification requirements
Unified Extensible Firmware Interface (UEFI)
Is an open standard interface layer between the firmware and the operating system that requires firmware updates to be digitally signed -Designed as a replacement for traditional PC BIOS -Additional functionality includes support for Secure Boot, network authentication, and universal graphics drivers -Protects against BIOS malware attacks including rootkits
Distributed Network Protocol (DNP3)
Is an open standards-based communications protocol used between components in process automation systems. - Operates at Layers 2, 4 and 7 - Used primarilty in the electric, water, waste water, transportation, oil, and gas industries - DNP3 was developed to meet the need for a standard protocol that would allow SCADA system components developed by differing vendors to talk - DNP3 ensures the reliability of communications within the harsh environment of utilities (error checking - no security)
Malware Distribution Channel
Is designed to entice users to unwittingly install the malicious code by employing enticing tactics including: - Phishing emails with embedded web links or attachments - Social media web links - Web drive-by downloads - Embedded in pictures, movies, or advertising - Embedded in portable media (USB)
Basic Input Output System (BIOS)
Is non-volatile firmware used to perform hardware initialization during the booting process, and to provide runtime services for operating systems and programs. A password is generally required to access the BIOS and perform the following functions: -Authorize boot up sequence -Make changes to the BIOS configuration
Security-as-a-Service (SecaaS)
Is the delivery of managed security services for public, private, and hybrid cloud environments -SecaaS relieves the burden of relying on the SaaS, PaaS, or IaaS vendor for security protection and enforcement. -Services include encryption, activity monitoring, DLP, malware detection, filtering, firewall, policy enforcement, email security, intrusion detection, authentication, and more. -The cloud security market is expected to reach $8.71 billion by 2019.
Unified Threat Management (UTM)
Is the evolution of the traditional firewall into an all inclusive device performing multiple security functions such as firewall, IDS/IPS, gateway anti-virus and anti-spam content filtering, data loss prevention, and user activity audit reporting - Advantages include reduced operational complexity and overhead cost - Disadvantages include single point of falure and vendor dependency
Data Transmission
Is the physical transfer of data over a communication channel. - Network data transmission components include transmission media, connectivity devices, and circuits
Secure Coding
Is the practice of following secure coding standards couples with the use of testing tools to detect code vulnerabilities - In order for applications to be designated and implemented with proper security requirements, secure coding practices and focus on security risks must be integrated into day-to-day operations and the development processes - Three precursors to secure coding are application security training, defining requirements, and threat modeling
Input Validation
Is used to detect unauthorized input before it is processed by the application. - Input validation should be applied to all input data - Synactic validation enforces correct syntax of structured fields (e.g. SSN, data, currency symbol) - Semantic validation enforces correctness of values (e.g. start date is before end date, price is within expected range)
Sampling
Is used to infer characteristics about a population based upon the characteristics of a sample. - Evidence sampling is applying a procedure to less than 100% of the population - Sampling risk is risk where the assessor's conclusion is baed on a sample that might be different ifthey examined or tested the entire population
Desktop Virtualization (VDI)
Is virtualization technology that hosts a desktop operating system on a centralized server in a data center. - Persistent VDI provides each user with his or her own desktop image, which can be customized and saved for future use, much like a traditional physical desktop - Nonpersistent VDI provides a pool of uniform desktops that users can access when needed. Nonpersistent desktops revert to their original state each time the user logs out.
Certificate of Destruction
Issued by commercial services upon destruction of media (for example, paper, CD/DVD, tape, and drives). The certificate should at a minimum include: -Date of destruction -Description of media (including serial number, if appropriate) -Method of destruction -Witnesses -Company Name
User Secuirty Controls
Job Rotation - Rotating assignments (fraud deterrent and detection) Mandatory Vacation - Requiring employees to take a set amount of vacation time (fraud deterrent and detection) Separation of Duties - Breaking a process into takss so that no one subject is in complete control (fraud prevention/deterrent - would require collusion) Dual Control - Requiring more than one subject of key to complete a specific task (fraud prevention/deterrent - would require collusion) Clean Desk - Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel)
Business process metrics used by management
KPIs Key Performance Indicators
Administrative Forensic Procedures
Keep a log - Record all investigative activity - date, time, details Record Time Offset - Record any differential between true and evidence time stamp Talk to Winesses - Record witness statements as soon as possible (recollections change with time) Take pictures (screenshots) and videos - Capture information without chance of contamination Track Resources - Track man-hours, expenses and equipment costs Retention Policy - Determine how long evidence must be retained for and under whose control
Kerberos Components
Kerberos Server - Key Distribution Center (KDC) - Authentication Server (AS) - Ticket Granting Service (TGS) Resource - Trust Principal
Cryptographic Terminology - Key
Key / Cryptovariable - Secret value used with an algorithm - The key dictates what parts of the algorithm will be used, in what order, and with what values Key Space - Number of possible key combinations - e.g. 256-bit = 2^256 = 1.1578 * 1077 possible keys Key Stretching - The inital key is fed into an algorithm that outputs an 'enhanced' (stronger) key Symmetric - Using a single key Asymmetric - Using two mathematically related keys (public / private)
In this cryptanalysis approach, a sample of the ciphertext is available without the plaintext associated with it
Known Ciphertext
High-risk targets generally require this sample size
Large
In this architecture, multiple systems work in concert
Large-scale Parallel System
An expression of how much time it takes for a packet of data to get from one designated point to another
Latency
Layers
Layers reference specific functions. - Layers provide 'encapsulation' - Higher levels envelope lower levels Layers provide abstraction - Layers provide a stream of data. The underlying implementation is irrelevant Layers provide decoupling - Technologies can be substituted as long as they communicate with upper and lower levels the same way (e.g. substitute IPv6 for IPv4
This principle states that information systems should have only essential services, ports, and accounts enabled
Least functionality
The minimum set of permissions needed to perform a task
Least privilege
An order that suspends the modification, deletion, and/or destruction of records and media
Legal Hold
Legal Considerations
Legal considerations include authorization, liability, indemnification, nondisclosure, and privacy - Authorization is often required from third parties that host assessment objects; not doing so is a violation of a contract - Contracts with external assessors may include SLAs, limitation of liability, and indemnification clauses that should be reviewed by legal counsel - Potential privacy violations should be identified - Nondisclosure contracts or agreements should protect disclosure of data collection and findings
RAID Configurations
Level 0 - Data written (striped) across multiple disks - Performance only Level 1 - Data mirrored on two identical drives - Fault Tolerance Level 5 - Data is written (striped) across three or more drives with one parity strip. Can auto-recover one drive - Fault Tolerance and Performance Level 6 - Data is written (striped) across three or more drives with two parity stripes. Can auto-recover two drives - Fault Tolerance Level 10 (1+0) - Data is simultaneously mirrored and striped across several drives (min 4 drives) - Fault Tolerance and Performance
Residual Risk
Level of risk after treatment
Examples of this inventory attribute include subscription, contract, perpetual
License
Site Security Controls
Lighting - can be continuous, motion triggered, random, times, or standby - Lighting should be tamper proof and have a backup power supply Signs - Signs for personnel safety and intruder deterrence Physical Barrier - Fences, walls, gates, barricades, and bollards define the perimeter Security Guards - Security personnel may be stationed at checkpoints, patrol the area, manage surveillance, and respond to breaches and/or suspicious activity
Windows Service Accounts (example)
Local System - Very high privileged built in account Local Service - Built in account that has the same level of access to resources and objects as members of the Users group Network Service - Built in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account
Intrusion Detection Response
Logging - Recording information about the event - Passive Notification - Communicating event-related information - Passive Shunning - Ignoring the event as it is not applicable - Passive Terminating - Ending the impacted process or session (e.g. forced RST) - Active/Inline Instructing - Making a configuration change (e.g. shut down port 80) - Active/Inline Deception - Allowing the attacker to think the attack was successful in order to gather information about the intrusion (e.g. honeypot) - Active/Inline
Log Security
Logs might contain confidential information including: - Device and architecture identification - User and group information and membership - Application and patch data - Evidence of wrongdoing - PII or payment card data if transaction data is captured Logs should always be securely transmitted and stored
Developer
Maintenance Hook (Backdoor) - A hidden mechanism that bypasses access control measures. Used by programmers during the development stage to gain access to the program in case the access control malfunctions - Impact - Unauthorized access & Elevated privileges
This is a hidden mechanism used by a programmer to gain system access
Maintenance hook (Backdoor)
Managed Switches
Managed switches provide the ability to configure, manage, and monitor the device via: - Serial console command-line interface - Remote Telnet, SSH, HTTP, or HTTPS interface - Embedded simple network management protocol (SNMP)
Subject Based Access
Mandatory access control (MAC) - Access is based on relationship between subject clearance and need to know and the object classification label - Security Labels Discretionary access control (DAC) - Data owners decide subject access - Access Control Lists, Capabilities, Tables Role-based access control (RBAC) - Access is based on the subject's assigned roles. Many-many relationships allowed - Access Control Lists, Capabilities, Tables, Security Policy
Poisoning
Manipulating a trusted source of data (e.g. DNS) Enables an attacker to act as the trusted source and redirect/manipulate actions
Two-tier barrier with an entry door on one side and an exit door on the opposite side
Mantrap
These tools are used to create physical and logical diagrams
Mapping Tools
Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO)
Maximum time a process/service can be unavailable without causing significant harm to the Business.
Compliance Examinations
May be conducted by regulatory agencies or on behalf of certification bodies to gauge statutory or contractual compliance - Examination reports may include an opinion, detailed findings, related recommendations, and as applicable, required next steps - Examiners will expect to have direct access to executive managment and the Board of Directors - Failure can result in decertification, files, or other penalties
Synthetic Transactions
Measurement of availability and response times using recorded actions that emulate a specific interaction
Data Encryption
Media containing legally protected, sensitive, or confidential data should always be encrypted. Numerour regulations and contractual obligations require encryption including: - PCI DSS requires encryption of payment card data - MA 201 CMR 17 requires encryption of all personal information stored on laptops or other portable devices - HIPPA/HITECH offers safe harbor for notification for incidents in which the ePHI is encrypted
Owners
Members of management responsible for the protection of a subset of information.
Incident Mgmt. Team Membership
Membership if the 'incident management team (IMT)' is generally composed of internal personnel and adjunct (as needed) external resources. - Internal personnel should represent a cross-section of the organization including operations, information security, information technology, risk management, marketing, legal and compliance, and executive management - External resources include forensic experts, legal counsel, insurance representatives, public relations, and law enforcement
External Relationships
Might include (but are not limited to) moving assistance, equipment procurement, personnel augmentation, physical security, and public relations. - Contracts should clearly state the type of service, expenses, activation and notification requirements, response protocols, length of service, and compliance requirments
MDM Control Categories
Mobile device management software is used to control deployment, manage settings (policies), and report on activity and usage. MDM control categories include: - Device tracking - Data protection - Authentication - Application and content management
Mobile Controls
Mobile workplaces should be considered a logical and physical extension of the internal network and secured accordingly. -Administrative controls such as remote computing policy, standards and agreements, and training -Technical controls that mimic internal design and ensure secure connections -Physical controls such as locks and cases
Corresponding key to a "public key"
Private key
In a broken authentication attack, this type of account is frequently targeted
Privileged
NAC Policies
NAC 'pre-admission policies' determine if a device is allowed on the network and if so, what segment based on 'host health' (e.g. AV, patch level, firewall and IDS status, configuration settings). - Depending upon the result, the device is allowed network access or is quarantined - NAC 'post-admission policies' regulate and restrict access once the connection is allowed
The process of mapping private internal IP addresses to public IP addresses
NAT
This program is the US government repository of publicly available security guidance
NCP National Checklist Program
Agreement to protect the confidentiality of information
NDA Non-disclosure Agreement
Short range wireless technology used in commerce
NFC Near field communication
Publusher of the SP800 series
NIST National Institute of Standards and Technology
This controls framework is designed for public and private use to enhance and measure cyber resilience
NIST Cybersecurity Framework
This NIST publication describes the US federal government risk assessment methodology
NIST SP 800-30
At what layer in the OSI model do switches that can filter traffic by IP addresses operate? Application Presentation Session Transport Network Data Link Physical
Network
Embedded System Attacks
Network Attack - Exploit the protocol or implementation (e.g. open ports) -Injection (e.g. persistent malware) -Privilege escalation -Packet capture Active Side Channel - Using a voltage glitch on the power supply to cause a program malfunction Memory and Bus - Physically connect to the hardware and read the contents of the memory Weak Authentication - Using the known default administrator password to gain access. Botnet - Weaponization of devices (bots) for use in DDoS attacks Stepping Stone - Embedded devices such as HVAC systems, printers/MFDs, and camera systems are often connected to a network "unmanaged"
Set of CPU instructions and assigned resources
Process
Network Performance Metrics
Network latency is an expression of how much time it takes for a packet of data to get from one designated point to another - Throughput is the quality of work made by the system per unit of time - Transmission throughput = # bytes/sec
Authentication framework that enables application to obtain limited access to user accounts on an HTTP service
OAuth 2.0
This process queries the status of certificates in real-time
OCSP Online Certificate Status Protocol
Internationally recognized privacy framework
OECD Privacy Principles
Civil Case
Objective of the civil investigation is to provide evidence of wrongdoing or damage. - Civil litigation includes (but is not limited to) intellectual property theft, contract violations, and patent infringements - In a civil case, the standard for burden of proof if a "preponderance of evidence"
This type of plan includes procedures for minimizing loss of life and property
Occupancy Emergency Plan (OEP)
Remote location in the same geographic area as a contracing organization
Off-site
Process of transitioning an employee out of an organization
Offboarding
Acquisition of evidence before it disappears, is overwritten, or is no longer useful
Order of volatility
Personnel Privacy
Organizations have an obligation to collect only what is required and to protect personnel records (e.g. personnel files, PII, medical records) in accordance with all applicable laws and regulations - However, privacy does not extent to use of corporate assets or company related activites - Organizations can (and frequently do) monitor personnel activity. Including in the AUP aggreement should be a "no expectation of privacy" statement
Supply Chain Agreements
Organizations should exercise due care for supply chain vendors which include the following: -Contractual obligations specific to responsibilities, compliance, controls, coordination of incident response and business continuity, reporting and 'audit access' -Nondisclosure / confidentiality agreements -Service level agreements (SLA) committing to a required level of service and support - May include incentives, penalty provisions, and enforcement actions
The primary motive for this adversary is financial gain
Organized Crime
Use of more than one communication channel for authentication
Out-of-Band
This type of challenge question is derived from subscription databases
Out-of-wallet
Term used to describe when services are to be performed by third parties
Outsourcing
VPN Protocols
PPTP - Microsoft's implementation of secure communication over a VPN - Designed to secure Point-to-Point protocol (PPP) - No longer considered secure L2TP - Cisco's implementation of secure communication over a VPN - Combines Layer 2 Forwarding and PPTP - Can be used on IP and non IP networks SSL - Uses SSL or its successor TLS for single or multiple connections using a browser - User connects to an SSL Gateway or endpoint - SSL VPN Portal is a single connection to multiple services IPsec - Defacto standard for IP-based VPNS
Geofencing
Process of defining a cirtual boundary ("geofence") around a specific physical area - Define where devices can be used - Identify when a device enters a secure earea - Multifactor authentication
Firewall Security Features
Packet Filtering (all) - Analyzes network packet addressing for malformed packets, attacks, and spoofed IP addresses Access Control Lists (all) - Restrict access including IP address, port, protocol, time/day, and custom rules State - 'Stateless' firewalls treat datagram individually. 'Stateful' firewalls are able to associate packets with previous and future packets Application Layer Filtering - Apply rules that are specific to applications and services Network Address Translation (NAT) - Map internal private IP addresses to public IP addresses
Packet Loss
Packet loss is disruptive to voice and video and will degrade the communication channel - VoIP uses 'Real-time Transmission Protocol (RTP)' which does not guarantee delivery but is designed to request redelivery of a packet - 'Secure Real-time Transport Protocol (SRTP)' is an extension of RTP that incorporates enhanced security features. - SRTP uses encryption and authentication to minimize risk of denial of service and replay attacks
In this configuration, redundant components are inactive until a failure occurs
Passive (standby) fault tolerance
Match the physical security IDS characteristics and system Systems: Passive infrared Proximity Motion Photometric Contact Characteristics - Detects changes in light - Detects break in electrical circuit - Detects physical disturbance - Measures magnetic field - Detects changes in heat
Passive infrared - Detects changes in heat Proximity - Measures magnetic field Motion - Detects physical disturbance Photometric - Detects changes in light Contact - Detects break in electrical circuit
Authentication
Passwords & PINs - Enforce password policies and lockout functionality Biometrics - Enforce biometric policies - Enable biometric authentication - Control enrollment Context-aware - Authentication requirement based on activity (e.g. access to a specific resource or application) Auto Wipe - Wipes a mobile device after a pre-specified number of failed logins or moves outside of a defined physical boundary. Screen Locks - Requirement that the screen lock after "x" minutes of inactivity - Forced Deauthentication
Reporting
Penetration test reports should include vulnerability findings, exploit activities, and recommendations for mitigation. - Vulnerability findings should be categorized and referenced appropriately with CVE notation - Exploit activities should be documented with enough detail so that they are reproducible - Mitigation recommendations should be prioritized and as applicable, include risk reduction and security enhancement recommendations
Configuration Assessment
Performs checks against guidance, best practices, and applicable standards. - Reviewed components including (but not limited to) improper configuration, authentication and session tracking strength, encryption implementation and strength, input and output validation, error messaging, traversal paths, and sensitive content
Peripheral Security
Peripherals are ancillary devices that are either plugged in or attached via network connection, Bluetooth or 802.11. Best practices for securing peripherals include: - Rejecting "unknown" devices (disallow using policies) - Change the default password - Using secure communications protocols (e.g. SSH instead of Telnet) - Disabling unnecessary services (e.g. remote management) - Configure access controls - Use secure wireless protocols - Dispose of securely
The load balancing technique of associating application layer information with a single server
Persistence
Type of VDI that provides each user with his or her own desktop image, which can be customized and saved for future use
Persistent
NAC Agents
Persistent or Permanent - Installed on a device and runs continuously Dissolvable - Downloads and runs when required (one time authentication) and then disappears Agentless - Integrates with a directory services (e.g. Active Directory)
Types of Digital Certificates (Use)
Personal - verifies a user identity (generally used for email) Server (Machine/Computer) - verifies a device identity Domain Validation - verifies a domain - Wildcard certificate can be used with multiple subdomains of a domain (e.g. *.example.com) Organization - verifies a domain and an organization Extended Validation - Verifies a domain and an organization subject to additional vetting (aka "green bar") Code / Object signing - verifies organization/ownership as well as object integrity Trusted/Intermediate - identifies root and intermediate Certificate Authorities
Examples include Social Security, passport and driver's license numbers
Personal Information (PI, PII, NPPI)
Defining Personal Information
Personal information (PI, PII, NPII) may include discrete information such as a Social Security number, financial account number, password and PIN, driver's license number, passport number, medical record, educational records and biometric data. Personal information can also include, but is not limited to, shopping habits, search engine queries, browsing history, email, pictures, location, commerce, and GPS travel.
Information Security Management (ISM)
Personnel generally having the authority to interpret strategic direction and are held accountable for the success or failure of their area.
Travel
Personnel often travel with mobile devices and/or connect back to network resources. Personnel should be provided with travel requirements and guidelines including but not limited to: - Encrypt all mobile storage - Have no expectation of privacy - Do not connect to unknown wireless networks - Never leave devices unattended - Do not hand your device to strangers - Report a lost or stolen device immediately - Upon return, have the device inspected
SE Technical Techniques
Phishing - Pretexting using email Spear Phishing - Targeted version of phishing (mass vs group/individual) Whale - High profile phishing target Vishing - Pretexting using voice (phone) Hoax - Warning of a non-existent threat or offer - designed to defraud Watering Hole - Compromising a website or social media application frequented by the target
Fences, mantraps, bollards, and locks are examples of this control implementation
Physical
This access control category focuses on facilities, equipment and devices
Physical
Cyber and Physical Convergence
Physical and cyber security are no longer separate disciplines. There is a significant overlap in controls. For example, using a picture ID badge to identify myself to physical security, then using the card to "swipe" into the building, then using the same card to log into my computer with proximity technology that automatically locks down the computer when I walk away from my desk and produces an audit trail of my whereabouts and activities
Physical Security Controls
Physical security principles of deter, detect, and delay supported by a response plan are designed to frustrate and disrupt an adversary's attack timeline Deter - Stop or displace an attack Detect - Verify an attack, initiate a response Delay - Prevenet the attack from reaching the asset (including measures to minimize the consequence of an attack)
The act of using a weakness on one system to access a more secure system
Pivoting
This is a detailed proposal for doing or achieving something
Plan
Switch Port Security
Port security is a dynamic feature that can be used to limit and identify the MAC addresses of the stations that allow access to the same physical port. - Limiting the number of allowable MAC addresses on a switch port using port security effectively shuts down a MAC address-flooding DDoS attack
Key Properties of Virtual Machines
Portioning - Run multiple operating systems on one physical machine. Divide system resources between virtual machines (automatic resource allocation) Isolation - Provide fault and security isolation at the hardware level. Preserver performance with advanced resource controls Encapsulation Recovery - Save the entire state of a virtual machine to files. Move and copy virtual machines as easily as moving and copying files. Hardware Independence - Provision or migrate any virtual machine to any physical server High Availability - Support application high availability (failover clustering) and ensure that services are always available when running inside VMs
Use Case
Positive testing determines if the application works as expected [use case]. Negative testing ensures that the application can gracefully (and securely) handle invalid input or unexpected behavior [misuse case]
Match the control classification and description Classification: Preventative Compensating Corrective Detective Deterrent Description: - Discourages a threat agent from acting - Alternate control - Minimizes the impact of the threat agent - Identifies and reports a threat agent - Stops a threat agent from being successful
Preventative - Stops a threat agent from being successful Compensating - Alternate control Corrective - Minimizes the impact of the threat agent Detective - Identifies and reports a threat agent Deterrent - Discourages a threat agent from acting
Malware Prevention and Disruption
Prevention controls and techniques include: - Ingress and egress filtering and restrictions - Forbidding the receipt or execution of certain file types - Restricting the use of removable media - Restricting cookies, pop-ups, mobile code execution, access to webmail and social media sites - Employing least privilege at the local level - Internet access sandboxes - Educating users
Data Protection -- Cryptographic
Primary cryptographic data use cases and corresponding techniques include: -Confidentiality (encryption) -Integrity (hashing) -Non-repudiation (digital signature) -Authentication (digital certificate)
Cryptography
Primary cryptographic use cases and corresponding techniques include: -Confidentiality (encryption) -Integrity (hashing) -Non-repudiation (digital signature) -Authentication (digital certificate)
National Information Infrastructure Protection Act of 1996
Primary federal antihacking statue.
Law Enforcement
Primary forcus is to identify, catch and prosecute criminals. They have no obligation to recover stolen funds or property. - Consult with legal counsel before calling law enforcement. - Once contacted, the institution is a crime scene and they are allowed to confiscate evidence. - They may ask you to allow the attack to continue while they investigate. Unless court ordered, you do not have to comply with this request. - They have no obligation to keep you updated and probably won't.
Availability
Principle that information, systems and supporting infrastructure are operating and accessible when needed.
Confidentiality
Principle that only authorized people, processes, or systems have access to information and that information must be protected from unauthorized disclosure.
Log Management Workflow
Prioritize Configure Collect Secure Analyze Respond Archive Destroy
The right of an individual to control their personal information
Privacy
Decision making tool used to identify privacy related issues at the beginning of a project
Privacy Impact Assessment
Privacy Concerns
Privacy Violation Data Compilation Data Warehousing Data Mining Aggregation Inference
Defining Privacy
Privacy is the right of an individual to control the use of their personal information. In contrast, information security is the process by which we safeguard information and system and ensure confidentiality, integrity, and availability.
This cloud deployment model is provisioned for exclusive use
Private Cloud
Match the following items: Terms Private cloud Community cloud IaaS SaaS Public cloud PaaS Definitions -Customer deploys onto the cloud infrastructure -Customer provisions "bare metal" resources -Provisioned for a well-defined group -Provisioned for public use -Customers use the provider's application -Provisioned for single organization exclusive use
Private cloud - Provisioned for single organization exclusive use Community cloud -Provisioned for a well-defined group IaaS - Customer provisions "bare metal" resources SaaS - Customers use the provider's application Public cloud - Provisioned for public use PaaS - Customer deploys onto the cloud infrastructure
International Framework
Promoted globally. Developed by representatives from participating areas. Well known Framework: ISO 27000 Family
Private Sector Classification Examples
Protected - Protection required by regulation or contractual obligation (e.g. PI, PHI) Proprietary - Intellectual property or process; significant impact if disclosed Confidential/Sensitive/Internal Use Only - Internal use only - limited use; negative impact if disclosed Public - Available for distribution
A specific set of functional and assurance requirements for a category of products (used by the Common Criteria)
Protection Profile
Secure Communications Protocols
Protocol - Description - Objective SSL/TLS - Securing web based protocols and transmissiong - Confidentiality, Authentication, Integrity HTTP - Layer SSL/TLS on top of HTTP - Confidentiality, Authentication, Integrity FTPS - Layer SSL/TLS on top of HTTP - Confidentiality SSH - Secure channel between a local and remote device - Confidentiality, Integrity SFTP - File transfer component of SSH - Confidentiality S/MIME - Securing web based protocols and transmissions - Confidentiality, Integrity, Nonrepudiation Secure POP3 - Secure Post Office Protocol 3 (SSL-POP, POP3) - Authentication Secure IMAP - Secure Internet Message Access Protocol (IMAP4-SSL) - Authentication
Sherwood Applied Business Security Architecture (SABSA)
Provides a context for understanding a complex environment by intersecting views and lifecycle layers -Views: What, why, how, where, who, and when -Lifecycle layers: Contextual, conceptual, logical, physical, component, and operational
Zachman Framework
Provides a context for understanding a complex environment by intersecting views and viewpoints -Views: What, why, how, where, who, and when -Viewpoints: developer, systems engineer, security officer, application administrator, and end user
Platform-as-a-Service (PaaS)
Provisioned: -Computing Resources + Operating System + (optionally, database) Customer Impact: -The customer does not manage or control the underlying cloud infrastructure, operating system, and platform -The customer deploys onto the cloud infrastructure created or aquired applications -The customer has control over deployed applications and possibly configuration settings for the application-hosting environment Considerations -Availability -Maintenance -Vulnerability Management -Confidentiality -Privacy -Data Ownership
Process in which electronic data is located and searched for used in litigation
eDiscovery
Software-as-a-Service
Provisioned: -Computing Resources + Operating System + Applicaion Customer Impact: -The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities -The customer uses the provider's applications running on a cloud infrastructure -The customer has control over limited user-specific application configuration Considerations: -Availability -Maintenance -Vulnerability Management -Confidentiality -Privacy -Data Ownership -Multitenancy -Testing
Cloud Deployment Models
Public Cloud - Provisioned for 'public' use. Considerations are Location, Multitenancy Community Cloud - Provisioned for the exclusive use by a 'well-defined group'. Considerations are Multitenancy Private Cloud - Provisioned for the exclusive use of a 'single organization'. Considerations are Scalability Hybrid Cloud - The public and private cloud infrastructures communicate over an encrypted connection, using technology that allows for the portability of data and applications. Considerations are the Security of the connection
Public Key Infrastructure
Public Key Infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working together in a comprehensive manner to enable secure communication. - Public Key Infrastructure x.509 (PKIX) is the working group formed by the IETF to develop standards and models (known as X.509) - Public Key Cryptography Stanards (PKCS) is a set of voluntary standards created by RSA and other industry leaders.
Match the anti-remanence technique Terms: 1: Pulverizing 2: Pulping 3: Wiping 4: Shredding 5: Degaussing Definitions: 1: Using an electromagnetic field to destroy data 2: Reducing media to dust 3: Overwriting all addressable storage and indexing locations 4: Physically breaking the media into pieces 5: Chemically altering the media
Pulverizing - Reducing media to dust Pulping - Chemically altering the media Wiping - Overwriting all addressable storage and indexing locations Shredding - Physically breaking the media into pieces Degaussing - Using an electromagnetic field to destroy data
Risk Assessment Approaches
Qualitative Quantitative Semi-qualitative (hybrid) *Key elements are 'likelihood of occurance' and 'impact'
This protocol provides centralized AAA services and is used primarily for network access authentication
RADIUS
Asymmetric Ciphers
RSA - Widely implemented - Defacto commercial standard - Works with both encryption and digital signatures Elliptic Curve Cryptosystem (ECC) - Similar function to RSA but with smaller key sizes (requires less computing power) - Current US government standard Diffie-Hellman - Primarily used for key agreement (key exchange) - Allows two parties (in the same DH group) that have no prior knowledge of each other to jointly establish a shared secret key - DHE uses modular arithmetic to compute the shared secret - ECDH uses algebraic curves to generate keys El Gamel - Primarily used for transmitting digital signatures and key exchanged
Timing and Communication
Race Condition - Is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data - Impact - Unauthorized access Covert Channel - The use of a malicious script to transfer information objects between processes that are not supposed to be allowed to communicate - Impact - Unauthorized access
This vulnerability is related to timing issues (Time of Use / Time of Check)
Race condition
Team exercise that simulates an attack in order to exercise and evaluate preparedness and response capabilities
Red team / Blue team
Primary stength of DNP3
Reliability (error checking)
Remote Meeting Technology
Remote (sometimes referred to as virtual) meetings are designed to connect participants in real-time and support audio and video conferencing, file and desktop sharing, and remote control - Threats include eavesdropping, spying, unauthorized participation, data leakage, unintentional access and bandwidth utilization (unavailability) - Corresponding mitigating controls include firewall restrictions, encryption, authentication and password security, equipment management controls, user awareness training, and adequate bandwidth
This command is sent to the device to delete all or selected content or reset to factory configuration
Remote Wipe
This process copies transaction logs and periodically transmits them to a backup location
Remote journaling
Physical Security Officer
Responsible for ensuring that appropriate physical security procedures have been established and physical security devices installed, commensurate with the identified risk exposure.
Incident Response (IR) Process - Recovery and Lessons Learned
Restore systems to normal operations and document lessons learned - Identify root causes, lessons learned, and update playbook
Statuatory Requirements
Retention requirements may apply to various types of electronic files. This includes but is not limited to email, documents, databases, and application-generated records: -Financial, accounting, and tax records -Corporate and legal records -Human resources, including payroll records -Insurance records -Policies and regulatory-related files (e.g.IRS, SEC, HIPPA, GLBA)
Role-based Awareness Training
Role: Executive User Focus: Strategy, policy, and organizational impact (risk) SETA: Education Role: System Owner Focus: Business process and impact SETA: Education Role: Data Owner Focus: Data protection and privacy SETA: Education Role: System Admin Focus: Implementing, managing and monitoring controls SETA: Training Role: Privileged User Focus: "Privileged" functions SETA: Training Role: User Focus: Responsible use (AUP) and best practices SETA: Awareness
In this model, access is based on situational if-then statements
Rule-based Access Control
Protocol for sending digitally signed and encrypted emails
S/MIME
Email Security -- S/MIME
S/MIME is a protocol for sending digitally signed and encrypted emails - Use case: encryption (confidentiality), and digital signature (integrity and nonrepudiation)
The negotiation between two IPsec endpoints
SA Security Association
Framework that provides contect for understanding a complex environment by focusing on different lifecycle layers
SABSA Sherwood Applied Business Security Architecture
The practice of managing the lifecycle of software assets
SAM Software Asset Management
Open standard that provides user authentication and authorization services -- components include idP and SP
SAML
This enterprise level storage uses fiber channel, FCoE, or iSCSI connections
SANS
A significant vulnerability for this architecture is the use of outdated operating systems due to long life expectancy
SCADA
These ISC systems are used to monitor and control entire sites and/or complex environments
SCADA
Suite of specifications to enable automated vulnerability management, measurement, and policy compliance
SCAP Security Content Automation Protocol
Leading multimedia open protocol
SIP Session Initiation Protocol
This contract specifies performance and response parameters
SLA
Quantitative Formulas
SLE ($) = AV ($) x EF (%) Single Loss Expectancy = Asset Value x Exposure Factor ALE ($) = SLE ($) x ARO (#) Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurence
When the failure of one device impacts the operation of the entire system
SPOF Single Point of Failure
SSL Decryptors
SSL decryptors are controversial perimeter devices (either built into the firewall or standalone appliance) used to decrypt SSL/TLS packets, inspect the contents, re-encrypt, and forward the packet
SSL/TLS Accelerators
SSL/TLS encryption/decryption is a processor-intensive operation. - SSL/TLS Application Specific Integrated Circuits (ASIC) are processors that are specifically designed to perform SSL.TLS operations - SSL/TLS Accelerator is an ASIC applicance that sits between a user and a server, accepting SSL/TLS connections from the client and sending them via private network to the server unencrypted
In this cloud service model, the computing resources, operating system and application are all managed by the provider
SaaS Software-as-a-Service
Workplace Access
Safety and security dictate that access to workplaces must be controlled - Access control including but are not limited to entry/exit systems, guards, employee badges, and visitor management systems - Employees need to understand that they should never circumvent access control systems, which includes sharing badges or key codes
Inferring characteristics about a population based on a subset
Sampling
Type of risk where the assessor's conclusion might be different if the entire population was examined
Sampling risk
Sandbox
Sandboxing is a mechanism used for safely executing untrusted code, files, or programs. - The sandbox environment is isolated from all other running processes - URL sandboxes can be used to inspect URL connections before allowing user access - Email sandboxing can be used to inspect attachments before allowing the user access - Sandboxes can be used by developers to examine and test code
Scoping and Tailoring
Scoping instructs an organization how to apply and implement security controls (baselines) Tailoring allows an organization to align common security controls with specific objectives
SecCM Activities
SecCM activities compliment traditional CM activities and include: - Identification and recording of configurations that impact the security posture of the information system and the organization - The consideration of security risk in approving the intial configuration - The analysis of security implications of changes to the information system configuration - Documentation of the approved/implemented changes
Managed security services in the cloud environment
SecaaS Security-as-a-Service
Secure Boot Attestation
Secure Boot requires that all boot loader components (e.g. OS kernel, drivers) attest to their identity (digital signature) and the attestation is compared to the trusted list. -When a computer is manufacured, a list of keys that identify trusted hardware, firmware, and operating system loader code (and in some instances, known malware) is embedded in the UEFI -Ensures the integrity and security of the firmware -Prevents malicious files from being loaded -Can be disabled for backware compatibility
Metholdology that promotes intergrating security into the development process from inception
Secure DevOps
The methodology of integrating development, operations, and security
Secure DevOps
This methodology is a marriage of security and DevOps
Secure DevOps
Patch Categories (can vary by vendor)
Security Update - An update which fixes security vulnerability. Security updates generally have a defined security level. (e.g. Microsoft categories include critical, important, moderate, low, unspecified) Critical Update - An update which fixes specific, non-security related, critical bugs. That bug can cause for example serious performance degradation, interoperability malfunctions or disturb application compatibility. Functionality Patch - Correct a non-security related functional issue Feature Patch - Introduce new features
Assessor Challenges
Security assessors often face technical, operational, and political challenges - Resistance from business owners, system and network admins, and end users - Pre-assessment fixes - In-the-moment mitigation - Restrict time windows - Evolving technology - Risk of operational impact
Activity and Error Reporting
Security devces generate reports applicable to their function - Understanding context is important for identifying indicators of attack/compromise (IOA/IOC), performance and resource utilization, and post-incident forensics - An 'indicator of attack' (IOA) is a proactive early warning sign that an attack may be imminent or already underway - An 'indicator of compromise' (IOC) is reactive based on substantive or corroborating evidence that a system or network has been exploited
Investigation Triggers
Security related scenarios that may trigger a legal or internal investigation include (but are not limited to): - Harm - Disruption - Theft - Unusual or suspicious activity - Situation at a connected 3rd party - Threat intelligene (FS-ISAC) - External notification (FBI, Secret Service, customer)
A system utility that runs in the background
Service
Incident Mgmt. Training
Should be included in organization-wide security education, training and awareness (SETA) programs. - All personnel should be aware of potential incident scenarios and reporting procedures. - First responders and Computer Incident Response Team (CIRT) members should receive training related to their assigned tasks - Executives should be educated on incident-related organizational risks.
Cloud Storage
Should be subject to the same controls as local storage. - The cloud storage physical location may span multiple servers and locations (fault-tolerant distributed resources) - 'Virtual storage' is a mechanism to pool resources so that they appear as one unit - Due dilligence and oversight of cloud storage is critical
This objective of this social engineering technique is covert observation
Shoulder surfing
This detection pattern matching approach is based on known information
Signature-based
IDS Detection Approach
Signature-based - Pattern matching decisions are based on established known signatures - Signatures must be updated frequently Rule-based - Analyzes behavior for violation of preconfigured rules Behavior-based - Behavior based anomaly detections rely on predicted norms and deviations - Can be learned over time and/or start with a set of assumptions and adapt to local conditions - Requires fine tuning Heuristic - Continually trains on network behavior and can continually alter detection capabilities based on learned knowledge
Disaster Recovery Testing
Simulation (Parallel, Functional, Prepardness) - Localized scenario that simulates an actual event and limits material and equipement to what would be possible if the situation were an actual event. - Generally parallel tests are component-, device-, or system-level - Primary systems may remain active - Objective - Evidence of localized readiness Full scale (Interruption) - Tests all components of the designated plan simultaneously - Primary environment is not operational - Objective - Evidence of enterprise readiness
This scenario test simulates an actual event and is generally component- or system focuses
Simulation (Parallel, Functional, Preparedness)
ALE = SLE * ARO
Single Loss Expectancy (for an hour of DDoS disruption) is $17,000 Based on the current threat and controls environment it is expected that there will be 5 hours (ARO) of DDoS disruption per year $17,000 (SLE) * 5 (ARO) = $85,000 (ALE)
Factor Requirements
Single-factor - Only one factor is required for authentication Multi-layer - Two or more of the 'same type' of factor is required for authentication Multi-factor - Two or more 'different types' of factors are required for authentication Out-of-Band - Use of more than one communication channel required for authentication
The outcome when security decision making is tied to organizational objectives
Strategic Alignment
Governance Outcomes
Strategic Alignment Risk Management Value Delivery Resource Management Performance Measurment Process Integration
This type of attack occurs in the time period between when an exploit is developed and when a patch has been released or a compensating control identifies
Zero-day
This governance objective is that cybersecurity programs support and compliment organizational goals. 1: Risk management 2: Strategic alignment 3: Performance measurement 4: Value delivery
Strategic alignment
Executive Management Duties
Strategic alignment Risk management Value delivery Performance measurement Resource management Process assurance
Symmetric Ciphers
Stream Cipher - Works with one bit at a time. - Algorithms: RC4 Block Cipher - Works with blocks of data. - Algorithms: DES, 3DES, AES, Blowfish, Twofish, IDEA
Strength & Workfactor
Strength of a cryptosystem is a combination of the 'algorithm', the 'algorithmic process', the 'length' of the key, and the 'secrecy' of the key. If one element is weak, the cryptosystem can potentially be compromised. - The 'work factor' is the amount of time and effort it would take to penetrate (break) a cryptosystem. -'Depricated' means that the use of the algorithm and key length is allowed, but the user must accept some risk (weakness). -'Broken' means that the algorithm and/or key length is exploitable
System Hardening
The objective of system or device hardening is to reduce the attack surface and make it more resilient to attack - Hardening is the process of configuring security settings, rules, and policies and removing unnecessary applications and services in order to minimize vulnerabilities and exposure to threats
Wireless Attacks
The objective of wireless attacks is the disruption, manupulation, or compromise of wireless transmission or devices - War Driving is the physical scanning for unprotected wireless networks - War chalking is marking a physical area to indicate a free, open, and/or insecure wireless network or access point
Perimeter
The perimeter includes: - The line demarcating the extent of a site/building/asset - Access point within the demarcation line providing a means of entering and exiting - Sterile zones consisting of two perimeter lines (attack side and defended side)
Framework that provides contect for understanding a complex environment by focusing on different viewpoints
Zachman Framework
Active entites and passive entites
Subjects and objects
Term used to describe reliance on a source to provide a product or service
Supply chain dependency
Term used to describe the disruption of the normal flow of goods, materials, and services
Supply chain disruption
Surveillance
Surveillance technologies such as closed circuit TV (CCTV) and camera systems can be used to monitor and detect suspicious, abnormal, or unwanted behavior A surveillance system can: - Identify the presence of an intruder - Trigger an alarm or an alert - Provide enough detail to determine the type of incident response - Provide evidence
Certificate Revocation
Suspention - Temporary revocation of a certificate until a certificate problem can be resolved. Revocation - Permanent withdrawal of trust by issuing authority before scheduled expiration date. Certificate Revocation List (CRL) - CA maintained list of certificates that have been revoked. - Pull model - CRL is downloaded by the user or organization - Push model - CRL is automatically sent out by the CA at regular intervals Online Certificate Status Protocol (OCSP) - Process designed to query the status of certificate in real time. - OCSP stapling is a time stamped (cached) OCSP response
This multiport forwarding device can operate at Layer 2 and/or 3 depending upon the configuration
Switch
Switches
Switches are multiport forwarding devices that enable high-speed passing of data and error checking. - Layer 2 switches filter traffic by MAC addresses - Layer 3 switches filter traffic by IP address and have routing capabilities - Aggregation Layer 2 switch provides connectivity for other switches
An HMAC is a hashed value that includes this
Symmetric key
Provisioning Lifecycle Phase 4
Termination, Offboarding - Termination tasks include reclaiming assets, disabling/removing account and access, archiving documents and email - Offboarding tasks include reassigning file and folder permissions and ownership
Infrastructure Assessments
System Configuration Examination - Identify weakness in security configurations, baseline variations, and nonconformance with industry standards and recommendations Log Review - Ensure adherence to log monitoring and management policies, standards and procedures Vulnerability Assessment - Identify host attributes, known Common Vulnerabilities and Exposures (CVEs), outdated software versions, missing patches, misconfigurations and security policy, or standards deviations Penetration Testing - Evaluate the security of a target by identifying and attempting to exploit (or provide proof of concept) vulnerabilities, improper configurations, and hidden points of entry Red Team / Blue Team Exercise - Simulated attack designed to exercise preparedness and response capabilities
NIST SP 800-160
System Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems -SP 800-160 addresses the engineering-driven actions necessary to develop more defensible and 'survivable' systems--including components that compose and the services that depend on those systems. -Aliged with the international standard ISO/IEC/IEEE 15288
The focus of NIST SP 800-160
Systems Security Engineering
This Cisco protocol provides centralized AAA services and is used primarily for device administration
TACACS+
Combination of all security mechanisms within a computer system
TCB Trusted Computing Base
This protocol provides for connection oriented delivery
TCP
Non-IP Networking
TCP/IP is the communications protocol of the Internet. To traverse the Internet, non-IP network protocols must either be encapsulated, translatable, or used for non-Internet niche purposes
Protocol used to establish a secure communication channel between two TCP sessions using a cryptographic key exchange on port 443
TLS
Termination
Tasks include recovering physical and access control assets, deleting or disabling local and remote access, deleting or disabling user accounts and access permission, archiving documents and email, and reassigning file folder permissions. Termination related tasks should be documented (checklist/procedure)
The intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying evidence
Spoliation
An account that is no longer being used
Stale
This term describes changes that are required in the normal course of business and have established policies and procedures
Standard Changes
Specifications for the implementation of policy and dictate 'mandatory' requirements
Standards
Conceptual model that ensures that the system is always trustworthy
State
Firewalls that are able to associate packets with previous and future packets
Stateful
Code Testing and Analysis
Static Code Analysis - Examination of non-running code (static) for vulnerabilities Dynamic Analysis - Examination of running code for vulnerabilities (automated) Fuzzing - Automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called 'fuzz', and monitoring the application response Quality and Performance Testing - Evaluates application response to use the misuse as well as performance under various conditions Regression Testing - Evaluates functionality and security post-change
An objective method for determining sample size and selection criteria - each item should have an equal probability of selection
Statistical sampling
The process of concealing data within a file
Steganography
A perimeter area consisting of two lines dividing an attack side and a defended side
Sterile zone
In this sampling approach, the assessment stops once a reasonable conclusion can be reached
Stop and Go sampling
Posession - Something You Have
Something you have requires physical possession of a device. - A secure token is a handheld device with an LED that displays a number and the number is synchronized with an authentication server - A smart card is a credit card-sized card that has an integrated circuit and a certificate used to identify the holder
Momentary high voltage
Spike
Key Management
The activities involving the handling of crytographic keys and other related security parameters (e.g. passwords) during their entire lifecycle. -A key should only be used for one purpose (e.g. encryption) -Keys should be frequently changed to increase workfactor -Private keys must be securely stored - A 'hardware security module' (HSM) can be used to store cryptographic keys in tamper-resistant hardware providing logical and physical protection
Asset
The asset includes: - Any item of value to the organization which does not rely on protective perimeter or building security measures.
Integrity Measurement
The best case scenario is for developers to identify bugs and issues during the development state. Early identification is more efficient and less expensive. - 'Integrity measurement' is a measure of the quality of the source code before it moves to the test environment - 'Unit testing' evaluates a module for specification compliance (including security baseline) - 'Interface testing' evaluates the connection between two or more components
Resiliency
The capability to continue operating even when there has been a fault, incident, or abnormal operating conditions. Preventative and detective controls reduce the likelihood of disruption. Corrective controls mitigate the consequences.
Ethernet
The defacto physical layer networking technology. - Ethernet is a Carrier Sense Multiple Access / Collision Detection (CSMA/CD) Protocol - Current versions include Fast Ethernet (100 Mbps), Gigabit Ethernet (up to 100 Gbit/s), and Terabit Ethernet (above 100 Gbit/s)
After action Report
The final step of an exercise/test is an After action Report which documents the success or failure of the exercise/test and details followup tasks and if required, modifications
Business Continuity Planning
The objective is to prepare for continued operation of Essential functions and services during disruption of normal operating conditions. To support this objective: - Threat scenarios are evaluated - Essential services and processes are identified - Response, recovery, and contingency plans are developed - Strategies, plans, and procedures are tested
Criminal Case
The objective of a criminal investigation is to assist law enforcement to obtain evidence. - In a criminal case, a law must be broken - Only the government can prosecute a criminal case - In a criminal case, the standard for burden of proof is "beyond a reasonable doubt." - Compliance with the Fourth Amendment regarding search and seizure of evidence is required
Crisis Communication Plan
The objective of a crisis communication plan is to prepare for and coordinate internal and external communication - Identify those parties that should be informed about the situation and when - Communicate facts - Minimize rumors and misinformation - Restore order and/or confidence
DRP Exercise and Testing Objectives
The objective of a disaster recovery exercise and testing should be to evaluate strategies, plans, and procedures; not institutional knowledge - The outcome of disaster recovery exercises and testing should be strategym plan, and procedure modifications (if necessary), and an enhanced participant familiarity with the facets of the plan
Access Control
The objective of access control is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), and disruption (availability) - Physical access focuses on facility equipment and devices - Logical access focuses on software and data
Audit
The objective of an audit is to provide 'independent' assurance based on evidence (examination and testing) Internal Controls - Evaluation of the design of the controls to address control objectives, verification that the controls are in place, and assessment of the operational effectiveness and efficiency of the controls Compliance - Comparison of the control environment to established policies, standards, or rules Forensic - Identifying fraudulent and criminal activity
Internal Case
The objective of an internal investigation is to respond to questions, concerns, disputes, or findings. - Internal investigations can lead to an administrative hearing. - An administrative hearing is a trial-like process before an administrative agency (quasi-judicial) - Internal investigations can morph into civil or criminal investigations
Business Intelligence
The objective of business intelligene (BI) is to support decision making through data-driven insight and predictive analytics - Business intelligence (BI) is the intersection of what happened and why - Prefictive analytics is when data is mined to predict the likelihood of future outcomes
Destruction
The physical act of destroying media in such a way that it cannot be reconstructed. Shredding - physically breaking media to pieces Pulverizing - reducing media to dust Pulp = chemically altering media Burning - incinerating media
Steganography
The practice of concealing a file within another file - Watermarking is a hidden message that is used to prove or claim ownership - Hidden binary files are most often found embedded in image and audio files - Steganalysis is the detection of steganography by a third party
Software Asset Management (SAM)
The practice of managing the lifecycle of software assets within an organization. The two significant benefits of a SAM program are cost control and risk reduction. Processes include: -Developing policies and procedures -Documenting software usage -Determining authorization status -Remediating (if necessary) -Establishing a routine audit process
Layered Defense (Defense-in-Depth)
The premise of a layered defense model is that if the intruder can bypass one layer of controls, the next layer of controls should provide additional deterrence or detection capabilities. Layered defense is both physical and psychological
Firewalls
The primary objective of a firewall is to isolate network segments by controlling ingress and egress access. - Ingress means incoming and egress means outgoing - Firewalls are preventive controls because they can be configured to restrict ingress and egress network traffic, repel known attacks, manage nonroutable IP addresses, and anonymize internal addresses - Firewalls can be detective controls because they can be configured to log events and send alerts
Least Functionality
The principle of 'least functionality' is that systems and devices should be configured to provide only 'essential capabilities' and specifically 'prohibit' or 'restrict' the use of functions, ports, protocols, and services In practice this means: - Removing unused programs - Disabling services - Disabling (removing, if possible) default accounts - Setting security policies (if available) - Pay attention to peripherals
Physical Security Zones
The principles of deter, detect, and delay extend to the following security zones: -Beyond the perimeter -Perimeter -Within site -Building -Asset
Offboarding
The process for transitioning employees out of an organization. Tasks include: -Documenting separation details - Tasks and responsibilities prior to departure - Knowledge transfer - Exit interview
Forensics
The process of collecting, preserving, examining, analyzing, and presenting evidence. - Invariably there is tension between response (find and fix) teams and forensic investigators
Threat Detection
The process of identifying artifacts (e.g. virus signatures, IP address, malicious URL, command and control connection, file changes, unexpected activity, behavioral anomalies) that are indicative of an attack ('IOA') or active exploit ('IOC')
Patch Management
The process of identifying, acquiring, installing, and verifying patches. - 'Security patches' are designed to correct security issues and functionality problems in software and firmware. - Timely deployment of security patches reduces the likelihood of exploitation
Onboarding
The process of integrating a new employee with a company and culture as well as getting the tools and information they need to be successful. User orientation is the intial task of completing paperwork (including Confidentiality and Acceptable Use Policy agreements), introductions, and initial training. User provisioning is the process of creating user accounts and credentials, assigning access rights and permissions, and providing assets.
PROD
The production environment (PROD) is the "live" environment that hosts the application. It is the endpoint in the release management process. - PROD planning should include deployment, maintenance, backup, and disaster recovery strategies - Developers should never have rights to a PROD environment (segregation of duties) - New functionality and bug fixes should go through the release management cycle before being deployed to PROD - Emergency changes should be subkect to change management procedures
Occupant Emergency Plan (OEP)
The purpose of the Occupant Emergency Plan (OEP) is to create a safe environment for building occupants. The OEP functions include: - Provide a coordinated response to incidents occuring in the facility - Provide particulars regarding what steps should be taken in the event of an emergency - Identify specific routes of entry into and exit from the facility in response to emergencies - Clearly designate assembly areas and shelter facilities where building occupants can gather to be accounted for
Indicator of Compromise (IOC)
The reactive substantive or corroborating evidence that a system or network has been expoited.
Legal Hold
The requirement for an organization to preserve all forms of relevant information when litigation, audit, or government investigation is reasonably anticipated. The objective is to avoid evidence spoliation. -A legal hold supersedes organizational retention policies.
Transparent Proxy
The same as a forward proxy except that the client (browser) does not neet ot be configured. The proxy server resides on the gateway and intercepts requests
Due Care
The standard of care that a prudent person would have exercised under the same or similar conditions. In a cybersecurity perspective, action taken by an organization to protect its stakeholders, incestors, employees, and customers from harm.
Hardware Inventory
Useful Attributes: Identifier - Name, model, serial number Supplier - Warranty, SLA (if applicable), support contract (if applicable) Location - On premise, remote, cloud Assignments - User, custodian, department, asset owner Connections - Ingress, Egress OS/Firmware - Manufacturer, version
TEST
The testing environment (TEST) is used to merge code, ensure quality, isolate bugs, and measure performance and functionality. Testing and development are iterative processes - The testing environment should match the production environment as closely as possible - User acceptance testing (UAT) can be multi-stage (e.g. alpha, beta) - 'Alpha' versions are early versions submitted for feature and functionality testing and feedback - 'Beta' versions are late stage versions submitted to a limited set of users for testing and feedback
Software Licensing
The use of software generally requires a license that contains provisions relating to the use terms and conditions
Logging Challenges
There are five primary challenges to working with log data: volume, noise, variety of formats, interpretation, and privacy - A single device can easily generate hundreds of events per minute - Logs can contain significant amounts of useless data that needs to be parsed before processing. - Logs must be converted to a standard format and their data normalized to ensure consistency - Logs are cryptic and require interpretice processes - Logs might contain sensitive data
Patch Management Challenges
There are several challenges inherent in the patch management process including: - Prioritization, timing, and testing - Patch management approach (automated, manual, hybrid) - Access to unmanaged, mobile, or remote devices - Firmware impacts - Side effects Patch management delays should be evaluated in light of organizational risk tolerance and if applicable brough to management's attention
Client-side vs Server-side Validation
There are two types of validation: server-side and client-side - Server-side validation takes place on the server, during a postback (roundtrip to a server) - Client-side validation takes place in the browser and does not require a postback - Where client-side and server-side validation types are used together, the validation on the server acts as a second barrier that stops malicious bypass of client-side validation
Risk Management Concepts terminology
Threat - Potential danger Threat agent - Individual or group that can manifest a threat Threat event - Specific instance of a threat Vulnerability - Weakness Exploit - When a threat agent successfully takes advantage of a vulnerability Impact - Magnitude of harm caused by a threat source Likelihood (of occurence) - A weighted factor that a given threat agent is capable of exploiting a given vulnerability
Evidence-based information about threats, vulnerabilities, and exploits
Threat Intelligence
Plan Components
Threat Modeling - Anticipated threats and associated controls Incident types and Categorization - Based on severity and used to determine response times, resource assignments, and preparation requirements Roles and responsibilities - Assignments including first responders, incident handlers, and designated spokespersons Reporting requirements - How incidents are internally reported, documented, and reviewed as well as when notification requirements are triggered Escalation requirements - Definitions for escalation thresholds Incident Team - Membership, preparation, skill requirements, external resources Exercise Requirement - Training and exercise requirements and reporting
Information Sharing
Threat intelligence is the 'receiving' of information Information sharing is the 'giving' of information Sharing information about cybersecurity incidents, threats, vulnerabilites, best practices, mitigationsm and other topics.
Decision Factors
Three factors should inform information security decisions: - Strategic alignment with the organization's objectives - Legal, regulatory, or contractual requirements - Level of risk
Supporting Processes
Three supporting processes are critical to the success of a Configuration Management program: - 'Asset and Inventory Management' to ensure configuration item visibility - 'Change control' to manage configuration item changes - 'Version control' to track and document baseline configurations over time
The quality of useful work made by the system per unit of time
Throughput
This term describes the quality of useful work per unit of time
Throughput
Host Security Technologies
Tools - Purpose - Output HIDS/HIPS - Host intrusion detection and prevention - Local suspicious activity. Response taken (if HIPS) Antivirus - Blocks malicious code. Scans for signatures - Malicious files identified. Blocked, quarantined, deleted files File Integrity Checker - Identifies changes in files or file structure - File changes including time, date and file size Firewall - Controls ingress and egress traffic - Allowed and denied traffic (including attacks) Data Execution Prevension (DEP) - Monitors program memory use - Denied/blocked executables
Border Security Technologies
Tools - Purpose - Output Unified Threat Management (UTM) - Multiple (network firewalling, network intrusion detection/prevention (IDS/IPS), gateway antivirus (AV), etc) - Depends upon what the device is being used for Data Loss Prevention (DLP) - Prevents malicious and accidental data exfiltration - Allowed and denied activity, quarantined activity (queued) Web Application Firewall (WAP) - Filters, monitors, inspects, and blocks HTTP traffic to and from a web application - Suspicious traffic requests including SQL injections and XSS
Proprietary business and technical information that can be legally protected
Trade Secret
Transmission Medium
Transmission medium can be wired (cabling) or wireless (radio waves or microwave). Transmission characteristics include: - Throughput - Signal strength - Environmental sensitivity - EMI and RFI - Temperature fluctuations - Interception capability (emanation)
TLS
Transport Layer Security (TLS) is used to establish a secure communication channel between two TCP sessions using a cryptographic key exchange. Default TLS port is 443 Steps Client Server <--Session Establishment <-Cryptographic Key Exchange-> <-Encrypted Session Established -> **TLS is the successor and recommended replacement for SSL. TLS 1.1 or higher should be used. TLS 1.0 has been broken
This cipher technique moves characters or bits to another place within the block
Transposition
Testing to determine if the application works as expected under normal operating conditions
Use case
Software Inventory
Useful Attributes: Identifier - Name, publisher, version and serial number Supplier - SLA (if applicable), support contract (if applicable) Location - Local, server, cloud Assignments - User, custodian, department, owner License Info - Subscription, contract, perpetual Code - Activation keys or code
Provisioning Lifecycle Phase 3
User account auditing, User access auditing, Change requests, User training - User account is audited (validity, group membership, roles, access permissions) - User access is audited - Change request based on personnel requirements - Ongoing training
Defensive Controls
User education, including general awareness and understanding of the importance of following security procedures and reporting suspicious activity. Supported by: - Published policies and procedures including caller/visitor identification, document disposal, and incident reporting - Technical controls, including SPAM and content filtering, browser security settings, and sandboxing - Physical controls including surveillance, mantraps, anti-skimming and anti-shimming devices
Social Engineering Psychology
Using perception, persuasion, and influence, Social Engineers take advantage of basic human instincts and responses including: -The instinct to respond to authority -The tendency to trust people -The desire to be responsive -The fear of getting into trouble -The threat of harm -The promise of a reward
Virtualization technology that hosts a desktop operating system on a centralized server
VDI Virtual Desktop Infrastructure
Software configuration that allows endpoints to be logically grouped together even if they are not attached to the same network switch
VLAN
Virtual Local Area Network (VLAN)
VLAN management allows for the software configuration of endpoints to be logically grouped together even if they are not attached to the same network switch - This allows the grouping of hosts with a common set of requirements to communicate as if they were attached to the same broadcast domain
Malware Families
Virus - Code that requires a host to execute and replicate - Macro, boot sector, stealth, script Worm - Self contained program that can replicate on its own. Takes advantage of network transport to spread - Bot/zombie, crypto. APT, generic Trojan - Self contained program that appears legitimate. Spreads through user interaction - Embedded in music, video, game, greeting cards, and utilities Rootkit - Self contained program that has privileged system access - Firmware, kernel, boot record, legitimate (anti-theft) Spyware - Self contained program that collects user information and can manipulate configuration settings - Monitors, adware, tracking cookies, geolocator, click fraud
VoIP Security
VoIP is subject to eavesdropping, interception, spoofing and DDoS. VoiP security controls include: - Enclave VoIP servers - Implement VoiP IDS/IPS - Disable unnecessary services on VoiP devices - Include servers in vulnerability and patch management program - Include VoiP in threat intelligence program - Vendor SLA
VoIP Protocols
VoIP is used to transmit audio and video over IP networks: - VoIP systems employ session controls and signaling protocols for the notification, setup, and tear-down of calls - Codec software is used to convert audio and video into digital frames - There are a variety of proprietary and open VoIP protocols - H.323 was the first widely adopted protocol - Session Initiation Protocol (SIP) is the leading multimedia open protocol
OWASP 2017 #3 Sensitive Data Exposure
Vulnerability - Sensitive data exposure Description - Unauthorized access to personal, sensitive or proprietary data Flaw - Weak data protection controls Impact - Exposure of data (may have regulatory, contractual and/or reputational impact) Mitigation: -Classify data and apply appropriate handling standards -Don't store data that isn't needed -Encrypt sensitive data at rest and in transit -Use strong cryptographic components including managmenet -Hash passwords -Disable caching for responses that contain sensitive data
The objective of this assessment is to identify known weaknesses and exposures
Vulnerability assessment
This type of exercise is organized as a scenario based workshop
Walk through (Tabletop)
This alternate site has servers and communications infrastructure. Servers might need to be updated. Data will need to be restored
Warm Site
This swap process requires the system to be in a suspended state
Warm Swap
Fire Suppression
Water-based - Sprinkler system effective on Class A (ordinary combustible) fires Dry-pipe - Sprinkler system effective on Class A (ordinary combustible) fires. - Pipes do not have water in them until system is avtivated - Automatic shut-off Halon - Pressurized Halon gas that removes oxygen from the air with no residue. - Banned by the Montreal Protocol of 1987 FM-200 - Colorless, oderlss gaseous halocarbon with no residue - Safe for human beings Argonite - Mixture of argon and nitrogen gas - Although non-toxic, it can be dangerous to humans CO2 - Pressurized gas-- manual discharge required - Extremely dangerous to humans
This software development project model requires that each phase must be completed before moving to the next
Waterfall
An embedded label in a document
Watermark
Sourcing
Ways organizations obtain services to support the business. Insourcing - when functions are performed by internal personnel Outsourcing - when functions are performed by third parties Sourcing can be provided on-site, off-site and off-shore. Off-site (nearshore) - remote location in the same geographic area as the organization's physical location Off-shore - remote location in a different geographic location (generally refers to other countries)
This type of firewall identifies attacks such as SQL injection and XSS
Web Application Firewall (WAP)
Preservation
Whenever possible, potential evidence should be kept as 'pristine as possible' Contaminants include: - Installing or running any diagnostic tools or scanning software - Deleting files - Making any changes to the system including logging the user out - Turning off the device (memory forensics is possible if a device has not been turned off)
InfoSec Audit Standards
Widely used information security audit control standards and frameworks for internal and operational auditing include: - ISACA COBIT 5 IT Controls and Assurance Objectives - ISACA IT Assurance Framework (ITAF) - AICPA Statement on Standards for Attestation Engagements No. 18 (SSAE 18) - Formally known as a SSAE 16 and before then, SAS 70 - SSAE 18 SOC 2 report is the de facto assessment standard for technology-oriented service organizations
Wireless Architecture
Wireless networking is connectivity through radio frequency transmissions. Wireless modes include: - Ad Hoc mode is a wireless peer-to-peer relationship - Infrastructure mode topology includes wireless devices, access points, and wired routers connected to the Internet