Remember This

DMZ

A DMZ is a buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the intranet (internal network).

HIDS and NIDS

A HIDS can monitor all traffic on a single host system such as a server or workstation. In some cases, it can detect malicious activity missed by antivirus software. A NIDS is installed on network devices, such as routers or firewalls, to monitor network traffic and detect network-based attacks. It can also use taps or port mirrors to capture traffic. A NIDS cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.

Trojan

A Trojan appears to be something useful but includes a malicious component, such as installing a backdoor on a user's system. Many Trojans are delivered via drive-by downloads. They can also infect systems from fake antivirus software, pirated software, games, or infected USB drives.

Trusted Platform Module

A Trusted Platform module (TPM) is a hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.

Backdoor

A backdoor provides another way to access a system. Many types of malware create backdoors, allowing attackers to access systems from remote locations. Employees have also created backdoors in applications and systems.

Chain of Custody

A chain of custody provides assurances that evidence has been controlled and handled properly after collection. It documents who handled the evidence and when they handled it. A legal hold is a court order to preserve data as evidence.

Clean Desk

A clean desk policy requires users to organize their areas to reduce the risk of possible data theft. It reminds users to secure sensitive data and may include a statement about not writing down passwords.

Cloud Access Security Broker

A cloud access security broker (CASB) is a software tool or service deployed between an organization's network and the cloud provider. It provides Security as a Service by monitoring traffic and enforcing security policies. Private clouds are only available for one organization. Public cloud services are provided by third-party companies and available to anyone. A community cloud is shared by multiple organizations. A hybrid cloud is a combination of two or more clouds.

Cold Site

A cold site will have power and connectivity needed for a recovery site, but little else. Cold sites are the least expensive and the hardest to test. A warm site is a compromise between a hot site and a cold site. Mobile sites do not have dedicated locations, but can provide temporary support during a disaster.

DDoS Attack

A denial-of-service (DDoS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A distributed denial-of-service (DDoS) attack includes multiple computers attacking a single target. DDoS attacks typically include sustained, abnormally high network traffic.

DoS Attack

A denial-of-service (DOS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A distributed denial-of-service (DDoS) attack includes multiple computers attacking a single target. DDoS attacks typically include sustained, abnormally high network traffic.

Digital Signature

A digital signature is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.

WPS Attack

A disassociation attack effectively removes a wireless client from a wireless network, forcing it to reauthenticate. WPS allows users to easily configure a wireless device by entering an eight-digit PIN. A WPS attack guesses all possible PINs until it finds the correct one. It will typically discover the PIN within hours and use it to discover the passphrase.

DRP

A disaster recovery plan (DRP) includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.

Vulnerability Scan

A false positive from a vulnerability scan indicates the scan detected a vulnerability, but the vulnerability doesn't exist. Credentialed scans run under the context of a valid account and are typically more accurate than non-credentialed scans.

False Positive

A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrator's workload. A false negative is when an attack is occurring, but the system doesn't detect and report it. Administrators often set the IDS threshold high enough it minimizes false positives but low enough that it does not allow false negatives.

Fat AP

A fat AP is also known as a stand-alone AP and is managed independently. A thin AP is also known as a controller-based AP and is managed by a wireless controller. The wireless controller configures the thin AP.

Forensic Image

A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture. Experts capture an image of the data before analysis to preserve the original and maintain its usability as evidence. Hashing provides integrity for captured images, including images of both memory and disk drives. You can take a hash of a drive before and after capturing an image to verify that the imaging process did not modify the drive contents.

Hardware Security Module

A hardware security module (HSM) is a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys.

Hot Site

A hot site includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A hot site provides the shortest recovery time compared with warm and cold sites. It is the most effective disaster recovery solution, but it is also the most expensive to maintain.

Logic Bomb

A logic bomb executes in response to an event, such as when a specific application is executed or a specific time arrives.

Master Image

A master image provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create a secure baseline. They then use integrity measurements to discover when deviates from the baseline.

MOA

A memorandum or understanding or memorandum of agreement (MOU/MOA) defines responsibilities of each party, but it is not as strict as a service level agreement (SLA) or interconnection security agreement (ISA). If the parties will be handling sensitive data, they should include an ISA to ensure strict guidelines are in place to protect the data while in transit. An MOU/MOA often supports an ISA.

Penetration Test

A penetration test is an active test that can assess deployed security controls and determine the impact of a threat. It starts with a vulnerability scan and then tries to exploit vulnerabilities by actually attacking or simulating an attack.

Threshold Assessment

A privacy threshold assessment is typically a simple questionnaire completed by system or data owners. It helps identify if a system processes data that exceeds the threshold for PII. If the system processes PII, a privacy impact assessment helps identify and reduce risks related to potential loss of the PII.

Proxy Server

A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Transparent proxy servers accept and forward requests without modifying them. Nontransparent proxy servers use URL filters to restrict access to certain sites. Both types can log user activity.

Quantitative Risk Assessment

A quantitative risk assessment uses specific monetary amounts to identify cost and asset values. The SLE identifies the amount of each loss, the ARO identifies the number of failures in a year, and the ALE identifies the expected annual loss. You calculate the ALE as SLE x ARO. A qualitative risk assessment uses judgement to categorize risks based on likelihood of occurrence and impact.

Risk Register

A risk register is a comprehensive document listing known information about risks. It typically includes risk scores along with recommended security controls reduce the risk scores. A supply chain assessment evaluates everything needed to produce and sell a product. It includes all the raw materials and processes required to create and distribute a finished product.

Role-BAC

A role-BAC model uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges.

Script Kiddies

A script kiddie is an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise, sophistication, and funding. A hacktivist launches attacks as part of an activist movement or to further a cause. An insider is anyone who has legitimate access to an organization's internal resources, such as an employee of a company.

SIEM System

A security information and event management system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. It typically includes aggregation and correlation capabilities to collect and organize log data from multiple sources. It also provides continuous monitoring with automated alerts and triggers.

Point of Failure

A single point of failure is any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPSs, and generators remove many single points of failure. RAID is an inexpensive method used to add fault tolerance and increase availability.

Shoulder Surfing

A social engineer can gain unauthorized information just by looking over someone's shoulder. This might be in person, such as when a user is at a computer, or remotely using a camera. Screen filters help prevent shoulder surfing by obscuring the view for people unless they are directly in front of the monitor.

Spear Phishing Attack

A spear phishing attack targets specific groups of users. It could target employees within a company or customers of a company. Digital signatures provide assurances to recipients about who sent an email, and can reduce the success of spear phishing. Whaling targets high-level executives.

Firewall Blocks

A stateless firewall blocks traffic based on the state of the packet within a session. Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks and can include load-balancing features.

SCADA

A supervisory control and data acquisition (SCADA) system has embedded systems that control an industrial control system (ICS), such as one used in a power plant or water treatment facility. Embedded systems are also used for many special purposes, such as medical devices, automotive vehicles, aircraft, and unmanned aerial vehicles (UAVs).

Threat

A threat is a potential danger and a threat assessment evaluates potential threats. Environmental threats include natural threats such as weather events. Manmade threats are any potential dangers from people and can be either malicious or accidental. Internal threats typically refer to employees within an organization, while external threats can come from any source outside the organization.

Mandatory Access Control

A trusted operating system meets a set of predetermined requirements, such as those identified in the Common Criteria. It uses the mandatory access control (MAC) model.

UTM

A unified threat management (UTM) appliance combines multiple security controls into a single appliance. They can inspect data streams and often include URL filtering, malware inspection, and contention inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.

Virtual Private Network

A virtual private network (VPN) provides more remote access to a private network via a public network. VPN concentrators are dedicated devices used for VPNS. They include all the services needed to create a secure VPN supporting many clients.

Vulnerability Scanner

A vulnerability scanner can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches. Vulnerability scans are passive and have little impact on a system during a test. In contrast, a penetration test is intrusive and can potentially compromise a system.

System Test

A vulnerability scanner is passive and non-intrusive and has little impact on a system during a test. In contrast, a penetration test is active and intrusive, and can potentially compromise a system. A penetration test is more invasive than a vulnerability scan.

Symmetric Block Cipher

AES is a strong symmetric block cipher that encrypts data in 128-bit blocks. AES uses 128-bit 192-bit, or 256-bit keys. DES and 3DES are block ciphers that encrypt data in 64-bit blocks. 3DES was originally designed as a replacement for DES, but NIST selected AES as the current standard. However, 3DES is still used in some applications, such as when legacy hardware doesn't support AES.

ARP Poisoning Attacks

ARP poisoning attacks attempt to mislead systems about the actual MAC address of a system. ARP poisoning is sometimes used in man-in-the-middle attacks.

Account Expiration

Account expiration dates automatically disable accounts on the expiration date. This is useful for temporary accounts such as temporary contractors.

Connect Servers

Administrators connect to servers remotely using protocols such as Secure Shell (SSH) and the Remote Desktop Protocol (RDP). In some cases, administrators use virtual private networks to connect to remote systems.

Cipher Suites

Administrators should disable weak cipher suites and weak protocols on servers. When a server has both strong and weak cipher suites, attackers can launch downgrade attacks bypassing the strong cipher suite and exploiting the weak cipher suite.

SNMPv3

Administrators use SNMPv3 to manage and monitor network devices and SNMP uses UDP ports 161 and 162. It includes strong authentication mechanisms and is more secure than earlier versions.

Protocol Analyzer

Administrators use a protocol analyzer to capture, display, and analyze packets sent over a network. It is useful when troubleshooting communications problems between systems. It is also useful to detect attacks that manipulate or fragment packets. A capture shows information such as the type of traffic (protocol), flags, source and destination IP addresses, and source and destination MAC addresses. The NIC must be configured to use promiscuous mode to capture all traffic.

Use Ping

Administrators use ping to check connectivity of remote systems and verify name resolution is working. They also use ping to check the security posture of systems and networks by verifying that routers, firewalls, and IPSs block ICMP traffic when configured to do so.

Privilege Escalation Techniques

After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems. Pivoting is the process of using an exploited system to target other systems.

802.1X Server

An 802.1X server provides port-based authentication, ensuring that only authorized clients can connect to a network. It prevents rogue devices from connecting.

IPS

An IPS can detect, react, and prevent attacks. It is placed inline with the traffic (also known as in-band). An IDS monitors and responds to an attack. It is not inline but instead collects data passively (also known as out-of-band).

Account Policy

An account disablement policy identifies what to do with accounts for employees who leave permanently or on a leave of absence. Most policies require administrators to disable the account as soon as possible, so that ex-employees cannot use the account. Disabling the account ensures that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but are no longer accessible if the account is deleted.

Application Whitelist

An application whitelist is a list of authorized software and it prevents users from installing or running software that isn't on the list. An application blacklist is a list of unauthorized software and prevents users from installing or running software on the list.

Embedded System

An embedded system is any device that has a dedicated function and uses a computer system to perform that function. It includes any devices in the Internet of things (IoT) category, such as wearable technology and home automation systems. Some embedded systems use use a system on a chip (SoC).

Incident Response

An incident response policy defines a security incident and incident response procedures. Incident response procedures start with preparation to prepare for and prevent incidents. Preparation helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.

Intrusion Prevention System

An intrusion prevention system (IPS) is a preventive control. It is placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can also be used internally to protect private networks.

Antivirus Software

Antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature-based antivirus software detects known malware based on signature definitions. Heuristic-based software detects previously unknown malware based on behavior.

Software as a Service

Applications such as web-based email provided over the Internet are Software as a Service (SaaS) cloud-based technologies. Platform as a Service (PaaS) provides customers with a fully managed platform, which the vendor keeps up to date with current patches. Infrastructure as a Service (IaaS) provides customers with access to hardware in a self-managed platform.

Typo Squatting

Attackers purchase similar domain names in typo squatting (also called URL hijacking) attacks. Users visit the typo squatting domain when they enter the URL incorrectly with a common typo. In a session hijacking attack, the attacker utilizes the user's session ID to impersonate the user. In a domain hijacking attack, an attacker changes the registration of a domain name without permission from the owner.

SQL Injection Attacks

Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the phrase ' or '1' = '1' - to trick the database server into providing information.

Availability

Availability ensures that systems are up and operational when needed and often addresses single points of failure. You can increase availability by adding fault tolerance and redundancies, such as RAID, failover clusters, backups, and generators. HVAC systems also increase availability.

Background Checks

Background checks investigate the history of an individual prior to employment and, sometimes, during employment. They may include criminal checks, credit checks, and an individual's online activity. An exit interview is conducted when an individual departs an organization. User accounts are often disabled or deleted during the exit interview and everything issued to the employee is collected.

Barricades

Barricades provide stronger barriers than fences and attempt to deter attackers. Bollards are effective barricades that can block vehicles.

Key Stretching Techniques

Bcrypt and PBKDF2 are key stretching techniques that help prevent brute force and rainbow table attacks. Both salt the password with additional random bits.

Resetting Passwords

Before resetting passwords for users, it's important to verify the user's identity. When resetting passwords manually, it's best to create a temporary password that expires upon first use.

Black Box Testers

Black box testers have zero prior knowledge of the system prior to a penetration test. White box testers have full knowledge, and gray box testers have some knowledge. Black box testers often use fuzzing.

Bluejacking

Bluejacking is the unauthorized sending of text messages to a nearby Bluetooth device. Bluesnarfing is the unauthorized access to, or theft of information from, a Bluetooth device. Ensuring devices cannot be paired without manual user intervention prevents these attacks.

Brute Force Attacks

Brute force attacks attempt to guess passwords. Online attacks guess the password of an online system. Offline attacks guess the password stored within a file, such as a database. Dictionary attacks use a file of words and common passwords to guess a password. Account lockout policies help protect against brute force attacks and complex passwords thwart dictionary attacks.

Buffer Overflows

Buffer overflows occur when an application receives more data than it can handle, or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP instructions (such as x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.

Certificates

CAs revoke certificates for several reasons such as when the private key is compromised or the CA is compromised. The certificate revocation list (CRL) includes a list of revoked certificates and is publicly available. An alternative to using a CRL is the Online Certificate Status Protocol (OCSP), which returns answers such as good, revoked, or unknown. OCSP stapling appends a digitally signed OCSP response to a certificate.

Certificate Format

CER is an ASCII format for certificates and DER is a binary format. PEM is the most commonly used certificate format and can be used for just about any certificate type. P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.

Cable Locks

Cable locks are effective threat deterrents for small equipment such as laptops and some workstations. When used properly, they prevent losses due to theft of small equipment. Locking cabinets in server rooms provide an added physical security measure. A locked cabinet prevents unauthorized access to equipment mounted in server bays.

Certificate Stapling

Certificate stapling is an alternative to OCSP. The certificate presenter (such as a web server) appends the certificate with a time-stamped digitally signed OCSP response from the CA. This reduces OCSP traffic to and from the CA. Public key pinning helps prevent attackers from impersonating a web site with fraudulent certificate. The web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions.

Certificate Owners

Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

Complex Passwords

Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters.

Confidentiality

Confidentiality ensures that data is only viewable by authorized users. The best way to protect the confidentiality of data is by encrypting it. This includes any type of data, such as PII, data in databases, and data on mobile devices. Access controls help protect confidentiality by restricting access. Steganography helps provide confidentiality by hiding data, such as hiding text files within an image file.

Device Policy

Coporate-owned, personally enabled (COPE) devices are owned by the organization, but employees can use them for personal reasons. A bring your own device (BYOD) policy allows employees to connect their own personal devices to the corporate network. A choose your own device (CYOD) policy includes a list of approved devices. Employees with a device on the list can connect them to the network. A virtual desktop infrastructure (VDI) is a virtual desktop and these can be created so that users can access them from a mobile device.

Cross-Site Request Forgery

Cross-site request forgery (XSRF) scripting causes users to perform actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.

XSS Attacks

Cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Input validation techniques at the server help prevent XSS attacks.

DNS Poisoning Attacks

DNS poisoning attacks attempt to corrupt DNS data. Amplification attacks increase the amount of traffic sent to or requested from a victim and can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers.

DNS Zones

DNS zones include records such as A records for IPv4 addresses and AAAA records for IPv6 addresses. DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. Most Internet-based DNS servers run BIND software on Unix or Linux servers, and it's common to configure DNS servers to only use secure zone transfers. DNSSEC helps prevent DNS poisoning attacks. Nslookup and dig are two command-line tools used to test DNS. Microsoft systems include nslookup; Linux systems include dig.

Data Exfiltration

Data exfiltration is the unauthorized transfer of data out of a network. Data loss prevention (DLP) techniques and technologies can block the use of USB devices to prevent data loss and monitor outgoing email traffic for unauthorized data transfers. A cloud-based DLP can enforce security policies for data stored in the cloud, such as ensuring that Personally Identifiable Information (PII) is encrypted.

Data Leakage

Data leakage occurs when users install P2P software and unintentionally share files. Organizations often block P2P software at the firewall.

Detective Controls

Detective controls attempt to detect when vulnerabilities have been exploited. Some examples include log monitoring, trend analysis, security audits, and CCTV systems.

Diffie-Hellman

Diffie-Hellman is a secure method of sharing symmetric encryption keys over a public network. Elliptic curve cryptography is commonly used with small wireless devices. ECDHE is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys.

Digital Signatures

Digital signatures can verify the integrity of emails and files and they also provide authentication and non-repudiation. Digital signatures require certificates.

Cipher Locks

Door access systems include cipher locks, proximity cards, and biometrics. Cipher locks do not identify users. Proximity cards can identify and authenticate users when combined with a PIN. Biometrics can also identify and authenticate users.

Dumpster Divers

Dumpster divers search through trash looking for information. Shredding or burning papers instead of throwing them away mitigates this threat.

EMI Shielding

EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable. Cable troughs protect cables distributed throughout a building in metal containers. A Faraday cage prevents signals from emanating beyond the cage.

Zero-Day Exploits

Educating users about new viruses, phishing attacks, and zero-day exploits helps prevent incidents. Zero-day exploits take advantage of vulnerabilities that aren't known by trusted sources, such as operating system vendors and antivirus vendors.

Encryption

Encryption provides confidentiality and helps ensure that data is only viewable by authorized users. This applies to any data-at-rest (such as data stored in a database) or data-in-transit being sent over a network.

Enterprise Mode

Enterprise mode requires an 802.1X server. EAP-FAST supports certificates. PEAP and EAP-TTLS require a certificate on the 802.1X server. EAP-TLS also uses TLS, but it requires certificates on both the 802.1X server and each of the clients.

Error and Exception Handling

Error and exception handling helps protect the integrity of the operating system and controls the errors shown to users. Applications should show generic error messages to users but log detailed information.

Failover Clusters

Failover clusters are one method of server redundancy and they provide high availability for servers. They can remove a server as a single point of failure. Load balancing increases the overall processing power of a service by sharing the load among multiple servers. Configurations can be active-passive, or active-active. Scheduling methods include round-robin and source IP address affinity. Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.

Physical Security

Fencing, lighting, and alarms all provide physical security. They are often used together to provide layered security. Motion detection methods are also used with these two methods to increase their effectiveness. Infrared detectors detect movement by objects of different temperatures.

Full Disk Encryption

File-and folder level protection protects individual files. Full disk encryption protects entire disks, including USB flash drives and drives on mobile devices. The chmod command changes permissions on Linux systems.

Firewalls

Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn't previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.

Group Policy

Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.

Group-Based Privileges

Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups, and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.

Software Tokens

HOTP and TOTP are both open source standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire. TOTP creates a one-time use password that expires after 30 seconds. Both can be used as software tokens for authentication.

Temperature Controls

HVAC systems increase availability by controlling temperature and humidity. Temperature controls help ensure a relatively constant temperature. Humidity controls reduce the potential for damage from electrostatic discharge and damage from condensation. HVAC systems should be integrated with the fire alarm systems and either have dampers or the ability to be turned off in the event of a fire.

Salt Passwords

Hashing is a one-way function that creates a string of characters. You cannot reverse the hash to re-create the original file. Passwords are often stored as hashes instead of storing the actual password. Additionally, applications often salt passwords with extra characters before hashing them.

Hashing

Hashing verifies integrity for data such as email, downloaded files, and files stored on a disk. A hash is a number created with a hashing algorithm, and is sometimes listed as a checksum.

HVAC Systems

Higher-tonnage HVAC systems provide more cooling capacity. This keeps server rooms at lower operating temperatures and results in fewer failures.

Honeypots and Honeynets

Honeypots and honeynets attempt to divert attackers from live networks. They give security personnel an opportunity to observe current methodologies used in attacks, and gather intelligence on these attacks.

Host-Based Firewalls

Host-based firewalls provide protection for individual hosts such as servers or workstations. A host-based firewall provides intrusion protection for the host. Linux systems support xtables for firewall capabilities. Network-based firewalls are often dedicated servers or appliances and provide protection for the network.

Encryption Protocol

IPsec is a secure encryption protocol used with VPNs. Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses Tunnel mode for VPN traffic and can be identified with protocol ID 50 for ESP. It uses IKE over port 500. A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN's private network.

Identification

Identification occurs when a user claims an identity such as with a username or email address. Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified. Access control systems provide authorization by granting access to resources based on permissions granted to the proven identity. Logging provides accounting.

Encrypt Data

If you can recognize the hashing algorithms such as MD5, SHA, and HMAC, it will help you answer many exam questions. For example, if a question asks what you would use to encrypt data and it lists hashing algorithms, you can quickly eliminate them because hashing algorithms don't encrypt data.

Encryption Algorithms

If you can recognize the symmetric algorithms such as AES, DES, 3DES, Blowfish, and Twofish, it will help you answer many exam questions. For example, if a question asks you what you would use to hash data and it lists encryption algorithms, you can quickly eliminate them because encryption algorithms don't hash data. You should also know the size of the blocks and the size of the keys.

Full Backup

If you have unlimited time and money, the full backup alone provides the fastest recovery time. Full/incremental strategies reduce the amount of time needed perform backups. Full/differential strategies reduce the amount of time needed to restore backups.

Door Access

In the event of a fire, door access systems should allow personnel to exit the building without any form of authentication. Access points to data centers and server rooms should be limited to a single entrance and exit whenever possible.

Integrity

Integrity verifies that data has not been modified. Loss of integrity can occur through unauthorized or unintended changes. Hashing algorithms, such as MD5, SHA-1, and HMAC, calculate hashes to verify integrity. A hash is simply a number created by applying the algorithm to a file or message at different times. By comparing the hashes, you can verify integrity has been maintained.

Eliminate Risk

It is not possible to eliminate risk, but you can take steps to manage it. An organization can avoid a risk by not providing a service or not participating in a risky activity. Insurance transfers the risk to another entity. You can mitigate risk by implementing controls, but when the cost of the controls exceeds the cost of the risk, an organization accepts the remaining, or residual, risk.

Android Device

Jailbreaking removes all software restrictions from an Apple device. Rooting modifies an Android device, giving users root level access to the device. Overwriting the firmware on an Android device with custom firmware is another way to root an Android device. Sideloading is the process of installing software on an Android device from a source other than an authorized store.

Job Rotation

Job rotation policies require employees to change roles on a regular basis. Employees might change roles temporarily, such as for three to four weeks, or permanently. This helps ensure that employees cannot continue without fraudulent activity indefinitely.

Kerberos

Kerberos is a network authentication protocol within a Microsoft Windows Active directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period. Additionally, Kerberos uses symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality. Chapter 10 explains algorithms in more depth, but in short, symmetric-key cryptography uses a single key for both encryption and decryption of the same data.

Key Data

Key data roles within an organization are responsible for protecting data. The owner has overall responsibility for the protection of the data. A steward or custodian handles routine tasks to protect data. A privacy officer is an executive responsible for ensuring the organization complies with relevant laws.

Keyloggers

Keyloggers capture a user's keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved depending on the keylogger. Spyware monitors a user's computer and often includes a keylogger.

Private Key

Knowing which key encrypts and which key decrypts will help you answer many questions on the exam. For example, just by knowing that a private key is encrypting, you know that it is being used for a digital signature.

LDAP

LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead. LDAPS encrypts transmissions with TLS.

Layered Security

Layered security, or defense-in-depth practices, uses control diversity, implementing administrative, technical, and physical security controls. Vendor diversity utilizes controls from different vendors. User training informs users of threats, helping them avoid common attacks.

Least Functionality

Least functionality is a core security principle stating that systems should be deployed with the least amount of applications, services, and protocols.

Least Privilege

Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.

Monitoring Logs

Logs record what happened, when it happened, where it happened, and who did it. By monitoring logs, administrators can detect event anomalies. Additionally, by reviewing logs, security personnel can create an audit trail.

Loop Protection

Loop protection such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected together.

MAC Filtering

MAC filtering can restrict access to a wireless network to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It's relatively simple for an attacker to spoof a MAC address.

Malware

Malware includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware and more. A virus is a malicious code that attaches itself to an application and runs when the application is started. A worm is self-replicating and doesn't need user interaction to run.

Mandatory Vacation

Mandatory vacation policies require employees to take time away from their job. These policies help to deter fraud and discover malicious activities while the employee is away.

Scarcity and Urgency

Many of the reasons that social engineers are effective are because they use psychology-based techniques to overcome users' objections. Scarcity and urgency are two techniques that encourage immediate action.

Mobile Device Management

Mobile device management (MDM) tools help enforce security policies on mobile devices. This includes the use of storage segmentation, containerization, and full disk encryption to protect data. They also include enforcing strong authentication methods to prevent unauthorized access.

Security Controls

Most security controls can be classified as technical (implemented with technology), administrative (implemented using administrative or management methods), or physical (items you can touch).

NAT

NAT translates public IP addresses to private IP addresses, and private IP addresses back to public. A common form of NAT is Port Address Translation. Dynamic NAT uses multiple public IP addresses while static NAT uses a single public IP address.

Network Access Control

Network Access Control (NAC) includes methods to inspect clients for health, such as having up-to-date antivirus software. NAC can restrict access of unhealthy clients to a remediation network. You can use NAC for VPN clients and for internal clients. Permanent agents are installed on the clients. Dissolvable agents (sometimes called agentless) are not installed on the clients and are often used to inspect employee-owned mobile devices.

Normalization

Normalization is a process used to optimize databases. While there are several normal forms available, a database is considered normalized when it conforms to the first three normal forms.

Asymmetric Encryption

Only a private key can decrypt information encrypted with a matching public key. Only a public key can decrypt information encrypted with a matching private key. A key element of several asymmetric encryption methods is that they require a certificate and a PKI.

Advanced Persistent Threats

Organized crime elements are typically motivated by greed and money but often use sophisticated techniques. Advanced persistent threats (APTs) are sponsored by governments and they launch sophisticated, targeted attacks.

PAP Authentication

PAP authentication uses a password or a PIN. A significant weakness is that PAP sends the information across a network in cleartext, making it susceptible to sniffing attacks. CHAP is more secure than PAP because passwords are not sent over the network in cleartext.

PSK Mode

PSK mode (or WPA-PSK and WPA2-PSK) uses a pre-shared key and does not provide individual authentication. Open mode doesn't use any security and allows all users to access the AP. Enterprise mode is more secure than Personal mode, and it provides strong authentication. Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

Password Crackers

Password crackers attempt to discover passwords and can identify weak passwords, or poorly protected passwords. Network scanners can detect all the hosts on a network, including the operating system and services or protocols running on each host.

Password Policies

Password policies include several elements. The password history is used with the minimum password age to prevent users from changing their password to a previously used password. Maximum password age causes passwords to expire and requires users to change their passwords periodically. Minimum password length specifies the minimum number of characters in the password. Password complexity increases the key space, or complexity, of a password by requiring more character types.

Hash Attacks

Passwords are typically stored as hashes. A pass the hash attack attempts to use an intercepted hash to access an account. Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. Birthday attacks exploit collisions in hashing algorithms.

Patch Management

Patch management procedures ensure that operating systems and applications are up to date with current patches. This protects systems against known vulnerabilities. Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.

Reconnaissance Methods

Penetration tests include both passive and active reconnaissance. Passive reconnaissance uses open-source intelligence methods, such as social media and an organization's website. Active reconnaissance methods use tools such as network scanners to gain information on the target.

PII

Personally Identifiable Information (PII) includes info such as a full name, birth date, biometric data, and identifying numbers such as an SSN. PHI is PII that includes medical or health info. Organizations have an obligation to protect PII and PHI and often identify procedures for handling and retaining PII in data policies.

Port Security

Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.

Preventive Controls

Preventive controls attempt to prevent security incidents. Hardening systems increases their basic configuration to prevent incidents. Security guards can prevent unauthorized personnel from entering a secure area. Change management processes help prevent outages from configuration changes. An account disablement policy ensures that accounts are disabled when a user leaves the organization.

Private Networks

Private networks should only have private IP addresses. These are formally defined in RFC 1918.

Proximity Cards

Proximity cards are credit card-sized access cards. Users pass the card near a proximity card reader and the card reader then reads data on the card. Some access control points use proximity cards with PINs for authentication.

Public Data

Public data is available to anyone. Confidential data info is kept secret among a certain group of people. Proprietary data is data related to ownership, such as patents or trade secrets. Private data is info about individuals that should remain private. Data classifications and data labeling help ensure personnel apply the proper security controls to protect information.

Centralized Authentication

RADIUS, TACACS+, and Diameter all provide centralized authentication. TACACS+ can be used with Kerberos. Diameter is an improvement over RADIUS, and it supports many additional capabilities, including securing transmissions with EAP.

RAID Subsystems

RAID subsystems, such as RAID-1, RAID-5, and RAID-6 provide fault tolerance and increased data availability. RAID-5 can survive the failure of one disk. RAID-6 can survive the failure of two disks.

Symmetric Stream Cipher

RC4 is a strong symmetric stream cipher, but most experts recommend using AES instead today. Blowfish is a 64-bit block cipher and Twofish is a 128-bit block cipher. Although NIST recommends AES as the standard, Blowfish is faster than AES-256.

RSA

RSA is widely used to protect data such as email and other data transmitted over the Internet. It uses both a public key and a private key in a matched pair.

Diffusion Cryptographic Techniques

Random numbers are picked by chance. Pseudo-random numbers appear to be random but are created by deterministic algorithms, meaning that given the same input, a pseudo-random number generator will create the same output. In cryptology, confusion indicates that the ciphertext is significantly different than the plaintext. Diffusion cryptographic techniques ensure that small changes in the plaintext result in significant changes in the ciphertext.

Ransomware

Ransomware is a type of malware that takes control of a user's system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a user's system or data if the victim does not pay the ransom. Ransomware that encrypts the user's data is sometimes called crypto-malware.

Mobile Device

Remote wipe sends a signal to a lost or stolen device to erase all data. Geolocation uses Global Positioning System (GPS) and can help locate a lost or stolen device. Geofencing creates a virtual fence or geographic boundary and can be used to detect when a device is within an organization's property. GPS tagging adds geographical data to files such as pictures. Context-aware authentication uses multiple elements to authenticate a user and a mobile device.

Replay Attack

Replay attacks capture data in a session with the intent of later impersonating one of the parties in the session. Timestamps and sequence numbers are effective countermeasures against replay attacks.

Privileges

Requiring administrators to use two accounts, one with administrator privileges and another with regular user privileges, helps prevent privilege escalation attacks. Users should not use shared accounts.

Risk

Risk is the likelihood that a threat will exploit a vulnerability. Risk mitigation reduces the chances that a threat will exploit a vulnerability, or reduces the impact of the risk, by implementing security controls.

Rogue Access Points

Rogue access points are often used to capture and exfiltrate data. An evil twin is a rogue access point using the same SSID as a legitimate access point. A secure AP blocks unauthorized users, but a rogue access point provides access to unauthorized users.

Role-Based Training

Role-based training ensures that employees receive appropriate training based on their roles in the organization. Common roles that require role-based training are data owners, system administrators, system owners, end users, privileged users, and executive users.

Rootkits

Rootkits have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.

Stateless Firewalls

Routers and stateless firewalls (or packet-filtering firewalls) perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list. Antispoofing methods block traffic using ACL rules.

Access Control

Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.

SAML

SAML is an XML-based standard used to exchange authentication and authorization information between parties. SAML provides SSO for web-based applications.

SDLC Models

SDLC models provide structure for software development projects. Waterfall uses multiple stages going from top to bottom, with each stage feeding the next stage. Agile is a flexible model that emphasizes interaction with all players in a project. Secure DevOps is an agile-aligned methodolgy that stresses security throughout the lifetime of the project.

SMTP

SMTP sends email on TCP port 25, POP3 receives email on port 110, and IMAP4 uses port 143. STARTTLS allows an encrypted version of the protocol to use the same port as the unencrypted version. HTTP and HTTPS use ports 80 and 443 and transmit data over the Internetin unencrypted and encrypted formats, respectively.

Sandboxing

Sandboxing is the use of an isolated area and it is often used for testing. You can create a sandbox with a virtual machine (VM) and on Linux systems with the chroot command. A secure deployment environment includes development, testing, staging, and production elements.

Secure Shell

Secure Shell (SSH) encrypts traffic over TCP port 22. Transport Layer Security (TLS) is a replacement for SSL and is used to encrypt many different protocols. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP Secure (FTPS) uses TLS to encrypt traffic.

EMI & EMP

Secure systems design considers electromagnetic interference (EMI) and electromagnetic pulse (EMP). EMI comes from sources such as motors, power lines, and fluorescent lights and can be prevented with shielding. Systems can be protected from mild forms of EMP (a short burst of electromagnetic energy) such as electrostatic discharge and lightning.

Separation of Duties

Separation of duties prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing the tasks between employees. This helps prevent potential fraud, such as if a single person prints and signs checks.

Signature-Based Detection

Signature-based detection identifies issues based on known attacks or vulnerabilities. Signature-based detection systems can detect known anomalies. Heuristic or behavior-based IDSs (also called anomaly-based) can detect unknown anomalies. They start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs significantly from the baseline, the IDS sends an alert.

Single Sign-On

Single sign-on enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on using SSO, this one set of credentials is used throughout a user's entire session. SSO can provide central authentication against a federated database for different operating systems. SSO systems depend on strong authentication. Same sign-on is not the same as SSO. In a same sign-on system, users reenter their credentials each time they access another system. However, they use the same credentials.

Dual-Factor Authentication

Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.

Social Engineering

Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn't normally take. Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.

Password Attack

Social media sites allow people to share personal comments with a wide group of people. However, improper use of social networking sites can result in inadvertent info disclosure. Attackers can also use info available on these sites to launch attacks against users or in a cognitive password attack to change a user's password. Training helps users understand the risks.

Phishing

Spam is unwanted email. Phishing is malicious spam. Attackers attempt to trick users into revealing sensitive or personal information or clicking on a link. Links within email can also lead unsuspecting users to install malware.

Spoofing Attacks

Spoofing attacks typically change data to impersonate another system or person. MAC spoofing attacks change the source MAC address and IP spoofing attacks change the source IP address.

Model Verification

Static code analysis examines the code without running it and dynamic analysis checks the code while it is running. Fuzzing techniques send random strings of data to applications looking for vulnerabilities. Stress testing verifies an application can handle a load. Sandboxing runs an application within an isolated environment to test it. Model verification ensures that the application meets all specifications and fulfills its intended purpose.

Steganography

Steganography hides messages or other data within a file. For example, you can hide messages within the white space of a JPEG or GIF file. Security professionals use hashing to detect changes in files that may indicate the use of steganography.

Stream Ciphers

Stream ciphers encrypt data in a single bit, or a single byte, at a time in a stream. Block ciphers encrypt data in a specific-sized block such as 64-bit or 128-bit blocks. Stream ciphers are more efficient than block ciphers when encrypting data in a continuous stream.

Symmetric Encryption

Symmetric encryption uses the same key to encrypt and decrypt data. For example, when transmitting encrypted data, symmetric encryption algorithms use the same key to encrypt and decrypt data at both ends of the transmission media. RADIUS uses symmetric encryption.

TLS and SSL

TLS is the replacement for SSL. Both TLS and SSL require certificates issued by certificate authorities (CAs). TLS encrypts HTTPS traffic, but it can also encrypt other traffic.

Tailgating

Tailgating is a social engineering tactic that occurs when one user follows closely behind another without using credentials. Mantraps allow only a single person to pass at a time. Sophisticated mantraps can identify and authenticate individuals before allowing access.

Command Line

Tcpdump is a command-line protocol analyzer. It can create packet captures that can then be viewed in Wireshark. Nmap is a sophisticated network scanner that runs from the command line. Netcat can be used to remotely administer systems and also gather information on remote systems.

Technical Controls

Technical controls use technology to reduce vulnerabilities. Some examples include encryption, antivirus software, IDSs, IPSs, firewalls, and the principle of least privilege. Technical physical security and environmental controls include motion detectors and fire suppression systems.

Test Restores

Test restores are the best way to test the integrity of a company's backup data. Backup media should be protected with the same level of protection as the data on the backup. Geographic considerations for backups include storing backups off-site, choosing the best location, and considering legal implications and data sovereignty.

Tethering

Tethering is the process of sharing a mobile device's Internet connection with other devices. Wi-Fi Direct is a standard that allows devices to connect without a wireless access point, or wireless router. MDM tools can block access to devices using tethering or Wi-Fi Direct to access the Internet.

ABAC Model

The ABAC model uses attributes defined in policies to grant access to resources. It's commonly used in software defined networks (SDNs).

BIA

The BIA identifies mission-essential functions and critical systems that are essential to the organization's success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.

DAC Model

The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft NTFS uses the DAC model.

Mode of Operation

The Electronic Codebook (ECB) mode of operation is deprecated and should not be used. Cipher Block Chaining (CBC) mode combines each block with the previous block when encrypting data and sometimes suffers from pipeline delays. Counter (CTM) mode combines an IV with a counter to encrypt each block. Galois/Counter Mode (GCM) combines Counter mode with hashing techniques for integrity.

MAC Model

The MAC model uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals.

Authentication Factor

The first factor of authentication (something you know, such as a password or PIN) is the weakest factor. Passwords should be strong, changed regularly, never shared with another person, and stored in a safe if written down. Technical methods (such as a technical password policy) ensure that users regularly change their passwords and don't reuse the same passwords.

Preparation

The first step in the incident response process is preparation. After identifying an incident, personnel attempt to contain or isolate the problem. This is often as simple as disconnecting a computer from a network. Eradication attempts to remove all malicious components from an attack and recovery returns a system to normal operation. Reviewing lessons learned allows personnel to analyze the incident and the response with a goal of preventing a future occurence.

Input Validation

The lack of input validation is one of the most common security issues on web-based applications. Input validation verifies the validity of inputted data before using it, and server-side validation is more secure than client-side validation. Input validation protects against many attacks, such as buffer overflow, SQL injection, command injection, and cross-site scripting attacks.

Data Confidentiality

The primary methods of protecting the confidentiality of data are with encryption and strong access controls. Database column encryption protects individual fields within a database.

Encrypted Email Message

The recipient's public key encrypts when encrypting an email message and the recipient uses the recipient's private key to decrypt an encrypted email message.

RTO

The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. The recovery point objective (RPO) refers to the amount of data you can afford to lose.

Service Set Identifier

The service set identifier (SSID) identifies the name of the wireless network. You should change the SSID from the default name. Disabling SSID broadcast can hide the network from casual users, but an attacker can easily discover it with a wireless sniffer.

Something You Are

The third factor of authentication (something you are, defined with biometrics) is the strongest individual method of authentication because it is the most difficult for an attacker to falsify. Biometric methods include fingerprints, retina scans, iris scans, voice recognition, and facial recognition. Iris and retina scans are the strongest biometric methods mentioned in this section, though iris scans are used more than retina scans due to the privacy issues and the scanning requirements. Facial recognition is the most flexible and when using alternate lighting (such as infrared), they might become the most popular.

Time-of-Day Restrictions

Time-of-day restrictions prevent users from logging on during restricted times. They also prevent logged-on users from accessing resources during certain times. Location-based policies restrict access based on the location of the user.

Hashing Algorithms

Two popular hashing algorithms used to verify integrity are MD5 and SHA. HMAC verifies both the integrity and authenticity of a message with the use of a shared secret. Other protocols such as IPsec and TLS use HMAC-MD5 and HMAC-SHA1.

Container Virtualization

Type I hypervisors run directly on bare-metal systems without an operating system. Type II hypervisors are software that run within an operating system. Container virtualization runs within isolated cells or containers and does not have its own kernel.

Auditing Review

Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing and it can be used to re-create an audit trail. Permission auditing reviews help ensure that users have only the access they need and no more and can detect privilege creep issues.

Multifactor Authentication

Using two or more methods in the same factor of authentication (such as a PIN and a password) is single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multifactor authentication uses two or more factors.

Video Surveillance

Video surveillance provides reliable proof of a person's location and activity. It can identify who enters and exits secure areas and can record theft of assets.

VLANs

Virtual local area networks (VLANs) separate or segment traffic on physical networks and you can create multiple VLANs with a single Layer 3 switch. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location. VLANs are also used to separate traffic types, such as voice traffic on VLAN and data traffic on a separate VLAN.

Virtualization

Virtualization allows multiple virtual servers to operate on a single physical server. It provides increased availability with lower operating costs. Additionally, virtualization provides a high level of flexibility when testing security controls, updates, and patches, because they can easily be reverted using snapshots.

Vishing

Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call.

WPA

WPA provided an immediate replacement for WEP and originally used TKIP, which was compatible with older hardware. Later implementations support the stronger AES encryption algorithm. WPA2 is the permanent replacement for WEP and WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol and CCMP should be used instead of TKIP.

Replay Attacks

WPA2 using CCMP and AES prevents wireless replay attacks. TKIP is vulnerable and should not be used. Radio-frequency identification (RFID) attacks include eavesdropping, replay, and DoS.

Forensic Analysis

When collecting data for a forensic analysis, you should collect it from the most volatile to the least volatile. The order of volatility is cache memory, regular RAM, swap or paging file, hard drive data, logs stored on remote systems, and archived media.

Network Interfaces

Windows systems use ipconfig to view network interfaces. Linux systems use ifconfig, and ifconfig can also manipulate the settings on the network interfaces. You can enable promiscuous mode on a NIC with ifconfig. The ip command is similar to ifconfig and can be used to view and manipulate NIC settings.

Wireless Scanners

Wireless scanners can detect rogue access points on a network and sometimes crack passwords used by access points. Netcat can be used for banner grabbing to identify the operating system and some applications and services on remote servers.

Security Policies

Written security policies are administrative controls that identify a security plan. Personnel create plans and procedures to implement security controls and enforce the security policies.

AP's Power Level

You can limit the range of an AP to a room or building by reducing the AP's power level. This prevents people from connecting because they will be out of the AP's range.

Business Continuity

You can validate business continuity plans through testing. Tabletop exercises are discussion-based only and are typically performed in a classroom or conference setting. Functional exercises are hands-on exercises.

Certificate Signing Request

You typically requests certificates using a certificate signing request (CSR). The first step is to create the RSA-based private key, which is used to create the public key. You then include the public key in the CSR and the CA will embed the public key in the certificate. The private key is not sent to the CA.