Sec+

Log review

is a critical part of security assurance

RSA (Rivest, Shamir, Adleman) 1024-bit

is an asymmetric encryption algorithm; a 1024-bit RSA key is no longer considered secure, and 2048 bits is the current minimum (larger for long-lived keys).

Pretty Good Privacy (PGP)

uses a web of trust model rather than a certificate authority hierarchy

BitLocker To Go

A Windows 10 utility that can encrypt data on a USB flash drive and restrict access by requiring a password.

BitLocker

A Windows feature that encrypts an entire drive

DevSecOps

A combination of software development, security operations, and systems operations by integrating each discipline with the others

stateless packet filtering

A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.

Trusted Firmware Updates

A firmware update that is digitally signed by the vendor and trusted by the system before installation

Whaling

A form of spear phishing that directly targets the CEO, CFO, CIO, CSO, or other high-value target in an organization

Nessus

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

Downgrade Attack

A protocol is tricked into using a lower quality version of itself instead of a higher quality version

Federated Identity Management (FIdM)

A single identity is created for a user and shared with all of the organizations in a federation

XMAS Attack

A specialized network scan that sets the FIN, PSH, and URG flags on a TCP segment; it is used to fingerprint how a host responds and can cause some poorly implemented devices to crash or reboot

Flood Attack

A specialized type of DoS which attempts to send more packets to a single server or host than they can handle

Backdoor

A way of bypassing normal authentication in a system

gpedit

Access the Group Policy Editor by opening the Run prompt and entering __________ (the snap-in file is gpedit.msc); from there you can view the local policies

SSID

According to CompTIA (for exam purposes), disable the ______ broadcast to improve wireless network security. In practice hiding the network name only stops casual discovery, since clients still reveal it in probe requests, so it is not a substitute for WPA2/WPA3 encryption

IPS

An _____ can prevent a small-scale DDoS (a large one saturates the upstream link before any inline device can act, which is why cloud scrubbing services exist)

XML External Entity (XXE)

An attack that abuses an XML parser's handling of external entities: the attacker's document declares an entity pointing at a local file or an internal URL, and the parser embeds the contents of that resource in its output (or makes the request on the attacker's behalf). The fix is to disable DTD and external entity resolution in the parser
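An added example (not part of the original card set) showing what the payload looks like and one pre-parse gate for it. The XML documents are constructed for the example; the names classify_xml and parse_untrusted are my own. The standard-library ElementTree parser does not fetch external entities itself, but rejecting any DTD before parsing makes the policy explicit and also blocks entity-expansion ("billion laughs") documents; the parser-level control you would use in production is a hardened parser such as defusedxml or lxml with resolve_entities disabled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XXE payload: an external entity pointing at a local resource,
# referenced from the document body so the parser inlines the file.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><item>&xxe;</item></order>"""

# Constructed benign document for comparison.
BENIGN = b"<order><item>widget</item></order>"

# Entities can only be declared inside a DOCTYPE, so refusing every DTD
# (internal subset or external reference) closes both XXE and entity
# expansion. The SYSTEM/PUBLIC check just labels the classic XXE case.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify_xml(data: bytes) -> str:
    """'xxe' for external-entity declarations, 'dtd' for any other DOCTYPE,
    'ok' for a DTD-free document."""
    if _EXTERNAL_ENTITY.search(data):
        return "xxe"
    if _DOCTYPE.search(data):
        return "dtd"
    return "ok"


def parse_untrusted(data: bytes) -> ET.Element:
    """Gate first, then parse. Anything carrying a DTD is refused, so no
    entity of any kind can be declared by the caller."""
    verdict = classify_xml(data)
    if verdict != "ok":
        raise ValueError(f"rejected XML input: {verdict}")
    return ET.fromstring(data)
```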

ISO 27701

An international standard that acts as a privacy extension to the ISO 27001 to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS)

ISO 27001

An international standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS)

ISO 27002

An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS)

Python

An interpreted, high-level and general-purpose programming language

nmap

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

hping

An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks

Trusted Operating Systems (TOS)

An operating system that meets the requirements set forth by government and has multilevel security

Access Control List

An ordered set of rules that a router evaluates top to bottom (first match wins, with an implicit deny at the end) to decide whether to permit or deny traffic based on given characteristics; IP spoofing is used to trick a router's ______ by forging a source address the rules trust
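An added example (not from the original cards) tying the stateless packet filtering card and this one together: a first-match rule base evaluated over constructed packets. The Packet and Rule types, the rule base and the addresses are my own. It shows two things the definitions only state: rule order decides the outcome, and a stateless filter has to approximate "established" by looking at TCP flags on each packet rather than tracking connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any port
    established_only: bool = False  # stateless "established": reject bare SYNs

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (not self.established_only or not p.syn_only)
        )


def evaluate(rules, packet: Packet, default: str = "deny") -> str:
    """First match wins; the implicit final rule denies everything else."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed inbound rule base for an edge router in front of 10.0.0.0/24.
# Rule 1 is the anti-spoofing rule: a packet arriving from the internet must
# never claim an internal source address. Put it first, or a later permit
# for the web server accepts the spoofed packet before it is ever checked.
INBOUND = [
    Rule("deny", src="10.0.0.0/24"),
    Rule("permit", dst="10.0.0.10/32", proto="tcp", dport=443),
    Rule("permit", dst="10.0.0.0/24", proto="tcp", established_only=True),
]
```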

Choose Your Own Device (CYOD)

An organization allows employees to select from specified devices for business usage.

Application Blacklist

Any application placed on the list will be prevented from running while all others will be permitted to run

Threat

Any condition that could cause harm, loss, damage, or compromise to our information technology systems; threats are external and beyond your control

Internet-facing Host

Any host that accepts inbound connections from the internet

DNS Amplification

Attack in which small DNS queries are sent with a spoofed source address (the victim's), so that the much larger DNS responses are delivered to, and flood, the victimized server

Double Tagging

Attacker adds an extra 802.1Q VLAN tag so the frame carries an outer and an inner tag; the first switch strips the outer (native VLAN) tag and forwards the frame onto the inner VLAN. Prevented by moving all ports out of the default VLAN group and setting the native VLAN on trunks to an unused VLAN ID

Cryptanalysis Attack

Attacking the cipher or hash itself rather than guessing credentials: analyzing ciphertext or hash output to recover the key or plaintext. Comparing a precomputed hash to a value in a lookup table (a rainbow table attack) is the example most often used against password hashes

Change Management Policy

Defines the structured way of changing the state of a computer system, network, or IT procedure

Data Masking

Deidentification Method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data

unnecessary and regenerate

Delete _______ keys and ________keys when moving into a production environment

Radio Frequency Identification (RFID)

Devices that use a radio frequency signal to transmit identifying information about the device or token holder; can operate from 10 cm to 200 meters depending on the device

Fieldbus

Digital serial data communications used in operational technology networks to link PLCs

wuauserv

Disable the ___________service to prevent Windows Update from running automatically

Network Mapping

Discovery and documentation of physical and logical connectivity that exists in the network

Baseline Reporting

Documenting and reporting on the changes in a baseline

10 Tape Rotation

Each of the ten tapes is used once per business day for two working weeks, and then the entire set is reused

key

Encryption strength comes from the ____, not the algorithm (Kerckhoffs's principle: assume the algorithm is public and only the key is secret)

 - Establish administrative control over operational technology networks by recruiting staff with relevant expertise
 - Implement the minimum network links by disabling unnecessary links and services
 - Develop and test a patch management program for the operational technology network
 - Perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions

Four key controls for mitigating vulnerabilities in specialized systems

Rootkit

Gains administrative control of your system by targeting boot loader or kernel

Sensitive but Unclassified

Government Classifications- Items that wouldn't hurt national security if released but could impact those whose data is contained in it

Unclassified data

Government Classifications- can be released to the public

Regulatory bodies

Governmental organizations that oversee the compliance with specific regulations and law

6

Octal permission digit that gives the group read and write (rw-) access in Linux, as in chmod 660 file (owner rw-, group rw-, others none)

sequentially; locking mechanism

How can you prevent race conditions and TOCTOU (time-of-check to time-of-use)? • Develop applications so the check and the use are not processed __________ as separate steps; make them one atomic operation where possible • Implement a _____ _________ to give the application exclusive access to the resource while it works on it
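An added example (not from the original cards) of the atomic-operation advice on POSIX-style filesystems. The helper names and the scratch file are my own. The vulnerable pattern is the separate check (os.path.exists / stat) followed by the use (open); between the two an attacker can drop a symlink or swap the file. Here the kernel does the check as part of the open: O_EXCL makes creation fail if anything already exists, and fstat on the open descriptor validates the object actually held rather than whatever was at the path a moment earlier.

```python
import os
import stat
import tempfile


def create_exclusive(path: str, data: bytes, mode: int = 0o600) -> None:
    """Create a new file atomically.

    Vulnerable form:  if not os.path.exists(path): open(path, "w").write(...)
    Between the check and the open an attacker can place a symlink at `path`
    so the write lands in a file of their choosing. O_CREAT|O_EXCL makes the
    creation itself the check: it fails if anything already exists there.
    O_NOFOLLOW (where available) additionally refuses to follow a symlink.
    For shared in-process state the equivalent is holding a lock across both
    the check and the use, which is the card's 'locking mechanism'.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def read_regular_file(path: str) -> bytes:
    """Open first, validate the descriptor second.

    A stat() before open() is another check-then-use window; fstat() on the
    descriptor describes the exact object this process holds open.
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path} is not a regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Exercise both helpers in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "secret.txt")
        create_exclusive(p, b"token=abc123\n")
        try:
            create_exclusive(p, b"overwrite attempt\n")  # second create must fail
            second_create = "succeeded"
        except FileExistsError:
            second_create = "refused"
        return {"content": read_regular_file(p), "second_create": second_create}
```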

 - Analyze network traffic
 - Analyze the executable process list
 - Analyze other infected hosts
 - Identify how the malicious process was executed

How to perform threat hunting using tools for monitoring and incident response (4 steps)

40%

Humidity should be kept around _____

alert and log

IDS can only ____ and _____ suspicious activity

143 TCP

IMAP

external USB drive

If your motherboard doesn't have TPM, you can use an _____ ____ _______ as a key

Data at Rest

Inactive data that is archived, such as data resident on a hard disk drive

Key stretching and salting

Increasing Hash Security

Confidentiality

Information has not been disclosed to unauthorized people

Integrity

Information has not been modified or altered without proper authorization

Availability

Information is able to be stored, accessed, or protected at all times

WEP

Its main weakness is the Initialization Vector: the 24-bit IV is too short, so it repeats quickly and lets an attacker recover the RC4 key

88 TCP/UDP

Kerberos

Rule-based Access Control

A label-based form of mandatory access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label

centrally

Large organizations _________ manage updates through an update server

False positive

Legitimate activity is identified as an attack

iptables

Linux firewall, can be accessed from the command line

Processor Security Extensions

Low-level CPU changes and instructions that enable secure processing

Rule-based and the Latticebased

MAC is implemented through the ______ and ______ access control methods

security labels

MAC relies on ____ ____ being assigned to every user
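An added example (not from the original cards) of the label comparison the three MAC cards above describe, written as a small lattice check. The level names follow the government classification cards on this page; the compartments (need-to-know categories) and the read/write rules are the Bell-LaPadula model, which is the standard reference for lattice-based MAC but is not named on the page. Function and class names are my own.

```python
from dataclasses import dataclass

# Ordered sensitivity levels, lowest to highest (names from the page's
# classification cards plus the usual military levels above them).
LEVELS = {
    "unclassified": 0,
    "sensitive but unclassified": 1,
    "confidential": 2,
    "secret": 3,
    "top secret": 4,
}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: at least as high a level AND a superset of
        the other label's compartments. Two labels can be incomparable."""
        return (
            LEVELS[self.level] >= LEVELS[other.level]
            and self.compartments >= other.compartments
        )


def mac_decision(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula rules applied to the labels:
    read  -> subject must dominate object  (no read up)
    write -> object must dominate subject  (no write down)
    The rule is global; the object's owner cannot override it."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")
```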

OS X

macOS (formerly OS X), the Mac operating system; Mac computers ship with a built-in firewall

FileVault

Mac whole disk encryption

security

Management should be conducted on an out-of-band network to increase _____

Social Engineering

Manipulates a user into revealing confidential information that is detrimental to that user or to the security of our systems; any time you deceive, lie to, or trick a user into doing something

PAC - Proxy Auto Configuration

Method used to automatically configure systems to use a proxy server. It is recommended to disable this, since an attacker who controls the PAC file or its delivery can redirect traffic through a proxy they control; configure your proxy server manually instead

dictionary attack

Method where a program attempts to guess the password by using a list of possible passwords

Brute-Force Attack

Method where a program tries every possible combination until it cracks the password; increasing password length and complexity exponentially increases the time required to brute-force it

Due Care

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

3 and 4

Most FW operate at Layer __ (blocking IP addresses) and Layer___(blocking ports)

1433 TCP

Microsoft SQL Server (ms-sql-s)

Signature-based

Network traffic is analyzed for predetermined attack patterns

Open wireless connection

No security or no protection provided

White Hats, penetration tester or ethical hacker

Non-malicious hackers who attempt to break into a company's systems at their request

Man-in-the-Browser (MITB)

Occurs when a Trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser

Active Interception

Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them

Black-box Testing

Occurs when a tester is not provided with any information about the system or program prior to conducting the test

White-box Testing

Occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test

Privilege Creep

Occurs when a user accumulates additional permissions over time as they rotate through different positions or roles; violates the principle of least privilege

Password Guessing

Occurs when a weak password is simply figured out by a person

physical or virtual servers.

One of the great things about doing serverless is that it eliminates the need to manage ______ or ________

curl

One of the ways you can test APIs is by using a tool known as ____. It transfers data to or from a server using any of its supported protocols, including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, and FILE.

Port Mirroring

One or more switch ports are configured to forward all of their packets to another port on the switch

Incremental Backup

Only conducts a backup of the contents of a drive that have changed since the last full or incremental backup

official App Store or Play Store

Only install apps from the ________

v2

Only use ____ SIM cards with your devices

Circuit-Level gateway

Operates at the session layer and only inspects the traffic during the establishment of the initial session over TCP or UDP

inherited by default

Permissions are _____ ____ _____ from the parent when a new folder is created, meaning any permissions added to or removed from the parent folder also pass to the child by default

port 1645

The original, pre-standard RADIUS authentication port (1646 was used for accounting) before RFC 2865 assigned 1812/1813; still seen on older equipment

Authentication Header (AH)

Protocol used in IPSec that provides integrity and authentication but no confidentiality (ESP is the IPSec protocol that encrypts)

Organizational Policies

Provide general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms

1812/1813 UDP

RADIUS

1645/1646 UDP

RADIUS (alternative)

3389 TCP/UDP

RDP

vulnerability, encrypts

Ransomware uses a __________ in your software to gain access and then ________ your files

Key Management

Refers to how an organization will generate, exchange, store, and use encryption keys

Policy-based

Relies on specific declaration of the security policy (i.e., 'No Telnet Authorized')

Biometrics

Relies on the physical characteristics of a person to identify them; considered "something you are"

supply chain

Secure working in an unsecure environment involves mitigating the risks of the ____ _____

Vulnerability Assessment

Seeks to identify any issues in a network, application, database, or other systems prior to it being used that might compromise the system; Defines, identifies, and classifies vulnerabilities within a system

Bluejacking

Sending of unsolicited messages to Bluetooth-enabled devices

orchestration

Serverless depends on ______

 - No patching
 - No administration
 - No file system monitoring

Serverless eliminates the need to manage physical or virtual servers, i.e. these three tasks

personal firewalls

Software application that protects a single computer from unwanted Internet traffic

Critical Update

Software code for a specific problem addressing a critical, non-security bug in the software

802.1x

Standardized framework used for port-based authentication on wired and wireless networks; can prevent rogue devices

self-encrypting drive (SED)

Storage device that performs whole disk encryption using embedded hardware; historically less common because it's more expensive than software encryption

Twofish

Symmetric block cipher designed as the successor to Blowfish; uses 128-bit blocks and a 128-bit, 192-bit, or 256-bit encryption key to encrypt plaintext into ciphertext

Blowfish

Symmetric block cipher that uses 64-bit blocks and a variable length encryption key to encrypt plaintext into ciphertext

Rivest Cipher (RC6)

Symmetric block cipher that was introduced as a replacement for DES but AES was chosen instead

69 UDP

TFTP

WPA

TKIP and RC4

Birthday Attack

Technique used by an attacker to find two different messages that have the same identical hash digest
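An added example (not from the original cards) that makes the birthday attack concrete: it searches for two distinct messages whose hashes agree on the first 24 bits of SHA-256, a stand-in for a weak or truncated hash, and it computes the birthday bound that predicts roughly how many tries that takes. The truncation, the message format, and the function names are my own. The point to notice is that the search succeeds after on the order of 2**(24/2) = 4096 attempts, not 2**24.

```python
import hashlib
import math


def truncated_digest(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256 as an integer (a deliberately short hash)."""
    h = hashlib.sha256(msg).digest()
    return int.from_bytes(h, "big") >> (256 - bits)


def find_collision(bits: int, limit: int = 1_000_000):
    """Hash distinct messages, remembering every digest seen; the first repeat
    is a collision. Returns (msg1, msg2, tries) or None if `limit` is hit.
    Expected work is about 2**(bits/2) tries rather than 2**bits because any
    pair of earlier messages may collide, not just a pair with a fixed target."""
    seen = {}
    for i in range(limit):
        msg = f"message-{i}".encode()  # constructed, sequential messages
        d = truncated_digest(msg, bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, i + 1
        seen[d] = msg
    return None


def birthday_bound(bits: int) -> float:
    """Number of tries at which a collision becomes ~50% likely:
    sqrt(2 * ln 2 * N) for a hash with N = 2**bits possible outputs."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)
```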

Port 23 (TCP/UDP)

Telnet

Denial of Service (DoS)

Term used to describe many different types of attacks which attempt to make a computer or server's resources unavailable

PKI

The federation trust between parties is established using ____certificates.

Red Team

The hostile or attacking team in a penetration test or incident response exercise

Risk

The likelihood that a threat will exploit a vulnerability, combined with the impact if it does

Fraud

The wrongful or criminal deception intended to result in financial or personal gain

electronic access systems

These can use an RFID reader to scan an employee's badge and grant them access based on those credentials.

Installation

This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system

BC extinguisher

This most often uses CO2 to put out a fire. This is useful for both gas fires, Class B, and electrical fires, Class C, and it's also safe to use on computers.

Grandfather-Father-Son

Three sets of backup tapes are defined as the son (daily), the father (weekly), and the grandfather (monthly)
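An added example (not from the original cards) covering the incremental backup card and the two rotation cards above. It builds a constructed two-week catalogue (a full backup every Sunday, incrementals on the other days), computes the restore chain an incremental scheme needs for a given day, and assigns each day's tape to the grandfather, father, or son set. The schedule, the "last Sunday of the month is the monthly tape" convention, and the function names are my own assumptions; the date handling is standard-library only.

```python
from datetime import date, timedelta


def build_catalogue(start_iso: str, days: int):
    """Constructed backup catalogue: list of (date, kind) with a full backup
    every Sunday and incrementals on every other day."""
    start = date.fromisoformat(start_iso)
    cat = []
    for n in range(days):
        d = start + timedelta(days=n)
        kind = "full" if d.weekday() == 6 else "incremental"  # Sunday == 6
        cat.append((d, kind))
    return cat


def restore_chain(catalogue, target_iso: str):
    """Incremental scheme: restoring to `target` needs the last full backup on
    or before that day plus every incremental after it, applied in order.
    Losing any one tape in the chain makes everything after it unrecoverable,
    which is the trade-off for incrementals being small and fast."""
    target = date.fromisoformat(target_iso)
    upto = [b for b in catalogue if b[0] <= target]
    last_full = max(i for i, b in enumerate(upto) if b[1] == "full")
    return upto[last_full:]


def gfs_label(day_iso: str) -> str:
    """Grandfather-father-son: which tape set a day's backup is written to.
    Weekdays go to the daily (son) set, Sundays to the weekly (father) set,
    and the last Sunday of each month is promoted to the monthly (grandfather)
    set, which is retained longest."""
    d = date.fromisoformat(day_iso)
    if d.weekday() != 6:
        return "son"
    if (d + timedelta(days=7)).month != d.month:
        return "grandfather"
    return "father"
```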

syslog / rsyslog / syslog-ng

Three variations of syslog which all permit the logging of data from different types of systems in a central repository

SYSLOG

To consolidate all the logs into a single repository, you can use this. A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports on and analyzes them; the classic transport is port 514 over UDP, which is unauthenticated and unencrypted, so syslog over TLS (port 6514 TCP) is preferred where the collector supports it

encryption

Turn on _______for voice and data

Cluster

Two or more servers working together to perform a particular job function

Port 389

LDAP in the clear (unencrypted); LDAPS, LDAP over TLS, uses port 636

Service Set Identifier (SSID)

Uniquely identifies the network and is the name of the WAP used by the clients

separated

VMs are ________ from other VMs by default

plan

Verify it is compatible with your systems and ______for how you will test and deploy it

Security Assessments

Verify that the organization's security posture is designed and configured properly to help thwart different types of attacks; might be required by contracts, regulations, or laws

Kali Linux

A Linux distribution bundled with security tools, used by penetration testers or simulated attackers

SNMP v3

Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network

Macro

Virus embedded into a document and is executed when the document is opened by the user

Metamorphic

Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of polymorphic virus)

user action

Viruses require a _______ in order to reproduce and spread

Advanced Encryption Standard (AES)

WPA2 relies on this algorithm (in CCMP mode) for encryption; the original WPA used TKIP with RC4 instead

Baiting

When a malicious individual leaves malware-infected removable media such as a USB drive or optical disc lying around in plain view

Overwrite Events

When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room

Dumpster Diving

When a person scavenges for private information in garbage containers

Eavesdropping

When a person uses direct observation to "listen" in to a conversation

Shoulder Surfing

When a person uses direct observation to obtain authentication information

Authentication

When a person's identity is established with proof and confirmed by a system

risk

When security is sacrificed in favor of more efficient operations, additional _____ exists

Power Users

___ ____ is a role-based permission

Adobe Flash

Browser plug-in that has been phased out (end of life December 2020) in favor of HTML5

ultrasonic camera

A camera or sensor that uses sound-based (ultrasonic) detection

runtime error

error occurs while the program is running

Online password attacks

Involve submitting password guesses directly to a live service, so rate limiting and lockout apply; offline attacks work against a stolen hash instead

ArcSight

A SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS

QRadar

A SIEM log management, analytics, and compliance reporting platform created by IBM

AlienVault and OSSIM (Open Source Security Information Management)

A SIEM solution originally developed by AlienVault, now owned by AT&T and rebranded as AT&T Cybersecurity; OSSIM can integrate other open-source tools, such as the Snort IDS and the OpenVAS vulnerability scanner, and provides an integrated web administrative tool to manage the whole security environment

Simple Network Management Protocol (SNMP)

A TCP/IP protocol that aids in monitoring network-attached devices and computers; it is incorporated into network management and monitoring systems

Measured Boot

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report

Secure Boot

A UEFI feature that prevents unwanted processes from executing during the boot operation

virtual machine

A ____ ______ is a container for an emulated computer that runs an entire operating system

laptop

A _____ would be better classified as a computer or host than as part of the Internet of Things.

Race Condition

A ______ ________ vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location; difficult to detect and mitigate; can also be used against databases and file systems

Hypothesis

A _______ is derived from the threat modeling and is based on potential events with higher likelihood and higher impact.

Rainbow Table Attack

A ________ is a password attack that allows an attacker to use a set of plaintext passwords and their hashes to crack passwords.
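An added example (not from the original cards) that serves the key stretching and salting card, the dictionary and brute-force cards, and this rainbow table card together. The wordlist, the "leaked" hash table, and the function names are my own. The first half shows why an unsalted hash falls to a precomputed table in a single lookup; the second half hashes with a per-user random salt and PBKDF2 stretching (the 600,000 iteration count matches current OWASP guidance for PBKDF2-HMAC-SHA256), so an attacker has to redo the full work for every guess against every victim.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "letmein", "123456", "summer2020", "Winter2023!"]


def unsalted_md5(password: str) -> str:
    """The legacy storage format the attack below is aimed at."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed precomputed table, the idea behind a rainbow table: hash the
# wordlist once, then reuse the table against every stolen hash.
PRECOMPUTED_MD5 = {unsalted_md5(w): w for w in WORDLIST}


def lookup_unsalted(md5_hex: str) -> Optional[str]:
    """Rainbow-table style attack: one dictionary lookup, no hashing at attack time."""
    return PRECOMPUTED_MD5.get(md5_hex)


ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (key stretching)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, stretched hash in a self-describing format so the parameters
    can be raised later without breaking existing records."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def dictionary_attack(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """Against a salted, stretched hash the attacker must pay the full PBKDF2
    cost per guess per victim; a precomputed table buys nothing because the
    salt is different for every record."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None
```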

normal

A baseline establishes what is _____ so you can find deviations

Anomaly-based

A baseline is established and any network traffic that is outside of the baseline is evaluated

Playbook

A checklist of actions to perform to detect and respond to a specific type of incident

Attestation

A claim that the data presented in the report is valid by digitally signing it using the TPM's private key

Security Orchestration, Automation, and Response (SOAR)

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment - is primarily used for incident response

Function as a Service (FAAS)

A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language

Botnet

A collection of compromised computers under the control of a master node

Security Information and Event Management (SIEM)

A combination of different data sources into one tool that provides real-time analysis of security alerts generated by applications and network hardware. Key concepts:
 - Sensor
 - Sensitivity
 - Trends
 - Alerts
 - Correlation
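An added example (not from the original cards) that covers the log review, signature-based detection, syslog, and SIEM correlation cards on this page. The syslog lines are constructed in the RFC 3164 style a central collector receives; the regular expressions, the signature, and the function names are my own. The signature is a correlation rule rather than a single-line match: several failed logins from one source followed by a success from that same source, which is the pattern a lone failed-password event cannot reveal.

```python
import re
from collections import defaultdict

# Constructed syslog lines from two hosts, as forwarded to a collector.
LOGS = """\
Mar 12 10:01:02 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 12 10:01:04 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 12 10:01:05 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 12 10:01:09 web01 sshd[2212]: Accepted password for deploy from 203.0.113.9 port 51030 ssh2
Mar 12 10:02:00 db01 sshd[910]: Failed password for root from 198.51.100.4 port 40001 ssh2
Mar 12 10:02:30 web01 sshd[2213]: Accepted publickey for deploy from 10.0.0.21 port 60000 ssh2
"""

# RFC 3164 layout: timestamp, hostname, tag[pid]: message
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse(lines: str):
    """Normalize raw lines into events; unparseable lines are dropped here
    (a real collector would count them, since parse failures are themselves
    worth reviewing)."""
    events = []
    for line in lines.splitlines():
        m = SYSLOG.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events, threshold: int = 3):
    """Signature: at least `threshold` failed logins from one source address,
    then a successful login from the same address. Returns one alert per
    matching success."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        f = FAILED.search(e["msg"])
        if f:
            failures[f["ip"]] += 1
            continue
        a = ACCEPTED.search(e["msg"])
        if a and failures[a["ip"]] >= threshold:
            alerts.append({
                "ts": e["ts"], "host": e["host"], "ip": a["ip"],
                "user": a["user"], "failures": failures[a["ip"]],
            })
    return alerts
```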

network firewall

A combination of hardware and software that filters traffic between private networks or between a private network and a public network, such as the Internet.

curl

A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)

tcpdump

A command line utility that allows you to capture and analyze network traffic going through your system

Memdump

A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps

cat (concatenate)

A command-line utility for outputting the contents of a file to the screen

head

A command-line utility for outputting the first ten lines of a file provided to it

tail

A command-line utility for outputting the last ten lines of a file provided to it

grep

A command-line utility for searching plain-text data sets for lines that match a regular expression or pattern

chmod

A command-line utility used to change the access permissions of file system objects
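An added example (not from the original cards) for the chmod card and the earlier "group can read and write = 6" card: it renders permission bits the way ls -l shows them and runs the checks a permissions review looks for (world-writable files, setuid/setgid bits) over a constructed list of paths and modes, so it runs without touching the real filesystem. The sample entries and the function names are my own; on a live system the mode values would come from os.stat(path).st_mode. Note that chmod's octal argument is exactly these bits: chmod 660 sets rw-rw----, chmod 4755 sets rwsr-xr-x.

```python
import stat

# Constructed results of a filesystem walk: (path, st_mode as os.stat reports it).
SAMPLE_MODES = [
    ("/etc/shadow",     stat.S_IFREG | 0o640),
    ("/tmp/upload.sh",  stat.S_IFREG | 0o777),
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/home/app/.ssh",  stat.S_IFDIR | 0o700),
    ("/srv/www/shared", stat.S_IFDIR | 0o1777),  # sticky, world-writable dir
]


def symbolic(mode: int) -> str:
    """Permission bits as ls -l prints them, e.g. 'rwsr-xr-x' (type char dropped)."""
    return stat.filemode(mode)[1:]


def group_rw(mode: int) -> bool:
    """True when the group digit includes rw- (octal 6), e.g. chmod 660."""
    want = stat.S_IRGRP | stat.S_IWGRP
    return mode & want == want


def audit(entries):
    """Map each path to the findings a permissions review would raise."""
    findings = {}
    for path, mode in entries:
        issues = []
        world_writable = bool(mode & stat.S_IWOTH)
        # A sticky world-writable directory (like /tmp) is the accepted pattern;
        # anything else world-writable is a finding.
        if world_writable and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            issues.append("world-writable")
        if mode & stat.S_ISUID:
            issues.append("setuid")   # runs as the owner; audit every one
        if mode & stat.S_ISGID:
            issues.append("setgid")
        if stat.S_ISREG(mode) and mode & stat.S_IXOTH and world_writable:
            issues.append("world-writable executable")  # anyone can plant code
        findings[path] = issues
    return findings
```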

WinHex

A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics

Operational Technology (OT)

A communications network designed to implement an industrial control system rather than data networking; industrial systems prioritize availability and integrity over confidentiality

Quantum Communication

A communications network that relies on qubits made of photons (light); because measuring a qubit disturbs it, any interception is detectable, which makes the channel tamper-evident

Modbus

A communications protocol used in operational technology networks; gives control servers and SCADA hosts the ability to query and change the configuration of each PLC

Private cloud

A company creates its own cloud environment that only it can utilize as an internal enterprise resource; should be chosen when security is more important than cost

Machine Learning (ML)

A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions

Metasploit (MSF)

A computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing

Embedded Systems

A computer system that is designed to perform a specific, dedicated function; are considered static environments where frequent changes are not made or allowed; have very little support for identifying and correcting security issues

zombie

A computer that is controlled by a Command and Control (hacker) who uses it to launch attacks on other computer systems.

Layer 2 Tunneling Protocol (L2TP) - Port 1701

A tunneling protocol that connects two or more computers or devices that are not on the same private network; provides no encryption of its own, so it is usually paired with IPSec to provide security

Message Digest Algorithm (MD5)

A cryptographic hashing algorithm created in 1991 (published as RFC 1321 in 1992); produces a 128-bit hash digest but is susceptible to collisions, so it should only be used as a second factor of integrity checking

Secure Hash Algorithm (SHA)

A cryptographic hashing algorithm created to address possible weaknesses in the older MD5 hashing algorithm

Ephemeral

A cryptographic key that is generated for each execution of a key establishment process; _______ keys are short-lived and used in the key exchange for WPA3 to create perfect forward secrecy

Hardware Root of Trust (ROT)

A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics;is used to scan the boot metrics and OS files to verify their signatures, which we can then use to sign a digital report

Transport Layer Security (TLS)

A data encryption technology used for securing data transmitted over the Internet. Https: is secure browsing and uses this data encryption

FTK Imager

A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed

Lightweight Directory Access Protocol (LDAP)

A protocol for querying and modifying a directory that centralizes information about clients and objects on the network; Active Directory is Microsoft's directory service built on it

Web of Trust

A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system

Single Sign-On (SSO)

A default user profile for each user is created and linked with all of the resources needed; compromised SSO credentials cause a big breach in security

Tokenization

A deidentification method where a unique token is substituted for real data

Aggregation/Banding

A deidentification technique where data is generalized to protect the individuals involved

Proxy Server

A device that acts as a middle man between a device and a remote server

Modem

A device that could modulate digital information into an analog signal for transmission over a standard dial-up phone line

Autopsy

A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

Controller Area Network (CAN)

A digital serial data communications network used within vehicles

Self-Encrypting Drives

A disk drive where the controller can automatically encrypt data that is written to it

Radio Frequency Interference (RFI)

A disturbance that can affect electrical circuits, devices, and cables due to AM/FM transmissions or cell towers

Perfect Forward Secrecy or Forward Secrecy

A feature of key agreement protocols (like SAE) that provides assurance that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised

Log Files

A file that records either events that occur in an operating system or other software, or messages between different users of a communication software. Types:
 - Network
 - System
 - Application
 - Security
 - Web
 - DNS
 - Authentication
 - Dump Files
 - VoIP
 - Call Managers

session cookie

A file used by online shopping sites to keep track of items in a user's shopping cart; it tracks the session between the user and the server, not between the user and the browser

EFS (Encrypting File System)

A file-encryption tool available on Windows systems that have partitions formatted with NTFS.

Web Security Gateway

A go-between device that scans for viruses, filters unwanted content, and performs data loss prevention functions

Distributed Denial of Service (DDoS)

A group of compromised systems that simultaneously attack a single target to create a Denial of Service (DoS)

Honeynet

A group of computers, servers, or networks used to attract an attacker

Internet of Things (IoT)

A group of objects (electronic or not) that are connected to the wider Internet by using embedded electronic components; most smart devices use an embedded version of Linux or Android as their OS; devices must be secured and updated when new vulnerabilities are found

Security Template

A group of policies that can be loaded through one procedure

Digital Signature

A hash digest of a message encrypted with the sender's private key to let the recipient know the document was created and sent by the person claiming to have sent it

MITRE ATT&CK Framework

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures

Due Diligence

A legal principle holding that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system

Due Process

A legal term that refers to how an organization must respect and safeguard personnel's rights; protects citizens from their government and companies from lawsuits

Inbound Port

A logical communication opening on a server that is listening for a connection from a client

Splunk

A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on; installed locally or as a cloud-based solution

eFUSE

A means for software or firmware to permanently alter the state of a transistor on a computer chip

Secure Processing

A mechanism for ensuring the confidentiality, integrity, and availability of software code and data as it is executed in volatile memory

Application Programming Interface (API)

A method that brokers connections between the cloud service and the cloud consumer • WARNING: your policies can only be enforced if the _____ supports the functions they demand

MAC filtering

A method used to filter out which computers can access the wireless network; the WAP does this by consulting a list of MAC addresses that have been previously entered.

Cloud Security Alliance's Reference Architecture

A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business

Trusted Foundry

A microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function); Program is operated by the Department of Defense (DoD)

Hybrid Warfare

A military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare with other influencing methods, such as fake news, diplomacy, and foreign electoral intervention

Kill Chain

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion

nxlog

A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs; is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng

Hot Site

A near duplicate of the original site of the organization that can be up and running within minutes

tracert/traceroute

A network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol network

netflow

A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network

Tunnel Mode

A network tunnel is created which encrypts the entire IP packet (payload and header); is commonly used for transmission between networks

Post-quantum Cryptography

A new kind of cryptographic algorithm that can be implemented using today's classical computers but is designed to resist attacks from future quantum computers; one interim method for symmetric ciphers is to increase the key size so that more permutations must be brute-forced; researchers are working on a wide range of approaches, including lattice-based cryptography and supersingular isogeny key exchange

GNU Privacy Guard (GPG)

An independent, open-source implementation of the OpenPGP standard that interoperates with PGP; uses AES among its symmetric encryption functions and has cross-platform availability

Network Tap

A physical device that allows you to intercept the traffic between two points on the network

Downloader

A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper

Personal Identifiable Information (PII)

A piece of data that can be used either by itself or in combination with some other pieces of data to identify a single person; examples include full name, driver's license, date of birth, place of birth, biometric data, financial account numbers, email addresses, and social media usernames

Persistent Agents

A piece of software that is installed on the device requesting access to the network

Wireshark

A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis

Virtual Private Cloud (VPC)

A private network segment made available to a single cloud consumer within a public cloud; the consumer is responsible for configuring the IP address space and routing within the cloud; is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites. On-premise solutions maintain their servers locally within the network; many security products offer cloud-based and on-premise versions; consider compliance or regulatory limitations of storing data in a cloud-based security solution, and be aware of the possibility of vendor lock-in

VPN (Virtual Private Network)

A private network that is configured within a public network such as the Internet; Any traffic you wish to keep confidential crossing the internet should use a ____

Threat Modeling

A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations; helps prioritize vulnerability identification and patching

Risk Management Framework (RMF)

A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations

Risk Assessments

A process used inside of risk management to identify how much risk exists in a given network or system

Field Programmable Gate Array (FPGA)

A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture; the end customer can configure the programming logic to run a specific application instead of using an ASIC (application-specific integrated circuit)

Idempotence

A property of IaC that an automation or orchestration action always produces the same result, regardless of the component's previous state; IaC uses carefully developed and tested scripts and orchestration runbooks to generate consistent builds

Syslog

A protocol enabling different appliances and software applications to transmit logs or event records to a central server; follows a client-server model and is the de facto standard for logging of events from distributed systems; runs on most operating systems and network equipment using Port 514 (UDP) over TCP/IP. A message contains a PRI code, a header, and a message portion: the PRI code is calculated from the facility and severity level of the data, the header contains the timestamp of the event and the hostname, and the message portion contains the source process of the event and related content. The term can refer to the protocol, the server, or the log entries themselves

Secure Shell (SSH) - Port 22

A protocol that can create a secure channel between two computers or network devices to enable one device to control the other device

Point-to-Point Tunneling Protocol (PPTP) - Port 1723

A protocol that encapsulates PPP packets and ultimately sends data as encrypted traffic

Infrastructure as Code (IaC)

A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration; allows for the use of scripted approaches to provisioning infrastructure in the cloud; robust orchestration can lower overall IT costs, speed up deployments, and increase security

the harvester

A Python script that is used to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and the SHODAN database

Public Ledger

A record-keeping system that maintains participants' identities in secure and anonymous form, their respective cryptocurrency balances, and a record book of all the genuine transactions executed between network participants; a permissioned blockchain is used for business transactions and promotes new levels of trust and transparency using an immutable ________

OVAL Interpreter

A reference developed to ensure the information passed around by these programs complies with the OVAL schemas and definitions used by the OVAL language

Deep Learning

A refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions; uses complex classes of knowledge defined in relation to simpler classes of knowledge to make more informed determinations about an environment

Evil Twin

A rogue, counterfeit, and unauthorized WAP with the same SSID as your valid one; you can prevent it from being effective by making sure that all of your wireless clients are configured to use a VPN whenever they connect over Wi-Fi, even when connecting to your own Wi-Fi, because you don't know whether anybody has set up an evil twin in your area

Data Steward

A role focused on the quality of the data and associated metadata

Data Custodian

A role responsible for handling the management of the system on which the data assets are stored

Privacy officer

A role responsible for the oversight of any PII/SPI/PHI assets managed by the company

Invoice Scam

A scam in which a person is tricked into paying for a fake invoice for a service or product that they did not order

Failover Cluster

A secondary server can take over the function when the primary one fails

Virtual Private Networks

A secure connection between two or more computers or devices that are not on the same private network

Simultaneous Authentication of Equals (SAE)

A secure password-based authentication and password-authenticated key agreement method; provides forward secrecy

Forward Proxy

A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy; warning: users may be able to evade it and connect directly

User Account Control (UAC)

A security component in Windows that keeps every user in standard user mode instead of acting like an administrative user

Control Objectives for Information and Related Technology (COBIT)

A security framework that divides IT into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate

Demilitarized Zone (DMZ)

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports; everything behind the _____ is invisible to the outside network

Data Owner

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset; is responsible for labeling the asset and ensuring that it is protected with appropriate controls

Domain Controller

A server that acts as a central repository of all the user accounts and their associated passwords for the network; make sure it is up to date on its patches, its configuration is hardened, and it is secure and properly placed in your network.

DNSSEC

A set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.

Cybersecurity Framework (CSF)

A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

Incident Response

A set of procedures that an investigator follows when examining a computer security incident

Group Policy

A set of rules or policies that can be applied to a set of users or computer accounts within the operating system

Payment Card Industry Data Security Standard (PCI DSS)

A set of security standards that all U.S. companies processing, storing, or transmitting credit card information must follow.

Blockchain

A shared, immutable ledger for recording transactions, tracking assets, and building trust; the most famous examples of the ____ are those used in cryptocurrencies

Spike

A short transient in voltage that can be due to a short circuit, tripped circuit breaker, power outage, or lightning strike

Hotfix

A single problem-fixing piece of software for an operating system or application; does not require a reboot of the system

Patches

A single problem-fixing piece of software for an operating system or application; requires a reboot of the system; while this often solves one issue, it may create a new issue

Warm Site

A site that has computers, phones, and servers but they might require some configuration before users can start working

Cold Site

A site that has tables, chairs, bathrooms, and possibly some technical items like phones and network cabling

Endpoint Protection Platform (EPP)

A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption

Endpoint Detection and Response (EDR)

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats; the aim is NOT to prevent initial execution but to provide historical visibility into a compromise

Serverless

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances

Continuous Delivery

A software development method where application and platform requirements are frequently tested and validated for immediate availability

Continuous Deployment

A software development method where application and platform updates are committed to production rapidly; focuses on automated testing of code in order to get it ready for release, and on automated release of code in order to get it into the production environment more quickly

OpenSSL

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end

Microsoft Baseline Security Analyzer (MBSA)

A software tool released by Microsoft to determine the security state of a system by assessing missing security updates and less-secure security settings within Microsoft Windows components such as Internet Explorer, IIS web server, and products such as Microsoft SQL Server and Microsoft Office macro settings.

Dereferencing

A software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to.

Race Conditions

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer

Broken Authentication

A software vulnerability where the authentication mechanism allows an attacker to gain entry

Spoofing

A software-based attack where the goal is to assume the identity of a user, process, address, or other unique identifier

SIEM

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications; solutions can be implemented as software, hardware appliances, or outsourced managed services. Good practice: log all relevant events and filter irrelevant data; establish and document the scope of events; develop use cases to define a threat; plan incident response to an event; establish a ticketing process to track events; schedule regular threat hunting; provide auditors and analysts an evidence trail

Key Recovery Agent

A specialized type of software that allows the restoration of a lost or corrupted key to be performed

Signature-based

A specific string of bytes triggers an alert

Trusted Platform Module (TPM)

A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information; can be managed in Windows via the tpm.msc console or through group policy

Open Vulnerability and Assessment Language (OVAL)

A standard designed to regulate the transfer of secure public information across networks and the Internet utilizing any security tools and services available; is comprised of a language and an interpreter

Secure/Multipurpose Internet Mail Extensions (S/MIME)

A standard that provides cryptographic security for electronic messaging; can encrypt emails and their contents ...including malware

Risk Avoidance

A strategy that requires stopping the activity that has risk or choosing a less risky alternative

Risk Acceptance

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

Risk Mitigation

A strategy that seeks to minimize the risk to an acceptable level

One-Time Pad

A stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input; one-time pads are not commonly used

System and Organization Controls (SOC)

A suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services

implement a jump box

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops?

User and Entity Behavior Analytics (UEBA)

A system that can provide automated identification of suspicious activity by user accounts and computer hosts; UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning; top UEBA vendors include Microsoft and Splunk

Key Stretching

A technique that is used to mitigate a weaker key by increasing the time needed to crack it

Banner Grabbing

A technique used to gain information about servers and inventory the systems or services

Intrusion Prevention System (IPS)

A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity.

Buffer

A temporary storage area that a program uses to store data

Penetration Test

A test that uses active tools and security utilities to evaluate security by simulating an attack on a system to verify that a threat exists, actively test it, bypass security controls, and then finally exploit vulnerabilities on a given system. Tests the system to discover vulnerabilities or prove security controls work; examines the system to identify any logical weaknesses; interviews personnel to gather information

Service Pack

A tested, cumulative grouping of patches, hotfixes, security updates, critical updates, and possibly some feature or design changes

Browser Exploitation Framework (BeEF)

A tool that can hook one or more browsers and use them as a beachhead for launching various direct commands and further attacks against the system from within the browser context

Timeline

A tool that shows the sequence of file system events within a source image in a graphical format

Password Analysis

A tool used to test the strength of your passwords to ensure your password policies are being followed

Shielded Twisted Pair (STP)

A twisted pair cable that has an aluminum shield inside the plastic jacket that surrounds the pairs of wires; this minimizes EMI and RFI and can help with crosstalk

Real-Time Operating System (RTOS)

A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks; typically cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances

Programmable Logic Controller (PLC)

A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems; firmware can be patched and reprogrammed to fix vulnerabilities

Supervisory Control and Data Acquisition (SCADA)

A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over a geographic region; it is about multiple plants

Unified Extensible Firmware Interface (UEFI)

A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot

UTP (Unshielded Twisted Pair)

A type of twisted pair cabling that does not include shielding around its conductors.

Internet Protocol Flow Information Export (IPFIX)

A universal standard for exporting Internet Protocol flow information from routers, probes, and other devices; the exported information is used by mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing; the standard defines how IP flow information is to be formatted and transferred from an exporter to a collector

Default Accounts

A user or administrator-level account that is installed on a device by the manufacturer during production

Date and time; One of the common causes of an Invalid or Expired Security Certificate error is the clock on the user's computer being wrong since the website security certificates are issued to be valid within a given date range.

A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate". The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error?

Cloud Computing

A way of offering on-demand services that extend the traditional capabilities of a computer or network; relies on virtualization to gain efficiencies and cost savings

setting the Secure attribute on the cookie; When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still would need to set the Secure attribute on the cookie. Hashing the cookie provides integrity of the cookie, not confidentiality.

A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

WPA3 - Enterprise Mode

AES-256 encryption with a SHA-384 hash for integrity checking

secure authentication and authorization

APIs should use ________ such as SAML or OAuth/OIDC before accessing data

VLAN segmentation and DHCP snooping

ARP Poisoning is prevented by _____ and _____

Persistence

Ability of attackers to maintain a foothold inside a compromised network; a pentester can also simulate an insider threat

hardening

Act of configuring an operating system securely by updating it, creating rules and policies to govern it, and removing unnecessary applications and services

Subnetting

Act of creating subnetworks logically through the manipulation of IP addresses

Social Engineering

Act of manipulating users into revealing confidential information or performing other detrimental actions

Purging (Sanitizing)

Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques

War Driving

Act of searching for wireless networks by driving around until you find them; attackers can use wireless survey or open source attack tools

Log File Maintenance

Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backup, security, and encryption of the log files

Kerberos

Active Directory relies on ____________ and its ticket granting system to conduct its user authentication functions.

Behavior-based

Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system

Spam

Activity that abuses electronic messaging systems, most commonly through email

Easter egg

Acts just like a backdoor; Non-malicious code that when invoked, displays an insider joke, hidden message or secret feature

Remote Access Trojan (RAT)

Acts just like a backdoor; is placed by an attacker to maintain persistent access

Worm

Acts like a virus but can self-replicate

Salting

Adding random data into a one-way cryptographic hash to help protect against password cracking techniques

Privacy Act of 1974

Affects U.S. government computer systems that collect, store, use, or disseminate personally identifiable information

Non-Disclosure Agreement (NDA)

Agreement between two parties that defines what data is considered confidential and cannot be shared outside of the relationship; it is a binding contract

0 =

All Users (no access) in Linux

Implicit Deny

All access to a resource should be denied by default and only be allowed when explicitly stated

revoked

All of a CA's certificates must be ______ if it is compromised

Full Backup

All of the contents of a drive are backed up

OCSP Stapling

Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake

Redundant Array of Independent Disks (RAID)

Allows the combination of multiple physical hard disks into a single logical hard disk drive that is recognized by the operating system

Near Field Communication (NFC)

Allows two devices to transmit information when they are within close range through automated pairing and transmission; devices are operated within 4 cm of each other

SIM Cloning

Allows two phones to utilize the same service and allows an attacker to gain access to the phone's data; SIM v1 cards were easy to clone but newer SIM v2 cards are much harder

Locally Shared Object (LSO)

Also known as Flash cookies, they are stored in your Windows user profile under the Flash folder inside of your AppData folder; used by Adobe Flash

network-based IDS

An IDS system that primarily uses passive hardware sensors to monitor traffic on a specific segment of the network.

host-based IDS

An IDS system that primarily uses software installed on a specific host such as a web server.

network security

An IPS, proper firewall configs, network segmentation, and firmware updates are the keys to having ______

OVAL Language

An XML schema used to define and describe the information being created by OVAL to be shared among the various programs and tools

Mandatory Access Control (MAC)

An access control policy where the computer system determines the access control for an object; the computer chooses the permissions

Role-Based Access Control (RBAC)

An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level

Attribute-Based Access Control (ABAC)

An access model that is dynamic and context-aware using IF-THEN statements

Service-Level Agreement (SLA)

An agreement concerned with the ability to support and respond to problems within a given timeframe and continuing to provide the agreed upon level of service to the user; may promise 99.999% uptime

Interconnection Security Agreement (ISA)

An agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet

Hardware Security Module (HSM)

An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage

Reverse Proxy

An appliance positioned at the cloud network edge that directs traffic to cloud services if the contents of that traffic comply with policy; warning: this approach can only be used if the cloud application has proxy support

Artificial Neural Network (ANN)

An architecture of input, hidden, and output layers that can perform algorithmic analysis of a dataset to achieve outcome objectives; a machine learning system adjusts its neural network to reduce errors and optimize objectives

VM Escape

An attack that allows an attacker to break out of a normally isolated VM by interacting directly with the hypervisor

Reidentification

An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method used is

Cross-Site Scripting (XSS)

An attack that injects scripts into a Web application server to direct attacks at clients.

Driver Manipulation

An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level

Ping of Death

An attack that sends an oversized and malformed packet to another computer or server

Kerberos

An authentication protocol used by Windows to provide for two-way (mutual) authentication using a system of tickets; Port 88; A domain controller can be a single point of failure for this

sn1per

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network

Runbook

An automated version of a playbook that leaves clearly defined interaction points for human analysis

Backup Generator

An emergency power system used when there is an outage of the regular electric grid power

Redundant Power Supply

An enclosure that provides two or more complete power supplies; mitigates a single point of failure

Homomorphic Encryption

An encryption method that allows calculations to be performed on data without decrypting it first; _______ can be used for privacy-preserving outsourced storage and computation

Pretty Good Privacy

An encryption program used for signing, encrypting, and decrypting emails; the IDEA algorithm is used; symmetric functions use 128-bit or higher keys and the asymmetric functions use 512-bit to 2048-bit key sizes

Whole Disk Encryption

An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

Public Key Infrastructure (PKI)

An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption

Crossover Error Rate (CER)

An equal error rate (EER) where the false acceptance rate and false rejection rate are equal; measures the effectiveness of a biometric system

Magnitude of Impact or risk impact

An estimation of the amount of damage that a negative risk might achieve

Unified Extensible Firmware Interface (UEFI)

An interface between firmware on the motherboard and the operating system and improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads.

ISO 31000

An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions

Certificate Revocation List (CRL)

An online list of digital certificates that the certificate authority has revoked

Cuckoo

An open source software for automating analysis of suspicious files

OpenID

An open standard and decentralized protocol that is used to authenticate users in a federated identity management system; the user logs into an Identity Provider (IP) and uses their account at Relying Parties (RP); is easier to implement than SAML, but SAML is more efficient than this

Graylog

An open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps

supply chain assessment

An organization must ensure that the operation of every element (hardware, firmware, driver, OS, and application) is consistent and tamper resistant to establish a trusted computing environment

DevOps

An organizational culture shift that combines software development and systems operations by referring to the practice of integrating the two disciplines within a company; operations and developers can build, test, and release software faster and more reliably

Rogue Access Point

An unauthorized WAP or Wireless Router that allows access to the secure network; To prevent this, you should enable MAC filtering on the network, network access control, and run a good IDS or IPS on your network that can detect or prevent these devices when they initially try to connect.

Sag

An unexpected decrease in the amount of voltage provided

Surge

An unexpected increase in the amount of voltage provided

Dynamic Analysis

Analysis and testing of a program occurs while it is being executed or run

volatility

Analysts should always follow the order of _______ when collecting evidence

Anomaly-based

Analyzes the current traffic against an established baseline and triggers an alert if outside the statistical average

Apple

Android updates are a bit complicated: Google creates the patches for vulnerabilities found and passes them to the manufacturers, who have modified the base code somehow, so the Android user gets their updates from their manufacturer 3 or 4 months later. That said, ______ is more secure than Android devices

Insecure Components

Any code that is used or invoked outside the main program development process; examples include code reuse, third-party libraries, and software development kits (SDKs)

Sensitive Data

Any information that can result in a loss of security, or loss of advantage to a company, if accessed by unauthorized persons

Never Trust User Input

Any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application

Shellcode

Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code (use this definition for the exam)

Unnecessary Ports

Any port that is associated with a service or function that is non-essential to the operation of your computer or network

Insufficient Logging and Monitoring

Any program that does not properly record or log detailed enough information for an analyst to perform their job; must support your use case and answer who, what, when, where, and how

Physical Controls

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

disabled

Any services that are unneeded should be _______ in the OS

Snowflake Systems

Any system that is different in its configuration compared to a standard template within an infrastructure as code architecture; lack of consistency leads to security issues and inefficiencies in support

identifies

Anything that uniquely ________ a user or system can be spoofed

Trojan

Appears to do a desired function but also does something malicious

LDAP

Application layer protocol for accessing and modifying directory services data (Active Directory uses it)

Authenticity and Integrity

Applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user

Input Validation

Applications verify that information received from a user matches a specific format or range of values

Armored

Armored viruses have a layer of protection to confuse a program or person analyzing it

RSA (Rivest, Shamir, and Adleman)

Asymmetric algorithm that relies on the mathematical difficulty of factoring large numbers that are the product of two primes; is widely used for key exchange, encryption, and digital signatures; can use key sizes of 1024-bits to 4096-bits

Public Key Cryptography

Asymmetric algorithms are also known as ____; they provide confidentiality, integrity, authentication, and non-repudiation; two keys are used

Fork Bomb

Attack that creates a large number of processes to use up the available processing power of a computer

Domain Name Kiting

Attack that exploits a loophole in the registration process for a domain name, keeping the domain name in limbo so that it cannot be registered by a legitimate buyer

ARP Poisoning

Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network; Allows an attacker to essentially take over any sessions within the LAN

WiFi Disassociation Attack

Attack that targets an individual client connected to a network, forces it offline by deauthenticating it, and then captures the handshake when it reconnects; used as part of an attack on WPA/WPA2

Clickjacking

Attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page

switch spoofing

Attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN

Smurf Attack

Attacker sends a ping to the subnet broadcast address with a spoofed source IP (the victim server), and all devices reply to the victim, using up its bandwidth and processing

Hoax

Attempt at deceiving people into believing that something is false when it is true (or vice versa)

Rubber Hose Attack

Attempt to crack a password by threatening or causing a person physical harm in order to make them tell you the password

DOM-based XSS

Attempt to exploit the victim's web browser

MAC Flooding

Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port; switches can fail open when flooded and begin to act like a hub, compromising confidentiality

Network Intrusion Detection Systems

Attempts to detect, log, and alert on malicious network activities; uses promiscuous mode to see all network traffic on a segment

Stored/Persistent XSS

Attempts to get data provided by the attacker to be saved on the web server by the victim

Reflected XSS

Attempts to have a non-persistent effect activated by a victim clicking a link on the site

Network Intrusion Prevention Systems

Attempts to remove, detain, or redirect malicious traffic; should be installed in-line with the network traffic flow; can also perform functions as a protocol analyzer

Caching Proxy

Attempts to serve client requests by delivering content from itself without actually contacting the remote server

Security Assertion Markup Language (SAML)

Attestation model built upon XML used to share federated identity management information between systems

Challenge-Handshake Authentication Protocol (CHAP)

Authentication scheme that is used in dial-up connections

Motivation Factors of Social Engineering

Authority, urgency, social proof, scarcity, likeability, fear

WiFi Protected Setup (WPS)

Automated encryption setup for wireless networks at the push of a button, but is severely flawed and vulnerable; always disable WPS

light

Because fiber optic cables work with _____ instead of electricity, there's no radiation outside of the cable, and they're not affected by EMI or radio frequency either.

Improve detection capabilities, integrate intelligence, reduce the attack surface, block attack vectors, identify critical assets

Benefits of threat hunting (5)

Data Classification

Category based on the value to the organization and the sensitivity of the information if it were to be disclosed

Stealth

Category of virus that uses various techniques to avoid detection by antivirus software; encrypted, polymorphic, and metamorphic viruses are examples of this category

RADIUS

Centralized administration system for dial-up, VPN, and wireless authentication that uses either ports 1812/1813 (UDP) or 1645/1646 (UDP)

Mobile Device Management (MDM)

Centralized software solution for remote administration and configuration of mobile devices; can prevent certain applications from being installed on the device

Mobile Device Management (MDM)

Centralized software solution that allows system administrators to create and enforce policies across its mobile devices

Atomic Execution

Certain operations that should only be performed once or not at all, such as initializing a memory location

TACACS+

Cisco's proprietary version of RADIUS that provides separate authentication and authorization functions over port 49 (TCP)

This includes insecure APIs, improper key management, improper logging and monitoring, and unprotected storage.

Cloud Threats

Cloud DLP System

Cloud software as a service that protects data being stored in cloud services

buckets or blobs

Cloud storage containers are referred to as ___ or _____

Logs

Cloud threat: ______ must be copied to non-elastic storage for long-term retention

Cloud-based vulnerability scans

Cloud-based ________ ________ can better provide the attacker's perspective

Backdoors

Code placed in computer programs to bypass normal authentication and other security mechanisms

Virus

Code that infects a computer when a file is opened or executed

ELK/Elastic Stack

Collection of free and open-source SIEM tools that provides storage, search, and analysis functions: Elasticsearch (query/analytics), Logstash (log collection/normalization), Kibana (visualization), and Beats (endpoint collection agents); may be installed locally or as a cloud-based solution

Unified Threat Management

Combination of network security devices and technologies to provide more defense in depth within a single device; may include a firewall, NIDS/NIPS, content filter, anti-malware, DLP, and VPN; is also known as a Next Generation Firewall (NGFW)

Uninterruptible Power Supply (UPS)

Combines the functionality of a surge protector with that of a battery backup

System Virtual Machine

Complete platform designed to replace an entire physical computer and includes a full desktop/server operating system

active

Configure your browsers to prevent ActiveX controls, Java applets, JavaScript, Flash, and other _______ content

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

Cryptographic protocols that provide secure Internet communications for web browsing, instant messaging, email, VoIP, and many other services; We already covered how TLS works in the PKI lesson

Data in Use

Data that is undergoing constant change

Acceptable Use Policy

Defines the rules that restrict how a computer, network, or other systems may be used

Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

root or jailbreak

Do not ____ or _____ your devices

full

Do not create one key with ______ control to access an application's functions

default

Don't allow Bluetooth devices to use _______ PINs for pairing

Encryption

Electronic key; ensures confidentiality

Geotagging

Embedding of the geolocation coordinates into a piece of data (e.g., a photo)

636

Port used by encrypted LDAP (LDAP over SSL/TLS)

lower

Encryption adds security but has ______ performance

Symmetric Algorithm (Private Key)

Encryption algorithm in which both the sender and the receiver must know the same secret using a privately-held key; confidentiality can be assured with symmetric encryption; key distribution can be challenging with symmetric encryption

Asymmetric Encryption (Public Key)

Encryption algorithm where different keys are used to encrypt and decrypt the data

Data Encryption Standard (DES)

Encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create ciphertext using an effective key strength of only 56 bits; used to be the standard for encryption

Triple DES (3DES)

Encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES

patched and updated

Ensure your mobile device is _____________

Cloud Access Security Broker (CASB)

Enterprise management software designed to mediate access to cloud services by users across all types of devices; provides visibility into how clients and other network nodes use cloud services

Annualized Loss Expectancy (ALE)

Expected cost of a realized threat over a given year

Hijacking

Exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server

Administrative Controls

Focused on changing the behavior of people instead of removing the actual risk involved

Recovery

Focused on data restoration, system repair, and re-enabling any servers or networks taken offline during the incident response

Identification

Forensic procedure step in which you ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected

security policies

Geotagging should be considered when developing your organization's _____ _________

counterfeited or compromised

Greater risk of inadvertently obtaining _____ or ______ devices when purchasing from second-hand or aftermarket sources

recreate the events

HIDS logs are used to _______ _______ _______ after an attack has occurred; transfer the syslog output to a separate centralized location

Organized Crime

Hackers who are part of a crime group that is well-funded and highly sophisticated

Blue Hats

Hackers who attempt to hack into a network with permission of the company but are not employed by the company

Gray Hats

Hackers without any affiliation to a company who attempt to break into a company's network but risk the law by doing so

not

Hard drives, files, or applications are ____ accessible anymore; one of the symptoms of infection

risk

Hardening: we are not guaranteed security, but we can minimize the ____

Public Data

Has no impact to the company if released and is often posted in the open-source environment.

Confidential Data

Highest classification level that contains items such as trade secrets, intellectual property data, source code, and other types that would seriously affect the business if disclosed

Network Zones

Home, Work, and Public; the system enables and disables features depending on which zone it is in

Bastion Hosts

Hosts or servers in the DMZ which are not configured with any services that run on the local network

Dropper or downloader, maintain access, strengthen access, actions on objectives, concealment

How does an APT use modern malware to operate? (5)

copy

If you _____a folder, then permissions are inherited from the parent folder it is copied into

audit

It is important to ______ the client's status after patch deployment

incident response team

Key people that are available to respond to any incident that meets the severity and priority thresholds set out by the incident response plan: Incident Response Manager, Security Analyst, Triage Analyst, Forensic Analyst, Threat Researcher, Cross-functional Support

1701 UDP

L2TP

389 TCP/UDP

LDAP

636 TCP/UDP

LDAP SSL/TLS

Application Layer

Layer from which the message is created, formed, and originated; Consists of high-level protocols like HTTP, SMTP, and FTP

Defense in Depth

Layering of security controls is more effective and secure than relying on a single control

True negative

Legitimate activity is identified as legitimate traffic

patch management

Linux and OS X also have built-in ________ _________ systems

md5sum, sha1sum, sha256sum, sha512sum

Linux tools you can use to calculate a hash value

Rainbow Table

List of precomputed hash values used to break a password more quickly, since the hashes don't have to be calculated for each password being guessed

standard tools and processes

Living off the land: exploit detection is more difficult when attackers execute malicious code within _____ _______ and _______

Secure Coding Standards

Logic bombs and Easter eggs should not be used according to ____ ____ _____

Technical Controls

Logical controls that are put into a system to help secure it

VLANs

Logically separate networks within networks.

archived and backed

Logs should be _________ and ________ up to ensure they are available when required

Application Logs

Logs the events for the operating system and third-party applications

System Logs

Logs the events such as a system shutdown and driver failures

Security Logs

Logs the events such as successful and unsuccessful user logins to the system

Data Backup

Maintaining a good backup is crucial to disaster recovery

False negative

Malicious activity is identified as legitimate traffic

Logic Bomb

Malicious code that has been inserted inside a program and will execute only when certain conditions have been met

Viruses

Malicious code that runs on a machine without the user's knowledge and infects the computer when executed

Black Hats

Malicious hackers who break into computer systems and networks without authorization or permission

Trojan Horse

Malicious software that is disguised as a piece of harmless or desirable software

Worm

Malicious software that, like a virus, infects a machine but is able to replicate itself without user interaction

Dropper

Malware designed to install or run other types of malware embedded in a payload on an infected host

Watering holes

Malware is placed on a website that you know your potential victims will access

Ransomware

Malware that restricts access to a victim's computer system until a ransom is received

Hypervisors

Manages the distribution of the physical resources of a host machine (server) to the virtual machines being run (guests)

Session Layer

Manages the establishment, termination, and synchronization of a session over the network

implement

Manually or automatically deploy the patch to all your clients to ________ it

anti-malware suites

Many ____________ _____ also contain software firewalls

evidence

Many forensics tools can generate a timeline based on your _________

Mean Time Between Failures (MTBF)

Measures the average time between failures of a device

Mean Time To Repair (MTTR)

Measures the average time it takes to repair a network device when it breaks

timeliness, relevancy, accuracy and confidence levels

Measuring quality of intelligence

Attack Vector

Method used by an attacker to gain access to a victim's machine in order to infect it with malware; how the attacker gets into the machine and infects it, for example by download and installation

Address Space Layout Randomization

Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits

Security Controls

Methods implemented to mitigate a particular risk

hybrid

Monitoring methods may be combined into a ____ approach in some IDS/IPS systems

Anti-Tamper

Methods that make it difficult for an attacker to alter the authorized execution of software; mechanisms include a field programmable gate array (FPGA) and a physically unclonable function (PUF)

Signature-based, anomaly-based, behavior-based

Monitoring Types

fileless

Most modern malware uses _______ techniques to avoid detection by signature-based security software

RAID arrays

NAS systems often implement ____ _______ to ensure high availability

management, operational, and technical

NIST security control categories

119 TCP

NNTP

Storage Area Network (SAN)

Network designed specifically to perform block storage functions that may consist of NAS devices

User Education

Never share authentication information; Train users how to encrypt emails and data; Follow organizational data handling and disposal policies

REST or SOAP (Simple Object Access Protocol)

These APIs commonly use either _____ or _____ as their frameworks.

Annualized Rate of Occurrence (ARO)

Number of times per year that a threat is realized

System Failure

Occurs when a computer crashes or an individual application fails

Buffer Overflow

Occurs when a process stores data outside the memory range allocated by the developer; over 85% of data breaches were caused by this; an attempt to put more data into a buffer than it is designed to hold

Key Escrow

Occurs when a secure copy of a user's private key is held in case the user accidentally loses their key

Crosstalk

Occurs when a signal transmitted on one copper wire creates an undesired effect on another wire in very close proximity; it also happens if you use older punch-down blocks, like the old 66 blocks that were used for phone lines, for network cabling

Privilege Escalation

Occurs when a user is able to gain the rights of another user or administrator

Privilege Elevation

Occurs when a user is able to grant themselves the ability to run functions as a higher-level user

Authorization

Occurs when a user is given access to a certain piece of data or certain areas of a building

Unauthorized Access

Occurs when access to computer resources and data occurs without the consent of the owner

Blind Hijacking

Occurs when an attacker blindly injects data into the communication stream without being able to see if it is successful or not

Brute Force Attack

Occurs when an attacker continually guesses a password until the correct one is found; will always find the password eventually

Cross-Site Scripting (XSS)

Occurs when an attacker embeds malicious scripting commands on a trusted website

"Smash the Stack"

Occurs when an attacker fills up the buffer with NOPs (no-operation instructions) so that the return address may hit a NOP and continue until it finds the attacker's code to run

Cross-Site Request Forgery (XSRF/CSRF)

Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated

Remote Code Execution (RCE)

Occurs when an attacker is able to execute or run commands on a remote computer

Arbitrary Code Execution

Occurs when an attacker is able to execute or run commands on a victim computer

MAC Spoofing

Occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device

Spoofing

Occurs when an attacker masquerades as another person by falsifying their identity

Pivot

Occurs when an attacker moves onto another workstation or user account

IV Attack

Occurs when an attacker observes the operation of a cipher being used with several different keys and finds a mathematical relationship between those keys to determine the clear text data; This happened with WEP and makes it easy to crack

Pharming

Occurs when an attacker redirects one website's traffic to another website that is bogus or malicious

Unauthorized zone transfers

Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks

TCP/IP Hijacking

Occurs when an attacker takes over a TCP session between two computers without the need of a cookie or other host access

Watering Hole

Occurs when malware is placed on a website that the attacker knows his potential victims will access

Propagation

Occurs when permissions are passed to a subfolder from the parent through inheritance

DNS Poisoning

Occurs when the name resolution information is modified in the DNS server's cache; if the cache is poisoned, then the user can be redirected to a malicious website

Brownout

Occurs when the voltage drops low enough that it typically causes the lights to dim and can cause a computer to shut off

Blackout

Occurs when there is a total loss of power for a prolonged period

Collision

Occurs when two different inputs to a hash create an identical hash digest output

Job Rotation

Occurs when users are cycled through various jobs to learn the overall operations better, reduce their boredom, enhance their skill level, and most importantly, increase our security; helps the employee become more well-rounded and learn new skills; also helps the organization identify theft, fraud, and abuse of position

Virtualization Sprawl

Occurs when virtual machines are created, used, and deployed without proper management or oversight by the system admins

Privilege Escalation

Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn't able to access

anti-spam

One of the most effective forms of Security as a Service solutions is found in the form of _______ products. These products allow all of the organization's email to be routed through this cloud server first in order to detect any malware or ______. Any suspect emails are placed in a quarantine area that's accessible through a web browser by the local administrator for review and possible release to the end user.

Application Whitelist

Only applications that are on the list are allowed to be run by the operating system while all other applications are blocked

Differential Backup

Only conducts a backup of the contents of a drive that have changed since the last full backup; takes more time to create but less time to restore

Trusted Third-Party

Organizations are able to place their trust in a single third-party (also called the bridge model); is more efficient than a cross certification or web of trust model

Wired Equivalent Privacy

Original 802.11 wireless security standard that claims to be as secure as a wired network; not as secure; its weakness is its 24-bit IV (Initialization Vector)

7

Octal permission value that gives the owner read, write, and execute (RWX) in Linux

dial-up

PAP and CHAP used mostly with ______

not

PKI and public key encryption are related but they are ___ the same thing

public key cryptography

PKI is the entire system and just uses ________ to function

110 TCP

POP3

995 TCP

POP3 (SSL/TLS)

1723 TCP/UDP

PPTP

One-Time Passwords

Passwords created to be used only once. Because it's used only once, there's little risk of the password being reused even if an attacker is able to capture it while it is transmitted.

salted

Passwords not "______" with a random value make the ciphertext vulnerable to rainbow table attacks.

Baselining, baseline reporting, security posture

Performance Baselining

Permissions in Windows

Permissions are assigned to Owners (U), Groups (G), and All Users (O or A)

User Rights

Permissions assigned to a given user

Pharming

Phishing attempt to trick a user into accessing a different or fake website (usually by modifying the hosts file)

Smishing

Phishing conducted over text messaging (SMS)

Vishing

Phishing conducted over voice and phone calls

Hardware Security Module (HSM)

Physical devices that act as a secure cryptoprocessor during the encryption process

Dry Pipe Sprinkler System

Pipes are filled with pressurized air, and water is pushed into the pipes only when needed to combat a fire

Wet Pipe Sprinkler System

Pipes are filled with water all the way to the sprinkler head and are just waiting for the bulb to be melted or broken

Well-Known Ports

Ports 0 to 1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)

Registered Ports

Ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols

Dynamic or Private Ports

Ports 49,152 to 65,535 can be used by any application without being registered with IANA

65,535

Ports can be any number between 0 and _____

Vulnerability Management

Practice of finding and mitigating the vulnerabilities in computers and networks

tokens, encryption, XML file scanning, and cookie verification

Prevent XSRF with these 4 ways

output encoding and proper input validation

Prevent XSS with ___ ____ and proper _____ _______

configuration and network segmentation

Prevent split tunneling through proper

User Account Control

Prevents unauthorized access and avoids user error in the form of accidental changes

Least Functionality

Process of configuring a workstation or server to only provide essential applications and services

Fire Suppression

Process of controlling and/or extinguishing fires to protect an organization's employees, data, equipment, and buildings

Encryption

Process of converting ordinary information (plaintext) into an unintelligible form (ciphertext); protects data at rest, data in transit, or data in use

Baselining

Process of measuring changes in networking, hardware, software, and applications

Baselining

Process of measuring changes in the network, hardware, and software environment

Patch Management

Process of planning, testing, implementing, and auditing software patches

Identification

Process of recognizing whether an event that occurs should be classified as an incident

Context-aware Authentication

Process to check the user's or system's attributes or characteristics prior to allowing it to connect; restricts authentication based on the time of day or location

User Access Recertification

Process where each user's rights and permissions are revalidated to ensure they are correct

Intel

Processor vendor whose chips provide Trusted Execution Technology (TXT) and Software Guard Extensions (SGX)

Incident Management Program

Program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those security events: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

chmod

Program in Linux that is used to change the permissions or rights of a file or folder using a shorthand number system

authentication

Proper _________ is used to detect and prevent spoofing

Timeliness

Property of an intelligence source that ensures it is up-to-date

Relevancy

Property of an intelligence source that ensures it matches the use cases intended for it

Accuracy

Property of an intelligence source that ensures it produces effective results; eliminating false positives

Confidence Levels

Property of an intelligence source that ensures it produces qualified statements about reliability

General Data Protection Regulation (GDPR)

Proposed set of regulations adopted by the European Union to protect Internet users from clandestine tracking and unauthorized personal data usage.

port 1646

Authorization port used by the proprietary variation of RADIUS

War Dialing

Protect dial-up resources by using the callback feature

Fault-tolerant RAID

Protects against the loss of the array's data if a single component fails (RAID 1, RAID 5, RAID 6)

Fault-resistant RAID

Protects against the loss of the array's data if a single disk fails (RAID 1 or RAID 5)

Infrastructure as a Service (IaaS)

Provides all the hardware, operating system, and backend software needed in order to develop your own software or service

Remote Authentication Dial-In User Service (RADIUS)

Provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and the Extensible Authentication Protocol (EAP); operates at the application layer; authenticates users, authorizes them to services, and accounts for their usage of those services

Structured Exception Handling (SEH)

Provides control over what the application should do when faced with a runtime or syntax error

RAID 0

Provides data striping across multiple disks to increase performance

EAP-FAST

Provides flexible authentication via secure tunneling (FAST) by using a protected access credential instead of a certificate for mutual authentication

Encapsulating Security Payload (ESP)

Provides integrity, confidentiality, and authenticity of packets by encapsulating and encrypting them

RAID 1

Provides redundancy by mirroring the data identically on two hard disks

RAID 6

Provides redundancy by striping and double parity data across the disk drives

RAID 5

Provides redundancy by striping data and parity data across the disk drives

Help America Vote Act (HAVA) of 2002

Provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process

Remote Access Trojan (RAT)

Provides the attacker with remote control of a victim computer and is the most commonly used type of Trojan

Disaster-tolerant RAID

Provides two independent zones with full access to the data (RAID 10)

Platform as a Service (PaaS)

Provides your organization with the hardware and software needed for a specific service to operate

Security as a Service (SECaaS)

Provides your organization with various types of security services without the need to maintain a cybersecurity staff; anti-malware solutions were one of the first _____ products; there are downsides to using this approach, the main one being that it is highly reliant on a good Internet connection

wireless

RFI causes more problems for _______ networks

135 TCP/UDP

RPC/DCOM-scm

False Acceptance Rate (FAR)

Rate that a system authenticates a user as authorized or valid when they should not have been granted access to the system

False Rejection Rate (FRR)

Rate that a system denies a user as authorized or valid when they should have been granted access to the system

Windows Update

Recommended update to fix a noncritical problem that users have found, as well as to provide additional features or capabilities

Remote Wipe

Remotely erases the contents of the device to ensure the information is not recovered by the thief

Clearing

Removal of data with a certain amount of assurance that it cannot be reconstructed

Identify symptoms of a malware infection; quarantine the infected systems; disable System Restore (if using a Windows machine); remediate the infected system; schedule automatic updates and scans; enable System Restore and create a new restore point; provide end user security awareness training; if a boot sector virus is suspected, reboot the computer from an external device and scan it

Removing Malware (8)

WiFi Protected Access (WPA)

Replacement for WEP which uses TKIP, Message Integrity Check (MIC), and RC4 encryption; was flawed, so it was replaced by WPA2

Remote Lock

Requires a PIN or password before someone can use the device; part of Apple's Find My iPhone features

Federal Information Security Management (FISMA) Act of 2002

Requires each agency to develop, document, and implement an agencywide information systems security program to protect their data

Separation of Duties

Requires more than one person to conduct a sensitive task or operation; can be implemented by a single user with a user and admin account

Stack

Reserved area of memory where the program saves the return address when a function call instruction is received

difficult

Rootkits are activated before booting the operating system and are ________ to detect

Port Address Translation (PAT)

Router keeps track of requests from internal hosts by assigning them random high number ports for each request

maintenance

SDLC final phase; involves bug fixes, patches, and updates, and training your end users in using the system

testing

SDLC phase where we take the code and ____ each application and system using different testing techniques

integration

SDLC phase where the application is integrated into the larger network environment, focusing on the end-to-end service to ensure that each part can communicate effectively; connecting to the outside world.

Deployment

SDLC phase where your application is moved to the production environment, where end users can utilize it to perform their work

Software/ System Design

SDLC phase where the application is defined, outlined, and diagrammed in detail; focuses on the final input and output

Planning, Software/System Design, Implementation, Testing, Integration, Deployment and Maintenance

SDLC phases PSITIDM

Use passwords to protect the contents of your documents; digital signatures and digital certificates are used by MS Outlook for email security

Securing Applications

Limit connectivity between the virtual machine and the host; remove any unnecessary pieces of virtual hardware from the virtual machine; use proper patch management to keep your guest's operating system secure

Securing VMs (3)

Network Access Control (NAC)

Security technique in which devices are scanned to determine their current state prior to being allowed access onto a given network; can be implemented as a hardware or software solution

Bluejacking

Sending of unsolicited messages to Bluetooth-enabled devices such as mobile phones and tablets; sends information

administrative

Separation of Duties is a preventative type of _______ control

Technical Controls

Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication

Anti-virus (AV)

Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and others

Security Update

Software code that is issued for a product-specific security-related vulnerability

Rootkits

Software designed to gain administrative level control over a system without detection

Malware

Software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent

Agile

Software development is performed in time-boxed or small increments to allow more adaptivity to change

Storage DLP systems

Software installed on servers in the datacenter to inspect the data at rest

Data Historian

Software that aggregates and catalogs data from multiple sources within an industrial control system

Agents

Software that is loaded on a managed device to redirect information to the network management system

VPN Concentrator

Specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers

cloud

Specialized security services from _____ providers can stop DDoS attacks

Extranet

Specialized type of DMZ that is created for your partner organizations to access over a wide area network

White Team

Staff administering, evaluating, and supervising a penetration test or incident response exercise

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives

Stages of Kill Chain (RWDEICA)

X.509

Standard used by PKI for digital certificates; contains the owner/user's information and the certificate authority's information

Protected EAP (PEAP)

Supports mutual authentication by using server certificates and Microsoft's Active Directory to authenticate a client's password

Rivest Cipher (RC4)

Symmetric stream cipher using a variable key size from 40 bits to 2048 bits that is used in SSL and WEP; exam tip: ___ is the only stream cipher covered

Data Loss Prevention

Systems designed to protect data by conducting content inspection of data being sent out of the network; also called Information Leak Protection (ILP) or Extrusion Prevention Systems (EPS); used to ensure your private data remains secure

Premise Systems

Systems used for building automation and physical access security; many system designs allow the monitoring to be accessible from the corporate data network or even directly from the Internet

Windows 7 (and newer), Mac OS X 10.6 (and newer), FreeBSD (TrustedBSD), Red Hat Enterprise Server

TOS

Ransomware

Takes control of your computer or data unless you pay

Removable media controls

Technical limitations placed on a system with regard to the use of USB storage devices and other removable media; also create administrative controls such as policies

Masquerading, DLL injection, DLL sideloading, Process hollowing

Techniques of Code injection

Write Once Read Many (WORM)

Technology like a DVD-R that allows data to be written only once but read unlimited times

Telephony

Term used to describe devices that provide voice communication to users

Cookies

Text files placed on a client's computer to store information about the user's browsing habits, credentials, and other data

Trusted Execution

The CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running

Lock picking

The art of unlocking a lock without a key.

Weaponization

The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system

Reconnaissance

The attacker determines what methods to use to complete the phases of the attack

Delivery

The attacker identifies a vector by which to transmit the weaponized code to the target environment

Actions on Objectives

The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

Orchestration

The automation of multiple steps in a deployment process; is the automation of the automations

Legal

The business's or organization's legal counsel is responsible for mitigating risk from civil lawsuits

Secure Enclave

The extensions allow a trusted process to create an encrypted container for sensitive data

Single Point of Failure

The individual elements, objects, or parts of a system that would cause the whole system to fail if they were to fail

Work Recovery Time (WRT)

The length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event

Recovery Time Objective (RTO)

The length of time it takes after an event to resume normal business operations and activities

Maximum Tolerable Downtime (MTD)

The longest period of time a business can be inoperable without causing irrevocable business failure; sets the upper limit on the recovery time that system and asset owners need to resume operations

Data Acquisition

The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk

Basic Encoding Rules (BER)

The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized

Hardware Source Authenticity

The process of ensuring that hardware is procured tamper-free from trustworthy suppliers

Artificial Intelligence (AI)

The science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention

Key

The strength of an encryption system lies in the ___ strength; the ___ must be securely stored; periodically change your ____

Identity Fraud

The use by one person of another person's personal information, without authorization, to commit a crime or to deceive or defraud that other person or a third person; involves stealing another person's identity and using it as your own

Command & Control (C2)

The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack

Exploitation

The weaponized code is executed on the target system by this mechanism

services.msc

This command opens the Services window; in this window, services can be started, stopped, restarted, enabled, and disabled

DAC is Discretionary Access Control

This is an access control policy that's determined by the owner.

Service orchestration

This is going to be used to deploy services into cloud environments.

Resource orchestration

This is to provision and allocate resources within a cloud environment or other solution.

white-box test

This means they'll give them some kind of information about the network, usually IP addresses, the types of servers being run, maybe the software, and sometimes, even a basic standard user account.

explicit, implicit

Threat feeds are a form of _____ knowledge, but ______ knowledge from experienced practitioners is also useful

resources and time

Threat hunting consumes a lot of _______ and _______ to conduct, but can yield a lot of benefits

regular

Threat hunting relies on the usage of the tools developed for ________ security monitoring and incident response

Proprietary

Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee; providers that merely repackage information from other sources without providing their own data are not nearly as useful

risk analysis

is conducted before a business impact analysis; otherwise, the threats would not yet have been identified.

Towers of Hanoi

Three sets of backup tapes (like the grandfather-father-son) that are rotated in a more complex system

WiFi Protected Access 2 (WPA2)

is the highest level of wireless security

Certificate revocation

lists track the serial numbers of revoked PKI certificates.

Cloud-based infrastructure

must be configured to provide the same level of security as a local solution

Single-sided certificates

only require the server to be validated

Software Development Life Cycle

organized process of developing a secure application throughout the life of the project

reimage

removal of a rootkit is difficult and the best plan is to _________ the machine

Web servers

should be placed in your DMZ

Legal Hold

A process designed to preserve all relevant information when litigation is reasonably expected to occur; a computer or server could be seized as evidence; appoint a liaison with legal knowledge and expertise who can be the point of contact with law enforcement; analysis must be performed without bias; analysis methods must be repeatable by third parties; evidence must not be changed or manipulated

Remote Desktop Protocol

Microsoft's proprietary protocol that allows administrators and users to remotely connect to another computer via a GUI; doesn't provide authentication natively; port 3389

Community Cloud

Resources and costs are shared among several different organizations who have common service needs

Advanced Encryption Standard (AES)

Symmetric block cipher that uses 128-bit, 192-bit, or 256-bit blocks and a matching encryption key size to encrypt plaintext into ciphertext; is the standard for encrypting sensitive U.S. Government data

jumpbox

To configure devices in the DMZ, a _____ is utilized

Weak or Default Configurations

Any program that uses ineffective credentials or configurations, or one in which the defaults have not been changed for security; many applications choose to simply run as root or as a local admin; permissions may be too permissive on files or directories due to weak configurations

encryption and authentication

Basic security controls like ____ and ______ are not included by default within syslog

System and Processor Virtual Machines

2 VM Types

perimeter, building, and the room itself.

3 areas of Physical security

Proprietary, closed source, open source

3 types of intelligence or where you can find information

journalctl

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux

IPSec

A TCP/IP protocol that authenticates and encrypts IP packets, effectively securing communications between computers and devices using this protocol; provides confidentiality (encryption), integrity (hashing), and authentication (key exchange)

dd

A command line utility used to copy disk images using a bit-by-bit copying process

Quantum Computing

A computer that uses quantum mechanics to generate and manipulate quantum bits (qubits) in order to access enormous processing powers

Electromagnetic Interference (EMI)

A disturbance that can affect electrical circuits, devices, and cables due to radiation or electromagnetic conduction

Diamond Model of Intrusion Analysis

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim

Extensible Authentication Protocol (EAP)

A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure

Scam

A fraudulent or deceptive act or operation

Hash

A function that converts an arbitrary length string input to a fixed length string output

Mimikatz

A penetration testing tool used to automate the harvesting of hashes and conducting the Pass the Hash attack

Next-gen SIEM

A security information and event monitoring system with an integrated SOAR; scans security/threat data, analyzes it with ML, automates data enrichment, and provisions new resources

Public cloud

A service provider makes resources available to the end users over the Internet

Pseudo-Random Number Generator (PRNG)

A simulated random number stream generated by a computer that is used in cryptography, video games, and more; there is no such thing as a truly random number in computers

Honeypot

A single computer (or file, group of files, or IP range) that might be attractive to an attacker; are normally used in security research

Application Containerization

A single operating system kernel is shared across multiple virtual machines but each virtual machine receives its own user space for programs and data; containerization allows for rapid and efficient deployment of distributed applications; examples: Docker, Parallels Virtuozzo, OpenVZ

FTP Server

A specialized type of file server that is used to host files for distribution across the web; a ___ should be configured to require TLS connections

Risk Transfer

A strategy that passes the risk to a third party

tcpreplay

A suite of free open source utilities for editing and replaying previously captured network traffic

Data Loss Prevention (DLP)

A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.

File Integrity Monitoring (FIM)

A type of software that reviews system files to ensure that they have not been tampered with

Spam

Abuse of electronic messaging systems

System-Specific Policies

Address the security needs of a specific technology, application, network, or computer system

Type II

Addresses the operational effectiveness of the specified controls over a period of time (usually 9-12 months)

Virtual Private Network (VPN)

Allows end users to create a tunnel over an untrusted network and connect remotely and securely back into the enterprise network

encrypted channel (HTTPS)

An API must only be used over an _____

Man-in-the-Middle Attack

An attack where the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communication between the hosts

Ping Flood

An attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings)

Phishing

An attempt to fraudulently obtain information from a user (usually by email); is a more specific type of social engineering; is a generic category with specific techniques

Spear Phishing

An attempt to fraudulently obtain information from a user, usually by email that targets a specific individual

Legacy Systems

An old method, technology, computer system, or application program which includes an outdated computer system still in use

vulnerability

Any open port represents a possible _________ that might be exposed

Mantrap

Area between two doorways that holds people until they are identified and authenticated

Kerberos

Authentication protocol used in Windows to identify clients to a server using mutual authentication (uses tickets)

Trusted Platform Module (TPM)

Chip residing on the motherboard that contains an encryption key for BitLocker

Groups

Collection of users based on common attributes (generally work roles)

Malware infections, Watering holes

Common delivery methods of Threat and Attack vectors

Data Link Layer

Describes how a connection is established, maintained, and transferred over the physical layer and uses physical addressing (MAC addresses); Frames; e.g., MAC addresses, switches, and bridges

BYOD

Don't allow _______

anti-forensics

Droppers are likely to implement ____________ techniques to prevent detection and analysis

FileVault, BitLocker

Encryption software is most commonly used because it is more affordable than an SED

security policy

Ensure your organization has a good _____ _______ for mobile devices

patches and adopt

Ensure your web browser is up-to-date with ___________, but don't ___________ the newest browser immediately

Due Diligence

Ensuring that IT infrastructure risks are known and managed properly

Security Association (SA)

Establishment of secure connections and shared security information using certificates or cryptographic keys

Senior leadership

Executives and managers who are responsible for business operations and functional areas

Tabletop Exercise (TTX)

Exercise that uses an incident scenario against a framework of controls or a red team; is a discussion of simulated emergency situations and security incidents

Code Injection

Exploit technique that runs malicious code with the identification number of a legitimate process

Living Off the Land

Exploit techniques that use standard system tools and packages to perform intrusions

Analysis

Forensic procedure: create a copy of evidence for analysis and use repeatable methods and tools during analysis

Reporting

Forensic procedure: create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Collection

Forensic procedure: ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected

ICS and SCADA

HVAC systems may be connected to ____ and ______ networks

Hacktivists

Hackers who are driven by a cause like social change, political agendas, or terrorism

Advanced Persistent Threats

Highly trained and funded groups of hackers (often by nation states) with covert and open-source intelligence at their disposal

Transport Mode

Host-to-host transport mode only uses encryption of the payload of an IP packet but not its header; used for transmission between hosts on a private network

802.1x

IEEE standard that defines Port-based Network Access Control (PNAC) and is a data link layer authentication technology used to connect devices to a wired or wireless LAN

993 TCP

IMAP4 with SSL/TLS

SPAN

If you cannot configure a _____ port, then you can use a network tap

log files or monitoring tools

If you're dealing with software as a service, many times you're not going to have any ability to access ___ or ______

Profiling Threat Actors and Activities

Involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be

file system

Level of security of a system is affected by its ____ _____ type

datasets

Machine learning is only as good as the _______ used to train it

True positive

Malicious activity is identified as an attack

Replay Attack

Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated, or delayed

Altered Hosts File

Occurs when an attacker modifies the hosts file so the client bypasses the DNS server and is redirected to an incorrect or malicious website

Physical, data link, network, transport, session, presentation, application

Please do not throw sausage pizza away

Quality of Service (QoS)

Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.

Network Address Translation (NAT)

Process of changing an IP address while it transits across a router; Using this can help us hide our network IPs

4

R (Read) in Linux

Physical Layer

Represents the actual network cables and radio waves used to carry data over a network; Bits

Rely on Trusted SDKs

SDKs must come from trusted source to ensure no malicious code is being added

rootkit before

Scanners can detect a file containing a _________ _________ it is installed, but once installed, it is very hard to detect

Management Controls

Security controls that are focused on decision-making and the management of risk

Network DLP System

Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit

Network Management System (NMS)

Software running on one or more servers to control the monitoring of network-attached devices and computers

Network Attached Storage (NAS)

Storage devices that connect directly to your organization's network

International Data Encryption Algorithm (IDEA)

Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into ciphertext

Rivest Cipher (RC5)

Symmetric block cipher with a key size up to 2048-bits

100-1000x

Symmetric is ______ faster than asymmetric

Advanced Encryption Standard (AES)

Symmetric key encryption that supports 128-bit and 256-bit keys; used by both FileVault and BitLocker

514 UDP

Syslog

6514 TCP

Syslog over TLS

HVAC (Heating, Ventilation and Air Conditioning)

Systems that provide and regulate heating and cooling.

Terminal Access Controller Access Control System Plus

TACACS+ stands for

Recovery Point Objective (RPO)

The longest period of time that an organization can tolerate lost data being unrecoverable; is focused on how long can you be without your data

Third-party orchestration platforms

These allow you to work on your product and your orchestration across multiple vendors, and allow you to prevent vendor lock-in.

input validation and encryption

To prevent XML vulnerabilities from being exploited, use proper _____ and _____

Presentation Layer

Translates the information into a format that the sender and receiver both understand

TCP

Transmission Control Protocol - provides reliable, ordered, and error-checked delivery of a stream of packets on the internet. TCP is tightly linked with IP and usually seen as TCP/IP in writing.

Snapshot Backup

Type of backup primarily used to capture the entire operating system image including all applications and data; are also commonly used with virtualized systems

netcat

Utility for reading from and writing to network connections using TCP or UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts

arp

Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server

ipconfig/ifconfig

Utility that displays all the network configurations of the currently connected network devices and can modify the DHCP and DNS settings

netstat

Utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics

dnsenum

Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization

scanless

Utility that is used to create an exploitation website that can perform Open port scans in a more stealth-like manner

route

Utility that is used to view and manipulate the IP routing table on a host or server

Active Assessments

Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities

Stream Cipher

Utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR function to create the ciphertext

SYN Flood

Variant on a Denial of Service (DoS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake

Multipartite

Virus that is persistent; combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer

Vulnerabilities

Weaknesses in the design or implementation of a system

unpatched

Worms take advantage of an _______ OS, application, or software

self-replicate and spread

Worms ______ and ______ without a user's consent or action

Proxies cache

____ _____ the website to reduce requests and bandwidth usage

DDoS (Distributed Denial of Service)

a type of attack where multiple virus-infected computers are used to target a single system, overwhelming it with traffic, rendering it useless or unresponsive

Procedures

are specific

Corrective controls

are used after an event occurs.

Phish Insight

free phishing tool campaign where you can register

Gray-box testing

is a combination of white-box testing and black-box testing.

compensating control

is used whenever you can't meet the requirements for a normal control.

Usernames and Passwords

most commonly used authentication system

Onboard Diagnostics (OBD-II)

primary external interface

ext4

recommended file system for linux

Hired, Fired or Promoted

user recertification should be triggered when an employee is ___, ___, _____

SHA-1

uses a 160-bit hash digest, but isn't considered strong

SHA-2

uses a 256-bit or 512-bit hash digest and is the current version used in modern forensics

EAP-TTLS

uses a server-side digital certificate and a client-side password for mutual authentication

Infrastructure as a Service (IaaS)

A virtual private cloud infrastructure would be classified as _____

infrared system

Detects things based on their heat

Accounting

Tracking of data, computer usage, and network resources; non-repudiation occurs when you have proof that someone has taken an action

Public Key Cryptographic Systems #7 (PKCS#7)

.p7b

Boot sector, Metamorphic, Macro, Multipartite, Program, Polymorphic, Encrypted, Stealth, Armored, Hoax

10 types of viruses (BM3P2ESAH)

Class B

172.16.0.0 to 172.31.255.255

Class C

192.168.0.0 to 192.168.255.255

Procedural, and Legal or regulatory controls

2 categories of Administrative controls

WPA3 Enterprise mode and WPA3 Personal mode

2 different modes of WPA3

sc stop or net stop [name of program]

2 commands on the command prompt to stop a program

version control and configuration management

2 important concepts of maintenance

Wet Pipe Sprinkler System & Dry Pipe Sprinkler System

2 types of sprinkler systems

Vertical Privilege Escalation and Horizontal Privilege Escalation

2 types of Privilege Escalation

active or passive

2 types of assessment

Type I and Type II

2 types of hypervisors

further

2.4 GHz signals can travel ______ than 5 GHz

Authentication, Authorization, Accounting

3 A's of Security

WEP, WPA, WPA2

3 encryption standards in wireless networks

Physical Controls, Technical Controls, and Administrative Controls

3 main categories of controls for mitigating threats

Update your anti-malware software automatically and scan your computer; update and patch the operating system and applications regularly; educate and train end users on safe Internet surfing practices

3 main tips to remember in order to avoid malware

1. What is the value of the information? 2. What is the threat your system is facing? 3. What is the mitigation that could be deployed?

3 questions that can help to scope your assessments

Remove email addresses from the website; use whitelists and blacklists; train and educate end users

3 tips to prevent spam from reaching your organization

Resource Orchestration, Workload Orchestration, Service Orchestration

3 types of orchestration

Collocated data can become a security risk; configure, manage, and audit user access to virtualized servers; utilizing the cloud securely requires good security policies; data remnants may be left behind after deprovisioning

4 Cloud Security concerns

1. Implement policies; 2. Train your users; 3. Use a proxy and content filter; 4. Prevent malicious code

4 general security practices for web browsers

Malware, Unauthorized access, System failure, and Social engineering

4 main categories of security threats

Script kiddies, Hacktivists, Organized crime, Advanced persistent threats

4 main groups of threat actors

DNS poisoning, Unauthorized Zone Transfer, Altered Hosts File, Pharming, Domain Name Kiting

5 different DNS Attacks

Flood Attacks, Ping of Death, Teardrop Attack, Permanent DoS, Fork Bomb

5 subcategories of DoS

white hats, black hats, gray hats, blue hats and Elite

5 types of hackers

Session theft, TCP/IP hijacking, Blind hijacking, Clickjacking, Man-in-the-Middle, Man-in-the-Browser, Watering hole, Cross-site scripting

8 types of session hijacking

WiFi Protected Access version 2 (WPA2)

802.11i standard to provide better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking; is considered the best wireless encryption available

fiber optic

To prevent data emanations from happening, you should switch your networks to _____ cables because they don't have any emanation at all.

read-only

To prevent your hosts file from being manipulated, it should always be set to _____; Windows stores the hosts file in the following directory: %systemroot%\system32\drivers\etc

official mobile stores

To protect your phone from malware, only install apps from the ___________

Explicit Allow

Traffic is allowed to enter or leave the network because there is an ACL rule that specifically allows it; example: allow TCP 10.0.0.2 any port 80

Explicit Deny

Traffic is denied the ability to enter or leave the network because there is an ACL rule that specifically denies it; example: deny TCP any any port 23

Implicit Deny

Traffic is denied the ability to enter or leave the network because there is no specific rule that allows it; example: deny TCP any any port any

unnecessary

Turn off all _________ features

TEMPEST

U.S. Government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility; facilities are also resistant to EMPs (electromagnetic pulses)

cheaper

UTP is commonly used more often than STP because it is ____

Bluesnarfing

Unauthorized access of information from a wireless device through a Bluetooth connection; takes information (whereas bluejacking sends information)

Bluesnarfing

Unauthorized access or taking of information from a wireless device over a Bluetooth connection

The ALE is less than the cost of mitigating the risk

Under what circumstance might a risk be acceptable? (Choose the best answer.)

Diffie-Hellman (DH)

Used to conduct key exchanges and secure key distribution over an unsecured network; Diffie-Hellman is used for the establishment of a VPN tunnel using IPSec

Routers

Used to connect two or more networks to form an internetwork; rely on a packet's IP addresses to determine the proper destination; once the packet is on the destination network, the router sends an ARP request to find the final destination

Human Resources (HR)

Used to ensure no breaches of employment law or employee contracts are made during an incident response

OSI Model

Used to explain network communications between a host and remote device over a LAN or WAN

Public Relation (PR)

Used to manage negative publicity from a serious incident

Password Authentication Protocol (PAP)

Used to provide authentication but is not considered secure since it transmits the login credentials unencrypted (in the clear)

Challenge Handshake Authentication Protocol (CHAP)

Used to provide authentication by using the user's password to encrypt a challenge string of random numbers

Security Awareness Training

Used to reinforce to users the importance of their help in securing the organization's valuable resources; User security awareness training has the best return on investment

Security Training

Used to teach the organization's personnel the skills they need to perform their job in a more secure manner

Registration Authority

Used to verify information about a user prior to requesting that a certificate authority issue the certificate

UDP

User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism.

training

User ________ will prevent many issues inside your organization

Least Privilege

Users and processes should be run using the least amount of access necessary to perform a given function

Least Privilege

Users are only given the lowest level of access needed to perform their job functions

Non-Persistent Agents

Uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan

password cracker

Uses comparative analysis to break passwords and systematically continues guessing until the password is determined; examples: Cain & Abel and John the Ripper

Network Layer

Uses logical addresses to route or switch information between hosts, the network, and internetworks; data unit: packets; e.g. routers, IP addresses

logger

Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files

SSH

Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections

nslookup/dig

Utility used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information

baseline

Utilize a secure _______ image when adding new computers. This will have the OS, strict configuration policies, and the minimum applications needed

Passive Assessments

Utilize open source information, the passive collection and analysis of network data, and other unobtrusive methods without making direct contact with the targeted systems; they are limited in the amount of detail they find

Cross-Certification

Utilizes a web of trust between organizations where each one certifies others in the federation

Hybrid Implementation

Utilizes asymmetric encryption to securely transfer a private key that can then be used with symmetric encryption

Lattice-based Access Control

Utilizes complex mathematics to create sets of objects and subjects to define how they interact

Sandboxing

Utilizes separate virtual networks to allow security professionals to test suspicious or malicious files

physical requirements

Virtualization continues to rise in order to reduce the ____ _____ for data centers

- Lockheed Martin Kill Chain - MITRE ATT&CK Framework - Diamond Model of Intrusion Analysis

What are the 3 attack frameworks?

Physical hardware

What is the lowest layer (bottom layer) of a bare-metal virtualization environment?

DNS poisoning and ARP cache poisoning

What types of attacks cannot be mitigated by virus scanners?

Back up your files

What's one good practice to combat ransomware?

Diversion Theft

When a thief attempts to take responsibility for a shipment by diverting the delivery to a nearby location

Watering Hole Attack

When an attacker figures out where users like to go, and places malware to gain access to your organization

failed

When threat hunting, you need to assume that these existing rules have _______

Wi-Fi

Whenever possible, though, you should just avoid _____ in the first place because it is just an additional vulnerability. And by going to a wired network, you're going to be much more secure.

Recipient's public key

Which key is used when you send an encrypted e-mail message?

VM escape

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?

Cross-site request forgery

Which type of attack exploits a web site's trust of a user session?

Domain Controller

Whitelisting and blacklisting can be centrally managed using _____ ________ group policies

Windows Update program (wuapp.exe)

Windows 10 uses the ____- ______ _______ to manage updates

NTFS or FAT32

Windows systems can utilize ______ or ______

secure

Wired devices are almost always more _______ than wireless ones; if your wireless device is not using AES, that means the encryption is weak

Wireless Access Points (WAP)

Wireless security also relies upon proper ______

disruption

Worms can cause ________ to normal network traffic and computing activities, slowing down your system

anti-malware solutions

Worms, Trojans, and Ransomware are best detected with _______ __________

Forensic Procedures

Written procedures ensure that personnel handle forensics properly, effectively, and in compliance with required regulations

XML Bomb (Billion Laughs Attack)

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it

ESSID broadcasting has been disabled

You are attempting to connect to a corporate wireless network, but the WLAN name does not appear for you to connect to it. Why might this be?

Virtualization

You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment?

infected

Your computer might have been _______ if it begins to act strangely

Change the Wi-Fi channel is correct. 802.11g wireless routers run in the 2.4 GHz frequency range. In North America, you can configure your wireless router to use one of eleven channels to reduce interference. For example, if both neighbors are using channel 3 in the 2.4 GHz range, you might configure your wireless router to use channel 11 to reduce or eliminate interference. Each channel is spaced approximately 5 MHz from the next, so choosing a closer channel, such as channel 4, may still produce problems.

Your new 802.11g home wireless network seems to be unpredictable. At times, you are disconnected for no apparent reason. You have ensured that you are running the latest driver for your Wi-Fi network card and you have updated the firmware in your wireless router, yet the network is still unreliable. The neighbors on either side of you both have wireless networks as well. What should you do next to increase the stability of your wireless network?

Live migration

___ ____ occurs when a VM is moved from one physical server to another over the network

FTK and EnCase

___ and ______ are popular forensic tools

Secure Boot

____ _____ is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.

firmware exploit

____ ______ gives an attacker an opportunity to run any code at the highest level of CPU privilege

Rapid Elasticity

____ _____ in cloud computing would not be possible without orchestration

Elasticity

_____ allows for scaling up or down to meet user demands

Content filter

______ _______ can be used to blacklist specific websites or entire categories of sites

Flood guards

_______, time outs, and an IPS can prevent SYN Floods

Secure Volumes

are a method of keeping data at rest secure from prying eyes. When data on the volume is needed, the secure volume is mounted and properly decrypted to allow that access. Once the volume is no longer needed, it is encrypted again and unmounted from the virtual server. This is the same concept used by BitLocker on a Windows laptop or FileVault on a MacBook.

Class K fires

are composed of cooking oil. So, if your organization has a kitchen inside of its facilities, you should have a fire extinguisher system that's built-in to handle grease and oil fires that could occur during cooking.

Class C fires

are electrical fires; use a CO2-based extinguisher

Log files

are important to your ability to reconstruct an event after it occurs

SNMP v1/v2

are insecure due to the use of community strings to access a device

Username and password

are only considered single-factor authentication

Preventative controls

are security controls that are installed before an event happens and they're designed to prevent something from occurring.

Cable locks

are the best solution, as they will allow the laptops to be physically connected to the desks in the computer lab and can prevent theft.

Switches

are the combined evolution of hubs and bridges

Detective controls

are used during an event to find out whether or not something bad may have happened

Honeypots and honeynets

are used to attract and trap potential attackers

Backdoors

are used to bypass normal security and authentication functions

Protocol Analyzers

are used to capture and analyze network traffic

Standards

are used to implement a policy in an organization

File Servers

are used to store, transfer, migrate, synchronize, and archive files for your organization

Transitive Attacks

aren't really an attack but more of a conceptual method, based on trust

Steganography

attempts to conceal the fact that any communication is taking place by placing messages or files within other files.

current version and build

Before an OS update, you need to identify the ____ _____ ______ of the system

- Segment the network - Reduce collisions - Organize the network - Boost performance - Increase security

benefits of VLANs

- Efficient use of IP addresses - Reduced broadcast traffic - Reduced collisions - Compartmentalized

benefits of subnetting

Ensure your browser and its extensions are updated regularly

best protection from unwanted ads; also disable pop-ups and allow only the sites you need

port 445 (SMB) and port 139 (NetBIOS)

Block ports ___ and ___ to stop null connections

shim

Both DLL and driver manipulation occur through the use of a _____, which is placed between two components to intercept calls and redirect them

good host-based firewall

By doing this you prevent unauthorized outsiders from accessing your machine

updating your OS and applying needed patches

By doing this you prevent viruses from exploiting known vulnerabilities

use encrypted websites (https)

By doing this you ensure there is no man-in-the-middle between you and your destination site when you browse the internet

Hashing

can also be used to prove file integrity of the operating system and application files

Windows Firewall with Advanced Security

can be accessed by typing wf.msc at the command prompt; suitable for businesses

basic macOS firewall

can be accessed from the Security & Privacy panel

pairing key

Change the default ______ ___ of your Bluetooth device to avoid bluesnarfing and bluejacking

MISP project

codifies the use of the admiralty scale for grading data and estimative language

PF (packet filter)

command-line version of the basic macOS firewall

convert drive: /FS:NTFS

command to convert a FAT32 file system to NTFS

FireEye

company that uses proprietary closed source intelligence

quantum bit

composed of electrons or photons that can represent numerous combinations of 1s and 0s at the same time through superposition; cryptography is used to secure our communications and data by relying on how difficult a math problem is to compute; asymmetric encryption algorithms have been mathematically proven to be broken by _____ computers

- Identify assets - Identify vulnerabilities - Identify threats - Identify the impact

To conduct a risk assessment, you only have to use four steps

Application-layer gateway

conducts an in-depth inspection based upon the application being used; also known as a layer 7 firewall

Class B fire

consist of flammable gases or liquids. To put out a Class B fire, you should use a dry chemical agent or a CO2-based fire extinguisher

Class A fires

consist of solid combustible materials, things like wood and paper; use a water-based extinguisher.

stateful packet filtering

creates and maintains a table in memory that lists all established connections between the organization's computers and the Internet

HSM

devices perform cryptographic calculations, thus eliminating this task from the host computer system.

RADIUS

Remote Authentication Dial-In User Service

jailbreaking/rooting

Do not _______/_____ your device; if you do, you are bypassing the protections your system has, which makes you vulnerable to attacks

warm site

dormant alternate location, or a location that performs noncritical functions under normal conditions, but can be rapidly converted to a main operations site with minimal effort.

DLL injection

the dropper forces a process to load the malicious DLL as part of that process

Masquerading

the dropper replaces a genuine executable file with a malicious one

microservice

Everything in serverless is developed as a function or a _____

- Single sign-on - Malware and rogue device detection - Monitor/audit user activity - Mitigate data exfiltration

features of CASB

knowledge, ownership, characteristic, location, and action.

five basic factors of authentication

custom firmware or a custom ROM

For Android mobile devices, using this means you are running alternate firmware, so when Google releases patches for a vulnerability, they don't necessarily make their way to your device

Sherwood Applied Business Security Architecture (SABSA) Framework

for developing risk-driven enterprise information security and information assurance architectures. It also aids in delivering security infrastructure solutions that support critical business initiatives.

ALE = SLE × ARO

formula of ALE

DAC, MAC, RBAC, and ABAC.

four access control models

You can avoid it, transfer it, mitigate it, or accept it.

four things that you can do with risk

hot site

fully configured alternate network that can be quickly brought online after a disaster. With a hot site, systems and data are usually up-to-date.

Discretionary access control (DAC)

gives the resource owner (the user owns his or her home directory and its contents) control of assigning permissions to that resource.

data loss prevention systems.

One of the best ways to protect against IP theft; they can see when people are trying to take data out of your organization, whether from a shared drive, a database, over email, or anywhere else; if you have that protection in place, you'll be able to identify the attempt and possibly prevent it.

APT, organized crime, hacktivists, script kiddies

hacker skill levels

MTD and RPO

help to determine which business functions are critical and to specify appropriate risk countermeasures

Google Voice number

To really protect your phone number from ID theft, you can use a _____ ______ _____; it gives you an alternate number to use while your real number stays hidden

breaking inheritance

If you don't want propagation to occur, you do this

cloud service provider

In FaaS, the underlying architecture is managed by the ________

IPS

Install an ___ at the boundary to prevent null connections

Intranets

internal corporate networks based on internet technology

User account control

is a Windows operating system mechanism that requires administrator approval to modify operating system configurations.

Multi-cloud

is a cloud deployment model where the cloud consumer uses multiple public cloud services.

software development kit (SDK)

is a collection of software development tools in one installable package. They facilitate the creation of applications by providing a compiler, a debugger, and perhaps a software framework.

Frames

is a digital data transmission unit in computer networking and telecommunication.

Mandatory access control (MAC)

is a model whereby administrators or computer operating systems determine what permissions are granted in accordance with established policies.

John the Ripper

is a popular open source password cracking tool that combines several different cracking programs and runs in both brute force and dictionary attack modes; originally developed for Unix-derived systems

Cisco's TACACS+

is a proprietary version of RADIUS

protected distribution system (PDS)

is a secured system of cable management to ensure that the wired network remains free from eavesdropping, tapping, data emanations, and other threats. They are kind of expensive, though, because they add locks to every network closet. They enclose every cable distribution point. And they run cables through a protected conduit that runs throughout the ceiling.

Continuous integration

is a software development method where code updates are tested and committed to a development or build server or code repository rapidly; can test and commit updates multiple times per day; detects and resolves development conflicts early and often

Jumpbox

is a system on a network used to access and manage devices in a separate security zone.

Man-in-the-browser (MitB)

is an attack that intercepts API calls between the browser process and its DLLs

knowledge factor

is concerned with the user providing a piece of memorized information

ownership factor

is concerned with a user proving that they have something in their possession that uniquely identifies them

penetration test

is conducted by a team of professionals to simulate an attack on your network, its system, or its applications.

characteristic factor

is defined as something that the person is

Containment

is focused on isolating the incident

Wireless Network

is less secure than a wired network, because the data stream is transmitted over the air

LEAP

is proprietary to Cisco-based networks

Perfmon.exe

is the Windows program for Performance Monitor

User training

is the administrative control that is the most cost-effective security control to use

Minimum password age

is the amount of time that must pass before users can reset their passwords again.

ITIL

is the de facto standard for IT service management

Legal hold

is the legally required implementation of evidence preservation.

ICS

is used for electrical power stations, water suppliers, health services, telecommunications, manufacturing, and defense needs; covers a single plant

Session Initiation Protocol (SIP)

is used to establish and maintain network sessions related to voice and video, such as with VoIP.

Risk management

is used to minimize the likelihood of a negative outcome from occurring

nonce

is used to prevent password reuse

endpoint analysis

is the monitoring, logging, and analysis of our endpoints

In a terminal, run top to find the process's PID, then kill [PID]

linux command to stop a program

sudo service [name] stop (on Upstart-based systems: sudo stop [name])

linux command to stop service

Deidentification

methods and technologies that remove identifying information from data before it is distributed; is often implemented as part of database design

context-aware authentication, Single Sign-On authentication, and Federated Identity Management.

models of authentication

PTZ - Pan Tilt Zoom

moves the camera to look in different directions: tilt it up and down, pan it left and right, or zoom in and out.

unidirectional

moving in only one direction

hardware based encryption

much faster than software based encryption, but expensive

- Newer implementations can use port 1468 (TCP) for consistent delivery - Newer implementations can use TLS to encrypt messages sent to servers - Newer implementations can use MD5 or SHA-1 for authentication and integrity - Some newer implementations can use message filtering, automated log analysis, event response scripting, and alternate message formats

newer syslog implementations added new features and capabilities

Hoax

not actually a virus but a form of social engineering, trying to trick the user into infecting their own machine.

Residual risk

not covered by a compensating control is an accepted risk

Threat Hunting

A PROACTIVE cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring; threat hunting is potentially less disruptive than penetration testing

Security Protocols (4)

- Emails - Websites - Remote control - Remote access

function or microservice

Everything in serverless is developed as a ____ or _____

Perimeter Security

Security devices focused on the boundary between the LAN and the WAN in your organization's network; relies on several different devices

Physical tampering

occurs when an attacker attempts to gain physical access

content filtering

occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information

Asset disposal

occurs whenever a system is no longer needed

IPFW

older version of PF

golden ticket

one common attack against Active Directory servers is known as the ____ ________. This attack uses a program known as Mimikatz to exploit a vulnerability in the Kerberos ticket-granting system, to generate a ticket that acts as a skeleton key for all of the devices in the domain.

Restart in safe mode and scan, or boot from an external drive and scan with good antivirus software

one effective way to scan your computer for malware

vulnerability data may be stored on their systems, as well.

one major disadvantage of cloud-based vulnerability scans

Typosquatting

One way watering hole attacks are made effective; a problem that occurs when someone registers purposely misspelled variations of well-known domain names

Legal or regulatory control

ones you have to do because the law says you must

• CPU registers and cache memory • Contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files • Data on persistent mass storage (HDD/SSD/flash drive) • Remote logging and monitoring data • Physical configuration and network topology • Archival media

order of volatility

Planning and Analysis

Phase in the SDLC in which goals are determined, needs are assessed, and all high-level work is conducted; ideas are formulated into concepts

entrances and exits

placement of the camera should be at the ____ and _____

single point of failure

point in a system where redundancy or failover does not exist, and failure causes obstruction to all functionality.

Bring-your-own-device (BYOD)

policies complicate data acquisition since you may not be able to legally search or seize the device

Bring Your Own Device (BYOD)

policy allows employees to use their personal mobile devices and computers to access enterprise data and applications

AMD

Processor vendor whose CPUs offer Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV)

syntax error

program fails to run due to a coding error

Security Threats

purpose is to break into your computer, server, or network

Data sovereignty

refers to applicable laws and regulations based on the physical location of digital data; describes the sociopolitical outlook of a nation concerning computing technology and information. Some nations may respect data privacy more or less than others. Care needs to be taken when storing such data.

action factor

refers to something that a user does

location factor

refers to where a person is when they're trying to log into their account

Dual-sided certificates

require both the server and the user to be validated

chain of custody

requires evidence to be gathered in a legal manner, documented, and securely stored at all times.

Omnidirectional

sending or receiving signals in all directions

host-based firewall

configured by applying a set of rules to the traffic that goes into and out of your computer; also referred to as a personal firewall; uses a lot of the computer's resources

remote administration

should be disabled on your wireless access points. It is something that allows you to connect over the Internet and then make changes to your wireless access point. You don't need that. Instead, you should turn it off and make sure that you make changes locally, inside your network only

Log files

should be saved to a different partition or an external server

CSIRT

should be the single point of contact for security incidents and may be part of the SOC or an independent team

Disaster Recovery Plan (DRP)

should be written down and include: - Contact Information - Impact Determination - Recovery Plan - Business Continuity Plan (BCP) - Copies of Agreements - Disaster Recovery Exercises - List of Critical Systems and Data

- Hard drives, files, or applications are not accessible anymore - Strange noises occur - Unusual error messages - Display looks strange - Jumbled printouts - Double file extensions are being displayed, such as textfile.txt.exe - New files and folders have been created or files and folders are missing/corrupted - System Restore will not function

signs that your computer is infected (8)

- You see a lot of pop-up ads - Your homepage is changed

signs you're infected with spyware or adware

- Passwords contain uppercase letters, lowercase letters, numbers, special characters, and at least 8 characters (preferably 14 or more) - Change the default password - Change passwords frequently - Change the default Administrator or Root password - Disable the Guest account - Enable CTRL+ALT+DEL for logging into the system - Use good, strong policies for your passwords

six key tips for keeping your usernames and passwords

hardening

the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services

Third-party orchestration platform

These are some examples of a _____: Chef, Puppet, Ansible, Docker, Kubernetes, GitHub

fiber optic splitter

An attacker can attach it to a fiber port on one side and get two copies of every communication: one going into their machine and one going into your network.

cross-origin sharing policy

this is a content delivery network policy that instructs the browser to treat requests from nominated domains as safe.

workload orchestration

This is the management of applications and other cloud workloads that need to be performed; basically, it looks at the components needed to create the product you need.

preventive, detective, and corrective

three types that can be used to describe security controls

Supplicant, Authenticator, and Authentication Server

three roles required for authentication

- Attach the exploit to OBD-II - Exploit over onboard cellular - Exploit over onboard Wi-Fi

three vehicular vulnerabilities

open mail relays or SMTP open relays

To prevent spammers from sending email on your behalf, verify your email servers aren't configured as _____ _____ ____ or _____ ______

1. Eliminates unnecessary admin-level requests for Windows resources 2. Reduces risk of malware using admin-level privileges to cause system issues

two main benefits to using UAC

Basic Windows Firewall & Windows Firewall with Advanced Security

two types of Windows Firewall

Software, Hardware, Embedded

types of firewalls

Access control

Unprotected cloud storage: ____ _______ to storage is administered through container policies, IAM authorizations, and object ACLs

content delivery networks

Unprotected cloud storage: incorrect origin settings may occur when using ____ _____ _____

leftover

Unprotected cloud storage: incorrect permissions may occur due to default read/write permissions ________ from creation

Encrypted

(virus) uses a cipher to encrypt itself to avoid detection

Microsoft System Center Configuration Manager

Used by large organizations to manage their systems, push policies, and deploy updates

raised floors

Used to dissipate heat much more effectively in server rooms

EAP-TLS

uses digital certificates for mutual authentication

Qualitative Risk

uses intuition, experience, and other methods to assign a relative value to risk; Experience is critical and uses relative comparison

Quantitative Risk

uses numerical and monetary values to calculate risk; can calculate a direct cost for each risk

Identity federation

uses security tokens generated by a trusted identity source to allow access to resources such as web sites.

EAP-MD5

uses simple passwords for its challenge-handshake authentication process

Redundancy

usually refers to when you have something extra or unnecessary; helps ensure fault-tolerance to continue operations

Malware infections

usually start within software, messaging, and media

Tracking Cookies

usually used by spyware; can be used to track your path through a web site, the time you spend there, what links you click, and other details that the company wants to record, usually for marketing purposes.

Secure Enclaves

utilize two distinct areas where data may be stored and accessed. Each enclave can be accessed by the proper processor. This is a technique used by Microsoft Azure and many other cloud service providers.

anti-virus software

Viruses are most commonly detected by good ______ _______

Boot sector

viruses are stored in the first sector of a hard drive and are loaded into memory upon boot-up; typical antivirus software can't detect these, so you need to use antivirus software intended for this detection

Program

viruses infect an executable or application

• Process and memory vulnerabilities in PLC • Plaintext credentials or keys in application code • Code injection via web user interface

vulnerabilities in Building Automation Systems

1. Define the desired state of security 2. Create a baseline 3. Prioritize the vulnerabilities 4. Mitigate vulnerabilities 5. Monitor the network and systems

vulnerability management process in five steps

black-box test

where the pentesters have to hunt for any information that they need in order to be able to penetrate the network's defenses.

authentication server

The centralized device that performs the authentication; usually your RADIUS or TACACS+ server.

authenticator

The device through which the supplicant is attempting to access the network.

To avoid possible compromise of your two-factor authentication

why do you protect your phone number?

anti-spyware

Windows Defender has this capability: scanning for unauthorized snooping and collection of your data

Basic windows firewall

Windows Firewall that can be found in the Control Panel; suited for home use

File Checksum Integrity Verifier

Windows tool you can use to calculate a hash value

certutil

Windows tool you can use to calculate a hash value

Embedded Firewall

Works as a single function among many functions in one device, e.g. a UTM device or a router

sources

you must consider the _____ of your intelligence

infected

your computer might have been ______ if it begins to act strangely

Administrative Controls

Policies, procedures, security awareness training, contingency planning, and disaster recovery plans; user training is the most cost-effective security control to use

Elite

Skilled hackers who find and exploit vulnerabilities before anyone else does; 1 in 10,000 are elite

Time of Check to Time of Use (TOCTTOU)

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource

Cryptography

The practice and study of writing and solving codes in order to hide the true meaning of information

Network Sniffing

The process of finding and investigating other computers on the network by analyzing the network traffic or capturing the packets being sent

Data Ownership

The process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of information assets

Residual Risk

The risk remaining after trying to avoid, transfer, or mitigate the risk

Steganography

The science and art of hiding messages within other messages; is a form of obfuscation, NOT encryption

desired and malicious

Trojans perform _______ functions and _________ functions

SOC 2

Trust Services Criteria

latest

Update your device to the _____ version of the software

Driver Update

Updated device driver to fix a security issue or add a feature to a supported piece of hardware

Multi-factor Authentication

Use of two or more authentication factors to prove a user's identity

passwords

Use strong ______ or biometrics

Internet Content Filter

Used in organizations to prevent users from accessing prohibited websites and other content

ping/pathping

Utility used to determine if a host is reachable on an Internet Protocol network

2

W (Write) in Linux

Defense attorneys

WARNING: _______ will try to use any deviation from these ethics as a reason to dismiss your findings and analysis

Piggybacking

When an unauthorized person tags along with an authorized person to gain entry to a restricted area

Failover

a specific type of fault tolerance; occurs when a redundant storage server offers an exact replica of the real-time data, and if the primary server crashes, users are automatically directed to the secondary (backup) server

Kill chain analysis

________ _______ _______ can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage

Policies

________ are generic

Encryption

________ scrambles data into unreadable information; ensures confidentiality

Type I (bare metal)

_________ ____ ______ _____ hypervisors are more efficient than Type II; they act as a stripped-down, specialized operating system that provides physical resources to the virtual machines they host.

Group Policy Objects (GPOs)

__________ ______ _______ aid in the hardening of the operating system

DLL injection

_____________ is commonly used by rootkits to maintain their persistent control; malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime

NIST SP 800-53

__________ is a security control framework developed by the Dept. of Commerce

Enumeration tools and vulnerability

________ scanners can cause problems on an Operational Technology network

Encryption and VPNs

_____ and ___ are always a good idea to secure your network

Network devices

_____ include switches, routers, firewalls, and more

null connection

a connection to the Windows interprocess communications share

CAN-SPAM Act of 2003

a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

IT Security Frameworks

a series of documented processes used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.

ARP spoofing

aka ARP poisoning - faking your MAC address; usually combined with MAC spoofing

pre-ATT&CK tactics matrix

aligns to the reconnaissance and weaponization phases of the kill chain

Virtual Desktop Infrastructure (VDI)

allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

Hyperconvergence

allows providers to fully integrate the storage, network, and servers

managerial control

also referred to as administrative controls

cold site

alternate location where a network can be rebuilt after a disaster has occurred. A cold site can take some time to implement, as systems and assets (including data) are not readily configured and available for full use.

Host-based IDS/IPS (HIDS/HIPS)

A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint; uses signature-based detection and file integrity monitoring

Double file

another sign that your computer has malware is that ____ _____ extensions are being displayed, e.g. textfile.txt.exe

endpoint

any device we use to connect to a network

Hybrid

approaches that combine quantitative and qualitative analysis are commonly used

Spyware

can get installed covertly when you install free software. The _____ then monitors your computer activity and may inventory what type of files or software you have installed. All of this can take its toll on performance over time.

Spectrum Analyzer tool

captures all of the radio frequencies that are openly available in the area.

C:\ net stop service

command line - stop service

1. Remove temporary files by using Disk Cleanup; 2. Periodic system file checks; 3. Defragment your disk drive; 4. Back up your data; 5. Use and practice restoration techniques

delay failure of your hard drive with these 5 tips

Trojan Horse

delivery mechanism of ransomware

Public Key Infrastructure

describes a hierarchy of trusted certificates used for security.

Order of volatility

describes the fragility of digital evidence and, as a result, the order in which it should be gathered.

Asset Value × Exposure Factor; SLE = AV × EF

formula SLE

threats

hardening: mitigate risk by minimizing vulnerabilities to reduce exposure to _____

Pass the hash and birthday attack

hashing attacks

Script kiddies

have limited skill and only run other people's exploits and tools

New Technology File System (NTFS)

highly recommended to use this file system; is the default file system format for Windows and is more secure because it supports logging, encryption, larger partition sizes, and larger file sizes than FAT32

key escrow

holds decryption keys in trust and is not related to the company, institution, or government agency that issued the keys. The keys can be used in the event of a catastrophe or because of legal requirements.

by encryption

how do you protect your data's confidentiality?

1. Flash the BIOS; 2. Use a BIOS password; 3. Configure the BIOS boot order; 4. Disable the external ports and devices; 5. Enable the secure boot option

how do we secure the BIOS (5)

segment these devices off into their own network so they are not talking to the rest of the corporate network

how do you ensure security within your network when connecting IoT devices

vulnerability assessments are often conducted as a credentialed scan, where the tool is provided with a username and password for the systems. This gives you an inside-out look at your network, just as a system administrator would see it. A pentest, by contrast, seeks to look at your network as an attacker would, from the outside in.

how does a penetration test differ from a vulnerability assessment?

zone transfers should always be restricted to two known and trusted servers only; no other host should be allowed to request a zone transfer.

how to prevent unauthorized zone transfers

1. Use data encryption; 2. Use proper authentication; 3. Log NAS access

how to secure your NAS properly

860 TCP

iSCSI

3260 TCP

iSCSI Target

business impact analysis

identifies how personnel, data systems, clients, and revenue will be affected if a threat is realized.

Security audits

identify vulnerabilities and policy noncompliance.

CIA triad (Confidentiality, Integrity, Availability)

if we have all 3, then our data and information have good security

throttling/rate-limiting

in an API, implement _______ mechanisms to protect against DoS

key

in an API, WARNING: do not hardcode or embed a ______ into the source code

Something you know; something you are; something you have; something you do; somewhere you are

in the digital world, this is how you establish Authentication (5 - something)

Hybrid Cloud

includes two or more private, public, or community clouds, but each cloud remains separate and is only linked by technology that enables data and application portability

Insider Threat

is the most dangerous threat to organizational security; a person who works for or with your organization but has ulterior motives; employees who steal your information are insider threats

Procedural Control

the things that your organization chooses to do on its own

Certificate authorities (CAs)

issue, renew, and revoke PKI certificates and should be kept offline for increased security

sflow

provides a means of exporting truncated packets, together with interface counters, for the purpose of network monitoring

Rooting

jailbreaking is for Apple devices; ______ is for Android

backup

just like your computer, make sure the data on your phone has a _________, for data availability in case of mobile theft

applications

least functionality is also uninstalling unnecessary ________

functionality, ports and protocols

least functionality is restricting unneeded _____, _______, and ______

Password complexity; account lockout policy; software restrictions; application restrictions

local group policies contain these rules (4)

Utilities > Activity Monitor

macOS tool to stop a program

Class D fires

made up of combustible metals like magnesium, titanium, and lithium; laptops have lithium batteries; yellow extinguisher

Server Cache Poisoning

malicious activity on a Domain Name System server that tries to subvert the name service used by the client. It aims to corrupt the records held by the DNS server, so the client queries fail.

RAIDs

provide redundancy and high-availability

Cipher Lock

provides excellent protection using a mechanical locking mechanism with numbered push buttons that requires a person to enter the correct combination in order to open the door

APFS

recommended file system for OSX

risk of malware infection; data segmentation

risks of BYOD

Encryption

scrambles, or encrypts, data with a public key. A private key is used to decrypt the data.

Firewalls

screen traffic between two portions of a network

Windows Firewall

software-based firewall available in the Windows OS

privacy

some apps have location or GPS services; turn them off to ensure _______

Privacy and Security

some organizations block cookies because they are concerned about _____ & _______

retirement plan

sometimes includes, as part of maintenance, migrating your product to a more supported version of the OS

SPIM

spam over instant messaging

FM-200 or even a CO2-based system

special hazard protection system in a server room

Email servers

specialized computers whose sole function is to store, process, and send email; are a frequent target of attacks for the data they hold

IEEE 802.1x

standard used in port-based NAC

port 1812

standard port for authentication

port 1813

standard port for authorization

ID theft or account takeover

stealing someone's identity (their personal information).

Adware

subcategory of spyware; displays advertisements based upon what it learns by spying on you

Public Key Infrastructure (PKI)

system uses digital certificates and a certificate authority to allow secure communication across a public network.

pre-action sprinkler

system will activate when heat or smoke is detected

Data Loss Prevention

systems can be used to help identify insider threats

Physical Security

tangible protection such as alarms, guards, fireproof doors, fences, and vaults

perimeter

the outside of the building, e.g. a gate

Bits

the smallest unit of data in a computer

Class A

10.0.0.0 to 10.255.255.255

Closed Circuit TV (CCTV); Pan Tilt Zoom (PTZ)

2 types of surveillance camera

Application Programming Interface (API)

A library of programming utilities used to enable software developers to access functions of another application; allows for the automated administration, management, and monitoring of a cloud service

Port

A logical communication endpoint that exists on a computer or server

Outbound Port

A logical communication opening created on a client in order to call out to a server that is listening for a connection

Memorandum of Understanding (MOU)

A non-binding agreement between two or more organizations to detail an intended common line of action; can be between multiple organizations

Time-based One Time Password (TOTP)

A password is computed from a shared secret and current time

HMAC-based One Time Password (HOTP)

A password is computed from a shared secret and is synchronized between the client and the server

Cain and Abel

A password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols

14

A password should be long, strong, and complex. This should require at least ___ characters with a mix of uppercase, lowercase, numbers, and special characters

Online Certificate Status Protocol (OCSP)

A protocol that allows you to determine the revocation status of a digital certificate using its serial number

Split Tunneling

A remote worker's machine diverts internal traffic over the VPN but external traffic over their own internet connection

Canonical Encoding Rules (CER)

A restricted version of the BER that allows the use of only one encoding type

Multiparty

A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks

Business Impact Analysis (BIA)

A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations; is governed by metrics that express system availability

PowerShell

A task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language

Auditing

A technical assessment conducted on applications, systems, or networks; is a detective control

Prepending

A technical method used in social engineering to trick users into entering their usernames and passwords by adding an invisible string before the web link they click; (data:text) converts the link into a Data URI (or Data URL) that embeds small files inline in documents

Pass the Hash

A technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password

Vulnerability Scanning

A technique that identifies threats on the network without exploiting them

War Chalking

Act of physically drawing symbols in public places to denote the open, closed, and protected networks in range; doing this digitally is becoming more commonplace

Information Security

Act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction

Information Systems Security

Act of protecting the systems that hold and process our critical data

more advanced

Active Directory domain controllers have a ________ ________ Group Policy Editor

Polymorphic

Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection; a more complicated version of an encrypted virus, it morphs itself

Gramm-Leach-Bliley Act (GLBA)

Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers

Health Insurance Portability and Accountability Act (HIPAA)

Affects healthcare providers, facilities, insurance companies, and medical data clearing houses

Sarbanes-Oxley (SOX)

Affects publicly-traded U.S. corporations and requires certain accounting methods and financial reporting requirements

Physical Controls

Alarm systems, locks, surveillance cameras, identification cards, and security guards

Elliptic Curve Cryptography (ECC)

Algorithm that is based upon the algebraic structure of elliptic curves over finite fields to define the keys; ECC with a 256-bit key is just as secure as RSA with a 2048-bit key; most commonly used for mobile devices and low-power computing devices

Wildcard Certificates

Allow all of the subdomains to use the same public key certificate and have it displayed as valid; are easier to manage

Subject Alternative Name (SAN)

Allows a certificate owner to specify additional domains and IP addresses to be supported

Public Key Pinning

Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user's web browser as part of the HTTP header

test

Always ____ a patch prior to automating its deployment

Fail Securely

Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing

Zero Day

Attack against a vulnerability that is unknown to the original developer or manufacturer

SQL Injection

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application; most common type of injection attack

individually or combined

Attack framework models can be used _____ or ______

Teardrop Attack

Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine

Man-in-the-Middle (MITM)

Attack that causes data to flow through the attacker's computer where they can intercept or manipulate the data

Permanent Denial of Service

Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware

Session Theft

Attacker guesses the session ID for a web session, enabling them to take over the already authorized session of the client

Fraggle Attack

Attacker sends a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets

scripted installations and baseline configuration templates

BEST PRACTICE: Utilize ___________ ___________ and _______ _______ ________ to secure applications during installation

security issues

BYOD introduces a lot of _____ ______ to consider

poor coding

Backdoors are a ______ _______ practice and should not be utilized

Vulnerability Assessment

Baselining of the network to assess the current security state of computers, servers, network devices, and the entire network in general

The access control policy is determined by the owner

Best Practices for Access Control

Content Filters

Blocking of external files containing JavaScript, images, or web pages from loading in a browser

symmetric

Blowfish and RC4 are both _____ algorithms.

processor-intensive

Botnets can be utilized in other _______ __________ functions and activities

Block Cipher

Breaks the input into fixed-length blocks of data and performs the encryption on each block; block ciphers are easier to implement through a software solution

Advanced Security Options

Browser configuration and settings for numerous options such as SSL/TLS settings, local storage/cache size, browsing history, and much more

Password Spraying

Brute force attack in which multiple user accounts are tested with a dictionary of common passwords

Credential Stuffing

Brute force attack in which stolen user account names and passwords are tested against multiple websites

Issue-Specific Policies

Built to address a specific security issue, such as email privacy, employee termination procedures, or other specific issues

WPA2

CCMP and AES

WPA3 - Personal Mode

CCMP-128 as minimum encryption required for secure connectivity

policies

A CORS policy can expose your site to vulnerabilities such as cross-site scripting attacks, so be aware of this and make sure that your _______ are written properly.

Keylogger

Captures keystrokes made by the victim and takes screenshots that are sent to the attacker

Building Automation System (BAS)

Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers; need to be segmented from your other network

Physical Access Control System (PACS)

Components and protocols that facilitate the centralized configuration and monitoring of security mechanisms within offices and data centers; can either be implemented as part of a building automation system or a separate system; are often installed and maintained by an external supplier and are therefore omitted from risk and vulnerability assessments by analysts

Managed Devices

Computers and other network-attached devices monitored through the use of agents by a network management system

Business Partnership Agreement (BPA)

Conducted between two business partners that establishes the conditions of their relationship; can also include security requirements

Center for Internet Security (CIS)

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Containment

Containment is focused on isolating the incident

Private Data

Contains data that should only be used within the organization

Data Remnants

Contents of a virtual machine that exist as deleted files on a cloud-based server after deprovisioning of a virtual machine

Network Media

Copper, fiber optic, and coaxial cabling used as the connectivity method in a wired network

Single Loss Expectancy (SLE)

Cost associated with the realization of each individualized threat that occurs

administrative or technical

Create and implement web browsing policies as an __________ control or _________ control

Baseline

Created as reference points which are documented for use as a method of comparison during an analysis conducted in the future

RAID 10

Creates a striped RAID of two mirrored RAIDs (combines RAID 1 & RAID 0)

AP Isolation

Creates a network segment for each client when it connects, to prevent it from communicating with other clients on the network

storage segmentation

Creating a clear separation between personal and company data on a single device

Virtualization

Creation of a virtual resource

Virtual Network Computing (VNC)

Cross-platform version of the Remote Desktop Protocol for remote user GUI access; requires a client, server, and protocol be configured; Port 5900

Symmetric Algorithm (Private Key)

DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6

53 TCP/UDP

DNS

Data in Transit

Data crossing the network or data that resides in a computer's memory

Logs

Data files that contain the accounting and audit trail for actions performed by a user on a computer or network

Bus Encryption

Data is encrypted by an application prior to being placed on the data bus; Ensures that the device at the end of the bus is trusted to decrypt the data

validation routines

Data received by an API must pass service-side _______ _____

forever

Data should never be stored ________

Top Secret Data

Data that could gravely damage national security if it were known to those who are not authorized for this level of information

Confidential Data

Data that could seriously affect the government if unauthorized disclosure were to happen

Secret Data

Data that could seriously damage national security if disclosed

Metadata

Data that describes other data by providing an underlying definition or description, summarizing basic information about data that makes finding and working with particular instances of data easier; types: email, mobile, web, file

Open-Source

Data that is available to use without subscription, which may include threat feeds similar to the commercial providers and may contain reputation lists and malware signature databases

Closed-Source

Data that is derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized

Create Secure Defaults

Default installations should include secure configurations instead of requiring an administrator or user to add in additional security

Policies

Defines the role of security in an organization and establishes the desired end state of the security program; are very broad

Exploit Technique

Describes the specific method by which malware code infects a target host

Processor Virtual Machine

Designed to only run a single process or application like a virtualized web browser or a simple web server

Cloud Security Alliance's Cloud Control Matrix

Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

Procedures

Detailed step-by-step instructions that are created to ensure personnel can perform a given action

shift-left

DevSecOps utilizes a ________ mindset: integrate security from the beginning; test during and after development; automate compliance checks

SDLC Principles

Developers should always remember confidentiality, integrity, and availability; Threat modeling helps prioritize vulnerability identification and patching

Intrusion Detection System (IDS)

Device or software application that monitors a system or network and analyzes the data passing through it in order to identify an incident or attack

3868 TCP

Diameter

Onboarding and Offboarding Policy

Dictates what type of things need to be done when an employee is hired, fired, or quits; Terminated employees are often not cooperative

Job Rotation

Different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job

Asymmetric Algorithms

Diffie-Hellman, RSA, and ECC

Voice Over Internet Protocol (VoIP)

Digital phone service provided by software or hardware devices over a data network

Certificates

Digitally-signed electronic documents that bind a public key with a user's identity

3225 TCP/UDP

FCIP

Port 21 (TCP)

FTP

989/990 TCP

FTPS

NAT filtering

Filters traffic based upon the ports being utilized and type of connection

Clean Agent System

Fire suppression system that relies upon gas (HALON, FM-200, or CO2) instead of water to extinguish a fire

Web Application Firewall

Firewall installed to protect your server by inspecting traffic being sent to a web application; can prevent XSS or SQL injection

BIOS - Basic Input/Output System

Firmware that provides the computer instructions for how to accept input and send output

Network Redundancy

Focused on ensuring that the network remains up; Redundant Internet connections

De-militarized Zone (DMZ)

Focused on providing controlled access to publicly available servers that are hosted within your organizational network; Sub-zones can be created to provide additional protection for some servers

Operational Controls

Focused on the things done by people

80 TCP

HTTP

443 TCP

HTTPS

IP Proxy

IP Proxy is used to secure a network by keeping its machines anonymous during web browsing

Blackholing or Sinkholing

Identifies any attacking IP addresses and routes all their traffic to a nonexistent server through the null interface

reboot the computer from an external device and scan it

If a boot sector virus is suspected, how do you detect and remove the malware?

digital quarantine

If a device fails the inspection, it is placed into _____ ______

Fix Security Issues

If a vulnerability is identified then it should be quickly and correctly patched to remove the vulnerability

security

If we make operations easier, then _____ is reduced

move

If you ______ a folder, its original permissions are retained

Fuzzing

Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation

Human Machine Interface (HMI)

Input and output controls on a PLC to allow a user to configure and monitor the system

Injection Attack

Insertion of additional information or code through data input from a client to an application: SQL, HTML, XML, LDAP

Packet filtering

Inspects each packet passing through the firewall and accepts or rejects it based on the rules

AntiVirus

Install ____

Subscriber Identity Module (SIM)

Integrated circuit that securely stores the international mobile subscriber identity (IMSI) number and its related key

Jamming

Intentional radio frequency interference targeting your wireless network to cause a denial of service condition; wireless site survey software and spectrum analyzers can help identify _______

Public Branch Exchange (PBX)

Internal phone system used in large organizations

Transport Layer

Manages and ensures transmission of the packets occurs from a host to a destination using either TCP or UDP; Segments (TCP) or Datagrams (UDP)

Hybrid

Many companies are now marketing advanced threat protection (ATP), advanced endpoint protection (AEP), and NextGen AV (NGAV), which are a ______ of EPP, EDR, and UEBA

Directory Traversal

Method of accessing unauthorized directories by moving through the directory structure on a remote server

Internet Key Exchange (IKE)

Method used by IPSec to create a secure tunnel by encrypting the connection between authenticated peers

Threat Vector

Method used by an attacker to access a victim's machine; how the attacker gets into the machine, through a weakness of that machine

Open-Source Intelligence (OSINT)

Methods of obtaining information about a person or organization through public records, websites, and social media

Access Control

Methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it

137-139 TCP/UDP

NetBIOS

Lambda

Netflix uses AWS _______ to build a rule-based, self-managing infrastructure that replaces many old, inefficient processes.

Non-promiscuous Mode

Network adapter can only capture the packets directly addressed to itself

Promiscuous Mode

Network adapter is able to capture all of the packets on the network, regardless of the destination MAC address of the frames carrying them; used to capture the most information

regulatory, advisory, or informative

Policies may be (3)

Clean Desk Policy

Policy where all employees must put away everything from their desk at the end of the day into locked drawers and cabinets

Software as a Service (SaaS)

Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered

Distinguished Encoding Rules (DER)

Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509

Software Compliance/Licensing

Risk associated with a company not being aware of what software or components are installed within its network

IP Theft

Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs

Security Posture

Risk level to which a system or other technology element is exposed

Internal Risk

Risks that are formed within the organization, arise during normal operations, and are often forecastable

External Risk

Risks that are produced by a non-human source and are beyond human control

Implementation

SDLC phase that involves coding and debugging

445 TCP

SMB

Port 25 TCP

SMTP

465/587 TCP

SMTP with SSL/TLS

161 UDP

SNMP

162 TCP/UDP

SNMPTRAP

input validation and using least privilege

SQL injection is prevented through _________ _______ when accessing a database

Port 22 TCP & UDP

SSH, SCP, SFTP

Technical Controls

Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information

Pre-Shared Key

Same encryption key is used by the access point and the client

physical, technical, or administrative

Security controls are categorized

virtualized runtime containers

Serverless is a software architecture that runs functions within _________ in a cloud rather than on dedicated server instances.

Load-balancing Cluster

Servers are clustered in order to share resources such as CPU, RAM, and hard disks

Remote Access Services (RAS)

Service that enables dial-up and VPN connections to occur from remote clients

malware code

Shellcode originally referred to _____ ______ that would give the attacker a shell (command prompt) on the target system (pentest exam)

Faraday Cage

Shielding installed around an entire room that prevents electromagnetic energy and radio frequencies from entering or leaving the room

Malware

Short-hand term for malicious software

Out-of-band communication

Signals that are sent between two parties or two devices via a path or method different from that of the primary communication between the two parties or devices

UDP

Since syslog relies on ______, there can be delivery issues within congested networks

Add-Ons

Smaller browser extensions and plugins that provide additional functionality to the browser

DevOps

Software development and information technology operations

Spyware

Software that collects your information without your consent

Grayware

Software that is neither benign nor malicious and tends to behave improperly without serious consequences

Pop-up Blockers

Software that prevents pop-ups from sites that are unknown or untrusted and prevents the transfer of unwanted code to the local system.

Protocol Analyzer

Software tool that allows for the capture, reassembly, and analysis of packets from the network

Endpoint DLP System

Software-based client that monitors the data in use on a computer and can stop a file transfer or alert an admin of the occurrence; can be set to detection or prevention mode

collected

Some data can only be _______ once the system is shut down or the power is suddenly disconnected

Static Analysis

Source code of an application is reviewed manually or with automatic tools without running the code

open mail relays

Spammers often exploit a company's ____________ to send their messages

influence campaign

The collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent

least privilege

The concept of _______ states that only needed rights to perform a certain task should be given and no more.

Blue Team

The defensive team in a penetration test or incident response exercise

Packets

The defined block of information consisting of header, data, and trailer that serves as the information exchange method on the network.

Disaster Recovery Planning

The development of an organized and in-depth plan for problems that could affect access to data or the organization's building, such as fire, flood, long-term power loss, theft or attack, or loss of the building

Data Emanation

The electromagnetic field generated by a network cable or device when transmitting

Certificate Authority

The entity that issues certificates to a user; Verisign, Digisign, and many others act as Root CA

syslog-ng or rsyslog

The newer version of the syslog server is called

Wireless Encryption

_____ of data in transit is paramount to security

Train

_____ users on proper security and use of the device

Multi-factor authentication

______ can help prevent successful replay attacks

Security education

______ is generalized training (like Security+)

Public Key Cryptographic System #12 (PKCS#12)

.p12

Privacy-enhanced Electronic Mail

.pem, .cer, .crt, or .key

Personal Information Exchange

.pfx

Degaussing

Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive

Spyware

Malware that secretly gathers information about the user without their consent

apps

Only install _____ from the official mobile stores

1

X (Execute) in Linux

Microsoft, Symantec, and CrowdStrike

Top 3 EPP vendors

WPA3

Introduced in 2018 to strengthen WPA2; has an equivalent cryptographic strength of 192 bits in ____-Enterprise mode; the largest improvement in _______ is the removal of the Pre-Shared Key (PSK) exchange, which is replaced by Simultaneous Authentication of Equals (SAE)

Limit the static MAC addresses accepted; limit the duration of ARP entries on hosts; conduct ARP inspection

ways to prevent MAC Spoofing

Anonymous

Well-known hacktivist group

net use command

What command do you use to establish a null connection?

Software Development Life Cycle

What does SDLC stand for?

off

When you're not using your Bluetooth, turn it ____

supplicant

The device or user that is requesting access to the network

