Security+ 501 1.0 - 6.0


components

CA, Intermediate CA, CRL, OCSP, CSR, Certificate, Public key, Private key, Object identifiers (OID)

backup concepts

Differential, Incremental, Snapshots, Full

storage segmentation

when the device is used on the enterprise network, a corporate workspace with a defined selection of apps and a separate storage container is created

insiders

when the perpetrator of an attack is a member of, ex-member of, or somehow affiliated with the organization's own staff, partners, or contractors

vulnerabilities due to end-of-life systems

when the system has reached a point where it can no longer function as intended. This status can be reached for many reasons, such as lack of vendor support, a failure to instantiate on newer hardware, or incompatibility with other aspects of a system; valuable data that is still on the system before it is disposed

forward proxy

when we have a proxy on the inside of our network that we're using to help our users protect themselves from the internet

antispoofing

when you implement an access control list (ACL) with deny statements for private network address spaces

diffie-hellman

a key exchange method over an insecure communications channel; a key agreement protocol, published in 1976 by Whitfield Diffie and Martin Hellman

session affinity/source IP

a layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request

certificate revocation list (CRL)

a list of certificates that were revoked before their expiration date

access control list (ACL)

a list of subjects and the rights or permissions they have been granted on the object; network traffic that can be filtered; allow or disallow traffic based on tuples

warm site

a location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed

biometric lock

a lock may be integrated with a biometric scanner

role-based awareness training

a system for identifying staff performing security-sensitive roles and grading the level of training and education required

short message service (SMS)

a system for sending text messages between cell phones

steganography

a technique for obscuring the presence of a message, often by embedding information within a file or other entity.

failover

a technique that ensures a redundant component, device, application, or site can quickly and efficiently take over the functionality of an asset that has failed

obfuscation

a technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.

heuristic

a technique that leverages past behavior to predict future behavior.

key stretching

a technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks

external actor

a threat actor that comes from outside the organization

internal actor

a threat actor that comes from within an organization

oauth (open authorization)

a token-based authorization protocol that is often used in conjunction with OpenID.

Network Scanners

a tool for probing a network for ports. The tool will report back to the user which ports are open ("listening"), which are closed and which are filtered. An example of a network scanner is Nmap.

skimming attack

a type of RFID attack in which an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card

ransomware

a type of Trojan malware that tries to extort money from the victim

birthday attack

a type of brute force attack aimed at exploiting collisions in hash functions

self-signed certificate

a type of digital certificate that is owned by the entity that signs it

Supervisory Control and Data Acquisition (SCADA)

a type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas

air gap

a type of network isolation that physically separates a network from all other networks.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

an encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol

multimedia message service (MMS)

an extension of short message service (SMS) that enables messages that include text, sound, images, and video clips to be sent from a cell phone or PDA to other phones or e-mail addresses

media access control filtering (MAC filtering)

applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

firewalls

are the devices principally used to implement security zones, such as intranet, demilitarized zone (DMZ), and the Internet

spam filter

are the first line of defense that protects organizations from phishing attacks

diffusion

change one character of the input and many characters of the output change; makes the ciphertext change drastically upon even the slightest change in the plaintext input

identification of critical systems

compiling an inventory of its business processes and its tangible and intangible assets and resources

agile

focuses on iterative and incremental development to account for evolving requirements and expectations.

carrier unlocking

for either iOS or Android, this means removing the restrictions that lock a device to a single carrier

custom firmware

installing custom firmware on some devices requires exploiting a vulnerability

distinguished encoding rules (DER)

an encoding format that defines a transfer syntax for data structures

privilege escalation attack

exploiting a vulnerability to gain higher-level access to a system

non-intrusive scan

gathers information without trying to exploit a vulnerability; vulnerability scanners; a test that does not disrupt the operations of a system

bcrypt

generates hashes from passwords; a key-derivation function based on the Blowfish cipher algorithm

sideloading

giving users and businesses the flexibility to directly install apps without going through the storefront interface

dumpster diving

going through an organization's (or individual's) garbage to try to find useful documents (or even files stored on discarded removable media)

Platform-Specific guides

guides meant for a specific platform

Vendor-Specific guides

guides meant for a specific vendor's products

active reconnaissance

has more risk of detection; the use of tools, such as network scanners & vulnerability scanners, to analyze a system, network or organization

unauthorized software

has the potential to bring malware into a network

logic bomb

having infected a system, a disgruntled person waits for a preconfigured system or user event to be triggered

stapling

having the SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA

public cloud/multi-tenant

hosted by a third party and shared with other subscribers. This is what many people understand by "cloud computing." As a shared resource, there are risks regarding performance and security

license compliance violation

how software can only be used when properly licensed and under what circumstances you would find software being used outside of the license scope, which would therefore be problematic

finance

how the score is kept

passive

may sit on the inner network side of a firewall, on the DMZ, or on the WAN side. Placement on either the DMZ or inner network is preferable in that it will make less noise.

application server guide

secure configuration guides useful for configuring applications servers

network infrastructure devices

secure configuration guides useful for configuring network infrastructure devices

operating system guide

secure configuration guides useful for configuring operating systems

web server guide

secure configuration guides useful for configuring web servers

Secure IMAP

secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993

general purpose guides

security configuration guides that are generic in scope.

vendor diversity

security controls are sourced from multiple suppliers

file system security

security functions provided by access control lists (ACLs) for protecting files managed by the operating system.

interconnection security agreement (ISA)

security guide for Interconnecting Information Technology Systems. Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls

location-based policies

policies that prevent users from logging on from certain locations, or require that they log on only from specific locations.

password reuse

policy defines whether or not a user can ever use the same password again. Can be used in conjunction with password history.

personnel issues

policy violation, insider threat, social engineering, social media, and personal email

IEEE 802.1x

port-based network access control (NAC) with no access until authentication

something you have

possession (smart card, USB token, or key fob that contains a chip with authentication data, such as a digital certificate)

bluejacking

sending of unsolicited messages to another device via Bluetooth

ping

sends an echo request to a machine to determine if communication is possible.

filters

separates traffic from router

array index overflow

possible to exploit insecure code to load the array with more values than it expects, creating an exception that could be exploited

satellite communications (SATCOM) connection

services such as voice and video calling, Internet access, faxing, and television and radio broadcasting.

legal implications

refer to the positive or negative legal consequences or commitments as a result of an action or choice made by an individual or group

aggregation

referring to the gathering of log and event data from the different network security devices used on the network.

inline

refers to being in between the firewall and the rest of the network environment.

banner grabbing

refers to probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting detail about the way the server is configured. This information allows an attacker to identify whether the server is fully patched and to look up any known software vulnerabilities that might be exposed.

supporting confidentiality

secrecy and privacy. Encryption (file-level, drive-level, email)

data encryption standard (DES)

symmetric encryption protocol. DES and its replacement 3DES are considered weak in comparison with modern standards, such as AES

split tunnel

the client accesses the Internet directly using its "native" IP configuration and DNS servers.

scheduling algorithm

the code and metrics that determine which node is selected for processing each incoming request

public key

the component of asymmetric encryption that can be accessed by anyone.

voice recognition

the computer's capability of distinguishing spoken words

security automation

the concept of scripted or programmed infrastructure can also be applied to security infrastructure (firewalls, IDS, SIEM, and privilege management)

safety

the condition of being protected from risk

collectors

to store and interpret (or parse) the logs from different types of systems (host, firewall, IDS sensor, and so on), and to account for differences between vendor implementations

host health checks

to verify the status of any system attempting to connect to the network

advanced malware tools

tools that can block malware from running by blocking file signatures, heuristics/anomalous behavior, sandboxing, and virtualizing. They need to be routinely updated with the latest definitions.

patch management tools

tools used to manage security patches

transitive trust

the trust extends to other trusted domains. For example, if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A also trusts Domain C

remote access

the user's device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network, usually a public Wide Area Network

phishing

to email users with the purpose of tricking them into revealing personal information or clicking on a link

signs

to enforce the idea that security is tightly controlled. Beyond basic no trespassing signs, some homes and offices also display signs from the security companies whose services they are currently using. These may convince intruders to stay away

session hijacking attack

to impersonate a user on a website, using the session ID that is stored in their cookies

cameras

to perform facial recognition

impersonation

to pretend to be someone else in order to obtain personal or sensitive information

URL hijacking attack

to purchase a domain name that is similar to a legitimate domain name

protected cabling

to reduce the likelihood of emission spillage

accounting

tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted

hashing

transforming plaintext of any length into a short code called a hash

stream vs block

transmit byte by byte, vs in groups

jamming attack/interference attack

transmits noise or radio signals on the same frequency that is used by a wireless network, which prevents users from connecting to the network

security through obscurity

trying to keep the design of a security system secret as its only method of security; keeping something a secret by hiding it

disabling unnecessary ports and services

turning off any service that is not being used

identify common misconfigurations

typical results from a vulnerability assessment; use databases and dictionaries that consist of misconfigurations, such as open ports, weak passwords, default accounts and passwords, sensitive data, and security & configuration errors

guest

unauthenticated users

Unencrypted credentials/clear text

unencrypted, readable data that is not meant to be encrypted

firewall

universal security control

firmware over-the-air (OTA) updates

updates can be delivered wirelessly, either through a Wi-Fi network or the data connection

vehicle

use a substantial amount of electronics, all of which can potentially have vulnerabilities that could be exploitable. As well as computer systems to control the vehicle's engine, steering, and brakes, there may be embedded systems for in-vehicle entertainment and for navigation (sat-nav), using Global Positioning Systems (GPS)

multipartite viruses

use both boot sector and executable file infection methods of propagation

hosted

hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance but is correspondingly more expensive.

netcat or nc

used for reading from or writing to network connections using TCP or UDP.

track person hours

used to determine whether the cost of the incident was justified

third-party app stores

used to distribute unauthorized, non-approved applications. Can be downloaded by jailbroken/rooted devices.

downgrade attack

used to facilitate a Man-in-the-Middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths

zones/topologies

DMZ, Extranet, Intranet, Wireless, Guest, Honeynets, NAT, Ad hoc

Protocols

DNSSEC, SSH, S/MIME, SRTP, LDAPS, FTPS, SFTP, SNMPv3, SSL/TLS, HTTPS, Secure POP/IMAP

Connection methods

Cellular, WiFi, SATCOM, Bluetooth, NFC, ANT, Infrared, USB

Industry-standard frameworks and reference architectures

Regulatory, Non-regulatory, National vs. international, Industry-specific frameworks

time synchronization

SIEM logs may be collected from appliances in different geographic locations and, consequently, may be configured with different time zones. This can cause problems when correlating events and analyzing logs.

risk assessment

SLE, ALE, ARO, Asset value, Risk register, Likelihood of occurrence, Supply chain assessment, Impact, Quantitative, Qualitative, Testing, Penetration testing authorization, Vulnerability testing authorization, Risk response techniques (accept, transfer, avoid, mitigate)

Cloud deployment models

SaaS, PaaS, IaaS, Private, Public, Hybrid, Community

environment

Development, Test, Staging, Production

threat assessment

Environmental, Artificial/manufactured, Internal vs. external

continuity of operations planning (COOP)

Exercises/tabletop, After-action reports, Failover, Alternate processing sites, Alternate business practice

deprovisioning

The process of removing an application from packages or instances.

hybrid cloud

a combination of public and private clouds

tcpdump

a command-line packet sniffing utility.

DDoS mitigator

a hardware device that identifies and blocks real-time distributed denial of service (DDoS) attacks.

SSL/TLS accelerators

a hardware interface that helps offload the resource-intensive encryption calculations in SSL/TLS to reduce overhead for a server.

Password-Based Key Derivation Function 2 (PBKDF2)

a key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks

root certificate

a self-signed public key certificate that identifies the root CA

certificate authority (CA)

a server that can issue digital certificates and the associated public/private key pairs

kerberos

an authentication service that is based on a time-sensitive ticket-granting system.

alarms

an electrical, electronic, or mechanical device that serves to warn of danger by means of a sound or signal.

smart cards

a credit-card-sized card containing a microchip for data storage and processing.

types/category

crucial to enabling swift identification and remediation of the incident

detective

may not prevent or deter access, but it will identify and record any attempted or successful intrusion

network intrusion detection system (NIDS)

a system that uses passive hardware sensors to monitor traffic on a specific segment of the network.

intimidation (principle)

"there will be bad things if you don't help" and "if you don't help me, the payroll checks won't be processed"

Network Intrusion Prevention System (NIPS)

an inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.

domain information groper (dig)

a utility to query a DNS server and return information about a particular domain name.

router

A network device that links dissimilar networks and can support multiple alternate paths between locations, selected on parameters such as speed, traffic load, and cost.

symmetric algorithms

AES, DES, 3DES, RC4, Blowfish/Twofish

mobile device management concepts

Application management, Content management, Remote wipe, Geofencing, Geolocation, Screen locks, Push notification services, Passwords and pins, Biometrics, Context-aware authentication, Containerization, Storage segmentation, and Full device encryption

geographic considerations

Off-site backups, Distance, Location selection, Legal implications, Data sovereignty

automation/scripting

Automated courses of action, Continuous monitoring, Configuration validation

key stretching algorithms

BCRYPT, PBKDF2

agreement types

BPA, SLA, ISA, MOU/MOA

deployment models

BYOD, COPE, CYOD, Corporate-owned, VDI

routing and switching use case

Basic layer 2 switches provide ports and Virtual LANs (logical groupings of clients) for wired and (via an access point) wireless devices. Traffic between logical networks is controlled by layer 3 switches with LAN routing functionality. WAN/edge routers provide services such as web, email, and communications access for corporate clients and VPN access to the corporate network for remote clients

data destruction and media sanitization

Burning, Shredding, Pulping, Pulverizing, Degaussing, Purging, Wiping

cipher modes

CBC, GCM, ECB, CTR, Stream vs. block

camera use

CCTV cameras

data acquisition

Capture system image, Network traffic and logs, Capture video, Record time offset, Take hashes, Screenshots, Witness interviews

nslookup

Command-line program in Windows used to determine exactly what information the DNS server is providing about a specific host name.

data sensitivity labeling and handling

Confidential, Private, Public, Proprietary, PII, PHI

account policy enforcement

Credential management, Group policy, Password complexity, Expiration, Recovery, Disablement, Lockout, Password history, Password reuse, Password length

Implementation vs. algorithm selection

Crypto service provider, Crypto modules

network address allocation use case

DHCP provides an automatic method of allocating IP addresses to hosts

certificate formats

DER, PEM, PFX, CER, P12, P7B

incident response plan

Documented incident, types/category definitions, Roles and responsibilities, Reporting requirements/escalation, Cyber-incident response teams, Exercise

authentication protocols

EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1x, RADIUS Federation

file transfer use case

Email and Instant Messaging (IM)

hardware/firmware security

FDE/SED, TPM, HSM, UEFI/BIOS, Secure boot and attestation, Supply chain, Hardware root of trust, EMI/EM

biometric factors

Fingerprint scanner, Retinal scanner, Iris scanner, Voice recognition, Facial recognition, False acceptance rate, False rejection rate, Crossover error rate

cross-site scripting (XSS) attack

HTML or JavaScript code entered into a web page form to retrieve sensitive information from the website; one of the most powerful input validation exploits

environmental controls

HVAC, Hot and cold aisles, Fire suppression

tokens

Hardware, Software, HOTP/TOTP

recovery sites

Hot site, Warm site, Cold site

pass-the-hash (PtH) attack

If an attacker can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols; an attack that discovers the hash of a user's password and uses it to log on to the system as the user

behavioral-based detection

In IDSs and IPSs, an operation mode where the analysis engine recognizes baseline normal traffic and events, and generates an incident when an anomaly is detected.

full tunnel

Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.

access control lists (ACLs)

It is also possible to apply permissions to ensure only authorized users can read or modify the data

general concepts

Least privilege, Onboarding/offboarding, Permission auditing and review, Usage auditing and review, Time-of-day restrictions, Recertification, Standard naming convention, Account maintenance, Group-based access control, Location-based policies

impact

Life, Property, Safety, Finance, Reputation

common use cases

Low power devices, Low latency, High resiliency, Supporting confidentiality, Supporting integrity, Supporting obfuscation, Supporting authentication, Supporting non-repudiation, Resource vs. security constraints

access control models

MAC, DAC, ABAC, Role-based access control, Rule-based access control

hashing algorithms

MD5, SHA, HMAC, RIPEMD

recording microphone

MDM software may also be able to lock down use of features

personnel management

Mandatory vacations, Job rotation, Separation of duties, Clean desk, Background checks, Exit interviews, Role-based awareness training, Data owner, Systems administrator, System owner, User, Privileged user, Executive user, NDA, Onboarding, Continuing education, Acceptable use policy/rules of behavior, Adverse actions

special purpose

Medical devices, Vehicles, Aircraft/UAV

Time synchronization use case

Network Time Protocol (NTP)

logs

OS and applications software can be configured to record data about activity on a computer. Logs can record information about events automatically.

concepts

Online vs. offline CA, Stapling, Pinning, Trust model, Key escrow, Certificate chaining

data roles

Owner, Steward/custodian, Privacy officer

certificate-based authentication

PIV/CAC/smart card, IEEE 802.1x

methods

PSK vs Enterprise vs Open, WPS, Captive portals

segregation/segmentation/isolation

Physical, Logical (VLAN), Virtualization, Air gaps

Benchmarks/secure configuration guides

Platform/vendor-specific guides, Web server, Operating system, Application server, Network infrastructure devices, General purpose guides

incident response process

Preparation, Identification, Containment, Eradication, Recovery, Lessons learned

secure coding techniques

Proper error handling, Proper input validation, Normalization, Stored procedures, Code signing, Encryption, Obfuscation/camouflage, Code reuse/dead code, Server-side vs. client-side, execution and validation, Memory management, Use of third-party libraries and SDKs, Data exposure

physical access control

Proximity cards, Smart cards

asymmetric algorithms

RSA, DSA, Diffie-Hellman, Groups, DHE, ECDHE, Elliptic curve, PGP/GPG

Secure DevOps

Security automation, Continuous integration, Baselining, Immutable systems, Infrastructure as code

security device/technology placement

Sensors, Collectors, Correlation engines, Filters, Proxies, Firewalls, VPN concentrators, SSL accelerators, Load balancers, DDoS mitigator, Aggregation switches, Taps and port mirror

tunneling/VPN

Site-to-site, Remote access

non-persistence

Snapshots, Revert to known state, Rollback to known configuration, Live boot media

code quality and testing

Static code analyzers, Dynamic analysis (e.g., fuzzing), Stress testing, Sandboxing, Model verification

in-band

The management channel could use the same network as the link being monitored (in-band)

enforcement and monitoring

Third-party app stores, Rooting/jailbreaking, Sideloading, Custom firmware, Carrier unlocking, Firmware OTA updates, Camera use, SMS/MMS, External media, USB OTG, Recording microphone, GPS tagging, WiFi direct/ad hoc, Tethering, Payment method

hypervisor

Type I, Type II, Application cells/container

operating systems

Types, Network, Server, Workstation, Appliance, Kiosk, Mobile OS, Patch management, Disabling unnecessary ports and services, Least functionality, Secure configurations, Trusted operating system, Application whitelisting/blacklisting, Disable default accounts/passwords

account types

User account, Shared and generic accounts/credentials, Guest accounts, Service accounts, Privileged accounts

defense-in-depth/layered security

Vendor diversity, Control diversity, Administrative, Technical, User training

Use cases

Voice and video, Time synchronization, Email and web, File transfer, Directory services, Remote access, Domain name resolution, Routing and switching, Network address allocation, Subscription services

Voice and video use case

Voice over IP (VoIP), web conferencing, and Video Teleconferencing (VTC)

write once, read many

WORM

Cryptographic protocols

WPA, WPA2, CCMP, TKIP

types of certificate

Wildcard, SAN, Code signing, Self-signed, Machine/computer, Email, User, Root, Domain validation, Extended validation

peripherals

Wireless keyboards, Wireless mice, Displays, WiFi-enabled MicroSD cards, Printers/MFDs, External storage devices, Digital cameras

obfuscation

XOR, ROT13, Substitution ciphers

use of third-party libraries and SDKs

a common alternative to rewriting code, but they may introduce vulnerabilities into an application if they are not securely coded or are improperly used.

single point of failure

a component or system that would cause a complete interruption of a service if it failed

honeypot

a "fake" server designed to appear like the real thing. It's meant to be a trap for attackers. Because it's bait, any traffic to it can be assumed to be malicious.

staging environment

a "production like" environment to test installation, configuration and migration scripts. Performance testing, load testing, processes required by other teams, boundary partners, etc.

privacy-enhanced electronic mail (PEM)

a format in which a DER-encoded binary file is represented as ASCII characters (letters and numbers), making it readable and easy to email

permanent agent

a NAC agent that is installed on a client. It checks the client for health.

dissolvable agent

a NAC agent that runs on a client, but deletes itself later. It checks the client for health. Compare with permanent agent.

secure boot

a UEFI feature that prevents unwanted processes from executing during the boot operation.

ifconfig

a UNIX/Linux-based utility used to gather information about the IP configuration of the network adapter or to configure the network adapter. It has been replaced with the ip command in most Linux distributions.

virtual desktop environment (VDE)

a VM that runs a desktop operating system

ipconfig

a Windows-based utility used to gather information about the IP configuration of a workstation.

full

a backup type in which all selected files, regardless of prior state, are backed up.

yagi

a bar with fins

least privilege

a basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Public Key Cryptography Standards #12 (PKCS#12/.P12)

a binary format used to store a server certificate, intermediate certificate, and a private key in one file that can be encrypted; it is the same as the PFX format and commonly uses the .pfx or .p12 file extension

fingerprint scanner

a biometric technology that can detect the unique patterns and swirls of an individual's finger.

Wi-Fi Protected Setup (WPS) attack

a brute force attack that attempts to discover the PIN of a wireless device that uses Wi-Fi Protected Setup (WPS)

group policy

a centralized configuration management feature available for Active Directory on Windows Server systems

NT LAN manager authentication (NTLM)

a challenge-response authentication protocol created by Microsoft for use in its products

service set identifier (SSID)

a character string that identifies a particular wireless LAN (WLAN).

certificate issues

a client rejecting a server certificate (or slightly less commonly, an authentication server rejecting a client's certificate)

botnets

a collection of compromised computers under the control of a master node; can be utilized in other processor intensive functions and activities; robot networks

Security as a Service (SECaaS)

a computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security

Infrastructure as a Service (IaaS)

a computing method that uses the cloud to provide any or all infrastructure needs.

Platform as a Service (PaaS)

a computing method that uses the cloud to provide any platform-type services.

Software as a Service (SaaS)

a computing method that uses the cloud to provide application services to users.

order of restoration

a concept that dictates what types of systems to prioritize in disaster recovery efforts

separation of duties

a concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

service level agreement (SLA)

a contractual agreement setting out the detailed terms under which a service is provided

asset value

a corporate share's portion of the corporation's net worth, represented by its assets minus its liabilities

secure hash algorithm (SHA)

a cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2

ephemeral key

a cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type (e.g., unique to each message or session)

Public Key Cryptography Standards #7 (PKCS#7 P7B)

a cryptographic message-syntax standard associated with the .p7b file

email blocking

a data loss prevention (DLP) technique for blocking the copying of files at the email

USB Blocking

a data loss prevention (DLP) technique for blocking the copying of files to a USB flash drive

cloud based blocking

a data loss prevention (DLP) technique for blocking the copying of files to the cloud

insider threat

a deliberate effort on the part of an employee to cause damage to the network, reveal company secrets, or adversely affect the operation of the enterprise

privacy impact assessment (PIA)

a detailed study to assess the risks associated with storing, processing, and disclosing PII. The study should identify vulnerabilities that may lead to data breach and evaluate controls mitigating those risks

hardware token

a device held by a user that displays a number or a password that changes frequently, such as every 60 seconds. The number is synchronized with a server and used as a one-time password.

bridge

a device similar to a switch that has one port for incoming traffic and one port for outgoing traffic.

proxy

a device that acts on behalf of one end of a network connection when communicating with the other end of the connection.

correlation engine

a device that aggregates and correlates content from different sources to uncover an attack

hardware security module (HSM)

a device that generates, manages and securely stores encryption keys

access point (ap)

a device that provides a connection between wireless devices and can connect to wired networks

risk register

a document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

a family of message digest algorithms; a message digest algorithm designed as an alternative to MD5 and SHA

data exposure

a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the appropriate access controls; refers to ensuring that data is only available to those with a "need to know"

code signing

a form of digital signature that guarantees that source code and application binaries are authentic and have not been tampered with; refers to the generation of a digital signature for a piece of code so that users can verify that it originates from a legitimate party and has not been modified in transit

proprietary

a form of the confidential classification. Disclosure of proprietary data could have a significant negative effect on an organization

memorandum of agreement (MOA)

a formal agreement (or contract) that contains specific obligations rather than a broad understanding. If one party fails to fulfill its obligations, the other party will be able to seek redress under the terms of the agreement through the courts

blowfish

a freely available 64-bit block cipher algorithm that uses a variable key length.

hot site

a fully configured alternate network that can be online quickly after a disaster.

burning

a good method for destroying data on paper. However, disposing of data on USB drives, DVDs, CDs, or other storage media via burning can give off toxic fumes, making it an environmental issue. This method should be used mainly for data on paper

virtual local area network (logical)

a logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

keylogger

a malicious program that records keystrokes in an active attempt to steal confidential information

internal threat

a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems

network access control (NAC)

a means of ensuring endpoint security—ensuring that all devices connecting to the network conform to a "health" policy (patch level, anti-virus/firewall configuration, and so on)

false acceptance rate (FAR)

a measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.

false rejection rate (FRR)

a measurement of valid users that will be falsely rejected by the system. This is called a Type I error.

hoax

a message that tells of impending doom from a security threat that doesn't exist

loop prevention

a method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.

pretty good privacy (PGP)

a method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography

certificate chaining

a method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.

authentication

a method of validating a particular entity's or individual's unique credentials.

pulping

a method that turns paper into a liquid slurry. This is only for data on paper and the disadvantages outweigh advantages, including having to haul the paper to a pulping facility and ensuring that the paper will be secure until pulping occurs

motion detection

a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room

Industrial Control System (ICS)

a network managing embedded devices (computer systems that are designed to perform a specific, dedicated function)

anomaly-based detection

a network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range.

lightweight directory access protocol (LDAP)

a network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information

directory services use case

a network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers

switch

a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.

crypto-malware

a newer generation of ransomware; your data is made unavailable until you pay

salt

a nonce most commonly associated with password randomization that makes the password hash unpredictable; a security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input.

development environment

a package for programming, usually including an editor with syntax highlighting and other features and an interactive command line

stored procedures

a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a pre-defined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled; group of SQL statements stored in a Relational Database Management System that make functionality available to users of the database. Users should only have access to the minimum set of stored procedures necessary to do their job.

cloud storage

a particular type of Software as a Service where the vendor provides reliable data storage and backup

pre-shared key (PSK)

a passphrase to generate the key that is used to encrypt communications

hacktivist (hacking activist)

a person or group who launches cyber attack(s) as part of an activist movement to promote a political agenda

pivot

a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread); to use various tools to gain additional information

witness interviews

a person who sees an event when it takes place. It is imperative to call the witness to assist the investigation process. The witness can testify about how the event occurred, where and when it occurred, and other information related to the event in question

VM sprawl avoidance

a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where the administrator can no longer manage them effectively. A policy for developing and deploying VMs must be established and enforced.

vishing (voice phishing)

a phishing attack conducted through a voice channel (telephone or VoIP, for instance)

rollback to known configuration

a physical instance might not support snapshots but has an "internal" mechanism for restoring the baseline system configuration, such as Windows System Restore

snapshots

a point-in-time copy of data maintained by the file system

cipher block chaining (CBC)

a popular mode of operation that is relatively easy to implement; an encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block

gnu privacy guard (GPG)

a popular open-source implementation of PGP

rivest cipher 4 (RC4)

a popular streaming symmetric-key algorithm

cold site

a predetermined alternate location where a network can be rebuilt after a disaster.

memorandum of understanding (MOU)

a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however

intranet

a private network that is only accessible by the organization's own personnel.

extranet

a private network that provides some access to outside parties, particularly vendors, partners, and select customers.

legal hold

a process designed to preserve all relevant information when litigation is reasonably expected to occur.

reporting requirements/escalation

a process for indicating to whom information should be distributed and at what point the security event has escalated to the degree that specific actions should be implemented.

memory leak

a process that takes memory without subsequently freeing it up; could be a legitimate but faulty application or could be a worm or other type of malware. To detect a memory leak, look for decreasing Available Bytes and increasing Committed Bytes

after-action reports

a process to determine how effective COOP and DR planning and resources were

microsoft challenge handshake authentication protocol (MS-CHAP)

a protocol that strengthens the password authentication provided by Protected Extensible Authentication Protocol (PEAP)

digital signature algorithm (DSA)

a public key encryption standard used for digital signatures that provides authentication and integrity verification for messages

rivest shamir adleman (RSA)

a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest

stream cipher

a relatively fast type of encryption that encrypts data one bit at a time.

secure shell (SSH)

a remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22

mandatory vacations

a requirement that employees are forced to take their vacation time, during which someone else fulfills their duties.

data owner

a role with overall responsibility for data guardianship

man trap

a secure entry system with two gateways, only one of which is open at any one time.

flood guard

a security control in network switches that protects hosts on the switch against SYN flood and ping flood DoS attacks.

recertification

a security control where user access privileges are audited to ensure they are accurate and adhere to relevant standards and regulations.

screen locks

a security feature that requires the user to enter a PIN or a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications

pinning

a security feature where a certain web server is linked with a public key to minimize the risk of forged certificates

Domain Name System Security Extensions (DNSSEC)

a security protocol that provides authentication of DNS data and upholds DNS data integrity.

Transport Layer Security (TLS)

a security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.

weak implementations

a security system that has known vulnerabilities

Internet Protocol Security (IPSec)

a set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet

redundant array of independent/inexpensive disks (RAID)

a set of vendor-independent specifications that support redundancy and fault tolerance for configurations on multiple-device storage systems

bluetooth connection

a short-range wireless radio network transmission medium normally used to connect two personal devices, such as a mobile phone and a wireless headset.

network address translation (NAT)

a simple form of Internet security that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

ROT13

a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet

session keys

a single-use symmetric key used for encrypting all messages in one communication session

demilitarized zone (DMZ)

a small section of a private network that is located behind one firewall or between two firewalls and made available for public access.

tokens/cards

a smart lock may be opened using a magnetic swipe card or feature a proximity reader to detect the presence of a wireless key fob or one-time password generator (physical tokens) or smart card

software defined networking (SDN)

a software application for defining policy decisions on the control plane

host-based firewall/personal firewall

a software application running on a single host and designed to protect only that host

crypto service provider (CSP)

a software library that implements the Microsoft CryptoAPI

hijacking attack

a software or system takeover

data loss/leak prevention (DLP)

a software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands

stress testing

a software testing method that evaluates how software performs under extreme load

testing risk assessment

a software testing type which is based on the probability of risk

security information and event management (SIEM)

a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

whaling

a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big beasts")

multipurpose proxy

a special proxy that "knows" the application protocols that it supports. For example, an FTP proxy server implements the protocol FTP.

guest account

a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource

trusted platform module (TPM)

a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.

near field communication (NFC) connection

a standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.

remote authentication dial-in user service

a standard protocol used to manage remote and wireless authentication infrastructures

IEEE 802.1X

a standard that authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails.

object identifiers (OID)

a string of decimal numbers used to uniquely identify the objects (e.g., syntaxes, data elements, and other parts of distributed applications). OIDs are usually found in SNMP, X.500 directories, and OSI applications where uniqueness is crucial.

normalization

a string that is stripped of illegal characters or substrings and converted to the accepted character set. This ensures that the string is in a format that can be processed correctly by the input validation routines; refers to transforming user input into the expected format before processing it.

database security

a subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.

advanced encryption standard (AES)

a symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES

twofish

a symmetric key block cipher, similar to Blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits.

initialization vector (IV)

a type of nonce used for randomizing an encryption scheme; a technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption.

server operating system (SOS)

a type of operating system that is designed to be installed and used on a server computer

SSL decryptors

a type of proxy used to examine encrypted traffic before it enters or leaves the network

load balancer

a type of switch or router that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.

block cipher

a type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers

Unified Extensible Firmware Interface (UEFI)/Basic Input Output System (BIOS)

a type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security. A firmware interface that initializes hardware for an operating system boot.

WiFi Direct/ad hoc

a type of wireless network where connected devices communicate directly with each other instead of over an established medium.

password complexity

a typical strong network password should be 12-16 characters. A longer password or passphrase might be used for mission-critical systems or devices where logon is infrequent. No single words; it is better to use word and number/punctuation combinations. Mix upper and lowercase (assuming the software uses case-sensitive passwords)

recovery

a user configured to restore encrypted data in the event that the original key is lost

capture system image

a very effective way of preserving evidence and data and verifying their integrity

virtual desktop infrastructure (VDI)

a virtualization implementation that separates the personal computing environment from a user's physical computer

application cells/containers

a virtualized environment that holds only the necessary operating system components (such as binary files and libraries) that are needed for a specific application to run. Also called a container. This not only reduces the necessary hard drive storage space and Random Access Memory (RAM) needed but also allows containers to start more quickly because the entire operating system does not have to be started.

backdoor

a way of bypassing normal authentication in a system

full device encryption

a way to ensure data at rest is secure even in the event of loss or theft.

likelihood of occurrence

a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.

faraday cage

a wire mesh container that blocks external electromagnetic fields from entering into the container

ANT connection

a wireless sensor protocol that uses a part of the 2.4 GHz range that is reserved for industrial, scientific, and medical (ISM) use

privileged account

able to install and remove programs and drivers, change system-level settings, and access any object in the file system

rule-based access control

access is determined through system-enforced rules as the system checks the ACLs for that object

validation

act of confirming or verifying

injection attack

adding your own information into a data stream

role based access control (RBAC)

administrators provide access based on the role of the user and rights are gained implicitly instead of explicitly

recovery

after the incident has been contained, it's important to restore all your affected systems and services as soon as possible

quantitative risk assessment

aims to assign concrete values to each risk factor

crypto module

algorithms underpinning cryptography that are interpreted and packaged as a computer program or programming library.

Configuration compliance scanner

all of this is a lot of work and automation goes a long way. SCAP is the security content automation protocol. It's a protocol for managing information related to security configurations, and validating them in an automated way. There are tools to help with this, some that are SCAP compliant.

on-premise

all of your applications and all of the servers are going to be running in a data center. It's inside of a building, and you have complete control over everything that happens with those systems.

differential

all selected files that have changed since the last full backup are backed up.

incremental

all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

unified threat management (UTM)

all-in-one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and so on

alternate business practices

allow the information flow to resume to at least some extent

Enterprise

allows WLAN authentication to be integrated with the wired LAN authentication scheme

USB On The Go (OTG)

allows a port to function either as a host or as a device

encryption

allows a program to require a secret key for access to certain data

standard naming convention

allows better administrative control over network resources. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the directory information tree

remote access trojan (RAT)

allows the attacker to remotely access the PC, upload files, and install software on it

group-based access control

allows you to set permissions (or rights) for several users at the same time

system sprawl/undocumented assets

can also be the root of security issues; an overabundance of systems that are not being used; assets that are not being tracked, indicating poor loss prevention and poor inventory control

standalone AP

also referred to as thick access points, do not require a controller and are generally used in smaller environments.

site-to-site

always on, or almost always; a VPN that can be accessed automatically by users

access points

among the most common points of attack; measures should be taken to prevent unauthorized access by addressing weaknesses such as outdated firmware, default usernames and passwords, unlocked management interfaces, and more

certificate

an X.509 digital certificate is issued by a certificate authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization

security assertion markup language (SAML)

an XML-based data format used to exchange authentication information between a client and a service

fat AP

an access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller

social engineering

an activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.

domain hijacking

an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing

random/pseudo-random number generation

an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers

HMAC-based One-time Password (HOTP)

an algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message

terminal access controller access control system plus

an alternative to RADIUS developed by Cisco. The version in current use is TACACS+; TACACS and XTACACS are legacy protocols

software token

an app, or other software that generates a token for authentication.

hardware security module (HSM)

an appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

nonce

an arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.

denial-of-service (DoS) attack

an attack from one attacker against one target

distributed denial-of-service (DDoS) attack

an attack from two or more attackers against one target

dictionary attack

an attack that attempts to discover a password from words in the dictionary

man-in-the-middle (MITM) attack

an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other by redirecting network traffic and inserting malware

extensible authentication protocol (EAP)

an authentication framework; a wireless authentication protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication

openID connect (OIDC)

an authentication layer that sits on top of the OAuth 2.0 authorization protocol.

context-aware authentication

an authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more.

shibboleth

an identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.

memory management

an important aspect of secure coding. Mistakes like freeing the memory associated with a pointer twice can open an application up to attack.

proper error handling

an important component of secure coding. Program crashes are an indicator of potentially exploitable code, so appropriate error handling helps protect applications both by ensuring correct functionality and revealing indicators of potential coding flaws.

Wi-Fi Protected Access (WPA)

an improved encryption scheme for protecting Wi-Fi communications, designed to replace WEP.

Wi-Fi Protected Access 2 (WPA2)

an improved version of WPA that does not support older network cards and offers both secure authentication and data encryption. It uses EAP for a variety of authentication methods—most often EAP-PSK.

Time-based One-time Password (TOTP)

an improvement on HOTP that forces one-time passwords to expire after a short period of time

steward/custodian

an individual who has been assigned or is responsible for the day-to-day proper storage, maintenance and protection of information

privacy officer

an individual who is responsible for overseeing the proper handling of PII

universal serial bus (USB) connection

an industry standard that establishes specifications for cables and connectors and protocols for connection, communication and power supply (interfacing) between computers, peripherals and other computers

standard operating procedure (SOPs)

an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs.

privacy threshold assessment (PTA)

an initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA must be performed. PTAs must be repeated every three years

Wi-Fi Protected Setup (WPS)

an insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN

protected distribution

an intruder could attach eavesdropping equipment to the cable; an intruder could cut the cable

substitution ciphers

an obfuscation technique where each unit of plaintext is kept in the same sequence when converted to ciphertext, but the actual value of the unit changes.

mobile operating system (MOS)

an operating system for mobile phones, tablets, smartwatches, 2-in-1 PCs (that can be converted to laptop mode or detached to work in tablet mode), smart speakers, or other mobile devices

Industry-Specific Framework

an organization can structure their IT departments to best serve the overall need of the organization

clean desk

an organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.

documented incident

an outline that defines in detail what is and is not an incident that requires a response.

resource exhaustion

an overload of requests sent from an attacker to a resource, which can cause the system to slow down and prevent legitimate users from accessing it

rogue access point (AP)

an unauthorized wireless access point (WAP) installed in a computer network to capture traffic

lessons learned

analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident

alternate processing sites/recovery sites

another location that can provide the same (or similar) level of service

live boot media

another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk

policy violation

any act that bypasses or goes against an organizational security policy; be familiar with outcomes, such as retraining, reassignment, and termination. The severity of the outcome will be determined by the seriousness of the breach.

key exchange

any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

adware

any type of software or browser plug-in that displays commercial ads, offers, and deals

application blacklisting

anything not on the prohibited blacklist can run

security guards

armed or unarmed, can be placed in front of and around a location to protect it. They can monitor critical checkpoints and verify identification, allow or disallow access, and log physical entry events. They also provide a visual deterrent and can apply their own knowledge and intuition to potential security breaches. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is correspondingly expensive

discretionary access control (DAC)

the owner controls who has access and can modify access at any time

exercise

aspects of the incident response plan should regularly be tested in a simulated real-world environment

transfer/sharing

assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities)

user certificate

associates a certificate with a user, giving them a powerful electronic "ID card"

boot sector viruses

attack the disk boot sector information, the partition table, and sometimes the file system

secret algorithm

attempting to hide details of the cipher amounts to "security by obscurity"

brute force attack

attempts every possible combination in the key space in order to derive a plaintext password from a hash

rainbow table attack

attempts to discover the password of a hash using a table of pre-computed hashes; refines the dictionary approach

permission issues

audits should be done to verify that personnel have correct access. Personnel shouldn't have too much access, just the appropriate amount

secure token

authentication mechanism that can identify and authenticate. Tell servers (resources) what access rights a user possesses. Can allow or deny access.

challenge handshake authentication protocol (CHAP)

authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks

biometric

authentication schemes based on individuals' physical characteristics.

principles of social engineering

authority, intimidation, consensus, scarcity, familiarity, trust & urgency

qualitative risk assessment

avoids the complexity of the quantitative approach and is focused on identifying significant risk factors.

Logs and events anomalies

be sure to check for any suspicious activity that appears in logs. Verify that logging is enabled to capture these events

agent

best for frequently disconnected machines or machines in the DMZ, based on pull technology

implicit deny

block any traffic that has not matched a rule. Typically the final default rule

counter mode (CTR)

block cipher mode that acts like a stream cipher and encrypts successive values of a "counter"

intent/motivation (attribute of actors)

boredom, raised awareness about a cause, greed, revenge, money

heating, ventilation, and air conditioning (HVAC)

building control systems maintain an optimum heating, cooling, and humidity level working environment for different parts of the building.

band selection/width

can affect availability and performance.

displays

can be manipulated by sending it instructions coded into pixel values in a specially crafted web page

media gateway

can be provisioned as a dedicated appliance or as software running on a server

VM escape protection

can be reduced by using effective service design and network placement when deploying VMs

Wireless scanners/cracker

can be used to detect the presence of such networks and report the network name (SSID), the MAC address of the access point (BSSID), the frequency band (2.4 or 5 GHz) and radio channel used by the network, and the security mode

vulnerabilities due to lack of vendor support

can become an issue at several different levels. The most obvious scenario is when the original manufacturer of the item, be it hardware or software, no longer offers support.

misconfiguration/weak configuration

can cause a system to be taken down; a disabled network, stopped email communications or stopped network traffic

WiFi-enabled MicroSD cards

can connect to a host Wi-Fi network to transfer images stored on the card. Unfortunately, it is straightforward to replace the kernel on this type of device and install whatever software the hacker chooses

Protocol Analyzer

can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.

safe

can feature key-operated or combination locks but are more likely to come with electronic locking mechanisms. Safes can be rated to a particular cash value for the contents against various international grading schemes

improperly configured accounts

can have two different types of impact. On the one hand, setting privileges that are too restrictive creates a large volume of support calls and reduces productivity. On the other hand, granting too many privileges to users weakens the security of the system and increases the risk of things like malware infection and data breach

network operating system (NOS)

can host shared folders and files, enabling them to be copied or accessed over the local network or via remote access (over a VPN, for instance)

organized crime

can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution; a group of people who launch a cyber attack(s), except they function like a legitimate business

heap overflow

can overwrite stored variables of some sort in an area of memory allocated by the application during execution, with unexpected effects. An example is a known vulnerability in Microsoft's GDI+ processing of JPEG images

push notification services

can push a notification to all managed devices. Can be used for a large scale update of software.

systems administrator

can share resources (folders, printers, and other resources) to make them available for network users

automated alerting and triggers

can take an amount of data comparable to a fire hose and shrink it down to the mere trickle that you are looking for. This data can then be run through rules that the system administrator creates which then fires off notification alerts to the system administrator's email informing of said events

level of sophistication (attributes of actors)

can vary depending on the number and skill level of individuals working together as an organized crime

resources/funding (attribute of actors)

can vary depending on the number and skill level of individuals working together as an organized crime

automated courses of action

can work to maintain or to restore services with minimal human intervention or even no intervention at all. For example, you might configure services that are primarily hosted on physical infrastructure to failover to cloud-based instances, or conversely, have a cloud-based system failover to a backup site with physical servers. You could also use automation to isolate a network segment if a computer worm outbreak is detected.

near field communications (NFC) attack

captures data from mobile devices that use near field communication (NFC)

integer overflow

causes the target software to calculate a value that exceeds the bounds of its integer type. This may cause a positive number to become negative (changing a bank debit to a credit, for instance). It could also be used where the software is calculating a buffer size; if the attacker is able to make the buffer smaller than it should be, he or she may then be able to launch a buffer overflow attack

wildcard

certificates based on the name of the server

command line tools

ping, netstat, tracert, nslookup and dig, ipconfig/ifconfig, tcpdump, nmap, netcat or nc

perfect forward secrecy (PFS)

change the method of key exchange; a characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key

access violations

changed system files, missing system files, and other evidence of unusual file states and possible access violations on the system

media access control (MAC) spoofing attack

changes the Media Access Control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address

static code analyzers

check the logic of applications without actually running the code. This is a more difficult but less risky way of determining the functionality of code.

location selection

choosing the location for a processing facility or data center requires considering multiple factors

EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

Cisco's proposal to address the shortcomings of LEAP

wireless mice

clickjacking issues

private cloud

cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations

compiled code

code that is converted from high-level programming language source code into lower-level code that can then be directly executed by the system.

capture video

collect and preserve digital video evidence for legal proceedings

hash-based message authentication code (HMAC)

combines a hash with a secret key; a method (described in RFC 2104) used to verify both the integrity and authenticity of a message by combining cryptographic hash functions, such as MD5 or SHA-1, with a secret key

Temporal Key Integrity Protocol (TKIP)

combines the secret root key with the IV and adds a sequence counter to prevent replay attacks; a mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard

macro viruses

common in Microsoft Office

wireless

computer network that uses wireless data connections between network nodes

appliance operating system (AOS)

computer with software or firmware that is specifically designed to provide a specific computing resource. Such devices became known as appliances because of the similarity in role or management to home appliances, which are generally closed and sealed, and are not serviceable by the user or owner

infrared (IR) connection

computers equipped with an IR sensor could transfer files and other digital data over short-range wireless signals

wearable technology

computing devices that are worn on various parts of the body.

active-active

configurations consist of n nodes, all of which are processing concurrently

active-passive

configurations use a redundant node to failover

usage auditing and review

configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident

WiFi connection

connection via a universal wireless network standard that uses radio waves

cellular connection

connection via cell phone towers that provides high speed transmission

site-to-site

connects two or more local networks, each of which runs a VPN gateway (or router/VPN concentrator)

replay attack (cryptography attacks)

consists of intercepting a key or password hash then reusing it to gain access to a resource, such as the pass-the-hash attack. This type of attack is prevented by using once-only session tokens or timestamping sessions

controller-based AP

controller-based Access points are also known as thin clients and require a controller for centralized management (updates, configuration, etc.) and do not need to be manually configured

technical

controls implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and Intrusion Detection Systems

physical

controls such as alarms, gateways, and locks that deter access to premises and hardware are often classed separately

administrative/management

controls that determine the way people act, including policies, procedures, and guidance. For example, annual or regularly scheduled security scans and audits can check for compliance with security policies

physical

controls that restrict, detect, and monitor access to specific physical areas or assets through measures such as physical barriers, physical tokens, or biometric access controls.

lock types

conventional, deadbolt, electronic

consensus/social proof (principle)

convince based on what's normally expected; "your co-worker Jill did this for me last week"

administrative control/user training

could ensure that the media is not left unattended on a desk and is not inserted into a computer system without scanning it first

vulnerable business processes

could result in disclosure, modification, loss, destruction, or interruption of critical data or it could lead to loss of service to customers; aspects of a business that are vulnerable to security risks, such as the shopping cart of a company's website, a web server or a back-end database server

technical control/endpoint security

could scan the media for malware or block access automatically

nmap

created by Gordon Lyon in 1999 for network scanning and mapping. Check out their website, which is also clearly from the late 90s.

identification

creating an account or ID that identifies the user, device, or process on the network; the process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.

account maintenance

creating an account, modifying account properties, disabling an account, changing an account's password, and so on

authentication issues

credential violations, what to do in the event of credential leaks, system breaches that result in the invalidation of all passwords, and steps to follow after an account impersonation incident

offline brute force attack

cryptographic attack where the attacker steals the password and then tries to decode it by systematically guessing possible keystroke combinations that match the encrypted password

online brute force attack

cryptographic attack where the attacker tries to enter a succession of passwords using the same interface as the target user application

layer 2

data link

private

data of a personal nature and intended only for internal use. Significant negative impact to the organization if disclosed

data sovereignty

data stored in a country is subject to the laws of that country

personally identifiable information (PII)

data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them)

weak cipher suites and implementations

data that it is storing and processing may not be secure. It may also allow a malicious attacker to masquerade as it, causing huge reputational damage; weak encryption technologies

attestation

declare something to be true

proxies

deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on (providing it conforms to the rules)

default configuration

default installation is (theoretically) secure but minimal. Any options or services must explicitly be enabled by the installer; a default username/password that is susceptible to being exploited by an attacker

agentless

designed for centralized, based on push technology

web application firewall

designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks

infrared detection

detects moving heat sources

identification

determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders

SSL accelerators

device that speeds up the process of SSL handshake encryption. The SSL handshake requires some cryptographic overhead and a lot of CPU cycles. Offloads the SSL process to a hardware accelerator. Often integrated into a load balancer.

distance

dictate the need to ensure the recovery site is located far enough from the main data center so as not to be affected by a single incident

risk response techniques

different options available when dealing with risks.

parabolic

dish or grid

load balancer

distributes client requests across available server nodes in a farm or pool

stateless

does not keep track of traffic flows

compensating

does not prevent the attack but restores the function of the system through some other means, such as using data backup or an alternative site

secure baseline

each development environment should be built to the same specification, possibly using automated provisioning

baselining

each development environment should be built to the same specification, possibly using automated provisioning.

sandboxing

each development environment should be segmented from the others. No processes should be able to connect to anything outside the sandbox. Only the minimum tools and services necessary to perform code development and testing should be allowed in each sandbox

virtual IPs

each server node or instance needs its own IP address, but externally a load-balanced service is advertised using a Virtual IP (VIP) address (or addresses)

privileged user

employees with access to privileged data should be given extra training on data management and PII plus any relevant regulatory or compliance frameworks

correlation

enables SIEM to look for similarities, repeating occurrences, and patterns of the event data

protected extensible authentication protocol (PEAP)

encapsulates EAP in a TLS tunnel, one certificate on the server; similar to EAP-TLS, PEAP is an open standard developed by a coalition made up of Cisco Systems, Microsoft, and RSA Security

confusion

encrypted data is drastically different from the plaintext; makes the relationship between an encryption key and its ciphertext as complex and opaque as possible

weak/deprecated algorithms

encryption algorithms that have been cracked and are not considered secure. Avoid proprietary encryption algorithms and "security by obscurity". Avoid MD5, SHA-0, SHA-1 and DES. WEP and WPA are considered weak ciphers.

full disk encryption (FDE/SED)

encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.

symmetric algorithm

encryption schemes that use a shared cryptographic key for both encryption and decryption of data

galois/counter mode (GCM)

encryption with authentication; an encryption mode of operation that adds authentication to the standard encryption services of a cipher mode

virtual private network (VPN) concentrator

encryption/decryption access device for private data traversing a public network; sometimes called a VPN-enabled router

lighting

enormously important in contributing to the perception that a building is safe and secure at night. Well-designed lighting helps to make people feel safe, especially in public areas or enclosed spaces, such as parking garages. Security lighting also acts as a deterrent by making intrusion more difficult and surveillance (whether by camera or guard) easier

continuing education

ensure that the participants do not treat a single training course or certificate as a sort of final accomplishment. Skills and knowledge must be continually updated to cope with changes to technology and regulatory practices

tailgating

entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint

cloud access security broker (CASB)

enterprise management software designed to mediate access to cloud services by users across all types of devices

improper error handling

errors that give users information that is too detailed and is not logged

penetration testing/ethical hacking

essentially involves thinking like an attacker and trying to penetrate the target's security systems; exploits vulnerabilities

subject alternative name (SAN)

extension to an X.509 certificate; the subdomains are listed as extensions. If a new subdomain is added, a new certificate must be issued

social media

be familiar with company acceptable usage policies, how to prevent access to such social media sites via firewalls and filters on the network, as well as group policy implementations to restrict such access

shimming

filling in the space between two objects

network-based

filters traffic by port number; can encrypt traffic into/out of the network; can proxy traffic; most firewalls can be layer 3 devices (routers); firewalls that are better suited for placement at network or segment borders

misconfigured devices

firewalls, content filter, and access points

jailbreaking

iOS is more restrictive than Android so the term "jailbreaking" became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface

patch management

identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

reputation

if a business damages their reputation, this might hurt them in the future

lockout

if an incorrect passcode is entered, the device locks for a set period. This could be configured to escalate (so the first incorrect attempt locks the device for 30 seconds while the third locks it for 10 minutes, for instance). This deters attempts to guess the passcode

low latency

if cryptography is deployed with a real time-sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal

hot and cold aisles

if multiple racks are used, install equipment so that servers are placed back-to-back not front-to-back, so that the warm exhaust from one bank of servers is not forming the air intake for another bank

Data sanitization tools

if you need to get rid of data, there are special data sanitization tools to help. These allow you to "destroy, purge or otherwise identify for destruction" data on systems. Probably pretty useful for government and other highly regulated industries.

offline certificate authority

in PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.

online certificate authority

in PKI, a CA that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks

trust model

in PKI, a description of how users and different CAs exchange information and certificates.

key management

in cryptography, the process of administering cryptographic keys, often performed by a CA, and including the management of usage, storage, expiration, renewal, revocation, recovery, and escrow. In physical security, a scheme for identifying who has copies of a physical key or key card.

adverse actions

in disciplining or firing an employee, the employer is discriminating against them in some way

weak security configurations

include replacing old hardware with compliant versions that have better security features, firmware updates, and configuration updates and updating network configurations to prevent unauthorized access

something you do

indicating action, such as gestures on a touch screen.

strategic intelligence/counterintelligence gathering

information about the changing nature of certain problems and threats for the purpose of developing response strategies and reallocating resources

protected health information (PHI)

information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results

open-source intelligence

information that is available via websites and social media

data-in-use

information that is currently being created, deleted, read from, or written to

data-at-rest

information that is primarily stored on specific media, rather than moving from one medium to another

data-in-transit

information that primarily moves from medium to medium, such as over a private network or the Internet.

improper input handling

input that allows attacks, such as buffer overflow and injection attacks

type 1 hypervisor/bare metal

installed directly onto the computer and manages access to the host hardware without going through a host OS

active tools

interact in a way that can be detected. One passive example is using Wireshark to examine traffic after the fact. An active example is port scanning using Nmap.

proper input validation

involves confirming that user input is of a type and in a format expected by the program and, if not, handling the error appropriately.

model verification

involves testing or proving that an application actually functions in the way that the model says that it should

Electromagnetic Pulse (EMP)

is a very powerful but short-duration wave with the potential to destroy any type of electronic equipment

honeynets

is an entire decoy network

dead code

is executed but has no effect on the program flow. For example, there may be code to perform a calculation, but the result is never stored as a variable or used to evaluate a condition

type II hypervisor/guest OS (host-based)

is itself installed onto a host operating system

System on Chip (SoC)

is one where most of the activities for that particular system take place within an embedded system

shared/generic account

is one where passwords (or other authentication credentials) are known to more than one person

workstation operating system (WOS)

is primarily designed to run applications. Those applications can be a text processor, a spreadsheet application, presentation software, video or audio editors, games, etc.

Electromagnetic Interference (EMI)

is the effect unwanted electromagnetic energy has on electronic equipment

kiosk operating system (KOS)

is the system and user interface software designed for an interactive kiosk or Internet kiosk enclosing the system in a way that prevents user interaction and activities on the device outside the scope of execution of the software.

hardware root of trust/trust anchor

is used to scan the boot metrics and OS files to verify their signatures, then it signs the report and allows the NAC server to trust it

server-side

it can be time-consuming, as it may involve multiple transactions between the server and client

program viruses

it's part of the application

personal email

items such as malware and email viruses; blocking access is one such common solution, and could come up in the exam as a way to troubleshoot and prevent such access from occurring.

round-robin

just means picking the next node

wireless keyboards

keylogging issues

private key

known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely.

key strength

larger keys tend to be more secure and can prevent brute-force attacks; the resiliency of a key to resist attacks

Regulatory Framework

laws and regulations which set out the legal requirements of individual businesses/organisations in terms of limits to their pollution and activities, and the consequences imposed if these are exceeded; government establishes agencies responsible for monitoring and enforcing these regulations (context of use: DPI, EPA, usually when a problem has already arisen)

non-disclosure agreement (NDA)

legal basis for protecting information assets; used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences

time-of-day restrictions

limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion

containment, eradication, and recovery

limiting the scope and impact of the incident. The typical response is to "pull the plug" on the affected system, but this is not always appropriate. Once the incident is contained, the cause can then be removed and the system brought back to a secure state

out-of-band

link that offers better security

facial recognition

looks for unique measurements in an individual's face

life

loss of life or injury to others

stateful

maintaining information about the session established between two hosts (including malicious attempts to start a bogus session); remember the "state" of the session; everything within a valid flow is allowed

preservation

maintenance of a resource in its present condition, with as little human impact as possible.

supporting non-repudiation

make sure the signature isn't fake; confirm the authenticity of data. A digital signature provides both integrity and non-repudiation.

preparation

making the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and establishing confidential lines of communication. It also implies creating a formal incident response plan

viruses

malware that can reproduce itself; it does not require you to click on anything, but it does need you to execute a program

worm

malware that self-replicates and doesn't need user input

spyware

malware that spies on you through advertising, identity theft, and affiliate fraud

improper certificate and key management

manage your keys and certificates; this needs to be well planned. Important decisions can't be made on the fly: • What will be the organization's certificate authority? • How will the CA content be protected? • How will intermediate CAs be created and managed? • Who will validate and sign the organization's certificates? • What is the validation process? • And many more

memory/buffer vulnerability

manipulating memory can be advantageous and relatively difficult to accomplish

digital cameras

may be equipped with Wi-Fi and cellular data adapters to allow connection to the Internet and posting of images directly to social media sites

National Framework

may be used to demonstrate compliance with a country's legal regulatory compliance requirements or with industry-specific regulations

deterrent

may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion, example are cameras

radio frequency identification (RFID) attack

means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else; a sniffing, replay or DoS attack on a radio-frequency identification system (RFID) system

social engineering (hacking the human)

means of getting users to reveal confidential information

virtual desktop infrastructure (VDI)

means provisioning a workstation OS instance to interchangeable hardware

baseline deviation

means testing the actual configuration of clients and servers to ensure that they are patched and that their configuration settings match the baseline template

application whitelisting

means that nothing can run if it is not on the approved whitelist

disablement

means that the account will no longer be an active account and that the user keys for that account are retained, which would not be the case if the account were deleted from the system

always-on VPN

means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate. Microsoft has an Always On VPN solution for Windows Server 2016 and Windows 10 clients (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) and an OpenVPN client can be configured to autoconnect (https://openvpn.net/vpn-server-resources/setting-your-client-to-automatically-connect-to-your-vpn-when-your-computer-starts).

remote access

means that the user's device does not make a direct cabled or wireless connection to the network

remote access use case

means that the user's device does not make a direct cabled or wireless connection to the network

Email and web use case

media gateway servers must connect to untrusted networks

personal identity verification card (PIV)

meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card's owner.

refactoring

metamorphic malware; a different program each time it is downloaded

competitors

might be facilitated by employees who have recently changed companies and bring an element of insider knowledge with them

standard users

might require training on product- or sector-specific issues

continuous monitoring

might use a locally installed agent or heartbeat protocol or may involve checking availability remotely

typo squatting attack

misspelled domains can be profitable depending on the frequency that users enter the misspelled name (for example, visiting amazoon.com or amazun.com)

Bring Your Own Device (BYOD)

mobile deployment model that describes how employees can use their own personal mobile devices to get work done, if they so choose

supporting obfuscation

modern malware tries to hide itself. Encrypted data hides the active malware code. Decryption occurs during execution.

rootkit

modifies core system files as part of the kernel; represents a class of backdoor malware that is harder to detect and remove

host-based intrusion detection system (HIDS)

monitors a computer system for unexpected behavior or drastic changes to the system's state

choose your own device (CYOD)

much the same as COPE but the employee is given a choice of device from a list

machine/computer certificate

necessary to issue certificates to servers, PCs, smartphones, and tablets, regardless of function

elliptic curve

needs large integers composed of two or more large prime factors and is an asymmetric encryption; an asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields

permission auditing and review

needs to be put in place so that privileges are reviewed regularly

password authentication protocol (PAP)

obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping

fencing/gate/cage

needs to be transparent (so that guards can see any attempt to penetrate it), robust (so that it is difficult to cut), and secure against climbing (which is generally achieved by making it tall and possibly by using razor wire). Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance

cyber-incident response teams

need to have a very specific set of skills to combat each incident deftly

layer 3

network layer

Open

no authentication password is required; the client is not required to authenticate. This mode would be used on a public AP (or "hotspot")

accept/retention

no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed

dynamic link library (DLL) injection

not a vulnerability of an application but of the way the operating system allows one process to attach to another; to perform DLL injection, the malware must already be operating with sufficient privileges (typically, local administrator or system privileges). It must also evade detection by anti-virus software. One means of doing this is code refactoring.

disassociation attack

the client is not completely disconnected, but neither can it communicate on the network until it reassociates; an attack that removes a wireless client from a wireless network by using a spoofed MAC address of the client and sending a disassociation frame to the network

passive reconnaissance

not likely to alert the target of the investigation as it means querying publicly available information; the use of open-source intelligence and vulnerability scanning to analyze a system, network or organization

application whitelisting

nothing can run if it is not on the approved whitelist

replay attack (application/service attacks)

occurs when an attacker captures some communication between two parties, and then re-transmits it later. This might get them authenticated, or repeat a transaction

race conditions

occur when the outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer; the condition in which two or more applications attempt to access a resource at the same time

external threat

occurs when an individual or a group seeks to gain protected information by infiltrating and taking over the profile of a trusted user from outside the organization

DNS poisoning attack/pollution attack

occurs when the DNS server's records are modified

service account

often used by scheduled processes, such as maintenance tasks, or may be used by application software, such as databases, for account or system access

Realtime Operating System (RTOS)

often used for time-sensitive embedded controllers, of the sort required for the modulation and frequency shifts that underpin radio-based connectivity

resource vs security constraints

ongoing battle. Browser support vs. supported encryption: make sure the browser supports the encryption type. VPN software support vs. supported algorithms: make sure the VPN concentrator can support the clients being installed on workstations.

watering hole attack

once a visitor visits an unsecured website infected with malware, the visitor's computer is infected with malware

reverse proxy

one that is sitting on the outside of the internet, and anyone who needs to gain access to an internal service such as a web server will first connect to a proxy

cross-site request forgery (XSRF) attack

one-click attack, session riding

script viruses

operating system and browser-based

asymmetric algorithm

operations are performed by two different but related public and private keys in a key pair

Steganography Tools

or "stego" for short, is frequently found in CTFs. Stego is the science of hiding messages in other content. The book has nothing else to say about that so just... be aware, I guess?

Rogue System Detection

organizations will also use topology discovery as an auditing technique to build an asset database and identify non-authorized hosts or network configuration errors

international Framework

others simply mandate "best practice"

exclusive OR (XOR)

outputs true when inputs differ; an operation that outputs to true only if one input is true and the other input is false

buffer overflow attack (compare and contrast types of attacks)

overwriting a buffer of memory that spills over into other memory areas

domain validation

owner of the certificate has some control over a DNS domain

camera systems (CCTV)

part of a physical security system

passive tools

passive tools do not interact with the system in a way that allows detection

penetration testing vs. vulnerability scanning

penetration testing exploits vulnerabilities, while vulnerability scanning just scans for vulnerabilities

take hashes

performed before and after the creation of a forensic image

authentication header (AH)

performs a cryptographic hash on the packet plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality and is consequently not often used.

Network Mapping

performs host discovery and identifies how the hosts are connected together on the network

penetration testing authorization

permission to perform a penetration test

vulnerability testing authorization

permission to perform a vulnerability test.

spear phishing

phishing with inside information by making the attack more believable (by attacking high profile targets like a CEO)

something you are

physical characteristic (fingerprint, face, eye, palm)

preventive

physically or logically restricts unauthorized access

something you know

piece of knowledge (password, PIN)

Backup Utilities

pretty self-explanatory, but at scale, backups become an issue. If you have an entire enterprise to worry about, there are hundreds or thousands of servers and workstations. Each of those needs to be backed up on an automated schedule. And the data needs to be segregated, managed, etc. at scale.

data execution prevention (DEP)

prevent areas in memory marked for data storage from executing code (running a new program)

host-based Intrusion Prevention System (HIPS)

prevents system files from being modified or deleted, prevents services from being stopped, logs off unauthorized users, and filters network traffic

content filters

prevent viruses or Trojans infecting computers from the Internet, block spam, and restrict web use to authorized sites; understand basic payload structures and basic encoding formats, such as ASCII, Hex and Unicode, as well as processed results when dealing with content filters

port security

preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

screen filters

prevents anyone but the user from reading the screen (shoulder surfing)

conventional lock

prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking

canonical encoding rules (CER)

primarily a Windows X.509 file extension

Passwords and PINs

private phrases or words that give a particular user a unique access to a particular program or network

active logging

proactively logging in activity

encryption

process of converting readable data into unreadable characters to prevent unauthorized access.

rules

processes traffic according to access control list rules; traffic that does not conform to a rule that allows it access is blocked.

pointer dereference

programming technique that references a portion of memory; impacts include application crash, debug information displayed, denial of service, etc.; a failed dereference operation that can corrupt memory and sometimes cause an application to crash

redundancy/fault tolerance

protection against system failure by providing extra capacity

supporting integrity

prove the message was not changed; prevent modification of data; validate the contents with hashes (file download, password storage, etc.)

supporting authentication

prove the source of the message; password hashing protects the original password; add salts to randomize the stored password hash

network traffic and logs

provide empirical evidence if the forensic analysts properly collect and preserve them

captive portals

provides a way to authenticate to a network or at least have you agree to certain terms and conditions

common access card (CAC)

provides certificate-based authentication and supports two-factor authentication

HyperText Transfer Protocol Secure (HTTPS)

provides for encrypted transfers, using SSL/TLS and port 443

diffie-hellman ephemeral mode (DHE)

provides for secure key exchange by using ephemeral keys

elliptic curve diffie-hellman ephemeral

provides for secure key exchange by using ephemeral keys and elliptic curve cryptography

address resolution protocol (arp)

query or manipulate a device's ARP table.

electronic lock

rather than a key, the lock is operated by entering a PIN on an electronic keypad. This type of lock is also referred to as cipher, combination, or keyless

shredding

reducing the size of objects to render them useless. These objects can be sheets of paper, CDs and DVDs. Cross-cut and micro-shredders are preferable to strip shredding, as they make the shredded pieces smaller and therefore even harder to use

distributive allocation

refers to the ability to switch between available processing and data resources to meet service requests. This is typically achieved using load balancing services during normal operations or automated failover during a disaster.

modes of operation

refers to the way a cryptographic product processes multiple blocks

bluesnarfing

refers to using an exploit in Bluetooth to steal information from someone else's phone

password history

remembers past passwords and prevents users from reusing passwords

wiping

removing data from a data storage device. Wiping is a synonym for sanitization or purging. The techniques discussed above all lead to a form of data wiping, depending on the thoroughness/quality of the wiping

printers/multifunction devices (MFD)

represent a powerful pivot point on an enterprise network

untrained users

represent a serious vulnerability because they are susceptible to social engineering and malware attacks and may be careless when handling sensitive or confidential data

medical devices

represent an array of systems potentially vulnerable to a wide range of attacks. It is important to recognize that use of these devices is not confined to hospitals and clinics but includes portable devices such as cardiac monitors/defibrillators and insulin pumps

executive user

requires training on compliance and regulatory issues and may need a good understanding of technical controls, secure system architecture and design, and secure supply chain management, depending on the business function they represent

disable default accounts/passwords

required to harden the OS of a workstation PC

corrective

responds to and fixes an incident and may also prevent its reoccurrence

roles and responsibilities

having the right people and ensuring that they know exactly what their role and responsibility are within the incident response plan

evil twin attack

rogue access point disguising as a legitimate one

antenna types and placement

rubber ducky antenna, yagi, parabolic

application-based

run as software on any type of computing host

identify lack of security controls

scan for lack of up-to-date patches or lack of a running antivirus software

identify vulnerability

scan for vulnerabilities without interrupting normal operations; scan vulnerabilities to determine which ones to mitigate; the scanner looks for everything (well, not everything): the signatures are the key; the vulnerabilities can be cross-referenced online, and almost all scanners give you a place to go (National Vulnerability Database: http://nvd.nist.gov/; Microsoft Security Bulletins); some vulnerabilities cannot be definitively identified, so you'll have to check manually to see if a system is vulnerable, but the scanner gives you a heads-up

retinal scanner

scan patterns of blood vessels in the back of the retina

acceptable use policy (AUP)/fair use policy/rules of behavior

sets out what someone is allowed to use a particular service or resource for

driver manipulation

shimming and refactoring

credential management

should instruct users on how to keep their authentication method secure (whether this be a password, smart card, or biometric ID). The credential management policy also needs to alert users to different types of social engineering attacks

personal email

should never be used to conduct official company business. Should only be accessed at work if the company permits. Acceptable use policies should explicitly state what is permissible.

screenshots

shouldn't trust the software tools on the perpetrator's machine. Therefore, it's unwise to use the native screen-capture tool for taking screenshots

netstat

shows network connections to/from a system.

template

similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions

intermediate certificate authority (CA)/hierarchical

a single CA issues certificates to intermediate CAs, which in turn issue certificates to subjects (leaf or end entities)

scarcity (principle)

situation will not be this way for long; must make the change before time expires

proximity cards

small credit card-sized cards that activate when they are in close proximity to a card reader. They are often used by authorized personnel to open doors.

passively test security controls

sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities; identify vulnerabilities without exploiting them

general security policies

social media networks/applications, personal email

antivirus

software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.

Vulnerability scanner

software configured with a list of known weaknesses and exploits and can scan for their presence in a host OS or particular application.

web application firewall (WAF)

software designed to run on a server to protect a particular application only (a web server firewall, for instance, or a firewall designed to protect an SQL Server® database). This is a type of host-based firewall and would typically be deployed in addition to a network firewall

remote wipe

software that allows deletion of data and settings on a mobile device to be initiated from a remote server.

trojan

software that pretends to be something else, so it can conquer your computer

Password cracker

software used to determine a password, often through brute force or dictionary searches.

network operating system (NOS) firewall

software-based firewall running under a network server OS, such as Windows® or Linux®. The server would function as a gateway or proxy for a network segment

external media

some Android and Windows devices support removable storage; such as a plug-in Micro SecureDigital (SD) card slot; some may support the connection of USB-based storage devices

event deduplication

some errors may cause hundreds or thousands of identical error messages to spawn, temporarily blinding the reporting mechanisms of the SIEM system. This type of event storm is identified as a single event.

low power devices

some technologies require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially those that work on battery power. Another example is a contactless smart card, where the card only receives power from the reader and has fairly limited storage capacity, which might affect the maximum key size supported

key escrow

someone else holds your decryption keys; in key management, the storage of a backup key with a third party.

script kiddies

someone that uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks

trust (principle)

someone who is safe; "I'm from IT, and I'm here to help"

familiarity/liking (principle)

someone you know; "we have common friends"

false positive

something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not.

false negative

something that is identified by a scanner or other assessment tool as not being a vulnerability, when in fact it is.

barricades/bollards

something that prevents access. As with any security system, no barricade is completely effective; a wall may be climbed or a lock may be picked, for instance. The purpose of barricades is to channel people through defined entry and exit points

multifactor authentication (MFA)

something you are, something you have, something you know, somewhere you are, something you do

runtime code

source code that is interpreted by an intermediary runtime environment that runs the code, rather than the system executing the code directly.

password length

specifies the minimum number of characters in the password

tabletop exercises

staff "ghost" the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything

shoulder surfing

stealing a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target—they could use high-powered binoculars or CCTV to directly observe the target remotely

avoid

stop doing the activity that is risk-bearing

off-site backups

stored in a location separate from the computer or mobile device site

EAP Transport Layer Security (EAP-TLS)

strong security, wide adoption; requires a client-side certificate for authentication using SSL/TLS

social media networks

such as Twitter, LinkedIn®, and Facebook

external storage devices

such as USB flash drives (and potentially any other type of firmware), present adversaries with an incredible toolkit

removable media control

such as flash memory cards, USB-attached flash and hard disk storage, and optical discs

payment methods

such as wire transfer, bitcoin, or premium rate phone lines

EAP Tunneled Transport Layer Security (EAP-TTLS)

supports other authentication protocols in a TLS tunnel; enables a client and server to establish a secure connection without mandating a client-side certificate

vulnerabilities due to embedded systems

systems that are included within other systems. This term can apply to a stand-alone, single-purpose system designed to provide specific functionality to an overall system; out-of-date security patches; deployments with default configurations

immutable systems

systems that are replaced rather than changed. For example, rather than updating a server, the entire server would be replaced.

heating, ventilation, and air conditioning (HVAC)

systems that provide and regulate heating and cooling

fire suppression

systems work on the basis of the Fire Triangle. The Fire Triangle works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn

content management

tags corporate or confidential data and prevents it from being shared or copied to unauthorized media or channels, such as non-corporate email systems or cloud storage services

asset management

takes inventory of and tracks all the organization's critical systems, components, devices, and other objects of value

home automation

technology makes heating, lighting, alarms, and appliances all controllable through a computer and network interface

host-based firewall/personal firewall

tend to be program- or process-based; implemented as a software application running on a single host, designed to protect that host only

least functionality

that a system should run only the protocols and services required by legitimate users and no more

dynamic analysis

that the application is tested under "real world" conditions using a staging environment

application proxy

that the proxy itself understands the way applications operate so that it's able to take a request for an application and proxy that request on the user's behalf

transport mode

the IP header for each packet is not encrypted, just the data (or payload). This mode would be used to secure communications on a private network (an end-to-end implementation).

message digest 5 (MD5)

the Message Digest Algorithm was designed in 1990 by Ronald Rivest, one of the "fathers" of modern cryptography. The most widely used version is MD5, released in 1991, which uses a 128-bit hash value. It is used in IPSec policies for data authentication

file integrity check

the OS package manager checks the signature or fingerprint of each executable file and notifies the user if there is a problem

high resiliency

the ability to quickly recover from resource vs. security constraints

collision

the act of two different plaintext inputs producing the same exact ciphertext output.

amplification attack/ Distributed Reflection DoS (DRDoS) attack

the adversary spoofs the victim's IP address and attempts to open connections with multiple servers; Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim's available bandwidth; a more powerful TCP SYN flood attack

signal strength

the amount of power used by the radio in an access point or station.

single loss expectancy (SLE)

the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost

annual loss expectancy (ALE)

the amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO)

known cipher text attack

the analyst has obtained the ciphertext but has no additional information about it. The attacker may use statistical methods such as frequency analysis to try to break the encryption

IP Spoofing attack

the attacker changes the source and/or destination address recorded in the IP packet

known plain text attack

the attacker knows or can guess some plaintext presented in a ciphertext, but not its exact location or context. This can greatly assist with analysis

buffer overflow (impact associated with types of vulnerabilities)

the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data

mean time to repair/replace/recover

the average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure

architecture/design weaknesses

the best security system fails if you don't have locks on the doors; the network doors aren't always visible; examine every part of the network: • Ingress • VPN • Third-party access • Internal controls • Account access • Front door access • Conference room access

execution

the carrying out or completion of some task

white box (full disclosure) test

the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. Useful for simulating the behavior of a privileged insider threat

black box (blind) test

the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform the reconnaissance phase. Useful for simulating the behavior of an external threat

collision attack

the creation of a hash from different passwords by a hashing algorithm; different messages are unlikely to produce the same digest

Corporate Owned, Personally-Enabled (COPE)

the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force)

corporate owned, business only (COBO)

the device is the property of the company and may only be used for company business

firewalls

the devices principally used to implement security zones, such as intranet, demilitarized zone (DMZ), and the Internet

transparent proxy

the end users have no idea there's a proxy in the middle, and no additional configuration needs to occur on the operating system to be able to take advantage of the proxy

supply chain

the end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.

production environment

the environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.

artificial/manufactured

the evaluation and assessment of the intentions of people who could pose a threat to an organization, how they might cause harm, and their ability and motivation to carry out the task

supply chain assessment

the evaluation of tradeoffs in your supply chain, including delivery times, inventory availability, transportation costs, facility costs, inventory investment and which suppliers to purchase from, to find the highest service and lowest cost supply chain design

testing environment

the hardware and software that are used to test (usually integration testing and system testing) a software product

control diversity

the idea is that to fully compromise a system, the attacker must get past multiple security controls

geolocation

the identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.

escalation of privilege

the initial exploit might give them local administrator privileges. They might be able to use these to obtain system privileges on another machine and then domain administrator privileges from another pivot point.

recovery time objective (RTO)

the length of time it takes after an event to resume normal business operations and activities

user account

the logon ID required for any user who wants to access a Windows computer

recovery point objective (RPO)

the longest period of time that an organization can tolerate lost data being unrecoverable

public

the lowest data classification level. Public data disclosure will not have a significant negative impact on an organization

confidential

the most sensitive classification level. Generally, this data is for internal use only. If disclosed, it will have a significant negative impact for the organization

federation

the notion that a network needs to be accessible to more than just a well-defined group, such as employees

annual rate of occurrence (ARO)

the number of times an incident is expected to occur in a year

nation states/advanced persistent threat (APT)

the ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques

trusted operating system (TOS)

the operating system component of the TCB that protects the resources from applications

mandatory access control (MAC)

the operating system limits the operation on an object based on security clearance levels

order of volatility (OOV)

the order in which volatile data should be recovered from various storage locations and devices after a security incident occurs

mitigate/remediate

the overall process of reducing exposure to or the effects of risk factors

owner

the person who has final organizational responsibility for classifying, labeling, protecting and storing the information

triple DES (3DES)

the plaintext is encrypted three times using different subkeys

rubber ducky antennas

the plastic-coated variants often used on access points

crossover error rate (CER)

the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology

job rotation

the policy of preventing any one individual performing the same role or tasks for too long. Personnel should rotate between job roles to prevent abuses of power, reduce boredom, and improve professional skills

geofencing

the practice of creating a virtual boundary based on real-world geography.

version control

the practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes; an ID system for each iteration of a software product

cloud

the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer

continuous integration

the principle that developers should commit updates often (every day or sometimes even more frequently). This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another

legal and compliance

the process by which a business ensures that it observes and complies with the external statutory laws and regulations

data exfiltration

the process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

GPS tagging

the process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on

data retention

the process of an organization maintaining the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations

change management

the process of approving and executing change in order to assure maximum security, stability, and availability of IT services.

impact

the process of assessing the probabilities and consequences of risk events if they are realized

vulnerability scanning

the process of auditing a network (or application) for known vulnerabilities; scans for vulnerabilities

onboarding

the process of bringing in a new employee, contractor, or supplier.

domain name resolution use case

the process of converting a domain name into a public IP address.

virtualization

the process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.

provisioning

the process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.

authorization

the process of determining what rights and privileges a particular entity has.

offboarding

the process of ensuring that all HR and other requirements are covered when an employee leaves an organization.

exit interview

the process of ensuring that an employee leaves a company gracefully

analytics

the process of reviewing the events and incidents that trigger IDS/IPS.

onboarding

the process of welcoming a new employee to the organization

elasticity

the property by which a computing environment can instantly react to both increasing and decreasing demands in workload.

scalability

the property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

high availability

the property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.

mean time between failures (MTBF)

the rating on a device or component that predicts the expected time between failures

chain of custody

the record of evidence history from collection, to presentation in court, to disposal.

non-credentialed scan

the scanner cannot log in to the remote device; one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given any sort of privileged access

Secure POP

the secured version of the protocol, operating over TCP port 995 by default

record time offset

server and workstation clocks often differ slightly (or are out of sync to some degree) from actual time

electronic code book (ECB)

the simplest encryption mode and too simple for most use cases; an encryption mode of operation where each plaintext block is encrypted with the same key

authority (principle)

the social engineer is in charge; "calling from the help desk/office of the CEO/police"

expiration

the specified amount of time when an account expires to eliminate the possibility that it will be forgotten about and act as possible system backdoors

persistence

the tester's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor

tunnel mode

the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). This is also referred to as a router implementation.

tethering

there are also various means for a mobile device to share its cellular data or Wi-Fi connection with other devices

aggregation switches

these are functionally similar to layer 3 switches, but the term is often used for high-performing switches deployed to aggregate links in a large enterprise or service provider's routing infrastructure.

Exploitation frameworks

these are toolsets designed to help attackers exploit systems. Some of these tools include automation. Groupings of these tools represent (somewhat) standardized ways of attacking, and a framework for moving through an attack. The most famous example is Metasploit.

secure cabinets/enclosures

these can be supplied with key-operated or electronic locks

Non-Regulatory Framework

they do not attempt to address the specific regulations of a specific industry but represent "best practice" in IT security governance generally

application management

they focus on managing a part of the device, not all of it. When the device is joined to the corporate network through enrollment with the EMM software, it can be configured into a corporate "workspace" mode in which only a certain number of whitelisted applications can run

containerization

this allows the employer to manage and maintain the portion of the device that interfaces with the corporate network

property

this includes damage to business property, property of others, or environmental damage

deadbolt lock

this is a bolt on the frame of the door, separate from the handle mechanism

passive test access point (TAP)

this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port

snapshot/revert to known state

this is a saved system state that can be reapplied to the instance

master image

this is the "gold" copy of a server instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template.

infrastructure as code

this is the principle that when deploying an application, the server instance supporting the application can be defined and provisioned through the software code. Imagine a setup program that not only installs the application but also creates a VM and OS on which to run the application.

community cloud

this is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies

switched port analyzer/mirror port

this means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports)

integrity measurement

this process determines whether the development environment varies from the secure baseline

background checks

this process essentially determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky

encapsulating security payload (ESP)

this provides confidentiality and authentication by encrypting the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet (a header, a trailer [providing padding for the cryptographic function], and an Integrity Check Value).

system owner

this role is responsible for designing and planning computer, network, and database systems. The role requires expert knowledge of IT security and network design

aircraft/unmanned aerial vehicle

this sector ranges from full-size fixed wing aircraft to much smaller multi-rotor hover drones

rooting

this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device

environmental

those caused by some sort of failure in the surrounding environment. These could include power or telecoms failure, pollution, or accidental damage (including fire)

subscription services use case

those services that offer membership for a fee, usually on a monthly or annual basis

mission-essential functions

those that MUST occur. If they don't occur, or are performed improperly, the mission of the business is directly impacted

sensors

to aggregate data outputs from multiple sources

secure configurations

to allow the OS and applications software to execute that role

initial exploitation/weaponization

used to gain some sort of access to the target's network. This initial exploitation might be accomplished using a phishing email and payload or by obtaining credentials via social engineering

replay attack (wireless attacks)

used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly

digital signatures

used to prove the identity of the sender of a message and to show that a message has not been tampered with since the sender posted it. This provides authentication, integrity, and non-repudiation. To create a digital signature using RSA encryption, the private key is used to encrypt the signature; the public key is distributed to allow others to read it

cable locks

used to secure portable computers, external hard drives, and other portable pieces of hardware to a table or other object

email certificate

used to sign and encrypt email messages, typically using S/MIME or PGP

horizontal privilege escalation

user A can access user B resources

single sign-on (SSO)

user only has to authenticate to a system once to gain access to all the resources to which the user's account has been granted rights

attribute-based access control (ABAC)

users can have complex relationships to applications and data, and access may be based on many different criteria

RADIUS Federation

uses 802.1X as the authentication method, RADIUS on the backend, and EAP to authenticate

initialization vector (IV) attack

uses a number, the IV, to find a wireless protocol's pre-shared key and use packet injection techniques on the network

Transport Layer Security (TLS)

uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.

Secure Sockets Layer (SSL)

uses certificates for authentication and encryption to protect web communication.

iris scanner

uses pattern-recognition techniques based on images of the irises of an individual's eyes.

code reuse

using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function in a different context). The risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities (perhaps the function's input parameters are no longer validated in the new context)

client-side

usually restricted to informing the user that there is some sort of problem with the input before submitting it to the server. Even after passing client-side validation, the input will still undergo server-side validation before it can be posted (accepted). Relying on client-side validation only is poor programming practice.

zero day attack

vulnerability that is exploited before the developer knows about it or can release a patch

development life-cycle models

waterfall, agile

smart devices/IoT

wearable/technology, home automation

new threats/zero day

what you don't know can really hurt you, and you won't even see it coming; vulnerabilities are sitting in your system, waiting for someone to find them; some problems are hidden for years; as soon as the problem is discovered (day zero), patch it; there isn't always time to properly test, so balance severity with stability; WannaCry ransomware hit on May 12, 2017, however, the patch had been available since March 14

vertical privilege escalation/elevation

where a user or application can access functionality or data that should not be available to them. For instance, a user might have been originally assigned read-only access (or even no access) to certain files, but after vertical escalation, the user can edit or even delete the files in question

mail gateway

where all the information coming in and out is filtered through that gateway before ever coming into an internal email server

stack overflow

where an attacker could use a buffer overflow to change the return address, allowing the attacker to run arbitrary code on the system. Two examples of this are the Code Red worm, which targeted Microsoft's IIS web server (version 5) and the SQLSlammer worm, which targeted Microsoft SQL Server® 2000

false positive

where legitimate behavior is identified as an incident; a reported vulnerability that does not exist

VPN concentrators

where the functionality is part of a router or dedicated security appliance

waterfall

where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.

somewhere you are

where the user is located

man-in-the-browser (MITB) attack

where the web browser is compromised by installing malicious plug-ins or scripts or intercepting API calls between the browser process and DLLs

thin AP

an access point that requires a wireless controller in order to function is known as a thin AP

business partners agreement (BPA)

while there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers

tracert or traceroute

Windows command for tracing the route a packet takes over the network.

urgency (principle)

works alongside scarcity; "act quickly, don't think"

ARP poisoning attack

works by broadcasting unsolicited ARP reply packets. Because ARP is an antiquated protocol with no security, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address

credentialed scan

you are a normal user, emulates an insider attack; given a user account with logon rights to various hosts plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also demonstrates what an insider attack or one where the attacker has compromised a user account may be able to achieve

clickjacking attack

you are clicking on a button, but you are actually clicking on something else

intrusive scan

you will try out the vulnerability to see if it works; an exploitation framework; a test that disrupts the operations of a system; also known as a penetration test; attempts to exploit vulnerabilities
