Security Plus part 2
Offline Password Attack
Attempts to discover passwords from a captured password database or a captured packet trace, rather than by interacting with the live system.
Principles of Social Engineering
Authority - Citing position, responsibility, or affiliation that grants the attacker the authority to make the request
Intimidation - Suggesting you may face negative outcomes if you do not facilitate access or initiate a process
Consensus - Claiming that someone in a similar position or a peer has carried out the same task in the past
Scarcity (quantity) - Limited opportunity or diminishing availability that requires the task be done in a certain amount of time; similar to urgency
Familiarity (liking) - Attempting to establish a personal connection, often citing mutual acquaintances; social proof
Trust - Citing knowledge and experience, or assisting the target with an issue, to establish a relationship
Urgency - Time sensitivity that demands immediate action; similar to scarcity
SSH (Secure Shell Protocol)
Can use symmetric or asymmetric encryption, but those ciphers are not associated with TLS.
Command and Control Malware
Computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and to receive stolen data from a target network
Key frameworks: National Institute of Standards and Technology (NIST)
Cyber Security Framework (CSF): NIST RMF/CSF is a set of guidelines and best practices to help organizations build and improve their cyber security posture.
-CSF is aimed at private industries (commercial businesses)
-Replaces NIST's Risk Management Framework (RMF), which was designed to focus on risk management for governmental agencies
General Data Protection Regulation (GDPR)
Deals with the handling of data while maintaining the privacy and rights of an individual. Created by the EU, which has 27 member countries. GDPR applies to ANY company with customers in the EU.
Key frameworks: International Organization for Standardization (ISO)
Develops global technical, industrial and commercial standards. ISO standards: ISO 27001, ISO 27002, ISO 27701 (extension of 27001/27002), ISO 31000
Detective Controls
Discover or detect unwanted or unauthorized activity. Examples: Security guards, guard dogs, motion detectors, job rotation, mandatory vacations, audit trails, intrusion detection systems, etc.
SNMPv2 (Simple Network Management Protocol version 2)
Does not implement TLS, or any encryption, within the network communication.
Competitor threat actor
Gains no direct financial benefit from disrupting a website or stealing customer lists; the objective is often to disable a competitor's business or to harm its reputation.
Continuity of Operations Plan (COOP)
Ensures that the business will continue to operate when a disruptive event occurs
Espionage & Sabotage
Espionage (External) - When a competitor tries to steal information; they may use an internal employee.
Sabotage (Internal) - Malicious insiders can perform sabotage against an org if they become disgruntled for some reason.
Gramm-Leach-Bliley Act (GLBA)
Focused on the privacy of customer data held by banks, lenders, and insurers, and on the services they provide
Typosquatting/URL hijacking
Form of cybersquatting (sitting on sites under someone else's brand or copyright) targeting users who type an incorrect website address
- Often employs a drive-by download that can infect a device even if the user does not click anything
Memorandum of Understanding (MOU)
Formal agreement between two or more parties indicating their intention to work together towards a common goal. Similar to an SLA, it defines the responsibilities of each party, but lacks the binding power of a contract.
Passive Footprinting
Gathering information about a target without direct interaction, collecting it only from publicly accessible sources: websites, DNS records, business information databases
Benchmarks/secure configuration guides
Guidelines to help set up and operate computer systems to a secure level that is understood and documented. Benchmarks aim to ease the process of securing a component, reduce the attack footprint, and minimize the risk of a security breach.
-Unneeded services are disabled, and the operating system is hardened to minimize the risk of a security breach
Protected Health Information (PHI)
Health-related information that can be related to a specific person.
ISO 27002 Standard
It establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
Control Categories
Managerial - Policies and procedures defined by the org's security policy and by other regulations and requirements
Operational - Executed by company personnel during their day-to-day work. Examples: security awareness training, change management, business continuity plan (BCP)
Technical - aka "logical"; hardware or software mechanisms implemented by the IT team to reduce risk. Examples: firewall rules, antivirus/anti-malware, IDS/IPS, etc.
SoC (System on a Chip)
Multiple components that run on a single chip
Key frameworks: Center for Internet Security (CIS)
Not-for-profit organization that publishes information on cybersecurity best practices and threats. Has tools to help harden your environment and support risk management. Provides benchmarks for different operating systems and controls to help secure your organization.
SSAE SOC Type 2
Often written as "Type II". Assesses how effective the controls are over time by observing operations for six months.
Compensating Controls
Alternatives to other existing controls that aid in the enforcement of security policies. Examples: Security policy, personnel supervision, monitoring, and work task procedures.
Reconnaissance Techniques
Passive Discovery - Does not send packets to the target; e.g. Google hacking, phone calls, DNS and WHOIS lookups
Semi-Passive Discovery - Touches the target with packets in a non-aggressive fashion to avoid triggering the target's alarms
Active Discovery - Aggressive techniques likely to be noticed by the target, including port scanning and tools like Nmap and Metasploit
Key frameworks: Cloud Security Alliance (CSA)
Produces resources to help Cloud Service Providers (CSPs), like online training, webinars, discussion groups, and virtual summits.
-Cloud Control Matrix (CCM)
-CSA Reference Architecture
Electronic Communications Privacy Act (ECPA)
Prohibits a third party from intercepting or disclosing communications without authorization
Measurement System Analysis (MSA)
Provides a way for an organization to evaluate the quality of the process used in their measurement systems. MSA is an important element of Six Sigma methodology and of other quality management systems.
ISO 31000
Provides principles, a framework and a process for managing risk for organizations of any size in any sector, meaning commercial or government
ISO 27701 (Extension of 27001/27002)
Provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving an information system with private data.
SSAE SOC Type 1
A report that assesses the design of security processes at a specific point in time.
Corrective Controls
Return systems to normal after unwanted or unauthorized activity has occurred. Examples: Intrusion prevention systems, antivirus solutions, alarms, mantraps, business continuity planning and security policies.
Key frameworks: Statements on Standards for Attestation Engagements (SSAE)
SSAE 18 is an audit standard to enhance the quality and usefulness of System and Organization Control (SOC) reports.
-SOC Types 1 and 2
-Designed for larger organizations, such as cloud providers
PCI DSS (Payment Card Industry Data Security Standard)
Set of policies and procedures intended to optimize the security of credit, debit and cash card transactions
-Card info must be protected wherever it is stored
-Systems should be protected against the activities of malicious hackers
-A formal information security policy must be defined, maintained, and followed
Anonymization Techniques
The process of removing all identifying data so that it is impossible to identify the original subject or person. Good if you don't need the data.
Pseudonymization
The process of using pseudonyms to represent other data. It can be done to prevent the data from directly identifying an entity, such as a person. Good if you need the data and want to reduce exposure.
Children's Online Privacy Protection Act (COPPA)
Designed to protect children under the age of 13
IoT (Internet of Things)
Wearable technology and home automation devices
Role-based training
When a company carries out security awareness training and ensures that all employees are sufficiently trained for their job roles.
CSA Reference Architecture
Contains best security practices and examples for CSPs; examines topics such as:
-Security and risks
-Presentation services
-Application services
-Information services
-IT Operation and Support (ITOS)
-Business Operation and Support Services (BOSS)
RTO (Recovery Time Objectives)
Define the target time within which a particular service level must be restored
Service Level Agreement (SLA)
Formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer. Often includes penalties if the vendor doesn't meet expectations. Example: maximum downtimes. Generally used with vendors (external).
Transport Layer Security (TLS)
A cryptographic protocol used to encrypt network communication. Although SSL (Secure Sockets Layer) is no longer commonly in use, you may still see TLS communication referred to as SSL.
Communication plan
A predefined list of contacts and processes used to inform key members of the organization
EAP-FAST (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling)
An updated version of LEAP (Lightweight EAP), which was commonly used after WEP (Wired Equivalent Privacy) was replaced with WPA (Wi-Fi Protected Access)
Sensitive Data
Any information that isn't public or unclassified.
-Personally Identifiable Information (PII)
-Protected Health Information (PHI)
Organized crime actor
Motivated by money; their hacking objectives are usually built around targets that can be easily exchanged for financial capital
MTTR (Mean Time to Restore)
The amount of time it takes to repair a component.
MTTF (Mean Time to Failure)
The expected lifetime of a nonrepairable product or system.
MTBF (Mean Time Between Failures)
Prediction of how often a repairable system will fail
PEAP (Protected Extensible Authentication Protocol)
Provides a method of authentication over a protected TLS (Transport Layer Security) tunnel. EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake Authentication Protocol v2) is a common implementation of PEAP.
Public Key Infrastructure (PKI)
The system for issuing pairs of public and private keys and the corresponding digital certificates
Tabletop exercise
Usually consists of a meeting where members of a recovery or disaster recovery team talk through a disaster scenario
Federation
Allows members of one organization to authenticate using the credentials of another organization.
Non-Disclosure Agreement (NDA)
A legal contract with vendors and suppliers not to disclose the company's confidential information. Examples:
Employer-employee NDA: Restricts employees from revealing trade secrets and business information.
Company-contractor NDA: Restricts hired contractors from taking business information and sharing it with competitors or using it for themselves.
potentially unwanted program (PUP) Malware
An application that may be unwanted, often delivered alongside a program the user wants. PUPs include spyware, adware, and dialers.
Personally Identifiable information(PII)
Any data that could potentially identify a specific individual (name, SSN, birthdate/place, biometric records, etc.)
Pretexting
Attacker develops a story, or pretext, in order to fool the victim. Pretext often leans on establishing authority.
Online Password Attack
Attempts to discover a password from a live online system; for example, an attacker trying to log on to an account by guessing the user's password.
- Most web and Wi-Fi attacks are online attacks
Deterrent Controls
Deployed to discourage violation of security policies. Examples: Cable locks, hardware locks, video surveillance and guards
SOAR (Security Orchestration, Automation, and Response)
Designed to make security teams more effective by automating processes and integrating third-party security tools
(CSA): Cloud Control Matrix (CCM)
Designed to provide a guide on security principles for cloud vendors and for potential cloud customers to assess the overall risk of a cloud provider.
-For the exam, remember that the CSA CCM helps potential customers measure the overall risk of a CSP
Collusion
An agreement among multiple persons to perform some unauthorized or illegal action. Example: Several airlines agree not to offer routes in each other's markets, thereby restricting supply and keeping prices high.
End of Life (EOL)
Point at which a vendor stops selling a product and may limit replacement parts and support.
Security Controls
Preventive - Physically limits access to a device or area
Corrective - Can actively work to mitigate any damage
Detective - May not prevent access, but it can identify and record any intrusion attempts
Compensating - Doesn't prevent an attack, but it does restore from an attack using other means
Physical - Real-world security, such as a fence or door lock
Health Insurance Portability and Accountability Act (HIPAA)
Relates to Protected Health Information (PHI)
Federal Information Security Management Act (FISMA)
Requires that government agencies include the activities of contractors in their security management programs
Memorandum of Agreement (MOA)
Similar to a MOU but is legally binding and describes terms and details of the agreement.
Reducing GDPR Exposure
Steps to reduce or eliminate GDPR requirements: anonymization, pseudonymization
Preventative Controls
Stop unwanted or unauthorized activity from occurring. Examples: Fences, locks, biometrics, mantraps, alarm systems, etc.
CASB (Cloud Access Security Broker)
Two common functions of a CASB are visibility into application use and enforcement of data security policy. Other common CASB functions are verification of compliance with formal standards and the monitoring and identification of threats.
Business Partnership Agreement (BPA)
Agreement between two companies that want to participate in a business venture to make a profit. Details each partner's contributions, rights and responsibilities, as well as the details of operations, decision-making, and sharing of profits.
Gamification
Used in computer-based training (CBT) to present employees with a question or challenge.
-May promote competition by awarding points and keeping a leaderboard
VPN concentrators
Used to connect many remote networks and clients to a central corporate network. Commonly used to provide secure connectivity for remote users.
Dictionary Attack - Password attack
Uses programs with built-in dictionaries that attempt all dictionary words to try to find the correct password. Remediation: MFA, biometric authentication, limiting the number of attempts, forcing resets after a certain number of failed attempts
Health information technology for economic and clinical health (HITECH)
Widens the scope of privacy protections under HIPAA
Physical Controls
A control you can physically touch. Examples: Guards, fences, motion detectors, locked doors, sealed windows, lights, cable protectors, laptop locks, etc.
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security)
Allows the use of multiple authentication protocols transported inside an encrypted TLS (Transport Layer Security) tunnel. This allows the use of any authentication method while maintaining confidentiality with TLS.
RTOS (Real-time Operating Systems)
Commonly used in manufacturing and automobiles
End of Service Life (EOSL)
- Manufacturer stops selling a product
- Support is no longer available for the product
- No ongoing security patches or updates
- May have a premium-cost support option
Keyloggers Malware
A type of spyware where a hacker captures keyboard keystrokes, including the keystrokes used to sign in to accounts.
Multifunctional Device (MFD)
An all-in-one printer that can print, scan, and fax
ISO 27001
An international standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS)
Social Media Analysis
Analysis of a potential employee's social media during the hiring process to understand more about an individual based on their internet presence.
-Helps identify cultural alignment and character concerns