WGU C706 - Secure Software Design (February 2023)

Compliance Checks

These checks verify that all of the controls listed in a compliance plan are functioning properly and are effectively meeting regulatory requirements.

Just-in-time (JIT) Provisioning

These solutions automatically create the relationship between two entities so that new users can access resources.

Business Case

To demonstrate a business-specific need to alter an existing process or choose an approach to a business task.

Security Audits

Use many of the same techniques followed during security assessments but must be performed by independent auditors. Audits are performed with the purpose of demonstrating the effectiveness of controls to a third party. Auditors provide an impartial, unbiased view of the organization's security controls.

Parameter Pollution

A web application attack where the attacker supplies multiple instances of the same parameter name in an HTTP request.

Cross-Site Scripting (XSS)

A web application vulnerability. Attackers embed malicious HTML or JavaScript code into a web site's code, which executes when a user visits the site.

Memory Leak

An undesirable state in which a program requests memory but never releases it, which can eventually prevent other programs from running.

Malware (Malicious Software)

Includes a broad range of software threats that exploit various network, operating system, software, and physical security vulnerabilities to spread malicious payloads to computer systems.

Boot Sector Virus

Infect the legitimate boot sector and are loaded into memory during the operating system load process.

Zero-Day Vulnerabilities

Security flaws discovered by hackers that have not been thoroughly addressed by the security community.

Threat Modeling

Security process where potential threats are identified, categorized, and analyzed.

Security Tests

Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security. Security testing should take place on a regular schedule, with attention paid to each of the key security controls protecting an organization.

Primary Key

Selected from the set of candidate keys for a table to be used to uniquely identify the records in a table. Each table has only one primary key.

TCP ACK Scanning

Sends a packet with the ACK flag set, indicating that it is part of an open connection. May be done to attempt to determine the rules enforced by the firewall, and the firewall methodology.

Xmas Scanning

Sends a packet with the FIN, PSH, and URG flags set -a packet with so many flags lit is said to be "lit up like an xmas tree"

TCP SYN Scanning

Sends a single packet to each scanned port with the SYN flag set. -aka "half-open" scanning -looking to see if receives the SYN and ACK flags

Concepts, conditions, and aspects of confidentiality include the following:

Sensitivity Discretion Criticality Concealment Secrecy Privacy Seclusion Isolation

Terminal Access Controller Access-Control System Plus (TACACS+)

Separates authentication, authorization, and accounting into separate processes, which can be hosted on three different servers if desired. Encrypts all authentication information, not just the password. Developed by CISCO.

Chief Information Officer (CIO)

The senior manager responsible for the overall management of information resources in an organization

Third-Party Governance

The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.

Information Security (Infosec) Team

The team or department responsible for security within an organization.

Time of Check (TOC)

The time at which a subject checks on the status of an object.

Time of Use (TOU)

The time at which the decision is made by a subject to access an object.

Dirty Reads

The transaction reads a changed record that has not been committed to the database.

two-factor authentication (2FA)

The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication.

Graph Database

a database that uses graph structures for query operation with nodes, edges, and properties to represent and store data. Example of NoSQL.

Identity as a Service (IDaaS)

third party service that provides id and access mgmt. -effectively provides SSO for the cloud and is esp. useful when clients access SaaS app's.

Supervised Learning

uses labeled data sets to train the algorithm

Trusts

Established between domains to create a security bridge and allow users from one domain to access resources on another. Trusts can be one-way only, or two-way.

Due Diligence

Establishing a plan, policy, and process to protect the interests of an organization.

Test Coverage Analysis

Estimates the degree of testing conducted against the new software test coverage = # of use cases tested / total # of use cases.

Dynamic Application Security Testing (DAST)

Evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.

Static Application Security Testing (SAST)

Evaluates the security of software without running it by analyzing either the source code or the compiled application.

Discretionary Access Control (DAC)

Every object has an owner and the owner can grant or deny access to any other subjects.

White-Box Testing

Examines the internal logical structures of a program and steps through the code line by line, analyzing the program for potential errors. Testers have access to the source code.

Black-Box Testing

Examines the program from a user prospective by providing a wide variety of input scenarios and inspecting the output. Testers do not have access to the internal code.

Physical Interfaces

Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.

Cross-Site Request Forgery (CSRF or XSRF)

Exploits the trust a site has in the user's browser. Tricks a user into sending unauthorized commands to a web application.

Request Forgery Attack

Exploits trust relationships and attempts to have users unwittingly execute commands against a remote server.

External Audits

External audits are performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessment theoretically have no conflict of interest with the organization itself. Audits performed by these firms are generally considered acceptable by most investors and governing body members.

Security Through Obscurity

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices. Different from data hiding.

Tokenization

Replaces personal identifiers that might directly reveal an individual's identity with a unique identifier using a lookup table.

False Positive Report

Reports a vulnerability when there really is no problem

Change Management Process Components

Request Control: Provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks. Change Control: The change control process is used by developers to re-create the situation encountered by the user and to analyze the appropriate changes to remedy the situation. Release Control: Once changes are finalized, they must be approved for release through the release control procedure. Any code used for troubleshooting or debugging is removed before release. Usually includes acceptance testing.

Process/Policy Review

Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.

Need to Know

Requirement of access to data for a clearly defined purpose.

Context-Dependent Access Control

Requires specific activity before granting users access. An example would be the data flow of a transaction selling digital products.

Software Development Kit (SDK)

A package containing development tools and libraries for creating applications.

Object

A passive entity that provides information to active subjects.

Open Database Connectivity (ODBC)

- A database feature that allows applications to communication with different types of databases without having to be directly programmed for interaction with each type. - Acts as a proxy between applications and backend database drivers, giving application programmers greater freedom in creating solutions without having to worry about the backend database system.

Vulnerability Management Workflow

- Detect - Validate - Remediate

DevOps Approach

- Seeks to resolve issues of software development, quality assurance, and technology operations by bringing the three functions together in a single operational model. - The name symbolizes that the functions must merge and cooperate to meet business requirements. - Closely aligned with the Agile development approach. - Aims to dramatically decrease the time required to develop, test, and deploy software changes.

Network Vulnerability Scans

-go deeper than network discovery scans -these do not stop with detecting open ports but continue to probe a system for the presence of known vuln's -uses the tests in its database to determine whether a system may contain the vuln -can give false positives -can give false negatives -> much more dangerous -by default, these run unauthenticated scans (w/o special privileges like user login)

Ethical Disclosure

1-Notify the vendor of the vulnerability 2-Provide the vendor a reasonable amount of time to create a patch 3-Disclose the vulnerability publicly

Time-Based One-Time Password (TOTP)

A password that is used once and is only valid during a specific time period. Time based.

Password Policy Components

1. Maximum age 2. Password Complexity 3. Password Length 4. Minimum Age 5. Password History

PCI DSS Password Requirements

1. Passwords expire at least every 90 days 2. Passwords must be at least seven characters long

NIST Password Recommendations (NIST SP 800-63B)

1. Passwords must be hashed 2. Passwords should not expire 3. Users should not be required to use special characters 4. Users should be able to copy and paste passwords 5. Users should be able to use all characters 6. Password length should be at least eight characters and as many as 64 characters 7. Password systems should screen passwords.

Three Primary Authentication Factors

1. Something you know (Type 1) 2. Something you have (Type 2) 3. Something you are (Type 3)

Reduction Analysis (AKA Decomposing) Key Concepts

1. Trust Boundaries 2. Dataflow Paths 3. Input Points 4. Privileged Operations 5. Details about Security Stance and Approach

Security Content Automation Protocol (SCAP)

A NIST framework that outlines various accepted practices for automating vulnerability scanning.

Capability Table

A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

Directory Service

A centralized database that includes information about subjects and objects, including authentication data. Example: Light-weight Directory Access Protocol (LDAP).

NoSQL

A class of databases that use models other than the relational model to store data.

Access Control List (ACL)

A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.

Software Libraries

A collection of code modules that solve a particular problem and are developed with reuse in mind

Privileges

A combination of rights and permissions.

DevSecOps

A combination of software development, security operations, and systems operations by integrating each discipline with the others.

Nmap

A command-line tool used to scan networks. It is a type of network scanner.

Stuxnet

A computer worm designed to find and infect a particular piece of industrial hardware; used in an attack against Iranian nuclear plants

Lost Updates

A concurrency control problem in which data updates are lost during the concurrent execution of transactions.

Service-Level Requirement (SLR)

A customer requirement for an aspect of an IT service. Service level requirements are based on business objectives and used to negotiate agreed service level targets.

Relational Database

A database that represents data as a collection of tables in which all data relationships are represented by common values in related tables. The data mapping relationship is one-to-one.

Security Policy

A document that defines the security requirements for an organization.

Web Application Firewall (WAF)

A firewall that operates at the application level, specifically designed to protect web applications by examining requests at the application stack level.

Real User Monitoring (RUM)

A passive way to monitor the interaction of real users with a website, using agents to capture metrics such as delay, jitter and errors.

Distributed Data Model

A form of database in which data is stored in more than one database but remains logically connected. The user perceives the database as a single entity, even though it consists of numerous parts interconnected over a network. Each field may have numerous children as well as numerous parents. Thus, the data mapping relationship is many-to-many.

Input Blacklisting

A form of input validation in which developers do not try to explicitly describe acceptable input but instead describe potentially malicious input that must be blocked.

Input Whitelisting

A form of input validation in which the developer describes the exact type of input that is expected from the user and then verifies that the input matches that specification before passing the input to other processes or servers.

Code Red Worm

A form of malware activated online on July 13, 2001 that infected any web server using Microsoft's IIS web server software

Fagan Inspection

A formal code review process that relies on specified entry and exit criteria for each phase. utilizes six steps. 1. Planning 2. Overview 3. Preparation 4. Inspection 5. Rework 6. Follow-Up

Authorization to Operate (ATO)

A formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations.

Security Policy

A formalized statement that defines how security will be implemented within a particular organization.

Botnet

A group of compromised computers or mobile devices connected to a network under the control of an attacker. Often used in denial-of-service attacks.

Assembly Language

A higher-level alternative to machine language that uses mnemonics to represent the basic instruction set of a CPU, but it still requires hardware-specific knowledge of a relatively obscure language. It also requires a large amount of tedious programming.

Mandatory Access Control (MAC)

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf. Referred to as a lattice-based model.

Version Control

A method of tracking changes to software as it is updated.

Scripted Access

A method to automate the logon process with a script that provides the logon credentials to a system. It is considered a form of single sign-on.

HMAC-based one-time password (HOTP)

A one-time password that changes when a specific event occurs. Hash message authentication code based.

Token Device

A password-generating device that users can carry with them. They use dynamic onetime passwords, making them more secure than static passwords. These are typically six or eight PINs.

Code Review

A peer review process in which programmers check over one another's work to ensure its quality.

Virus

A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data. Depends on unsuspecting computer users to replicate.

Metasploit Framework

A platform for launching modularized attacks against known software vulnerabilities.

Concurrency

A preventative security mechanism that endeavors to make certain that the information stored in a database is always correct, or at least has its integrity and availability protected.

Birthday Attack

A probability method of finding a collision in a hash function in order to obtain passwords.

Encryption

A process of encoding messages to keep them secret, so only "authorized" parties can read it.

Misuse Case Testing

A process used by software testers to evaluate the vulnerability of their software to known risks. Testers first enumerate the known misuse cases and then attempt to exploit those use cases with manual and/or automated attack techniques. Aka abuse case testing.

Decompiler

A program that reverts an executable back in to source code.

Program Evaluation Review Technique (PERT)

A project-scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment.

Audit Trail

A report that traces who has accessed electronic information, when information was accessed, and whether any information was changed

Functional Requirement

A requirement that specifies a function that a component or system must perform. The following are the three major characteristics of a functional requirement: Input(s) Behavior Output(s)

Mutual Authentication

A security mechanism that requires that each party in a communication verify its identity.

Software-Defined Security

A security model in which security processes are working in an automated fashion.

Issue-Specific Security Policy

A security policy that addresses specific security issues.

System-Specific Security Policy

A security policy that focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls.

Authenticated Scan

A security scanner is granted authenticated read‐only access to the servers being scanned - typically via a user account - and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing results.

Companion Virus

A self-contained executable that escapes detection by using a filename similar to, but slightly different from, a legitimate operating system file. They rely on default filename extensions that Windows-based operating systems append to commands when executing program files (.com, .exe, and .bat, in that order).

Key-value stores

A simple pair of a key and an associated collection of values. Key is usually a string. Database has no knowledge of the structure or meaning of the values. Example of NoSQL.

Resource Exhaustion

A situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.

Trojan Horse

A software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network.

Fuzz Testing

A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.

Passphrase

A string of characters similar to a password but has a unique meaning to the user. They're easy to remember, and encourage the user to create longer passwords.

Remote Access Trojan (RAT)

A subcategory of trojans that open backdoors in systems that grant the attacker remote administrative control of the infected system.

Candidate Key

A subset of attributes that can be used to uniquely identify any record in a table.

Access Control Matrix

A table that includes subjects, objects and assigned privileges.

Visual, Agile, and Simple Threat (VAST)

A threat modeling concept based on Agile project management and programming principles.

Asynchronous Dynamic Password Token

A token device that generates onetime passwords after the user enters a PIN in the token device. The PIN is provided by a server as a challenge, and the user enters the onetime password created by the token as the response.

Runtime Application Self-Protection (RASP)

A tool that runs on a server and intercepts calls to and from an application and validates data requests.

Phishing Simulations

A training or simulation that helps employees recognize phishing emails.

Machine Learning

A type of artificial intelligence that enables computers to both understand concepts in the environment, and also to learn.

Gantt Chart

A type of bar chart that shows the interrelationships over time between projects and schedules. Provides a graphical illustration of a schedule that helps you plan, coordinate, and track specific tasks in a project.

Fileless Malware

A type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

Vertical Privilege Escalation

A type of privilege escalation in which an attacker obtains privileges of a higher level than what they have been assigned.

API Key

A unique identifying value that proves a client is allowed to make a request to a server. API keys are like passwords and should be treated as sensitive information. They should be stored in secure locations and transmitted only over encrypted communications channels.

netstat

A universal command-line utility used to examine the TCP/IP connections open on a given host.

Cognitive Password (aka security questions)

A variant of the password authentication factor that asks a series of questions about facts or predefined responses that only the subject should know.

Macro Virus

A virus that attaches itself to a document that uses macros. Commonly encountered in malicious Microsoft Office documents.

Polymorphic Virus

A virus that changes its virus signature (the binary pattern that makes the virus identifiable) every time it infects a new file. This makes it more difficult for antivirus programs to detect the virus.

File Infector Virus

A virus that infects program executable files with an .EXE or .COM file extension.

Encrypted Virus

A virus that uses cryptographic techniques to avoid detection. In their outward appearance, they are quite similar to polymorphic viruses—each infected system has a virus with a different signature. However, they do not generate these modified signatures by changing their code; instead, they alter the way they are stored on the disk.

Zero-Day Exploit

A vulnerability that is exploited before the software creator/vendor is even aware of its existence.

Fast Identity Online (FIDO) Alliance

An open-industry association with a stated mission of reducing the over-reliance on passwords.

Privilege Escalation Attack

An unauthorized attempt to increase permission levels.

Attribute-Based Access Control

Access is based on attributes (of a person, a resource, or an environment). Commonly used in software-defined networks (SDN).

Concepts, conditions, and aspects of integrity include the following:

Accuracy Truthfulness Validity Accountability Responsibility Completeness Comprehensiveness

Salting

Adding random data into a one-way cryptographic hash to help protect against password cracking techniques, such as rainbow table attacks.

System Development Lifecycle

All systems development processes should have several activities in common. Although they may not necessarily share the same names, these core activities are essential to the development of sound, secure systems: Conceptual definition Functional requirements determination Control specifications development Design review Coding Code review walk-through System test review Maintenance and change management

Web Shell

Allow the attacker to execute commands on the server and view the results in the browser.

Runtime Environments

Allow the portable execution of code across different operating systems. The Java virtual machine (JVM) is a well- known example of this type of runtime. Users install the JVM runtime on their systems and may then rely on that runtime to execute compiled Java code.

Single Sign-On (SSO)

Allows a user to authenticate once to gain access to multiple systems, without requiring the user to independently authenticate with each system.

Application Programming Interface (API)

Allows application developers to bypass traditional web pages and interact directly with the underlying service through function calls.

Fail-Open State

Allows users to bypass failed security controls, erring on the side of permissiveness.

Crossover Error Rate (CER)

Also called the equal error rate, the point at which the rate of false rejections equals the rate of false acceptances. Devices with lower CERs are more accurate than devices with higher CERs.

Delta Rule

Also known as the learning rule. It is the feature of expert systems that allows them to learn from experience.

Rule-Based Access Control

An access control model that based on a list of predefined rules that determine what accesses should be granted for subjects.

Role-Based Access Control (RBAC)

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. Based on organization's hierarchy.

Service Account

An account used by a service or application.

Subject

An active entity that accesses a passive object to receive information from, or data about, an object.

Signature-Based Detection

An antivirus solution utilizes a database of telltale characteristics of known viruses. The antivirus solution examines files on a system looking for these virus characteristics. Virus definitions must be updated on a regular basis.

Agile Software Development

An approach to database and software development that emphasizes "individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation, and response to change over following a plan."

LDAP Injection Attack

An attack that constructs LDAP statements based on user input statements, allowing the attacker to retrieve information from the LDAP database or modify its content.

DLL Injection Attack

An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite DLL, inserting malicious code.

Script Kiddie

An attacker with little expertise or sophistication. Script kiddies use existing scripts to launch attacks.

Spoofing attack

An attempt by someone or something to masquerade as someone else.

Third-Party Audit

An audit conducted by, or on behalf of, another organization, such as a regulatory authority.

OpenID Connect (OIDC)

An authentication layer that sits on top of the OAuth 2.0 authorization protocol. Uses a JavaScript Object Notation (JSON) web token (JWT).

multifactor authentication (MFA)

An authentication process that requires the client to provide two or more pieces of information. The three categories of authentication factors are knowledge (something you know), possession (something you have), and inherence (something you are).

Kerberos

An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users. Provides a single sign-on solution for users and protects logon credentials. Utilizes a ticket system.

Penetration Test

An authorized attempt to break into the organization's information system

Buffer Overflow

An error that occurs when an application receives more input, or different input, than it expects. It exposes system memory that is normally inaccessible.

Pass-The-Hash Attack

An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

Scrum Master

An individual in a project management role who is responsible for helping the team move forward and meet their objectives.

Security Assertion Markup Language (SAML)

An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations. It provides SSO capabilities for browsers. Utilizes a principal (such as a user), a service provider (such as a website), and an identity provider (a third party that holds the authentication and authorization information).

Software Assurance Maturity Model (SAMM)

An open source project maintained by the Open Web Application Security Project (OWASP). It seeks to provide a framework for integrating security activities into the software development and maintenance process and to offer organizations the ability to asses their maturity.

OpenID

An open standard and decentralized authentication protocol.

OAuth 2.0

An open standard for authorization used for websites and applications

User and Entity Behavior Analytics (UEBA)

Analysis of behaviors and activities of human and nonhuman users, and of the software and hardware entities associated with those users and activities, as a way of detecting inappropriate or unauthorized activity, including fraud detection, malware and insider attacks.

Passive Monitoring

Analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server.

Heuristic-Based Detection

Analyzes the behavior of software looking for telltale signs of virus activity.

Alternate Key

Any candidate key that is not selected as the primary key.

User (End User)

Any person that has access to the secured system.

SOC 1 Engagements

Assess the organization's controls that might impact the accuracy of financial reporting.

SOC 2 Engagements

Assess the organization's that affect the security (Confidentiality, Integrity, and Availability) and privacy of information stored in a system. Confidential, and are normally only shared outside the organization under an NDA.

SOC 3 Engagements

Assess the organization's that affect the security (Confidentiality, Integrity, and Availability) and privacy of information stored in a system. SOC 3 audit results are intended for public disclosure.

Interface Testing

Assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete. Three types of interfaces should be tested: Application Programming Interfaces (APIs) User Interfaces (UIs) Physical Interfaces

File Inclusion Attack

Attack executes the code contained within a file. Two variants of this attack are local and remote file inclusion attacks.

XML Injection

Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.

Impersonation attack

Attacker assumes the identity of one of the legitimate parties in a network

Horizontal Privilege Escalation

Attacker grants themselves the same access levels they already have but assumes the identity of another user.

Injection Vulnerabilities

Attackers use to break through a web application and gain access to systems supporting that application.. Allows an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute.

Dictionary Attack

Attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

Brute-Force Attack

Attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols. Attackers typically use programs that try all password combinations.

Misuse Cases

Attempt to model the activity of an attacker.

Rainbow Table Attack

Attempts to discover the password from the hash using databases of precomputed hashes; countermeasure is salting.

Authenticity

Authenticity is the security concept that data is authentic or genuine and originates from its alleged source.

Elasticity

Automatically provision resources to scale when necessary, and deprovision resources when demand goes down.

Availability

Availability means authorized subjects are granted timely and uninterrupted access to objects.

Smartcard

Badge that has an integrated circuit chip embedded in it to provide identity and auth -most have microprocessor and 1+ certificates (used for asymm crypto like enc'ing data or digitally signing email) -common to require users to enter a PIN to provide two factor auth -CAC (common access cards) and PIV (personal id verification) cards are used by US govt

Sniffing

Capturing and recording network traffic

Code Repositories

Centralized locations for the storage and management of application source code.

Supply Chain

Consists of all parties involved, directly or indirectly, in obtaining raw materials or a product.

Control Objectives for Information and Related Technology (COBIT)

COBIT describes the common requirements that organizations should have in place surrounding their information systems. The COBIT framework is maintained by ISACA.

Remote Authentication Dial-In User Service (RADIUS)

Centralizes authentication for remote access connections, such as with VPNs or dial-up access. Encrypts only the password's exchange by default, but it is possible to use RADIUS/TLS to encrypt the entire session. Provides AAA services between network access servers and a shared authentication server.

Neural Networks

Chains of computational units are used in an attempt to imitate the biological reasoning process of the human mind.

Metacharacters

Characters that have been assigned special programmatic meaning.

Credential Surfing Attack

Checks single username and password on multiple sites.

Dead Code

Code is in use in an organization but nobody is responsible for the maintenance of that code.

Continuous Integration / Continuous Delivery (CI/CD)

Code may roll out dozens or hundreds of times per day.

Error Handling

Coding methods to anticipate and deal with exceptions thrown during execution of a process.

Output Encoding

Coding methods to sanitize output created from user input.

Device Fingerprinting

Collects unique information from a user's browser or smartphone that can be combined with other data files to identify specific devices and users.

Aggregation

Combine records from one or more tables to produce potentially useful information.

Hierarchical Data Model

Combines records and fields that are related in a logical tree structure. The data mapping relationship is one-to-many.

Gray-Box Testing

Combines the two approaches and is popular for software validation. Testers examine the software from a user perspective, analyzing inputs and outputs. Testers have access to the source code and use it to help design their tests.

Security Assessments

Comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.

Logic Bomb

Computer code that lies dormant until it is triggered by a specific logical event.

Confidentiality

Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.

CIA Triad

Confidentiality, Integrity, Availability

Software Configuration Management (SCM) Components

Configuration Identification: Configuration of covered software Configuration Control: Ensures changes to software versions are made in accordance with change control and configuration management policies. Configuration Status Accounting: Keeps track of all authorized changes. Configuration Audit: Periodic configuration audit to ensure that the production environment is consistent with accounting records.

Disassembler

Converts executables back to machine-readable assembly language (An intermediate step during the compilation process).

Compiler

Converts source code from a higher-level language into an executable file designed for use on a specific operating system.

Chief Executive Officer (CEO)

Corporate officer who has overall responsibility for managing the business and delegates responsibilities to other corporate officers.

Database Vulnerability Scanner

Database vulnerability scanners are tools that allow security professionals to scan both databases and web applications for vulnerabilities that may affect database security.

Standards

Define compulsory requirements for the homogenous use of hardware, software, technology, and security controls.

Acceptable Use Policy

Defines a level of acceptable performance and expectation of behavior and activity.

Breach and Attack Simulation (BAS)

Designed to inject threat indicators onto systems and networks in an effort to trigger other security controls.

Procedure

Detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.

STRIDE

Developed by Microsoft: Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

Generational (Intelligent) Fuzzing

Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

DAD Triad

Disclosure, Alteration, and Destruction. The opposite of the CIA triad.

Control Objectives for Information and Related Technology (COBIT)

Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.

Defense in Depth

Employing multiple layers of controls to avoid a single point-of-failure. Also known as layering.

Semantic Integrity

Ensures that data types, logical values, uniqueness constraints and operations are enforced.

Reasonableness Check

Ensures that values returned by software match specified criteria that are within reasonable bounds.

Chief Technical Officer (CTO)

Focuses on ensuring that equipment and software work properly to support the business functions.

Service-Level Agreement (SLA)

Formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer

Service Level Agreement (SLA)

Formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer.

Assurance Procedures

Formalized processes by which trust is built into the lifecycle of a system.

SAMM Business Functions for Software Development

Governance: The activities an organization undertakes to manage its software development process. Includes practices for strategy, metrics, policy, compliance, education, and guidance. Design: The process used by the organization to define software requirements and create software. Includes practices for threat modeling, threat assessment, security requirements, and security architecture. Implementation: Building and deploying software components and managing flaws in those components. Includes secure build, secure deployment, and defect management practices. Verification: Activities undertaken by the organization to confirm that code meets business and security requirements. Includes architecture assessment, requirements-driven testing, and security testing. Operations: The actions taken by an organization to maintain security throughout the software lifecycle after code is released. Includes incident management, environment management, and operational management.

Risk-Based Access Control

Grants access after evaluating risk. Makes risk-based decisions using policies embedded within software code. Can require users to authenticate with multifactor authentication.

NIST SP 800-53A

Guide for Assessing the Security Controls an privacy controls in Federal Information Systems.

Third-Party Audit

Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, based on Service Organization Control (SOC) (SOC) reports.

Stealth Virus

Hide themselves by actually tampering with the OS to fool antivirus packages.

Scalability

How well a system can scale up, or adapt to the increased demands of growth

Spiral Model

In 1988, Barry Boehm of TRW proposed an alternative lifecycle model that allows for multiple iterations of a waterfall-style process. Each "loop" of the spiral results in the development of a new system prototype. Theoretically, system developers would apply the entire waterfall process to the development of each prototype, thereby incrementally working toward a mature system that incorporates all the functional requirements in a fully validated fashion.

Virus Decryption Routine

In an encrypted virus, a short segment of code that contains the cryptographic information necessary to load and decrypt the main virus code stored elsewhere on the disk.

Regression Testing

In cases where the project is releasing updates to an existing system, regression testing formalizes the process of verifying that the new code performs in the same manner as the old code, other than any changes expected as part of the new release.

Escaping Input

In some cases, the input validation routine can transform the input to remove risky character sequences and replace them with safe values. This process is performed by replacing occurrences of sensitive characters with alternative code that will render the same to the end user but will not be executed by the system.

Tuple

In the relational model, a table row.

The IDEAL model has five phases

Initiating: The business reasons behind the change are outlined, support is built for the initiative, and the appropriate infrastructure is put in place. Diagnosing: Engineers analyze the current state of the organization and make general recommendations for change. Establishing: The organization takes the general recommendations from the diagnosing phase and develops a specific plan of action that helps achieve those changes. Acting: The organization develops solutions and then tests, refines, and implements them. Learning: The organization must continuously analyze its efforts to determine whether it has achieved the desired goals, and when necessary, propose new actions to put the organization back on course.

Noise & perturbation

Inserting false or misleading data into a DBMS in order to redirect or thwart information confidentiality attacks.

Integrity

Integrity is the concept of protecting the reliability and correctness of data.

Document Exchange and Review

Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.

Single-Factor Authentication

Involves the use of simply one of the three available factors solely in order to carry out the authentication process being requested.

Gray-Box Penetration Test

Known as partial knowledge test. Sometimes chosen to balance the advantages and disadvantages of the white and black box penetration testing.

The Stages of the Software Capability Maturity Model (SW-CMM)

Level 1: Initial In this phase, you'll often find hard working people charging ahead in a disorganized fashion. Usually little or no defined software development process. Level 2: Repeatable Basic lifecycle management processes are introduced. Reuse of code begins, and repeatable results are expected. Level 3: Defined Software developers operate according to a set of formal documented software development processes. Level 4: Managed Quantitative measures are used to gain a detailed understanding of the development process. Level 5: Optimizing In the optimized organization, a process of continuous improvement occurs.

Document Stores

Like a key-value store, but "document" goes further than "value". Document is structured so specific elements can be manipulated separately. Example of NoSQL.

Data Minimization

Limiting data collection to only what is required to fulfill a specific purpose.

Stored XSS

Malicious code is stored on a site, via a messaging board or comment posting. Malicious code is stored in the website's internal database. This code is later served to other users that visit the resource where the code is stored.

Worm

Malicious code that can propagate itself without requiring any human intervention.

Supply Chain Risk Management (SCRM)

Means to ensure that all of the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. Each link in the supply chain should be responsible and accountable to the next link in the chain.

Penetration Testing Process

NIST defines the penetration testing process as consisting of four phases. 1. Planning 2. Information Gathering and Discovery 3. Attack 4. Reporting

Common Object-Oriented Programming Terms

Message - A message is a communication to or input of an object. Method - A method is internal code that defines the actions an object performs in response to a message. Behavior - The results or output exhibited by an object is a behavior. Behaviors are the results of a message being processed through a method. Class - A collection of the common methods from a set of objects that defines the behavior of those objects is a class. Instance - Objects are instances of or examples of classes that contain their methods. Inheritance - Inheritance occurs when methods from a class (parent or superclass) are inherited by another subclass (child) or object. Delegation - Delegation is the forwarding of a request by an object to another object or delegate. An object delegates if it does not have a method to handle the message. Polymorphism - A polymorphism is the characteristic of an object that allows it to respond with different behaviors to the same message or method because of changes in external conditions. Cohesion - Cohesion describes the strength of the relationship between the purposes of the methods within the same class. When all the methods have similar purposes, there is high cohesion, a desirable condition that promotes good software design principles. When the methods of a class have low cohesion, this is a sign that the system is not well designed. Coupling - Coupling is the level of interaction between objects. Lower coupling means less interaction. Lower coupling provides better software design because objects are more independent. Lower coupling is easier to troubleshoot and update. Objects that have low cohesion require lots of assistance from other objects to perform tasks and have high coupling.

Centralized Access Control

Method of control in which all authorization verification is performed by a single entity within a system.

Tactical Plan

Midterm plan, developed to provide more details on accomplishing the goals set forth in the strategic plan. Useful for about a year.

Baseline

Minimum level of security that every system throughout the organization must meet.

Use Cases

Mirror normal activity.

Database Contamination

Mixing data with different classification levels and/or need-to-know requirements.

Spyware

Monitors your action and transmits important details to a remote system that spies on your activity. Can transmit banking credentials or credit card numbers.

Window of Vulnerability

Necessary delay between the discovery of a new type of malicious code and the issuance of patches and antivirus updates.

Nonrepudiation

Nonrepudiation ensures that the subject of an activity or who caused an event cannot deny that the event occurred.

Session Hijacking Attack

Occurs when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a hijacking technique to take over the session and assume the identity of the authorized user.

Blind SQL Injection

Occurs when the database is vulnerable but configured to suppress error messages. Statements are generated in effort to prompt a response. Can be content or timing based.

Application Programming Interfaces (API)

Offer a standardized way for code modules to interact and may be exposed to the outside world through web services.

Guideline

Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.

Mimikatz

One of the tools to gather credential data from Windows systems. Mimikatz It's now well known to extract plaintext password, hash, PIN code, and kerberos tickets from memory. Capabilities include: 1. Read passwords from memory 2. Extract kerberos tickets 3. Extract certificates and private keys 4. Read LM and NTLM password hashes in mempry 5. Read cleartext passwords in Local Security Authority Subsystem Service (LSASS) 6. List running processes

Curl

Open source tool available for major operating systems that allows users to directly access websites without the use of a browser. Commonly used for API testing and potential API exploits by an attacker.

TCP Connect Scanning

Opens a full connection to the remote system on the specific port. -used when the user does not have necessary perm's to run a half-open scan.

Senior Manager

Organizational owner, who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. Must approve all policies before they are carried out.

Waterfall Model

Originally developed by Winston Royce in 1970, the waterfall model seeks to view the systems development lifecycle as a series of sequential activities. The traditional waterfall model has seven stages of development. As each stage is completed, the project moves into the next phase. Iterative variations allow developers to go back to previous phases. 1. System Requirements 2. Software Requirements 3. Preliminary Design 4. Detailed Design 5. Code and Debug 6. Testing 7. Operations and Maintenance

Internal Audits

Performed by an organization's internal audit staff and are typically intended for internal audiences.

UDP Scanning

Performs a scan of the remote system using the UDP protocol, checking for active UDP services. Does not use the 3-way handshake because UDP is a connectionless protocol.

Synthetic Monitoring

Performs artificial transactions against a website to assess performance.

Assets Include

Personnel, Information, Systems, Devices, Facilities, and Applications

Due Care

Practicing the individual activities that maintain the due diligence effort.

Data Hiding

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Change Management

Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.

Documentation Review

Process of reading the exchanged materials and verifying them against standards and expectations.

bit flipping

Process of slightly manipulating the input.

Object-Oriented Programming (OOP)

Programming concept based on objects and data and how they relate to one another, instead of logic and actions; C++ and Java are OOP languages.

Rootkits

Programs that allow hackers to gain access to your computer and take almost complete control of it without your knowledge. These programs are designed to subvert normal login procedures to a computer and to hide their operations from normal detection methods.

User Interfaces (UI)

Provide end users with the ability to interact with the software.

Network Flow (NetFlow) logs

Provide records of the connections between systems and the amount of data transferred.

Six key principals for governance and management of enterprise IT that COBIT is based on

Provide stakeholder value Holistic Approach Dynamic Governance System Governance Distinct from Management Tailored to Enterprise Needs End-to-end Governance System

Credential Management Systems

Provide storage space for usernames and passwords. Many web browsers can remember usernames and passwords for any site that a user has visited.

Open Vulnerability and Assessment Language (OVAL)

Provides a language for describing security testing procedures.

Extensible Configuration Checklist Description Format (XCCDF)

Provides a language for specifying security checklists.

Common Vulnerabilities and Exposures (CVE)

Provides a naming system for describing security vulnerabilities.

Common Platform Enumeration (CPE)

Provides a naming system for operating systems, applications, and devices.

Common Configuration Enumeration (CCE)

Provides a naming system for system configuration issues.

Common Vulnerability Scoring System (CVSS)

Provides a standardized scoring system for describing the severity of security vulnerabilities.

Debugging Mode

Provides detailed error messages for troubleshooting. Can also provide useful information to attackers.

Integrated Development Environment (IDE)

Provides programmers with a single environment where they can write their code, test it, debug it, and compile it (if applicable).

White-Box Penetration Test

Provides the attackers with detailed information about the system they target. Bypasses the reconnaissance steps that normally precede attacks.

Type I Report

Provides the auditor's opinion on the description provided by management and the suitability of the design of the controls. Usually focuses on a specific point in time.

Type II Report

Provides the auditor's opinion on the operating effectiveness of the controls. Covers an extended period of time.

Least Privilege

Providing only the minimum amount of privileges necessary to perform a job or function.

International Organization for Standardization (ISO)

Publishes a set of standards for information security.

Fail-Secure Failure State

Puts the system into a high level of security (and possibly even disables it entirely) until an administrator can diagnose the problem and restore the system to normal operation.

Permissions

Refer to access granted for an object and determine what you can do with it.

AAA Services

Refers to five elements: Identification - Claiming an identity Authentication - Proving identity Authorization - Defining allows/denies for an identity Auditing - Recording log of events Accounting - Review log files

Rights

Refers to the ability to take an action on an object.

Asset Owner

Responsible for classifying information for placement and protection within the security solution.

Auditor

Responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Custodian

Responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Constrained Interface

Restrictions on interfaces that restrict users on what they can see and do based on their privileges

Content-Dependent Access Control

Restricts access to data based on the content within an object. An example would be a database view.

Endpoint Detection and Response (EDR)

Robust tools that monitor endpoint events and take immediate action. Combines traditional antivirus functionality with advanced threat detection capabilities.

Database Views

SQL statements that present data to the user as if the views were tables themselves. Used as a security tool by database administrators allowing users to interact only with limited views rather than raw tables of data.

Stored Procedures

SQL statements written and stored on the database that can be called by applications.

Service Organization Controls (SOC) Audits

SSAE 18 and ISAE 3402 engagements are commonly referred to as service organization controls (SOC) audits, and they come in three forms: SOC 1 Engagements SOC 2 Engagements SOC 3 Engagements

Synthetic Transactions

Scripted transactions with known expected results. The testers run the synthetic transactions against the tested code and then compare the output of the transactions to the expected state. Any deviations between the actual and expected results represent possible flaws in the code and must be further investigated.

Process for Attack Simulation and Threat Analysis (PASTA)

Seven stage risk-centric threat-modeling methodology: 1. Definition of the objectives (DO) for the analysis of risks. 2. Definition of the technical scope (DTS). 3. Application Decomposition and Analysis (ADA). 4. Threat Analysis (TA). 5. Weakness and vulnerability analysis (WVA) 6. Attack modeling and simulation (AMS). 7. Risk analysis and management (RAM). A risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected.

Operational Plan

Short-term, highly detailed plan based on the strategic and tactical plans. Valid only for a short time. must be updated often.

Abstraction

Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Black-Box Penetration Test

Simulates an external hacking or cyber warfare attack.

Potentially Unwanted Program (PUP)

Software that a user might consent to installing on their system that carries out functions that the user did not desire or authorize.

Ransomware

Software that encrypts programs and data until a ransom is paid to remove it.

Advanced Persistent Threat (APT)

Sophisticated adversaries with advanced technical skills and significant financial resources. They are often military units, intelligence agencies, or shadowy groups that are likely affiliated with government agencies.

Web Vulnerability Scanner

Special-purpose tools that scour web applications for known vulnerabilities.

Security Control Framework

Structure of the security solution desired by the organization.

Authorization

Subjects are granted access to objects based on proven identities.

Capability Maturity Model Integration (CMMI)

Supersedes CMM and uses the same five stages as CMM, but refers to level 4 as quantitatively managed. CMM focuses on isolated processes, and CMMI focuses on integration among those processes.

Decentralized Access Control

System of access control in which authorization verification is performed by various entities located throughout a system.

DREAD Rating System

System used to determine threat prioritization: - Damage Potential - Reproducibility - Exploitability - Affected Users - Discoverability

State Attacks

TOCTTOU attacks, race condition exploits and communication disconnects are known as this type of attack because they attack timing, data flow control, and transition between one system state to another.

Insecure Direct Object Reference

Takes advantage of lack of checks to ensure a user requesting a resource actually has permissions to do so, and is authorized.

Directory Traversal Attack

Takes advantage of vulnerability in the web application, program, or the web server software so that a user can move from the root directory to other restricted directories.

Mutation (Dumb) Fuzzing

Takes previous input values from actual operation of the sw and manipulates (mutates) it to create fuzzed input -may alter the char's, strings, etc.

Interactive Application Security Testing (IAST)

Testing that combines or integrates SAST and DAST to improve testing and provide behavioral analysis capabilities to pinpoint the source of vulnerabilities.

ISO 27001

The ISO (International Organization for Standardization) 27001 standard is a code of practice for implementing an information security management system, against which organizations can be certified.

ISO 27002

The ISO (International Organization for Standardization) 27002 standard is a code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

Sprints

The Scrum methodology organizes work into short sprints of activity. These are well-defined periods of time, typically between one and four weeks, where the team focuses on achieving short-term objectives that contribute to the broader goals of the project.

Capability Maturity Model (CMM)

The Software Engineering Institute (SEI) at Carnegie Mellon University introduced the Capability Maturity Model for Software, also known as the Software Capability Maturity Model (abbreviated as SW-CMM, CMM, or SCMM), which contends that all organizations engaged in software development move through a variety of maturity phases in sequential fashion. Also known as the software capability maturity model (SW-CMM).

IDEAL Model

The Software Engineering Institute also developed the IDEAL model for software development, which implements many of the SC-CMM attributes.

SSAE 18

The Statement on Standards for Attestation Engagements document 18. SAE 18, titled Reporting on Controls , provides a common standard to be used by auditors performing assessments of service organizations with the intent of allowing the organization to conduct an external assessment instead of multiple third- party assessments and then sharing the resulting report with customers and potential customers. Outside of the United States, similar engagements are conducted under the International Standard for Attestation Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization .

Security Function

The aspect of operating a business that focuses on the task of evaluating and improving security over time.

Security Governance

The collection of practices related to supporting, evaluating, defining, and directing the security efforts of an organization.

Cell Suppression

The concept of hiding individual database fields or cells or imposing more security restrictions on them.

Identity and Access Provisioning Lifecycle

The creation, management, and deletion of accounts. Provisioning refers to granting accounts with appropriate privileges when they are created and during the lifetime of the account.

Parameterized Queries

The developer prepares a SQL statement and then allows user input to be passed into that statement as carefully defined variables that do not allow the insertion of code.

Reference Profile

The digitally stored sample of a biometric factor. Also known as a reference template.

Botmaster

The hacker who is in control of a botnet. Also called bot herder.

Organizational Security Policy

The highest-level security policy adopted by an organization that outlines security goals.

Machine Language

The language made up of binary-coded instructions that is used directly by the computer.

Scrum

The leading agile development methodology for completing projects with a complex, innovative scope of work. Scrum takes its name from the daily team meetings, called scrums , that are its hallmark. Each day the team gets together for a short meeting, where they discuss the contributions made by each team member, plan the next day's work, and work to clear any impediments to their progress

Vulnerabilities

Weaknesses in systems and security controls that might be exploited by a threat.

ACID Model

The letters represent the four required characteristics of database transactions: 1. Atomocity - a database transaction must be an "all-or-nothing" affair. If any part of the transaction fails, the entire transaction must be rolled back. 2. Consistency - all transactions must begin operating in an environment that is consistent with all of the database's rules (e.g. All records have a unique primary key). 3. Isolation - requires that transactions operate separately from each other. 4. Durability - the concept that database transactions must be resilient. Once a transaction is committed to the database, it must be preserved. This is ensured through the use of backup mechanisms, such as transaction logs.

Security Boundary

The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Strategic Plan

The long-term plan for future activities and operations, usually involving at least five years.

Biometrics

The measurement and analysis of unique physical or behavioral characteristics (as fingerprint or voice patterns) especially as a means of verifying personal identity. Methods include fingerprints, face scans, retina scans (The most accurate), iris scans, palm scans, and voice patterns.

Code Signing

The method of using a digital signature to ensure the source and integrity of programming code.

Degree

The number of columns in a relational database table.

Cardinality

The number or rows in a relational database table.

Security Role

The part an individual plays in the overall scheme of security implementation and administration within an organization.

Time of Check/Time of Use (TOC/TOU) Attacks

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

Separation of Duties

The practice of requiring that processes should be divided between two or more individuals.

Implicit Deny

The principle that establishes that everything that is not explicitly allowed is denied. Think of it as deny by default.

Identification

The process of a subject claiming, or professing, and identity.

Privilege Escalation

The process of gaining elevated rights and permissions. Malware typically uses a variety of techniques to gain elevated privileges.

Exception Handling

The process of handling unexpected activity within software.

Escaping Metacharacters

The process of marking the metacharacter as merely a normal or common character, such as a letter or number, thus removing its special programmatic powers. Often done by adding a backslash in front of the character.

Database Normalization

The process of organizing the fields and tables of a relational database to minimize redundancy and dependency.

Database Partitioning

The process of splitting a single database into multiple parts, each with a unique and distinct security level or type of content.

Software Configuration Management (SCM)

The process used to control the versions of software used throughout an organization, and formally track and control changes to the software configuration.

Reduction Analysis (AKA Decomposing)

The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if focusing on software; computers, operating systems, and protocols if focusing on systems or networks; or departments, tasks, and networks if focusing on an entire business infrastructure. Each identified subelement should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs. This is also sometimes referred to as decomposing the application, system, or environment.

False Acceptance Rate (FAR)

The rate at which a biometric solution allows in individuals it should have rejected. Referred to as a type 2 error.

False Rejection Rate (FRR)

The rate at which a biometric solution rejects individuals it should have allowed. Referred to as a type 1 error.

Inference Attack

This form of attack relies on the attacker's ability to make logical connections between seemingly unrelated pieces of information.

Knowledge-Based Authentication (KBA)

This is used for fraud prevention. Consumers probably know this as the "secret question" users must answer before being granted access.

Synchronous Dynamic Password Token

Time-based and synchronized with an authentication server.

Integrity Monitoring Tools

Tools that maintain and monitor a list of hash values for all files on a system in order to detect unauthorized file modifications.

Security Professional

Trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.

Spraying Attack

Tries to log onto a system with common passwords before moving on. Used to bypass account lockout security controls.

Cryptomalware

Trojans and other malware that perform cryptocurrency mining.

Limit Check

Type of input validation where the code checks to ensure that a number falls within an acceptable range.

Master Boot Record (MBR) Virus

Type of virus that attacks the MBR and causes it to execute code during startup. MBR viruses store the majority of their code on another portion of the storage media. When a system reads an infected MBR, the virus instructs it to read and execute the additional stored code.

Chief Information Security Officer (CISO)

Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

Data Exposure

Unintended exposure of personal and confidential data.

Top-Down Approach

Upper, or senior, management is responsible for initiating and defining policies for the organization.

Concepts, conditions, and aspects of availability include the following:

Usability Accessibility Timeliness

Multipartite Virus

Use more than one propagation technique in an attempt to penetrate systems that defend against only one method or another. For example a multipartite virus could infect critical COM and EXE files, as well as adding malicious code to a system's master boot record.

System Testing

Used by development personnel to seek out obvious errors. As the testing progresses, developers and actual users validate the system against predefined scenarios that model common and unusual user activities.

Backdoors

Used to access programs and bypass authentication by administrators and developers, but can be found by hackers with malicious intent.

Foreign Key

Used to enforce relationships between two tables.

Managed Service Accounts

Used to run and manage services and applications.

Accountability

Users and other subjects can be held accountable for their actions when auditing is implemented.

User Acceptance Testing (UAT)

Users verify that the code meets their requirements and formally accept it as ready to move into production use.

Hashing

Uses a cryptographic hash function to replace sensitive identifiers with an irreversible alternate identifier.

Adware

Uses a variety of techniques to display advertisements on infected computers. In addition to pop-ups, it can also redirect a user to a competitor's website.

Network Discovery Scanning

Uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.

Context-Aware Authentication

Uses multiple elements to authenticate a user and a mobile device.

Cloud-Based Federation

Uses third-party services to share federated identities.

Managed Detection & Response (MDR)

Vendor provided installation, configuration, and monitoring services for endpoint security.

Input Validation

Verifies that the values provided by a user match the programmer's expectation before allowing further processing.

Authentication

Verifies the subject's identity by comparing one or more factors against a database of valid identities, such as user accounts.

On-Site Assessment

Visit the site of the organization to interview personnel and observe their operating habits.

Server-Side Request Forgery (SSRF)

Web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

Federated Identity Management (FIM)

When a user's identity is shared across multiple identity management (IdM) systems.

Unsupervised Learning

When an AI system can look at data on its own and build rules for deciding what it is seeing.

False Negative Report

When the vulnerability scanner misses a vulnerability and fails to alert the administrator to the presence of a dangerous situation

Time and Date Stamps

When time and date stamps are applied to database transactions, the transactions are applied in chronological order during replication.

Polyinstantiation

When two or more rows in the same relational database appear to have identical primary key elements but contain different data for use at differing classification levels.

Memory Pointers

an area of memory that stores an address of another location in memory

Vulnerability Scans

automatically probe systems, app's, and networks, looking for weaknesses that may be exploited by an attacker.

Aggregation Attack

individual(s) use their access to specific pieces of information to piece together a larger picture that they are not authorized to access.

Command Injection Attack

inject OS commands into an application using web page forms/text boxes.

Code Injection Attack

input includes code that is then executed by the attacked system.

SQL Injection Attack

inserting a malicious SQL query in input such that it is passed to and executed by an application program.

Pointer Dereferencing

return the value stored at the location represented by the pointers value

Expert Systems

rule-based systems that encode human knowledge in the form of if/then rules.

Virus Hoax

usually arrives as an email message or social media message containing dire warnings about a supposedly new virus on the loose.

Service Injection Virus

virus injects itself into trusted runtime processes such as svchost.exe, winlogin.exe, and explorer.exe. -malicious code is able to bypass detection bc it runs on trusted processes protection: ensure all software allowing the viewing of web content receive current sec patches