CompTIA Security+ (SY0-501) Objectives
PSK vs. Enterprise vs. Open (methods)
When building out a wireless network, you must decide how you are going to employ security on the network. Specifically, you need to address who will be allowed to connect, and what level of protection will be provided in the transmission of data between mobile devices and the access point. Both WPA and WPA2 have two methods to establish a connection, ____1_____ and ___2___. ______1______ is typically entered as a passphrase of up to 63 characters. This key must be securely shared between users, as it is the basis of the security provided by the protocol. The ____1____ is converted to a 256-bit key that is then used to secure all communications between the device and access point. ____1____ has one particular vulnerability: simple and short ones are at risk of brute force attempts. Keeping ____1____ at least 20 random characters long or longer should mitigate this attack vector. In ____2____ mode, the devices use IEEEE 802.1X and a RADIUS authentication server to enable a connection. This method allows the use of usernames and passwords and provides enterprise-class options such as network access control (NAC) integration, multiple random keys, instead of everyone sharing the same PSK. If everyone has the same PSK then secrecy between clients is limited to other means, and in the event of one client failure, other could be compromised. In WEP-based systems, there are two options, __________ system authentication and shared key authentication. _________ system authentication is not truly authentication, for it is merely a sharing of a secret key based on the SSID. The process is simple: the mobile client matches SSID with the access point and requests a key (called authentication) to the access point. Then the access point generates an authentication code (the key, as there is no specific authentication of the client), a random number intended for use only during that session. The mobile client uses the authentication code and joins the network. The session continues until disassociation either by request or loss of signal.
Mission-essential functions
When examining risk an index to business, it is important to identify mission essential functions from other business functions. In most businesses, the vast majority of daily functions, although important, are not mission essential. __________ are those that should they not occur, or be performed in properly, the mission of the organization will be directly affected. In other terms, these are functions that must be restored first after business impact to enable the organization to restore its operations.
VM escape protection
When multiple VMs are operating on a single hardware platform, one concern is __________, where software, either malware or an attacker, escapes from one VM to the underlying OS. Once the VM escape occurs, the attacker can attack the underlying OS, or resurface in a different VM. When you examine the problem from a logical point of view, both VM's use the same RAM, the same processors, and so forth; the difference is one of timing and specific combinations. While the VM system is designed to provide protection, as with all things larger scale, the devil is in the details. Large-scale VM environments have specific modules designed to detect escape and provide ___________ to other modules.
Business Partnership Agreement - BPA (agreement types)
A __________ is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between partners.
Privacy threshold assessment
A __________ is an analysis of whether PII is collected and maintained by a system. If PII is stored, then the next step in determining privacy risk is a privacy impact assessment (PIA).
Secret algorithm
Algorithms can be broken into two types: those with published details and those whose steps are kept __________.
Medical devices (Special purpose)
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. __________ are a very diverse group, from small implantable devices, such as pacemakers, some multi-ton MRI machines. In between is a wide range of devices, from those that measure vital signs to those that actually control vital functions. Each of these has several interesting characteristics, and they all have an interesting caveat--they can have a direct affect on humans life. This makes security of these devices also a safety function.
VM sprawl avoidance
Sprawl is the uncontrolled spreading and disorganization caused by lack of an organizational structure when many similar elements require management. Just as you can lose track of a file in a large file directory and have to hunt for it, you can lose track of a VM among many others that have been created. VMs basically are files that contain a copy of a working machine disk and memory structures creating a new VM is a simple process. If an organization has only a couple of VMs, keeping track of them is relatively easy. But as the number of VMs grows rapidly over time, sprawl can set in. VM sprawl is a symptom of a disorganized structure. An organization needs to implement __________ through policy. It can avoid VM sprawl through naming conventions and proper storage architectures, so that the files are in the correct directory, making finding the correct VM easy and efficient. But as in any filing system, it works only everyone routinely follows established policies and procedures to ensure that proper VM naming and filing are performed.
Supply chain assessment (risk assessment)
The analysis of risk in a supply chain has become an important issue in our connected society. Organizations need to consider not just the risk associated with system but the risk embedded in the system as a result of its components that the vendor has obtained supply chain, which could span the globe. For instance, if the system has critical components that are not replaceable except from a single source, what happens if that source quits making the component? The term __________ describes the process of exploring and identifying these risks.
Attribute-based Access Control - ABAC (Access control modules)
The term access control describes a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access is the ability of the subject, such as an individual or a process running on a computer system, to interact with an object, such as a file or hardware device. Authentication, on the other hand, deals with verifying the identity of a subject. __________ is a form of access control based on attributes. These attributes can be any wide variety of forms, such as user attributes, the source or object attributes, and environmental attributes. For instance, a doctor can access medical records, but only for patients to which she is assigned, or only when she is on shift. The major difference between this and role-based access control is the ability to include Boolean logic in the access control decision.
netcat (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. __________ is the network utility designed for Linux environments. It has been ported to Windows, but is not regularly used in Windows environments. The actual command line command to invoke it is nc-options-address.
PaaS (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. __________ is a marketing term used to describe the offering of a computing platform in the cloud. Multiple sets of software working together to provide services, such as database services, can be delivered via the cloud as this. The offerings of this generally focus on security and scalability, both which are characteristics that fit with cloud and platform needs.
Buffer overflow (Memory/buffer vulnerability)
These attacks are input validation attacks, designed to take advantage of input routines that do not validate the length of inputs.
Cross-site request forgery (application/service attacks)
These attacks utilize unintended behaviors that are proper in defined use but are performed under circumstances outside the authorized use. EX: With banking, if a user has logged in and has not closed their browser, then an action in another browser tab could send a hidden request to the bank, resulting in a transaction that appears to be authorized but in fact was not done by the user.
Replay (cryptographic attacks)
These attacks work against cryptographic systems like they do against other systems. If an attacker can record a series of packets and then replay them, what was valid before may well be valid again.
Hacktivist (types of actors)
These people are capable of writing scripts to exploit known vulnerabilities.
RFID (wireless attacks)
These tags are used in a wide range of use cases. From tracking devices to keys, the unique serialization of these remotely sensible devices has made them useful in a wide range of applications. Can either be active or passive. Active have a power source while passive have energy transmitted to them for power. Used as a means of identification and have the advantage over bar codes since they do not have to be visible to be read. Both IT/IS attacks and eavesdropping (sniffing) attacks are possible with these. Replay (spoofing) attacks are also possible.
Internal/external (attributes of actors)
These types of actors have access to the system, although it may be limited to user access, access provides the threat actor the ability to pursue their attack. The other type of actor has an additional step, the establishment of access to the system under attack.
Insiders (types of actors)(types of actors)
These types of actors have the access and knowledge necessary to cause immediate damage to an organization. Often, attacks are done by disgruntled employees.
Organized crime (types of actors)
These types of actors lurk in the shadows of anonymity and create malware and other attacks, as well as perform attacks, all with an eye on making money.
Injection (application/service attacks)
These types of attacks involve the manipulation of input, resulting in a SQL statement that is different than intended by the designer. Can also be used against XML and LDAP injections. Can give the attacker command-line access at the privilege level of the application.
Modes of operation
This 5 types of this are Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback Mode (CFB), Output Feedback Mode (OFB), and Counter Mode (CTR). This ensures blocks of identical data in ciphertext are not identified due to patterns in symmetric or block algorithms.
Pointer dereference (Memory/buffer vulnerability)
This act changes the meaning of a pointer object (in some computer languages) to the contents of the memory location, not the memory location as identified by the pointer. This can be dangerous, as mistakes in their use can lead to unexpected consequences.
Man-in-the-browser (application/service attacks)
This attack is a variant of a man-in-the-middle attack. Here, the first element is a malware attack that places a Trojan element that can act as a proxy on the target machine. EX: When a user connects to their bank, the malware recognizes the target and injects itself in the stream of the conversation. When the user approves a transfer of $150 to pay a utility bill, for example, the malware intercepts the user's keystrokes and modifies them to perform a different transaction. Zeus is a famous attack like this.
Third-party app stores (Enforcement and monitoring for:)
Your organization's policies regarding mobile devices should be consistent with your existing computer security policies. Your training programs should include instruction on mobile device security. Disciplinary actions should be consistent. Your monitoring programs should be enhanced to include monitoring and control of mobile devices. Currently there two main app stores, the Apple App Store for iOS devices and Google Play for Android devices. Managing what apps a user can add to the device is essential because many of these apps can create security risks for an organization. Using __________ app stores increases this risk.
Backup utilities
__________ are tools designed to perform one of the most important tasks in computer security, the backing up of data in case of loss.
Federation
__________ defines policies, protocols, and practices to manage identities across systems and organizations. The ultimate goal of this is to allow users to seamlessly access data or systems across domains. It is enabled through the use of industry standards such as SAML.
Carrier unlocking (Enforcement and monitoring for:)
__________ is the process of programming the device to sever itself from the carrier. This is usually done through the inputting of a special key sequence that unlocks the device.
Cellular (connection methods)
____________ connections use mobile telephony circuits, today typically fourth-generation (4G) or LTE in nature, although some 3G services still exist.
Cable locks
Portable equipment has a principal feature of being portable. This can also be a problem, as portable equipment--laptops, projectors, and the like--can be easily removed or stolen. _________ provide a simple means of securing portable equipment and furniture or another fixture in the room with the equipment resides. These can be used by road warriors to secure laptops from casual theft. They also can be used in open areas such as conference centers or rooms were portable equipment is exposed to a wide range of visitors.
Clean desk policy
Preventing access to information is also important in the work area. Firms with sensitive information should have a __________ policy specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as a custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject compromised. This policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers.
1.) Version control and 2.) Change management
Programs are developed, released, use and the changes are desired, either to change functionality, fix errors, or improve performance. This leads to multiple versions of programs. _____1____ is as simple as tracking which version of a program is being worked on, whether in development, testing, or production. _____1_____ systems tend to use primary numbers to indicate major releases, and numbers after a decimal point to indicate minor changes. Having the availability of multiple versions brings into focus the issue of ___2______, which addresses how an organization manages which versions are currently being used, and how it coordinates changes as they are released by manufacturer. Ultimately, you need a process that ensures that all changes in production are authorized, properly tested, and, in case of failure, rollback. It should also ensure that accurate documentation is produced and kept up-to-date.
Lighting
Proper ________ is essential for physical security. Unlit or dimly lit areas allow intruders to work and conduct unauthorized activities without a significant risk of observation by car or other personnel.
Data-at-rest
Protecting __________ is the most prominent use of encryption, and is typically referred to as data encryption. Whole disk encryption of laptop data to provide security in the event of device loss is an example of _________ protection. The same concept applies to data being stored in the cloud, where encryption can protect against unauthorized reading.
Supporting confidentiality (common use cases)
Protecting data from unauthorized reading is the definition of __________. Cryptography is the primary means of protecting data this way -- at rest, in transit, and in use.
Secure POP/IMAP (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. FYI... no blank: Secure POP/IMAP, listed under exam objective 2.6 basically refers to POP3 and IMAP over an SSL/TLS session. Secure POP3 utilizes TCP port 995 and Secure IMAP uses TCP port 993. Encrypted data from the email client is sent to the email server over a SSL/TLS session. With the deprecation of SSL, TLS is the preferred protocol today. It email connections are started in nonsecure mode, the STARTTLS directive tells the clients to change to the secure ports. The other male protocol, SMTP uses port 25, and SSL/TLS encrypted SMTP uses port for 65. IMAP uses port 143, secure IMAP uses port 993. POP uses port 110, but secure POP uses port 995.
Domain Name System Security Extensions - DNSSEC (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. The Domain Name Service (DNS) is a protocol for the translation of names into IP addresses. When a user enters a name such as www.example.com, the DNS system converts this name into the actual numerical IP address. DNS records are also used for email delivery. The DNS protocol uses UDP over port 53 for standard queries, although TCP can be used for large transfers such as zone transfers. The problem with DNS is that requests and replies are sent in plaintext and are subject to spoofing. __________ is a set of extensions to the DNS protocol that, through the use of cryptography, enables origin authentication of DNS data, authenticated denial of existence, and data integrity, but DOES NOT extend to availability or confidentiality. __________ records are signed so that all __________ responses are authenticated but not encrypted. This prevents unauthorized DNS responses from being interpreted as correct. Data transfers over UDP 53 are size limited to 512 bytes, and ________ packets can be larger. For this reason, _________ typically uses TCP port 53 for its work.
Secure Shell - SSH (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. The __________ protocol is an encrypted remote terminal connection program used for remote connections to a server. It uses asymmetric encryption but generally requires an independent source of trust with a server, such as manually receiving a server key, to operate. It uses TCP port 22 as its default port. It was designed as a secure replacement for Telnet.
1.) Secure Sockets Layer - SSL / 2.) Transport Layer Security - TLS (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. _______1__________ Is an application of encryption technology developed for transport layer protocols across the web. This protocol uses public-key encryption methods to exchange a symmetric key for use in confidentiality and integrity protection as well as authentication. The current version, version 3, is outdated, having been replaced by the IETF standard TLS. All versions of this have been deprecated due to security issues, and in the vast majority of commercial servers employing this, has been retired. Because of the ubiquity of the usage of the term, the term will last for quite a while, but in function, it is now done via TLS. _________2_________ is an IETF standard for the employment of encryption technology and replaces the above. Using the same basic principles, it updates the mechanisms employed by the above. Although sometimes referred to as SSL, it is a separate standard. The standard port for both the above and this is undefined, for it depends upon what the protocol that is being protected uses; for example, port 84 HTTP becomes port 443 when it is for HTTPS.
SFTP (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. __________ This letter is is the use of FTP over and SSH channel. This leverages the encryption protections of SSH to secure FTP transfers. Because of its reliance on SSH, it uses TCP port 22.
Simple Network Management Protocol - SNMPv3 (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. __________ is a standard for managing devices on IP-based networks. This was developed specifically to address the security concerns and vulnerabilities of version 1 and version 2. It is an application layer protocol, part of VIP suite of protocols and can be used to manage and monitor devices, including network devices, computers, and other devices connected to the IP network. All versions of this require ports 161 and 162 to be open on a firewall.
FTPS (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. __________ is the implementation of FTP over SSL/TLS secure channel. This supports complete FTP compatibility, yet provides the encryption protections enabled by SSL/TLS. This uses TCP ports 989 and 990.
LDAPS (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. __________ is the primary protocol for transmitting directory information. Directory services may provide any organized set of records, often with a hierarchical structure, and are used in a wide variety of situations including active directory data sets. By default this traffic is transmitted insecurely. You can make this traffic secure by using it with SSL/TLS. This uses a TLS/SSL, to connect its services. Technically, this method was retired with version 2 and replaced with simple authentication and security layer in version 3. SASL, which is not listed in the exam objectives, is a standard method of using TLS seek to secure services across the Internet. This occurs over port TCP 636. Communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any traffic is exchanged.
Hypertext Transfer Protocol Secure - HTTPS (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. __________ use delete is the use of SSL or TLS to encrypt a channel over which HTTP traffic is transmitted. Because of issues with all versions of SSL, only TLS is recommended for use. This uses TCP port 443. It is the most widely used method to secure HTTP traffic.
Secure Multipurpose Internet Mail Extensions - S/MIME (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. ____________ is a standard for transmitting binary data via an email. Emails are sent as plaintext files and any attachments need to be encoded so as to fit the plaintext format, and MIME specifies how this is done with base 64 encoding. Because it is plaintext, there is no security associated with the attachments; they can be seen by any machine between sender and receiver. It is a standard for public key encryption and signing of an IME E data in emails. It is designed to provide cryptographic protections to emails and is built into the majority of modern email software to facilitate interoperability.
Secure Real-time Transport Protocol - SRTP (protocols)
Protocols act as common language allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that by default security can be enforced via the protocol. Many different protocols exist, all of which are used to achieve specific communication goals. _____________ is a network protocol for securely delivering audio and video over IP networks. This uses cryptography to provide encryption, message authentication and integrity, and replay protection to the RTP data..
Domain name resolution (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing.
Network address allocation (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. Managing __________ functions in a network requires multiple decision criteria, including the reduction of complexity and the management of device names and locations. SNMPv3 has many functions that can be employed to manage the data flows of this information to management applications that can assist administrators in network assignments. IP addresses can be allocated either statically, which means manually configuring a fixed IP address for each device, or via DHCP, which allows the automation of assigning IP addresses. In some cases, a mix of static and DHCP is used. IP address allocation is part of proper network design which is crucial to the performance expandability of a network learn how to properly allocate IP addresses are the network and know your options if you run out of IP addresses.
Time synchronization (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. Network Time Protocol (NTP) is the standard for __________ across servers and clients. NTP is transmitted over UDP port 123. NTP has no assurance against a man in the middle attack, and although this has raised concerns over the implications, to date, nothing has been done to secure NTP directly, or to engineer an out of band security check. If you are hypersensitive to this risk, you could enclose all time communications using a TLS tunnel, although this is not an industry practice.
File transfer (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. Secure __________ can be accomplished via a wide range of methods, ensuring the confidentiality and integrity of these across networks. FTP is not secure, but as previously discussed, SFTP and FTPS our secure alternatives that can be used.
Subscription services (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. _________ is the management of data flows to and from a system based on either a push (publish) or pull (subscribe) model. Managing what data elements are needed by which nodes is a problem that you can tackle by using directory services, such as LDAP. Another use of this is the Software as a Service (SaaS) model, where software is licensed on a subscription basis. The actual software is hosted centrally, commonly in the cloud, and user access is based on subscriptions. This is becoming a common software business model.
Remote access (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. _________ is the means by which users can access computer resources across a network. Securing this can be done via many needs some for securing the authentication process and others for the actual data access itself. As with many situations that require securing communication channels or data in transit, organizations commonly use SSL/TLS to secure these. Depending upon the device being accessed, a variety of secure protocols exist. For networking equipment, such as routers and switches, SSH is the secure alternative to Telnet. For servers and other computer connections, accessed via VPN, or use of IP SEC, is common.
Directory services (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. _________ use LDAP as the primary protocol. When security is required, LDAPS is a common option, as described previously. These are frequently found behind the scenes with respect to logon information.
Email and web (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. ___________ are both native plaintext based systems. As previously discussed, HTTPS, which relies on SSL/TLS, is used to secure web connections. Use of HTTPS is widespread in common. Keep in mind that SSL is no longer considered secure. The best option for this is via S/MIME, also previously discussed.
Voice and video (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. _____________ are frequently streaming media and, as such, have their own protocols for the encoding of the data streams. To securely transfer this material, you can use the secure real-time transport protocol (SRTP), which securely delivers this over IP networks.
Routing and switching (use cases)
Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, is an example of such an effort; it is a standardized method of invoking a TLS tunnel secure communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing. __________________ are the backbone functions of networking in the system. Managing the data associated with networking is the province of SNMPv3. SNMPv3 enables applications to manage data associated with networking and devices. Local access to the boxes may be accomplished by telnet, although for security reasons SSH should be used instead.
Adverse actions
Punishing employees when they violate policies is always a difficult subject. There are two schools of thought regarding when to take __________: 1. Zero tolerance: one strike and you're out is the norm. 2. Discretionary action: the flexibility that this offers makes handling cases more challenging because management must determine the correct level of adverse action, but it also gives the flexibility to salvage. Employees was made an uncharacteristic mistake.
SSL/TLS accelerators
Rather than continue to use larger and larger servers for web pages, organization with significant SSL/TLS needs use a specialized device that is specifically designed to handle the computations. This device, called an ___________, includes hardware based SSL/TLS operations to handle the throughput, and it acts as a transparent device between the web server and the internet. When an enterprise experiences web server bottlenecks due to SSL/TLS demands, this can be an economical solution. These are also cheaper than buying extra servers.
Spear phishing (social engineering)
Refers to a phishing attack that targets a specific group with something in common. Tends to seem more plausible than a message sent to users randomly.
Warm site (recovery sites)
Related to the location of backup storage is where the restoration services will be located. If the organization has suffered physical damage to its facility, having off-site data storage is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. The sites are referred to as recovery sites. The recovery problem can be approached in a number of ways. A _________ is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. It is designed to be operational within a few days.
Hot site (recovery sites)
Related to the location of backup storage is where the restoration services will be located. If the organization has suffered physical damage to its facility, having off-site data storage is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. The sites are referred to as recovery sites. The recovery problem can be approached in a number of ways. A __________ is a fully configured environment, similar to the normal operating environments that can be operational immediately or within a few hours depending on its configuration and the needs of the organization.
Cold site (recovery sites)
Related to the location of backup storage is where the restoration services will be located. If the organization has suffered physical damage to its facility, having off-site data storage is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. The sites are referred to as recovery sites. The recovery problem can be approached in a number of ways. A ___________ will have the basic environmental controls necessary to operate but few of the computing components necessary for processing. Getting this site operational may take weeks.
Mandatory vacations
Requiring employees to use their vacation time through policy of __________ can be a security protection mechanism. Using vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary.
Risk response techniques, mitigate (risk assessment)
Risk can also be _________ through the application of controls that reduce the impact of an attack. Controls can alert operators that level of exposure is reduced process intervention. When an action occurs that is outside the accepted risk profile, a second set of rules can be applied, such as calling the customer for verification before committing the transaction. Control such as these can act to reduce the risks associated with potential virus operations.
Reputation (impact)
Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. Corporate ___________ is important in marketing. Would you do with the bank with a shoddy record of accounting or losing personal information? How about online retailing? Which or customer base and twice before entering their credit card information after a data breach?
Life (impact)
Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. Many IT systems are involved in healthcare, and failures of some of the systems can and have resulted in injury and death to patients. IT systems are also frequently integral to the operation of machines in industrial settings, and their failure can have similar impacts. Injury and loss of __________ are outcomes that backups cannot address and can result in consequences beyond others. As part of a business impact analysis, you would identify the systems and ensure that they are highly redundant, to avoid impact to this.
Property (impact)
Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. __________ damage can be the result of unmitigated risk. This type of damage can be company owned, damage to other peoples, and even environmental damage from toxic releases in industrial settings. These are all examples of damage that can be caused by IT security failures.
Safety (impact)
Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. __________ is the condition of being protected from or unlikely to cause danger, risk, or injury. This makes sense from both a business risk perspective and when you consider the level of concern one places for the well-being of people. In a manufacturing environment, with moving equipment and machines that can present a danger to workers, government regulations trust specific actions to mitigate risk and make the workplace as safe as possible. Computers are increasingly becoming involved in all aspects of businesses, and they can impact this.
Finance (impact)
Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. ___________ is in many ways the final arbiter of all activities, for it is how we keep score. We can measure the games through sales and profits, and the losses through unmitigated risks.
Antispoofing (router)
Routers are network management devices used to connect different network segments together. Routers form the backbone of the Internet, moving traffic from network to network, inspecting packets from every communication as they move traffic in optimal paths. One of the persistent problems at edge devices is verifying that the source IP address on a packet matches the expected source IP address at the interface. Many DDoS attacks rely upon bots sending packets with spoofed IP addresses. ___________ measures are performed to prevent this type of attach from happening.
ACLs (router)
Routers are network management devices used to connect different network segments together. Routers form the backbone of the Internet, moving traffic from network to network, inspecting packets from every communication as they move traffic in optimal paths. Routers use ___________ as a method of deciding whether a packet is allowed to enter the network. With these, it is also possible to examine source address and determine whether or not to allow a packet to pass. This can tremendously increase the time for a router to pass traffic and can significantly decrease router throughput.
Vendor diversity (Defense-in-depth/layered security)
Secure system design relies upon many elements, a key one being defense in depth, or layered security. Defense in depth is a security principal by which multiple, differing security elements are employed to increase the level of security. Having multiple suppliers creates __________, which reduces the risk from any single supplier. Having multiple operating systems, such as both Linux and windows, reduces the total risk should something happen to one of them.
Control diversity, technical (Defense-in-depth/layered security)
Secure system design relies upon many elements, a key one being defense in depth, or layered security. Defense in depth is a security principal by which multiple, differing security elements are employed to increase the level of security. Security controls are the mechanisms by which security functions are achieved. It is important to have control diversity. __________ are those that operates through a technological intervention in the system. Examples include elements such as user authentication (passwords), logical access controls, antivirus/anti-malware software, firewalls, intrusion detection and prevention systems, and so forth.
Control diversity, administrative (Defense-in-depth/layered security)
Secure system design relies upon many elements, a key one being defense in depth, or layered security. Defense in depth is a security principal by which multiple, differing security elements are employed to increase the level of security. Security controls are the mechanisms by which security functions are achieved. It is important to have control diversity. ___________ controls are those that operate on the management aspects of an organization. They include control such as policies, regulations, and laws. Management activities such as planning and risk assessment are common examples of these. Having multiple independent, overlapping ones can act as a form of layered security.
1.) Salt, 2.) IV, 3.) Nonce
1.)__________ is a high-entropy piece of data concatenated with the material being hashed. It is useful when the material being hashed is short and low in entropy. For example, using this on a 3 character password could add 30 characters to it and greatly increases the entropy. 2.)__________ is used in several ciphers, particularly in the wireless space, to achieve randomness even with normally deterministic inputs. These can add randomness and are used in block ciphers to initiate modes of operation. 3.)A __________ is similar to the above two, but is only used once, and if needed again, a different value is used. These provide random, nondeterministic entropy in cryptographic functions and are commonly used in stream ciphers to break stateful properties when the key is reused.
User training (Defense-in-depth/layered security)
Secure system design relies upon many elements, a key one being defense in depth, or layered security. Defense in depth is a security principal by which multiple, differing security elements are employed to increase the level of security. The best defense in an organization is to implement a strong __________ program that instructs users to recognize safe and unsafe computing behaviors. The best form of this has proven to be user-specific training, training that is related to the tasks that individuals use computers to accomplish. That means you need separate training for executives and management. Users who continually have problems should have to do remedial training.
Availability
= MTBF / (MTBF + MTTR) Ex: 6 months / (6 months + 30 mins) = 99.9884%
PFX (certificate formats)
A PKCS#12 file is a portable file format with a _________ extension. It is a binary format for storing the server certificate, intermediate certificates, and the private key in one file. _______ files are typically used on Windows machines to import and export certificates and private keys.
IPSec, Encapsulating Security Payload - ESP (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF) to securely exchange packets at the network layer (layer 3) of the Open System Interconnection (OSI) model. The IPSec protocol series has a sweeping array of services it is designed to provide, including but not limited to access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security (encryption), and dat-origin authentication. The __________ provides security services for the higher-level protocol portion of the packet only, not the IP header.
IPSec, Authentication Header - AH (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF) to securely exchange packets at the network layer (layer 3) of the Open System Interconnection (OSI) model. The IPSec protocol series has a sweeping array of services it is designed to provide, including but not limited to access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security (encryption), and dat-origin authentication. The ___________ protects the IP address, which enables data-origin authentication by protecting the non-changing elements of the IP header. It ensures the integrity of the data and also the authenticity of the data's origin.
IPSec, Tunnel Mode (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF) to securely exchange packets at the network layer (layer 3) of the Open System Interconnection (OSI) model. The IPSec protocol series has a sweeping array of services it is designed to provide, including but not limited to access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security (encryption), and dat-origin authentication. ________ mode provides encryption of course and destination IP addresses, as well as of the data itself. This provides the greatest security, but it can be done between IPSec servers (or routers) because the final destination needs to be known for delivery. Protection of the header information is known as context protection.
IPSec, Transport Mode (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF) to securely exchange packets at the network layer (layer 3) of the Open System Interconnection (OSI) model. The IPSec protocol series has a sweeping array of services it is designed to provide, including but not limited to access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security (encryption), and dat-origin authentication. __________ mode encrypts only the data portion of a packet, thus enabling an outsider to see source and destination IP addresses. This mode protects the higher-level protocols associated with a packet and protects the data being transmitted but allows knowledge of the transmission itself. Protection of the data portion of a packet is referred to as content protection.
Always-on VPN (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. One of the challenges associated with VPNs is the establishment of the secure connection. In many cases, this requires additional end-user involvement, either in the form of launching a program, entering credentials, or both. This acts as an impediment to use, as users avoid the extra steps. _________ VPNs are a means to avoid this issue, through the use of pre-established connection parameters and automation. These VPNs can self-configure and connect once an Internet connection is sensed and provide VPN functionality without user intervention.
1.) Remote access vs. 2.) Site-to-site (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. VPNs can connect machines from different networks over a private channel. When the VPN is set up to connect specific machines between two networks on an ongoing basis, with no setup per communication required, it is referred to as a ____2_____ VPN configuration. If the VPN connection is designed to allow remote hosts to connect to a network, they are called ____1_____ VPNs. Both of these VPNs offer the same protection from outside eavesdropping on the communication channel they protect, the difference is in why they are set up.
Split tunnel vs. full tunnel (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. _____1_____ is a form of VPN where not all traffic is routed via the VPN. It allows multiple connection paths, some via the protected route such as the VPN, whereas other traffic from, say, public Internet sources is routed via non-VPN paths. The advantage of this is the ability to avoid bottlenecks from all traffic having to be encrypted across the VPN. A ____1_____ would allow a user private access to information from locations over the VPN and less secure access to information from other sites. The disadvantage is that attacks from the non-VPN side of the communication channel can affect the traffic requests from the VPN side. _____2______ solution routes all traffic over the VPN, providing protection to all networking traffic.
Transport Layer Security - TLS (VPN concentrator)
A VPN concentrator acts as a VPN endpoint, providing a method of managing multiple separate VPN conversations, each isolated from the others and converting each encrypted stream to its unencrypted, plaintext form, on the network. A VPN offers a means of cryptographically securing a communication channel, and the concentrator is the endpoint for this activity. It is referred to as a concentrator because it typically converts many different, independent conversations into one channel. ___________, the successor to Secure Sockets Layer (SSL), can be used to exchange keys and create a secure tunnel that enables a secure communications across a public network. _____=based VPNs have some advantages over IPSec-based VPNs when networks are havily NAT coded, because IPSec-based VPNs can have issues crossing multiple NAT domains.
False positive
A ________ is an incorrect finding -- something that is incorrectly reported as a vulnerability. The scanner tells you there is a problem when in reality nothing is wrong.
Bridge
A _________ is a network segregation device that operates at layer 2 of the OSI model. It operates by connecting two separate network segments and allows communication between the two segments based on the layer 2 address on a packet. Traffic can be separated using ________, switches, and VLANs. Traffic separation prevents sensitive traffic from being sniffed by limiting the range over which the traffic travels.
Honeypot
A _________ is a server that is designed to act like a real server on the corporate network, but rather than having the real data, the data it possesses is fake. They serve as an attractive target to attackers. They also act as a trap for attackers as traffic in it can be assumed to be malicious. On the other side a honey net is a network designed to look like a corporate network, but is made attractive to attackers is a collection of honeypots. It looks like the corporate network but because it is known to be a false copy all of the traffic is assumed to be illegitimate. This makes it easy to characterize the attackers traffic and also to understand where attacks are coming from.
Protocol analyzer
A _________ is simply a tool user hardware or software that can be used to capture and analyze traffic passing over a communications channel such as a network although these exist for many types of communication channels such as telecommunications traffic system buses the most common use of this is for the capture an examination of network traffic.
Transitive trust
A _________ relationship means that the trust relationship extended to one domain will be extended to any other domain trusted by that domain. A two-way trust relationship means that two domains trust each other. This involves three parties: if A trusts B, and B trusts C, in this relationship, then A will trust C.
Secure token
A _________ service is responsible for issuing, validating, renewing, and canceling these security tokens. The tokens issued can then be used to identify the holders of the tokens to any services that adhere to the WS-Trust standard. These solve the problem of authentication across stateless platforms, for user identity must be established with each request. The basic five-step process to use tokens is as follows: 1. User requests access with username/password. 2. Secure token service validates credentials. 3. Secure token service provides a signed token to the client. 4. Client stores that token and sends it along with every request. 5. Server verifies token and responds with data.
Memorandum of Understanding - MOU / Memorandum of Agreement - MOA (agreement types)
A __________ & ___________ are legal documents used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal.
Recording microphone (Enforcement and monitoring for:)
A __________ can be used to record conversations, collecting sensitive data without the parties under observation even being aware of the activity. As with other high-tech gadgets, the key is to determine the policy of where these can be used and the rules for their use.
Root (types of certificates)
A __________ certificate is a certificate that forms the initial basis of trust in a trust chain. All certificates are signed by the CA that issues them, and CAs can be chained together in a trust signature. Following the chain, one climbs the tree of trust until they find a self-signed certificate, indicating it is a root certificate. What determines whether or not a system trusts a root certificate is whether or not the root certificate is in the system's store of trusted certificates. Different vendors, such as Microsoft and Apple, have trusted root certificate programs that determine by corporate policy which CAs they will label as trusted. __________ certificates, because they form anchors of trust for other certificates, are examples of CA certificates.
Trust model (concepts)
A __________ is a construct of systems, personnel, applications, protocols, technologies, and policies that work together to provide a certain level of protection. All of these components can work together seamlessly within the same trust domain because they are known to the other components within the domain and are trusted to some degree.
Digital signatures
A __________ is a cryptographic implementation designed to demonstrate authenticity and identity associated with a message. Using public key cryptography, a ____________ allows traceability to the person signing the message through the use of their private key. The addition of hash codes allows for the assurance of integrity of the message as well. The operation of a __________ is a combination of cryptographic elements to achieve a desired outcome. Doing this does NOT by itself protect the contents of the message from interception. Encryption would need to be used to do this.
Host-based firewall
A __________ is a firewall located on the host system. Because of its proximity, you can tune it to the exact specifications of that machine, making it highly specific in its granularity of function.
Crypto modules (implementation vs. algorithm selection)
A __________ is a hardware or software device or component that performs cryptographic operations securely within a physical or logical boundary. These use hardware, software, or hybrid cryptographic engines contained within the boundary, and cryptographic keys that do not leave the boundary, maintaining a level of security. Maintaining all secrets within a specified protected boundary is a foundational element of a secure cryptographic solution.
Risk register (risk assessment)
A __________ is a list of the risks associated with the system. They can also contain additional information associated with the risk element, such as categories to group like risks, probability of occurrence, impact the organization, mitigation factors, and other data. There is no standardized form.
Service Level Agreement - SLA (agreement types)
A __________ is a negotiated agreement between parties detailing the expectations between a customer and a service provider. These essentially set the requisite level of performance of a given contractual service. These are typically included as part of a service contract and set the level of technical expectations. It can defined specific services, the performance level associated with the service, issue management and resolution, and so on.
Master image
A __________ is a pre-made, fully patched image of your organization systems. This, in the form of a virtual machine can be configured and deployed in seconds to replace a system that has become tainted or is untrustworthy because of an incident. These provide the true clean backup of the operating systems, applications, everything but the data.
Crypto service provider (CSP) (implementation vs. algorithm selection)
A __________ is a software library that implements cryptographic functions. They implement encoding and decoding functions, which computer application programs may use, for example, to implement strong user authentication or for secure email. EX: Microsoft CryptoAPI (CAPI)
Privacy impact assessment
A __________ is a structured approach to determining the gap between desired privacy performance and actual privacy performance. This is an analysis of how personally identifiable information (PII) is handled through business processes and an assessment of risks to the PII during storage, use, and communication. This provides a means to assess the effectiveness of a process relative to compliance requirements and identify issues that need to be addressed.
Session keys
A __________ is a symmetric key used for encrypting messages during a communication session. It is generated from random seeds and it used for the duration of a communication session. When correctly generated and propagated during session setup, a __________ provides significant levels of protection during the communication sessions and also can afford perfect forward secrecy. They also offer the advantages of symmetric encryption, speed, strength, and simplicity, and with key exchanges possible via digital methods, significant levels of automated security.
Race conditions
A __________ is an error condition that occurs when the output of a function is dependent on the sequence or timing of the inputs. In becomes a bug when the inputs do not happen in the order the programmer intended.
Single point of failure
A __________ is any system component whose failure or malfunctioning could result in the failure of the entire system. An example of this would be a single connection to the Internet, find for small business, but not so for a large enterprise with servers serving content to customers. Redundancies have costs, but is the alternative cost is failure, then implementing levels of redundancy is acceptable.
Trusted operating system (Operating systems)
A __________ is one that is designed to allow multilevel security in its operation. This is further defined by its ability to meet a series of criteria required by the US government. These are expensive to create and maintain because any change must typically undergo a recertification process. These are most commonly used by government agencies and contractors for sensitive systems that require this level of protection.
Certificate Signing Request - CSR (components)
A __________ is the actual request to a CA containing a public key and the requisite information needed to generate a certificate. The CSR contains all of the identifying information that is to be bound to the key by the certificate generation process.
Collision
A __________ is when two different inputs have the same output on a cryptographic function such as a hash. If two inputs can be generated that produce the same hash value, this enables the movement of a digital signature from an original to a near duplicate, resulting in the failure of the digital signature to protect an original.
Privileged user (Role-based awareness training)
A ___________ Has more authority than a standard user. Short of full administrative or root access, this user has permissions to do a wider range of tasks, as their job role may require greater responsibilities. For example, a database administrator would need the equivalent of root access to database functions, but not to all servers or other operating system options. Aligning privileges to user responsibilities is good standard policy.
Web application firewall - WAF
A ___________ is a device that performs restriction based on rules associated with HTTP/HTTPS traffic. By definition, these are a form of content filter, and their configuration capabilities allow them to provide significant capability and protections. EX: Allowing Facebook but blocking Facebook games.
Hardware security module (HSM)
A ___________ is a device used to manage or store encryption keys. They offer significant performance advantages over general-purpose computers when it comes to cryptographic operations. When an enterprise has significant levels of cryptographic operations, these can provide throughput efficiencies. They are designed to allow the use of the key without exposing it to the wide range of host-based threats.
Vulnerability scanner
A ___________ is a program designed to probe the system for weaknesses, mis-configurations, old versions of software, and so on. There are essentially three main categories of these: network, host, and application. The bottom line is if you need to perform a broad sweep for vulnerabilities on one or more hosts across the network, then this is the right tool for the job.
Credentialed vs. non-credentialed
A ____________ vulnerability scan will be more accurate in determining whether a vulnerability exists, as they are not encumbered by access controls. _____________ vulnerability scans demonstrate what the system may be vulnerable against an outside attacker without access to a user account.
Faraday cage
A bigger example of shielding would be a __________, which is an enclosure of conductive material that is grounded. These can be room-sized or built into a building's construction; the critical elements is that there is no significant gap in the enclosure material. These measures can help shield EMI, especially in high radiofrequency environments.
WiFi-enabled MicroSD cards (peripherals)
A class of __________ was developed to eliminate the need to move the car from device to device to move the data. Primarily designed for digital cameras, these cards are very useful for creating Wi-Fi devices out of devices that had an SD slot. These devices work by having a tiny computer embedded in the car running the stripped-down version of Linux.
1.) Logs / 2.) WORM (SIEM)
Security Information and Event Management (SIEM) systems are a combination of hardware and software designed to classify and analyze security data from numerous sources. Log files, or ___1_____, exist across a wide array of sources, and have a wide range of locations and details recorded. The ____2____ concept is commonly employed to achieve operational efficiencies, especially when working with large data sets, such as log files on large systems.
Redundant Array of Independent Disks - RAID
A common approach to increasing reliability in disk storage is employing a _________. __________ case data that is normally stored on a single disc and spread out among several others. If any single disc is lost, the data can be recovered from the other discs with the data also reside with the price of this storage decreasing, this approach has become increasingly popular to the point users even have _________ arrays for their own systems. __________ can also increase the speed of data recovery as multiple drives me busy retrieve requested data at the same time instead of relying on just one disc to do the work. Several different _________ approaches can be considered: 0: Striped disks 1: Mirrored disks 2: Bit-level error-correcting code 3: Byte-striped with error check 4: Dedicated parity drive 5: Block-striped with error check
Risk response techniques, transfer (risk assessment)
A common method of __________ risk is to purchase insurance. Insurance allows risk to be ___________ to a third-party that manages specific types of risk for multiple parties, thus reducing the individual cost.
Virtual IPs (load balancer)
A common technique that is used in fault tolerance is load balancing through the use of a load balancer, which move loads across a set of resources in an effort not to overload individual servers. This technique is designed to distribute the processing load over two or more systems. In a load balanced environment, the IP addresses for the target servers of a load balancer will not necessarily match the address associated with the router sending the traffic. Load balancers handle this through the concept of ___________, that allow for multiple systems to be reflected back as a single IP address.
Active-Active (load balancer)
A common technique that is used in fault tolerance is load balancing through the use of a load balancer, which move loads across a set of resources in an effort not to overload individual servers. This technique is designed to distribute the processing load over two or more systems. In an __________ scheme, all the load balancers are active, sharing the load balancing duties. Here, it is important to watch the load, since failure of one could cause overload in another, backing up or stopping traffic. A standby system can help to mitigate this.
Active-Passive (load balancer)
A common technique that is used in fault tolerance is load balancing through the use of a load balancer, which move loads across a set of resources in an effort not to overload individual servers. This technique is designed to distribute the processing load over two or more systems. In an __________ scheme, the primary load balancer is actively doing the balancing while the secondary load balancer passively observes and is ready to step in at any time the primary system fails.
1.) Scheduling: 2.) Affinity-based & 3.) Round-robin scheduling (load balancer)
A common technique that is used in fault tolerance is load balancing through the use of a load balancer, which move loads across a set of resources in an effort not to overload individual servers. This technique is designed to distribute the processing load over two or more systems. When a load balancer moves loads across a set of resources, it decides which machine gets a request via a ___1_____ algorithm. There are two-types of these: 1.) ____2_____ is designed to keep a host connected to the same server across a session. The method is to have the load balancer keep track of where it last balanced a particular session and direct all continuing session traffic to the same server. 2.) ____3_____ involves sending each new request to the next server in the rotation. All requests are sent to servers in equal amounts, regardless of the server load.
Aggregation (SIEM)
Security Information and Event Management (SIEM) systems are a combination of hardware and software designed to classify and analyze security data from numerous sources. One of SIEMs key functions is the ___________ of security information sources, which refers to the collecting of information in a central place, in a common format, to facilitate analysis and decision making. Things that can feed this include system event logs, firewall logs, security application logs, and specific program feeds.
Capture video (Data acquisition)
A convenient method of capturing significant information at the time of collection is __________. videos allow high-bandwidth data collection that can show what was connected to what, how things were laid out, desktops, and so forth. A picture can be worth 1000 words, so take the time to document everything with pictures. Pictures of serial numbers and network and USB connections can prove invaluable later in the forensics process. Another source of this data is the CCTV's that are used for security, both in the industry and, in growing numbers, homes.
1.) Automated alerting and 2.) Triggers (SIEM)
Security Information and Event Management (SIEM) systems are a combination of hardware and software designed to classify and analyze security data from numerous sources. _____1_____ can remove much of the time delay between specific activity and security operations reaction. Consider a SIEM like an IDS on steroids, for it can use external information in addition to current traffic information to provide a much richer pattern-matching environment. A _____2_____ event can result in the SIEM highlighting a connection on an analyst's workstation or, in some cases, responding automatically.
Time synchronization (SIEM)
Security Information and Event Management (SIEM) systems are a combination of hardware and software designed to classify and analyze security data from numerous sources. _________ is a common problem for computer systems. Having a common time standard for all the systems is essential if you want to be able to compare their logs. UTC (Coordinated Universal Time) is a global time standard and does not have the issues of daylight saving settings, or even different time zones.
Correlation (SIEM)
Security Information and Event Management (SIEM) systems are a combination of hardware and software designed to classify and analyze security data from numerous sources. __________ is the connection of events based on some common basis. Events can correlate base don time, based on common events, based on behaviors, and so on. It is useful to help look for patterns and then use those patterns to find future issues.
Certificate (components)
A digital __________ binds an individual's identity to a public key, and it contains all the information a receiver needs to be assured of the identity of the public key owner. After an RA verifies an individual's identity, the CA generates the digital certificate, but how does the CA know what type of data to insert into the certificate? The certificates are created and formatted based on the X.509 standard, which outlines the necessary fields of a certificate and the possible values that can be inserted into the fields. X.509 version 3 is the most current version. The following fields are included in a X.509 digital __________: -Version number -Subject -Public key -Issuer -Serial number -Validity -Certificate usage -Signature algorithm -Extensions
Lightweight Directory Access Protocol - LDAP
A directory is a data storage mechanism similar to a database, but it has several distinct differences designed to provide efficient data I retrieval services compared to standard database mechanisms. A directory is designed and optimized for reading data, offering very fast search and retrieval operations. The types of information stored in a directory tend to be descriptive attribute data. A directory offers a static view of data that can be changed without a complex update transaction. The data is hierarchically describe any treelike structure, and a network interface for reading typical. Common uses of directories including email address lists, domain server data, and resource maps of network resources. The __________ is commonly used to handle user authentication and authorization and to control access to Active Directory objects
1.) Stateless vs. 2.) Stateful (Firewall)
A firewall can be hardware, software, or a combination of both whose purpose is to enforce a set of network security policies across network connections. A typical network firewall operates on IP addresses and ports, in essence a ____1____ interaction with the traffic. A ____2_____ packet inspection firewall can act upon the state condition of a conversation -- is this a new conversation or a continuation of a conversation, and did it originate inside or outside the firewall? This means that the firewall maintains, or knows, the context of a conversation. These will be accomplished on Ports 1023 and up.
Implicit deny (Firewall)
A firewall can be hardware, software, or a combination of both whose purpose is to enforce a set of network security policies across network connections. All firewall rulesets should include an __________ rule that is in place to prevent any traffic from passing that is not specifically recognized as allowed. Firewalls execute their rules upon traffic in a top-down manner, with any allow or block rule whose conditions are met ending the processing. This means the order of rules is important. It also means that the last rule should be a deny all rule, for any traffic that gets to the last rule and has not met a rule allowing it to pass should be blocked. To invoke this, the last rule should be a deny all rule, because any traffic that gets to the last rule and has not met a rule allowing it to pass should be blocked.
1.) Application-based vs. 2.) Network-based (Firewall)
A firewall can be hardware, software, or a combination of both whose purpose is to enforce a set of network security policies across network connections. _____1____can analyze traffic at an even deeper level, examining the application characteristics of traffic and blocking specific actions while allowing others, even inside web-connected applications. This gives these types of firewalls much greater specificity than _____2____ that only look at IP addresses and ports.
ACL (Firewall)
A firewall can be hardware, software, or a combination of both whose purpose is to enforce a set of network security policies across network connections. A web server connected to the Internet may be configured to allow traffic only on port 80 for HTTP and have all other ports blocked except for port 25, which is for the mail server. __________ are lists of users and their permitted actions. The simple objective is to create a lookup system that allows a device to determine which actions are permitted and which are denied. A router can contain an _______ that list permitted addresses or blocked addresses, or a combination of both. Users can be identified in a variety of ways, including by a user ID, a network address, or a token.
Rootkit
A form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality. These modify the operating system kernel and supporting functions, changing the nature of the system's operation. Designed to avoid the security functions of the OS to avoid detection. EX: Sony BMG Corp used this to provide copy protection technology on some of the company's CDs.
Ransomware
A form of malware that performs some action and extracts ransom from a user. EX: CryptoLocker which is a Trojan horse that will encrypt certain files using RSA public key encryption.
Bots
A functioning piece of software that performs some task, under the control of another program. An entire assembly is called a botnet. Can perform spam, spyware, fraud and more. EX: Latest botnets mined Bitcoins. Zeus was a keystroke logger that stole banking information. Conficker was another one that involved a gov't working group to study it.
Application cells/containers (Hypervisor)
A hypervisor is a low-level program that allows multiple operating systems to run concurrently on a single host computer. Hypervisor's use a thin layer of code to allocate resources in real-time. The hypervisor at the traffic, that controls I/O and memory management. A hypervisor-based virtualization system enables multiple operating system instances to coexist on a single hardware platform. The concept of __________ is similar, but rather than having multiple independent operating systems, a ____________ holds the portions of an operating system that it need separate from the kernel. So, in essence, multiple _________ can share and operating system, yet have separate memory, EU, and storage threads, guaranteeing that they will not interact with other ________. this allows multiple instances of an application or different applications to share a host operating system with virtually no overhead. This also allows portability of the application to a degree separate from the operating system stack. You can think of these is the evolution of the virtual machine concepts to the application space. A ________ consists of an entire runtime environment bundled into one package: an application, including all its dependencies, libraries, and other binaries, and the configuration files needed to run it.
Type I (Hypervisor)
A hypervisor is a low-level program that allows multiple operating systems to run concurrently on a single host computer. Hypervisor's use a thin layer of code to allocate resources in real-time. The hypervisor at the traffic, that controls I/O and memory management. __________ hypervisors run directly on the system hardware. They are referred to as a native, air-metal, or embedded hypervisor's in typical vendor literature. __________ hypervisor's are designed for speed and efficiency, as they do not have to operate through another operating system layer area examples of this type of hypervisor include KVM (Kernel-based Virtual Machine, a Linux implementation), Xen, Microsoft Windows Server Hyper-V, and VMware's vSphere/ESXi platforms. All of these hypervisor's are designed for the high-end server market in enterprises, and are designed to allow multiple virtual machines on a single set of server hardware. These platforms come with management toolsets to facilitate VM management in the enterprise.
Type II (Hypervisor)
A hypervisor is a low-level program that allows multiple operating systems to run concurrently on a single host computer. Hypervisor's use a thin layer of code to allocate resources in real-time. The hypervisor at the traffic, that controls I/O and memory management. ____________ hypervisors run on top of a host operating system. In the beginning of the virtualization movement, ________ hypervisor's were most popular. Administrators can buy the VM software install it on the server they already have money. Typical _________ hypervisor's include Oracle's VirtualBox and VMware's VMware Player. These are designed for limited numbers of virtual machines, typically running in a desktop or small server environment.
Snapshots (backup concepts)
A key element in business continuity/disaster recovery plans is the availability of backups. Data backup is a critical element in the planning, as well as the normal operation. Keep in mind that the purpose of the backup is to provide valid, uncorrupted data in the event of corruption or loss of the original file or the media where the data was stored. Depending on the type of organization, legal requirements for maintaining backups can also affect how it is accomplished. A __________ is a copy of a virtual machine at a specific point in time. It is created by copying the files that store the virtual machine. One of the advantages of a virtual machine over a physical machine is the ease with which the virtual machine can backup and restore--the ability to refer to an earlier __________ is as easy as clicking a button and waiting for the machine to be restored via a change of the files.
Differential (backup concepts)
A key element in business continuity/disaster recovery plans is the availability of backups. Data backup is a critical element in the planning, as well as the normal operation. Keep in mind that the purpose of the backup is to provide valid, uncorrupted data in the event of corruption or loss of the original file or the media where the data was stored. Depending on the type of organization, legal requirements for maintaining backups can also affect how it is accomplished. In a __________ backup, only the files that have changed since the last full backup was completed are backed up. This also implies that periodically a full backup needs to be accomplished. The frequency of the full backup versus the interim differential backups depends on your organization and needs to be part of your defined strategy. Restoration from this backup requires two steps: the last full backup first needs to be loaded, and then the last __________ backup performed can be applied to update the files that have been changed since the full backup was conducted. Again, this is not a difficult process but it does take some time.
Incremental (backup concepts)
A key element in business continuity/disaster recovery plans is the availability of backups. Data backup is a critical element in the planning, as well as the normal operation. Keep in mind that the purpose of the backup is to provide valid, uncorrupted data in the event of corruption or loss of the original file or the media where the data was stored. Depending on the type of organization, legal requirements for maintaining backups can also affect how it is accomplished. The __________ backup Is a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, this backup backs up only files that have changed since the last full OR _________ backup occurred, thus requiring fewer files to be backed up. With fees backups, even less information will be stored in each backup. In this backup, the archive bit is cleared.
Full (backup concepts)
A key element in business continuity/disaster recovery plans is the availability of backups. Data backup is a critical element in the planning, as well as the normal operation. Keep in mind that the purpose of the backup is to provide valid, uncorrupted data in the event of corruption or loss of the original file or the media where the data was stored. Depending on the type of organization, legal requirements for maintaining backups can also affect how it is accomplished. The easiest type of backup to understand is the __________ backup. In this backup, all files and software are copied onto the storage media. Restoration from this backup is similarly straightforward--you must copy all the files back on your system. This process can take a considerable amount of time. Consider the size of even the average home PC today, for which storage is measured in tens and hundreds of gigabytes. Copying this amount of data takes time. In this backup, the archive bit is cleared.
On-boarding
A key element when __________ personnel is to ensure that the personnel are aware of and understand their responsibilities with respect to securing company information and assets. This procedure should be well documented to ensure compliance with legal requirements.
Rogue system detection (Network scanners)
A network scanner is a tool designed to probe network or systems for open ports and hence machines that are on the network's. Its job is to probe for open or listening ports and report back to the user which ports are closed which are filtered in which are open. Network scanners are also called Port scanners and can be used to do the following: search for live hosts on a network; search for any open ports on the network; search for specific ports; identify services on ports; look for TCP/UDP services. One of the challenges of network engineers is to determine if unauthorized equipment is attached to a network. Ro systems are unauthorized systems and fall outside of the enterprise operations umbrella adding risks to a system. This is why the first elements of the top 20 security controls consist of knowing the authorized software and hardware in your environment. You should do _________ on a regular basis, which you can do in two ways with the network scanner. First, you can do active scans of the network to detect any device is not authorized. Second, you can do a passive scan via an examination of packets to see if anyone is communicating who is not authorized.
Identification of critical systems
A part of identifying mission-essential functions is identifying the systems and data that support functions. __________ enables the security team to properly prioritize defenses to protect the systems and data in a manner commensurate with the associated risk. It also enables the proper sequence and of restoring operations to ensure proper restoration of services.
Virus
A piece of malicious code that replicates by attaching itself to another piece of executable code. Two types -- boot sector and program. Note that an Armored Virus employs encryption
Trojan
A piece of software that appears to do one thing but hides some other functionality. Once it is inside the system it will perform its hidden purpose with the user often still unaware of its true nature.
Keylogger
A piece of software that logs all of the keystrokes that a user enters.
1.) Forward & 2.) Reverse proxy (proxy)
A proxy server can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites. A proxy server takes requests from a client system and forwards them to the destination server on behalf of the client. A ___1_____ operates to forward requests to servers based on a variety of parameters. A _____2____ is typically installed on the server side of a network connection, often in front of a group of web servers, and intercepts all incoming web requests.
Degaussing (data destruction and media sanitization)
A safer method for destroying files on magnetic storage devices is to destroy the data magnetically, using a strong magnetic field to _________ the media. _________ realigns the magnetic particles, removing the organized structure that represented the data. This effectively destroys all data on the media. Several commercial ones are available for this purpose.
Impersonation (social engineering)
A situation where the attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim's biases against their judgement to follow procedures. EX: Third-Party Authorization, Help Desk/Tech Support, Contractors/Outside Parties, Online Attacks
Flood guard (switch)
A switch forms the basis for connections in most Ethernet-based local area networks (LANs). A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side and one from the switch to the network upstream. SNMP and Telnet protocols, both of which have a serious weakness in that they send passwords across the network in clear text. SNMPv3 adds cryptographic protections, making it a preferred solution. One form of attack is a flood. There are numerous types of flooding attacks: ping floods, SYN floods, ICMP floods (Smurf attacks), and traffic flooding. __________ act by managing traffic flows.
Transparent (proxy)
A switch forms the basis for connections in most Ethernet-based local area networks (LANs). A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side and one from the switch to the network upstream. SNMP and Telnet protocols, both of which have a serious weakness in that they send passwords across the network in clear text. SNMPv3 adds cryptographic protections, making it a preferred solution. Proxy servers can be completely __________ (these are usually called gateways or tunneling proxies), or they can modify the client request before serve the client's request without needing contact the destination.
1.) Layer 2 vs. 2.) Layer 3 (switch)
A switch forms the basis for connections in most Ethernet-based local area networks (LANs). A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side and one from the switch to the network upstream. SNMP and Telnet protocols, both of which have a serious weakness in that they send passwords across the network in clear text. SNMPv3 adds cryptographic protections, making it a preferred solution. Switches operate at the data link layer of the OSI model, while routers acts at the network layer. Switch have become what routers are on the Internet -- the device of choice for connecting machines. A switch is usually a ___1____ device, operating at the data link layer, but ____2_____ switches that operate at the network layer can incorporate routing functionality.
Loop prevention (switch)
A switch forms the basis for connections in most Ethernet-based local area networks (LANs). A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side and one from the switch to the network upstream. SNMP and Telnet protocols, both of which have a serious weakness in that they send passwords across the network in clear text. SNMPv3 adds cryptographic protections, making it a preferred solution. There is no countdown mechanism to kill packets that get caught in loops or on paths that will never resolve. This means that another mechanism is needed for ____________. Spanning trees are employed to help prevent this. It acts by trimming connections that are not part of the spanning tree connecting all of the nodes.
1.) Application / 2.) Multipurpose (proxy)
A switch forms the basis for connections in most Ethernet-based local area networks (LANs). A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side and one from the switch to the network upstream. SNMP and Telnet protocols, both of which have a serious weakness in that they send passwords across the network in clear text. SNMPv3 adds cryptographic protections, making it a preferred solution. ____1_____ proxies act as proxies for a specific application only, while ____2_____ proxies act as a proxy for multiple systems or purposes. Proxy servers can provide a wide range of services in a system including: -Anonymizing proxy -Caching proxy -Content-filtering proxy -Open proxy -Web proxy
Port security (switch)
A switch forms the basis for connections in most Ethernet-based local area networks (LANs). A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side and one from the switch to the network upstream. SNMP and Telnet protocols, both of which have a serious weakness in that they send passwords across the network in clear text. SNMPv3 adds cryptographic protections, making it a preferred solution. ___________ is a capability provided by switches that enables you to control which devices and how many of them are allowed to connect via each port on a switch. This is based on MAC addresses so it can be determined whether a packet is allowed or blocked from a connection. This is the very function that a firewall uses for its determination, and this same functionality is what allows an 802.1X device to act as an "edge device". It has three variants: 1. Static learning - MAC addresses need to be known and programmed in advance. 2. Dynamic learning - Learns MAC addresses when they connect. 3. Sticky learning - Stores the info in memory that persists through reboots. Prevents changes in settings from an attacker through power cycling.
Intrusive vs. non-intrusive
A test that changes the system state is referred to as an ___________ test. The other method is to perform a test in a manner that does not directly interact with the specific vulnerability. This is referred to as a _______________ test.
Environmental (threat assessment)
A threat assessment is a structured analysis of the threats that confronts an enterprise. Threats are important to understand, for you generally cannot change the threat--you can only change how it affects you. One of the largest sources of threats is from this. __________ changes can come from a wide variety of sources, whether, lightning, storms, and even solar flares, and these can cause changes to the system in a manner that disrupts normal operations. These changes can increase risk. Making systems resilient can reduce impacts and mitigate the sources of risk to the enterprise.
1.) Internal vs. 2.) External (threat assessment)
A threat assessment is a structured analysis of the threats that confronts an enterprise. Threats are important to understand, for you generally cannot change the threat--you can only change how it affects you. _____1_____ threats include disgruntled employees, and well-meaning employees who make mistakes or have an accident. These threats tend to be more damaging, as the perpetrator has already been granted some form of access. The risk is related to the level of access and the value of the asset being worked on. For instance, if a system administrator working on the domain controller accessory erases a critical value and crashes the system, it can be just as costly as an unauthorized outsider performing the DoS attack against the enterprise. _____2_____ threats come from outside the organization, and by definition begin without access to the system. Access is reserved to users who have a business need to know and have authorized accounts on the system. Outsiders must first hijacked one of these accounts. These extra steps and the reliance on external connections we make these attackers easier to detect.
Manmade (threat assessment)
A threat assessment is a structured analysis of the threats that confronts an enterprise. Threats are important to understand, for you generally cannot change the threat--you can only change how it affects you. ___________ threats are those that are attributable to the actions of a person. But these threats are limited to hostile actions by attacker; they can include accidents by users. Users can represent one of the greatest risks to an IT system. More files or lost by accidental user deletion then by hackers deleting files, and to the team trying to restore the lost files, the attribution has no bearing on the restoration effort. User actions, such as poor cyber hygiene and reusing passwords, have all been shown to be the starting point for many major cyber security events of the past several years. Proper controls to manage the risk to the system must include controls against both accidental and purposeful acts.
1.) Random / 2.) pseudo-random number generation
A true _____1_____ number has no correlation to previous ____1_____ numbers, nor future ____1_____numbers, and has a uniform frequency distribution over the range of interest. Other numbers, call ____2____ appear to be random but because they are algorithmically generated, if no one knows the algorithm and the seeds, then they cannot predict future values.
Logic bomb
A type of malicious software that is deliberately installed, generally by an AUTHORIZED user. It is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload. EX: A program that checks the company's payroll roster and if a certain employee is missing, then this will delete vital corporate files.
Phishing (social engineering)
A type of social engineering in which an attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an email or instant message sent to a large group of often random users. Attacker attempts to obtain information such as usernames, passwords, credit cards numbers, and bank account info.
Vishing (social engineering)
A variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. EX: VoIP
Resources/funding (attributes of actors)
APTs, and nation states have a penchant for long-term attacks, which requires this which only major organizations or government can manage over time.
Expiration (account policy enforcement)
Account _________ should occur when a user is no longer authorized system. This requires coordination between those who manage access control lists and accounts and those who manage the need for access. The best solution is to have those who manage users also manage account expiration because they are better situated to know when an employee transfers, quits, or otherwise no longer requires an account.
Disablement (account policy enforcement)
Account __________ is a step between the account having access in the account being removed from the system. Whenever an employee leaves a firm, all associated accounts should be disabled to prevent further access by the X-employee. Doing this is preferable to removal as removal they result in permissions and ownership problems.
Lockout (account policy enforcement)
Account __________ is akin to disablement, although this typically refers to temporarily blocking the user's ability to log into a system. For example, if a user NIST types are password a certain number of times, she may be forced to wait a set amount of time while her account is locked out before attempting to log in again.
Recovery (account policy enforcement)
Account __________ seems like one of those esoteric topics until you lose the password on your laptop and have no way back in. The same is even more serious if you lose administrator account passwords to key elements of your infrastructure. Having a recovery plan for accounts should something happen to the person who knows the password is important for the enterprise to continue after the loss of that resource.
Annual Loss Expectancy - ALE (risk assessment)
After calculating the SLE, the ___________ is then calculated simply by multiplying the SLE by the likelihood or number of times the event is expected to occur in a year, which is called the annualized rate of occurrence (ARO): = SLE x ARO This represents the expected losses over the course of a year based on the __________. if multiple events are considered, the arithmetic sum of all of the SLEs and AROs can be done to provide a summation amount.
Chain of custody
After evidence is collected, it must be properly controlled to prevent tampering. The __________ accounts for all persons who handled or had access to the evidence. More specifically, this shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time the evidence was obtained. The following shows the critical steps in the __________: 1. Record each item collected as evidence. 2. Record who collected the evidence along with the date and time it was collected or recorded. 3. Write a description of the evidence in the documentation. 4. Put the evidence in containers and take the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container. 5. Record all message digest (hash) values in the documentation. 6. Securely transport the evidence to a protected storage facility. 7. Obtain a signature from the person who accepts the evidence at this storage facility. 8. Provide controls to prevent access to and compromise of the evidence while it is being stored. 9. Securely transport the evidence to court for proceedings.
Airgap
An _________ is a term used to describe the physical and logical separation of a network from all other networks. This separation is designed to prevent unauthorized data transfers to and from the network. The flaw in this logic is that users will move data by other means, such as a USB drive, get their work done. Frequently called "sneaker net," this unauthorized bypassing of the __________, although ostensibly for the purpose of mission accomplishment, increases system risk because it also bypasses checks, blogging, and other processes important in development and deployment.
Interconnection Security Agreement - ISA (agreement types)
An __________ is a specialized a grievance between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. This can be part of an MOU detailing the specific technical security aspects of a data interconnection.
Immutable systems (Secure DevOps)
An __________ is a system that, once deployed, is never modified, patched, or upgraded. If a password update is required, the system is merely replaced with a new system that is patched and updated.
Acceptable use policy - AUP/rules of behavior
An ___________ outlines what the organization considers to be the appropriate use of its resources, such as computer systems, email, Internet, and networks. Organizations should be concerned about any personal use of organizational assets that does not benefit the company.
Software (Tokens)
An access token is a physical object that identify specific access rights, and in authentication falls into the "something you have"factor. Your house key, for example, is a basic physical access token that allows you access into your home. Access tokens may also be implemented software. _________ still provide to-factor authentication but don't require the user to have separate physical device on hand. Some tokens require software clients that store a symmetric key--sometimes called a seed record--in a secure location on the user's device.
Hardware (Tokens)
An access token is a physical object that identify specific access rights, and in authentication falls into the "something you have"factor. Your house key, for example, is a basic physical access token that allows you access into your home. There are several forms of __________, from proximity cards and smart cards to common access cards (CACs), USB tokens, and key files with RFID chips.
1.) HMAC-based One-Time Password - HOTP / 2.) Time-based One-Time Password - TOTP (Tokens)
An access token is a physical object that identify specific access rights, and in authentication falls into the "something you have"factor. Your house key, for example, is a basic physical access token that allows you access into your home. _______1_______ is an algorithm that can be used to authenticate a user in a system by using an authentication server. The _____2______ is a specific implementation of number one that uses a secret key with a current timestamp to generate a one-time password.
Social engineering
An attack against a user, and typically involves some form of social interaction. The weakness that is being exploited in the attack is not necessarily one of technical knowledge, or even security awareness. It involves manipulating the very social nature of interpersonal relationships.
DDoS (application/service attacks)
An attack employing multiple attacking systems. Used to deny the use of or access to a specific service or system. EX: In the year 2000, there were highly publicized attacks on eBay, CNN, Amazon, and Yahoo!.
Man-in-the-middle (application/service attacks)
An attack where an attacker is able to place himself in the middle of two other hosts that are communicating. All communication going to or from the target host is routed through the attacker's host. The attacker then observe all traffic before relaying it, and can modify it or block traffic. A way to instantiate an attack like this is via session hijacking which can occur when information like a cookie is stolen.
Whaling (social engineering)
An attack where the target is a high-value person, such as a CEO or CFO. Custom-built to increase the odds of success -- crafted to imitate a non-suspicious communication.
Crypto-malware
An early name given to malware that encrypts files on a system and then leaves them unusable either permanently, acting as a denial of service, or temporarily until a ransom is paid. EX: WannaCry was an example of this
Location selection (geographic considerations)
An important element to factor into the cost of the backup strategy the expense of storing the backups. FYSA... Taking a storage location for backups has several key elements. First is physical safety of the backup media. Because of the importance to maintain a proper environmental conditions safe from outside harm, this can limit locations. HVAC can be a consideration, as well as issues such as potential flooding and theft. Protecting the backup media is important as damage to it may not be discovered until the media is needed and then the loss becomes potentially catastrophic.
Distance (geographic considerations)
An important element to factor into the cost of the backup strategy the expense of storing the backups. The __________ associated with an off-site backup is a logistics problem. If you need to restore system in the back of the store hours away by car, that increases the recovery time. The delay resulting from physical movement of backup tapes has been alleviated in many systems or networks that move the data at the speed of the network. __________ is also critical when examining the reach of a disaster. It is important that the off-site location is far enough away that it is not affected by the same incident. This includes the physical location of cloud storage provider servers. These are businesses in Puerto Rico and so is your cloud provider servers, for example, Hurricane Maria likely major data unavailable for a long time.
Legal implications (geographic considerations)
An important element to factor into the cost of the backup strategy the expense of storing the backups. With regard to location selection, if you are considering cloud storage for your backups you must take into consideration the __________ of where the data would actually be stored. Different jurisdictions have different laws, rules, and regulations concerning court tools such as encryption. Understanding how these affect data backup storage plans critical to prevent downstream problems. Some countries require storage of data concerning their citizens to be done within their borders, under their legal jurisdiction. Other countries may have different government regulations concerning privacy that would impact the security of the data. In the end, without proper contracting review, one may not have any idea where their data is actually stored, for what might be a cloud in Atlanta this week, could be Albania next week.
Off-site backups (geographic considerations)
An important element to factor into the cost of the backup strategy the expense of storing the backups. _________ are just that, backups that are stored in a separate location from the system being backed up. This can be important in the realm of problems that can affect larger areas that a single room. A building fire, a hurricane, tornado... These are all disasters that occur frequently and typically affect a larger area than a single room or building. Having this type of backup alleviates the risk of losing the backup to the same problem. In today's high-speed network world with cloud services, storing backups in the cloud is an option that can result many of the risk issues associated with backup availability.
Data sovereignty (geographic considerations)
An important element to factor into the cost of the backup strategy the expense of storing the backups. ___________ is a relatively new type of legislation several countries have enacted recently that mandates data stored within their borders is subject to their laws, and in some cases that data originating within their borders must be stored there.
Network traffic logs (Data acquisition)
An important source of information in an investigation can be the network activity associated with the device. There can be a lot of useful information in the _________ associated with network infrastructure. The level and breadth of this information is determined by the scope of the investigation.
Roles and responsibilities (incident response plan)
An incident response plan describes the steps an organization performs in response to any situation determines to be abnormal in the operation of the computer system. A critical step in the incident response planning process define the __________ of the incident response team members. These may vary slightly based on the identified categories of incident, but the finding them before an incident occurs empowers the team to perform the necessary tasks during the time sensitive aspects of an incident. Permissions to cut connections, change servers, and start/stop services are common examples of actions that are best defined in advance to prevent time-consuming approvals during actual incident.
Exercise (incident response plan)
An incident response plan describes the steps an organization performs in response to any situation determines to be abnormal in the operation of the computer system. One really doesn't know how well a plan is crafted until is tested. __________ , in many forms and functions, and doing a tabletop one where planning and preparations are tested is an important final step in the planning process. Having a process in the team is not enough unless the team's practice the process on the systems of the enterprise.
Reporting requirements/escalation (incident response plan)
An incident response plan describes the steps an organization performs in response to any situation determines to be abnormal in the operation of the computer system. Planning the desired __________ including escalation steps is an important part of the operational plan for an incident. We'll talk to the incident and to whom, and will they say? How does the information flow? Who needs to be involved? When does the issue escalates higher levels of management? These are all questions that handle the call of a pre-incident planning meeting where the procedures are crafted rather than on the fly as an incident is occurring.
Cyber-incident response teams (incident response plan)
An incident response plan describes the steps an organization performs in response to any situation determines to be abnormal in the operation of the computer system. The __________ is composed of the personnel are designated to respond to the incident. The incident response plan should identify the membership and backup members, prior to incident occurring. Once incidence response begins, trying to find personnel to the tasks only slows down the function, and in many cases would make it manageable. Whether a dedicated team or a group of situational volunteers, the planning aspect of this is to address the topic of who is on and what are their duties.
Documented incident types/category definitions (incident response plan)
An incident response plan describes the steps an organization performs in response to any situation determines to be abnormal in the operation of the computer system. To assist in the planning of incident responses into group the myriad possible incidents into a manageable set of categories, one step of the incident response planning process is the ___________. This provides planners and responders with a set number of preplanned scripts that can be applied quickly, minimizing repetitive approvals and process flows. Examples of how categories are defined include items such as interruption of service, malicious communication, data exfiltration, malware delivery, phishing attack, and so on, although this list will be customized to meet the IT needs of each organization.
Job rotation
Another policy that provides multiple benefits is __________. rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance or hinder the business.
Code signing (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. An important factor in ensuring that software is genuine and has not been altered is a method of testing the software integrity. With software being updated across the web, how can you be sure that the code received is genuine and has not been tampered with? The answer is a process known as __________, which involves applying a digital signature to code, providing a mechanism where the end user can verify the code integrity. In addition to verifying the integrity of the code, digital signatures provide evidence as to the source of the software.
Server-side vs. client-side execution and validation (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. FYSA... Input validation can be performed either on the server side of a client-server architecture or on the client side. In all client-server and peer-two-peer operations, one universal truth applies: never trust input without validation. Systems that are designed and configured without regard to this truth are subject to client-side attacks. Systems can be designed with the client has the functionality needed to assure input veracity, but there's always the risk that the client can become corrupted, whether by malware, a disgruntled user, or simple misconfiguration. The veracity of client-side execution actions cannot be guaranteed. Server-side execution of code can be secured making it the preferred location for sensitive operations such as input validation.
Proper error handling (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. FYSA.... Every application will encounter errors and exceptions, and these need to be handled in a secure manner. One attack methodology includes forcing errors to move an application from normal operation to the exception handling. During exception, it is common practice to record/report the condition, including supporting information such as the data that resulted in the air. This information can be invaluable in diagnosing the cause of the error condition. The challenge is in where this information is captured. The best method is to capture it in a log file, where it can be secured by an ACL. The worst case is when it is echoed to the user. Echoing error condition details to users can provide valuable information to attackers when they cause errors on purpose.
1.) Code reuse / 2.) Dead code (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. Modern software development includes extensive reuse of components. From component libraries to comment functions across multiple components, there is significant opportunity to reduce development time and costs through ____1_____. this can also simplify the system through the use of known elements. The downside of massive ___1____ is that failure of a widely reuse code component has a ripple effect across many applications. _____2______ is code that while it may be asked, the results that it produces are never used elsewhere in the program. There are compiler options that can remove dead code, called dead code elimination, but you must use these options with care. Assume you have a section of code that you put in specifically to set a secret value to all zeros. The logic is as follows: generate secret key, you secret key, set secret key to zero. You do this last step to remove the key for memory and keep it from being stolen. But along comes the ___2____ removal routine. It seems that you set the value of secretkey ==0, but then you never use it again. So the compiler, in optimizing your code, removes your protection step.
Use of third-party libraries and Software Development Kits - SDKs (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. Programming today is, to a great extent, an exercise in using ___________. this is because once code has been debugged and proven to work, rewriting it is generally not a valuable use of time. Also, some fairly complex routines, such as encryption, have vetted, proven library sets that remove a lot of risk from programming these functions.
Proper input validation (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. With the move to web-based applications, the errors have shifted from buffer overflows to input-handling issues. Users have the ability to manipulate input, so it is up to the developer to handle the input appropriately to prevent malicious entries from having an effect. _________ is especially well-suited for the following vulnerabilities: buffer overflow, reliance on un-trusted inputs in a security decision, cross-site scripting (XSS), cross-site request forgery (XSRF), path traversal, and incorrect calculation of buffer size. Consider all input to be hostile. This is one of the most important secure coding techniques employed, mitigating a wide array of potential vulnerabilities.
Normalization (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. _________ is an initial step in the input validation process. Specifically, it is the step of creating the canonical form, or simplest form, of a string before processing. Strings can be encoded using Unicode and other encoding methods. This makes byte-by-byte comparisons meaningless when trying to screen user input strings. Checking to see if the string is "rose" can be difficult when: A Rose, is a rose, is a r%6fse (all of these represent the same string, just different forms). The process of __________ converts all of these two rows, where can then be screened as valid input. Different libraries exist to assist developers in performing this part of input validation.
Stored procedures (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. __________ are precompiled methods implemented with in a database engine. They act as a secure coding mechanism because they offer and isolation of user input from the actual SQL statements being executed. What cannot happen is to allow a user to write the actual SQL code that is executed. There are too many things that can go wrong, too much power to allow user to directly wielded, and eliminating SQL injection attacks by fixing input has never worked.
Memory management (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. __________ comprises the actions used to control and coordinate computer memory, assigning memory to variables and reclaiming it when it is no longer being used. Errors in __________ can result in a program that has a memory leak, and the league can grow over time, consuming more and more resources.
Encryption (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. __________ is one of the elements where secure coding techniques have some unique guidance: "never roll your own crypto." This not only means that you should not write your own cryptographic algorithms, but also means you should not attempt to implement standard algorithms by yourself. Fetid, proven cryptographic libraries exist for all major languages, and the use of these libraries is considered best practice. The guidance has a variety of interrelated rationales, but the simple explanation is that crypto is almost impossible to invent, and very hard to implement correctly. Thus, to have usable, secure _________ in your application, you need to adopt proven algorithms and utilize proven code bases.
Data exposure (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. __________ is the loss of control over data from a system during operations. Data must be protected during storage (data at rest), during communication (data in transit), and at times during use. Protection of the data will typically be done using various forms of cryptography.
Obfuscation/camouflage (secure coding techniques)
Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the software development lifecycle (SDLC) can be used to determine the actual security risk profile of a system. _____________ is the hiding of obvious meaning from observation. While it is not considered adequate security under most circumstances, adding this to a system to make it harder for an attacker to understand and exploit is a good thing. Numbering your email servers email1, email2, email3,... tells an attacker what namespace to explore. Removing her hiding these hints makes the work harder and offers another layer of protection.
Permission auditing and review (general concepts)
As with all security controls, an important aspect of security controls that are used to mitigate risk is an auditing component. Just as it is important to periodically verify all users with accounts on the system are still valid users of the system from a business perspective, is equally important to periodically perform __________. this is an action that verifies the user accounts on the system are all needed, justified, and actually represent real authorized users. As users can come and go from groups, is important to do this periodically to ensure that they have not retained permissions granted to a group they no longer belong to.
Diffie-Hellman Ephemeral - DHE (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. Diffie-Hellman is one of the most common encryption protocols in use today. It plays a role in the electronic key exchange method of the Secure Sockets Layer (SSL) and TLS protocols. It is also used by the Secure Shell (SSH) and IP Security (IPsec) protocols. It is important because it enables the sharing of a secret key between two people who have not contacted each other before. There are several variants of the Diffie-Hellman key exchange. __________ is a variant where a temporary key is used in the key exchange rather than reusing the same key over and over.
Elliptic Curve Diffie-Hellman - ECDHE (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. Diffie-Hellman is one of the most common encryption protocols in use today. It plays a role in the electronic key exchange method of the Secure Sockets Layer (SSL) and TLS protocols. It is also used by the Secure Shell (SSH) and IP Security (IPsec) protocols. It is important because it enables the sharing of a secret key between two people who have not contacted each other before. __________ is a variant of the Diffie-Hellman protocol that uses elliptic curve cryptography. It can also be used with ephemeral keys, becoming __________ Ephemeral, to enable perfect forward secrecy.
Diffie-Hellman, Groups (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. Diffie-Hellman is one of the most common encryption protocols in use today. It plays a role in the electronic key exchange method of the Secure Sockets Layer (SSL) and TLS protocols. It is also used by the Secure Shell (SSH) and IP Security (IPsec) protocols. It is important because it enables the sharing of a secret key between two people who have not contacted each other before. ____________ determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key. DH group 1 consists of a 768-bit key, group 2 consists of a 1024-bit key, and group 5 comes with a 1536-bit key. Higher number groups are also supported, with correspondingly longer keys.
Elliptic Curve Cryptography - ECC (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. It is important to note here that _________ is well suited for platforms with limited computing power, such as mobile devices.
1.) Pretty Good Privacy - PGP / 2.) Gnu Privacy Guard - GPG (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. _____1_____, created by Philip Zimmermann in 1991, passed through several versions that were available for free under a noncommercial license. It is now a commercial enterprise encryption product offered by Symantec. It can be applied to popular email programs to handle the majority of day-to-day encryption tasks using a combination of symmetric and asymmetric encryption protocols. _____2_____, is an open source implementation of the OpenPGP standard. It is a command-line-based tool and is a public key encryption program designed to protect electronic communications such as email. It operates similarly to the other example above and includes a method for managing public/private keys.
Digital Signature Algorithm - DSA (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. __________ uses public key cryptography and allows traceability to the person signing the message through the use of their private key. The addition of hash codes allows for the assurance of integrity of the message as well. The most important element in the signature is the per message random signature value k, which needs to change with every signed message and must be kept secret. An example of this was an attack on Sony's improper implementation of it when signing software for PS3.
Physical (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A __________ control Is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. These controls prevent specific human interaction with the system, and are primarily designed to prevent accidental operation of something. These controls act before an event, preventing it from actually occurring. The use of covers over critical buttons is one example, as is a big red "STOP" button, positioned so it is easily reachable. The former stop's inadvertent activation, while the latter facilitates easy activation an emergency.
Rivest, Shamir, and Adleman - RSA (Asymmetric algorithms)
Asymmetric cryptography is in many ways completely different from symmetric cryptography. Also known as public key cryptography, asymmetric algorithms are built around hard-to-reverse math problems. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. _________, one of the first public key cryptosystems ever invented, can be used for both encryption and digital signatures. It is names after its inventors, and was first published in 1977. This algorithm uses the product of two very large prime numbers and works on the principle of difficulty in factoring such large numbers. It's best to choose large prime numbers from 100 to 200 digits in length that are equal in length. The only reason this is not used more often is because of its slow speed. It can be up to 100 times slower than DES. Public key, the slower protocol, is used to exchange the symmetric key (or shared secret), and then the communication uses the faster symmetric key protocol. This process is known as electronic key exchange.
Nation states/APT (types of actors)
At the top end of the actor spectrum, this type of group are highly technical individuals who have the capability of discovering new vulnerabilities. They make up about 1 to 2 percent of intrusive activity. The attack type is characterized by using toolkits to achieve a presence on a target network and then, instead of just moving to steal information, focusing on the long game, maintaining a persistence on the target network.
Birthday (cryptographic attacks)
Attacks against the cryptographic system are referred to as cryptographic attacks. In particular, this attack is a special type of brute force attack that gets its name from something known as the ______ paradox, which states that in a group of at least 23 people, the chance that two individuals will have the same birthday is greater than 50 percent.
Authentication issues
Authentication is a key process in maintaining security. When there are _________, such as default passwords, the end result can be a vulnerability. Authentication failures occur when the system fails to present proper user identification to the access control system. It may occur because a user just changed their password or mistyped the password. These errors are typically resolved after a couple of tries. More concerning is a wave of hundreds or thousands of failed logins to a specific account, as this is a sign of brute-force hacking.
EAP-TTLS (authentication protocols)
Authentication protocols are the standardized methods used to provide authentication services, and in the case of wireless networks, remotely. Wireless networks have a need for secure authentication protocols. The Wi-Fi Alliance also added __________ to its list of supported protocols for WPA/WPA2 in 2010. This is a variant of the EAP-TLA protocol. It works much the same way as EAP-TLS, with the server authenticating to the client with a certificate, but the protocol tunnels the client side of the authentication, allowing the use of legacy authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), MS-CHAP, or MS-CHAP-V2. In this, the authentication process is protected by the tunnel from man-in-the-middle attacks, and although client-side certificates can be used, they are not required, making this easier to set up than EAP-TLS to clients without certificates.
EAP-TLS (authentication protocols)
Authentication protocols are the standardized methods used to provide authentication services, and in the case of wireless networks, remotely. Wireless networks have a need for secure authentication protocols. The Wi-Fi Alliance also added this to its list of supported protocols for WPA/WPA2 in 2010. This is an IETF open standard (RFC 5216) that uses the Transport Layer Security (TLS) protocol to secure the authentication process. It relies on TLS, an attempt to standardize the SSL structure to pass credentials. This is still considered one of the most secure implementations, primarily because common implementations employ client-side certificates. This means that an attacker must also possess the key for the client-side certificate to break the TLS channel.
EAP-FAST (authentication protocols)
Authentication protocols are the standardized methods used to provide authentication services, and in the case of wireless networks, remotely. Wireless networks have a need for secure authentication protocols. The Wi-Fi alliance added __________ to its list of supported protocols for WPA/WPA2 in 2010. It is described in RFC 4851 and proposed by Cisco to be a replacement for LEAP, a previous Cisco version of EAP. It offers a lightweight tunneling protocol to enable authentication. The distinguishing characteristic is the passing of a Protected Access Credential (PAC) that is used to establish a TLS tunnel through which client credentials are verified.
Extensible Authentication Protocol - EAP (authentication protocols)
Authentication protocols are the standardized methods used to provide authentication services, and in the case of wireless networks, remotely. Wireless networks have a need for secure authentication protocols. The __________ is a protocol for wireless networks that expands on authentication methods used by the Point to Point Protocol (PPP). PPP is a protocol that was commonly used to directly connect devices to each other. __________ is designed to support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication. _________ has been expanded into multiple versions.
Protected EAP - PEAP (authentication protocols)
Authentication protocols are the standardized methods used to provide authentication services, and in the case of wireless networks, remotely. Wireless networks have a need for secure authentication protocols. __________ was developed to protect the EAP communication by encapsulating it with TLS. This is an open standard developed jointly by Cisco, Microsoft, and RSA. It was designed assuming a secure communication channel. It provides that protection as part of the protocol via a TLS tunnel. It is widely supported by vendors for use over wireless networks.
Automated courses of action (Automation/scripting)
Automation and scripting are valuable tools for system administrators and others to safely and efficiently execute tasks. Automation in the context of systems administration is the use of tools and methods to perform tasks otherwise performed manually by humans, thereby improving efficiency and accuracy and reducing risk. Scripts other best friend of administrators, analysts, investigators, and any other professional values efficient and accurate technical work. Scripts are small computer programs that allow __________. as with all programs, the subsequent steps can be tested and, when necessary, approved before use in the production environment. These can save time as well. If, during the investigation, you need to take an image of a hard drive of the system, calculate hash values, and record all of the details in a file for chain of custody, you can do so manually by entering a series of commands of the command line, or you can run a single script that has been tested and approved for use.
Continuous monitoring (Automation/scripting)
Automation and scripting are valuable tools for system administrators and others to safely and efficiently execute tasks. Automation in the context of systems administration is the use of tools and methods to perform tasks otherwise performed manually by humans, thereby improving efficiency and accuracy and reducing risk. __________ Is the term used to describe a system that has monitoring built into it, so rather than monitoring being an external events that may or may not happen, monitoring is an intrinsic aspect of the action. From a big picture point of view, this is the name used to describe a formal risk assessment process that follows the NIST Risk Management Framework (RMF) methodology. Part of that methodology is the use of security controls. __________ is the operational process by which you can monitor controls and determine if they are functioning in an effective manner.
Configuration validation (Automation/scripting)
Automation and scripting are valuable tools for system administrators and others to safely and efficiently execute tasks. Automation in the context of systems administration is the use of tools and methods to perform tasks otherwise performed manually by humans, thereby improving efficiency and accuracy and reducing risk. ___________ Is a challenge as systems age and change over time. When you place a system into service, you should validate its configuration against security standards, ensuring that the system will do what it is supposed to do, and only what it is supposed to do, with no added functionality. You should ensure that all extra ports, services, accounts, and so forth are disabled, removed, or turned off, and that the configuration files, including ACL's for the system, are correct and working as designed.
1.) Platform/vendor-specific guides, 2.) web server (Benchmarks/secure configuration guides)
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible. Setting up secure services is important to enterprises, and some of the best guidance comes from the manufacturer form of ____1_____. these include installation and configuration guidance, and in some cases operational guidance as well. Many different _____2____ are used in enterprises, but the market leaders are Microsoft, Apache, and nginx. By definition, _____2_____ offer a connection between users and webpages, and as such they are prone to attacks setting up any external facing application properly is key to prevent unnecessary risk fortunately for these, several authoritative and proscriptive sources of information are available to help administrators properly secure the application.
Platform/vendor-specific guides, operating system (Benchmarks/secure configuration guides)
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible. The __________ is the interface for the applications that we use to perform tasks and the actual physical computer hardware. As such, this is a key component for the secure operation of a system. Comprehensive, pro-scripted configuration guides for all major ones are available from their respective manufacturers, from the Center for Internet security, and from the DoD DISA STIGs program.
General purpose guides (Benchmarks/secure configuration guides)
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible. The best __________ is the CIS Controls, a common set of 20 security controls. This project began as a consensus project out of the US Department of Defense and has over nearly 20 years more into the de facto standard for selecting an effective set of security controls.
Platform/vendor-specific guides, application server (Benchmarks/secure configuration guides)
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible. __________ are the part of the enterprise that handle specific tasks we associate with IT systems. Whether it is an email server, a database server, a messaging platform, or any other server, these are where the work happens. Proper configuration of these depends to a great degree on the server specifics.
Platform/vendor-specific guides, network infrastructure devices (Benchmarks/secure configuration guides)
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible. __________ are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly. Properly configuring these devices can be challenging but is very important because failures at this level can adversely affect the security of traffic being processed by them. The criticality of these devices makes them targets, for if a firewall fails, in many cases there are no indications until an investigation finds that it failed to do its job. Ensuring these devices are properly configured and maintained is not a job to gloss over, but one that requires professional attention by properly trained personnel, and backed by routine configuration audits to ensure they stay properly configured.
Fingerprint scanner (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. A ________ measures the unique pattern of a person's fingerprints and translates that pattern into a numerical value, or template.
Retinal scanner (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. A __________ examines blood vessel patterns in the back of the eye. Believed to be unique and unchanging, the retina is a readily detectable biometric. It does involve a laser scanning the inside of the user's eyeball, which raises some psychological issues for some users who are wary of letting a laser skin the inside of their eye.
Iris scanner (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. An __________ works in a means similar to a retinal scanner in that it uses an image of a unique biological measurement, in this case the pigmentation associated with the iris of the eye. This can be photographed and measured from a distance, removing the psychological impediments of placing ones I up close to a scanner. The downside to being able to capture this at a distance is that it easy to do with our person's knowledge, and even construct contact lenses that mimic a pattern.
False rejection rate - FRR (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. The _________ is just that, what level of false negatives, or rejections, are going to be allowed in the system?
Crossover error rate -CER (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. The __________ is the rate where both accept and reject error rates are equal. This is the desired state for most efficient operation, and it can be managed by manipulating the threshold value used for matching.
False acceptance rate - FAR (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. The ___________ is just that, what level of false positives are going to be allowed in the system?
Voice recognition (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. __________ is the use of unique tonal qualities and speech patterns to identify a person. While the subject of sci-fi movies, this biometric has been one of the hardest to develop into a reliable mechanism, primarily because of problems with false acceptance and rejection rates.
Facial recognition (biometric factors)
Biometric factors our measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. __________ was also mostly the stuff of sci-fi until it was integrated into various mobile phones. A sensor that recognizes when you move the phone in a position to see your face, coupled with the state of not logged in, turns on the forward-facing camera and the system looks for it in role owner.
1.) HIDS / 2.) HIPS
Both a _____1_____ & _____2______ alert on behaviors that match specified behavioral patterns. Unlike antivirus detection, where the likelihood of a false negative is low, a these can have significant false positive rates depending upon the specificity of the ruleset. The primary difference between them is that ____2_____ is designed to provide automated responses to conditions to prevent intrusions.
Principles, Familiarity (social engineering)
Building this in social situations can lead to misplaced trust. It focuses on similar items instead of differences.
Principles, Scarcity (social engineering)
By giving the impression of this, or short supply, of a desirable product, an attacker can motivate a target to make a decision quickly without deliberation.
Replay (wireless attacks)
By repeating information, one can try to get repeated behavior from a system. Attackers can copy traffic rather easily between endpoints and the wireless access point.
Rogue AP (wireless attacks)
By setting up this, an attacker can attempt to get clients to connect to it as if it were authorized and then simply authenticate to the real AP, a simple way to have access to the network and the client's credentials. They can act as a man in the middle and easily steal users' credentials. Enterprises with wireless access points should routinely scan for and remove these, as users have difficulty avoiding them.
Protected distribution/protected cabling
Cable runs between systems need to be protected from physical damage to the cables and subsequent communication failures. This is accomplished by ___________ during the cable installation. This may be something as simple as metal tubes, or as complex as concrete pipes to run buried cables. The objective is to prevent any physical damage to the physical layer portion of the system. The protection of entire systems is referred to as Faraday Cages.
Hoax (social engineering)
Can be very damaging to an organization... an example would be an email that tells users to delete a certain file on their computer if they find it. Upon doing so, the OS acts up since the file was a very important one which should not have been deleted.
Corrective (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A __________ control Is used post event, in an effort to minimize the extent of damage. Backups are prime example of this type of control, as they can facilitate rapid resumption of operations.
1.) Personal Identity Verification - PIV / 2.) Common Access Card - CAC (certificate-based authentication)
Certificate-based authentication is a means of proving identity via the presentation of a certificate. Certificates offer a method of establishing authenticity of specific objects such as an individual's public key or downloaded software. A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. Using the digital certificate is a verifiable means of establishing possession of an item, specifically certificate. The United States federal government has several smartcard solutions for identification of personnel. The ____1_____ card is a United States government smartcard that contains the cardholders credential data used to determine access to federal facilities and information systems. The _____2_____ is a smartcard used by the United States Department of Defense for active duty military, selected reserve members, Department of Defense civilians, and eligible contractors. Like the PIV card, it is used for carrying the cardholders credential data, in the form of a certificate, used to determine access to federal facilities and information systems.
IEEE 802.1x (certificate-based authentication)
Certificate-based authentication is a means of proving identity via the presentation of a certificate. Certificates offer a method of establishing authenticity of specific objects such as an individual's public key or downloaded software. A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. Using the digital certificate is a verifiable means of establishing possession of an item, specifically certificate. __________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router. It is used by all types of networks, including ethernet, Token Ring, and wireless. This standard describes methods used to authenticate a user prior to granting access to a network and the authentication server, such as a RADIUS server.
Certificate issues
Certificates are means for carrying public keys and vouching for the authenticity. A common __________ is when a user attempts to use a certificate that lacks a complete chain of trust back to a trusted root, leaving the certificate hanging without any means of validation. Failure to install a needed trust chain makes a key that should be trusted, untrusted. Failure by accepting a trust chain that should not be trusted means accepting certificates in the future that should not be trusted.
Certificate chaining (concepts)
Certificates are used to convey identity and public key pairs to users, but this raises the question: why trust the certificate? The answer lies in the __________, a chain of trust from one certificate to another, based on signing by an issuer, until the chain ends with a certificate that the user trusts. This conveys the trust from the trusted certificate to the certificate that is being used.
Machine/computer (types of certificates)
Certificates bind identities to keys and provide a means of authentication, which at times is needed for computers. Active Directory Domain Services can keep track of machines in a system via machines identifying themselves using ___________ certificates, also known as ____________ certificates. This is an example of an end-entity certificate.
Code signing (types of certificates)
Certificates can be designated for specific purposes, such as code signing. This is to enable the flexibility of managing certificates for specific functions and reducing the risk in the event of compromise. __________ certificates are designated as such in the certificate itself, and the application that uses the certificate adheres to this policy restriction to ensure proper certificate usage.
Wildcard (types of certificates)
Certificates can be issued to an entity such as example.com. But what if there are multiple distinct entities under example.com that need certificates? There are two choices: issues distinct certificates for each specific address, or use __________ certificates. These certificates work exactly as one would expect. A certificate issues for *example.com would be valid for one.example.com as well as two.example.com.
1.) Online vs. 2.) Offline CA (concepts)
Certification servers must be _____1____ to provide certification services, so why would anyone have an _____2____ server? The primary reason is security. If a given certificate authority is used only for periodic functions -- for example, signing of specific certificates that are rarely reissued or signed -- then keeping the server _____2____ except when needed provides a significant level of security to the signing process. Other CA requests, such as CRL and validation requests, can be moved to a validation authority approved by the CA.
Model verification (Code quality and testing)
Code quality does not end with development, as the code needs to be delivered and installed both intact and correctly on the target system. Code analysis encompasses the processes used to inspect code for weaknesses and vulnerabilities code analysis can be divided into two forms: static and dynamic. Static analysis involves examination of the code without execution. Dynamic analysis involves the execution of the code as part of the testing. Both static and dynamic analyses are typically performed with tools, which are much better at the detailed analysis steps needed for any but the smallest code samples. Code testing is the verification that the code meets to functional requirements as laid out in the requirements process. While code analysis make certain the code works properly doing what it is supposed to do and only what it is supposed to do, code testing make certain it meets the business requirements. Ensuring the code does with the code is supposed to do, __________, is more complex than just running the program and looking for run-time errors. The program results for a given set of inputs need to match the expected results per the system model. For instance, if applying a simple mathematical operation, is the calculation correct? This is simple to verify on a case-by-case basis, but where program has many interdependent calculations, verifying that the result matches the desired design model can be a fairly complex task. Validation and verification of the terms used to describe this testing. Validation is the process of checking whether the program specification captures the requirements from the customer. Verification is the process of checking that the software developed the model specification. Performing ________ testing is important, as this is the assurance that the code as developed meets the design requirements.
Stress testing (Code quality and testing)
Code quality does not end with development, as the code needs to be delivered and installed both intact and correctly on the target system. Code analysis encompasses the processes used to inspect code for weaknesses and vulnerabilities code analysis can be divided into two forms: static and dynamic. Static analysis involves examination of the code without execution. Dynamic analysis involves the execution of the code as part of the testing. Both static and dynamic analyses are typically performed with tools, which are much better at the detailed analysis steps needed for any but the smallest code samples. Code testing is the verification that the code meets to functional requirements as laid out in the requirements process. While code analysis make certain the code works properly doing what it is supposed to do and only what it is supposed to do, code testing make certain it meets the business requirements. The typical objective in performance testing is not defined specific bugs, or rather to determine bottlenecks in performance factors for the systems under test. These tests are frequently referred to as load testing and _________. load testing involves running the system under controls the environment. __________ takes the system pass this operating point to see how it responds to overload conditions. One of the reasons this testing is performed on software underdevelopment is to determine the service levels that can be expected from software in a production environment. Typically, these are expressed in the terms of the service level agreement (SLA).
Dynamic analysis [fuzzing] (Code quality and testing)
Code quality does not end with development, as the code needs to be delivered and installed both intact and correctly on the target system. Code analysis encompasses the processes used to inspect code for weaknesses and vulnerabilities code analysis can be divided into two forms: static and dynamic. Static analysis involves examination of the code without execution. Dynamic analysis involves the execution of the code as part of the testing. Both static and dynamic analyses are typically performed with tools, which are much better at the detailed analysis steps needed for any but the smallest code samples. Code testing is the verification that the code meets to functional requirements as laid out in the requirements process. While code analysis make certain the code works properly doing what it is supposed to do and only what it is supposed to do, code testing make certain it meets the business requirements. __________ is performed while the software is executing, either on a target system or an emulated system. The system is fed specific test inputs designed to produce specific forms of behaviors. This can be particularly important on systems such as embedded systems, where a high degree of operational autonomy is expected. Fuzzing, or fuzz testing, is a brute force method of addressing input validation issues and vulnerabilities. The basis for fuzzing the program is the application of large numbers of inputs to determine which ones cost false and which ones might be vulnerable to exploitation. Fuzz testing can be applied to anywhere data is exchanged to verify that input validation is being performed properly. Network protocols can be fuzz, file protocols can be fuzz, and web protocols can be fuzz. The vast majority of browser errors are found via fuzzing. Fuzz testing works well in white, black, or gray box testing, as it can be performed without knowledge of the specifics of the application under test. There are several ways to classify fuzz testing. It can be classified as smart testing or dumb testing, indicating the type of logic used in creating input values. Smart testing uses knowledge of what could go wrong, and now forms the inputs using this knowledge. Dumb testing just uses random inputs.
Static code analysis (Code quality and testing)
Code quality does not end with development, as the code needs to be delivered and installed both intact and correctly on the target system. Code analysis encompasses the processes used to inspect code for weaknesses and vulnerabilities code analysis can be divided into two forms: static and dynamic. Static analysis involves examination of the code without execution. Dynamic analysis involves the execution of the code as part of the testing. Both static and dynamic analyses are typically performed with tools, which are much better at the detailed analysis steps needed for any but the smallest code samples. Code testing is the verification that the code meets to functional requirements as laid out in the requirements process. While code analysis make certain the code works properly doing what it is supposed to do and only what it is supposed to do, code testing make certain it meets the business requirements. __________ is when the code is examined without being executed. This analysis can be performed on both source code and object code bases the term "source code" is typically used to designate the high level language code, although technically, source code is the original code base in any form, from high-level language to machine code. ________ can be performed by humans or tools, although humans are limited to the high-level language, while tools can be used against virtually any form of code base. ___________ is frequently performed using automated tools. These tools are given a variety of names, are commonly called static code analyzers or source code analyzers.
Detective (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A __________ control is one that facilitates the detection of a physical security breach. These controls act during an event, alerting operators to specific conditions. Alarms are common examples of these controls. An IDS is an example of an IT security alarm that the text intrusions.
Sandboxing (Code quality and testing)
Code quality does not end with development, as the code needs to be delivered and installed both intact and correctly on the target system. Code analysis encompasses the processes used to inspect code for weaknesses and vulnerabilities code analysis can be divided into two forms: static and dynamic. Static analysis involves examination of the code without execution. Dynamic analysis involves the execution of the code as part of the testing. Both static and dynamic analyses are typically performed with tools, which are much better at the detailed analysis steps needed for any but the smallest code samples. Code testing is the verification that the code meets to functional requirements as laid out in the requirements process. While code analysis make certain the code works properly doing what it is supposed to do and only what it is supposed to do, code testing make certain it meets the business requirements. __________ refers to the execution of computer code in an environment designed to isolate the code from direct contact with the target system. These are used to execute un-trusted code, code from guests, and unverified programs. These work like a virtual machine (VM) and can mediate a wide range of system interactions, from memory access to network access, and access to other programs, the file system, and devices. The level of protection offered by a ________ depends upon the level of isolation and mediation offered.
Displays (peripherals)
Computer __________ Are primarily connected two machines via a cable to one of several types of display connectors on a machine. But for conferences and other groups settings, there are a wide array of devices today that can enable the machine to connect to a display via a wireless network.
Compensating (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A __________ control is one that is used to meet a requirements when there is no control available to directly address the threat. Fire suppression systems do not prevent fire damage, but it properly employed, they can mitigate or limit the level of damage from fire.
Heating, Ventilation, and Air Conditioning - HVAC (environmental controls)
Controlling of data centers temperature and humidity is important to keeping servers running. _________ systems are critical to keeping data center school, because typical servers without between 1000 in 2000 BTUs of heat. Multiple servers in my area can create conditions to hot needs operate. This problem is made worse with the advent of blade-style computing systems and with many other devices shrink in size. While physically smaller, they can still expel the same amount of heat.
Tokens/cards
Controlling physical access to a small facility can be achieved through door locks and physical keys, but that solution is unbelief or larger facilities with numerous people coming and going. Many organizations rely on a badging system using either ______ or _______ that can be tied to automated identification checks and logging of entry/exit. This can provide much greater detail in tracking who is in a facility and when they have come and gone.
Time-of-day restrictions (general concepts)
Creating _________ for access can solve many account management problems. For the majority of workers who work set shifts, having a system whereby their accounts are not act during their networking hours reduces the surface of user accounts available for attackers to use. This is even more important for privilege users, as their elevated accounts offer greater risk, and if an authorized user of an account is not working, there is no reason to have unauthorized. As with all policies, provisions need to be made for change and emergencies, whereby authorized users can obtain access we needed, even if outside normal working hours.
Resource vs. security constraints (common use cases)
Cryptographic functions require system resources. Using proper cryptographic functions for a particular functionality is important for both performance and resource reasons. Determining the correct set of __________ and ___________ constraints is an essential beginning step when planning a cryptographic implementation.
Wi-Fi Protected Access 2 - WPA2 (cryptographic protocols)
Cryptographic protocols are the standards used to describe cryptographic methods and implementations to ensure interoperability between different vendors equipment. IEEE 802.11i is the standard for security in wireless networks and is also known as ___________. It uses 802.1X to provide authentication and uses AES as the encryption protocol. This uses the AES block cipher, a significant improvement over WEP's and WPA's use of the RC4 stream cipher. The 802.11i standard specifies the use of CCMP.
Wi-Fi Protected Access - WPA (cryptographic protocols)
Cryptographic protocols are the standards used to describe cryptographic methods and implementations to ensure interoperability between different vendors equipment. The first standard to be used in the market to replace Wired Equivalent Privacy (WEP) was this. This standard uses the flawed WEP algorithm with the Temporal Ley Integrity Protocol (TKIP). TKIP employs a per-packet key, generating a new 128-bit key for each packet. However, this method suffers from a lack of forward secrecy protection. If the _______ key is known, as in a public Wi-Fi password, then an attacker can collect all the packets from all of the connections and decrypt packets later. This is why, when using public Wi-Fi, you should always use a secondary means of protection, either a VPN or a TLS-based solution, to protect your content. These flaws have resulted in ________ being considered a stopgap measure until the next version is widely adopted.
Temporal Key Integrity Protocol - TKIP (cryptographic protocols)
Cryptographic protocols are the standards used to describe cryptographic methods and implementations to ensure interoperability between different vendors equipment. __________ was created as a stopgap security measure to replace the WEP protocol without requiring the replacement of legacy hardware. The breaking of WEP had left Wi-Fi networks without viable link-layer security, and a solution was required for already deployed hardware. It works by mixing a secret root key with the IV before the RC4 encryption. WPA and this use the same underlying mechanism as WEP, and consequently are vulnerable to a number of similar attacks. This is no longer considered to be secure and has been deprecated with the release of WPA2.
Counter Mode with Cipher Block Chaining-Message Authentication Code Protocol - CCMP (cryptographic protocols)
Cryptographic protocols are the standards used to describe cryptographic methods and implementations to ensure interoperability between different vendors equipment. ___________ is a data encapsulation encryption mechanism designed for wireless use. It is actually the mode in which the AES cipher is used to provide message integrity. Unlike WPA, __________ requires new hardware to perform the AES encryption.
Privilege escalation (application/service attacks)
Cyberattacks are multistep processes. Most attacks begin at a privilege level associated with an ordinary user. From this level, the attacker exploits vulnerabilities that enable them to achieve root- or admin-level access. This step in the attack chain is called ___________ and is essential for many attack efforts.
Purging (data destruction and media sanitization)
Data __________ Is a term that is commonly used to describe methods that permanently arrays and remove data from a storage space. The key phrase is "remove data," for unlike deletion, which just destroys the data, this is designed to open up the storage space for a reuse. A circular buffer is a great example of an automatic _________ mechanism.
Data exfiltration
Data is the primary target of most attackers. The value of the data can vary, making some data more valuable and, hence, more at risk of theft. _________ is where an attacker attempts to steal a copy of your data and export it from your system.
Cloud-based (DLP)
Data loss prevention (DLP) refers to technology employed to detect and prevent transfers of data across an enterprise. DLP technology can scan packets for specific data patterns. This technology can be tuned to detect account numbers, secrets, specific markers, or files. As data moves to the cloud, so does the need for data loss prevention. But performing __________ DLP is not a simple matter of moving the enterprise edge methodology to the cloud.
Email (DLP)
Data loss prevention (DLP) refers to technology employed to detect and prevent transfers of data across an enterprise. DLP technology can scan packets for specific data patterns. This technology can be tuned to detect account numbers, secrets, specific markers, or files. ________ is a common means of communication in the enterprise, and files are commonly attached to _______ messages to provide additional information, so a solution is needed to scan emails for unauthorized data transfers.
USB blocking (DLP)
Data loss prevention (DLP) refers to technology employed to detect and prevent transfers of data across an enterprise. DLP technology can scan packets for specific data patterns. This technology can be tuned to detect account numbers, secrets, specific markers, or files. There are numerous methods of performing _________, from the extreme of physically disabling ports, to software solutions that enable a wide range of controls. Most enterprise-level DLP solutions include a means of blocking or limiting USB devices.
Data owner (Role-based awareness training)
Data requires a __________. Data ownership roles for all data elements need to be defined business. Data ownership is a business function, with the requirements for security, privacy, retention, and other business functions should be established. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the ___________. It is important that these people received training and understand their responsibilities with respect to this important requirement.
Principles, Trust (social engineering)
Defined as having an understanding of how something will act under specific conditions. Objective is not to force people to do things they would not do, but rather to give them a pathway that leads them to feel they are doing the correct thing in the moment.
Track man-hours
Demonstrating the efforts and tasks performed in the forensics process may become an issue in court and other proceedings. Having the ability to demonstrate who did what, when they get it, and how long it took can provide information to establish that the steps were taken per the processes employed. Having solid accounting data on _________ and other expenses can provide corroborating evidence as to the actions performed.
Corporate Owned, Personally Enabled - COPE (Deployment models)
Deployment models allow you to choose from a variety of device deployment models to support your security strategy. In the __________ deployment model, employees are supplied a mobile device that is chosen and paid for by the organization, but they are given permission to use it for personal activities. The organization can decide how much choice and freedom employees get with regard to personal use of the device. This allows the organization to control security functionality without dealing with the employee dissatisfaction associated with the traditional method of device supply, corporate-owned business only (COBO).
Corporate-owned (Deployment models)
Deployment models allow you to choose from a variety of device deployment models to support your security strategy. In the __________ deployment model, the company supplies employees with a mobile device that is restricted to company-only use. The disadvantage of this model is that employees have to carry two devices, one personal and one for work, and then separate functions between the devices based on purpose of use in each instance. The advantage is that the corporation has complete control over it devices and can apply any security controls desired without interference from other device functionality.
Virtual Desktop Infrastructure - VDI (Deployment models)
Deployment models allow you to choose from a variety of device deployment models to support your security strategy. In the case of laptops, a __________ solution can bring control to the mobile environment associated with non-corporate-owned equipment. This can solve most if not all of the security and application functionality issues associated with mobile devices. It does require an IT staff that is capable of setting up, maintaining, and managing the _________ in the organization, which is not necessarily a small task depending on the number of instances needed.
Bring Your Own Device - BYOD (Deployment models)
Deployment models allow you to choose from a variety of device deployment models to support your security strategy. The __________ deployment model has many advantages in business, and not just from the perspective of minimizing device cost for the organization. Users tend to prefer to have a single device rather than carry multiple devices. This model is popular in small firms. The big disadvantage is that employees will not be eager to limit their use of their personal device based on corporate policies, so corporate control will be limited.
Choose Your Own Device - CYOD (Deployment models)
Deployment models allow you to choose from a variety of device deployment models to support your security strategy. The __________ deployment model is similar to BYOD in concept in that it gives users a choice in the type of device. Because the device is owned by the organization, it has greater flexibility in imposing restrictions on device use in terms of apps, data, updates, and so forth.
Security automation (Secure DevOps)
DevOps is a combination of development and operations, and a blending of tasks performed by a company's application development and systems operations teams. It emphasizes communication and collaboration between product management, software development, and operations professionals in order to facilitate continuous development, continuous integration, continuous delivery, and continuous monitoring processes. __________ is the addition of security steps to the DevOps process. Just as you can add security steps to the waterfall model, or any other software development model, you can add them to DevOps as well, promoting a secure DevOps outcome.
Kerberos
Developed as part of MIT's project Athena, _________ is a network authentication protocol designed for a client/server environment. This securely passes asymmetric key over an insecure network using the Needham-Schroeder symmetric key protocol. It is built around the idea of a trusted third-party, turned a key distribution center (KDC), which consists of two logically separate parts: an authentication server (AS) and a ticket-granting server (TGS). It communicates via "tickets" that serve to prove the identity of users.
Email (types of certificates)
Digital certificates can be used with email systems for items such as digital signatures associated with emails. Just as other specialized functions such as code signing have their own certificates, it is common for a separate __________ certificate to be used for identity associated with email. This is an example of an end-entity certificate.
Preservation
Digital evidence has one huge, glaring issue: it can change, and not leave a record of the change. The fact that the outcome of a case can hinge on information that can be argued as not static leads to the crucial elements of ___________. From the initial step in the forensic process, the most important issue must always be __________ of the data.
Preventive (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A __________ control is one that prevents specific actions from occurring, such as a man-trap prevents tailgating. These controls act before an event, preventing it from advancing. A firewall is an example of this control, as it can block access to a specific resource.
Technical (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A __________ control is the use of some form of technology to address a physical security issue. Biometrics are these controls.
DLL injection (Memory/buffer vulnerability)
Dynamic link libraries (DLLs) are pieces of code that can add functionality to a program through the inclusion of library routines linked at run time. ___________ is the process of adding to a program at run time a DLL that has a specific vulnerability of function that can be capitalized upon by an attacker. EX: In Microsoft Office, adding an "evil" DLL in the correct directory, or via a registry key, can result in "additional functionality" being incurred.
Object identifiers [OID] (components)
Each extension, or optical field, to a certificate has its own ID, expressed as an __________, which is a set of values, together with either a critical or noncritical indication. The system using a certificate must reject the certificate if it encounters a critical extension that it does not recognize, or that contains information that it cannot process. A noncritical extension may be ignored if it is not recognized, but must be processed if it is recognized.
Private (data sensitivity labeling and handling)
Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assist users in fulfilling their responsibilities. Data is labeled __________ if it's disclosure to an unauthorized party would potentially cause harm or disruption to the organization. Passwords could be considered __________. this term is usually associated with personal data belonging to a person and less often with corporate entities. The level of damage typically associated with this data is lower than confidential, but still significant to the organization.
Confidential (data sensitivity labeling and handling)
Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assist users in fulfilling their responsibilities. Data is labeled __________ if it's disclosure to an unauthorized party would potentially cause serious harm to the organization. This data should be defined by policy, and that policy should include details regarding who has the authority to release the data. Common examples of this data include trade secrets, proprietary software code, new product designs, etc., as the release of these could result in significant loss to the firm.
PHI (data sensitivity labeling and handling)
Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assist users in fulfilling their responsibilities. The Health Insurance Portability and Accountability Act (HIPAA) regulations define __________ as "any information, whether oral or recorded in any form or medium" that is created or received by healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse... And relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Personally Identifiable Information - PII (data sensitivity labeling and handling)
Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assist users in fulfilling their responsibilities. When information is about a person, failure to protect it can have specific consequences. Business secrets are protected through trade secret laws, government information is protected through laws concerning national security, and privacy laws protect information associated with people. A set of elements that can lead to the specific identity of a person is referred to as __________. by definition, this can be used to identify a specific individual, even if an entire set is not disclosed. As little information as the ZIP Code, gender, and date of birth can result to a single person.
Proprietary (data sensitivity labeling and handling)
Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assist users in fulfilling their responsibilities. ___________ data is data that is restricted to a company because of potential competitive use. If a company has data that could be used by a competitor for any particular reason, say internal cost and pricing data, then it needs to be labeled handled in a manner to protect it for release to competitors. This data may be shared with any third party that is not a competitor, but in labeling the data this way, you alert the party you have shared with that the data is not to be shared further.
Public (data sensitivity labeling and handling)
Effective data classification programs include measures to ensure data sensitivity labeling and handling so that personnel know whether data is sensitive and understand the levels of protection required. When the data is inside information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data sensitivity labeling assist users in fulfilling their responsibilities. ____________ data is data that can be seen by the public and has no needed protections with respect to confidentiality. It is important to protect the integrity of this data, lest one communicate incorrect data as being true. Public facing web pages, press releases, corporate statements--these are examples of this data that still needs protection, but specifically with respect to integrity.
Vehicles (Special purpose)
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. A modern __________ has not a single computer in it, but actually hundreds of them, all interconnected on a bus. The controller area network (CAN) bus is designed to allow multiple micro-controllers to communicate with each other without a central host computer. Before the CAN bus was invented, individual micro-controllers were used to control the engine, emissions, transmission, breaking, heating, electrical, and other systems, and the wiring harnesses used to interconnect everything became unwieldy. Robert Bosch developed the CAN bus for cars, specifically to address the wiring harness issue, and when first employee in 1986 at BMW, the weight reduction was over 100 pounds.
Heating, Ventilation, and Air-Conditioning - HVAC
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. Building-automation systems, climate control systems, __________ systems, are examples of systems that are managed by embedded systems. Interconnecting the systems and adding in Internet-based central control mechanisms does increase the risk profile from outside attacks. These outside attacks could result in __________ malfunction or failure, rendering a major office building uninhabitable due to heat and safety.
Camera systems
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. Digital __________ have entered the computing world through a couple of different portals. First there is the world of high-end digital cameras that have networking stacks, image processors, and even 4K video feeds. These are used in enterprises such as news organizations, which rely on getting the data live without extra processing delays. What is important to note is that most of these devices, although they are network into other networks, have built-in VPNs that are always on, because the content is considered valuable enough to protect as a feature. The other set is video surveillance cameras, including cameras for household surveillance, baby monitoring, and the like.
Wearable technology (Smart devices/Internet of Things)
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. Smart devices and devices that comprise the Internet of things (IoT) have taken the world's markets by storm. From key fobs that can track the location of things via GPS, to cameras that can provide surveillance, to connected household appliances, TVs, dishwashers, refrigerators, crockpots, washers, and dryers--anything with a microcontroller now seems to be connected to the web so that it can be controlled remotely. Artificial intelligence (AI) has also entered into the mix, enabling even greater functionality, embodied in products such as Amazon echo, Google home, Microsoft Cortana, and Apple Siri. __________ include everything from biometric sensors measuring heart rate, to step counters measuring how far one walks, to Smart watches that combine all these functions and more. As these learn more and more of our personal data, they become a source of interest for hackers. Protecting the data is the security objective for these devices.
Home automation (Smart devices/IoT)
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. Smart devices and devices that comprise the Internet of things (IoT) have taken the world's markets by storm. From key fobs that can track the location of things via GPS, to cameras that can provide surveillance, to connected household appliances, TVs, dishwashers, refrigerators, crockpots, washers, and dryers--anything with a microcontroller now seems to be connected to the web so that it can be controlled remotely. Artificial intelligence (AI) has also entered into the mix, enabling even greater functionality, embodied in products such as Amazon echo, Google home, Microsoft Cortana, and Apple Siri. __________ is one of the driving factors behind the Internet of things movement. From programmable smart thermostats to electrical control devices that replace wall switches to enable voice-operated lights, the home environment is awash with tech.
1.) Supervisory Control and Data Acquisition - SCADA / 2.) Industrial Control System - ICS
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. _____1____, a system designed to control automated systems in cyber-physical environments. _____1_____ systems have their own smart components, each of which is an example of an embedded system. Together they form a ____1______ system, which can control manufacturing plants, traffic lights, refineries, energy networks, water plants, building automation and environmental controls, and a host of other systems. A ____1_____ system is also known by means such as distributed control system (DCS) and _____2_____, the variations depending on the industry and the configuration. Where computers control a physical process directly, a _____1_____- system likely is involved.
Deterrent (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. A ___________ control acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker. An example would be laws and regulations that increase punishment, increasing risk and costs for the attacker.
Real-time Operating Systems - RTOS
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. __________ are designed for systems where the processing must occur in real time and data cannot be cute or buffer for any significant length of time. These are not general-purpose machines, but are programmed for a specific purpose. They still have to deal with contention, and they have scheduling algorithms to deal with timing collisions, but in general an _________ processes each input as it is received, or within a specific time slice defined as the response time. Examples of this are from something as common as an antilock braking computer in a car, to as complex as a robotic system used on an assembly line.
System on a Chip - SoC
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. __________ refers to a complete computer system miniaturized on a single integrated circuit, designed to provide the old functionality of a computing platform on a single chip. This includes networking and graphics display. Some of these solutions, memory, while others have the memory separate. These are very common in the mobile computing market with both phones and tablets because of their low power consumption and efficient design. EX: Intel Quad-core and eight-core systems
Printer/Multi Function Devices - MFDs
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. __________, which combine a printer, scanner, and fax, have embedded compute power to act as a print server, manage the actual printing or scanning process, and allow complete network connectivity. Security has become more of an afterthought than a design element with these, as such, these devices have been shown to be hackle and capable of passing malware from the printer to the computer.
Aircraft/Unmanned Aerial Vehicle - UAV (Special purpose)
Embedded systems is the name given to computers that are included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. ___________ also have significant computer footprints inside, as most modern ones have what is called a all glass cockpit, meaning the old individual gauges and switches have been replaced with a computer display that includes a touchscreen. This enables greater functionality and is more reliable than the older systems. But as with vehicles, the connecting of all this equipment onto buses that are then eventually connected to outside networks has led to a lot of security questions for the aviation industry. And, as is true of medical devices, patching the operating system for aircraft systems is a difficult process because the industry is heavily regulated, with strict testing requirements. This makes for systems that, over time, will become vulnerable as the base operating system has been thoroughly explored every vulnerability maps and exploited in the aviation systems, and these use cases can port easily to aircraft.
Weak cipher suites and implementations
Errors in coding implementations are common and lead to ___________________ of secure algorithms that are vulnerable to bypass. ______________ are those that at one time were considered secure but are no longer considered secure. A common example of this is SSL; all versions of SSL are now considered deprecated, and should not be used. Everyone should switch their system to TLS-based solutions.
Standard naming convention (general concepts)
Establishing a __________ for account names, and systems, is a topic that can stir controversy even among professionals who seem to agree on most things. One advantage of having this is that it enables users to extract meaning from a name. For example, having server names with dev, test, and prod as part of the main can help to prevent inadvertent changes by user because of the myths identification of an asset. The standard name also helpsaccount maintenance functions as it provides easily seen information on the account by way of its name. The simplest example is in memory of accounts. For instance, for email accounts, and organizations convention may BTUs first initial plus last name, plus a single digit if two or more people have the same name, such as [email protected].
Password complexity (account policy enforcement)
Every organization should have defined ___________ requirements that passwords must meet. Typical requirements specified the password must meet the minimum length requirement and have characters from at least three of four groups.
System owner (Role-based awareness training)
Every system requires a __________. like data ownership, this is a business function, with the requirements for security, privacy, retention, and other business functions are established for an entire system. Not all systems require the same policies, but the determination of what the policies for a given system are is the responsibility of this person. It is important that these people received training and understand the responsibilities with respect to this important requirement.
Secure configurations (Operating systems)
FYSA... The process of securing and operating system is called hardening, and it is intended to make the system more resistant to attack, much like armor or steel is hardened to make it less susceptible to breakage or damaged. The manufacturer typically does little to nothing with regard to security. Each operating system has its own approach to security, and while the process of hardening is generally the same, different steps must be taken to secure each operating.
Single Loss Expectancy - SLE (risk assessment)
FYSA... A risk assessment is a method to analyze potential risk based on statistical and mathematical models. You can use any one of a variety of models to calculate potential risk assessment values. The __________ is the value of a loss expected from a single event. It is calculated using this formula: = Asset value x exposure factor To calculate the exposure factor, assuming the asset value of a small office building and its contents is $2 million. Also assume that this building houses the call center for business, and the complete loss of the center would take away about half the capability of the company. Therefore, the exposure factor is 50%. The example would look like this: $2 million x 0.5 = $1 million
Least privilege (general concepts)
FYSA... Account management, frequently called privilege management, is the process of restricting a user's ability to interact with the computer system. A user's interaction with the computer system covers of fairly broad area and includes viewing, modifying, and deleting data; running applications; stopping and starting processes; and controlling computer resources. Essentially, controlling everything a user can do to or with a computer system falls into the realm of account management. One of the most fundamental principles in account management is __________. this means that an object (which may be a user, application, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions.
1.) Recovery Time Objective - RTO / 2.) Recovery Point Objective - RPO
FYSA... Business impact analysis (BIA) is the process used to determine the sources and relative impact values of risk elements in process. Bargains of it is also the main often used to describe document created by addressing questions associated with sources of risk and the steps taken to mitigate and in the enterprise. It also outlines how the loss of any of your critical functions will impact the organization. The term _____1_____ will is used to describe the target time that is set for resumption of operations after an incident. This is a period of time that is defined by the business, based on the needs of the business. A shorter one results in higher costs because it requires greater coordination resources. This term is commonly used in business continuity and disaster recovery operations. _____2______, a totally different from the one above, is the time period representing the maximum period of acceptable data loss. This defines the frequency of backup operations necessary to prevent unacceptable levels of data loss. A simple example of establishing this is the answer the following questions: how much data can you afford to lose? How much rework is tolerable?
Personal email use policy
FYSA... Co-mingling of personal and work-related materials may not appear to be a real problem when viewed from an employee's perspective... What can be the harm? But the reality of modern e-discovery and other processes raises many concerns from a corporate perspective while occasional use of work email for personal use probably doesn't add enough data to be a storage concern, what happens when that email becomes involved in a personal legal dispute? Whether the issue is one inherently personal, as in divorce, or financial, as in a case of suspected fraud, when the lawyers get involved in sent a litigation hold request to a firm for an employee's personal email on a corporate server, the co-mingling becomes a problem. The simplest and easiest policy is to disallow use of corporate resources for personal use, including email, storage, devices, and so forth.
Take hashes (Data acquisition)
FYSA... If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn't modified. In most cases, a tool that implements a hashing algorithm to create message digests is used. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream to calculate some number that is unique based on the information contained in the data stream. The subsequent hash in the same data stream results in a different hash value, it usually means that the data stream is changed.
Witness interviews (Data acquisition)
FYSA... Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked "did you lock the file system?" And can't answer affirmatively. Or, when asked "when you imaged this disk drive, did you use a new system?" The witness can't answer that the destination disk was needed or had formatted using a low-level format before data was copied to it. Witness preparation can be critical in a case, even for technical experts.
Capture system image (Data acquisition)
FYSA....Imaging for dumping the physical memory of a computer system can help identify evidence not available on a hard drive. This is especially appropriate for root kits, where evidence on the hard drive is hard to find. Once the memories image, you can use a hex editors analyze the image off-line on another system. Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If the case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memories that the bull; otherwise, the defendant will be able to dispute easily the claim that evidence was not tampered with.
File system security
File systems need a method of applying security, to prevent unauthorized access and unauthorized alterations. _________ is the set of mechanisms and processes employed to ensure this critical function.
Administrative (types of controls)
Security controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, integrity, and availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives. An ___________ control is a policy or procedure used to limit security risk. Instructions to guards act as these controls.
Hardware root of trust (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. A __________ is a concept that if one has a trusted source of specific security functions, this layer can be used to promote security to higher layers of the system. Because these are inherently trusted, they must be secured by design.
Hardware Security Module - HSM (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. A __________ is a device used to manage or store encryption keys it can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures. They are typically peripheral devices, connected via USB or a network connection. They have temper protection to prevent physical access to these secrets they protect.
Supply chain (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. Hardware and firmware security is ultimately dependent upon the manufacturer of the root of trust. In today's world of global manufacturing with global outsourcing, attempting to identify all the suppliers in the hardware manufacturers __________, which commonly changes from device to device, and even between lots, is practically futile in most cases.
1.) Electromagnetic Interference - EMI / 2.) Electromagnetic Pulse - EMP (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. ____1______ is and electrical disturbance that affects an electrical circuit. This is due to either induction or radiation emitted from an external source, either of which can induce currents into the small circuits that make up computer systems and cause logic upsets. A ____2_____ is a burst of current in an electronic device as a result of the current Paul's from electromagnetic radiation. This can produce damaging current and voltage surges in today's sensitive electronics. The main sources of this would be industrial equipment on the same circuit, solar flares, a nuclear burst high in the atmosphere.
1.) Secure boot and 2.) Attestation (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. ______1_______ is a mode that, when enabled, only allow signed drivers and operating system voters to be invoked this requires specific set of steps, but when enabled, it blocks malware that attempts to alter the boot process. This enables the _____2______ that the drivers and operating system voters being used have not changed since they were approved for use. _____1______ is supported by Microsoft Windows and all major versions of Linux.
1.) Unified Extensible Firmware Interface - UEFI / 2.) Basic Input/Output System - BIOS (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. ______2_______ Is the firmware that a computer system uses at the connection between the actual hardware in the operating system. This is typically stored on non-volatile flash memory, which allows for updates yet persists when the machine is powered off. The purpose behind ____2_____ is to initialize and test the interfaces to any actual hardware in a system. Once the system is running, the ______2_____ functions to translate low-level access to the CPU, memory, and hardware devices, making a common interface for the operating system to connect you. This facilitates multiple hardware manufacturers in different configurations against a single operating system install. ____1_____ is the current replacement for the above. This offers significant modernization over the decades old system above, including the capability to deal with modern peripherals such as high-capacity storage and high-bandwidth communications. This also has more security design into it, including provisions for secure booting. From a system design aspect, this offers advantages newer hardware support, and from a security point of view, secure boot has some specific advantages. For these reasons, all new systems are ___1_____ based.
Full disk encryption - FDE / Self-encrypting disks - SED (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. _______1______ & ______2________ are methods of implementing cryptographic protection on hard disk drives and other similar storage media with the express purpose of protecting the data even if the disk drive is removed from the machine. Portable machines, such as laptops, have a physical security weakness in that they are relatively easy to steal, after which they can be attacked off-line at an attacker's leisure. The use of modern cryptography, coupled with hardware protection to the keys, makes this vector of attack much more difficult. In essence, both of these methods offer a transparent, seamless manner of encrypting the entire hard disk drive using keys that are only available to someone who can properly log into the machine.
Trusted Platform Module - TPM (Hardware/firmware security)
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with the enterprise. While you can easily replace hardware it is lost or stolen, you can't retrieve the information lost or stolen hardware contains. There are some hardware protection mechanisms that your organization should consider employing to safeguard servers, workstations, and mobile devices from that, such as placing cable locks on mobile devices and using locking cabinets and safes to secure portable media, USB drives, and CDs/DVDs. _____________ is a hardware solution on the motherboard, one that assists with key generation and storage as well as random number generation. When the encryption keys are stored in this, they are not accessible via normal software channels and are physically separated from the hard drive or other encrypted data locations. This makes the __________ a more secure solution then storing the keys on the machines normal storage.
RACE Integrity Primitives Evaluation Message Digest - RIPEMD (Hashing algorithms)
Hashing algorithms are cryptographic methods that are commonly used to store computer passwords and to ensure message integrity. __________ is a hashing function developed by the RACE Integrity Primitives Evaluation (RIPE) consortium. It has a 160-bit hash. It is based on MD4, but it uses two parallel channels with five rounds. The output consists of 32-bit words to make a 160-bit hash. Other versions of this use 256 and 320 bits.
Message Digest - MD5 (Hashing algorithms)
Hashing algorithms are cryptographic methods that are commonly used to store computer passwords and to ensure message integrity. __________ is the generic version of one of several algorithms that are designed to create a message digest or hash from data input into the algorithm. This algorithm works just like SHA in that they use a secure method to compress the file and generate a computed output of a specified number of bits. This is considered the "grandfather" of hashing algorithms.
Secure Hash Algorithm - SHA (Hashing algorithms)
Hashing algorithms are cryptographic methods that are commonly used to store computer passwords and to ensure message integrity. __________ refers to a set of hash algorithms designed and published by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Version 3 is the latest version, although version 2 is still in use. Version 1 has been discontinued.
Hashed Message Authentication Code - HMAC (Hashing algorithms)
Hashing algorithms are cryptographic methods that are commonly used to store computer passwords and to ensure message integrity. ___________, is a special subset of hashing technology. This is used to determine if a message has changed during transmission. When you add a secret key and crypto function, the MAC becomes this and you also have the ability to determine authenticity in addition to integrity.
SSL decryptors
How can the traffic be examined if it can't be seen? __________ are a solution to this problem. They can be implemented in hardware or software, or in a combination of both, and they act as a means of opening the SSL/TLS traffic using the equivalent of a man-in-the-middle method to allow for the screening of the traffic. Then, the traffic can be re-encrypted and sent on its way.
IP spoofing (application/service attacks)
IP is designed to work so that the originators of any IP packet include their own IP address in the FROM portion of the packet. While this is the intent, nothing prevents a system from inserting a different address in the FROM portion of the packet. This is known as ______ and can be spoofed for several reasons, including: -Smurf attack; this is where the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. In a Smurf attack, the packet sent by the attacker to the broadcast address is an echo request with the FROM address forged so that it appears that another system (the target system) has made the echo request.
Security Control
If a vulnerability is exposed to the vulnerability scanner, then a _______________ is needed to prevent the vulnerability from being exploited.
Known plain text/cipher text (cryptographic attacks)
If an attacker has the original plaintext and ciphertext for a message, then they can determine the key used through brute force attempts targeting the keyspace. These attacks can be difficult to mitigate, as some messages are particularly prone to this problem.
Principles, Urgency (social engineering)
If attackers produce/drive this, they can allow the target to believe that they can take advantage of a time situation, whether it really is present or not.
Brute force, online vs. offline(cryptographic attacks)
If the user has selected a password that is not found in a dictionary, even if various numbers or special characters are substituted for letters, the only way the password can be cracked is for an attacker to attempt this type of attack, in which the password-cracking program attempts all possible password combinations.
Event deduplication (SIEM)
In many cases, multiple records related to the same event can be generated. For example, an event may be noted in both the firewall log and the system log file. ____________ assists security analysts by reducing clutter in a dataset that can obscure real events that have meaning.
Location-based policies (general concepts)
In organizations with multiple locations, there may be situations where user access does not translate across different locations. A doctor may have access rights in one clinic system, but not another key is working in. There is also the issue of whether a user accessing the system via remote access should have the same rights and privileges as a user with local access. __________ for access control our risk-based access decisions that are best addressed by examining the business rationale, including risks and rewards for access control at different locations for a user. Once the policies are defined, they can be enforced via the specific access control mechanisms in place.
Principles, Intimidation (social engineering)
In social situations, this can be subtle through perceived power, or more direct, through the use of communications that build an expectation of superiority.
Principles, Authority (social engineering)
In social situations, this can lead to an environment where one party feels at risk in challenging another over an issue.
Principles, Consensus (social engineering)
In social situations, this is a group-wide decision. It frequently comes not from a champion, but rather through rounds of group negotiation.
1.) Block vs. 2.) Stream (Cipher modes)
In symmetric or block algorithms, there is a need to deal with multiple blocks of identical data to prevent multiple blocks of ciphertext that would identify the blocks of identical input data. There are multiple methods of dealing with this, called modes of operation. There are two primary modes of operation performed on data. One is _____1____ operations, which are performed on blocks of data, enabling both transposition and substitution operations. This is possible when large pieces of data are present for the operations. The other mode is ____2_____ which have become more common with the streaming of audio and video across the Web. The primary characteristic of this is that it is not available in large chunks, but rather either bit by bit or byte by byte, pieces too small for the other operation above. This mode operates using substitution only and therefore offer less robust protection than the first mode.
Galois Counter Mode - GCM (Cipher modes)
In symmetric or block algorithms, there is a need to deal with multiple blocks of identical data to prevent multiple blocks of ciphertext that would identify the blocks of identical input data. There are multiple methods of dealing with this, called modes of operation. _________ is an extension of CTM with the addition of a Galois mode of authentication. Galois fields are a mathematical representation that has significant utility in practical encoding. The addition of a Galois mode adds an authentication function to the cipher mode. Because the Galois field used in the process can be parallelized, this mode provides an efficient method of adding this capability. It is employed in many international standards, including IEEE 802.1ad and 802.1AE.
Cipher Block Chaining - CBC (Cipher modes)
In symmetric or block algorithms, there is a need to deal with multiple blocks of identical data to prevent multiple blocks of ciphertext that would identify the blocks of identical input data. There are multiple methods of dealing with this, called modes of operation. __________ is a block mode where each block is XORed with the previous ciphertext block before being encrypted. To obfuscate the first block, an initialization vector (IV) us XORed with the first block before encryption. This is one of the most common modes used, but it has two major weaknesses. First, because there is a dependence on previous blocks, the algorithm cannot be parallelized for speed and efficiency. Second, because of the nature of the chaining, a plaintext block can be recovered from two adjacent blocks of ciphertext. An example of this is in the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. This type of padding works because a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact.
Counter Mode [CTM/CTR] (Cipher modes)
In symmetric or block algorithms, there is a need to deal with multiple blocks of identical data to prevent multiple blocks of ciphertext that would identify the blocks of identical input data. There are multiple methods of dealing with this, called modes of operation. __________ uses a "counter" function to generate a nonce that is used for each block encryption. The sequence of operations is to take the counter function value (nonce), encrypt using the key, then XOR with plaintext. Each block can be done independently, resulting in the ability to multithread the processing. It's abbreviation is used interchangeably.
Electronic Code Book - ECB (Cipher modes)
In symmetric or block algorithms, there is a need to deal with multiple blocks of identical data to prevent multiple blocks of ciphertext that would identify the blocks of identical input data. There are multiple methods of dealing with this, called modes of operation. ___________ is the simplest cipher mode operation of all. The message to be encrypted is divided into blocks, and each block is encrypted separately. This has several major issues, most notable of which is that identical blocks yield identical encrypted blocks, telling the attacker that the blocks are identical. This mode is not recommended for use in cryptographic protocols.
Legal hold
In the United States legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party "reasonably anticipates" litigation or another type of formal dispute. Although this sounds technical, it is fairly easy to grasp: once an organization is aware that it needs to preserve evidence for a court case, it must do it. The mechanism is fairly simple as well: once you realize your organization needs to preserve evidence, you must use a __________, for litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case.
Media gateway
In the modern age, many media protocols exist that use voice and video signals. _________ have been built to handle all of these different protocols, including translating them to other common protocols used in a network. These can exist as a standalone device or as part of a switch/firewall.
Downgrade (cryptographic attacks)
In this type of attack, the attacker takes advantage of a commonly employed principle to support backward compatibility, to _______ the security to a lower or nonexistent state.
Script kiddies (types of actors)
Individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed.
National vs. international (Industry-standard frameworks and reference architectures)
Industry-standard frameworks and reference architectures our conceptual blueprints that define the structure and operation of the IT systems in the enterprise just as in an architecture diagram that provides a blueprint for constructing a building the enterprise architecture provides the blueprints and roadmap for aligning IT and security with the enterprise's business strategy. A framework is more generic than the specifics that are specified by an architecture. An enterprise can use both the framework describing the objectives and methodology desired, while in architecture will specify specific components, technologies, and protocols to achieve those design objectives. FYSA... The United States federal government has its own cloud-based reference architecture for systems that use the cloud. Called the Federal Risk and Authorization Management Program (FedRAMP), this process is a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for systems using cloud products and services. One of the more interesting international frameworks has been the harmonization between the United States and European Union with respect to data privacy (U.S.) or data protection (EU) issues. The newest privacy sharing the methodology is called the European Union-United States Privacy Shield Framework and became effective in the summer of 2016.
Regulatory (Industry-standard frameworks and reference architectures)
Industry-standard frameworks and reference architectures our conceptual blueprints that define the structure and operation of the IT systems in the enterprise just as in an architecture diagram that provides a blueprint for constructing a building the enterprise architecture provides the blueprints and roadmap for aligning IT and security with the enterprise's business strategy. A framework is more generic than the specifics that are specified by an architecture. An enterprise can use both the framework describing the objectives and methodology desired, while in architecture will specify specific components, technologies, and protocols to achieve those design objectives. Industries under governmental regulation frequently have an approved set architectures defined by _________ bodies. For example the electric industry as the NERC (North American electric reliability Corporation) Critical Infrastructure Protection (CIP) Standards. This is a set of 14 individual standards that, when taken together, drives in reference framework/architecture for this bulk electric system in North America. Most industries in the United States are regulated in one manner or another. When it comes to cyber security, more and more regulations are beginning to apply, for privacy, to breach notification, to due diligence and due care provisions.
Non-regulatory (Industry-standard frameworks and reference architectures)
Industry-standard frameworks and reference architectures our conceptual blueprints that define the structure and operation of the IT systems in the enterprise just as in an architecture diagram that provides a blueprint for constructing a building the enterprise architecture provides the blueprints and roadmap for aligning IT and security with the enterprise's business strategy. A framework is more generic than the specifics that are specified by an architecture. An enterprise can use both the framework describing the objectives and methodology desired, while in architecture will specify specific components, technologies, and protocols to achieve those design objectives. Some reference architectures are neither industry-specific nor regulatory, but rather are technology focused and considered __________, such as the National Institutue of Standards and Technology (NIST) Cloud Computing Security Reference Architecture and the NIST Framework for Improving Critical Infrastructure Cybersecurity. The latter being a consensus created overarching framework to assist enterprises in their cyber security programs.
Industry-specific frameworks (Industry-standard frameworks and reference architectures)
Industry-standard frameworks and reference architectures our conceptual blueprints that define the structure and operation of the IT systems in the enterprise just as in an architecture diagram that provides a blueprint for constructing a building the enterprise architecture provides the blueprints and roadmap for aligning IT and security with the enterprise's business strategy. A framework is more generic than the specifics that are specified by an architecture. An enterprise can use both the framework describing the objectives and methodology desired, while in architecture will specify specific components, technologies, and protocols to achieve those design objectives. There are several examples of __________. these frameworks have been developed by entities within a particular industry--sometimes to address regulatory needs, other times because of industry specific concerns are risks. EX: HITRUST Common Security Framework (CSF) for use in the medical industry and enterprises that must address HIPAA/HITECH rules and regulations.
Infrared detection
Infrared radiation is not visible to the human eye, but can be used just like a light source to detect a range of things. Motion from living creatures can be seen because of the heat signatures of their bodies. __________ is a technical means of looking for things that otherwise may not be noticed. At night, when it is dark, someone can hide in the shadows, but __________ can point them out to IR-sensing cameras. These detectors consents differences in temperature, which can be from a person entering the room, even if not visible due to darkness. IR alarms are used extensively to monitor people movement in areas where there should be none.
Shoulder surfing (social engineering)
Involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard. May use a camera or binoculars. EX: ATM Machine
Watering hole attack (social engineering)
Involves the infecting of a target website with malware to infect a certain group of people.
Vulnerable business processes
Just as technology and users often have vulnerabilities that can be compromised, as previously discussed, ________________ are subject to compromise.
Least functionality (Operating systems)
Just as we have a principle of least privilege, we should follow a similar track with _________ on systems. A system should do what it is supposed to do, and only what it is supposed to do. Any additional functionality is added attack surface for an adversary and offers no additional benefits to the enterprise.
Security as a service
Just as you can get Software as a Service and Infrastructure as a Service, you can contract with an MSSP for __________. this is the outsourcing of security functions to a vendor that can offer advantages in scale, costs, and speed. Security is a complex, wide-ranging cornucopia of technical specialties, all working together to provide appropriate risk reductions in today's enterprise. This means effective security requires technically savvy security pros, experienced management, specialized hardware and software, and fairly complex operations, both routine and in response to incidents. Any or all of this can be outsourced to a security vendor, and firms routinely examine vendors for solutions where the business economics makes outsourcing attractive.
Password-Based Key Derivation Function 2 - PBKDF2 (key stretching algorithms)
Key stretching is a mechanism that takes what would otherwise be weak keys and "stretches" them to make the system more secure against brute force attacks. __________ is a key derivation function designed to produce a key derived from a password. This function uses a password or passphrase and a salt and applies an HMAC to the input thousands of times. The repetition makes brute force attacks computationally unfeasible.
BCRYPT (key stretching algorithms)
Key stretching is a mechanism that takes what would otherwise be weak keys and "stretches" them to make the system more secure against brute force attacks. __________ is a key-stretching mechanism that uses the Blowfish cipher and salting, and adds an adaptive function to increase the number of iterations. The result is the same as other key-stretching mechanisms (single use is computationally feasible), but when attempting to brute force the function, the billions of attempts make it computationally unfeasible.
Full device encryption (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. Just as laptop computers should be protected with a whole disk encryption to protect the data in case of loss or theft, you may need to consider __________ for mobile devices used by your organization's employees.
Remote wipe (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. Management of data on mobile devices should include a plan to manage the data even if the device is stolen. __________ a mobile device typically removes data stored on the device and resets the device to factory settings.
Geolocation (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. Many mobile devices use mapping applications, traffic monitoring apps, and apps that locate nearby businesses such as gas stations and restaurants. Such technology can be exploited to track movement and location of the mobile device, which is referred to as ___________.
Screen locks (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. Most corporate policies regarding mobile devices require the use of the mobile device's __________ capability. If the passcode is entered incorrectly a specified number of times, the device is automatically wiped.
Application management (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. Understanding what access is requested and approved upon installation of apps is an important security precaution. These are all potential problems for mobile users, concerned over data security and drive the need for a mobile __________ solution. Your company may have to restrict the types of applications that can be downloaded and used on mobile devices.
1.) Passwords and 2.) Pins (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. ___1_____ & ___2____ are common security measures used to protect mobile devices from unauthorized use. These are essential tools and should be used in all cases, and mandated by company policy.
Push notification services (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. __________ are services that deliver information to mobile devices without a specific request from a device. They are used by a lot of apps. As these enable the movement of information from external sources to the device, this has some security implications, such as device location, and potential interaction with the device. For instance, it is possible to push the device to emit a sound, even if the sound is muted on the device.
Biometrics (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. __________ are used across a wide range of mobile devices as a means of access control. Because ___________ sensors have been shown to be bypassable, they should be sidered convenience features, not security features.
Storage segmentation (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. __________ is similar to containerization in that it represents a logical separation of the storage in the unit. For devices that are used to handle highly sensitive corporate data, this of protection is highly recommend.
Content management (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. __________ is the set of actions used to control content issues, including what content is available and to what apps, on mobile devices.
Context-aware authentication (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. __________ is the use of contextual information such as who the user is, what resource they are requesting, what machine they are using, how they are connected, and so on, to make the authentication decision as to whether to permit the user access to the requested resource. The goal is to prevent unauthorized end users, devices, or network connections from being able to access corporate data. This approach can be used, for example, to allow an authorized user to access network-based resources from inside the office but deny the same user access if they are connecting via a public Wi-Fi network.
Geofencing (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. ___________ is the use of the Global Positioning System (GPS) and/or frequency identification (RFID) technology to create a virtual fence around a particular location and detect when mobile devices cross the fence. The enables devices to be recognized by others, based on location and have actions taken. It is generally used in marketing to send messages to devices that are in a specific area such as near a point of sale, or just to count potential customers.
Containerization (mobile device management concepts)
Knowledge of mobile device management concepts is essential in today's environment of connected devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. ___________ on mobile devices refers to dividing the device into a series of containers, one container holding work-related materials, the other personal. They can separate apps, data... virtually everything on the device. MDM solutions offer the ability to encrypt the containers, especially the work-related container, providing another layer of protection for the data.
Lock types
Locks are common security measure that are used with near ubiquity. Everyone is familiar with using a lock to secure something. Many different _________ are used in and around the computer security arena. There are types for laptops, for desktops, even servers. Just as locks can keep your car or bike from being stolen, they can secure computers as well.
Usage auditing and review (general concepts)
Logs of the most frequently use auditing component, and with respect to privileged accounts, blogging can be especially important. __________ is just that, an examination of logs to determine user activity. Reviewing access control logs for root-level accounts is an important elements of securing access control methods. Because of the power and potential for misuse of administrative- or root-level accounts, they should be closely monitored, particularly the use of an administrative-level accounts on a production system.
Encryption (mail gateway)
Mail gateways are used to process email packets on a network, providing a wide range of email services. From filtering spam, to managing data loss, to handling the encryption needs, mail gateways are combinations of hardware and software optimized to perform these tasks in the enterprise. Email is by default a plaintext protocol, making email and email attachments subject to eavesdropping anywhere between sender and receiver. Email __________ can protect email from eavesdropping as well as add authentication services.
Data Loss Prevention - DLP (mail gateway)
Mail gateways are used to process email packets on a network, providing a wide range of email services. From filtering spam, to managing data loss, to handling the encryption needs, mail gateways are combinations of hardware and software optimized to perform these tasks in the enterprise. _________ is also an issue for outgoing mail, particularly email attachments. There are two options for preventing the loss of data via email: use an integrated _____ solution that scans both outgoing traffic and mail, or use a separate standalone system that scans only email.
Spam filter (mail gateway)
Mail gateways are used to process email packets on a network, providing a wide range of email services. From filtering spam, to managing data loss, to handling the encryption needs, mail gateways are combinations of hardware and software optimized to perform these tasks in the enterprise. The bane of users and system administrators everywhere, __________ is essentially unsolicited and undesired bulk electronic messages. ________ filtering is software that is designed to identify and remove this traffic from an email stream as it passes through the mail gateway. Some common uses to fight this are: -Blacklisting -Content or keyword filtering -Trusted servers -Delay-based filtering -PTR and reverse DNS checks -Callback verification -Statistical content filtering -Rule-based filtering -Egress filtering -Hybrid filtering
1.) Legal and 2.) Compliance
Many data security and privacy practices are guided by _____1______ requirements and regulatory _____2_______. different sectors have differing requirements concerning the use of personal information. The most heavily regulated sectors are medical, finance, and baking. For example, HIPAA covers PHI and PII associated with medical records. In banking, the Fair Credit Reporting Act and its Disposal Rule cover consumer information and its disposal with respect to credit.
Camera use (Enforcement and monitoring for:)
Many mobile devices include on-board _________, and the photos/videos they take can divulge information. Turning off GPS tagging can help mitigate risk of this function.
Group Policy objects (account policy enforcement)
Microsoft windows systems in an enterprise environment can be managed via __________ (GPOs). These act through a set of the registry settings that can be managed via the enterprise. A wide range of settings can be managed via these, including numerous settings that are related to security, including user credential settings such as password rules.
Access points (Misconfigured devices)
Misconfigured devices represent one of the more common security issues and can go completely unnoticed. __________ are the first line of defense, where access to a network is either granted or denied. Whether RJ-45 physical jacks or wireless, these need a method of determining entry criteria, before allowing access to network resources. These are only as good as the rules behind them.
Content filter (Misconfigured devices)
Misconfigured devices represent one of the more common security issues and can go completely unnoticed. __________ are used to limit specific types of content across the Web to users. A common use is to block sites that are not work related, and to limit items such as Google searches and other method of accessing content determined to be inappropriate. These rely upon a set of rules.
Firewall (Misconfigured devices)
Misconfigured devices represent one of the more common security issues and can go completely unnoticed. __________ essentially are devices to enforce network access policy. Using a set of rules, it either allows or blocks passage of packets. The key is the ruleset. A solid ruleset enables solid controls, whereas a sloppy ruleset enables sloppy controls.
Logical (VLAN) (Segregation/segmentation/isolation)
Modern networks, with their increasingly complex connections, result in systems where navigation can become complex between nodes. Just as a DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces of the network using security rules can provide differing trust environments. There are several terms used to describe the resulting architecture, including network segmentation, segregation, isolation, and enclaves. Enclaves is the most commonly used term to describe sections of a network that are logically isolated by segmentation at the networking protocol. The concept of segregating a network into enclaves can create areas of trust where special protections can be employed and traffic from outside the enclaves is limited or properly screen before admission. A ___________ is a set of devices with similar functionality and similar communication needs, typically co-located and operated off a single switch. This is the lowest level of a network hierarchy and defines the domain for certain protocols at the data link layer for communication. It is a logical implementation of a LAN and allows computers connected to different physical networks to acting communicate as if they were on the same physical network. This has many of the same characteristic attributes of a LAN and behaves much like a physical LAN but is implemented using switches and software. This very powerful technique allows significant network flexibility, scalability, and performance and allows administrators to perform network reconfigurations without having to physically relocate or re-cable systems.
Air gaps (Segregation/segmentation/isolation)
Modern networks, with their increasingly complex connections, result in systems where navigation can become complex between nodes. Just as a DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces of the network using security rules can provide differing trust environments. There are several terms used to describe the resulting architecture, including network segmentation, segregation, isolation, and enclaves. Enclaves is the most commonly used term to describe sections of a network that are logically isolated by segmentation at the networking protocol. The concept of segregating a network into enclaves can create areas of trust where special protections can be employed and traffic from outside the enclaves is limited or properly screen before admission. __________ is the term used to describe when no data path exists to networks that are not connected in any way except via a physical _______ between their. Physically or logically there is no direct path between the. It is a conceptual term that refers to isolating a secure network or computer from all other networks-particularly the Internet-and computers by ensuring that it can't establish external communication, the goal of which is to prevent any possibility of unauthorized access. These are considered by some to be a security measure, but this topology has several weaknesses. First, sooner or later, some form of data transfer is needed between the systems. When this happens, administrators transfer files via a USB connected external media, which effectively breaches the _________.
Virtualization (Segregation/segmentation/isolation)
Modern networks, with their increasingly complex connections, result in systems where navigation can become complex between nodes. Just as a DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces of the network using security rules can provide differing trust environments. There are several terms used to describe the resulting architecture, including network segmentation, segregation, isolation, and enclaves. Enclaves is the most commonly used term to describe sections of a network that are logically isolated by segmentation at the networking protocol. The concept of segregating a network into enclaves can create areas of trust where special protections can be employed and traffic from outside the enclaves is limited or properly screen before admission. __________ offers server isolation logically while still enabling physical hosting. This allows you to run multiple servers on a single piece of hardware, enabling the use of more powerful machines in the enterprise at higher rates of utilization.
Physical (Segregation/segmentation/isolation)
Modern networks, with their increasingly complex connections, result in systems where navigation can become complex between nodes. Just as a DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces of the network using security rules can provide differing trust environments. There are several terms used to describe the resulting architecture, including network segmentation, segregation, isolation, and enclaves. Enclaves is the most commonly used term to describe sections of a network that are logically isolated by segmentation at the networking protocol. The concept of segregating a network into enclaves can create areas of trust where special protections can be employed and traffic from outside the enclaves is limited or properly screen before admission. __________ segregation is where you have separate physical equipment to handle different classes of traffic, including separate switches, separate routers, and separate cables. This is the most secure method of separating traffic, but also the most expensive. Organizations commonly have separate ________ paths in the outermost sections of the network where connections to the Internet are made. This is mostly for redundancy, but it also acts to separate the traffic.
Production (environment)
Most organizations have multiple, separate computing environments designed to provide isolation between the functions of development, test, staging, and production. The primary purpose of having the separate environments is to prevent security incidents arising from untested code ending up in the production environment. The hardware of these environments is segregated and access control lists are used to prevent users from accessing more than one environment at a time. Moving code between environments requires a special accounts that can access both, minimizing issues of cross-contamination. The _________ environment is where the systems work with real data, doing the business that the system is intended to perform. This is an environment where, by design, very few changes occur, and those that do must first be approved and tested via the systems change management process.
Development (environment)
Most organizations have multiple, separate computing environments designed to provide isolation between the functions of development, test, staging, and production. The primary purpose of having the separate environments is to prevent security incidents arising from untested code ending up in the production environment. The hardware of these environments is segregated and access control lists are used to prevent users from accessing more than one environment at a time. Moving code between environments requires a special accounts that can access both, minimizing issues of cross-contamination. The __________ environment is sized, configured, and set up for developers to develop applications and systems. Unlike production hardware, this hardware does not have to be scalable, and it probably does not need to be as responsive forgiven transactions. This platform does need to use the same operating system type and version as used in the production environment, for developing on Windows in the points of Linux is fraught with difficulties that can be avoided by matching environments in terms of operating system type and version. After code is successfully developed, it is moved to a test system.
Test (environment)
Most organizations have multiple, separate computing environments designed to provide isolation between the functions of development, test, staging, and production. The primary purpose of having the separate environments is to prevent security incidents arising from untested code ending up in the production environment. The hardware of these environments is segregated and access control lists are used to prevent users from accessing more than one environment at a time. Moving code between environments requires a special accounts that can access both, minimizing issues of cross-contamination. The __________ environments fairly closely mimics the production environments--same versions of software, down to patch levels, same-sex of permissions, same file structures, and so forth. The purpose of this environment is to test the system fully prior to deploying it into production to ensure that it is bug-free and will not disrupt the production environment. This environment may not scale like production, but from a software/hardware footprint, it will look exactly like production. This is important to ensure that system-specific settings are tested in an environment identical to that in which they will be run.
Staging (environment)
Most organizations have multiple, separate computing environments designed to provide isolation between the functions of development, test, staging, and production. The primary purpose of having the separate environments is to prevent security incidents arising from untested code ending up in the production environment. The hardware of these environments is segregated and access control lists are used to prevent users from accessing more than one environment at a time. Moving code between environments requires a special accounts that can access both, minimizing issues of cross-contamination. The __________ environments is an optional environments, but it is commonly used when an organization has multiple production environments. After passing testing, the system moves here, from where it can be deployed to the different production systems. The primary purpose of this environments is to serve as a sandbox after testing, so this test system can test the next set, while the current set is deployed across the enterprise. One method of deployment is this deployment, where software is deployed to part of the enterprise and then a pause occurs to watch for unseen problems. If not occur, the deployment continues, stage by stage, until all of the production systems are changed. By moving software in this manner, you never lose the old production system until the end of the move, giving you time to monitor and catch any unperceived problems. This also prevents the total loss of production to a failed update.
Somewhere you are (Multifactor authentication)
Multifactor authentication is simply the combination of two or more types of authentication. One of the more ruminant authentication factors is your location, also known as __________.
Something you are (Multifactor authentication)
Multifactor authentication is simply the combination of two or more types of authentication. _________ specifically refers to biometrics. One of the challenges with using this is that typically they are hard to change, so once assigned they inevitably become immutable, as you can change fingers, but only a limited number of times and then you run out of changes.
Something you do (Multifactor authentication)
Multifactor authentication is simply the combination of two or more types of authentication. __________ specifically refers to a physical action that you perform uniquely. An example of this is a signature; the movement of the pen and the two-dimensional output are difficult for others to reproduce.
Something you know (Multifactor authentication)
Multifactor authentication is simply the combination of two or more types of authentication. __________ specifically refers to passwords.
Something you have (Multifactor authentication)
Multifactor authentication is simply the combination of two or more types of authentication. __________ specifically refers to security tokens and other items that a user can possess physically.
Steward/custodian (data roles)
Multiple personnel in an organization are associated with the control and administration of data. Each of these roles has responsibilities in the protection and control the data. The leadership of this effort is under the auspices of the privacy officer. A data ___________ or __________ is the role responsible for the day-to-day caretaking of data. The data owner sets the relevant policies, and this person ensures they are followed.
Owner (data roles)
Multiple personnel in an organization are associated with the control and administration of data. Each of these roles has responsibilities in the protection and control the data. The leadership of this effort is under the auspices of the privacy officer. All data elements in an organization should have defined requirements for security, privacy, retention, and other business functions. It is the responsibility of the designated __________ to define these requirements.
Privacy officer (data roles)
Multiple personnel in an organization are associated with the control and administration of data. Each of these roles has responsibilities in the protection and control the data. The leadership of this effort is under the auspices of the privacy officer. The _________ is the C-level executive who is responsible for establishing and enforcing data privacy policy and addressing legal and compliance issues. Data minimization initiatives are also the responsibility of this person. They are responsible for determining the gap between a company's privacy practices and the required actions to close the gap to an approved level.
1.) In-band vs. 2.) Out-of-band (NIDs/NIPs)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. An ____1__ NIDS/NIPS is an inline sensor couple to a NIDS/NIPS that makes its decisions in-band and enacts changes via the sensor. This has the advantage of high security but it also has implications related to traffic levels and traffic complexity. An ____2____ system relies on a passive sensor, or set of passive sensors, and has the advantage of greater flexibility in detection across a wider range of traffic types. The disadvantage is the delay in reacting to the positive findings, as the traffic has already passed to the end host.
1.) Inline vs. 2.) Passive (NIDs/NIPs)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. An ____1____ sensor monitors the data packets as they actually pass through the device. A failure of this sensor would block traffic flow. A ____2____ sensor monitors the traffic via a copying process, so the actual traffic does not flow through or depend upon the sensor for connectivity. Most sensors are this type.
Analytics, False positive (NIPS/NIDS)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. Big data analytics is currently all the rage in the IT industry, with varying claims of how much value can be derived from large datasets. If you are testing for the presence of an unauthorized user, and the system says the user is not the authorized person, yet in reality the user is who they say they are, then this is a __________. The positive result is not really true.
Analytics, False negative (NIPS/NIDS)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. Big data analytics is currently all the rage in the IT industry, with varying claims of how much value can be derived from large datasets. _________ are the opposite of false positives. This result would happen when a test fails to find something that is actually an issue.
Rules (NIPS/NIDS)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. NIDS/NIPS solutions makes use of an analytics engine that uses _________ to determine whether an event of interest has occurred or not. These can be signature-based or more complex Bayesian ones with heuristic/behavioral systems or anomaly-based systems.
Anomaly (NIPS/NIDS)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. The IDS is first taught what "normal" traffic looks like and then looks for deviations from those "normal" patterns. An ________ is a deviation from an expected pattern or behavior.
Heuristic/behavioral (NIPS/NIDS)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. The ___1___ model uses artificial intelligence to detect intrusions and malicious traffic. It is typically implemented through algorithms. The ____2___ model relies on a collected set of "normal behavior" -- what should happen on the network and is considered "normal" or "acceptable" traffic. Behavior that does not fit into this normal activity categories or patterns is considered suspicious or malicious.
Signature-based (NIPS/NIDS)
Network-based Intrusion Detections Systems (NIDs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. These systems are implemented in software, but in large system, dedicated hardware is required as well. A Network-based Intrusion Prevention System (NIPS) has as its core an intrusion detection system. However, whereas a NIDS can only alert when network traffic matches a defined set of rules, a NIPS can take further actions. A NIPS can take direct action to block an attack, its actions governed by rules. By automating the response, a NIPS significantly shortens the response time between detection and action. Whether network-based or host-based, an IDS will typically consist of several specialized components working together. __________ systems work by matching signatures in the network traffic stream to defined patterns stored in the system. These types of NIDs/NIPs can be very fast and precise, with low false-positive rates. The weakness of this system is that they rely on having accurate signature definitions beforehand, and as the number of signatures expand, this creates an issue in scalability.
1.) Agent vs. 2.) Agentless (NAC)
Networks comprise connected workstations and servers. Managing the endpoints on a case-by-case basis as they connect is a security methodology known as network access control (NAC). Out of this, two main methodologies exist: network access protection (NAP) which is a Microsoft technology for controlling network access to a computer host, and network admission control (NAC) is Cisco's technology for controlling network admission. In ____1____-based solutions, code is stored on the host machine for activation and use at time of connection. In _____2_____ solutions, the code resides on the network and is deployed to memory for use in a machine requesting connections, but since it never persists on the host machine, it is referred to as _____2_____.
Host health checks (NAC)
Networks comprise connected workstations and servers. Managing the endpoints on a case-by-case basis as they connect is a security methodology known as network access control (NAC). Out of this, two main methodologies exist: network access protection (NAP) which is a Microsoft technology for controlling network access to a computer host, and network admission control (NAC) is Cisco's technology for controlling network admission. One of the key benefits of a NAC solution is the ability to enforce a specific level of ___________ on clients before they are admitted to the network. Some common ones include verifying antivirus solution is present, has the latest patches, and has been run recently, and verifying that the OS and applications are patched.
1.) Dissolvable vs. 2.) Permanent (NAC)
Networks comprise connected workstations and servers. Managing the endpoints on a case-by-case basis as they connect is a security methodology known as network access control (NAC). Out of this, two main methodologies exist: network access protection (NAP) which is a Microsoft technology for controlling network access to a computer host, and network admission control (NAC) is Cisco's technology for controlling network admission. The use of NAC technologies requires an examination of a host before allowing it to connect to the network. This examination is performed by a piece of software, frequently referred to as an agent. When agents are pre-deployed to endpoints, these ____2_____ agents act as the gateway to NAC functionality. In cases where deployment on an as-needed basis is chose, an agent can be deployed upon request and later discarded after use. These agents are frequently referred to as ____1____ agents, for they in essence disappear after use.
Live boot media (non-persistence)
Non--persistence is when a change to a system is not permanent. Making a system non--persistent can be a useful tool when you wish to prevent certain types of malware attacks. A system that cannot preserve changes to not have persistent files added into their operations. A simple reboot wipes out the new files, malware, etc. A system that has been made non-persistent is not able to save changes to its configuration, it's applications, or anything else. A __________ is an optical disk or USB device that contains a complete bootable system. These are specially formatted so as to be bootable from the media. This gives you a means of putting the system from external operating system source, should the OS on the internal drive become unusable. This may be used as a recovery mechanism, although internal drives encrypted, you'll need backup keys to access it.
Revert to known state (non-persistence)
Non--persistence is when a change to a system is not permanent. Making a system non--persistent can be a useful tool when you wish to prevent certain types of malware attacks. A system that cannot preserve changes to not have persistent files added into their operations. A simple reboot wipes out the new files, malware, etc. A system that has been made non-persistent is not able to save changes to its configuration, it's applications, or anything else. __________ Is and operating system capability that is akin to reverting to a snapshot of a VM. Many OSs now have the capability to produce a restore point, a copy of key files that change upon updates to the OS. If you add a driver or updates to the OS, and the update results in problems, you can refer the system to the previously saved restore point. This is a very commonly used often in Microsoft Windows, and the system by default creates restore points before and processes updates to the operating system, and at that point in time between updates.
Snapshots (non-persistence)
Non--persistence is when a change to a system is not permanent. Making a system non--persistent can be a useful tool when you wish to prevent certain types of malware attacks. A system that cannot preserve changes to not have persistent files added into their operations. A simple reboot wipes out the new files, malware, etc. A system that has been made non-persistent is not able to save changes to its configuration, it's applications, or anything else. __________ are instantaneous save points in time on virtual machines. These allow you to restore the virtual machine to a previous point in time. These work because a VM is just a file on a machine, and setting the file back to a previous version reverts the VM to the state it was in at that time. A ________ is a point in time saving of the state of a virtual machine. These have great utility because they are like a save point for entire system. They can be used to roll a system back to a previous point in time, undo operations, or provide a quick means of recovery from a complex, system-altering change that has gone awry. These act as a form of backup and are typically much faster than normal system backup and recovery operations.
Rollback to known configuration (non-persistence)
Non--persistence is when a change to a system is not permanent. Making a system non--persistent can be a useful tool when you wish to prevent certain types of malware attacks. A system that cannot preserve changes to not have persistent files added into their operations. A simple reboot wipes out the new files, malware, etc. A system that has been made non-persistent is not able to save changes to its configuration, it's applications, or anything else. ____________ is another way of saying revert to a known state, but it is also the specific language Microsoft uses with respect to rolling back the registry values to a known good configuration on boot.
Users (Role-based awareness training)
Normal _________ need limited access based on their job role and tasks assigned. This is where the principle of least privilege comes into play. Limiting and objects privileges limits the amount of harm that can be caused, thus limiting organizations exposure to damage.
Self-signed (types of certificates)
Not all certificates have to have the same root node (higher-level CA). A company can create its own certificate chain for use inside the company, and thus it creates its own root node. This certificate is an example of a __________ certificate, as there is no other "higher" node of trust.
Backdoor
Nothing more than methods used by software developers to ensure that they can gain access to an application even if something were to happen in the future to prevent normal access methods. EX: NetBus and Back Orifice
Exclusive OR - XOR (Obfuscation)
Obfuscation is the purposeful hiding of the meaning of a communication. By itself, obfuscation is weak, because once the method/algorithm used for hiding is discovered, the protection is gone. But it still has use in increasing the complexity of solving the hidden message problem. __________ is a simple cipher operation and is performed by the addition of the text and the key, using modulus 2 arithmetic. A string of text can be encrypted by applying the bitwise __________ operator to every character using a given key. To decrypt the output, merely reapplying the _________ function with the key will remove the cipher. It is a common component inside many of the more complex cipher algorithms because it is so fast. The weakness of this is when the text length is significantly longer than the key, forcing the reuse of the key across the length of the cipher. If the key is as long as the text being encrypted and is never reused, then this forms a perfect cipher from a mathematical perspective.
ROT13 (Obfuscation)
Obfuscation is the purposeful hiding of the meaning of a communication. By itself, obfuscation is weak, because once the method/algorithm used for hiding is discovered, the protection is gone. But it still has use in increasing the complexity of solving the hidden message problem. __________ is a special case of a Caesar substitution cipher where each character is replaced by a character 13 places later in the alphabet.
Substitution ciphers (Obfuscation)
Obfuscation is the purposeful hiding of the meaning of a communication. By itself, obfuscation is weak, because once the method/algorithm used for hiding is discovered, the protection is gone. But it still has use in increasing the complexity of solving the hidden message problem. ___________ substitute characters on a character-by-character basis via a specific scheme. The order of the characters in each block is maintained. A transportation cipher is one where the order of the characters is changed per a given algorithm. A simple __________ cipher replaces each character with a corresponding __________ character, the length of the message. Although this has an entropy of 88 bits, because of structures in language, this is relatively easily broken using frequency analysis of the characters. A more complex method is a polyalphabetic __________, of which the Vigenere cipher is an example, where the ___________ alphabet changes with each use of a character. This increases the complexity and thwarts basic frequency analysis as it obscures repeated letters and frequency analysis in general across a message.
Testing, Vulnerability testing authorization (risk assessment)
Obtaining __________ from management before commencing the test is the step designed to prevent avoidable misunderstandings, such as triggering an IR response. Just as it is important to obtain authorization for penetration tests, is important to obtain permission for vulnerability tests of productions machines.
Testing, Penetration testing authorization (risk assessment)
Obtaining ___________ is the first step in penetration testing. The testing team, in advance, obtains permission, in writing with specifics, from the system owner to perform the penetration test. The authorization should explain the full scope of the penetration testing. This penetration testing authorization is used as a communication plan for the test.
Disabling unnecessary ports and services (Operating systems)
On important management issue for running a secure system is to identify the specific needs of a system for its proper operation and to enable all the items necessary for those functions. _____________ prevents their use by unauthorized users and improves system throughput increases security. Systems have ports and connections that need to be disabled if not in use.
Cross-site scripting (application/service attacks)
One of the most common web attack methodologies. The cause of the vulnerability is weak user input validation. If input is not validated properly, an attacker can include a script in their input and have it rendered as part of the web process. The three types of these attacks are: -Non-persistent -Persistent -DOM-based These attacks can result in numerous issues, including session hijacking, deploying hostile content, and impersonating a user.
High availability
One of the objectives of security is the availability of data and processing power when an authorized user desires it. __________ refers to the ability to maintain availability of data and operational processing (services) despite a disrupting event. Generally this requires redundant systems, both in terms of power and processing, so that should one system fail, the other can take over operations without any break in service. This is more than data redundancy; it requires that both data and services be available.
Online Certificate Status Protocol - OCSP (components)
One of the protocols used for online revocation services is the ___________, a request and response protocol that obtains the serial number of the certificate that is being validated and reviews CRLs for the client. The protocol has a responder service that reports the status of the certificate back to the client, indicating whether it has been revoked, it is valid, or its status is unknown. This protocol and service saves the client from having to find, download, and process the right lists. FYI: Suspension of a certificate has the same immediate effect as revocation, but it can be reversed.
Unauthorized software
One of the security challenges in an enterprise is the addition of _________ to a system, which poses additional risk to the enterprise. This can either be the use of an unapproved program or the use of an approved program with improper licensing.
Identify common misconfigurations
One source of failure with respect to vulnerabilities is in the ___________________ of a system. Common ________ include access control failures and failure to protect configuration parameters. Vulnerability scanners can be programmed to test for these specific conditions and report on them.
Types, Appliance (Operating systems)
Operating systems our complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the operating system itself, while others are standalone applications that use the operating system as a mechanism to connect to other programs and hardware resources. It is up to the operating system to manage the security aspects of the hardware being utilized. Appliances are stand-alone devices, wired into the network and designed to run an application to perform a specific function on traffic. These systems operate as headless servers, preconfigured with applications that run and perform a wide range of security services on the network traffic that they see. For reasons of economics, portability, and functionality, the vast majority of __________ operating systems are built using a Linux-based operating system.
Types, Mobile OS (Operating systems)
Operating systems our complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the operating system itself, while others are standalone applications that use the operating system as a mechanism to connect to other programs and hardware resources. It is up to the operating system to manage the security aspects of the hardware being utilized. Mobile devices began as a phone, with limited other abilities. ________ operating systems come in two main types: Apple's iOS and Google's android operating system.
Types, Network (Operating systems)
Operating systems our complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the operating system itself, while others are standalone applications that use the operating system as a mechanism to connect to other programs and hardware resources. It is up to the operating system to manage the security aspects of the hardware being utilized. Network components use a ________ operating systems to provide the actual configuration and computation portion of networking. There are many vendors of networking equipment, and each has its own proprietary operating system. Cisco has the largest footprint with its IOS, internetworking operating system, the operating system that runs on all Cisco routers and switches.
Types, Workstation (Operating systems)
Operating systems our complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the operating system itself, while others are standalone applications that use the operating system as a mechanism to connect to other programs and hardware resources. It is up to the operating system to manage the security aspects of the hardware being utilized. The __________ operating system exists to provide a functional working space, typically a graphical interface, for a user to interact with the system and its various applications. Because of the high level of user interaction on workstations, it is very common to see windows in the role of workstation operating systems.
Types, Kiosk (Operating systems)
Operating systems our complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the operating system itself, while others are standalone applications that use the operating system as a mechanism to connect to other programs and hardware resources. It is up to the operating system to manage the security aspects of the hardware being utilized. __________ are standalone machines, typically operating a browser instance on top of the Windows operating system. These machines are usually set up to auto log into a browser instance that is locked to a website that allows all of the functionality desired. These are commonly used for interactive customer service applications, such as interactive information sites, menus, and so on. The operating system on this needs to be to be locked down to minimum functionality so that users can't make any configuration changes. It also should have elements such as are login and an easy way to construct the applications.
Types, Server (Operating systems)
Operating systems our complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the operating system itself, while others are standalone applications that use the operating system as a mechanism to connect to other programs and hardware resources. It is up to the operating system to manage the security aspects of the hardware being utilized. ___________ operating systems bridge the gap between the server hardware and the applications that are being run on the server. Currently, server operating systems include Microsoft Windows Server, many flavors of Linux, and an ever increasing number of virtual machine/hypervisor environments.
Weak/deprecated algorithms
Over time, cryptographic algorithms fall to attacks or just the raw power of computation. You should not use these. EX: Old algorithms include hash algorithms like MD5 and SHA-1 are old. DES and 3DES have also fallen from favor. The best solution currently is using AES.
Order of restoration
Part of the planning for a disaster is to decide the __________, which systems should be restored first, second, and ultimately last. There are a couple of distinct factors to consider. First are dependencies. Any system that is dependent upon another for proper operation might as well wait in line to be restored until the prerequisite services are up and running. The second factor is criticality to the enterprise. The most critical service should be brought back up first.
Patch management (Operating systems)
Past management involves three types of hierarchy for software updates: FYSA... Hotfix - this term refers to a small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system attacks. Hot fixes are typically developed in reaction to a discovered problem and are produced and released rather quickly. Patch - this term refers to a more formal, larger software update that can address several or many software problems. Patches often contain enhancements or additional capabilities as well as fixes for known bugs. Patches are usually developed over a longer period of time. Service pack - this refers to a large collection of patches and hot fixes rolled into a single, rather large package. Service packs are designed to bring the system up to the latest known good level all at once, rather than requiring the user or system administrator to download dozens or hundreds of updates separately.
Screenshots (Data acquisition)
Pay particular attention to the state of what is on the screen at the time of evidence collection. The information on a video screen is lost once the system changes or power is removed. Take __________, using a digital camera or video camera, to provide documentation as to what was on the screen at the time of collection. Because you cannot trust the system internals themselves to be free of tampering, do not use internal __________ capture methods.
Background checks
Personnel are key to security in the enterprise. Hiring good personnel has always been a challenge in the technical field, but it is equally important to hire trustworthy people, especially in key roles that have greater system access. Performing routine __________ provides the human resources team the necessary information needed to make the correct decisions. These can validate previous employment, criminal backgrounds, and financial background. Depending upon the industry, firm, and position, different elements from these areas may be included.
Insider threat (personnel issues)
Personnel issues in the context of security are the problems caused by users, through their actions and errors. An insider who acts maliciously abuses the trust emparted in them to perform their duties. This is considered an ___________. They are a more significant challenge to an organization that an outside attacker since this person already has access to at least basic privileges on the system. EX: Edward Snowden of the NSA
Personal email (personnel issues)
Personnel issues in the context of security are the problems caused by users, through their actions and errors. The use of _________ at work can cause a variety of issues. It can offer a data exfiltration pathway that is outside of corporate control.
Policy violations (personnel issues)
Personnel issues in the context of security are the problems caused by users, through their actions and errors. _________ occur when personnel do not adhere to written policies established by the organization. These could include password policies, acceptable use policies, clean desk and vacation policies, and more.
Social engineering (personnel issues)
Personnel issues in the context of security are the problems caused by users, through their actions and errors. __________ is a form of hacking a user. Training users to have an awareness of social engineering, enabling them to recognize this is the best defense.
Social media (personnel issues)
Personnel issues in the context of security are the problems caused by users, through their actions and errors. __________ is a popular method of communicating with friends, family, associates, and others across the Web. Over-sharing on this can lead to a huge risk.
GPS tagging (Enforcement and monitoring for:)
Photos taken on mobile devices or with cameras that have GPS capabilities can have location information embedded in the digital photo. This is called __________ by CompTIA, and geo-tagging by others. It is recommended that it be disabled unless you have a specific reason for having the location information embedded in the photo.
Smart cards (physical access control)
Physical access control is the process of defining and enforcing who can have physical access to a system. Physical access control lists work in the physical world in the same way they worked in the electronic world. Access list define the group of individuals who are authorized to utilize a resource. Entry into a server room, access to equipment rooms, and keys for locks protecting sensitive areas are all examples of elements that require access control. A __________ is a credit card-sized card with in that he circuits that is used to provide identification security authentication. They can increase the physical security because they can carry long cryptographic tokens, too long to remember and too large a space to guess.
Proximity cards (physical access control)
Physical access control is the process of defining and enforcing who can have physical access to a system. Physical access control lists work in the physical world in the same way they worked in the electronic world. Access list define the group of individuals who are authorized to utilize a resource. Entry into a server room, access to equipment rooms, and keys for locks protecting sensitive areas are all examples of elements that require access control. One method of electronic door control is through the use of _________, or contactless access cards. A keypad, a combination of the car or any separate PIN code, may also be required to open the door to his secure space.
Key management
Physical locks have physical keys, and keeping track of who has what keys can be a chore. Adding in master keys and maintaining a list of who has physical access space, and such tracking can quickly become a task requiring a software solution. _________ is the process of keeping track of where the keys are and who has access to what. A physical security environment that does not have a means of _________ is not verifiably secure. __________ will be essential when, say, a server in a locked room goes missing and management wants to know "Who has keys that can give them access to that room?"
Logs
Physical security _________ provide the same utility as computer _________ do for a security investigation. They act as a record of what was observed at specific points in time. Having roving guards check in at various places across a shift via a ________ entry provides a record of the actual surveillance. _________ of visitors arriving and departing, equipment received and shipped out, and so forth all serve as a record of the physical happenings in a facility.
Worm
Pieces of code that attempt to penetrate networks and computer systems. Once a penetration occurs, this will create a new copy of itself on the penetrated system. Does not rely on a virus or another piece of code. EX: Sobig, SQL Slammer, Code Red, Nimba, and Zotob
Screen filters
Shoulder surfing involves the attacker directly observing the individual entering information on a form, keypad, or keyboard, usually to read passwords or other sensitive information. _________ are optical filters that limit the angle of view ability to a very narrow range, making it difficult for others to visually eavesdrop.
Spyware
Software that "spies" on the users, recording and reporting on their activities. Designed to steal information.
License compliance violations [availability/integrity]
Software that is in an improper license state may not receive proper updates. ____________ need to be resolved in a timely manner to prevent inadvertent availability issues.
Adware
Software that is supported by advertising. EX: Pop-up browser windows which can cascade upon any user action.
Low latency (common use cases)
Some use cases involve __________ operations, requiring specialized cryptographic functions to support operations that have extreme time constraints. Stream ciphers are examples of this use case.
Advanced Encryption Standard - AES (symmetric algorithms)
Symmetric algorithms are characterized by using the same key for both encryption and decryption. They are used for bulk encryption because they are comparatively fast and have few computational requirements. NIST put out a request for proposals of a new one of these. Rijndael ultimately won and was chosen for its overall security as well as its good performance on limited-capacity devices. The three different standard key sizes are 128, 192, and 256. No efficient attacks currently exists against this.
RC4 - Rivest Cipher 4 (symmetric algorithms)
Symmetric algorithms are characterized by using the same key for both encryption and decryption. They are used for bulk encryption because they are comparatively fast and have few computational requirements. Ron Rivest designed this algorithm. It is a stream cipher, whereas all other ones in Security+ objectives are block-mode ciphers. This can use a key strength of 8 to 2048 bits, though most versions only use 128. It is vulnerable mostly because of weak keys. Proper implementations of this need to include weak key detection.
3DES (symmetric algorithms)
Symmetric algorithms are characterized by using the same key for both encryption and decryption. They are used for bulk encryption because they are comparatively fast and have few computational requirements. This is a follow-on implementation of DES. Depending on the specific variant, it uses either two or three keys instead of the single key that DES uses. It also spins through the DES algorithm three times via what's called multiple encryption. It uses 168 bits. Having been cracked, AES has taken over as the symmetric encryption standard.
Data Encryption Standard - DES (symmetric algorithms)
Symmetric algorithms are characterized by using the same key for both encryption and decryption. They are used for bulk encryption because they are comparatively fast and have few computational requirements. This was developed in response to the National Bureau of Standards (NBS), now known as the National Institute of Standards and Technology (NIST), issuing a request for proposals for a standard cryptographic algorithm in 1973. It uses 56 bits. AES has now been certified by NIST to replace this.
1.) Blowfish / 2.) Twofish (symmetric algorithms)
Symmetric algorithms are characterized by using the same key for both encryption and decryption. They are used for bulk encryption because they are comparatively fast and have few computational requirements. ____1_____ was designed in 1994 by Bruce Schneier. It is a block-mode cipher using 64-bit blocks and a variable key length from 32 to 448 bits. It was designed to run quickly on 32-bit microprocessors and is optimized for situations with few key changes. _____2____ was one of the five finalists in the AES competition. It is a block cipher utilizing 128-bit blocks with a variable-length key of up to 256 bits. It is available for public use, and has proven to be secure. It is less vulnerable that the one above in that it is less vulnerable to certain classes of weak keys.
1.) On-premise vs. 2.) hosted vs. 3.) cloud
Systems can exist in a wide array of places. _____1______ means the system resides locally in the building of the organization. Whether VM, storage, or even services, if the solution is locally hosted and maintained, it is referred to as _____1_______. the advantage is that the organization has total control and generally high connectivity. The disadvantage is that it requires local resources and is not as easy to scale. ______2_______ services refers to having the services posted somewhere else, commonly in a shared environment. Using third-party services for this provides you a set cost based on the amount you use. This has cost advantages, especially when scale is included--does it make sense to have all the local infrastructure, including personnel, for a small, informational only website? Of course not; you would have that website hosted. Storage works the opposite with scale. Small-scale storage needs are easily met in-house, whereas large-scale storage needs are typically either hosted or in the _____3______.
Continuing education
Technology and security practices are far from static environments. They advance every year, and relevant skills can become outdated in as little as a couple of years. Maintaining a skilled workforce in security necessitates ongoing training and education. A __________ program can assist greatly in helping employees keep their skills up-to-date.
Buffer overflow (application/service attacks)
The "Most Wanted" in coding security. In this attack, the input buffer that is used to hold program input is overwritten with data that is larger than the buffer can hold. The root cause of this vulnerability is a mixture of two things: poor programming practice and programming language weakness.
Certificate Revocation List - CRL (components)
The CA provides this type of protection by maintaining a _______________, a list of serial numbers of certificates that have been revoked. The __________ also contains a statement indicating why the individual certificates were revoked and a date when the revocation took place.
P7B (certificate formats)
The PKCS#7 or ________ format is stored in Base64 ASCII format and has a file extension of ______ or .P7C. A __________ file begins with -----BEGIN PKCS&----- and only contains certificates and chain certificates (intermediate CAs), not the private key. The most common platforms that support ________ files are Microsoft Windows and Java Tomcat.
1.) Waterfall vs. 2.) Agile (Development life-cycle models)
The _____1____ model is a development model based on simple manufacturing design. The worker process begins with the requirements analysis phase and progresses through a series of four more phases, with each phase being completed before progressing to the next phase--without overlap. This is a linear, sequential process, and the model discourages backing up and repeating earlier stages (after all, you can't reverse the flow of a ____1_____). the five steps are requirements, design, implementation, verification, and maintenance. The _____2_____ model is not a single development methodology, but a whole group of related methods. Designed to increase innovation and efficiency of small programming teams, ____2_____ methods rely on quick turns involving small increases in functionality. The use of repetitive, small development cycles can enable different developer behaviors, which in turn can result in more efficient development. There are many different methods in variations, but some of the major forms of this development are Scrum and Extreme Programming (XP).
CER (certificate formats)
The _______ file extension is used to denote an alternative form, from Microsoft, of CRT files. The _____/.CRT extension is used for certificates and may be encoded as binary DER or as ASCII PEM. These along with .CRT extensions are nearly synonymous. The _______ extension is most commonly associated with Microsoft Windows systems, while .CRT is associated with Unix systems.
Annualized Rate of Occurrence - ARO (risk assessment)
The __________ Is a representation of the frequency of the event, measured in a standard year. If the event is expected to occur once in 20 years, then the this is 1/20. Typically, this is defined by historical data, either from a company's own experience or from industry surveys. Continuing our example, assume that a fire at businesses location is expected to occur about once in 20 years given this information, the ALE is: $1 million x 1/20 = $50,000 The ALE determines a threshold for evaluating the cost/benefit ratio of a given countermeasure. Therefore, countermeasure to protect this business adequately should cost no more than be calculated ALE of $50,000 per year.
Asset value - AV (risk assessment)
The __________ is the amount of money it would take to replace an asset. This term is used with the exposure factor, a measure of how much an asset is at risk, to determine the single loss expectancy.
Private key (components)
The __________ is the key from the key pair that is to be protected from all outside actors. It seldom leaves the machine upon which it is generated. In high-security environments, these keys are often kept in a tamper-proof hardware encryption store, only accessible to individuals with a need to access.
Certificate Authority - CA (components)
The __________ is the trusted authority that certifies individuals' identities and creates electronic documents indicating that individuals are who they day they are. The electronic document is referred to as a digital certificate, and it establishes an association between the subject's identity and a public key. The private key that is paired with the public key in the certificate is stored separately. The __________ is more than just a piece of software, however; it is actually made up of the software, hardware, procedures, policies, and people who are involved in validating individuals' identities and generating the certificates. This means that if one of these components is compromised, it can negatively affect the __________ overall and can threaten the integrity of the certificates it produces.
Impact (risk assessment)
The __________ of an event is a measure of the actual loss when a threat exploits a vulnerability. The common method is to define the impact levels in terms of important business criteria. Impacts can be in terms of cost, performance, schedule, or any other important item.
Terminal Access Controller Access Control System - ACACS+
The __________ protocol is the current generation of its family. It has extended attribute control and accounting processes one of the fundamental design aspects is the separation of authentication, authorization, and accounting in this protocol. Although there is a straightforward lineage of these protocols from the original version, this is a major revision and is not backward compatible with previous versions of the protocol series. It uses TCP as its transport protocol, typically operating over TCP port 49. This port is used for the login process. Both UDP and TCP port 49 are reserved for the _________ login host protocol.
Likelihood of occurrence (risk assessment)
The ___________ is the chance that a particular risk will occur. This measure can be qualitative or quantitative. For qualitative measures, the likelihood of occurrence is typically defined on an annual basis so that it can be compared to other and utilized measures. It defined quantitatively, is used to create rank-order outcomes.
DNS poisoning (application/service attacks)
The changing of where DNS is resolved can be this type of attack. The challenge in detecting this attack is knowing what the authoritative DNS entry should be, and detecting when it changes in an unauthorized fashion. Using a VPN can change a DNS source, and this may be desired, but unauthorized changes can be attacks.
Network Address Translation - NAT (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. 32 bit address space that's chopped up in subletting isn't enough to handle all the systems in the world. While IPv4 address blocks are assigned to organizations such as companies and universities, there usually aren't enough Internet visible IP addresses to assigned to every system on the planet unique, Internet routable IP address. To compensate for this lack of available IP address space, organizations use _________, which translates private, non-routable, IP addresses into public, routable, IP addresses. There are 3 types of these... Static, Dynamic, and Port Address Translation (PAT)
Honeynets (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. A __________ is a network designed to look like a corporate network, it is made attractive to attackers. It is a collection of honeypots, servers that are designed to act like real network servers but possess only fake data. This looks like the corporate network, but because it is known to be a false copy, all of the traffic is assumed to be illegitimate. This makes it easy to characterize the attacker's traffic and also to understand where attacks are coming from.
Guest (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. A __________ zone is a network segment that is isolated from systems that guests should never have access to. Administrators commonly configure on the same hardware multiple logical wireless networks, including this type of network, providing separate access to separate resources based on login credentials.
Ad hoc (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. An _________ network is one where the systems on the network direct packets to and from their source and target locations without using a central router or switch. Windows supports this networking, although it is best to keep the number of systems relatively small. An example of this network is in the wireless space from Zigbee devices that form these networks to Wi-Fi direct, a wireless ________ is one where the devices talk to each other without an access point or central switch to manage traffic. These networks provide an easy and cheap means of direct clients to client communication. They can be easy to configure and provide a simple way to communicate with nearby devices when running cable is not an option. Disadvantages include the fact that there isn't a single place to visit for traffic stats, security implementations, and so forth. This makes monitoring these networks very difficult.
Intranet (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. An __________ describes a network that has the same functionality as the Internet for users but lies completely inside the trusted area of a network and is under the security control of the system and network administrators. Typically referred to as campus or corporate networks, these are used every day companies around the world. This layer of security offers a significant amount of control and regulation, allowing users to fulfill business functionality while ensuring security. Note: Ensure you understand how cache is used without sending requests to the Internet. If a page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the Internet.
Extranet (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. The __________ is an extension of a selected portion of the company's intranet to external partners. This allows a business to share information with customers, suppliers, partners, and other trusted groups are using a common set of Internet protocols to facilitate operations. These can use public networks to extend their reach beyond the company's own internal network, and some form of security, typically VPN, is used to secure this channel. The use of this term implies both privacy and security. Privacy is required for many communications, security is needed to prevent unauthorized use an offense from occurring. This is a semi private network that uses common network technologies to share information and provide resources to business partners. It can be accessed by more than one company, because they share information between organizations.
Demilitarized Zone - DMZ (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. The zone that is between the un-trusted Internet and the trusted internal network is called the _________, after its military counterpart, when neither side has any specific controls. On a computer network is used in the same way; it acts as a buffer zone between the Internet, where no controls exist, and the inner secure network, where organization has security policies in place. The area between these firewalls is accessible from either the inner, secure network or the Internet. Pay special attention to the security settings of network devices based here, and consider them to be compromised by unauthorized use at all times.
Wireless (Zones/topologies)
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, and inside wall, and even a cheap, so too, does a modern secure network have different layers of protection. Different zones/topologies are designed to provide layers of defense, with the outermost layers providing basic protection and the innermost layers providing the highest level of protection. __________ is the transmission of packetized data by means of a physical topology that does not use direct physical links. This definition can be narrowed to apply to networks that use radio waves to carry the signals over either public or private bands, started using standard network cabling.
CIA of Security
The goal of security is defined as CIA. Confidentiality - The goal of keeping data secret from anyone who doesn't have the need or right to access that data. Integrity - Ensures that the data and systems stay in an unaltered state when stored, transmitted, and received. Can also talk about no unauthorized creation, alteration, modification or deletion of the data. Availability - Have to ensure that systems and data are available to authorized users when needed. Auditing and accountability are also added by Mike Meyers, along with non-repudiation (a user can't deny that they performed a particular action).
Mantrap
The implementation of a _________ is one way to combat tailgating. These are comprised of two doors closely spaced that require the user to card through one and didn't the other sequentially. These make it nearly impossible to trail through a doorway undetected--is an intruder happens to catch the first hour before it closes, you'll be trapped in by the second door as the second door remains locked until the first one closes the locks.
Key escrow (concepts)
The impressive growth of the use of encryption technology has led to new methods for handling keys. __________ is a system by which your private key is kept both by you and by a third party. It provides a method of obtaining a key in the event that the key holder is not available -- this is used in corporate enterprises.
Lessons learned (incident response process)
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. A post-mortem session should collect __________ and assign action items to correct weaknesses and to suggest ways to improve. To paraphrase a famous quote, those who fail to learn from history are destined to repeat it.
Recovery (incident response process)
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. After the issue has been eradicated, this process begins. At this point the investigation is complete and documented. __________ is the process of returning the asset into the business function and restoration of normal business operations. Eradication, the previous step, remove the problem, but in most cases the eradicated system will be isolated. This process includes the steps necessary to return the systems and applications operational status.
Eradication (incident response process)
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. Once the incident response team has contained a problem to a set footprint, the next step is to ___________ the problem. This involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. A key part of this is the prevention of reinfection.
Containment (incident response process)
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. Once the incident response team has determined that an incident has in fact occurred and requires a response, their first step is to contain the incident and prevent its spread. ___________ is the set of actions taken to constrain the incident to the minimal number of machines. This preserves as much of production as possible and ultimately makes handling the incident easier.
Preparation (incident response process)
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. __________ is the phase of incident response that occurs before a specific incident. This includes all the tasks needed to be organized and ready to respond to an incident. Without doing this properly, this task can quickly become impossible or intractably expensive.
Identification (incident response process)
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. __________ is the process where team member suspects that a problem is bigger than an isolated incidents and notifies the incident response team for further investigation. An incident is defined as a situation that the parts from normal, routine operations. Whether incident is important or not is the first point of decision as part of incident response process.
IV (wireless attacks)
The initialization vector is used in wireless systems as the randomization element at the beginning of a connection. Attacks against the IV aim to determine it, thus find the repeating key sequence.
Competitors (types of actors)
The interconnectedness and digital nature of modern business has enabled this sort of corporate crime to be committed to an even greater degree.
Rainbow tables (cryptographic attacks)
The most common form of authentication is the user ID and password combination. These are pre-computed tables or hash values associated with passwords. Using these can change the search for a password from a computational problem to a lookup problem. The best defense against these are salted hashes. A salt is merely a random set of characters designed to increase the length of the item being hashed, effectively making these too big to compute.
Configuration compliance scanner
The need to automate configuration checks has existed for years, and became important enough that a standard format was developed. CAP, security content automation protocol, is a protocol to manage information related to security configurations and the automated validation of them. There is a wide variety of __________ that can perform this task, some as CAP compliant, some not, all with the intended purpose of informing system administrators whether or not their systems align with their defined requirements.
1.) Logs and 2.) Events anomalies
The objective of ___1____ is to is to record ____2____. ____2____ are conditions that differ from expected outcomes. One of the challenges is in determining what to log and what not to log. EX: If you notice that a particular user, who only accesses the system monthly to audit the machine, has started logging in every day, and late at night, this is clearly an anomalous event.
Alternate business practices (continuity of operations planning)
The overall goal of continuity of operations planning is to determine which subset of normal operations to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact during the situation where normal operations are interrupted. This includes identify critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. Because continuity of operations involves maintaining only key systems, the business practices that are appropriate for continuity of operations will most likely be different than those used in normal operations. This leads to ___________, an element of continuity of operations that must be planned and tested. These practices need to meet the objectives of the continuity of operations objectives. There are many operations that are performed in business that may be suspended during alternative operations. For instance, assuming use an internal clocking system to record employee time, one where they bought into an application when they start and stop working. This operation may not be deemed important enough to continue during alternative processing, so an alternative means of logging employee time and pain venues needed.
After-action reports (continuity of operations planning)
The overall goal of continuity of operations planning is to determine which subset of normal operations to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact during the situation where normal operations are interrupted. This includes identify critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. Just as identifying and documenting lessons learned is a key element of the incident response process, __________ should be prepared after invoking the continuity of operations LAN. Similar to lessons learned, these serve to functions. First, they document the level of operations upon transfer to the backup system. Is all of the capability necessary to continue operations up and running? The second question set addresses how the actual change from normal operations to those supported by continuity systems occurred, including documenting what went right and what went wrong.
Alternate processing sites (continuity of operations planning)
The overall goal of continuity of operations planning is to determine which subset of normal operations to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact during the situation where normal operations are interrupted. This includes identify critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. Of the key aspects of planning a solid, cost-effective continuity of operations plan is to consider _________. in the worst case, the action that triggered the shifts to the continuity systems that also have rendered the physical location of the original business system unusable. If you choose a ___________ that is 500 miles away in another major city and you do not have staffer personnel there, you need to have a plan to temporarily move the required personnel, including temporary lodging, etc.
Exercises/tabletop (continuity of operations planning)
The overall goal of continuity of operations planning is to determine which subset of normal operations to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact during the situation where normal operations are interrupted. This includes identify critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. Once a continuity of operations plan is in place, a __________ should be performed to walk through all of the steps and ensure all elements are covered and that the plan does not forget a key dataset or person. This is a critical final step, for it is this step that validates the planning covered the needed elements.
Failover (continuity of operations planning)
The overall goal of continuity of operations planning is to determine which subset of normal operations to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact during the situation where normal operations are interrupted. This includes identify critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. _________is the process for moving from a normal operational capability to the continuity-of-operations version of the business. The required speed and flexibility of this depends on the business type, from seamless for most financial sites, to a slightly delayed process where A is turned off in someone goes and turns B on with some period of no service between.
VPN concentrators (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. A ____________ takes multiple individual VPN connections and terminates them into a single network points. This single endpoint is what should define where this is located in the network. It is typically outward facing, exposed to the Internet. The internal side of the device should terminate in a network segment where you would allow all of the VPN users to connect their machines directly.
Aggregation switches (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. An _________ is a switch that provides connectivity for several other switches. Think of it as a one-to-many type of service. It's the one switch that many other switches connect to. It is placed upstream from the multitude of devices and takes the place of a router or a much larger switch.
SSL accelerators (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. An ____________ is used to provide SSL/TLS encryption/decryption at scale, removing the load from Web servers. Because of this, it needs to be placed between the appropriate Web servers and the clients they serve, typically Internet facing.
1.) Taps and 2.) port mirror (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. Most enterprise switches have the ability to copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a ___2____. this traffic can then be sent to a device for analysis. These can have issues when traffic levels get heavy as the aggregate SPAN traffic can exceed the throughput of the device. For example, a 16 port switch, with each port running at 100 Mbps, to have traffic levels of 1.6 GB if all circuits are maxed, which gives you a good idea of why this technology can have issues in high-traffic environments. A _____1_____ is a passive signal mechanism installed between two points on the network. This can copy all packets it receives, rebuilding a copy of all messages. These provide the one distinct advantage of not being overwhelmed by traffic levels at least not in the process of data collection. The primary disadvantage is that this is a separate piece of hardware and adds to network costs.
Filters (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. Packet _______ process packets at a network interface based on source and destination addresses, ports, or protocols, and either allow passage or block them based on a set of rules. Packet filtering is often part of a firewall program for protecting the local network from unwanted traffic.The _______ are local to the traffic being passed, so they must be placed in line with the system's connection to the network and Internet or else they will not be able to see traffic to act upon it.
Proxies (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. _______ are servers that act as a go-between between clients and other systems; in essence, they are designed to act on the client's behalf. As networks become segregated, the placement of these must be such that it is in the natural flow of the router traffic for it to intervene on the client's behalf.
Collectors (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. _________ are sensors, or concentrators that combine multiple sensors that collect data for processing by other systems. These are subject to the same placement rules and limitations as sensors.
Sensors (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. __________ are devices that capture data and act upon it. There are multiple kinds of these in various placement scenarios. Each type of one is different, and no single type of one consents everything these can be divided into two types based on where they are placed: network or host. Network-based ________ can provide coverage across multiple machines, but are limited by traffic engineering to systems that packets pass the sensor. They may have issues with encrypted traffic, for if the packet is encrypted and they cannot read it, they're unable to act upon it. Host-based __________ provide more specific and accurate information in relation to what the host machine is seeing in doing, but are limited to just that host. A good example of the differences in placement and capabilities is seen in the host-based intrusion detection and network-based intrusion detection systems.
Firewalls (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. __________ at their base level are policy enforcement engines that determine whether traffic can pass or not based on a set of rules. Regardless the type, the placement is easy: they must be in line with the traffic they are regulating. These are commonly placed between network segments, enabling them to examine traffic that enters or leaves a statement. This gives them the ability to isolate a segment while avoiding the cost or overhead of doing this segregation on each and every system.
Load balancers (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. __________ take incoming traffic from one network location and distributed across multiple network operations. These must reside in the traffic path between the requesters of a service and the servers that are providing the service. The role of these is to manage the workloads on multiple systems by distributing the traffic to and from them. To do this, it must be located within the traffic pathway. For reasons of efficiency, these are typically located close to the systems that they are managing the traffic for.
Correlation engines (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. __________ take sets of data and match the patterns against known patterns they are a crucial part of a wide range of tools such as anti-virus or intrusion detection devices, to provide a means of matching a collected pattern of data against a set of patterns associated with known issues.
DDoS mitigator (Security device/technology placement)
The placement of each security device is related to the purpose of the device and the environment that requires. Technology placement has similar restrictions; these devices must be in the flow of the network traffic that they use to function. ____________ by nature must exist outside the area that they are protecting their acts as an umbrella, shielding away the unwanted DDoS packets. These must reside in the network path of the traffic is shielding the inner part of the networks from. Because the purpose of this is to stop unwanted DDoS traffic, it should be positioned at the very edge of the network, before other devices.
1.) Barricades / 2.) Bollards
The primary defense against a majority a physical attacks are the ___1_____ between the assets in a potential attacker--walls, fences, gates, and doors. These provide the foundation upon which all other security initiatives are based, but the security must be designed carefully, as an attacker has to find only a single To gain access. These can also be used to control vehicular access to an era building or structure. The simple post-type barricade that prevents a vehicle from passing but allows people to walk past is called a _____2_____.
Secure baseline
The process of establishing software's-based security state is called baselining, and the resulting product is a __________ that allows the software to run safely and securely. Software and hardware can be tied intimately when it comes to security, so you must consider them together. Once you have completed the baselining process for a particular hardware and software combination, you can configure any similar systems with the same baseline to achieve the same level and death of security and protection. Uniform software baselines are critical in large-scale operations, because maintaining separate configurations and. Levels for hundreds or thousands of systems is far too costly.
Dumpster diving (social engineering)
The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt.
Social media networks/applications
The rise of __________ has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, these can be considered a form of third-party. One of the challenges in working with these and/or applications is there terms of use. While a relationship with the typical third-party involves a negotiated settlement agreements with respect to requirements, there is no negotiation with these. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of it.
External storage devices (peripherals)
The rise of network attached storage (NAS) devices moved quickly from the enterprise into form factors that are found in homes. As users have developed large collections of digital videos and music, these __________, running on the home network, so the storage problem. These devices are typically fairly simple Linux-based appliances, with multiple hard drives any RAID arrangement.
Tailgating (social engineering)
The simple tactic of following closely behind a person who has just used their own access card or personal identification number (PIN) to gain physical access to a room or building.
Role-based access control (Access control modules)
The term access control describes a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access is the ability of the subject, such as an individual or a process running on a computer system, to interact with an object, such as a file or hardware device. Authentication, on the other hand, deals with verifying the identity of a subject. ACLs can be cumbersome and can take time to administer properly. Another access control mechanism that has been attracting increased attention is __________. in this scheme, instead of each user being assigned specific access permissions for the objects associated with the computer system or network, each user is assigned a set of roles that he or she may perform. The roles are current assigned access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform--not according to a security classification associated with individual objects.
Discretionary Access Control - DAC (Access control modules)
The term access control describes a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access is the ability of the subject, such as an individual or a process running on a computer system, to interact with an object, such as a file or hardware device. Authentication, on the other hand, deals with verifying the identity of a subject. Both _________ and mandatory access control are terms originally used by the military to describe two different approaches to controlling and individuals access to a system. As defined by the "Orange Book," a Department of Defense (DoD) document that at one time was the standard for describing what constituted a trusted computing system, this is "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission-perhaps indirectly-on to any other subject."
Mandatory Access Control - MAC (Access control modules)
The term access control describes a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access is the ability of the subject, such as an individual or a process running on a computer system, to interact with an object, such as a file or hardware device. Authentication, on the other hand, deals with verifying the identity of a subject. Frequent and less frequently employed system for restricting access is __________. This system, generally used only in environments in which different levels of security classifications exist, is much more restrictive regarding what the user is allowed to do. Referring to the "Orange Book," this is a "means of restricting access to objects based on the sensitivity of the information contained in the objects in the formal authorization of subjects to access information of such sensitivity." In this case, the owners subject can't determine whether access is to be granted to another subject; it is the job of the operating system to decide. Common information classifications include high, medium, low, confidential, private, and public.
Rule-based access control (Access control modules)
The term access control describes a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access is the ability of the subject, such as an individual or a process running on a computer system, to interact with an object, such as a file or hardware device. Authentication, on the other hand, deals with verifying the identity of a subject. ___________ again uses objects such as ACLs to help determine whether access should be granted or not. In this case, a series of rules are contained in the ACL and the determination of whether to grant access will be made based on these rules. An example of such a rule is one that states that no employee may have access to the payroll file after hours or on weekends.
Read, Write & Execute
The three Linux permissions... use "chmod" to change permissions... "chmod" and "passwd" both require SUDO user
Hot and cold aisles (environmental controls)
The trend towards smaller, denser servers means more servers and devices per rack, putting a greater load on the cooling systems. This encourages the use of hot aisle/cold aisle layout. A data center that is arranged into __________ dictates that all the intake fans on all equipment face the cold aisle, in the exhaust fans all face the opposite. The HVAC system is been designed to push cool air underneath the raised floor and up through perforated tiles on the cold aisle. Hot air from the hot aisle is captured by return air ducts for the HVAC system. The use of this layout is designed to control airflow, the purpose being never to mix the hot and cold air. This requires the use of blocking plates and side plates to close open rack slots. The benefits of this arrangement are that cooling is more efficient and can handle higher intensity.
1.) ipconfig/ip/2.) ifconfig (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. Both ______1_____ for Windows and _____2____ for Linux Are command line tools to manipulate the network interfaces on the system. They have the ability to list the interfaces in connection parameters, altered parameters, and refresh/renew connections. If you are having network connection issues, this is one of the first tools you should use, to verify the network set up of the operating system and its interfaces. The IP command in the Linux is used to show an manipulate routing, devices, policy routing, and tunnels.
nslookup/dig (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. The DNS system is used to convert a name into an IP address. There is not a single DNS system, but rather a hierarchy of DNS servers, from root servers on the backbone of the Internet, to copies at your ISP, your home router, and your local machine, each in the form of a DNS cache. To examine a DNS query for a specific address, you can use the ______ command. For Linux, the command dig works.
arp (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. The _______ command is designed to interface with the operating systems address resolution protocol (ARP) caches on a system. In moving packets between machines, a device sometimes needs to know where to send a packet using the MAC or layer to address this handles this problem through four basic message types.
tracert (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. The _________ command is a Windows command for tracing the route that packets take over the network. This command provides a list of the host, switches, and routers in the order that packet passes by them, providing a trace of the network routes from source to target. On Linux and Mac operating systems the command with similar functionality is traceroute.
ping (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. The _________ command sends echo requests to a designated machine to determine if communication is possible. The syntax is ping [options] targetname/address. The options include items such as name resolution, how many paintings, data size, TTL counts, and more.
netstat (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. The __________ command is used to monitor network connections to and from the system. The following are some examples of this command: - netstat -a - netstat -at - netstat -an
tcpdump (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. The ___________ Utility is designed to analyze network packets either from a network connection or recorded file. You also can use this to create files of packet captures, called PCAP files, and perform filtering between input and output, making it a valuable tool to lesson downloads and other tools. For example, if you have a complete packet capture file that has hundreds of millions of records, but you are only interested in one server's connections, you can make a copy of the PCAP file containing only the packets associated with server of interest. This file will be smaller and easier to analyze with other tools.
nmap (command line tools)
There are many command line tools that provide a user direct information concerning the system. These are built into the operating system itself or our common programs that are used by system administrators and security professionals on a regular basis. _______ is a program developed by Gordon line and has been the standard network mapping utility for Windows and Linux 1999. The _________ command is the command line command to launch and run the ________ utility.
Community (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. A ___________ is one where several organizations with a common interest sharing cloud environments for the specific purposes of the shared endeavor. For example, local public entities and key local firms may share this to serving the interests of community initiatives. This can be an attractive cost-sharing mechanism for specific data sharing initiatives.
Hybrid (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. A ___________ structure is one where elements are combined from private, public, and community cloud structures. When examining this structure, you need to remain cognizant that, operationally, these differing environments may not actually be joined, but rather used together. Sensitive information can be stored in the private cloud an issue related information can be stored in the community cloud, all of which information is accessed by an application. This makes the overall system a _________ system.
Private (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. If your organization is highly sensitive to sharing resources, you may wish to consider the use of a __________. these are essentially reserved resources used only for your organization-your own little cloud in the cloud. This service will be considerably more expensive, but it should also carry less exposure and should enable your organization to better define the security, processing, handling of data, and so on that occurs with inner cloud.
Public (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. The term ____________ refers to win the cloud service is rendered over a system that is open for public use. In most cases, there is little operational difference between these and private cloud architectures, but the security ramifications can be substantial. Although these cloud services will separate users with security restrictions, the death and level of these restrictions, by definition, will be significantly less in this.
IaaS (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. __________ is a term used to describe cloud-based systems that are delivered as a virtual solution for computing. Rather than building data centers, this allows firms to contract for utility computing as needed. This is specifically marketed on a pay-per-use basis, scalable directly with need.
SaaS (Cloud deployment models)
There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, and are offered from a variety of firms as large as Google and Amazon, to smaller, local providers. Internally, and organizations own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility. __________ is the offering of software to end-users from with in the cloud. Rather than installing software on client machines, this acts as software on demand, with the software runs from the cloud. This has several advantages: updates can be seamless to end-users, and integration between components can be enhanced. Common examples of this are products that are offered via the web by subscription services, such as Microsoft Office 365 and Adobe Creative Suite.
Order of volatility
There are many sources of data in a computer system, and if the machine is running, some of these sources are volatile. Things such as the state of the CPU and its registers, RAM, and even storage are always changing, which can make the collection of electronic data difficult and delicate task. These elements tend to change at different rates, and you should pay attention to the __________, for lifetime of the data, so that you can prioritize your collection efforts after a security incident to ensure that you don't lose valuable forensic evidence. Following is the __________ of digital information in a system: 1. CPU, cache, and register contents (collect first) 2. Routing tables, ARP cache, process tables, kernel statistics 3. Live network connections and data flows 4. Memory (RAM) 5. Temporary file system/swap space 6. Data on hard disk 7. Remotely logged data 8. Data stored on archival media/backups (collect last)
Secure cabinets/enclosures
There are times when a safe is overkill, providing a higher level of security that is really needed. A simpler solution is _______ & ________. these provide system owners a place to park and asset until its use. Most of these do not offer all levels of protection that one gets with a safe, but they can be useful, especially when the volume of secure storage is large.
Supporting obfuscation (common use cases)
There are times where information needs to be __________, protected from casual observation. In the case of a program, __________ can protect the code from observation by unauthorized parties. EX: Some computers will have variable and function names changed to random names masking their uses. Another example would be someone writing down their PIN code, but changing the order of the digits so it is not immediately obvious.
Weak implementations (cryptographic attacks)
These are another problem associated with backward compatibility. The best example of this is SSL. SSL, in all of its version, has now fallen to attackers. TLS, an equivalent methodology that does not suffer these weaknesses, is the obvious solution, yet many websites still employ SSL. Cryptography has long been described as an arms race between attackers and defenders, with multiple versions and improvements over the years. Whenever an older version is allowed to continue operations, there is a risk associated with _________________.
Architecture/design weaknesses
These are issues that result in vulnerabilities and increased risk in a systematic manner. These flaws are not easily corrected without addressing the specific architecture or design without any segmentation.
Memory leak (Memory/buffer vulnerability)
These are programming errors caused when a computer program does not properly handle memory resources. Over time, while a program runs, if it does not clean memory resources as they are no longer needed, it can grow in size, with chunks of dead memory being scattered across the program's footprint in memory. If a program executes for a long time, these chunks can grow and consume resources, causing a system to crash. Even if the program only runs for a short time, in some cases, leaks can cause issues when referencing values later in a run, returning improper values.
Hijacking and related attacks, Session hijacking (application/service attacks)
These are terms used to refer to the process of taking control of an already existing session between a client and a server. The advantage to an attacker is that the attacker doesn't have to circumvent any authentication mechanisms, since the user has already authenticated and established the session. Generally used against web and Telnet sessions.
Evil twin (wireless attacks)
This attack is in essence an attack against the wireless protocol via substitute hardware. It uses an access point owned by an attacker that usually has been enhanced with higher-power and higher-gain antennas to look like a better connection to the user and computers attaching to it. By getting users to connect through the ___ access point, attackers can more easily analyze traffic and perform man-in-the-middle type attacks.
Replay (application/service attacks)
This attack occurs when the attacker captures a portion of a communication between two parties and retransmits it at a later time. EX: An attacker might retransmit a series of commands and codes used in a financial transaction to cause the transaction to be conducted multiple times.
Intent/motivation (attributes of actors)
This can be simple or multifold in nature. A script kiddie is just trying to make a technique work. A more skilled threat actor is usually pursuing a specific objective, such as trying to make a point as a hacktivist. At the top of the intent pyramid is the APT threat actor, whose intent or motivation is at least threefold.
Improper certificate & key management
This can lead to key problems and cryptographic failures. Failure to properly validate a key before use can result in an expired or compromised key being used. ///BREAK/// This can result in failure to secure data if, for example, a compromised key continues to be used. The PKI system has established processes and procedures to ensure proper key hygiene and limit the potential issues associated with public key cryptography.
Symmetric algorithms
This form of encryption is older and a simpler method of encrypting information. The basis of this encryption is that both the sender and the receiver of the message have previously obtained the same key.
Jamming (wireless attacks)
This is a form of denial of service that specifically targets the radio spectrum aspect of wireless. Just as other DoS attacks can manipulate things behind the scenes, so can this on a wireless AP, enabling things such as attachment to a rogue AP.
Hijacking and related attacks, URL hijacking (application/service attacks)
This is a generic name for a wide range of attacks that target the URL. If the URL is tampered with or altered, you can get different content.
Pass the hash (application/service attacks)
This is a hacking technique where the attacker captures the hash used to authenticate a process. They can then use this hash by injecting it into a process in place of the password. This is a very technically specific hack, and tools have been developed to facilitate its operation.
Pivoting
This is a key method used by a pen tester or attacker to move across a network. This is also referred to as traversing the network.
WPS (wireless attacks)
This is a network security standard that was created to provide users with an easy method of configuring wireless networks. It is designed for home networks and small business networks. It involves the use of an eight-digit PIN to configure wireless devices.
Integer overflow (Memory/buffer vulnerability)
This is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. The results vary by language and numeric type. In some cases, the value saturates the variable, assuming the maximum value for the defined type and no more. This can create significant logic errors in a program which attackers can exploit.
NFC (wireless attacks)
This is a set of wireless technologies that enables smartphones and other devices to establish radio communication over a short proximity, typically a distance of 10cm or less.
New threats/zero day
This is a term used to define vulnerabilities that are newly discovered and not yet addressed by a patch. If a researcher or developer discovers a vulnerability but does not share the information, then this vulnerability can be exploited without a vendor's ability to fix it, because for all practical knowledge the issue is unknown, except to the person who found it. This term indicates that it has not been found yet.
Remote Access Trojan - RAT
This is a toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system. Often mimic similar behaviors of keylogger or packet sniffer applications using the automated collection of keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more. This is malware but there is actually an operator behind it, controlling it to do even more persistent damage.
Amplification (application/service attacks)
This is a trick where an attacker uses a specific protocol aspect to achieve what a single machine cannot by itself. This type of attack is dependent upon volume. Consider the ICMP command "ping".
Untrained users
This is a user who does not know how to operate a system properly because they haven't received training associated with the system's capabilities. Unfortunately, these types of users are fairly common in most modern organizations.
Hijacking and related attacks, Clickjacking (application/service attacks)
This is an attack against the design element of a user interface. This tricks a web browser into clicking something different from what the user perceives, by means of malicious code in the web page. The malicious code may be transparent overlay or other means of disguising rouge elements, but the net result is the user thinks they are clicking one thing but in reality are clicking the attacker's hidden control, causing the browser to execute the attacker's code.
Hijacking and related attacks, Typo squatting (application/service attacks)
This is an attack form that involves capitalizing upon common typo errors. Sending someone to a fake site can allow a malware attack to occur and can collect credentials.
Driver manipulation, Shimming (application/service attacks)
This is an attack on a system by changing drivers, thus changing the behavior of the system. Drivers sit between the operating system and a peripheral device. In particular, this is a process of putting a layer of code between the driver and the OS. It allows flexibility and portability, for it enables changes between different versions of an OS without modifying the original driver code.
Zero day (application/service attacks)
This is an attack that uses a vulnerability for which there is no previous knowledge outside of the attacker, or at least not the software vendor. No known defense to the vulnerability itself.
MAC spoofing (application/service attacks)
This is nothing more than making data look like it has come from a different source. It is possible in TCP/IP because of the friendly assumptions behind the protocols.
Persistence
This is one of the key elements of a whole class of attacks referred to as advanced persistent threats (APTs). This can be achieved via a wide range of mechanisms, from agents that beacon back out, to malicious accounts, to vulnerabilities introduced to enable reinfection.
Domain hijacking (application/service attacks)
This is the act of changing the registration of a domain name without the permission of its original registrant. It is technically a crime.
Default configuration
This is the configuration that a system enters upon start, upon recovering from an error, and at times when operating. This configuration acts as a system baseline, a position from which all other states can be measured. It is very important for the default configuration to be secure from the beginning, for if not, then a system will be vulnerable whenever entering this configuration, which in many conditions is common.
Initial exploitation
This is the key first step in penetration testing that exploits the vulnerabilities encountered which demonstrates the level of risk that is actually present and the viability of the mechanism of the attack vector.
Escalation of privilege
This is the movement from a lower-level account to an account that enables root-level activity.
Driver manipulation, Refactoring (application/service attacks)
This is the process of restructuring existing computer code without changing its external behavior. It is done to improve nonfunctional attributes of the software, such as improving code readability and/or reducing complexity.
Resource exhaustion
This is the state where a system does not have all of the resources it needs to continue to function. This could include capacity and memory.
Bluejacking (wireless attacks)
This is the term used for the sending of unauthorized messages to another Bluetooth device. It involves sending a message as a phonebook contact. It can also involve sending videos or images.
System sprawl/undocumented assets
This is when the systems in an organization/network expand over time, adding elements and functionality, and over time the growth and changed exceeds the documentation. This addition of ______________ assets means that these specific assets are not necessarily included in plans for upgrades, security, etc.
Use of open-source intelligence
This refers to intelligence data collected from public sources, including news articles, blogs, government reports, etc. EX: ISAO and ISACs are groups that help to enhance their member's security posture.
Bluesnarfing (wireless attacks)
This sends an unsolicited message to a victim's phone. The attacker then copies off the victim's information, which can include emails, contact lists, calendar, and anything else that exists on that device. EX: RedFang attempts to perform this brute force attack by sending all possible names and seeing what gets a response.
Improperly configured accounts
This type of account can lead to improper allowances via ACLs. Accounts form the basis for access control, for they define the user, and this leads to the list of allowed action via an access control list.
Hashing
This type of algorithm is a special mathematical function that performs one-way encryption, which means that once the algorithm is processed, there is no feasible way to use the ciphertext to retrieve the plaintext that was used to generate it. Also, ideally, there is no feasible way to generate two different plaintexts that compute to the same ______ value. HMAC, is a special subset of this technology that uses the above algorithm to apply to a message to make a MAC, but it is done with a previously shared secret. So, the HMAC can provide integrity simultaneously with authentication. EX: Common uses of this include storing of computer passwords and to ensure message integrity.
DoS (application/service attacks)
This type of attack can exploit a known vulnerability in a specific application or operating system, or they can attack features (or weaknesses) in specific protocols or services. In this type of attack, the attacker attempts to deny authorized user access either to specific information or to the computer system or network itself. Purpose of this attack can be to prevent access to the target system, or the attack can be used in conjunction with other actions to gain unauthorized access to a computer or network. EX: A SYN flooding attack can be used to prevent service to a system temporarily in order to take advantage of a trusted relationship that exists between that system and another. SYN flooding takes advantage of the way TCP/IP networks were designed to function. SYN flooding uses the TCP three-way handshake that establishes a connection between two systems. EX: Ping of Death (POD)
Disassociation (wireless attacks)
This type of attack is against a wireless system and are attacks designed to disassociate a host from the wireless access point, and from the wireless network. They stem from the deauthentication frame that is in the IEEE 802.11 (Wi-Fi) standard. It is a form of DoS attack.
Collision (cryptographic attacks)
This type of attack is where two different inputs yield the same output of a hash function. Through manipulation of data, creating subtle changes that are not visible to the user yet create different versions of a digital file and the creation of many different versions, then using the birthday attack to find a _____ between any two of the many versions, an attacker has a chance to create a file with changed visible content but identical hashes.
ARP poisoning (application/service attacks)
This type of attack results in malicious address redirection. It can allow a mechanism whereby an attacker can inject themselves into the middle of a conversation between two machines, a man-in-the-middle attack. EX: "Who has this IP address?" -- "I have that IP address; my MAC address is..." "Who has this MAC address?" -- "I have that MAC address; my IP address is..."
Asymmetric algorithms
This type of cryptography is more commonly known as public key cryptography. This uses two keys instead of one. It was invented by Whitfield Diffie and Martin Hellman in 1975. The system uses a pair of keys -- known as a key pair: a private key that is kept secret and a public key that can be sent to anyone. The system's security relies upon resistance to deducing one key, given the other, and thus retrieving the plaintext from the ciphertext.
Elliptic curve cryptography
This type of cryptography work on the basis of elliptic curves. It is a simple function that is drawn as a gently looping curve on the X, Y plane. Elliptic curves are defined by the equation in the picture.
Black box
This type of software-testing technique consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Testers of this test typically have no knowledge of the internal workings of the software they are testing.
Gray box
This type of software-testing technique consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Testers typically have some knowledge of the software, network, or systems they are testing.
White box
This type of software-testing technique consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Testers will have detailed knowledge of the application they are examining.
Passive reconnaissance
This type of testing involves the use of tools that do not provide information to the network or systems under investigation. Using information obtained via Google or other third-party search engines such as Shodan is a prime example. This allows the gathering of information without the actual sending of packets to a system where they could be observed,
Active reconnaissance
This type of testing involves tools that actually interact with the network and systems in a manner that their use can be observed. It can provide a lot of useful information, but you should be aware as a pen tester that its use may alert defenders to the impending attack.
Dictionary (cryptographic attacks)
This uses dictionary words to try to guess the password, hence the name. The words can be used by themselves, or two or more smaller words can be combined to form a single possible password.
User account (account types)
To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. It's convenient and efficient to be able to log users together when granting many different people (groups) access to a resource at the same time. At other times, it is useful to be able to grant or restrict access based on a person's job or function within the organization (role). While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient. The term _________ refers to the account credentials that are used when accessing a computer system. In privilege management, a user is a single individual, such as "John Smith" or "Sally Slutmuffin." This is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities.
1.) Shared Accounts and 2.) Generic Accounts/credentials (account types)
To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. It's convenient and efficient to be able to log users together when granting many different people (groups) access to a resource at the same time. At other times, it is useful to be able to grant or restrict access based on a person's job or function within the organization (role). While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient. ______1_____ go against the specific premise that accounts exist so that user activity can be tracked. This said, there are times that these are used for groups like guests. Sometimes these are called ______2______ and exist only to provide a specific set of functionality, such as any PC running in kiosk mode, with a browser and limited to accessing specific sites as an information display. Under these circumstances, being able to trace the activity to a user is not particularly useful. A common form of this account is one created to run nightly batch operations. As every action must be associated to a user account, this account in the name of a bash user can be used to run batch jobs. This is a generic set of credentials, not actually associated with a single person, but rather is associated with a particular type of process.
Service accounts (account types)
To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. It's convenient and efficient to be able to log users together when granting many different people (groups) access to a resource at the same time. At other times, it is useful to be able to grant or restrict access based on a person's job or function within the organization (role). While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient. __________ are accounts that are used to run processes that do not require human intervention to start, stop, or administer. From running batch jobs in the data center to executing simple tasks that an organization must complete for purposes of regulatory compliance, many reasons exist for running processes with these accounts that don't require an account holder. From a security perspective, administrators can configure these accounts to minimize risks associated with them.
Privileged accounts (account types)
To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. It's convenient and efficient to be able to log users together when granting many different people (groups) access to a resource at the same time. At other times, it is useful to be able to grant or restrict access based on a person's job or function within the organization (role). While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient. __________ are any accounts with greater than normal user access. These accounts are typically root- or administrative-level accounts and represent risk in that they are unlimited in their powers. These accounts require regular real-time monitoring, if at all possible, and should always be monitored when operating remotely. Administrators may need to perform tasks via a remote session in certain scenarios, but when they do, they first need to identify the purpose and get approval.
Guest accounts (account types)
To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. It's convenient and efficient to be able to log users together when granting many different people (groups) access to a resource at the same time. At other times, it is useful to be able to grant or restrict access based on a person's job or function within the organization (role). While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient. __________ are frequently used on corporate networks to provide visitors access to the Internet and some common corporate resources, such as projectors, printers in conference rooms, and so forth. Again, like generic accounts, these types of accounts are restricted in the network capability to a defined set of machines, with a defined set of access, much like of user visiting the company's public-facing website via the Internet. As such, logging in tracing activity have little to no use, so the overhead of establishing a unique account does not make sense.
Passive vs. Active
Tools can be classified as passive or active.__________ tools are those that do not interact with the system in a manner that would permit detection, as in sending packets or altering traffic. An example of this tool is tripwire, which can detect changes to a file based on hash values. Another example of this tool is why are sharp, which among other activities, performs operating system mapping by analyzing TCP/IP traces. The sensors for this can use existing traffic to provide data for analysis.________ tools interact with the target system in a fashion where their use can be detected. Standard network with Nmap is this type of interaction that can be detected. In the case of an map, the tool itself may not be specifically detectable, but its use, the sending of packets, can be detected. When you need to map out your network or look for open services on one or more hosts, and network scanners probably the most efficient tool for the job.
Data-in-transit
Transport encryption is used to protect __________, or data that is in motion. When data is being transported across a network, it is at risk of interception. When utilizing the TCP/IP protocol , Transport Layer Security (TLS) is one specific method of managing security at the transport level. Secure Sockets Layer (SSL) is another example.
Site-to-site (tunneling/VPN)
Tunneling/virtual private networking (VPN) technologies allowed to networks to connect Shirley across an unsecure stretch of network. These technologies such as IPSec, L2TP, SSL/TLS, and SSH. At this level, understand that these technologies enable to sites, such as a remote workers home network and the corporate network, to communicate across unsecure networks, including the Internet, at a much lower risk profile. The two main uses for tunneling/VPN technologies are site-to-site communications and remote access to a network. __________ communication links our network connections that connect two or more networks across an intermediary network layer. In almost all cases, this intermediary network is the Internet or some other public network. To secure the traffic that is going from site to site, encryption in the form of either a VPN or a tunnel can be employed. In essence, this makes all of the packets between the endpoints in the two networks unreadable to nodes between the two sites.
Remote access (tunneling/VPN)
Tunneling/virtual private networking (VPN) technologies allowed to networks to connect Shirley across an unsecure stretch of network. These technologies such as IPSec, L2TP, SSL/TLS, and SSH. At this level, understand that these technologies enable to sites, such as a remote workers home network and the corporate network, to communicate across unsecure networks, including the Internet, at a much lower risk profile. The two main uses for tunneling/VPN technologies are site-to-site communications and remote access to a network. __________ ss when a user requires access to a network and its resources, but is not able to make a physical connection. This access via a tunnel or VPN has the same effect is directly connecting the remote system to the network--it's as if the remote user just plug a network cable directly into her machine. So, if you do not trust the machine to be directly connected to your network, you should not use a VPN or tunnel, for if you do, that is what you are logically doing.
Payment methods (Enforcement and monitoring for:)
Twenty years ago, _________ were cash, check, or charge. Today, we have new intermediaries: smart devices with Near Field Communication (NFC) linked to credit cards offer a convenient alternative form of payment.
Level of sophistication (attributes of actors)
Types of attacks can be attributed to this, which can be divided into several categories, including skill level.
USB On the Go - OTG (Enforcement and monitoring for:)
Universal Serial Bus (USB) is a common method of connecting mobile devices to computers and other host-based platforms. Connecting mobile devices directly to each other required changes to USB connections. Enter __________, an extension of USB technology that facilitates direct connection between ________-enabled devices.
Recertification (general concepts)
User accounts should be recertified periodically as necessary. The process of __________ can be as simple as a check against current payroll records to ensure all users are still employed, or as intrusive as having users come re-identify themselves.
RADIUS Federation (authentication protocols)
Using a series of __________ servers in a federated connection has been employed in several worldwide ___________________ networks. One example is the EDUROAM project that connects users of education institutions worldwide. The process is relatively simple in concept, although the technical details to maintain the hierarchy of these servers and routing tables is daunting at worldwide scale. A user packages their credentials at a local access point using a certificate-based tunneling protocol method.
Cameras
Video surveillance is typically done through closed-circuit television (CCTV). The use of CCTV _________ for surveillance purposes dates back to at least 1961, when they were installed in the London Transport train station. The development of smaller components and lower costs has caused a boon in the CCTV industry since then.
Identify vulnerability
Vulnerabilities are known entities; otherwise, the scanners would not have the ability to scan for them. When a scanner finds a vulnerability present in a system, it makes a log of the fact. In the end, an enumeration of the vulnerabilities that were discovered is part of the vulnerability analysis report.
Penetration testing vs. vulnerability scanning
Vulnerability scanning is the scanning of a system for vulnerabilities, whether they are exploitable or not. This other kind of testing is the examination of a system for vulnerabilities that CAN be exploited. The key is exploitation.
Pinning (concepts)
When a certificate is presented for a host, either identifying the host or providing a public key, this information can be saved in an act called __________. __________ is the process of associating a host with a previously provided X.509 certificate or public key.
Misconfiguration/weak configuration
When a system suffers from __________, it may not achieve all of the desired performance or security objectives. Most systems have significant options that administrators can adjust to enable or disable functionality based on usage.
Passively test security controls
When an automated vulnerability scanner is used to examine a system for vulnerabilities, one of the side effects is the ________ testing of the security controls. This is named this because the target of the vulnerability scanner is the system, not the controls. If the security controls are effective, then the vulnerability scan may not properly identify the vulnerability. If the security control prevents a vulnerability from being attacked, then it may not be exploitable.
Risk response techniques, accept (risk assessment)
When analyzing the specific risk, after weighing the costs to avoid, transfer, or mitigate the risk against the probability of its occurrence and its potential impact, the best response is to __________ the risk.
1.) Block vs. 2.) Stream
When encryption operations are performed on data, there are two primary modes of operation, _____1____ and ____2_____. _____1______ operations are performed on blocks of data, enabling both transportation and substitution operations. _____2_____ data has become more common with audio and video across the Web; and these operate using bit by bit or byte by byte encryption.
Motion detection
When monitoring an area for unauthorized activity, one potentially useful tool is a __________. in areas where there is little or no expected traffic, these can alert and operator to activity in an area. These come in a variety of types, but most are based on infrared radiation and can detect the changes of a warm body moving. They can be tuned for size, ignoring smaller movements such as small animals in outdoor settings. Although not useful in busy office buildings during normal daily use, these can be useful during off hours, when traffic is minimal.
File integrity check
Whenever you download a file from an online source, even if from the vendor of the file, you should perform a __________ to ensure that the file has not been tampered with in any fashion. This will alert you to a changed binary, even if the hosting agents of the file doesn't know about the specific issue.
1.) Wi-Fi direct / 2.) Wi-Fi ad hoc (Enforcement and monitoring for:)
Wi-Fi typically connects a Wi-Fi device to a network via a wireless access point. Other methods exist, namely these 2: In ____1____, two Wi-Fi devices connect to each other via a single-hop connection. In essence, one of the two devices acts as an access point for the other device. The key element is the single-hop nature of a ____1_____ connection. ____1______ connects only two devices, but these two devices can be connected with all of the bells and whistles of modern wireless networking, including WPA2. The primary difference with _____2______ is that in this network, multiple devices can communicate with each other, with each device capable of communicating with all other devices.
1.) Controller-based vs. 2.) Standalone (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. Fat,_____2____ Wi-Fi access points can have substantial capabilities with respect to authentication, encryption, and even, to a degree, channel management. _____1_____, or thin access point solutions allows for centralized management and control, which can facilitate better channel management for adjacent access points, better load balancing, and easier deployment of patches and firmware updates.
Service Set Identifier - SSID (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. In the 802.11 protocol, the authentication function is known as the ___________. This unique 32-character identifier is attached to the header of the packet. Association occurs only if the client has all the correct parameters needed in the handshake, among them, this.
Signal strength (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. The usability of a wireless signal is directly related to its __________. Too weak of a signal and the connection can drop out or lose data. This can be influenced by a couple of factors: the transmitting power level and the environment across which the signal is transmitted.
1.) Antenna types and 2.) Antenna placement (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. WiFi is by nature a radio-based method of communication, and as such uses antennas to transmit and receive the signals. Antennas come in a variety of ____1_____, each with its own transmission pattern and gain factor. Gain is a measurement of antenna efficiency. The objective of ____2_____ is to maximize the coverage over a physical area and reduce low-gain areas.
1.) Fat vs. 2.) Thin (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. ____1____ (or thick) access points are standalone access points, while ____2_____ access points are controller-based access points. Determining which is more effective requires a closer examination of the difference.
Media Access Control (MAC) filtering (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. __________ is the selective admission of packets based on a list of approved MAC addresses. It is used to provide a means of machine authentication.
Band selection/width (access point)
Wireless access points are the point of entry and exit for radio-based network signals into and out of a network. ___________ may seem trivial, but with 802.11a, b/g, n, and ac radios, access points should be configured for client needs. Wi-Fie operates over two different frequencies, 2.4GHz for b/g and n, and 5 GHz for a, n, and ac.
Firmware Over the Air -OTA- updates (Enforcement and monitoring for:)
With mobile devices being literarily everywhere, the scale does not support bringing the devices to a central location or connection for updating. __________ are a solution to this problem.
Wireless scanner/cracker
You can use _________ to Perform network analysis of the wireless side of your networks. Who is connecting to them? Where this accessing? Is everything in conformance with your security plan? You need to actively pursue an answer these questions on a regular basis there are a wide variety of ___________ that can assist in developing this form of monitoring. EX: Kismet, NetStumbler, Mini-Stumbler... with cracking ability AirSnort, AirCrack, and CoWPAtty
1.) Rooting / 2.) Jailbreaking (Enforcement and monitoring for:)
Your organization's policies regarding mobile devices should be consistent with your existing computer security policies. Your training programs should include instruction on mobile device security. Disciplinary actions should be consistent. Your monitoring programs should be enhanced to include monitoring and control of mobile devices. A common hack associated with mobile devices is the ____2____. This is a process by which the user escalates their privilege level, bypassing the operating system's controls and limitations. Running any device with enhanced privileges can result in errors that cause more damage, because normal security controls are typically bypassed. _____1_____ a device is a process by which OS controls are bypassed, and this is the term frequently used for Android devices. For both of these situations, the effect is the same: the OS controls designed to constrain operations are no longer in play and the device can do things it was never intended to do, good or bad.
1.) Provisioning and 2.) Deprovisioning
____1_____ is the process of assigning to users permissions or authorities to access objects. Users can be put into groups, enabling them to be managed as a group rather than individually. ______2______ is the removal of permissions or authorities.
1.) Application whitelisting / 2.) Application blacklisting (Operating systems)
____2_____ is essentially noting which applications should not be allowed to run on the machine. This is basically a permanent ignore or call block capability. ____1______ is the exact opposite: it consists of a list of allowed applications.
1.) Fencing / 2.) Gate / 3.) Cage
_____1____ serves as a physical barrier around property. It can serve to keep people out and in, preventing the free movement across unauthorized areas. It can be an important part of a physical security plan. Properly employed, it can keep secure areas from unauthorized visitors. Inside a building fencing can be used to provide a means of restricting entry into areas where separate physical security policies apply. Material storage, servers, networking gear, and other sensitive items can be separated from unauthorized access simple chain-link fences. These areas are typically called a _____3______, and entry/exit to these areas is via a ____2_____.
1.) Strategic intelligence / 2.) Counterintelligence gathering, 3.) Active logging
_____1_____ Is the use of all resources to make determinations. This can make a large difference in whether a firm is prepared for threats or not. The same idea fits into digital forensics. This can provide information that limits the scope of an investigation into a manageable level. If we have an idea of specific acts for which we would like to have demonstrable evidence of either occurrence or nonoccurrence, we can build a _____1_____ set on the information. Where is it, what is it, and what is allowed/not allowed are all pieces of information, that when arranged in analyze, can lead to a data-logging plan to help support forensic event capture. ______2______ Is the gathering of information specifically targeting the strategic intelligence effort of another entity. Knowing what people are looking at and what information they are obtaining can provide information into their motives and potential future actions. Making and using the tool so that it does not leave specific traces of where, when, or on what it was used is a form of _____2_____ in action. Ideally, you should minimize the scope of logging so that when you have to search logs, event you are interested in stands out without being hidden in a sea of irrelevant log items. When you have an idea of what information you will want to be able to examine, you can make an ____3______ plan that assures the information is logged when it occurs, and if at all possible in a location that prevents alteration.
1.) Short Message Service - SMS / 2.) Multimedia Messaging Service - MMS (Enforcement and monitoring for:)
_____1______ & _____2______ are standard protocols used to send messages, including multimedia content in the case of _____2_____, to and from mobile devices over a cellular network. ____1_____ is limited to short, text-only messages of fewer than 160 characters and is carried over the signaling path of the cellular network when signaling data is not being sent.
1.) Identification, 2.) Authentication, 3.) Authorization, and 4.) Accounting (AAA)
_____1______ is the process of describing a computer ID to a specific user, computer, network device, or computer process. This process is typically performed only once, when a user ID is issued to a particular user. This enables authentication and authorization to form the basis for accountability. _____2_____ is the process of verifying the identity previously established in a computer system. There are a variety of methods of performing this function, each with its advantages and disadvantages. _____3______ is the process of permitting or denying access to a specific resource. Once identity is confirmed the authentication, specific actions can be this or denied. ____4______ is the process of ascribing resource usage by account for the purpose of tracking resource utilization.
1.) Compiled vs. 2.) Runtime code
_____1_______ is code that is written in one language, then run through a compiler and transform into executable code that can be run on a system. Compilers can do many things to optimize coding creates smaller, faster-running programs on the actual hardware. But compilers have problems with dynamic code capable of changing at runtime. Interpreters create ______2______ that can be executed via an interpreter engine, like a Java virtual machine (JVM), on a computer system. In today's world, we have both compilers and interpreters for most languages, so that the correct tool can be used for the correct situation. We also have systems such as just-in-time compilers and byte code interpreters that blur the traditional categorizations of compilers and interpreters.
1.) Virtual Desktop Infrastructure - VDI / 2.) Virtual Desktop Environment - VDE
______1_______ refers to all the components needed to set up the environment. ______2______ is what the user sees, the actual user environment
P12 (certificate formats)
________ is an alternative file extension for a PKCS#12 file format.
Antivirus
_________ applications check files for matches to known viruses and other forms of malware. Should it alert you, the only wise course of action is to either quarantine the file or erase it using the utility feature.
Ephemeral key
_________ are cryptographic keys that are used only once after generation. When this is key is used as part of the Diffie-Hellman scheme, it forms an _________ Diffie-Hellman (EDH) key exchange. An EDH key exchange generates a temporary key for each connection, never using the same key twice. This provides for perfect forward secrecy.
Public key (components)
_________ are the key from the key pair that are intended to be freely shared with the message -- to everyone, hence the term in its title.
Exploitation frameworks
_________ are tool sets designed to assist hackers in the tasks associated with exploiting vulnerabilities in the system. These frameworks are important because the exploitation path typically involves multiple steps, all done in precise order on a system to gain meaningful effect. The most commonly used one is Metasploit, a set of tools designed to assist a penetration tester in carrying out the steps needed to exploit a vulnerability on a system.
Password Authentication Protocol - PAP
_________ authentication involves a two-way handshake in which the username and password are sent across the length and clear text. This authentication does not provide any protection against playback in line sniffing. It is now deprecated standard. It is a clear text authentication protocol and hence is subject to interception.
ANT (connection methods)
_________ is a multicast wireless sensor network technology that operates in the 2.4-GHz ISM band. It is conceptually similar to Bluetooth Low Energy, but is oriented toward usage with sensors, such as heart rate monitors, fitness devices, and personal devices. This works well with multiple devices without interference.
Banner grabbing
_________ is a technique used to gather information from service that publicizes information via a banner. That verse can be used for many things for example they can be used to identify services by type, version, and so forth, and they enable administrators to post information, including warnings, to users when they login. Attackers can use banners to determine what services are running, and typically do for common banner issuing services such as HTTP, FTP, SMTP, and telnet.
Baseline deviation
_________ is the measuring of a system's current state of security readiness. Various tools are available that you can use to examine a system to see if it has specific weaknesses that make it vulnerable to attack -- weaknesses like default passwords, issues with permissions, and so forth.
Redundancy
_________ is the use of multiple, independent elements to perform a critical function, so that if one fails, there is another that can take over the work. When developing a resiliency strategy for ensuring that an organization has what it needs to keep operating, even if hardware or software fails or if security is breached, you should consider other measures involving _________ and spare parts.
Access violations
_________ occur when someone attempts to access a resource that they do not have permission to access. These occur for two reasons: first, the user is unauthorized and is either making a mistake or attempting to get past security. The other option is that permission are set inappropriately. Secondly, for if the user should have permission, they typically request the issue be fixed.
Wireless keyboards (peripherals)
_________ operate via a short range wireless signal between it and the computer. The main method of connection is via either a USB Bluetooth connector, in essence creating a small personal area network (PAN), or a 2.4 GHz dongle. These are frequently paired with wireless mice, removing troublesome and annoying cables off the desktop.
WiFi (connection methods)
_________ refers to the radio communication methods developed under the _________ Alliance. These systems exists on 2.4- and 5-GHz frequency spectrums and networks are constructed by both the enterprise you are associated with and third parties.
NT LAN Manager - NTLM
_________, also known as a Windows challenge/response, is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. It is the successor to the authentication protocol Microsoft LAN manager (LANMAN), an older Microsoft product. _________ uses an encrypted challenge, response protocol to authenticate the user without sending the user's password over the wire, but the cryptography used for this, MD4, is considered weak and deprecated by today's standards.
Onboarding/offboarding (general concepts)
__________ & ___________ refer to the process of adding personnel to a project or team and removing personnel from a project working. When coming on, proper account relationships need to be initiated, including the establishment of accounts. New members should be put into the correct access control is based on their needed permissions and assigned tasks, and within the, this is removed from the access control groups, and have their account disabled.
System Administrator (Role-based awareness training)
__________ are administrative users with the responsibility of maintaining a system with in its defined requirements. The system owner defined requirements, such as frequency of backups, whereas the ___________ configures the system to operationally meet these requirements. These people have virtually unlimited power over the system, for they can control all functions, but they should not have the power, or the responsibility, to set policies for the system. That falls to the system owner. It is important that these people received training and understand their responsibilities with respect to this important requirement, and the delineation of their responsibilities.
Steganography tools
__________ are designed to perform the act of __________. this is the science of hidden writing, or more specifically the hiding of messages in other content. Historically, this is been done by painting over messages, and later removing the cover page, as well as other methods.
Removable media control
__________ are designed to prevent the transfer of data from a system to a removable media location, such as a flash drive or an external hard drive.
Standard operating procedure
__________ are mandatory step-by-step instructions set by the organization so that in the performance of their duties, employees will meet the stated security objectives of the firm.
Templates
__________ are master recipes for the building of objects, be they servers, programs, or even entire systems. _________ are what make Infrastructure as a Service possible. To establish a business relationship with an IaaS firm, they need to collect billing information, and there are a lots of terms and conditions that you should review with your legal team. But, then, the part you want, is the standing up of some piece of infrastructure. These enable the setting up of standard business arrangements, as well as the technology stacks used by customers.
Safe
__________ are physical storage devices that are intended to impede unauthorized access to their protected contents. These come in a wide variety of shapes, sizes, and cost. The higher the level of protection from the physical environment, the better the level of protection against unauthorized access. These are not perfect; in fact, they are rated in terms of how long they can be expected to protect the contents from theft or fire. The better the rating, the more expensive it is.
Permission issues
__________ are problems associated with user permissions involving access and using resources. Periodic review of rights and permission is one of the more powerful security controls.
Wireless mice (peripherals)
__________ are similar in nature to wireless keyboards. They tend to connect as a human interface device (HID) class of USB. This is part of the USB specification and is used for these and keyboards, simplifying connections, drivers, and interfaces through a common specification.
Digital cameras (peripherals)
__________ are sophisticated computing platforms that can capture images, perform image analysis, connect over networks, and even send files across the globe directly from it into a production system any newsroom, for instance.
Non-disclosure Agreements - NDA
__________ are standard corporate documents used to explain the boundaries of company secret material, information which control over should be exercised to prevent disclosure to unauthorized parties. These are frequently used to delineate the level and type of information, and with whom it can be shared. These can be executed between any two parties where one party wishes that the material being shared is not further share, forcing confidentiality via contract.
Vulnerabilities due to embedded systems
__________ are systems that are included within other systems. This term can apply to a stand-alone, single-purpose system designed to provide specific functionality to an overall system.
Data sanitization tools
__________ are tools used to destroy, purge, or otherwise identify for destruction specific types of data on systems. Before system can be retired or disposed of you need to sanitize the data needs. Tools such as Identity Finder are perfect for this.
Unencrypted credentials/clear text
__________ are unfortunately still a common security issue. When credentials are transferred from one machine to another, it is important to protect the transfer of this information from unauthorized observation. When info is sent between machines in cleartext or unencrypted form, the information being transmitted is subject to eavesdropping by any machine in the communication pathway. Maintaining security over credentials is essential to prevent their disclosure to unauthorized parties, and as such should never be transmitted across cleartext forms of communication in unencrypted form.
Password cracker
__________ are used by hackers to find weak passwords why would a system administrator use one? Same reason. Running your systems password lists through blank this provides two things: an early warning of a practical password, and peace of mind that your passwords are safe when you can crack any in a reasonable period of time.
Patch management tools
__________ assist administrators by keeping lists of the software on a system and alerting users when patches become available... there are tools to alert administrators when patches have not been updated in a timely fashion.
Fault tolerance
__________ basically has the same goal as high-availability--the uninterrupted access to data and services. It can be accomplished by the nearing of data and hardware systems. Should a "fault" occur, causing disruption in a device such as a disk controller, the mere system provides the requested data with no apparent interruption in service to the user. Certain systems, such as servers, are more critical to business operations and should therefore be the object of _________ measures.
Vulnerabilities due to lack of vendor support
__________ can become an issue at several different levels. The most obvious scenario is when the original manufacturer of the item, be it hardware or software, no longer offers support.
Improper error handling
__________ can lead to a wide range of disclosures. Errors associated with SQL statements can disclose data structures and data elements. Remote procedure call (RPC) errors can give up sensitive information such as filenames, paths, and server names. Programmatic errors can disclose line numbers that an exception occurred on, the method that was invoked, and information such as stack elements. Attacker can use this information to further their attack on a system, as the information typically gives them details about the composition and inner workings of the system that they can exploit.
User (types of certificates)
__________ certificates are just that -- certificates that that identify a user. They are an example of an end-entity certificate.
Extended validation (types of certificates)
__________ certificates are used for HTTPS websites and software to provide a high level of assurance as to the originator's identity. These certificates use the same methods of encryption to protect certificate integrity as do domain- and organization-validated certificates. The difference in assurance comes from the processes used by a CA to validate an entity's legal identity before issuance.
Wiping (data destruction and media sanitization)
__________ data Is the process of rewriting the storage media with a series of patterns of 1's and 0's. This is not done once, but is done multiple times to ensure that every trace of the original data has been eliminated.
Intermediate CA (components)
__________ function to transfer trust between different CAs. These CAs are also referred to as subordinate CAs because they are subordinate to the CA that they reference. FYI: Revocation of a certificate prevents use in the future.
Universal Serial Bus - USB (connection methods)
__________ has become the ubiquitous standard for connecting devices with cables. It usually works without the user needing to add drivers or configure software.
Printers/MFDs (peripherals)
__________ have CPUs and a lot of memory. The primary purpose of this is to offload the printing from the device sending the print job to the print queue. Modern these now come standard with a bidirectional channel, so that you can send a print job to it and it can send back information as to job status, its status, and other items. Multifunction devices (MFDs) are like these on steroids. They typically combined printing, scanning, and faxing all into a single device.
Recovery
__________ in a digital forensic sense is associated with determining the relevant information for the issue at hand--simply stated, recover the evidence associated with an act. But what if the act is not precisely known? For example, suppose a sales manager for a company quits and goes to work with the competitor. Because she is a sales manager, she has had access to sensitive information that would benefit the new employer. But how do you know whether she took sensitive information with her? And even if she did, are you determined for purposes of _________ which information she took, and where to look for?
Advanced malware tools
__________ include tools such as Yara, a command-line pattern matcher that looks for indicators of compromise in a system. Yara assists security engineers in hunting down malware infections based on artifacts that the malware leaves behind in memory.
Infrared - IR (connection methods)
__________ is a band of electromagnetic energy just beyond the red end of the visible color spectrum. It has been used in remote-control devices for years. It is now used in keyboards, wireless mice, and mobile devices. It cannot penetrate walls and it can be seen by all in range.
Mean Time To Repair - MTTR
__________ is a common measure of how long it takes to repair given failure. This is the average time, and may or may not include the time needed to obtain parts. Is calculated as follows: = total downtime / number of breakdowns
Mean Time Between Failures - MTBF
__________ is a common measure of reliability of the system and is an expression of the average time between system failures. The time between failures is measured from the time the system returns to service until the next failure. This is an arithmetic mean of a set of system failures. = (Start of downtime - start of uptime) / number of failures
Cloud storage
__________ is a common term used to describe computer storage provided over a network. One of the characteristics of this is transparency to the end-user. This improves usability of this form of service provisioning. This offers much to the user: improvements in performance, scalability, flexibility, security, and reliability, among other items. These improvements are a direct result of the specific attributes associated with how these are implemented. Use of these services is already becoming mainstream with ordinary users through such services as Apple iCloud, Microsoft OneDrive, and Dropbox. These are easy to use, easy to configure, and provide the basic services desired with minimal user difficulty.
Scalability
__________ is a design elements that enables the system to accommodate larger workloads by adding resources either making hardware stronger, scale up, or adding additional notes, scale out. This term is commonly used in server farms and database clusters, as these both can have scale issues with respect to workload. Both elasticity and _________ have an effect on system availability and throughput, which can be significant security- and and risk-related issues.
Subject Alternative Name - SAN (types of certificates)
__________ is a field (extension) in a certificate that has several uses. In certificates for machines, it can represent the fully qualified domain name (FQDN) of the machine; for user, it can be the user principal name (UPN); or in the case of an SSL certificate, it can indicate multiple domains across which the certificate is valid.
Single sign-on (SSO)
__________ is a form of authentication that involves the transferring of credentials between systems. As more and more systems are combined in daily use, users are forced to have multiple sets of credentials. This makes things easier.
Domain validation (types of certificates)
__________ is a low trust means of validation based on an applicant demonstrating control over a DNS domain. It is typically used for TLS and has the advantage that it can be automated via checks against a DNS record. It offers very little assurance that the identity has not been spoofed, for the applicant need not directly interact with the issuer.
Key stretching
__________ is a mechanism that takes what would otherwise be weak keys and "stretches" them to make the system more secure against brute force attacks. It involves increasing the computational complexity by adding iterative rounds of computations, rounds that cannot be done in parallel. The increase in computational workload becomes significant when done billions of times, making attempts to use a brute force attack much more expensive.
Separation of duties
__________ is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. This means that the level of trust in any one individual lesson, and the ability for any individual to cause catastrophic damage to the organization is also lesson. An example might be in an organization in which one person has the ability to order equipment, but another individual makes the payment. An individual who wants to make unauthorized purchases for his own personal gain would have to convince another person to go along with the transaction.
Diffusion
__________ is a principle that the statistical analysis of plaintext and ciphertext results in a form of dispersion rendering one structurally independent of the other. In plain terms, a change in one character of plaintext should result in multiple changes in the ciphertext in a manner that changes in ciphertext do not reveal information as to the structure of the plaintext.
Confusion
__________ is a principle to affect the randomness of an output. The concept is operationalized by ensuring that each character of ciphertext depends on several parts of the key. This places a constraint on the relationship between ciphertext and the key employed, forcing an effect that increases entropy.
Pulping (data destruction and media sanitization)
__________ is a process by which paper fibers are suspended in a liquid and recombine into new paper. If you have data records on paper, and you shred the paper, this process removes the in by bleaching, and recombine all the shred into new paper, completely destroying the physical layout of the old paper.
Perfect forward secrecy
__________ is a property of a public key system in which a key derived from another key is not compromised even if the originating key is compromised in the future. This is especially important in session key generation, where the security of all communication sessions using the key may become compromised; if this is not in place, then past messages that had been recorded could be decrypted.
Supporting non-repudiation (common use cases)
__________ is a property that deals with the ability to verify that a message has been sent and received so that the sender (or receiver) cannot refute sending (or receiving) the information. EX: Private key holder relationship. It is assumed that the private key never leaves the possession of the private key holder. Should this occur, it is the responsibility of the holder to revoke the key.
Supporting authentication (common use cases)
__________ is a property that deals with the identity of a party, be it a user, a program, or a piece of hardware. Cryptographic functions can be employed to demonstrate authentication, such as the validation that an entity has a specific private key, associated with a presented public key, proving identity.
Remote Authentication Dial-In User Service - RADIUS
__________ is a protocol that was developed as an AAA protocol. It was submitted to the IETF as a series of RFCs. The IETF AAA Working Group has proposed extensions to this and replacement protocol called diameter. This is designed as a connectionless protocol utilizing User Datagram Protocol (UDP) as its transport-level protocol. Connection type issues, such as timeouts, are handled by this application instead of the transport layer. This utilizes UDP ports 1812 for authentication and authorization and 1813 for accounting functions. This is a client/server protocol.
Software Defined Networking - SDN
__________ is a relatively new method of managing the network control layer separate from the data layer, and under the control of computer software. This enables network engineers to reconfigure the network by making changes via a software program, without the need for re-cabling. This also allows for network function deployment via software, see you could program a firewall between two segments by telling the _______ controllers to make the change. They then feed the appropriate information into switches and routers to have the traffic pattern switch, adding the firewall into the system. _______ is relatively new and just beginning to make inroads into local networks, but the power it presents to network engineers is compelling, enabling them to reconfigure networks at the speed of a program in executing change files.
Shibboleth
__________ is a service designed to enable single sign-on and federated identity-based authentication and authorization across networks. It began in 2000, has been through several revisions inversions, but is yet to gain any widespread acceptance. It is a web-based technology that is built using SAML technologies. It uses the HTTP/POST, artifacts, and attribute push profiles of SAML, including both identity provider (IdP) and service provider (SP) components to achieve its goals. As such, it is included by many services that use SAML for identity management.
Near Field Communication - NFC (connection methods)
__________ is a set of wireless technologies that enables smartphones and other devices to establish radio communication when they are within close proximity to each other, typically a distance of 10cm (3.9in) or less. EX: Apple Pay
Bluetooth (connection methods)
__________ is a short-range, low-power wireless protocol that transmits in the 2.4 GHz band, the same band used for 802.11. The concept for this short-range (approx. 32 feet) wireless protocol is to transmit data in personal area networks (PANs). Current version is 4, 4.1, and 4.2 with a speed of 24 Mbps.
OpenID Connect
__________ is a simple identity layer on top of the O/Auth 2.0 protocol. This allows clients of all types, including mobile, JavaScript, and when-based clients, to request and receive information about authenticated sessions and end-users. It is intended to make the process of proving who you are easier, the first step in the authentication-authorization latter. To do authorization, a second process is needed, and this is commonly paired with OAuth 2.0. It was created for federated authentication that lets a third-party, such as Google or Facebook, authenticate your users for you, by using accounts that the users already have.
Security Assertion Markup Language - SAML
__________ is a single sign-on (SSO) capability used for web applications to ensure user identities can be shared and are protected. It defined standards for exchanging authentication and authorization data between security domains. It is becoming increasingly important with cloud-based solutions and with Software-as-a-Service (SaaS) applications as it ensures interoperability across identity providers.
Application whitelisting
__________ is a technology that marks files as safe to run on a system based upon their hash values. On Windows machines you can use a tool called applocker.
IEEE 802.1X (authentication protocols)
__________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router. It is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network. __________ over wireless uses either IEEE 802.11i or EAP-based protocols, such as EAP-TLS or PEAP-TLS.
Asset management
__________ is an important fundamental security task, so much so that it is at the top of the top 20 common security controls. Understanding what hardware and software you have in the enterprise, where it is specifically located, and how it is configured is the foundation for many security elements. Maintaining accurate records can be challenging in an ever-changing IT environment, yet it remains an important task. It is also important to understand the patch state of all the assets, and keep this up to date as well.
OAUTH (Open Authorization)
__________ is an open protocol that allows secure, Tolkien-based authorization on the Internet from web, mobile, and desktop applications via a simple and standard method. It is used by companies such as Google, Facebook, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites. The first version was developed by a Twitter engineer as part of the Twitter OpenID implementation. The second version which is not backward compatible, has taken off with support from most major web platforms. Its main strength is that it can be used by an external partner site to allow access to protected data without having to re-authenticate the user. It was created to remove the need for users to share their passwords with third-party applications, instead substituting a token. Version to expand this into also providing authentication services, so it can eliminate the need for OpenID.
Burning (data destruction and media sanitization)
__________ is considered one of the gold-standard methods of data destruction. The typical method is to shred the material, even plastic discs and hard drives, and then put the shred in an incinerator and oxidized the material back to-based chemical forms.
Vulnerabilities due to end-of-life systems
__________ is defined as when the system has reached a point where it can no longer function as intended. This status can be reached for many reasons, such as lack of vendor support, a failure to instantiate on newer hardware, or incompatibility with other aspects of a system.
Custom firmware (Enforcement and monitoring for:)
__________ is firmware for a device that has been altered from the original factory settings. This firmware can bring added functionality, but it can also result in security holes. This firmware should be used only on devices that do not have access to critical information.
Distinguished Encoding Rules - .DER (certificate formats)
__________ is one of the Abstract Syntax Notation One (ASN.1) encoding rules that can be used to encode any data object into a binary file. A _________ file contains binary data and can be used for a single certificate.
Continuous integration (Secure DevOps)
__________ is the DevOps manner of continually updating and improving the production code base. By using high levels of automation, and safety nets of automated backup routines, __________ allows the DevOps team to test an update even a very minor changes without a lot of overhead. This can make DevOps more secure reducing interaction errors and other errors that are difficult to detect and time-consuming to track down.
Microsoft Challenge Handshake Authentication Protocol - MSCHAP
__________ is the Microsoft variant of CHAP. Microsoft has created two versions of CHAP, modified to increase its usability across their product line. The first version of this, has been deprecated and dropped in Windows Vista. The current standard is version 2 which was introduced with Windows 2000. Version 2 offers mutual authentication, verifying both users in an exchange. It also offers improved cryptographic support including separate cryptographic keys are transmitted and received data.
Elasticity
__________ is the ability of a system to dynamically increase the workload capacity using additional, added-on-demand hardware resources to scale out. If the workload increases, you scale out by adding more resources, and, conversely, when demand wanes, you scale back by removing unneeded resources. This can be set to automatically occur in some environments, where the workload at a given time determines the quantity of hardware resources being consumed. ___________ is one of the strengths of cloud environments, as you can configure them to scale up and down, only paying for the actual resources you use. In a server farm that you own, you pay for the equipment even when it is not in use.
Database security
__________ is the application of security functions, who can access what, inside a database system. It is a significant concern for many enterprises, as the data in the databases represents valuable information assets. Major database engines have built-in access control provisions and encryption capabilities. Access control is managed by name users and defined permissions, all managed inside the database system.
Security through obscurity
__________ is the concept that security can be achieved by hiding what is being secured. This method alone has never been a valid method of protecting secrets, but that does not mean that this concept does not have a role in security. It should not be relied on as a singular method of protection.
Tethering (Enforcement and monitoring for:)
__________ is the connection of a device to a mobile device that has a means of accessing a network for the purpose of sharing the network access. Connecting a mobile phone to a laptop so that the laptop can use the phone to connect to the Internet is an example of this.
Key strength
__________ is the core of the strength of a cryptographic function. A larger key has more entropy and adds more strength to an encryption. Because different algorithms use different methods with a key, direct comparison of __________ between different algorithms is not easily done. Some cryptographic systems have fixed key lengths, such as 3DES which uses 168 length, while others such as AES have multiple lengths, AES-128, AES-192, and AES-256. DES uses 56, and Blowfish uses between 32 and 448.
Record time offset (Data acquisition)
__________ is the difference in time between the system clock in the actual time. To minimize this, most computers think their time over the Internet with an official time source. Files and events logged on a computer will have timestamp markings that are based on the clock time on the machine itself. Is a mistake to assume that this clock is accurate. To allow the correlation of timestamp data from records inside the computer with any external event, it is necessary to know any time offset between the machine clock the actual time. When collecting forensic data is vitally important to collect the __________ so that local variations in time can be corrected.
Obfuscation
__________ is the masking of an item to render it unreadable yet still usable. Consider source code as an example. If the source code is written in a manner that it is easily understood, then its functions can be easily recognized and copied. __________ is the process of making the code unreadable by adding complexity at the time of creation. This "mangling" of code makes it impossible to easily understand, copy, fix, or maintain. An example is the soring of password hashes. If the original password is hashed with the addition of a salt, reversing the stored hash is practically not feasible, making the key information, the password, _________(ed).
Integrity measurement
__________ is the measuring and identification of changes to a specific system away from an expected value. From the simple changing of data as measured by a hash value to the TPM-based integrity measurement of the system boot process and attestation of trust, the concept is the same. Take a known value, perform a storage of a hash or other key value, and then, at time of concern, recalculates and compare.
Privacy-enhanced Electronic Mail - .PEM (certificate formats)
__________ is the most common format used by certificate authorities when issuing certificates. It comes from RFC 1422 and is a Base64 encoded ASCII file that begins with -----BEGIN CERTIFICATE-----, followed by the Base64 data, and closing with -----END CERTIFICATE-----. This file supports multiple digital certificates, including a certificate chain. A _________ file can contain multiple entries, one after another, and can include both public and private keys. Most platforms, however such as web servers, expect certificates and private keys to be in separate files. The ________ format for certificate data is used in multiple file types, including _______, .CER, .CRT, and .KEY files. If you need to transmit multiple certificates, or a certificate chain, use this format for encoding. It can carry multiple certificates, whereas DER can only carry a single certificate.
Shredding (data destruction and media sanitization)
__________ is the physical destruction by tearing an item into many small pieces, which can then be mixed, making reassembly difficult if not impossible. Important papers should be __________, and important in this case means anything that might be useful to a potential intruder or dumpster diver.
Sideloading (Enforcement and monitoring for:)
__________ is the process of adding apps to a mobile device without using the authorized store associated with the device. It only works on Android devices. The downside is that without the vendor app store screening, one is at a greater risk of installing malicious software in the guise of a desired app.
Stapling (concepts)
__________ is the process of combining related items to reduce communication steps. An example is that when someone requests a certificate, __________ sends both the certificate and OCSP responder information in the same request to avoid the additional fetches the client would have to perform during path validations.
Baselining (Secure DevOps)
__________ is the process of determining a standard set of functionality and performance. This is a metrics-driven process, where later changes can be compared to this to gauge their impact on performance and other variables. If a change improves the elements in this in a positive fashion, then a new one can be established. If the new values are of lesser quality, that a decision can be made as to accept the changes or change the __________.
Data execution prevention - DEP
__________ is the protection of specific memory areas as nonexecutable in Windows system. It prevents attackers from changing the operation of a program through code injection into a data storage location and then subsequently executing the code. Should a system detect a DEP violation, the OS will kill the program.
Data retention
__________ is the storage of data records. One of the first steps in understanding this in an organization is the determination of what records require storage and for how long. Among the many reasons for keeping data, some of the most common are for purposes of billing and accounting, contractual obligation, warranty history, and compliance with local, state, and national government regulations, such as IRS rules.
Data-in-use
__________ is the term used to describe data that is stored in a non-persistent state of either RAM, CPU caches, or CPU registers. Attacks such as RAM scraping malware are occurring in recent years. Intel's Software Guard Extensions (SGX), promise a future where sensitive data can be protected from all other processes on a system, even those with higher levels of authority, such as root.
Distributive allocation
__________ is the transparent allocation of requests across a range of resources. When multiple servers are employed to respond to load, this handles the assignment of jobs across the servers. When the jobs are state full, as in database queries, the process ensures that the subsequent requests are distributed to the same server to maintain transactional integrity. When the system is stateless, like Web servers, other load-balancing routines are used to spread the work. __________ directly addresses the availability aspect of security on a system.
Improper input handling
__________ is the true number one cause of software vulnerabilities. This is the root cause behind most overflows, injection attacks, and canonical structure errors. EX: Cross-site scripting (XSS) and cross-site request forgery (XSRF)
Infrastructure as code (Secure DevOps)
__________ is the use of code to build systems, rather than manually configuring them via normal configuration mechanisms. It is a way of using automation to build out systems, reproducible, efficient and is a key attribute of enabling best practices in DevOps. The objective is to avoid having developers write applications and tossed them overall the implementers, the ops team, and expect them to make the applications work in the environment. As systems have become larger, more complex, and interrelated, interconnecting developer input and production input has created an environment of ________, a version of infrastructure as a service.
Satellite Communications - SATCOM (connection methods)
__________ is the use of terrestrial transmitters and receivers and satellites in orbit to transfer the signals. In rural or remote areas, such as in the wilderness or at sea, it is one of the only options for communications.
Challenge Handshake Authentication Protocol - CHAP
__________ is used to provide authentication across a point-to-point link using PPP. In this protocol, authentication after the link has been established is not mandatory. It is designed to provide authentication periodically through the use of a challenge/response system sometimes described as a three-way handshake. The initial challenge which is a randomly generated number is sent to the client. The client uses a one-way hashing function to calculate what the response should be and then sends this that. The server compares the response to what it calculated the response should be. If they match, communication continues. If the two values don't match, then the connection is terminated. This mechanism relies on a shared secret between the two entities so that the correct values can be calculated.
Supporting integrity (common use cases)
__________ of data is needed in scenarios such as during transfers. __________ can demonstrate that data has not been altered. The use of message authentications codes (MACs) supported by hash functions is an example of cryptographic services supporting __________>
Weak security configurations
__________ refer to the choice of a set of configuration parameters associated with a software application or operating system that results in greater than necessary security risk. EX: Allowing users to choose weak passwords and allowing users unlimited password tries without locking the account are legitimate options, although ill-advised choice. Either of these choices would result in a weak security configuration of the OS.
Captive portals (methods)
__________ refers to a specific technique of using an HTTP client to handle authentication on a wireless network. Frequently employed in public hot spots, this opens a web browser to an authentication page. This occurs before the user is granted admission to the network. The access point uses this simple mechanism by intercepting all packets and returning the web page for login. The actual web server that serves up the authentication page that can be in a walled-off section of the network, blocking access to the Internet until the user successfully authenticates.
External media (Enforcement and monitoring for:)
__________ refers to any item or device that can store data. From flash drives to hard drives, music players, smartphones, even smart watches, if it can store data, it is a pathway for data exfiltration. Develop a policy that determines where these devices can exist and where they should be banned.
Group-based access control (general concepts)
__________ refers to managing access control using groups of users rather than user by user. This can be much more efficient and less prone to error in large enterprises. Underprivileged management, a group is a collection of users with some common criteria, such as need for access to a particular dataset or group of applications.
Data Loss Prevention - DLP
__________ refers to technology employed to detect and prevent transfers of data across an enterprise. It can detect account numbers, secrets, specific markets, or files. It needs to be able to observe the data, so if the channel is encrypted, __________ technology can be thwarted.
Credential management (account policy enforcement)
__________ refers to the processes, services, and software used to store, manage, and log the use of user credentials. __________ solutions are typically aimed at assisting end-users to manage their growing set of passwords. There are products that provide a secure means of storing user credentials and making them available across a wide range of platforms, from local stores to cloud storage locations.
Sandboxing
__________ refers to the quarantine or isolation of a system from its surroundings it has become standard practice for some programs with an increased risk surface to operate with in one, limiting the interaction with the CPU and other processes, such as memory. This works as a means of quarantine, preventing problems from getting out of this and onto the operating system and other applications on a system.
Qualitative (risk assessment)
__________ risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. This type of risk assessment usually involves the use of expert judgment, experience, or group consensus to complete the assessment.
Alarms
__________ serve to alert operators to abnormal conditions. Physical security can involve numerous sensors, intrusion alarms, motion detectors, switches that alert to doors being open, video and audio surveillance, and more. These are not simple; if a company has too many of these, especially false ones, then the operators will not react to the conditions as desired. Tuning these so that they provide useful, accurate, and actionable information is important if you want them to be effective.
Disable default accounts/passwords (Operating systems)
__________ should be such a common mantra for people that no systems exist with this vulnerability. This is a simple task, and one that you must do for any new system. If you cannot disable this--and there will be times when this is not a viable option--the other alternative is to change the password to a very long password that offers strong resistance to brute force attacks.
High resiliency (common use cases)
__________ systems are characterized by functions that are capable of resuming normal operational conditions after an external disruption. The use of cryptographic modules can support resiliency through as standardized implementation of cryptographic flexibility.
Network mapping (Network scanners)
__________ tools are another name for network standards. These are designed to create network diagrams of how machines are connected and then they stop there will network scanners can do additional task, such as identify systems, services, and open ports.
Steganography
__________, is an offshoot of cryptography technology. An example of this would be an invisible ink message placed on a document and hidden by innocuous text. Another example is a tattoo placed on the top of a person's head, visible only when the person's hair is shaved off. The encoding of this can be done in Least Significant Bit (LSB), which is a method of encoding info into an image while altering the actual visual image as little as possible.
Low power devices (common use cases)
__________, such as mobile phones and portable electronics, are ubiquitous and require cryptographic functions. Because cryptographic functions tend to take significant computational power, special cryptographic functions, such as elliptic curve cryptography are well suited for low-power applications.
Password length (account policy enforcement)
___________ Is critical to password-based security. The true strength of a password lies in its entropy or randomness. The higher the entropy or randomness, the greater the key space that must be searched or random matching. This coupled with complexity are the easiest way to increase entropy password.
Signs
___________ act as informational devices and can be used in a variety of ways to assist in physical security. These can provide information as to areas that are restricted, or indicate where specific precautions, such as keeping doors locked, are required. A common use of these in high-security facilities is to delineate where visitors are allowed versus security areas where escorts are required.
Exit interviews
___________ can be powerful tools for gathering information when people leave an organization. From a security perspective, the off-boarding process for personnel is very important. Employee termination needs to be modified to include termination of all accounts, including those enable on mobile devices.
Change management
___________ has roots in system engineering, where it is commonly referred to as configuration management. Most of today's software and hardware these derived from long-standing system engineering can iteration management practices. Computer hardware and software development have also evolved to the point that proper management structure and controls must exist to ensure the products operate as planned. It is normal for enterprise to have a Change Control Board to prove all production changes ensure the change management procedures are followed before changes are introduced to a system. Configuration control is the process of controlling changes to items that have been baselined. Configuration control ensures that only approve changes to a baseline are allowed implemented.
Password reuse (account policy enforcement)
___________ is a bad idea in that it reopens an exposure to an adversary who has previously obtained a password. Official guidance is passwords should not be reused for at least a year, and for at least a half dozen changes, whichever comes last.
Unified Threat Management - UTM
___________ is a marketing term used to describe all-in-one devices employed in network security. They typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping. These are typically located at the EDGE OF A NETWORK.
Pulverizing (data destruction and media sanitization)
___________ is a physical process of destruction using excessive physical force to break an item into unusable pieces. These are used on items like hard disk drives, destroying the platters in a manner that they cannot be reconstructed. A more modern method of this is the use of encryption. The data on the drives encrypted in the key itself is destroyed.
Key exchange
___________ is the central foundational element of a secure symmetric encryption system. Maintaining the secrecy of the symmetric key is the basis of secret communications. In asymmetric systems, the key exchange problem is one of key publication. Because public keys are designed to be shared, the problem is reversed from one of secrecy to one of publicity. Diffie-Hellman is an example of this. DH depends on two random numbers, each chosen by one of the parties and kept secret. DH can be performed in-band, and even under external observation, as the random numbers are never exposed to outside parties.
Biometrics
___________ is the measurement of biological attributes or processes with the goal of identification of a party possessing the measures. The most well known __________ factor is the fingerprint. Fingerprint readers have been available for several years in laptops and other mobile devices, and as standalone USB devices.
Security guards
___________ provide an excellent security measure, because these are a visible presence with direct responsibility for security. Other employees expect these to behave a certain way with regard to securing the facility. They typically monitor entrances and exits and can maintain access logs of who has entered and part of the building. In many organizations, everyone who passes through security is a visitor must sign the log, which can be useful in tracing who was at one location and why.
Quantitative (risk assessment)
___________ risk assessment is the process of objectively determining the impact of an event that affects the project, program, or business. This type of risk assessment usually involves the use of metrics and models to complete the assessment.
Fire suppression (environmental controls)
___________ systems are designed to provide protection against the damage from a fire that spreads in a facility. Because they are suppression systems, they don't prevent the fire from occurring per se, but they do stop it once it begins.
Executive users (Role-based awareness training)
____________ are a special type of user. Their business responsibility may be broad and deep, covering many levels and types of business functions. This work level of responsibilities may not translate directly to their needed computer access. Does the CIO, the highest IT level employee, require all the permissions of all their subordinates? The true answer is no, for they will not be performing state has their work. And should they on occasion need access, it can be granted at the time of need.
Account maintenance (general concepts)
____________ is the routine screening of all attributes for an account. It involves determining questions such as whether the business purpose for the account is still valid, whether the business process for a system account is still occurring, and whether the actual permissions associated with the account are appropriate for the account holder. Best practice indicates that this be performed in accordance with the risk associated with the profile.
Password history (account policy enforcement)
____________ refers to passwords previously used by an account. It is good security policy to prohibit reuse passwords, at least for a set number of passwords. In Windows, under local group policy, you can set three elements that work together to manage this: - Enforce password history: tells the system how many passwords to remember and does not allow the user to reusable password in that list. - Maximum password age: specifies the maximum number of days a password may be used before it must be changed. - Minimum password age: specifies the minimum number of days a password must to use before it can be changed.
Risk response techniques, avoiding (risk assessment)
____________ the risk can be accomplished in many ways. Although you can't remove threats from the environment, you can alter the systems exposure to the threats. Not deploying a module that increases risk is one manner of risk ___________.
Cloud access security broker - CASB
_____________ act as security policy enforcement points between cloud service providers and their customers to ensure that enterprise security policies are maintained as the cloud-based resources are utilized. They belong to the broader category of managed security service providers (MSSPs), which offers Security as a Service to organizations. _________ vendors provide a range of security services designed to protect cloud infrastructure and data. They act as security policy enforcement points between cloud service providers and their customers to enact enterprise security policies as the cloud-based resources are utilized.
Wi-Fi Protected Setup - WPS (methods)
__________is a network security standard that was created to provide users with an easy method of configuring wireless networks. Designed for home networks and small business networks, this standard involves the use of an 8-digit PIN to configure wireless devices. It consists of a series of EAP messages and has been shows to be susceptible to a brute force attack. A successful attack can reveal the PIN and subsequently the WPA/WPA2 passphrase and allow unauthorized parties to gain access to the network. Currently, the only effective mitigation is to disable WPS.
