Cybersecurity Final
Singularity
something peculiar or unique
Authentication
The process of verifying whether someone or something is who or what they say they are
Red & Blue Teams, Black & White Hats
A Red Team assessment is similar to penetration testing but targeted to determine specific detection and response capability. Pen tests try to uncover as many vulnerabilities as possible. Blue team attempts to defend the network from Red Team's attack while a White Team moderates. A black hat hacker is someone who is malicious whereas a white hat hacker is someone who is doing it for good and might be participating in the aforementioned red team attacks.
Security Operations Center (SOC)
A Security Operation Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
Attack Surface
A compilation of all attack vectors that a possible bad actor may try to use to enter a system. Essentially, this is simply all the points of entry that a possible hacker could use.
Outsourcing
A decision by a corporation to turn over much of the responsibility for production to independent suppliers.
Worm
A destructive computer program that bores its way through a computer's files or through a computer's network.
Virus
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data
Trojan
A program disguised as a harmless application that actually produces harmful results.
Zero-Day Exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
Defense in Depth
Also known as (DiD) Definition: a series of defensive mechanisms are layered in order to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart an attack.
Denial of Service Attack
An attack in which a very large amount of data is sent from a single computer in order to flood a network or system.
Intrusion Prevention Systems (IPS)
Any hardware or software mechanism that has the ability to detect and stop attacks in progress.
Ethical Hacking
Basically penetration testing. This involves the authorized hacking of a system in order to show the owners of that system where the kinks are in the armor of their security, so that they may be repaired before an actual hack occurs.
Multi-factor authentication
Use of several authentication techniques together, such as passwords and security tokens.
MITRE Common Vulnerabilities and Exposures
CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
USB device (illegitimate)
Can destroy hardware by uploading/transferring malicious information
Industrial Control Systems (ICS)
Computer-based system that monitor and control industrial processes that exist in the physical world
CIA Triad
Confidentiality: only authorized users can access the data Integrity: data should be maintained in correct state and shouldn't be modified accidentally or with malicious intent Availability: Authorized users should be able to access data
Business Continuity Plan
Guidelines and arrangements for response to disruption of critical business functions, to restore and maintain operation.
SIEM
Security information and event management is a subsection within the field of computer security, where software products and services combine security information management and security event management. They provide real-time analysis of security alerts generated by applications and network hardware.
Polymorphic Malware
Malware code that completely changes from its original form whenever it is executed.
Risk Management
Management needs to set the basic criteria needed to manage information security risk, define the scope and boundaries, and establish the appropriate organizational structure to manage information security risk. The risk criteria are based on organizational objectives and external and internal contexts that may be derived from standards, laws, policies, etc.
Smishing
Phishing attacks committed using text messages (SMS).
Tailgating
Social engineering attack where hackers trick employees into giving them unauthorized access to their systems - can be online and in-person
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
STRIDE Threat Model (MIscrosoft)
Spoofing: An attack where you disguise a communication from a unknown source to appear as a trusted source. Can be done through email, ip address, address resolution protocol or Domain Name System (phishing), caller id,ip Tampering: When an attacker is able to tamper with the functionality of a program by changing or removing key elements Repudiation: Refers to when a hacker tries to cover their tracks after an attack, could be erasing IP logs or spoofing another users credentials Information Disclosure: When attackers aim at getting a hold of confidential information Denial of Service: DDOS - knocks out a system ability to be used - often used in blackmail/extortion Elevation of Privilege: When you log into a system you have a certain level of privilege that lets you perform functions and access information. A hacker might try to attack low level account in a system then use spoofing techniques to gain access to greater privileges.
Perimeter Test
The perimeter is the border between one network and another. A security perimeter can be defined as placing the necessary safeguards at the end of a privately owned network to secure it from hackers
Incident Response
The initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss.
Disruption - realized risk
The loss of service of a network or system, caused by an attack of some kind on the network.
Technical Controls
The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system
Key Loggers
They are software programs or devices designed to secretly monitor and log all keystrokes.
Third Parties
Threats that are created from third party systems. This could be supply chain attacks, third-party vendor errors, and regulation issues
Transport Layer Security (TLS) Protocol
Transport Layer Security, and its now-deprecated predecessor, Secure Sockets Layer, are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP.
Vishing
Voice phishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. It is sometimes referred to as 'vishing' - a portmanteau of "voice" and phishing
Honeypot
Vulnerable computer that is set up to entice an intruder to break into it
Default Accounts
When an organization gives a user a temporary password/login that is often very simple and insecure. User is supposed to log on immediately and customize their password to make it stronger
Data Breach
When sensitive or confidential information is copied, transmitted, or viewed by an individual who is not authorized to handle the data.
Internet Service Provider (ISP)
a company that provides access to the internet for a monthly fee
Threat Actors
a participant (person or group) in an action or process that is characterized by malice or hostile action (intending harm) using computers, devices, systems, or networks
Spoofing
a technique intruders use to make their network or internet transmission appear legitimate to a victim computer or network
Vulnerability
a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness
Internet of Things (IOT)
a world where interconnected, Internet-enabled devices or "things" can collect and share data without human intervention
Faraday Cage
an EMP pulse-proof environment
Personally Identifiable Information (PII)
any data that can be used to identify, locate, or contact an individual
Social Engineering
hackers use their social skills to trick people into revealing access credentials or other valuable information
Malware
software that is intended to damage or disable computers and computer systems.
Chief Information Security Officer (CISO)
manages security for the organization's information systems and information
Rootkit
program that hides in a computer and allows someone from a remote location to take full control of the computer
SSL Certificates
small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.
Spyware
software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.
Vulnerability Assessment
the process of identifying, quantifying, and prioritizing the vulnerabilities in a system
FAIR Risk Management
(Factor Analysis of Information Risk) FAIR underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable is a given event. This probabilistic approach is applied to every factor that is analyzed. The risk is the probability of a loss tied to an asset. In FAIR, risk is defined as the "probable frequency and probable magnitude of future loss." FAIR further decomposes risk by breaking down different factors that make up probable frequency and probable loss that can be measured in a quantifiable number.
Cyber Insurance Policies
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.
Router
A device that transfers data from one network to another in an intelligent way
Quantum Computing
A field of computer design using the principles of quantum mechanics in which a single bit of information can be not just a 0 or a 1 but in both states at the same time.
Certified Information Systems Auditor (CISA)
A globally recognized certification for appraising an IT auditor's knowledge, expertise, and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment; members have job titles like information systems auditor, consultant, information systems security professional, regulator, chief information officer, and internal auditor
Botnet
A group of computer controlled by a single user. These computers are hacked and control is gained usually through the use of a Trojan virus. These networks could contain several thousand computers in some cases, all under the control of the hacker. Once the computers have been hacked and are under the bad actor's control, then a botnet attack can be initiated against the target through something like a DDoS attack
Computer Emergency Response Team (CERT)
A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Air Gap
A maximum-security protocol, in which a computer is not connected to any network (wired or wireless). This type of protocol is one of the most secure possible, as the only way to transfer data to or from an air-gapped computer is through physical means (i.e. a flash drive). These types of computers have had any network connection capabilities disabled.
Public Key Encryption
A method of paired key encryption in which the key used to encrypt data is made available to anybody and its corresponding decryption key is kept secret.
Network Segmentation
A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.
Spear Phishing
A phishing attack that targets only specific users.
Disaster Recovery Plan
A plan that would be executed in the event of a disaster. This could be anything from a cyberattack, to a physical attack, or even a natural disaster. The plan would be developed beforehand and executed if necessary, should any type of disaster take place.
Programmable Logic Controllers (PLC)
A programmable logic controller or programmable controller is an industrial digital computer which has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability, ease of programming and process fault diagnosis. The original Stuxnet malware attack targeted the programmable logic controllers (PLCs) used to automate machine processes.
Proxy Server
A server that acts as an intermediary between a user and the Internet.
Master Boot Record
A small program that runs whenever a computer boots up.
Protected Health Information (PHI)
A subset of PII that is protected by the HIPAA Privacy Act of 1996 Information that can be used to identify an individual AND that relates to that individual's past, present, or future physical or mental health care or payments
Buffer Overflow
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
Phishing
An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Port Scanning
An attack were an attacker scans your systems to see which ports are listening in an attempt to find a way to gain unauthorized access/
Electromagnetic Pulse (EMP)
An electromagnetic pulse that renders electronic equipment temporarily or permanently disabled. This is done through a surge of electricity that fries nearby electronic devices.
Digital Device
Any device that contains a computer or microcontroller. This could be anything from a digital clock to a smartphone. The opposite of this would be something such as an analog clock or a record player, without any form of computer control.
Information
Data converted into a meaningful and useful context
Data/Information Classification
Data has no meaning Information is meaningful data. Data doesn't depend on information but information depends on data. It is analyzed data..
Risk
Degree of uncertainty of return on an asset; in business, the likelihood of loss or reduced profit.
Script Kiddies
Inexperienced, usually young hackers who use programs that others have developed to attack computer and network systems and deface Web sites.
Control
Internal controls are processes that mitigate risk and reduce the chance of an unwanted risk outcome.
Dark Web
Internet content that can't be indexed by Google and other search engines.
Cybersecurity
It is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption of the services they provide. A strong cybersecurity system has multiple layers of protection spread across computers, devices, networks, and programs.
Kevin Mitnick
Known for hacking in late 90's. "White-Hat" hacker.
Host-based vs. Network-based defense
Network Based Firewall filters traffic going from Internet to secured LAN and vice versa, a host based firewall is a software application or suite of applications installed on a single computer and provides protection to the host.
Operational Resilience
Operational resilience is the ability of an organization to continue to provide business services in the face of adverse operational events by anticipating, preventing, recovering from, and adapting to such events
Patches and Patch Management
Patch management is the process that helps acquire, test, and install multiple patches on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining what patches are the appropriate ones
Hactivism
Political, social, or religious activism taken online; sometimes called cyberterrorism.
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access.
General Data Protection Regulation (GDPR)
Proposed set of regulations adopted by the European Union to protect Internet users from clandestine tracking and unauthorized personal data usage.
Cloud (private, public, hybrid)
Public cloud is cloud computing that's delivered via the internet and shared across organizations. Private cloud is cloud computing that is dedicated solely to your organization. Hybrid cloud is any environment that uses both public and private clouds.
Cybersecurity Attack Stages
Reconnaissance Hackers begin by researching you or your company online—gathering names, titles, and email addresses of people who work for the organization. The whole point of this phase is getting to know the target. They identify one person to target and then plan their avenue of attack. Weaponization In this phase, the hacker uses the information that they gathered in the previous phase to create the things they will need to get into the network. This could be creating believable Spear Phishing emails that look like they are from a known vendor or other business contact or fake web pages. But the sole purpose is to capture your user name and password, or to offer you a free download of a document or something else of interest. Delivery Phishing e-mails are sent to the people researched, or Watering Hole web pages are posted to the Internet and the attacker waits for all the data they need to start rolling in. Exploitation As usernames and passwords arrive, the hacker tries them against web-based e-mail systems or VPN connections to the company network. If malware-laced attachments were sent to a business, then the attacker remotely accesses the infected computers. The attacker explores the network and gains a better idea of the traffic flow on the network, what systems are connected to the network and how they can be exploited. Installation If someone were to click on a link to a phishing email, the malicious software takes root or the malware inadvertently downloads. In this phase the attacker makes sure that they continue to have access to the network and can stay in the system as long as they need to. Command & Control Once the malicious code has been installed, the hacker now has access to the entire network or administrator accounts. They can look at anything, impersonate any user on the network, and for instance, can even send emails from a CEO of a company to all its employees. At this point they are in control. They can lock you out of your entire network if they want to. Action on objective Now that the hacker is in control, they can extract whatever information they've been targeting. This could be stealing information on employees, customers, product designs, or they can start messing with the operations of a company. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.
Risk Register
Risk registers are a widespread utility among many cybersecurity professionals that allow practitioners to track and measure risks in one place. This type of reporting can quickly help align your teams to the initiatives that matter and can save an organization valuable resources, time and labor. As shown below, your risk register should include: Risk Description: Describe the risk being measured and how it threatens the organization. Cause: The event or trigger that causes the risk to happen. Result or Impact: The impact your organization faces if the risk occurs. Likelihood: How probable the risk is to happen to your company. Outcome: How detrimental the risk can be if it happens. Risk Level: How high of a priority the risk is to your organization based on your risk matrix. Cost: Expense to mitigate the risk or minimize its impact as much as possible. Mitigation Actions: What actions were taken to mitigate the risk.
Secure Configuration
Secure configuration refers to security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary cyber vulnerabilities. Security misconfigurations are one of the most common gaps that criminal hackers look to exploit.
Procedural Control
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Cipher
Serves as the foundation for data protection privacy and national security issues. An algorithm (mathematical function) for performing encryption or decryption
SCADA
Supervisory control and data acquisition (SCADA) is a control system architecture comprising computers, networked data communications and graphical user interfaces (GUI) for high-level process supervisory management, while also comprising other peripheral devices like programmable logic controllers (PLC) and discrete proportional-integral-derivative (PID) controllers to interface with process plant or machinery.
Cybersecurity and Infrastructure Security Agency (CISA)
The CISA is a standalone U.S. federal agency, an operational component under Department of Homeland Security oversight. It was established recently in November 2018, when President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act The CISA leads the effort to enhance the security, resiliency, and reliability of the Nation's cybersecurity and communications infrastructure. It is essentially the Nation's risk advisor, working with partners to defend against today's threats, while collaborating to build more secure and resilient infrastructure for the future.
Internet Protocol (IP)
The network protocol that deals with the routing of packets through interconnected networks to the final destination
Attack Vector
The pathway or point of entry that a hacker can use to gain unauthorized access to a system or network
Cybersecurity Framework
There are 5 pillars or functions included in the Framework: Identify, Protect, Detect, Respond, Recover Identify: developing an understanding of the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts Protect: outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event Detect: enables timely discovery of cybersecurity events Ensuring anomalies in a system or network are detected, and their potential impact is understood Respond: the actions taken regarding a detected cybersecurity incident The Respond Function supports the ability to contain the impact of a potential cybersecurity incident, while also mitigating or preventing an expansion of an attack Recover: supports timely recovery to normal operations to reduce the impact from a cybersecurity incident
DMZ
This type of security which places an organization's less secure or exposed services in their own bubble, away from the more important databases and services that the organization may have. This is done so that if by some chance one of these more vulnerable resources is compromised, the hacker will not be able to gain access to the more secure and important networks. In other words, the less vulnerable services are put in a separate network from the more important services.
Advanced Persistent Threats (APTs)
This type of threat is one which is usually conducted by a nation-state, or by an advanced group of hackers. This type of attack involves the hacker gaining access to their target and then lurking inside the network/system and slowly mining data and gathering information. As the name suggests, the attack is persistent, so this type of attack is a slow spread, similar to what we learned about during the Equifax Case Study.
Certified Information Systems Security Professional (CISSP)
a certification sought by IT professionals; hiring organizations often look for candidates who have passed the CISSP exam because candidates with the CISSP credential are sufficiently knowledgeable about cybersecurity to be able to pass the certification exam, and have hands-on experience and, potentially, formal CISSP training.
Intrusion Detection System (IDS)
a computer program that senses when another computer is attempting to scan or access a computer or network
Firewall
a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
Hacker
a person who uses computers to gain unauthorized access to data.
Hotspot
a physical location where people can access the Internet, typically using Wi-Fi, via a wireless local area network (WLAN) with a router connected to an Internet service provider.
Data Loss Prevention (DLP)
a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users System ensures compliance with HIPAA, FERPA, and other governmental cyber safety standards.
Signature
a signature is a typical footprint or pattern associated with a malicious attack on a computer network or system. This pattern can be a series of bytes in the file (byte sequence) in network traffic. It can also take the form of unauthorized software execution, unauthorized network access, unauthorized directory access, or anomalies in the use of network privileges.
File Integrity Monitoring (FIM)
an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted "baseline."
Cyber Risk
risk of financial loss, disruption or damage to the reputation of an organization resulting from the failure of its information technology systems
Protocols
technical rules governing data communication
NIST Framework
the Framework provides a common taxonomy and mechanism for organizations to: 1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; 5) Communicate among internal and external stakeholders about cybersecurity risk
Nonrepudiation
the assurance that someone cannot deny the validity in something. It is widely used in information security to refer to a service, which provides proof of the origin and integrity of the data
Operating System
the software that supports a computer's basic functions, such as scheduling tasks, executing applications, and controlling peripherals.
Risk Analysis
•This process will provide the basis to evaluate risks and make decisions about how to treat risks. The process includes estimating risks.