Principals of cybersecurity Chap 7-12

Blacklists

A blacklist is used to document hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been associated with malicious activity. Blacklists, also known as hot lists, typically allow IDPSs to block activity that is highly likely to be malicious, and may also be used to assign a higher priority to alerts that match blacklist entries. Some IDPSs generate dynamic blacklists that are used to temporarily block recently detected threats (e.g., activity from an attacker's IP address).

transposition cipher

A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a permutation cipher.

Vernam Cipher

A cryptographic technique developed at AT&T and known as the "one-time pad," this cipher uses a set of characters for encryption operations only one time and then discards it.

project scope

A description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.

packet sniffer

A device or program that monitors network communications and captures data.

request for proposal (RFP)

A document specifying the requirements of a project, provided to solicit bids from internal or external contractors.

Diffie-Hellman key exchange

A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.

message authentication code (MAC)

A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.

bull's-eye model

A method for prioritizing a program of complex change; it requires that issues be addressed from the general to the specific and focuses on systematic solutions instead of individual problems.

Change Control

A method of regulating the modification of systems within the organization by requiring formal review and approval for each change.

difference analysis

A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).

Alarm clustering and compaction :

A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms.

padded cell system

A protected honeypot that cannot be easily compromised.

Secure Sockets Layer (SSL)

A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet.

Secure Multipurpose Internet Mail Extensions (S/MIME)

A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.

Link Encryption

A series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it and then reencrypts the message using different keys and sends it to the next neighbor. This process continues until the message reaches the final destination.

projectitis

A situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.

Mantrap

A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.

plenum

A space between the ceiling in one level of a commercial building and the floor of the level above. The plenum is used for air return.

milestones

A specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete.

Secure Hash Standard (SHS)

A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.

Privacy-Enhanced Mail (PEM)

A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.

polyalphabetic substitutions

A substitution cipher that incorporates two or more alphabets in the encryption process.

monoalphabetic substitution

A substitution cipher that only incorporates a single alphabet in the encryption process.

intrusion detection systems (IDS)

A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.

Thresholds

A threshold is a value that usually specifies a maximum acceptable level, such as x failed connection attempts in 60 seconds, or x characters for a filename length. Thresholds are most often used for anomaly-based detection and stateful protocol analysis.

certificate authority (CA)

A trusted third-party agency that is responsible for issuing digital certificates.

message digest

A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient's locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a hash value.

closed-circuit television (CCT)

A video capture and recording system used to monitor a facility.

fully distributed IDPS control strategy

An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component

centralized IDPS control strategy

An IDPS implementation approach in which all control functions are implemented and managed in a central location.

partially distributed IDPS control strategy

An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.

Site policy awareness

An IDPS's ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment

Vigenère cipher

An advanced type of substitution cipher that uses a simple polyalphabetic code.

False positive

An alert or alarm that occurs in the absence of an actual attack.

Trap-and-trace

An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.

Bit stream cipher

An encryption method that involves converting plaintext to ciphertext one bit at a time.

Block Cipher

An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.

symmetric encryption

An encryption method whereby the same key is used to encode and to decode the message

True attack stimulus

An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress

False attack stimulus

An event that triggers an alarm when no actual attack is in progress.

Alert or alarm

An indication or notification that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows

standby or offline UPS

An offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down.

Plaintext or Cleartext

An original message or file that has not yet been encrypted

Zero day vulnerabilities

An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss.

evidentiary material (EM)

Any information that could potentially support the organization"s legal or policy based case against the subject.

Resources

Components required for the completion of a project, which could include skills, personnel, time, money, and material.

transport mode

In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.

certificate revocation list (CRL)

In PKI, a published list of revoked or terminated digital certificates.

registration authority (RA)

In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions. ,

digital forensics .

Investigations that involve the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much an art as a science.

tunnel mode

Mode that IPSec protocols can work in that provides protection for packet headers and data payload.

Digital certificates

Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.

successors

Tasks or action steps that come after the specific task at hand.

predecessors

Tasks or action steps that come before the specific task at hand.

Digital Signature Standard (DSS)

The NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme.

Work Factor

The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.

external monitoring domain

The component of the maintenance model that focuses on evaluating external threats to the organization's information assets.

internal monitoring domain

The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.

parallel operations

The conversion strategy that involves running the new system concurrently with the old system.

Keyspace

The entire range of values that can be used to construct an individual key.

False negative

The failure of an IDPS to react to an actual attack event.

attack surface

The functions and features that a system exposes to unauthenticated users. . As a general design goal, security practitioners seek to reduce the attack surface of each system to minimize the potential for latent defects and unintended consequences to cause losses.

intrusion detection and prevention system (IDPS)

The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.

Key or Cryptovariable

The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to manipulate the plaintext. Sometimes called a cryptovariable.

intranet vulnerability assessment

The intranet vulnerability assessment process is designed to find and document selected vulnerabilities that are likely to be present on the internal network of the organization.

Algorithm

The mathematical formula or method used to convert an unencrypted message into an encrypted message. This sometimes refers to the programs that enable the cryptographic processes.

Confidence value

The measure of an IDPS's ability to correctly detect and identify certain types of attacks.

footprinting

The organized research and investigation of Internet addresses owned or controlled by a target organization. the process of collecting publicly available information about a potential target

Evasion

The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.

Tuning

The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.

Alarm filtering :

The process of classifying IDPS alerts so they can be more effectively managed

gap analysis

The process of comparing measured results against expected results, then using the resulting "gap" as a measure of project success and as feedback for project management.

Decryption

The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext). Also referred to as deciphering

Code

The process of converting components (words or phrases) of an unencrypted message into encrypted components.

protocol stack verification ,

The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.

Steganography

The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.

Cryptography

The process of making and using codes to secure information.

Cryptanalysis

The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.

nonrepudiation

The process of reversing public-key encryption to verify that a message was sent by the sender and thus cannot be refuted. ,

maintenance model

The recommended maintenance model is based on five subject areas or domains: External monitoring Internal monitoring Planning and risk assessment Vulnerability assessment and remediation Readiness and review

Site policy

The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

Ciphertext or Cryptogram

The unintelligible encrypted or encoded message resulting from an encryption.

Class C fires:

These fires are caused by energized electrical equipment or appliances. Class C fires are extinguished with nonconducting agents only. Carbon dioxide, multipurpose dry chemical, and Halon fire extinguishers are ideal for these types of fires. Never use a water fire extinguisher on a Class C fire.

Class K fires:

These fires are fueled by combustible cooking oil and fats in commercial kitchens. These fires are classified as Class F in Europe and Australasian environments. These fires require special water mist, dry powder, or CO 2 agents to extinguish.

Class B fires:

These fires are fueled by combustible liquids or gases, such as solvents, gasoline, paint, lacquer, and oil. Class B fires are extinguished by agents that remove oxygen from the fire. Carbon dioxide, multipurpose dry chemical, and Halon fire extinguishers are ideal for these types of fires.

Class D fires:

These fires are fueled by combustible metals, such as magnesium, lithium, and sodium. Class D fires require special extinguishing agents and techniques.

Class A fires:

These fires involve ordinary combustible fuels such as wood, paper, textiles, rubber, cloth, and trash. Class A fires are extinguished by agents that interrupt the ability of the fuel to be ignited. Water and multipurpose dry chemical fire extinguishers are ideal for these types of fires.

log file monitor (LFM)

Using an LFM, the system reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred. This attack detection is enhanced by the fact that the LFM can look at multiple log files from different systems

Cipher

When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa (see decipher and encipher); when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with cryptosystem.

digital malfeasance

a crime against or using digital media, computer technology, or related components

Exclusive OR operation (XOR)

a function within Boolean algebra used as an encryption function in which two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary 1.

asymmetric encryption( public-key encryption )

a type of cryptographic based on algorithms that require two keys -- one of which is secret (or private) and one of which is public (freely known to others).

Honeypots

are decoy systems designed to lure potential attackers away from critical systems. In the industry, they are also known as decoys, lures, and flytraps. When several honeypot systems are connected together on a network segment, it may be called a honeynet . A honeypot system or honeynet subnetwork contains pseudo-services that emulate well-known services, but it is configured in ways that make it look vulnerable to attacks. This combination is meant to lure attackers into revealing themselves—the idea is that once organizations have detected these attackers, they can better defend their netw

Hash functions

are mathematical algorithms used to confirm the identity of a specific message and confirm that the content has not been changed.

Air-aspirating detectors

are sophisticated systems that are used in high-sensitivity areas. They work by taking in air, filtering it, and moving it through a chamber that contains a laser beam. If the laser beam is diverted or refracted by smoke particles, the system is activated.

port scanners

are tools that can either perform generic scans or those for specific types of computers, protocols, or resources

attack protocol

attack protocol A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.

Anomaly-based detection (or behavior-based detection )

collects statistical summaries by observing traffic that is known to be normal. This normal period of evaluation establishes a performance baseline over a period of time known as the training period. Once the baseline is established, the IDPS periodically samples network activity and uses statistical methods to compare the sampled activity to the baseline. When the measured activity is outside the baseline parameters—exceeding the clipping level —the IDPS sends an alert to the administrator

deliverables

completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project

network-based IDPS (NIDPS)

consists of a specialized hardware appliance and/or software designed to monitor network traffic. The NIDPS may include separate management software, referred to as a console, and a number of specialized hardware and/or software components referred to as agents or sensors .

Ionization sensors

contain a small amount of a harmless radioactive material within a detection chamber. When certain by-products of combustion enter the chamber, they change the level of electrical conductivity within the chamber and activate the detector. Ionization sensors are much more sophisticated than photoelectric sensors and can detect fires much earlier, because invisible by-products can be detected long before enough visible material enters a photoelectric sensor to trigger a reaction

Thermal detection systems

contain a sophisticated heat sensor that operates in one of two ways.

Rate-of-rise sensors

detect an unusually rapid increase in the area temperature within a relatively short period of time. In either case, the alarm and suppression systems are activated if the criteria are met

Fixed-temperature sensors

detect when the ambient temperature in an area reaches a predetermined level—usually 135 to 165 degrees Fahrenheit, or 57 to 74 degrees Celsius

Active vulnerability scanners

examine networks for highly detailed information. An active scanner is one that initiates traffic on the network to determine security holes. An example of a vulnerability scanner is Nessus

signature-based detection

examines network traffic in search of patterns that match known signatures —that is, preconfigured, predetermined attack patterns.

substitution cipher

exchanges one value for another—for example, it might exchange a letter in the alphabet with the letter three values to the right, or it might substitute one bit for another bit four places to its left.

Technology governance

guides how frequently technical systems are updated and how technical updates are approved and funded. Technology governance also facilitates communication about technical advances and issues across the organization.

line-interactive UPS

has a substantially different design than the previously mentioned UPS models. In line-interactive UPSs, the internal components of the standby models are replaced with a pair of inverters and converters.

standby ferroresonant UPS

improves upon the standby UPS design. It is still an offline UPS, with the electrical service providing the primary source of power and the UPS serving as a battery backup. The primary difference is that a ferroresonant transformer replaces the UPS transfer switch.

direct changeover

involves stopping the old method and beginning the new one. ( no overlap)

Penetration testing

is a level of sophistication beyond vulnerability testing. A penetration test, or pen test, is usually performed periodically as part of a full security audit. In most security tests, such as vulnerability assessments, great care is taken not to disrupt normal business operations, but in pen testing the analyst tries to get as far as possible by simulating the actions of an attacker

Secure HTTP (S-HTTP)

is an extended version of Hypertext Transfer Protocol that provides for the encryption of individual messages transmitted via the Internet between a client and server.

IP Security (IPSec)

is an open-source protocol framework for security development within the TCP/IP family of protocol standards. It is used to secure communications across IP-based networks such as LANs, WANs, and the Internet.

monitoring port , also known as a switched port analysis (SPAN) port or mirror port ,

is capable of viewing all traffic that moves through the entire device.

platform security validation (PSV)

is designed to find and document vulnerabilities that may be present because misconfigured systems are used in the organization.

Internet vulnerability assessment

is designed to find and document vulnerabilities that may be present in the organization's public network.

phased implementation

is the most common conversion strategy and involves a measured rollout of the planned system, with only part of the system being brought out and disseminated across an organization before the next piece is implemented.

vulnerability assessment and remediation domain

is to identify specific, documented vulnerabilities and remediate them in a timely fashion. This is accomplished by:

planning and risk assessment domain

is to keep lookout over the entire information security program, in part by identifying and planning ongoing information security activities that further reduce risk.

passive vulnerability scanner

listens in on the network and identifies vulnerable versions of both server and client software

intrusion

occurs when an attacker attempts to gain entry into an organization's information systems or disrupt their normal operations.

Project wrap-up

procedural task and assigned to a mid-level IT or information security manager. These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting. The goal of the wrap-up is to resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process for the future.

delta conversion online UPS

resolves this issue by incorporating a device known as a delta-conversion unit, which allows some of the incoming power to be fed directly to the destination computers, thus reducing the amount of energy wasted and heat generated.

whitelist

s a list of discrete entities that are known to be benign. Whitelists are typically used on a granular basis, such as protocol by protocol, to reduce or ignore false positives involving known benign activity from trusted hosts. Whitelists and blacklists are most commonly used in signature-based detection and stateful protocol analysis.

wireless vulnerability assessment

s designed to find and document vulnerabilities that may be present in the organization's wireless local area networks

Public key infrastructure (PKI)

systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs

pilot implementation

the entire security system is put in place in a single office, department, or division before expanding to the rest of the organization. The pilot implementation works well when an isolated group can serve as the "guinea pig," which prevents any problems with the new system from dramatically interfering with the performance of the organization as a whole.

double conversion online UPS

the primary power source is the inverter, and the power feed from the utility is constantly recharging the battery, which in turn powers the output inverter.

stateful protocol analysis (SPA)

the system compares known normal or benign protocol profiles against observed traffic. These profiles are developed and provided by the protocol vendors

Fire suppression systems

typically work by denying an environment one of the three requirements for a fire to burn: temperature (an ignition source), fuel, and oxygen.

Photoelectric sensors

use infrared beams that activate the alarm when interrupted, presumably by smoke

flame detector

which detects the infrared or ultraviolet light produced by an open flame

pen registers

while pen registers are used frequently in law enforcement and antiterrorism operations to record outbound communications attributes.*