Sec+ 601
Connect LAN segments together without collisions
Bridge, Router, Switch
Password Susceptible Attacks
Brute force, social engineering, dictionary, sniffing
Firewall default setting
By default, firewalls implicitly deny all traffic
Preservation order for forensic analysis
Order of volatility, most volatile first: CPU cache and registers, RAM, running processes and network state, hard drives, backup media. Capture the most volatile sources first because they are lost at power-off.
Prioritization for forensic evidence gathering
CPU registers, Routing table, Temporary Files, Event logs, Backup Tapes
Volatile data order
CPU registers, memory, temporary files, remote monitoring data
Credential Harvesting
The use of phishing, smishing, SPAM/SPIM, malware, MITM attacks, DNS poisoning and similar techniques to amass large numbers of credentials (username/password combinations) for later reuse. Harvested sets are commonly posted or sold on paste sites.
Group policies
Can be used to manage servers, client computers, users, and domain controllers. Enforces security settings for all computers in the domain, so a setting changed once in the policy applies everywhere on the next refresh.
Root Certificate Authority (CA)
Top of the PKI trust hierarchy. Its certificate is self-signed (the root signs its own public key) and it issues certificates to subordinate CAs. Because every certificate in the chain depends on it, the root is kept offline as much as possible.
Anything as a Service (XaaS)
Cloud model that delivers IT as a service through hybrid cloud computing and works with a combination of SaaS, IaaS, PaaS, CaaS, DBaaS, and/or BPaaS
C2 Server
Command and Control Infrastructure, also known as C2 or C&C, is the set of tools and techniques that attackers use to maintain communication with compromised devices following initial exploitation
ad hoc
Communications mode that enables wireless devices to communicate directly.
Worm (malware)
Self-replicating malware that spreads on its own across networks, memory, and disks by exploiting vulnerabilities or weak credentials. Unlike a virus it does not need a host file or user action to propagate.
CRL (Certificate Revocation List)
Contains a list of serial numbers for digital certificates that have not expired but a CA has specified to be invalid.
hot and cold aisles
Control airflow in the data center
Disk Mirroring
Copies the content written on one hard drive to the other hard drive. This will lower the Mean Time to Repair (MTTR) for a hard drive's data.
COPE
Corporate Owned and Personally Enabled
Corrective-Technical control
Corrects an issue after a security breach has occurred; antivirus quarantine/removal and restoring a server from a known-good image are examples of this category.
data retention mandate
Create a separate daily backup archive for all applicable tax records
Prevent the use of removable devices
Create an operating system security policy to prevent the use of removable media
Virtualization
Creates multiple "virtual" machines on a single physical computing device by means of a hypervisor. Each VM consumes CPU, memory, and storage on the host, so the host requires substantial resources.
typo squatting
Creating domains that are based on the misspelling of another.
Cryptographic solutions: implementation vs algorithm
The algorithm is the mathematical design (for example AES); the implementation is the code or hardware that performs it. Crypto modules and crypto service providers supply those implementations to applications. A sound algorithm can still be undermined by a flawed implementation (weak random numbers, side channels, poor key handling), so validated modules are preferred over home-grown code.
Lightweight cryptography
Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.
Diffusion
Cryptographic property whereby a change of a single input bit results in a change of roughly half of the output bits (the avalanche effect), so the output reveals no local structure of the input.
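The avalanche behaviour described above, as an added example that is not part of the original card set: it flips one input bit at a time, hashes with SHA-256, and counts how many output bits change, and contrasts that with a toy XOR checksum that has no diffusion. The message and the XOR "digest" are constructed for the demonstration.

```python
import hashlib


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def weak_digest(data: bytes) -> bytes:
    """Toy 1-byte XOR checksum (constructed for contrast): a 1-bit input change moves exactly 1 output bit."""
    acc = 0
    for b in data:
        acc ^= b
    return bytes([acc])


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (bit 0 = least significant bit of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes, bit_index: int, digest=sha256_digest) -> int:
    """How many output bits change when a single input bit is flipped."""
    return hamming_distance(digest(data), digest(flip_bit(data, bit_index)))


def average_avalanche(data: bytes, digest=sha256_digest) -> float:
    """Average number of changed output bits over every single-bit flip of the input."""
    bits = len(data) * 8
    return sum(avalanche(data, i, digest) for i in range(bits)) / bits


if __name__ == "__main__":
    msg = b"The quick brown fox"  # constructed sample input
    print("SHA-256: flipping bit 0 changed", avalanche(msg, 0), "of 256 output bits")
    print(f"SHA-256 average over all flips: {average_avalanche(msg):.1f} (ideal is 128)")
    print("XOR checksum: flipping bit 0 changed", avalanche(msg, 0, weak_digest), "of 8 output bits")
```

For a well-diffusing 256-bit hash the count per flip is binomially distributed around 128; a digest whose count stays near 1 leaks which input bit changed.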
Cloud-based DLP
DLP solution that prevents sensitive data from leaving the cloud based storage of an organization
Fake telemetry
Deception strategy that returns spoofed data in response to network probes.
Acceptable Use Policy
Defines how users are allowed to use company systems, networks, and data, and the consequences of misuse.
trust model
Defines how various Certification Authorities (CA) trust each other. Also defines how the client of a given CA would trust the certificate from another CA.
Information Policy
Defines the sensitivity of company data and the proper handling of data
Qualitative Risk Analysis
Determining the impact of identified risks on the project and the probability they'll occur. Aligns risks in a priority order according to their effect on the project objectives.
geographic dispersal
Disperse technologies to different geographies in case of natural disasters
sideloading
Installing an app from outside the official app store, for example from an unofficial third-party website, which bypasses the store's vetting of the application.
(Storage Area Network)SAN to SAN replication
Duplicate data from one data center to another.
LDAP Data Interchange Format (LDIF)
Enables LDAP servers to exchange directory information.
PPP (Point-to-Point Protocol)
Data link protocol that carries IP over a direct point-to-point link, such as a dial-in connection, giving the computer most of the benefits of a direct connection. Supports PAP and CHAP for link authentication.
Network Access Control (NAC) Policies
Ensure the customer devices have the appropriate security technologies configured on their devices before they connect to your wireless access point.
BitLocker To Go
Ensures that USB Flash Drives are protected by encryption.
fault tolerance
Ensures that you have the required number of components plus one extra to plug into any system incase of failure
error handling
Catching and handling unexpected conditions so the application fails safely instead of crashing or leaking internal details. Pairs with input validation, in which every input is checked against a range of acceptable values before use.
SSL/TLS Inspection
Examines outgoing SSL/TLS traffic. An inspection device terminates the client's TLS session, decrypts and examines the traffic, then re-encrypts it to the destination. It relies on trust: the browser trusts the inspection device's CA certificate, which is pre-installed on managed endpoints, so encryption is no longer end-to-end between browser and server at that point.
Web Application Firewall (WAF)
Examines user-input to a browser-based application, allows or denies traffic based on expected input.
SFTP (Secure File Transfer Protocol)
File transfer over SSH
application-level firewall
Firewall is most detrimental to network performance because it requires more processing per packet.
hardware firewall
Firewall that is purchased with a fixed number of interfaces available.
Python (Scripting)
General-purpose scripting language • Contains a ".py" file extension
OAuth 2.0
Grants an application limited access to a user's account on a 3rd party site.
TCP 80
HTTP (Hypertext Transfer Protocol).
Disk Backup
Hard drives are also a faster medium to use if you're writing or reading from that drive. And it's also a method that can be used with deduplication and compression of data, making for a more efficient set of backups.
RBAC (Role Based Access Control)
Has a low security cost because security is configured based on roles. It is also easier to implement than the other access control models.
GOST
Hash algorithm created by the Russians. Produces a fixed length output of 256bits.
SHA-1
Hashing algorithm that creates a 160-bit message digest, which can be used to determine whether a file has changed since the digest was created. Deprecated for signatures and certificates because practical collisions have been demonstrated; use SHA-256 or stronger.
behavior based IDS
IDS. Looks for behavior that is not allowed and reacts accordingly.
Spoofing
A person or program successfully pretends to be another person or program, for example by forging the source IP or MAC address of a trusted host to gain access without authenticating.
Heuristic
IPS technology uses artificial intelligence to identify attacks that have no prior signature.
ISO 31000
ISO Standard related to Risk Management
ISO 27701
ISO Standard that focuses on personal data and privacy
gait analysis
Identify a person based on how they walk
Software diversity
Normally every copy of an OS or application is the same binary, so a vulnerability found in Windows 10 is exploitable on every machine until all of them are patched. Software diversity has the compiler produce slightly different binaries for each installation, for example by varying code layout and execution paths at compile time, so everyone still runs Windows 10 but an exploit written against one machine's binary may not work on another's.
Resource policies
Cloud permission rules attached to resources such as storage buckets, stating which identities may perform which actions. If managed improperly, they are the most detrimental factor to access management of cloud-based storage resources.
Line-interactive UPS (uninterruptible power supply)
If the voltage is slowly diminishing on the line, the UPS can slowly ramp up the amount of power being provided by the batteries. So during brownouts or times when the voltage is not at optimal levels, the UPS can fill in the differences for the power source.
Passive Vulnerability Scan
Impacts the host and network less than other scan types: observes traffic and configuration to infer weaknesses without exploiting them or sending probes that could disrupt the target.
An application team has been provided with a hardened version of Linux to use with a new application rollout, and they are installing a web service and the application code on the server. Which of the following would BEST protect the application from attacks?
Implement a secure configuration of the web service. Vendor documentation for many services includes a list of hardening recommendations: account restrictions, file permission settings, internal service configuration options, and other settings that make the service as secure as possible.
Data Control Language (DCL)
Implements security through access control and granular restrictions for databases.
Transit Gateway
In cloud computing, a virtual router deployed to facilitate connections between Virtual Private Cloud (VPC) subnets and VPN gateways. Connects VPCs to one another through a single hub, and connects users (via VPN) to those VPCs.
brute force attack: online/offline
In the online mode of the attack, the attacker must use the same login interface as the user application. In contrast, the offline mode of the attack requires the attacker to steal the password file first, but enables an unconstrained guessing of passwords, free of any application or network related rate limitations.
man-in-the-browser (MITB)
Infects a vulnerable web browser and modifies online transactions. Similar to MITM. Executing code on the browser of the victim.
ISO 27002 Standard
Information security controls are the focus of the ISO standard
federation
Instead of maintaining your own database of usernames and passwords, you can use authentication information that's already contained at a different site. A way that you can allow someone to authenticate to your network, using credentials that are stored with a third party.
proxy
Intercept all browser requests and cache the results
stored procedure
A precompiled SQL routine stored in the database, often used to enforce business rules. The client calls the procedure by name with parameters instead of sending detailed raw SQL, so the statement structure is fixed on the server and the client cannot alter it. This limits what a customer interaction can do and helps prevent SQL injection.
MITRE ATT&CK Framework
A knowledge base of adversary tactics, techniques, and procedures observed in real intrusions: points of initial access, the methods attackers use to move around, and the mitigations and detections that apply to each technique. Threat intelligence built on ATT&CK is often shared using STIX (a format for expressing threat information) and TAXII (a transport for exchanging it), but those are separate standards, not components of the framework.
Runbook
Is a set of steps required to complete a task. An example of a runbook would be the process of resetting a password, creating a website certificate, or backing up application data
Tokenization
Is a technique that replaces user data with a non-sensitive placeholder, or token. Is commonly used on mobile devices to purchase using a credit card without transmitting the credit card number.
Forensic Toolkit (FTK) Imager
Is a third-party storage drive imaging tool and it can support many different drive types and encryption methods. Will not identify software vulnerabilities
data owner
Is accountable for specific data, and is often a senior officer of the organization. Responsible for determining access control using Discretionary Access Control (DAC)
Metasploit
Is an exploitation framework that can use known vulnerabilities to gain access to remote systems. Performs penetration tests and can verify the existence of a vulnerability
disaster recovery plan
Is created to ensure that your company is able to resume operation in a timely manner.
Certificate Signing Request (CSR)
Is sent with the public key to the certificate authority. Once the certificate information has been verified, the CA will digitally sign the public key certificate.
Mean Time to Restore (MTTR)
The average time it takes to repair a failed component and return it to service. If this time is too high for a storage drive, add another drive and implement disk mirroring so the data stays available while the repair happens.
ipconfig command
Issue this command with the /release switch to release your computer's lease on the TCP/IP configuration it received from the DHCP server (and /renew to request a new one).
Subordinate Certificate Authority (CA)
A CA whose own certificate was issued by the root (or by an intermediate) CA. It issues end-entity certificates on the root's behalf, so the root can stay offline and a compromise can be contained by revoking only the subordinate's certificate.
Port Aggregation
Joining multiple network device ports together for increased bandwidth and redundancy.
AAA Framework: Accounting
Keeping logs of activities and resources used
Ephemeral keys
Keys generated for a single session (or a single use) and then discarded. Because they are never reused, compromise of a long-term key does not expose past sessions (forward secrecy).
directory information tree (DIT)
LDAP entries are contained in a DIT. DIT is a structure that can be searched for directory information.
SCADA (supervisory control and data acquisition)
Large scale, distributed, measurement and control systems used to monitor or to control chemical, physical, or transport processes. To mitigate security risks implement: application firewalls, firmware version control, network segments, and Access Control Lists (ACL)
chmod
Linux command (change mode) is used to modify the access rights and permissions of files stored on the system. The chmod command is not used to create system images.
memdump command
Linux command that is used to make a copy of everything stored in local system memory. This dump of memory does not contain any local storage drive files.
LBFO
Load Balancing / Fail Over: Aggregate bandwidth, redundant paths
Malicious USB cable
Looks like a normal USB cable. OS identifies it as a Human Interface Device (HID). When plugged in, can start typing anything into the system to download/install malicious software, GPS tracking
Mobile Device Security Concerns
Mobile devices are low-power endpoints that leave the corporate perimeter, so concerns include loss or theft, untrusted networks, sideloaded apps, and weak or absent device encryption.
SSL (Secure Sockets Layer) stripping
MITM attack that downgrades a connection from HTTPS to HTTP (strips the S from HTTPS): the attacker sits between victim and target, keeps the HTTPS session to the server for itself, and serves the victim plain HTTP, so it can read and modify the data. Mitigations: 1. Serve everything over HTTPS. 2. Enable HSTS (HTTP Strict Transport Security), which forces clients/browsers to connect only over HTTPS; preloading the domain in browsers closes the first-visit gap.
asymmetric encryption
MOST effective use of asymmetric encryption: securely deriving a session key. Asymmetric encryption provides confidentiality because the public key encrypts content that only the private key holder can read, but it is slow for bulk data. The Diffie-Hellman process combines each side's private key with the other side's public key to derive the same session key on both sides of a conversation without ever sending that session key across the network; the symmetric session key then protects the bulk traffic.
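The Diffie-Hellman exchange described above, as an added example that is not part of the original card set. Both sides compute the same shared secret from their own private value and the peer's public value, then run it through HKDF (RFC 5869) together with a transcript to get a session key; the 2048-bit modulus is RFC 3526 group 14, transcribed here and worth checking against the RFC before production use. The transcript bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Transcribed; verify against the RFC.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def keypair():
    """Fresh (private, public) pair. A 256-bit exponent is ample for a 2048-bit group."""
    priv = secrets.randbits(256) | (1 << 255)
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    """Combine our private value with the peer's public value; reject degenerate public values."""
    if not 2 <= peer_pub <= P - 2:  # 0, 1 and P-1 would force a trivially known secret
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(secret: int, transcript: bytes) -> bytes:
    """Never use the raw DH output as a key; derive a 32-byte key bound to the handshake transcript."""
    ikm = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hkdf_sha256(ikm, salt=b"", info=b"dh-session-key|" + transcript, length=32)


if __name__ == "__main__":
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    transcript = b"constructed transcript: both public values and the cipher suite"
    k_a = session_key(shared_secret(a_priv, b_pub), transcript)
    k_b = session_key(shared_secret(b_priv, a_pub), transcript)
    print("keys match:", k_a == k_b, k_a.hex())
```

Only the public values and the transcript cross the wire; each side keeps its private exponent, which is what makes the derived key unknowable to an eavesdropper. Using a fresh pair per session (ephemeral DH) gives forward secrecy.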
VM replication
Maintain one VM, replicate to all others. Maintain copies anywhere in the world. Provides a backup if needed.
WEP/WPA Cracking
Captured traffic is analysed offline to recover the pre-shared key used on the access point. WEP's weak IV scheme allows the key to be computed directly from enough captured packets; WPA/WPA2-PSK requires a dictionary attack against a captured four-way handshake.
RADIUS Federation
Members of one organization can authenticate to the network of another organization.
Memory Vulnerabilities
Memory leak. Buffer overflow. Integer overflow. Pointer dereference. DLL injection
RAID 1
Minimum number of drives: 2 Striping: No Mirroring: Yes Parity Data: No a mirrored configuration where data is duplicated across multiple drives, and at least two drives are required to provide a duplicate copy. Since an exact replica of data resides on another drive, parity data is not required.
RAID 0 (striping)
Minimum number of drives: 2 Striping: Yes Mirroring: No Parity Data: No Since the data is not mirrored and parity data is not available, a single drive failure will result in loss of data. 0 redundancy
RAID 5
Minimum number of drives: 3 Striping: Yes Mirroring: No Parity Data: Yes a combination of striping and parity. Information is striped between at least three physical drives, and additional parity information is stored on one of the drives. If a single drive fails, the missing data will be recalculated from the parity information.
Packet Sniffing
Monitors the data passing through the network by using promiscuous mode.
DDoS (Distributed Denial of Service)
Multiple computers are infected with malware (malicious software) so that an attacker may coordinate them to send requests to a web server at the same time.
UDP 123
NTP (Network Time Protocol)
Defense in Depth
Network segmentation, air gaps, firewalls, and virtualization used together so that no single control is relied on. Also called layered security.
Redundancy
In availability terms, duplicating components (power supplies, links, servers, data) so that a single failure does not cause an outage. In a process sense, a task or activity that is unnecessarily repeated.
Escalation of privileges attack
Occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application.
Hash collision
Occurs when the hashing algorithm produces the same hash from two different inputs, for example two different passwords; a system that compares hashes would then accept either one.
Weak encryption
Older encryptions such as DES and WEP should be updated to use newer and stronger encryption technologies.
legacy system
Older information systems that are often incompatible with other systems, technologies, and ways of conducting business. Incompatible legacy systems can be a major roadblock to turning data into information, and they can inhibit firm agility, holding back operational and strategic initiatives.
Multipartite virus
Infects in more than one way, typically both the boot sector and executable files on the hard drive, so cleaning only one part leaves the other to reinfect the system.
OAuth
Open Authorization standard. It is a common method for authorizing websites or applications to access information.
MITRE
Not-for-profit organization that operates federally funded research and development centers and maintains public security programs such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and the ATT&CK framework.
Partition Data
Partitioning the data on the file system is a way to improve the performance of the query when dealing with a large dataset in the Data lake. part of the file storage subsystem.
read-only memory (ROM)
Permanent storage; instructions are burned onto chips by the manufacturer.
SAE (Simultaneous Authentication of Equals)
Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
Vishing
Phishing attacks committed using telephone calls or VoIP systems to collect confidential information.
Smishing
Phishing attacks committed using text messages (SMS).
cross-over error rate (CER)
Point where False Acceptance Rate (FAR) and False Rejection Rate (FRR) are equal.
IMAP4 (Internet Message Access Protocol, version 4)
Port 143
NetBIOS (Network Basic Input/Output System)
Ports 137-139 (TCP/UDP). An older Microsoft Windows session service and API that allows applications on separate computers to communicate over a LAN; commonly disabled or blocked at the network perimeter.
Time to Live (TTL)
Primary loop protection on an IP network.
null pointer dereference
Programming technique that references a portion of memory. what happens if that reference points to nothing? Application crash, debug info displayed, DoS
Domain reputation
Protection for registered domains that provides monitoring and threat intelligence.
IPSec (Internet Protocol Security)
Protocol suite that authenticates IP packet headers and encrypts and encapsulates packets. Implemented to create VPNs. Works in tunnel mode (whole packet protected, used site-to-site) or transport mode (payload only, used host-to-host). Uses ESP (confidentiality plus integrity) and AH (integrity only) as its security protocols.
MOSS (MIME Object Security Services)
Protocol that uses the signed and encrypted framework to apply digital signature and encryption services to MIME objects.
Public Cloud
Provides cloud services to just about anyone
WPA/WPA2-Enterprise
Provides security. Uses 802.1X authentication to have individual passwords for individual users Requires RADIUS server
WPA/WPA2 Personal
Provides security. Uses a 256-bit pre-shared key derived from a passphrase; the same key is shared by every user, so a leaked passphrase compromises everyone.
Incident Response Process
Preparation, Identification, Containment, Eradication, Recovery, Lessons learned. Recognition, verification and classification of the event fall under identification; analysis continues through containment and eradication.
VM Attacks
Red Pill, Scoopy Doo, and LDT-based checks. These techniques let code detect whether it is running inside a virtual machine (for example by inspecting the address of the interrupt or local descriptor table), so malware can behave differently inside a sandbox.
PTZ - Pan Tilt Zoom
Refers to cameras that can move left and right, up and down, and get a closer or a wider view.
Implicit Deny
Rejecting access unless a condition is explicitly met. Default permission position in a secure network.
Deprovisioning
Removing a resource that is no longer needed, such as decommissioning an application or account. Remove its firewall rules and permissions so no open holes remain, but do not close rules that other systems still depend on.
Prevent Traffic Sniffing
Replace the hub with a switch. A switch forwards each frame only to the port of the host it is intended for, so a passive sniffer on another port sees nothing. MAC flooding and ARP spoofing can defeat this; port security and dynamic ARP inspection mitigate them.
Pharming
Reroutes requests for legitimate websites to false websites
Server Hardening
Resolve the issues of banner information leakage, web services running from a privileged account, and inconsistencies with SSL certificates.
NAT router
Router acts as the interface between a LAN and the internet using one IP address.
SNMPv3 (Simple Network Management Protocol version 3)
A protocol used to monitor and manage network devices such as routers and switches, including gathering metrics from routers at remote sites. Version 3 adds authentication and encryption; earlier versions send community strings in cleartext.
Warchalking
SSID and other authentication details regarding a wireless network are written down in a prominent public place.
Dynamic password
Same as a software-generated password. One time use passwords. Complex and hard to remember.
Internet Message Access Protocol (IMAP)
Mail retrieval protocol that leaves messages on the server (TCP 143). The secure variant, IMAPS, wraps it in TLS on TCP 993.
TKIP (Temporal Key Integrity Protocol)
Security protocol designed to replace Wired Equivalent Privacy (WEP) without requiring the replacement of legacy hardware.
Domain Validation Certificate
Server security certificate that is low cost, used by Web Admins to offer TLS to a domain.
Storage Area Network (SAN) replication
Share data between different devices. If one device fails, you can still work with the data.
Shimming
Shim databases are part of the Microsoft Windows Application Compatibility framework and are used to maintain compatibility with legacy applications by inserting code that modifies how a program or driver behaves. Attackers abuse the same mechanism to slot malware into the space between an application and the OS.
Replay attack
Sniffing the wired or wireless network, this attack captures packets and puts them back on the wire later. Packets can potentially be modified and retransmitted to look like legitimate packets. Sequencing (numbering messages and rejecting any that are old or repeated), timestamps, and per-session nonces mitigate the effectiveness of this type of attack.
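The sequencing mitigation described above, as an added example that is not part of the original card set. A sender authenticates each message with an HMAC over a sequence number and payload; a receiver that tracks the highest accepted sequence number rejects the replayed copy, while a receiver that only checks the MAC accepts it. The shared key and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-shared-key"  # assumed pre-shared between sender and receiver


def make_message(key: bytes, seq: int, payload: str) -> tuple:
    """Serialize (seq, payload) and attach an HMAC-SHA256 tag computed over the exact bytes sent."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class Receiver:
    """check_sequence=False models a receiver that validates the MAC but ignores ordering."""

    def __init__(self, key: bytes, check_sequence: bool = True):
        self.key = key
        self.check_sequence = check_sequence
        self.last_seq = 0  # highest sequence number accepted so far

    def receive(self, body: bytes, tag: str) -> str:
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "rejected: bad MAC"          # modified or forged packet
        msg = json.loads(body)
        if self.check_sequence and msg["seq"] <= self.last_seq:
            return "rejected: replay"           # old or duplicated packet
        self.last_seq = max(self.last_seq, msg["seq"])
        return f"accepted: {msg['payload']}"


if __name__ == "__main__":
    body, tag = make_message(KEY, 1, "transfer 100")
    strict, naive = Receiver(KEY), Receiver(KEY, check_sequence=False)
    print("first delivery:", strict.receive(body, tag))
    print("replayed copy: ", strict.receive(body, tag))
    print("tampered copy: ", strict.receive(body.replace(b"100", b"999"), tag))
    print("naive receiver accepts the replay:", naive.receive(body, tag), "/", naive.receive(body, tag))
```

The MAC proves the packet came from a key holder and was not modified, but by itself says nothing about when it was sent; only the state kept by the receiver (sequence number, nonce list, or timestamp window) defeats replay.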
debugging hooks
Software code intentionally embedded during development that lets the developer bypass regular access or authentication checks. If left in production code it becomes a backdoor.
PUPs (Potentially Unwanted Programs)
Software commonly installed during the process of installing desired software. While not inherently dangerous, it often does not add value for the user. Commonly downloaded by Trojan Horse software.
Fuzzers
Software tools that feed malformed, unexpected, or random input to an application (web applications included) to find crashes and other weaknesses. Exploiting what they find is a separate step.
closed/proprietary intelligence
Someone else has already compiled the threat information, for sale.
Malicious flash drive
Start a command prompt and start typing anything into the system to download/install malicious software.
Hashing implementation
Store a password on an authentication server as a salted, slow hash (for example PBKDF2, bcrypt, or scrypt) rather than as the password itself, so a stolen credential file does not directly reveal passwords.
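An added example, not from the original card set, that ties the hashing card above to the online/offline brute-force card earlier: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, an online login gate enforces lockout after a few failures, and an offline dictionary attack against a leaked record shows that only the work factor and the user's password strength stand between the attacker and the password. Passwords, wordlist, and the lockout threshold are constructed for the demonstration.

```python
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000  # high work factor: every offline guess must pay this cost


def store_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Record kept by the authentication server: random per-user salt plus the derived key."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


class OnlineLoginGate:
    """Online mode: the attacker must go through this interface, which can lock the account."""

    def __init__(self, record: dict, max_attempts: int = 5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    def attempt(self, password: str) -> str:
        if self.failures >= self.max_attempts:
            return "locked"
        if verify_password(self.record, password):
            self.failures = 0
            return "granted"
        self.failures += 1
        return "denied"


def offline_dictionary_attack(record: dict, wordlist: list) -> str:
    """Offline mode: with the stolen record there is no lockout or rate limit, only CPU cost per guess."""
    for candidate in wordlist:
        if verify_password(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    record = store_password("password123", iterations=20_000)  # lowered for the demo
    gate = OnlineLoginGate(record)
    print([gate.attempt("guess%d" % i) for i in range(6)])  # five denials, then locked
    wordlist = ["letmein", "qwerty", "password123", "dragon"]  # constructed wordlist
    print("offline attack recovered:", offline_dictionary_attack(record, wordlist))
```

The online gate stops the attacker after a handful of guesses; the offline attacker gets unlimited guesses, which is why the iteration count (or a memory-hard function) and a unique salt per user matter: the salt prevents one precomputed table from serving every account, and the work factor makes each guess expensive.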
SESAME (Secure European System for Applications in a Multi-vendor Environment)
Supports Single Sign-On (SSO) to the network. Provides role based distributed access control using digitally signed Privilege Attribute Certificates, with optional delegation of access rights. Supports full cryptographic protection of exchanges between users and remote applications.
Skipjack
Symmetric algorithm. Designed by NSA for the clipper chip - a chip with built in encryption. Uses an 80 bit key
Syslog
System Log. A central log collector integrated into SIEM.
Key Distribution Center (KDC)
System for granting authentication in Kerberos. The most important component for Kerberos. Used to store, distribute, and maintain cryptographic session keys.
Microsoft SQL Server Port
TCP 1433
Telnet (Telecommunication Network)
TCP 23. Remote console login to network devices
SMTP (Simple Mail Transfer Protocol) Port
TCP 25
RDP (Remote Desktop Protocol) Port
TCP 3389
Remote Desktop Protocol (RDP)
TCP 3389
PPTP (Point-to-Point Tunneling Protocol)
TCP/UDP 1723
Adversarial artificial intelligence (AI)
Tainted training for Machine Learning (ML). A ML environment has to be fed data (trained) over and over so that it can learn and grow its understanding of that dataset. Tainted information will taint the outcome. Threat modeling: How would an attack feed this tainted data?
obfuscation
Take perfectly readable code and turn it into something a human cannot easily follow while the computer still executes it unchanged. Slows reverse engineering; it is not encryption and does not stop a determined analyst.
ANT
Technology developed by Garmin, used in wearable devices. Susceptible to eavesdropping, interception, and impersonation.
Multimedia Message Service (MMS) install
Text messages that prompt to install an application will link to the App Store version of the application.
ISO 27001
The ISO standard is the foundational standard for Information Security Management Systems (ISMS).
KEK (Key Encryption Key)
The KEK, encrypts the Data Encryption Key, which is used to encrypt and decrypt data.
Quantum bit (qubit)
The basic unit of information in a quantum computer. These bits are not 1s, and they're not 0s, but instead, they exist somewhere in the middle between 1 and 0. They are effectively a 0 and a 1 at the same time.
Active Directory (AD)
The centralized directory database that contains user account information and security for the entire group of computers on a network. Provides Single Sign-On (SSO)
metadata of a file
The date and time the file was created, modified, or last accessed, its author, and similar descriptive data stored with the file rather than in its content.
Dipole Wireless Antenna
The earliest, simplest, and most widely used antenna with a radiation pattern shaped like a doughnut
Improper Error Handling
The error messages display sensitive or private information that give the user too much data.
non-persistent XSS attack
The injected script is not persisted or stored, but rather is immediately executed and passed back via the web server. User clicks a link, script embedded in URL executes in user's browser.
Time of Check/Time of Use (TOC/TOU) Attacks
The vulnerability that arises when a resource can change between the moment an application checks it and the moment the application uses it, so the check no longer describes what is actually being used. Mitigation: act on the handle you checked (for example fstat an open file descriptor) rather than re-resolving a name.
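The race described above, as an added example that is not part of the original card set. A function stats a path, then opens it by name; a hook stands in for the attacker acting in the window between the two calls and swaps the checked file for a symlink to a secret. The hardened version opens with O_NOFOLLOW and checks the descriptor it actually opened. Files and their contents are constructed in a temporary directory; the code assumes a POSIX system (Linux or macOS).

```python
import os
import stat
import tempfile


def read_insecure(path: str, between=lambda: None) -> bytes:
    """Check-then-use on a name: the name can be re-bound between the two calls."""
    st = os.lstat(path)                        # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    between()                                  # the race window an attacker exploits
    with open(path, "rb") as f:                # time of use: open() follows symlinks
        return f.read()


def read_secure(path: str, between=lambda: None) -> bytes:
    """Open first, without following a symlink, then validate the object actually opened."""
    between()                                  # whatever happens before open() cannot matter
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuses a symlink as the final component
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())              # check the descriptor, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def run_demo() -> dict:
    """Stage the attack in a scratch directory and report what each reader returned."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")   # constructed: the file the reader must never return
        public = os.path.join(d, "public.txt")   # constructed: the file that passes the check

        def stage():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"hello")

        def swap():  # the attacker's move inside the window
            os.remove(public)
            os.symlink(secret, public)

        with open(secret, "wb") as f:
            f.write(b"TOP-SECRET")

        stage()
        results["insecure"] = read_insecure(public, between=swap)
        stage()
        results["secure_normal"] = read_secure(public)
        stage()
        try:
            results["secure"] = read_secure(public, between=swap)
        except OSError:
            results["secure"] = "refused"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:14s} -> {value!r}")
```

The insecure reader returns the secret because its check and its use refer to the same name at different times; the secure reader cannot be fooled because its check is performed on the open descriptor, which the attacker can no longer redirect.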
Wardriving
The practice of driving around and locating open wireless access points. To limit exposure: 1. Configure the network to use authenticated access only (WPA2/WPA3-Enterprise where possible). 2. Change the default SSID. 3. Disable SSID broadcast (this only hides the name from casual scans; the SSID is still visible in client traffic). 4. Configure the network to use WPA2 or WPA3.
Log aggregation
The practice of gathering up disparate log files for the purposes of organizing the data in them and making them searchable.
Normalization
The process of applying rules to a database design to ensure that information is divided into the appropriate tables. Ensures that attributes in a database table depend only on the primary key.
Recertification
The process of examining a user's permissions and determining if they still need access to what was previously granted.
Persistent XSS attack
The script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system.
High Availability (HA)
The service should always be on and available
containerization
The storage segmentation of containerization keeps the enterprise apps and data separated from the user's apps and data. During the offboarding process, only the company information is deleted and the user's personal data is retained.
Bluesnarfing
The unauthorized access of information from a wireless device through a Bluetooth connection.
Data Exfiltration
The unauthorized transfer of data outside an organization, such as social media.
virtual machine sprawl
The widespread proliferation of VMs without proper oversight or management
Online UPS (uninterruptible power supply)
This UPS is always online and always providing power to your devices. And if the power does go out, there's no switching process, because you're already on battery power. Also called the double conversion.
System on a Chip (SoC)
This is a single chip containing all the computer circuits an embedded device such as a microwave needs to control it. (Raspberry Pi)
isolation mode
This mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients.
TOTP
Time-based One-Time Password. A shared secret and the current time step (typically 30 seconds) are fed to an HMAC, and a few digits of the result form a code that is valid only for that step; the server accepts a small window of adjacent steps to allow for clock drift.
man-hours
To justify the expenses of the forensics investigation.
TAXII
Trusted Automated eXchange of Intelligence Information (TAXII) standardizes the automated exchange of cyber threat information
Smurf Attack
Type of DoS attack. Victim's IP address is spoofed and (Internet Control Message Protocol (ICMP) (PING)) messages are broadcast to a computer network. All the hosts on a network are PINGed and replies flood in. The target PC will be slowed down to the point of it being unusable. Mitigation: Disallow computers from responding to ICMP requests. Configure routers to not forward broadcasts.
Proximity detector
Type of IDS. Emits a measurable magnetic field while in use, measure it and sound an alarm if disrupted, use to protect specific object
Time of Check (TOC)
Type of race condition (the check half of TOC/TOU). The attacker changes state between the application's check and its use of the result, for example altering a file, session, or credential after it was validated, so the later step acts on attacker-controlled data. An attacker could remain logged in with old credentials if the check is never repeated.
Snapshot Backup
Type of backup primarily used to capture the entire operating system image including all applications and data
software firewall
Type of firewall. Adding interfaces is easy.
SNMP (Simple Network Management Protocol) Port
UDP 161
TACACS+ Port
TCP 49 (the original TACACS used UDP 49)
domain name system (DNS) protocol
UDP 53
TFTP (Trivial File Transfer Protocol)
UDP 69
L2TP (Layer 2 Tunneling Protocol)
UDP Port 1701
Unsecured root accounts
Unprotected accounts that give unfettered access to all resources.
memory leak
Unused memory is not properly released and causes the system to crash. Typically an unintentional consumption of memory.
Pivot Attack
Use a compromised system to attack another system.
Weak Cipher Suites
Use of older or less robust cryptographic algorithms in TLS and similar protocols lets an attacker break or downgrade the encryption. These ciphers should not be enabled: RC4, Triple-DES (3DES), NULL. Prefer AES-GCM or ChaCha20-Poly1305 with a forward-secret key exchange.
PFX (Personal Information Exchange) certificate
PKCS#12 container used by Microsoft that bundles an X.509 certificate with its private key (and usually the issuing chain); .pfx and .p12 are the same format. It must be password-protected because it contains the private key.
Base64-encoded X.509
Text format: PEM (.pem, .crt, .cer) and P7B (.p7b, a PKCS#7 bundle of certificates with no private key) are Base64-encoded. PFX/P12 (PKCS#12) is binary, not Base64, and also carries the private key.
Privacy Enhanced Mail (PEM) certificates
Used for Unix/Linux servers and can be read in a text editor.
NTPsec (Network Time Protocol Secure)
Used for security on time synchronization.
Keyed-Hash Message Authentication Code (HMAC)
Used to authenticate and integrity-protect packets transmitted on IPsec connections (in both AH and ESP); combines a shared secret key with a hash such as SHA-256.
WTLS (Wireless Transport Layer Security)
Used to encrypt traffic for smaller wireless devices.
scanning tool
Used to perform a vulnerability test
VDE (Virtual Desktop Environment)
Users access virtual desktops hosted remote servers
3DES (Triple DES)
Uses 48 rounds of computation.
shibboleth
Uses SAML (Security Assertion Markup Language), which defines security authorizations on webpages as opposed to web page elements in HTML. Also a Single Sign-On (SSO) system.
PRNG (Pseudo Random Number Generator)
Deterministic algorithm that expands a seed into a stream of numbers that is "random enough" for its purpose. Cryptographically secure PRNGs are used to generate keys, IVs, and nonces for algorithms such as AES, DES, and Blowfish; a weak seed or a predictable PRNG makes those keys guessable.
Multi-sourcing
Using several suppliers for a particular product. A way to ensure that your application will stay up and running and available, regardless of the status of any individual cloud provider.
Influence campaigns
Using social engineering to sway attention and sympathy in a particular direction.
input validation
Validate input on the server side (client-side checks are a convenience only) against an allowlist of acceptable values before it is processed. Mitigates attacks such as Cross Site Scripting (XSS) and SQL injection. Secure coding frameworks and guidance: OWASP, CERT.
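An added example, not from the original card set, covering the input validation card above and the non-persistent XSS card earlier: a page fragment built straight from a query parameter reflects a script into the victim's browser, while the hardened versions either escape output for the HTML context or validate the input against an allowlist (including the URL scheme, which html.escape alone does not protect). The payloads and the example.com URL are constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Allowlist: what a username is permitted to look like, rather than a denylist of bad characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")
SAFE_SCHEMES = {"http", "https"}


def validate_username(value: str) -> str:
    """Reject anything outside the allowlist before it reaches templates or queries."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def render_greeting_vulnerable(name: str) -> str:
    """Reflected (non-persistent) XSS: the parameter lands in HTML unchanged."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Output encoding for the HTML text context neutralises markup in the value."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def safe_href(url: str) -> str:
    """Escaping is not enough for attributes that are interpreted: block javascript: and data: URLs."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        raise ValueError("disallowed URL scheme")
    return html.escape(url, quote=True)


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed reflected-XSS payload
    print(render_greeting_vulnerable(payload))
    print(render_greeting_escaped(payload))
    print(safe_href("https://example.com/?q=1"))
    for bad in ("javascript:alert(1)", "<img src=x onerror=alert(1)>"):
        try:
            safe_href(bad) if ":" in bad else validate_username(bad)
        except ValueError as e:
            print("rejected:", bad, "->", e)
```

Validation and output encoding are complementary: validate on the way in so the data is well-formed, and encode on the way out for the exact context (HTML body, attribute, URL, JavaScript) where it is rendered.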
SHA256
Verifies that the file was not corrupted during the file transfer
digital signature
Verify a sender's identity. Provides proof of a message's origin.
Armored Virus
Virus includes protective code that prevents examination of critical elements, such as scans by anti-virus software.
Honeypot
Vulnerable computer that is set up to entice an intruder to break into it
Simultaneous Authentication of Equals (SAE)
WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key) authentication process by privately deriving session keys instead of sending the key hashes across the network
Suppress a fire with wood/paper products
Water and soda acid (Class A extinguishers).
Initialization vector (IV) attack
Weaker encryption such as WEP used short IVs that repeated quickly. An attacker can sniff enough packets to find repeated IVs, recover the keystream and the key, then gain access.
virtual machine escape
When a user (or malware) is able to break out of a VM's isolation (or lack thereof) and gain access to the hosting computer.
Explicit Deny
When an administrator sets a rule that denies a specific type of traffic access through a firewall, often within an ACL.
Multipath I/O
When connecting network devices such as network drives, often will configure multiple links in the network to provide redundancy if one part of the network was to fail.
Separation of Duties
When user accounts are created by one employee and user permissions are configured by another employee.
Media Access Control (MAC) Filtering
Will limit which devices can connect to the wireless network. If a device is filtered by MAC address, it can still see the access point but will not be allowed to associate. Weak as a security control: MAC addresses are transmitted in the clear, so an attacker can sniff an allowed address and spoof it.
passphrase password
Word or phrase used to authenticate a user.
Homomorphic Encryption (HE)
You can perform calculations on data, in its encrypted form, and save the results as encrypted data, the entire time never having decrypted any of that information.
Private Cloud
a cloud that is owned and operated by an organization for its own benefit
peripheral device
a component, such as a monitor or keyboard, that connects to the computer through data port. could be infected with malware: Wi-Fi enabled MicroSD cards, external storage devices, and digital cameras.
Embedded Firewall
a firewall that is integrated into a router
SASL (Simple Authentication and Security Layer)
a framework that many different application protocols can use to be able to communicate securely. LDAP uses SASL for this and it can communicate using Kerberos, client certificates, and other methods as well.
Storage Area Network (SAN)
a high-speed network with the sole purpose of providing storage to other attached servers
HMAC (Hash-Based Message Authentication Code)
a message authentication code that uses a cryptographic key in conjunction with a hash function
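The difference between an unkeyed hash (SHA-256, above) and a keyed HMAC is easy to state and easy to get wrong in practice. The following added example, which is not code from the original page, shows both on a constructed "downloaded file": a plain hash catches accidental corruption but an attacker who can swap the file can also swap the published hash, whereas an HMAC tag cannot be forged without the shared key. The file bytes and the shared key are invented for the demo.

```python
import hashlib
import hmac

# Constructed sample data for the demo (not from the page): the bytes of a
# "downloaded" file and a key shared by publisher and verifier (assumed).
ORIGINAL = b"installer v1.0\nbinary payload bytes\n"
SECRET_KEY = b"key-known-only-to-publisher-and-verifier"


def sha256_hex(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption or changes."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def make_hmac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed MAC, so only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(make_hmac(key, data), tag_hex)


def tamper_demo() -> dict:
    """A hash proves integrity, not origin: an attacker who replaces the file can
    republish a matching SHA-256, but cannot forge the HMAC without SECRET_KEY."""
    published_hash = sha256_hex(ORIGINAL)
    published_tag = make_hmac(SECRET_KEY, ORIGINAL)

    tampered = ORIGINAL.replace(b"binary payload", b"malicious payload")
    attacker_hash = sha256_hex(tampered)                # recomputed freely
    attacker_tag = make_hmac(b"wrong-guess", tampered)  # attacker lacks the key

    return {
        "original_hash_ok": verify_digest(ORIGINAL, published_hash),
        "tampered_hash_detected": not verify_digest(tampered, published_hash),
        "tampered_with_attacker_hash_passes": verify_digest(tampered, attacker_hash),
        "tampered_hmac_detected": not verify_hmac(SECRET_KEY, tampered, published_tag),
        "forged_hmac_rejected": not verify_hmac(SECRET_KEY, tampered, attacker_tag),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

Every check in tamper_demo() comes back True: the third one is the point of the exercise, since a file and its hash served from the same compromised location verify perfectly.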
Cryptographic Attacks
a method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol or key management scheme
Hybrid Warfare
a new term used to describe a strategy that deliberately mixes elements and techniques of conventional warfare (e.g., national uniforms, heavy weapons) and unconventional warfare (e.g., guerrilla, paramilitary, information, or cyber war) as a way to coerce adversaries while avoiding attribution and retribution
Credentialed Scan
an authenticated scan: the scanner logs in to the target with a valid account and can see installed patches, local configuration, and file permissions that an unauthenticated scan cannot. Produces fewer false positives, but the scanning account is a high-value credential and must be tightly protected.
802.1x
a standard for port-based Network Access Control (NAC). When 802.1X is enabled, a device connecting to a switch port or wireless SSID gets no access beyond the EAP exchange until it presents valid credentials. The standard calls the client the supplicant, the switch or wireless access point the authenticator, and the back-end the authentication server, which is usually a RADIUS server that checks credentials against a central user database such as Active Directory. Used for WPA2/WPA3-Enterprise wireless and for wired ports in user areas.
Virtual Private Cloud (VPC)
a subset of a public cloud that has highly restricted, secure access
Diamond Model
a framework for standardizing the reporting and analysis of intrusions. Every event is described by four linked vertices: adversary, capability, infrastructure, and victim, so that analysts can pivot from one known element to the others.
Mandatory Access Control (MAC)
access is decided by the system, not the resource owner, by comparing a subject's clearance with the classification label assigned to each object (e.g., Confidential, Secret, Top Secret). A subject may read an object only if its clearance is at or above the object's label, and users cannot change labels themselves.
EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security)
allows the use of multiple authentication protocols transported inside of an encrypted TLS tunnel. This allows the use of any authentication while maintaining confidentiality with TLS
Quantum Key Distribution (QKD)
uses a quantum channel to distribute a symmetric key as a string of qubits. Measuring a qubit disturbs it, so any eavesdropper on the channel introduces detectable errors: the two ends compare a sample of their bits over an ordinary channel, abandon the exchange if the error rate is too high, and otherwise use the remaining bits as the key.
uninterruptible power supply (UPS)
an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down.
ElGamal
an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement.
software development kits (SDK's)
application code written by someone else, might not be secure
USB data blocker
are physical USB cables that allow power connections but prevent data connections. With a USB data blocker attached, any power source can be used without a security concern.
Spraying password attack
tries one common password (e.g., Winter2024!) against many user accounts before moving on to the next password. Because each account sees only one or two failures, the attack stays below lockout thresholds and below alerts tuned for repeated failures on a single account.
Role-Based Access Control (RBAC)
assigns rights and permissions based on the role of a user. Roles are usually implemented as groups, and a user inherits the permissions of every role they hold.
macros
automate functions within an application.
AAA Framework: Authorization
based on your identification and authentication, what you are authorized to access
Cloud Access Security Broker (CASB)
can be used to apply security policies to cloud-based implementations. Common functions: visibility into which cloud applications are in use (shadow IT discovery), enforcement of data security policy such as DLP on uploads, verification of compliance with formal standards, and monitoring and identification of threats such as anomalous logins or unencrypted transfers.
dig (domain information groper) command
queries DNS servers from the command line. dig -x <address> performs a reverse (PTR) lookup of an IPv4 or IPv6 address. The owner of the surrounding IP address block is found with whois (RDAP), not dig, and neither gives more than a rough indication of an attacker's location.
Address resolution protocol (ARP) command
can be used to view the local ARP cache. The cache contains a lookup table containing IP addresses and their associated MAC (Media Access Control) address. If an engineer pings a device on the local network and then views the ARP cache, they will see the MAC address that was resolved during the ARP process
netcat command
can read or write information to the network. can be used to create an open connection on a device or to access a connection on a remote machine.
grep command
can then be used to search through the file for a specific string of text
netstat command
can view inbound and outbound statistics for all connections to a device
cloud redundancy
cloud connections are slower, cloud costs have low entry point, data storage requires more security
Community Cloud Deployment Model
cloud service that is set up for a community that has shared concerns
GCM (Galois Counter Mode)
combines counter mode encryption with Galois field authentication (GHASH) to give authenticated encryption: the ciphertext and any additional authenticated data (headers sent in the clear) are covered by a tag that detects tampering. Fast and parallelizable; the nonce must never be reused with the same key.
Attribute-based access control (ABAC)
combines many different parameters to determine if a user has access to a resource. Goes beyond username/password, evaluates the time of day and location of logons.
managed security service providers (MSSPs)
company that provides security management services for subscribing clients
Service Integration and Management (SIAM)
consolidate the view of all of the different services into one single management interface. This is the next step when you begin deploying these different application instances to multiple providers.
Recovery Time Objective (RTO)
the maximum acceptable time to restore a service to an agreed level after a disruption. Compare the Recovery Point Objective (RPO), the maximum acceptable data loss expressed as a period of time.
Infrastructure as a Service (IaaS)
delivers hardware networking capabilities, including the use of servers, VM's, networking, and storage, over the cloud using a pay-per-use revenue model
OSINT (Open Source Intelligence)
describes reconnaissance gathering from publicly available sources. Information about domain names and IP address would be easily retrieved from a query to a public DNS (Domain Name System) server
Single Loss Expectancy (SLE)
describes the financial impact of a single occurrence of an event: SLE = Asset Value (AV) × Exposure Factor (EF).
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)
mutual authentication with certificates on both the client and the server inside a TLS tunnel. It is the strongest common EAP method but requires a certificate on every client device; it does not carry a second inner authentication method the way EAP-TTLS and PEAP do.
Skimming
double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use
Certificate pinning
embeds or "pins" a certificate inside of an application. When the application contacts a service, the service certificate will be compared to the pinned certificate. If the certificates match, the application knows that it can trust the service. If the certificates don't match, then the application can choose to shut down, show an error message, or make the user aware of the discrepancy. An SSL proxy will use a different certificate than the service certificate, so an application using certificate pinning can identify and react to this situation
PEAP (Protected Extensible Authentication Protocol)
encapsulates a second EAP method (commonly EAP-MSCHAPv2) within a TLS tunnel, so only the server needs a certificate. Unlike EAP-TTLS, it carries only EAP inner methods, not legacy ones such as PAP or CHAP.
Encapsulation Security Protocol (ESP)
encrypts the data that traverses the VPN. In IPsec (Internet Protocol Security) transport mode, the IP header is not encrypted and is used for routing. In tunnel mode, both the original IP header and data are encrypted and encapsulated within a separate IP header
Two-Phase Commit
ensures that the entire transaction is executed to ensure data integrity
Full Disk Encryption (FDE)
everything written to the laptop's local drive is stored as encrypted data. If the laptop was stolen, the thief would not have the credentials to decrypt the drive data.
Forensics evidence
evidence that is acceptable for court proceedings. Capture a bit-level (sector-level) image of the disk so that every area that can hold user data, including deleted files and slack space, is preserved; work from the copy and verify it against the original with a hash.
full backup
a complete copy of all selected data (e.g., an entire database or file system); the baseline that differential and incremental backups build on.
router
forward traffic between separate IP subnets or VLANs. Operate on the Network layer of the OSI model to route packets.
penetration testing process
initial exploitation, lateral movement, persistence, pivoting
code injection attack
input includes code that is then executed by the attacked system
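The input validation and code injection entries above both come down to one rule: input must never be interpreted as code. The following added example, written for this page and not taken from it, puts a string-built SQL query beside its parameterized replacement using Python's built-in sqlite3, and an un-encoded HTML template beside one that escapes output. The user table, the tautology payload and the script tag are constructed sample data.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table with sample rows (not from the page).
    Passwords are stored in clear here only to keep the injection visible;
    a real system stores salted, stretched hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: whatever the user types becomes part of the SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver binds the values, so input is only ever data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def render_greeting_unsafe(name: str) -> str:
    """Reflected XSS: user input is echoed straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding for the HTML context: the browser renders '<script>' as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    conn = build_db()
    injected_password = "' OR '1'='1"        # classic tautology payload
    payload = "<script>alert(1)</script>"    # constructed XSS probe
    return {
        "vulnerable_login_bypassed": login_vulnerable(conn, "alice", injected_password),
        "safe_login_with_injection": login_safe(conn, "alice", injected_password),
        "safe_login_with_real_password": login_safe(conn, "alice", "correct horse"),
        "unsafe_html": render_greeting_unsafe(payload),
        "safe_html": render_greeting_safe(payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable login accepts the tautology because the resulting SQL reads `... AND password = '' OR '1'='1'`; the parameterized version compares the literal string and rejects it. Note that escaping is context-specific: html.escape is right for HTML body text, but attribute, JavaScript and URL contexts each need their own encoder.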
General Data Protection Regulation (GDPR)
is a European Union regulation that governs data protection and privacy for individuals in the EU.
Secure Boot
is a UEFI firmware feature that checks the digital signature of the bootloader against keys stored in the firmware and refuses to run unsigned or tampered boot code. The Trusted Boot process occurs after Secure Boot has completed.
Risk Acceptance
is a business decision that places the responsibility of the risky activity on the organization itself.
EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake Authentication Protocol v2)
is a common implementation of PEAP (Protected Extensible Authentication Protocol)
Remote Authentication Dial-In User Service (RADIUS) protocol
is a common method of centralizing authentication for users. Instead of having separate local accounts on different devices, users authenticate against account information maintained in a centralized database. Uses UDP port 1812 for authentication and 1813 for accounting. Only the password attribute is obfuscated, so RADIUS traffic should be confined to a management network or carried over TLS.
Service Level Agreement (SLA)
is a contract that specifies the minimum terms for provided services. It's common to include uptime, response times, and other service metrics in an SLA
OpenSSL
is a cryptography library that is commonly used to support SSL/TLS encryption on web servers.
chain of custody
is a documented record of the evidence. The chain of custody also documents the interactions of every person who comes into contact with the evidence. Refers to strict formal procedures for evidence.
Hardware Security Module (HSM)
is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices.
jump server
is a highly secured device commonly used to access secure areas of another network. The technician would first connect to the jump server using SSH or a VPN tunnel, and then "jump" from the jump server to other devices on the inside of the protected network. This would allow technicians at an MSP (Managed Service Provider) to securely access devices on their customer's network
Kerberos
is a network authentication protocol that provides single sign-on and mutual authentication using cryptographic "tickets" for the behind-the-scenes authentication process. The Authentication Service (AS) authenticates users and provides TGT. Port 88
MTBF (Mean Time Between Failures)
is a prediction of how often a repairable system will fail.
LEAP (Lightweight Extensible Authentication Protocol)
is a proprietary wireless LAN authentication method developed by Cisco Systems. Features include dynamic WEP keys and mutual authentication between a wireless client and a RADIUS server. Deprecated: the MS-CHAP exchange can be captured and cracked offline, so PEAP or EAP-TLS should be used instead.
Wireshark
is a protocol analyzer, and it can provide information about every frame that traverses the network. From a security perspective, the protocol decode can show the exploitation process and details about the payloads used during the attempt.
mitigation
is a strategy that decreases the threat level. This is commonly done through the use of additional security systems and monitoring, such as an NGFW (Next-Generation Firewall).
shell script
is a text file containing a list of commands or constructs for the shell to execute. It may contain any command that can be entered on the command line.
Scanless
is a utility that can perform a port scan using a proxy service.
Diffie-Hellman
is an algorithm used for two devices to create identical shared keys without transferring those keys across the network.
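Diffie-Hellman is easier to trust once you have watched both sides compute the same number from public values only, and ElGamal (above) is literally that exchange with a multiplication added. The following added example is written for this page, not taken from it. It uses a toy modulus (the Mersenne prime 2^127 - 1, with generator 3, both assumptions chosen for readability); real deployments use standardized 2048-bit or larger groups from RFC 3526 or RFC 7919, or elliptic-curve DH.

```python
import secrets

# Toy parameters (assumption for illustration): p is the Mersenne prime 2**127 - 1.
# Production code uses RFC 3526 / RFC 7919 groups of 2048+ bits, or ECDH.
P = 2**127 - 1
G = 3


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    """(g^b)^a == (g^a)^b mod p: only the public values cross the wire."""
    return pow(their_public, my_private, p)


def dh_exchange():
    """Both parties run the protocol; returns the secret each side derived."""
    a_priv, a_pub = dh_keypair()             # Alice
    b_priv, b_pub = dh_keypair()             # Bob
    # Alice sends a_pub, Bob sends b_pub; an eavesdropper sees only those.
    return dh_shared(b_pub, a_priv), dh_shared(a_pub, b_priv)


def elgamal_encrypt(message: int, recipient_public: int, p: int = P, g: int = G):
    """ElGamal = one-shot DH: c1 is the sender's ephemeral public value,
    c2 is the message masked by the resulting shared secret."""
    k = secrets.randbelow(p - 2) + 1
    c1 = pow(g, k, p)
    c2 = (message * pow(recipient_public, k, p)) % p
    return c1, c2


def elgamal_decrypt(c1: int, c2: int, private: int, p: int = P) -> int:
    shared = pow(c1, private, p)             # same secret the sender used
    inverse = pow(shared, p - 2, p)          # Fermat inverse, valid since p is prime
    return (c2 * inverse) % p


def elgamal_roundtrip(message: int) -> int:
    priv, pub = dh_keypair()
    c1, c2 = elgamal_encrypt(message, pub)
    return elgamal_decrypt(c1, c2, priv)


if __name__ == "__main__":
    s_alice, s_bob = dh_exchange()
    print("shared secrets match:", s_alice == s_bob)
    print("ElGamal round trip:", elgamal_roundtrip(123456789))
```

ElGamal ciphertexts are randomized (a fresh k each time), so encrypting the same message twice gives different output; the message must be an integer below p, which is why in practice ElGamal and DH are used to wrap a symmetric key rather than the data itself.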
redundancy
is an important part of network design for preventing disruption of network services by minimizing the possibility of a single point of failure.
service account
is commonly used by local services on a system, but service accounts are not generally enabled for interactive logins. Web servers, database servers, and other local servers use service accounts.
integrity measurement
is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions
SOAR (Security Orchestration, Automation, and Response)
is designed to make security teams more effective by automating processes and integrating third-party security tools.
data protection officer (DPO)
is responsible for the organization's data privacy. The DPO commonly sets processes and procedures for maintaining the privacy of data.
Mean time to failure (MTTF)
is the expected lifetime of a non-repairable product or system.
Annual Loss Expectancy (ALE)
is the financial loss over an entire 12-month period.
Annualized Rate of Occurrence (ARO)
is the number of times an event will occur in a 12-month period.
Pre-Shared Key (PSK)
is a single passphrase shared by everyone who joins a WPA2/WPA3-Personal network. Because one secret is shared, it cannot be revoked for a single user and offers no per-user accountability; organizations move to 802.1X (Enterprise mode) to avoid it.
tcpdump command
is a command-line utility that captures network packets and can store them in a file (-w) for later analysis in a tool such as Wireshark.
Authentication Header (AH)
provides integrity and origin authentication for the whole IP packet (header and payload) using a keyed hash, but no confidentiality. Rarely used on its own because the authenticated header fields break under NAT.
Split knowledge
limits the information that any one person holds: no single person knows enough of a process (for example, a complete key or a complete approval) to carry out a sensitive transaction alone.
on premise redundancy
local network is faster, purchasing your own storage is expensive, local data is private
Data Custodian
manages access rights and sets security controls to the data
data steward
manages access rights to the data and ensures it is used in line with policy; this role is often filled by the IT team.
Data Processor
manages the operational use of the data, but not the rights and permissions to the information
minimize the opportunity for embezzlement and fraud
mandatory vacations
Traceroute
maps each hop by sending successive probes with the TTL (Time to Live) incremented by one. Every router decrements the TTL; the one that decrements it to zero drops the packet and returns an ICMP (Internet Control Message Protocol) Time Exceeded message, revealing its address.
Intrusion Prevention System (IPS)
monitors network traffic for exploit attempts such as buffer overflows, cross-site scripting, SQL injections, or other known exploits. If an exploit attempt is identified in the traffic flow, the IPS will block the traffic and prevent the attack.
job rotation
moves employees through different job roles as part of their normal work environment. This policy limits the potential for fraud and allows others to cover responsibilities if someone is out of the office.
Edge Computing
moving processing and data storage away from a centralized location to the "edges" of a network. The applications that are running and the decisions being made from the data created by these applications are all occurring on the local system and don't have to go out to the internet.
Cloud-Based Security
no physical access to data center, 3rd party may have access to data
aggregation switch
not best placed in a perimeter network because they are best used to connect other switches together.
Owner
of an object is the one who controls access in a discretionary access control model. The object and type of access is at the discretion of the owner, and they can determine who can access the file and the type of access they would have
on-premise security
on-site IT team
Split Tunnel
only encrypts traffic destined for the VPN's private network; everything else leaves the device directly. Saves bandwidth, but that direct traffic bypasses the organization's inspection and filtering.
object identifiers (OID)
dotted-number identifiers (e.g., 1.3.6.1.5.5.7.3.1 for TLS server authentication) that name the extensions, algorithms, and certificate policies in an X.509 certificate. Optional certificate extensions are identified by their OID.
Risk Matrix
or risk heat map, is often presented as a graphical chart comparing the likelihood of risk with the consequence.
Security orchestration, automation, and response (SOAR)
orchestration: connect many tools together automation: handle security tasks automatically response: make changes quickly
End-to-End Encryption
packets are encrypted once at the original encryption source and then decrypted only at the final decryption destination. Trust comes from Certificate Authorities (CA)
command and control
part of entrenchment (gain unsuspected, sustained access to a system): Installation of remote admin tools, tools built to hide themselves from the OS
port scan
sends a probe to each port, typically a TCP SYN. A SYN/ACK reply means the port is open, a RST means it is closed, and no reply usually means a firewall is filtering it; UDP ports are inferred from ICMP port-unreachable responses.
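As an added example (written for this page, not taken from it), the following TCP connect scanner shows the three results a scan can return and how each is decided. To run offline it constructs its own target on the loopback interface: one socket that listens (open) and one that is bound but never calls listen(), so the kernel answers a SYN with a RST (closed). The host address and timeout are assumptions.

```python
import socket
import threading


def start_listener(host: str = "127.0.0.1"):
    """Constructed scan target: a TCP socket listening on an OS-assigned port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # listener was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect scan of one port: the OS completes the full handshake.
    open = SYN/ACK received and connection made; closed = RST (refused);
    filtered = no answer before the timeout (typically a firewall drop)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports) -> dict:
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p) for p in ports}


def demo():
    """Scan one listening port and one reserved-but-not-listening port on loopback."""
    listener, open_port = start_listener()
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))   # bound but never listen(): a SYN gets a RST
    closed_port = closed_sock.getsockname()[1]
    try:
        return scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        closed_sock.close()
        listener.close()


if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port} {state}")
```

A connect scan completes the handshake, so it is logged by the target application; tools such as nmap default to a half-open SYN scan (raw sockets, root required) that sends a RST instead of the final ACK and is quieter. Scan only systems you are authorized to test.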
Pulping
places the papers into a large washing tank to remove the ink, and the paper is broken down into pulp and recycled. The information on the paper is not recoverable after pulping.
Trusted Boot
portion of the startup process verifies the operating system kernel signature and starts the ELAM (Early Launch Anti-Malware) process
infrastructure as code (IaC)
process of using definition and configuration files to provision and manage data centers. this process can be automated through scripts.
system integration risk
professional installation and maintenance, physical/virtual access to data
Rootkit
program that hides in a computer and allows someone from a remote location to take full control of the computer. Modifies files in the Kernel of OS.
Attestation
a device proves to a remote verifier that it is the hardware it claims to be and is running trusted firmware and software: measurements of each boot stage are recorded in TPM registers (PCRs) and signed by the TPM, so the verifier can confirm the boot chain has not been altered before granting access.
AAA Framework: Authentication
prove who you say you are - PW + other authentication factors
Mobile Device Management (MDM)
provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices.
Tracert (traceroute)
provides a summary of the hops between two devices. Against a hostile address, the hop names and ISP ranges it reveals give a rough idea of the attacker's upstream provider and physical region.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
provides a way to integrate public key encryption and digital signatures into most modern email clients. This would encrypt all email information from client to client, regardless of the communication used between email servers. Defined in Request for Comments (RFC) 2632/2634.
Network Attached Storage (NAS)
provides access to a large storage array over the ordinary network as files, using protocols such as SMB or NFS; this is called file-level access. A SAN, by contrast, exposes raw blocks, which is why workloads that need block-level control such as databases and hypervisor datastores usually go on a SAN while shared documents go on a NAS.
Self-Encrypting Drive (SED)
provides data protection of a storage device using full-disk encryption in the drive hardware
Cloud Security Alliance (CSA)
provides documents for implementing and managing cloud-specific security controls.
protocol analyzer
provides information regarding traffic flow and statistical information on the network
salt
random data added to a password before hashing. Rainbow tables will not work.
redundant site
redundant facilities can enable you to recover in the event of a catastrophic loss.
Open permissions
refers to provisioning data files or applications without differentiating access rights for user groups
air gap
removes all connectivity between components and ensures that there would be no possible communication path between the test network and the production network.
quantum communication
send information over a quantum network, and on the other side, we're able to tell if anyone was monitoring that conversation. This is especially useful if you want to distribute encryption keys.
DNS Sinkhole
server that gives out a false result for a domain name. will resolve an internal IP address and can report on all devices that attempt to access the malicious domain. Can identify all computers on the company network infected with a specific malware variant.
Spyware
software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.
Payment Card Industry Data Security Standard (PCI DSS)
specifies the minimum security requirements for storing and protecting credit card information. Perform regular audits and vulnerability scans to ensure compliance.
provisioning
supplying servers, configurations, software/network security
disk striping
technology that enables writing data to multiple disks simultaneously in small portions called stripes. these stripes maximize use by having all of the read/write heads working constantly. different data is stored on each disk and isn't automatically duplicated (not fault tolerant)
Confidentiality
the act of holding information in confidence, not to be released to unauthorized individuals
dump file
the file that stores the contents of a memory dump.
brute force attack
the password cracker tries every possible combination of characters
key escrow
the process of storing a copy of an encryption key in a secure location. Use a secondary decryption key
Symmetric Encryption
the same key is used to encode and decode. used in AES, DES, and Blowfish. Faster than asymmetric.
dual control
two persons must both be present to perform a business function; if one of them is unavailable, the function cannot be carried out at all.
Over-The-Air (OTA) updates
updates are commonly provided from the carrier and are not part of mobile app installations.
Electronic Code Book (ECB)
uses a single key and performs exactly the same encryption on every block independently: the first plaintext block is encrypted with the key to give the first ciphertext block, the second block the same way, and so on. Identical plaintext blocks therefore produce identical ciphertext blocks, which leaks structure (the ECB-encrypted image that is still recognizable is the classic demonstration). Not suitable for anything beyond a single block.
Key stretching/key strengthening
makes a password or weak key more expensive to brute-force by running it through a slow, iterated hash: the password is hashed, the result hashed again, many thousands of times. Standard algorithms are PBKDF2, bcrypt, scrypt, and Argon2, always combined with a per-password salt.
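The salt and key stretching entries above describe what a password store must do; the following added example (written for this page, not part of it) does it with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count and the `pbkdf2_sha256$iterations$salt$hash` record layout are assumptions for the example, not a standard; the point is that the salt and iteration count are stored with the hash so the verifier can reproduce it and the cost can be raised later.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption: tune it so one verification costs tens of
# milliseconds on the server hardware, and store it with the hash so it can be raised.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'
    (this record format is an assumption for the example, not a standard)."""
    salt = salt if salt is not None else os.urandom(16)   # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), hash_hex)


def salt_defeats_precomputation(password: str, iterations: int = ITERATIONS) -> bool:
    """The same password hashed twice yields different records, so a rainbow table
    (or any table of hashes for common passwords) cannot be reused across users."""
    first = hash_password(password, iterations=iterations)
    second = hash_password(password, iterations=iterations)
    return first != second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Password1", record))
    print("salt varies:", salt_defeats_precomputation("hunter2"))
```

With ITERATIONS at 200,000 each guess costs an attacker 200,000 HMAC computations instead of one SHA-256; combined with a 16-byte random salt, precomputed tables are useless and every user must be attacked separately.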
Tethering
uses a mobile phone as a communications medium to the Internet, and it does not have any relationship to the apps that are installed on the mobile device
active-passive load balancer
uses a secondary server, which remains on standby until the load on the primary server reached a critical point
CTR (Counter Mode)
turns a block cipher into a stream cipher: a nonce combined with an incrementing counter is encrypted with the block cipher, and the output keystream is XORed with the plaintext to produce ciphertext. Decryption is the same operation, blocks can be processed in parallel, and no padding is needed. A nonce/counter value must never be reused with the same key, or the two keystreams cancel and reveal the XOR of the two plaintexts.
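The ECB and CTR entries above (and the padding remark under Block Cipher) are clearer with the modes run side by side. The following added example is written for this page and is not code from it; to stay dependency-free it builds a toy 16-byte block cipher from a four-round Feistel network over HMAC-SHA256 (an assumption for illustration, not a real cipher and not AES) and then layers PKCS#7 padding, ECB and CTR on top of it. The key, nonce and plaintext are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16    # bytes, like AES; the Feistel halves are 8 bytes each
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: 8 bytes of HMAC-SHA256 over (round index, half)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (Feistel network on HMAC). Illustrative only; NOT AES."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse: run the rounds backwards. A block cipher is a keyed permutation."""
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK           # 1..16 bytes, each holding the value n
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each padded block is encrypted independently with the same key."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(toy_decrypt_block(key, b) for b in blocks(ciphertext)))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter to get keystream, XOR it with the data. The same
    call encrypts and decrypts; no padding; blocks are independent (parallelizable)."""
    assert len(nonce) == 8
    out = bytearray()
    for counter, chunk in enumerate(blocks(data)):
        keystream = toy_encrypt_block(key, nonce + counter.to_bytes(8, "big"))
        out += _xor(chunk, keystream)
    return bytes(out)


def nonce_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """With the same key and nonce the keystreams cancel: C1 xor C2 == P1 xor P2."""
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)


def demo() -> dict:
    key = b"sixteen byte key"            # constructed sample key
    nonce = os.urandom(8)
    pt = b"ATTACK AT DAWN!!" * 3         # three identical 16-byte blocks
    ecb, ctr = ecb_encrypt(key, pt), ctr_crypt(key, nonce, pt)
    return {
        "ecb_roundtrip": ecb_decrypt(key, ecb) == pt,
        "ctr_roundtrip": ctr_crypt(key, nonce, ctr) == pt,
        "ecb_distinct_blocks": len(set(blocks(ecb))),   # 2: repeated block + padding block
        "ctr_distinct_blocks": len(set(blocks(ctr))),   # 3: every block differs
        "ctr_nonce_reuse_leaks": nonce_reuse_leaks(key, nonce, pt, b"RETREAT AT DUSK!" * 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under ECB the three repeated plaintext blocks give three identical ciphertext blocks (only the padding block differs), so an observer learns where the message repeats; under CTR every block is different. The last check is the CTR failure mode: reusing a nonce exposes the XOR of two messages, which is usually enough to recover both.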
RFID (radio frequency identification)
uses radio signals to communicate with a tag placed in or attached to an object
Elliptic Curve Cryptography (ECC)
uses smaller keys than non-ECC encryption and has smaller storage and transmission requirements. These characteristics make it an efficient option for mobile devices. Requires fewer resources compared to RSA.
Invoice Scams
using fraudulent invoices to steal from a company
tape backup
using magnetic tape for storing duplicate copies of hard disk files.
non-credentialed scan
vulnerability scan from the outside with no access or authentications
diameter
was created to deal with Voice over IP (VoIP) and wireless services. address new technologies that RADIUS was not designed to handle.
signature-based IDS
watches for intrusions that match a known identity or signature. All attack signatures are kept in a signature database.
tail command
will display the information at the end of a file.
head command
will display the information at the start of a file
curl (Client URL) command
will retrieve a web page and display it as HTML at the command line.
VLANs (Virtual Local Area Networks)
will segment a network without requiring additional switches. can be used to ensure that internal access to other parts of the network is controlled and restricted.
Registration Authority (RA)
works with the certificate authority to identify and authenticate the certificate requester. verifies the entity requesting the certificate.
Guest Network
would allow access to the Internet but prevent any access to the internal network. The captive portal would prompt each guest for authentication or to agree to terms of use before granting access to the network
Virtual Desktop Infrastructure (VDI)
would allow the field teams to access their applications from many different types of devices without the requirement of a mobile device management or concern about corporate data on the devices.
SOHO router
• An all-in-one device • Modem, router, switch, wireless AP, firewall, etc. Default configurations are a vulnerability.
802.11 management frames
• Frames that make everything work • You never see them • Important for the operation of 802.11 wireless
802.1Q Trunk
Sends a frame over a trunk link, tagging it with its VLAN ID.
Kernel drivers
• Zeus/Zbot malware • Famous for cleaning out bank accounts • Now combined with Necurs rootkit • Necurs is a kernel-level driver • Necurs makes sure you can't delete Zbot • Access denied • Trying to stop the Windows process? • Error terminating process: Access denied
LDAP (Lightweight Directory Access Protocol)
"Address book" of user accounts used to authenticate users. Identifies levels of access and group memberships. A communications protocol that defines how a client can access information, perform operations, and share directory data on a server. TCP/389.
AIS
(Automated Indicator Sharing) An initiative from the U.S. Department of Homeland Security that enables the exchange of cybersecurity threat indicators. All systems must be able to communicate using STIX and TAXII specifications.
MSP
(Managed service providers) A third party that manages aspects of a system under some form of service agreement. Also a cloud service provider.
NFC
(Near Field Communication) A protocol, based on RFID, that defines how a network uses close-range radio signals to communicate between two devices or objects equipped with NFC technology. Can be used by an attacker to steal data from a nearby device.
RFC
(Request for Comments) A document published by the IETF that details information about standardized Internet protocols and those in various development stages.
SSRF
(Server-Side Request Forgery) An attack in which the attacker supplies a URL or hostname that the web server itself then fetches. Because the request originates from the server, it can reach internal services, cloud metadata endpoints, and other systems that trust the server but are not reachable by the attacker directly. Mitigation: allow-list the destinations the server may contact and never fetch user-supplied URLs unchecked.
SDN
(Software Defined Networking) using a central control program separate from network devices to manage the flow of data on a network
VBA
(Visual Basic for Applications) refers to a programming language you can use to create macros. It is a descendant of the BASIC programming language that is used in all Office products, as well as some other types of software.
XSRF
(cross-site request forgery) An attack in which a malicious page makes the victim's browser send a request to a site where the victim is already logged in; the browser attaches the session cookie automatically, so the server carries out the command as the trusted user (for example, posting to Facebook from your account). Requires the victim to have a valid session cookie for the target site. Mitigation: per-session anti-CSRF tokens that the server validates on every state-changing request, the SameSite cookie attribute, and checking the Origin/Referer header; client-side checks alone do not help.
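The anti-CSRF token mentioned above works because an attacker's page can make the victim's browser send cookies but cannot read a value embedded in the target site's own form. The following added example (written for this page, not taken from it) issues a token bound to the session with an HMAC and checks it on a simulated transfer endpoint; the server secret, session identifiers and request dictionaries are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, kept out of source control in practice.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce); binding to the session means a
    token issued to the attacker's own session cannot be replayed against a victim."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict) -> str:
    """Simulated state-changing endpoint. The session cookie arrives automatically
    (that is what CSRF abuses); the token in the form body is what a cross-site
    page cannot read or supply."""
    session = request.get("cookies", {}).get("session")
    if session is None:
        return "401 not logged in"
    if not verify_token(session, request.get("form", {}).get("csrf_token", "")):
        return "403 csrf check failed"
    return "200 transfer done"


def demo():
    """Three requests: legitimate form, forged cross-site request, token from another session."""
    session = "sess-victim-abc123"
    token = issue_token(session)
    legit = {"cookies": {"session": session},
             "form": {"csrf_token": token, "amount": "100"}}
    forged = {"cookies": {"session": session},           # browser still sends the cookie
              "form": {"amount": "100"}}                   # but attacker's page has no token
    stolen = {"cookies": {"session": session},
              "form": {"csrf_token": issue_token("sess-attacker"), "amount": "100"}}
    return handle_transfer(legit), handle_transfer(forged), handle_transfer(stolen)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In a real application the token is rendered into the form (or read from a cookie by same-origin JavaScript and sent in a header) and the endpoint also rejects GET requests for state changes; SameSite=Lax or Strict on the session cookie adds a second, independent layer.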
SDV
(software defined visibility) A visibility infrastructure what Software-Defined Networking (SDN) is to a network infrastructure. This allows us to deploy next-generation firewalls, intrusion prevention, web application firewalls, and other security devices while at the same time being able to understand exactly what type of data is flowing between all of these systems.
Methods of port security
1. Lock wiring closets so rogue devices cannot be plugged into the network 2. Manage open TCP/UDP ports on hosts and firewalls: close or filter what is not needed 3. Limit and monitor the MAC addresses on switch ports (switch port security: allowed MACs, maximum MACs per port, shut down on violation, disable unused ports)
Change Control Process
1. Make a formal request 2. Analyze the request 3. Record request 4. Submit for approval 5. Make changes 6. Submit results
white team
The group responsible for refereeing an engagement between the Red Team and the Blue Team. In an exercise, the White Team acts as the judges: it enforces the rules of the exercise, observes it, scores the teams, and resolves any problems that arise.
international data encryption algorithm (IDEA)
symmetric block cipher with a 128-bit key and a 64-bit block; best known from early versions of PGP.
multifactor authentication (MFA) factors and attributes
3 Factors are something you know, something you have, and something you are. Attributes would be somewhere you are, something you can do, something you exhibit, and someone you know.
Birthday Attack
A brute-force attack that searches for any two inputs with the same digest (a hash collision) rather than a match for one specific digest. By the birthday paradox, a collision in an n-bit hash is expected after only about 2^(n/2) attempts, not 2^n, just as a room of 23 people has an even chance of two sharing a birthday. This is why digest length must be about double the desired security level (SHA-256 offers roughly 128-bit collision resistance).
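The 2^(n/2) figure above can be checked directly. The following added example (written for this page, not from it) truncates SHA-256 to a short n-bit hash, hashes sequential messages until two share a digest, and compares the count against the birthday estimate and the 2^n cost of a preimage search. The 32-bit truncation and the message prefix are assumptions chosen so it runs in well under a second.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256 as an integer: a stand-in for a short n-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def expected_birthday_tries(bits: int) -> float:
    """Expected number of random inputs before two collide: about 1.25 * 2**(bits/2)."""
    return 1.25 * 2 ** (bits / 2)


def brute_force_preimage_bound(bits: int) -> int:
    """Contrast: matching one fixed digest needs about 2**bits tries."""
    return 2 ** bits


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash distinct messages, remembering each digest, until one repeats.
    Returns (message_a, message_b, hashes_computed). Deterministic: messages are
    prefix + counter, so the same `bits` gives the same collision every run."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    bits = 32
    a, b, tries = find_collision(bits)
    print(f"{bits}-bit collision after {tries} hashes "
          f"(birthday estimate {expected_birthday_tries(bits):.0f}, "
          f"preimage bound {brute_force_preimage_bound(bits)}): {a!r} vs {b!r}")
```

For 32 bits the collision typically appears after tens of thousands of hashes, against a preimage bound of over four billion; the same ratio is why a 64-bit digest is considered broken for signatures and why MD5 collisions (128-bit digest, 2^64 birthday bound even before its structural flaws) became practical.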
Common Access Card (CAC)
A Department of Defense (DoD) smart card used for identification for active-duty and reserve military personnel along with civilian employees and special contractors.
dd command
A Linux command that is commonly used to create an image of a partition or disk
MAC address
A Media Access Control address is a 48-bit hardware address that uniquely identifies each network interface. The first 3 bytes are the manufacturer's Organizationally Unique Identifier (OUI); the last 3 bytes are the device-specific identifier assigned by that manufacturer. Easily changed in software, so it must not be relied on for authentication.
Remote Access Trojan (RAT)
A Trojan that also gives the threat agent unauthorized remote access to the victim's computer by using specially configured communication protocols. The ultimate backdoor.
Trusted Platform Module (TPM)
A chip on the motherboard of the computer that provides cryptographic services. Full disk encryption (FDE) can use the burned-in TPM keys to verify that the local device hasn't changed, and there are security features in the TPM that will prevent brute-force or dictionary attacks against the full disk encryption login credentials.
Block Cipher
A cipher that encrypts a fixed-size block of plaintext at a time, typically 64 bits (DES, 3DES) or 128 bits (AES). If the plaintext is not a multiple of the block size, padding (e.g., PKCS#7) fills the final block. Block ciphers are symmetric, so they encrypt quickly with little overhead, and a mode of operation (CBC, CTR, GCM) defines how a sequence of blocks is handled; ECB, which encrypts each block independently, leaks patterns.
Access Control List (ACL)
A clearly defined list of rules that specifies what actions an authenticated user, or a given network source, may perform on a resource. Network ACLs deployed on routers filter traffic by source and destination address, protocol, and port, and can confine sensitive traffic to a specific subnet.
thin client
A client that relies on another host for the majority of processing and hard disk resources necessary to run applications and share files over the network.
Serverless Architecture
A cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers.
Platform as a Service (PaaS)
A cloud service in which consumers can install and run their own specialized applications on the cloud computing network. Deploy web servers, databases, and developmental tools in a cloud.
Function as a Service (FaaS)
A cloud service model that supports serverless software architecture. Applications are separated into individual, autonomous functions. The provider manages the operating system and runtime; the developer supplies only the function code.
BASH (Bourne-Again SHell)
A command shell and scripting language for Unix-like systems.
bastion host
A server, typically found in a DMZ, that is hardened and configured to provide a single service to reduce the possibility of compromise.
logic bomb
A computer program or part of a program that lies dormant until it is triggered by a specific logical event.
Embedded System
A computer system with a dedicated function within a larger electrical or mechanical system. Built with the single function in mind.
Transmission Control Protocol (TCP)
A connection-oriented protocol that establishes a session (three-way handshake) between endpoints and provides reliable, ordered delivery with acknowledgements and retransmission. Firewall rules filter on TCP ports; allow only the ports of the services you intentionally expose rather than blocking or permitting all inbound TCP.
User Datagram Protocol (UDP)
A connectionless protocol with no handshake and no guarantee of delivery or ordering; used where low latency matters (DNS, DHCP, VoIP, streaming).
Internet Protocol (IP)
A connectionless protocol that addresses and routes packets between networks.
plaintext attack
A cryptographic attack in which the attacker has, or can choose, plaintext and obtains the matching ciphertext (known-plaintext / chosen-plaintext attack), or submits chosen ciphertext for decryption and studies the result (chosen-ciphertext attack), looking for clues to the key. Modern ciphers such as Advanced Encryption Standard (AES) are designed to resist these attacks; legacy ciphers and weak modes of operation are not.
Redundant Array of Independent Disks (RAID)
A data storage scheme that spreads or replicates data across multiple hard drives. Most configurations (RAID 1, 5, 6, 10) continue to operate if a drive fails; RAID 0 does not.
directory service
A database stored on the network itself that contains information about users and network devices.
static code analyzer
An analysis tool that reads source code without running it, flagging patterns such as memory allocations with no matching deallocation, unchecked input, or insecure API calls.
Delphi Technique
A decision-making technique in which group members do not meet face-to-face but respond in writing to questions posed by the group leader.
Load Balancer
A dedicated network device that distributes requests across multiple servers based on factors such as load, health checks, and session affinity. Used to configure a group of redundant web servers.
VPN concentrator
A device that terminates and aggregates many VPN connections. It is usually placed at the network perimeter near the gateway, alongside or behind the firewall, rather than anywhere in the internal network.
multifunction device (MFD)
A device that offers multiple functions (such as printing, scanning, and faxing) in a single unit.
power distribution unit (PDU)
A device that distributes power from one source to multiple outlets (for example within a rack). Managed PDUs also monitor load and can report back any power problems.
blockchain ledger
A distributed, append-only public ledger, best known for recording cryptocurrency transactions. Because each block is chained by hash to the previous one, it can be used to track or verify components, digital media, votes, or other objects.
Sector Wireless Antenna
A directional antenna whose radiation pattern covers a wedge (sector) of a circle, measured in degrees of arc; several sector antennas together cover 360 degrees.
Yagi wireless antenna
A directional antenna with high gain and narrow radiation pattern
fog computing
A distributed architecture that processes data close to where it is generated, between the local IoT device and the cloud, instead of consolidating everything in one place. Data an IoT device needs for local decisions stays local; only what needs cloud processing is sent on.
Refactoring
A driver (or other code) manipulation technique. Refactoring rewrites code without changing its behavior; legitimately this fixes bugs, patches code, and tightens security without changing functionality, but malware authors use it to produce a differently structured program on each download so that no signature matches.
NIC teaming
A feature that allows multiple network interfaces to work in tandem to increase available bandwidth and provide load balancing and fault tolerance without a load balancer.
Subject Alternative Name (SAN)
A certificate extension that lists additional identities the certificate is valid for, such as extra DNS hostnames or IP addresses, so one certificate can cover several names.
Fileless virus
Malware that runs entirely in memory using legitimate tools already present on the system (PowerShell, WMI, macros) rather than writing an executable to disk, which makes it efficient at avoiding file-scanning anti-virus protection.
Next-Generation Firewall (NGFW)
A firewall that adds application-layer awareness, intrusion prevention, and anti-malware inspection to traditional stateful packet filtering, so it can identify and control traffic by application rather than by port alone. A mitigation control.
Pointer/object dereference
A flaw in which a pointer that holds NULL (or another invalid value) is dereferenced, raising an exception that crashes the application; the crash may drop to a command prompt or expose information about the system. Can be leveraged for a DoS attack and, in some cases, remote code execution. C/C++ or any language that exposes raw pointers is susceptible.
Software as a Service (SaaS)
A form of cloud computing where a firm subscribes to a third-party software and receives a service that is delivered online. Deploys suite of applications.
Structured Threat Information eXpression (STIX)
A standardized language (JSON-based in STIX 2) for describing cyber threat intelligence such as indicators, attack patterns, and threat actors so it can be shared between organizations; commonly transported with TAXII.
Personal Identity Verification (PIV)
The FIPS 201 smart-card standard for identity credentials issued to U.S. federal employees and contractors.
Man-in-the-middle (MITM) attack
An attacker placing themselves between a client and a host to intercept, and possibly alter, network traffic; now called an on-path attack. Session hijacking is a related but distinct attack in which a live session token is stolen.
Phreaker
A hacker who manipulates the public telephone system to make free calls or disrupt services.
WEP (Wired Equivalent Privacy)
A legacy wireless security protocol that uses the shared key both to authenticate network clients and to encrypt data in transit with RC4. Requires a 40-bit or 104-bit key combined with a 24-bit IV; IV reuse makes it trivially crackable, so it should not be used.
XML (Extensible Markup Language)
A markup language that uses tags to structure data so it can be exchanged between applications; widely used for importing or exporting data and in web services.
Watering Hole Attack
An attack that compromises a website known to be visited by a specific group of targets, so that visitors to the legitimate site are infected.
Pretty Good Privacy (PGP)
A method of encrypting, signing, and decrypting e-mail messages and files. Instead of a CA hierarchy it uses a web of trust, in which users vouch for the validity of each other's public keys.
Banner Grabbing
A method of gathering information about a remote system by reading the banner a service returns on connection, which often reveals the operating system, server software, and version. An attacker uses this to select exploits; a defender can use the same technique to find what their services leak and suppress or generalize the banners.
Microservice Architecture
A microservice architecture means that your app is made up of lots of smaller, independent applications capable of running in their own memory space and scaling independently from each other across potentially many separate machines.
Omni Wireless Antenna
An antenna that radiates uniformly in all directions in one plane, with a radiation pattern shaped like a doughnut.
NFV (Network Functions Virtualization)
A network architecture that runs network functions (firewalls, load balancers, routers) as software on virtualized commodity hardware instead of dedicated physical appliances.
DHCP (Dynamic Host Configuration Protocol)
A network service that provides automatic assignment of IP addresses and other TCP /IP configuration information. (UDP 67, 68)
Nessus
A network vulnerability scanner that identifies missing patches, misconfigurations, and known vulnerabilities on hosts.
NAC (Network Access Control)
A network service that checks that devices comply with the organization's policy (patch level, antivirus, configuration) before granting them access, and quarantines those that do not.
Initialization Vector (IV)
A per-message value combined with the key so that encrypting the same plaintext twice yields different ciphertext. For CBC the IV must be unpredictable; for counter modes it must never repeat under the same key.
HOTP (HMAC-based one-time password)
A one-time password computed with HMAC from a shared secret and a counter that advances on each use (a specific event, such as pressing the token's button). Unlike TOTP, it is not time-based, so the server must tolerate a small counter look-ahead window.
Pass the hash
A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.
Static password
A password that is the same for each login; generated by the user.
WEP key
A shared secret configured on both a wireless device and the access point when Wired Equivalent Privacy (WEP) security is in use.
VM Sprawl Avoidance
Preventing the situation in which the number of virtual machines (VMs) on a network grows beyond what the administrator can manage effectively. A policy for developing, deploying, and retiring VMs must be established and enforced.
spear phishing
A phishing attack that targets only specific users.
Business Continuity Plan
A plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption
Offline UPS (uninterruptible power supply)
A power supply that provides continuous voltage to a device by switching virtually instantaneously to the battery when it detects a loss of power from the wall outlet. Upon restoration of the power, the standby UPS switches the device back to AC power.
Cipher Block Chaining (CBC)
A block-cipher mode in which each block of plaintext is XORed with the immediately preceding block of ciphertext (the first block with an initialization vector) before it is encrypted with the block cipher, for example DES or AES. Identical plaintext blocks therefore produce different ciphertext, unlike ECB mode.
formatting a disk
A process of preparing a disk so that data can be saved to it and read from it.
Configuration Management
A process that ensures that the descriptions of a system's components and settings are correct and complete, and that changes to them are tracked and controlled.
FPGA (Field Programmable Gate Array)
An integrated circuit whose logic can be programmed by the customer after manufacture to perform a specific function, rather than being fixed at the time of manufacture.
Trojan
A program disguised as a harmless application that actually produces harmful results. Attackers can sneak their software onto your system.
RTOS (real time operating system)
An operating system that guarantees a response within a deterministic time for particular computing tasks; if a deadline is missed the application is useless. Found in many types of robotic and embedded equipment. Processes data with little to no latency.
SCP (Secure Copy Protocol)
A protocol that copies files over an SSH connection (TCP 22), so the transfer is encrypted and authenticated.
Spanning Tree Protocol (STP)
A protocol that enables switches to detect and repair bridge loops automatically. The primary loop protection on an Ethernet network.
Secure Sockets Layer (SSL)
A protocol that provides authentication and encryption for traffic between the application and transport layers; formerly used by most servers for secure exchanges over the Internet. All SSL versions are deprecated and superseded by Transport Layer Security (TLS).
OCSP (Online Certificate Status Protocol)
A protocol used by a browser to ask the CA's responder whether a certificate has been revoked. With OCSP stapling, the web server periodically fetches a signed OCSP response for its own certificate and includes ("staples") it in the SSL/TLS handshake, so clients need not contact the CA themselves and client traffic to the CA is avoided.
POP3 (Post Office Protocol version 3)
A protocol used for retrieving email from a mailbox on the mail server. TCP 110 (TCP 995 when wrapped in TLS).
FTP (File Transfer Protocol)
A protocol used to move files and folders over a network or the Internet, in clear text. TCP 21 (control) and TCP 20 (data, in active mode).
SMB (Server Message Block)
A protocol used to share files, serial ports, printers, and communications devices, including mail slots and named pipes, between computers. TCP 445
ICMP (Internet Control Message Protocol)
A protocol used to test and report on path information between network devices.
application proxy
A proxy service that connects programs running on internal networks to services on exterior networks by creating two connections; one from the requesting client and another to the destination service
Transparent Proxy
A proxy that intercepts traffic without requiring any configuration on the user's computer; users may not even be aware it is there.
Virtual Private Network (VPN)
Uses a public network, such as the internet, to carry encrypted traffic so that separate sites or remote users can communicate securely. Common protocols: IPsec and TLS; legacy tunneling protocols include PPTP (insecure) and L2TP (which relies on IPsec for encryption).
Wireless Site Survey
A radio frequency (RF) site survey is the first step in deploying a wireless network: it measures signal coverage, channel usage, and interference to plan access point placement. A survey also reveals unauthorized access points operating in the area.
Threat maps
A real-time map of the computer security attacks that are going on at any given time.
switch log
A rogue access point would be difficult to identify once it's on the network, but at some point the access point would need to physically connect to the corporate network. An analysis of switch interface activity would be able to identify any new devices and their MAC addresses
Antispoofing
A router (or firewall) function that compares the source address of incoming and outgoing packets against an ACL and drops packets whose source address could not legitimately arrive on that interface.
SSH (Secure Shell Protocol)
A protocol for secure remote command-line access over an encrypted channel between client and server. TCP/22. Used to access a switch or server through a Command Line Interface (CLI); the secure replacement for Telnet.
SRTP (Secure Real-Time Transport Protocol)
A security profile for RTP that adds confidentiality. Used to secure VoIP traffic. Talk with customers on scheduled conference calls.
TLS (Transport Layer Security)
A security protocol that uses certificates and public key cryptography to authenticate the server (and optionally the client, for mutual authentication) and to negotiate keys for encrypting data over a TCP/IP connection.
SIEM (Security Information and Event Management)
A security system that collects and correlates security logs and events from across the organization into a central repository for alerting and analysis. Often backed by Write Once Read Many (WORM) storage so collected logs cannot be altered.
hot site
A separate and fully equipped facility where the company can move immediately after a disaster and resume business
cold site
A separate facility that does not have any computer equipment, but is a place where employees can move after a disaster. Takes a long time to bring online for disaster recovery. Not available for testing.
warm site
A separate facility with computer equipment that requires installation and configuration
Application Programming Interface (API)
A set of software routines that allows one software system to work with another.
Baseline Configuration
A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
DES (Data Encryption Standard)
A symmetric (shared/private key) encryption algorithm that uses a 56-bit key to encode data in 64-bit blocks. The short key makes it brute-forceable today; it has been replaced by AES.
Monolithic Application
A single-tier application running on a single computer. Contains all decision making processes.
DMZ (demilitarized zone)
A small section of the network placed between two firewalls (or on a separate firewall interface) that hosts public-facing services. Only the ports of those services should be open on the Internet side (for a web server, TCP 80 and 443), and the inner firewall restricts what DMZ hosts may reach on the private network.
Cipher Lock
A lock opened by entering a code on a keypad rather than with a physical key. Programmable cipher locks allow a unique code for each user, so access can be logged and individually revoked.
bastion host
A system exposed to an untrusted network that is hardened to resist attack: unnecessary services removed, fully patched, and closely monitored. Firewalls and other perimeter devices should be hardened in the same way.
NIDS (Network intrusion detection system)
A system that monitors network traffic and alerts on unauthorized activity but does not block it. Cannot inspect encrypted payloads. Low maintenance.
Prepending
A social engineering technique of adding text or characters to the front of something to mislead the reader: for example, prepending "RE:" or "SAFE" to an email subject so it appears legitimate or already screened, or placing characters before a web link so the real destination is not noticed (as in data URL phishing). Also describes attackers prepending a victim's name or details to social media posts or messages to make them seem personal.
Captive Portal
A technical solution that forces wireless clients using web browsers to complete a process before accessing a network. It is often used to ensure users agree to an acceptable use policy or pay for access.
Buffer Overflow
A technique for crashing or hijacking a program by sending more data than the receiving buffer in memory can hold, so adjacent memory is overwritten. Example of improper input handling. To prevent: bounds-check all input, use memory-safe languages or safe library functions, and enable compiler and OS protections (stack canaries, ASLR, DEP).
Warflying
A technique hackers use to locate insecure wireless networks while flying around
Quantum computing
A technology that applies the principles of quantum physics and quantum mechanics to computers to direct atoms or nuclei to work together as quantum bits (qubits), which function simultaneously as the computer's processor and memory.
Write Once Read Many (WORM)
Storage that allows data to be written once and thereafter only read, so records cannot be altered or deleted. Used by a SIEM to preserve the integrity of collected log events.
PowerShell script
A text file of PowerShell commands that can be executed as a batch.
Network Address Translation (NAT)
A function, usually on a router or firewall, that rewrites IP addresses so that multiple internal computers share a single public Internet address. It hides internal addressing but is not itself a firewall.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates. Implementation: Trust a website without prior contact with the site owner
Downgrade Attack
A type of attack that forces a system to negotiate down to a lower-quality method of communication. The attacker then exploits the lesser security control. Happens more with legacy systems. Often used with MITM attacks.
HIPS (host-based intrusion prevention system)
A type of intrusion prevention that runs on a single computer, such as a client or server, to intercept and help prevent attacks against that one host.
Replay Attack
A type of network attack in which the attacker captures traffic and retransmits it later to gain unauthorized access. Encryption alone does not stop it, since ciphertext can be replayed as-is; the defenses are timestamps, nonces, and sequence numbers that make each message valid only once.
differential backup
A type of partial backup that involves copying all changes made since the last FULL backup.
incremental backup
A type of partial backup that involves copying only the data items that have changed since the last incremental (partial) backup.
Rainbow Table Attack
A type of password attack that uses precomputed tables of password hashes (stored as hash chains to save space) to look up the plaintext for a captured hash. Defeated by salting each password hash, which makes the precomputation impractical.
Crypto-malware
A type of ransomware that encrypts the user's data. The user cannot access their data unless they obtain the key by sending the attacker money.
evil twin
A type of rogue AP. An evil twin has the same SSID as a legitimate AP. Malicious.
configuration compliance scanner
A type of vulnerability scanner that verifies systems are configured correctly such as password control, patches applied, and firewall configurations
Remote Access VPN
A user-to-LAN virtual private network connection used by remote users.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are re-created for each session.
VDI (Virtual Desktop Infrastructure)
A virtualization implementation that separates the personal computing environment from a user's physical computer.
Application Containerization
A virtualization method that allows an organization to run applications without launching an entire virtual machine. Also known simply as containerization.
macro virus
A virus that attaches itself to a document that uses macros. Can infect files that are written in the same language as the macro virus is written.
stealth virus
A virus that hides itself from antivirus software and from OS by remaining in memory
race conditions
A vulnerability that occurs when the outcome depends on the timing or ordering of events, such as a check followed by a use (TOCTOU), and an attacker changes state in between. Typically arises when a shared variable or resource is accessed by several threads without proper locking.
WiFi Protected Setup (WPS)
A way to set up a wireless network by using a push button, a personal identification number (PIN), or a USB key to automatically configure devices to join the network. The 8-digit WPS PIN is validated in two halves (4 digits, then 3 digits plus a checksum), leaving only about 11,000 possible combinations, so a brute force attack is feasible if the access point does not lock out repeated guesses.
Cookie Poisoning
A web server stores persistent settings on the client in a small text record called a cookie. In this attack the cookie is modified to change the persistent data or the user identity associated with it. Mitigation: sign or encrypt cookies and keep authorization state server-side.
WPA (Wi-Fi Protected Access)
The interim wireless security protocol that replaced WEP (using TKIP for encryption) while keeping support for older wireless clients; now superseded by WPA2 and WPA3.
Predictive Analysis
Using AI and machine learning to detect breaches before they occur: learning algorithms constantly monitor, learn, and evolve to detect new and emerging threats.
controller-based WAP
Allows you to manage all WAP's in the network from a centralized location.
Reverse Proxy
Also called a surrogate proxy. Routes requests coming from an external network to the correct internal server
Anomaly-based detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normal activity. Can catch novel attacks that have no signature, but is the most likely method to produce false alerts.
Hyperlink Spoofing
Also referred to as Web spoofing, is used by an attacker to persuade the Internet browser to connect to a fake server that appears as a valid session.
IKE (Internet Key Exchange)
The IPsec protocol that authenticates the two peers (with X.509 certificates or a pre-shared key) and negotiates the security associations and session keys.
SAML (Security Assertion Markup Language)
An XML-based standard used to exchange authentication and authorization information between different parties.
Message Digest 5 (MD5)
A hash algorithm that produces a 128-bit digest (usually shown as 32 hexadecimal characters) of a file or storage media. Used to determine whether data has been changed, but collisions can now be generated cheaply, so it should not be relied on where an attacker could substitute data; prefer SHA-256.
Stream Cipher
An algorithm that encrypts data one byte (or bit) at a time by XORing it with a keystream derived from the key. This is fast, needs little hardware or CPU, and involves no padding, but reusing a keystream (same key and IV) reveals the XOR of the two plaintexts.
Backdoor
An alternate method of accessing a system that bypasses normal authentication. Malware often adds a backdoor after it infects a system, allowing an attacker to return at any time without any user intervention. If there are inbound or outbound traffic flows that cannot be identified, isolate that computer and examine it for signs of compromise.
integer overflow
An application attack that supplies or creates a numeric value larger than the variable can hold, so it wraps around (for example to a negative or very small number) and later logic such as a buffer size calculation goes wrong. Proper input handling and error handling thwart the attack.
LDAP injection
An application attack that targets web-based applications by fabricating LDAP (Lightweight Directory Access Protocol) statements that are typically created by user input.
mantrap
An area between two doorways, meant to hold people until they are identified and authenticated. Will control access to the data center.
ECDSA (Elliptic Curve Digital Signature Algorithm)
An asymmetric digital signature system based on elliptic curve cryptography: the authenticator signs with a private key and the host verifies with the matching public key; it gives security equivalent to RSA with much shorter keys.
Collision Attack
An attack on a hash function in which a specific input is generated to produce a hash function output that matches another input.
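As an added worked example (not part of the original card set) for the Birthday Attack and Collision Attack cards, a generic collision search in Python against a digest deliberately truncated to 24 bits (SHA-256 shortened so the search finishes in a fraction of a second), alongside the birthday-paradox arithmetic the cards refer to. The truncation width and the message format are assumptions of the example; a real attacker runs the same loop against a weak full-width hash.

```python
import hashlib
import math


def short_hash(data: bytes, bits: int = 24) -> int:
    """SHA-256 truncated to `bits` bits: a stand-in for a weak or short digest."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_threshold(space_size: int) -> int:
    """Samples after which a collision is about 50% likely: sqrt(2 ln 2) * sqrt(N)."""
    return math.ceil(1.1774 * math.sqrt(space_size))


def find_collision(bits: int = 24, max_trials: int = 1_000_000):
    """Birthday attack: hash distinct messages until two digests match.

    Returns (message_a, message_b, trials) or None if max_trials is exhausted.
    Memory holds one entry per digest seen, so the cost is ~2^(bits/2), not 2^bits.
    """
    seen = {}  # digest -> first message that produced it
    for i in range(max_trials):
        msg = f"message-{i}".encode()           # constructed distinct inputs
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday) = 1 - P(all distinct)."""
    p_all_distinct = 1.0
    for k in range(people):
        p_all_distinct *= (days - k) / days
    return 1.0 - p_all_distinct


if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {birthday_probability(23):.3f}")
    print(f"50% threshold for a 24-bit digest: {birthday_threshold(2 ** 24)} inputs")
    a, b, trials = find_collision()
    print(f"collision after {trials} trials: {a!r} and {b!r} -> {short_hash(a):#08x}")
```

For a 24-bit digest the search typically succeeds after a few thousand hashes, close to the 4823 predicted by the threshold formula, which is why 64-bit digests (32 bits of collision resistance) are considered broken and why MD5's 128 bits were never comfortable.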
Wireless jamming
An attack that floods the wireless frequency with RF noise so that mobile devices lose their association with corporate access points while the attack is underway. A physical-layer DoS.
Domain Hijacking
An attack that changes the registration of a domain name without permission from the owner.
Request forgeries
An attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.
XML injection
An attack that injects XML (Extensible Markup Language) tags and data into a database.
DLL injection
An attack that injects a Dynamic Link Library (DLL) into the memory of a running process and makes it execute, so the attacker's code runs with that process's privileges. Attackers may also replace a legitimate DLL with one containing malicious code.
Cross-Site Scripting (XSS)
An attack that injects scripts into a web application so that they run in other users' browsers, where they can steal session cookies or act as the victim. Mitigation: implement input validation and encode output.
Disassociation attack
An attack that sends spoofed 802.11 disassociation or deauthentication frames to knock wireless clients off a wireless network. Type of DoS attack; also used to force clients to reconnect so the handshake can be captured.
Bluejacking
An attack that sends unsolicited messages to Bluetooth-enabled devices.
DNS poisoning
An attack that inserts false records into a DNS server's or resolver's cache so that a name resolves to an attacker-controlled address and clients are silently redirected to the attacker's device.
Directory Traversal
An attack that uses a path such as ../../Windows/... in a request to move out of the web root into restricted directories. Each pair of dots (..) refers to the parent directory, so ../../ attempts to move back two parent directories before proceeding into the /Windows directory. In a properly configured web server, this traversal should not be possible.
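As an added worked example (not part of the original card set), the check a web server needs to make the traversal above impossible, in Python: the requested path is URL-decoded (twice, to catch double encoding such as %252e), normalized, and rejected unless the result still lies under the document root. The document root and the request strings are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the example


def resolve_request_path(web_root: str, requested: str) -> Optional[str]:
    """Map a URL path to a filesystem path, refusing anything that escapes web_root."""
    root = posixpath.normpath(web_root)
    # Decode twice so "%2e%2e%2f" and "%252e%252e%252f" both become "../".
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:                       # NUL bytes truncate paths in C-based servers
        return None
    decoded = decoded.replace("\\", "/")        # treat backslashes as separators too
    # normpath collapses "a/../b" and "./", so ".." is resolved before the check.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None                                  # escaped the root: reject the request


if __name__ == "__main__":
    for req in ("images/logo.png", "docs/../index.html", "../../Windows/win.ini",
                "%2e%2e/%2e%2e/etc/passwd", "..%252f..%252fetc/shadow"):
        print(f"{req!r:32} -> {resolve_request_path(WEB_ROOT, req)}")
```

Note that the check compares the normalized result against the root rather than searching the input for "..": a request like docs/../index.html is legitimate and still resolves inside the root, while any encoding trick that decodes to a parent traversal lands outside it and is refused.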
Client-Side Request Forgery (Cross-Site Request Forgery, CSRF)
An attack that takes advantage of the browser automatically sending the session cookie or other authentication token to a site the user is logged into: a malicious page triggers a request that the site processes with the victim's identity and privileges. Mitigation: anti-CSRF tokens and SameSite cookies.
session hijacking attack
An attack where the attacker exploits a legitimate session to obtain unauthorized access to an organization's network or services. Mitigation: Encrypt communications between the two parties.
SQL Injection
An attacker supplies SQL syntax in a URL parameter or a form field on a company's website; if the web server concatenates that input into a query, the database executes the attacker's SQL, allowing them to bypass login screens, return usernames and passwords, or crash the application. An example of improper input handling. Mitigation: parameterized queries (prepared statements) and input validation, rather than merely filtering SQL symbols.
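As an added worked example (not part of the original card set), the login bypass described above and its fix, in Python with an in-memory SQLite database: the vulnerable function builds the query by string formatting, the safe one passes the values as parameters. The table, rows, and attack strings are constructed for the example; a real application would store password hashes, not plaintext.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is pasted into the statement, so the attacker controls SQL syntax.
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver sends values separately from the SQL text,
    # so quotes, OR and -- inside the input are just characters to compare against.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    attacks = [("alice", "' OR '1'='1"),   # tautology: ... OR '1'='1' is always true
               ("alice'--", "anything")]  # comment out the password check entirely
    for user, pw in attacks:
        print(f"{user!r}/{pw!r}: vulnerable={login_vulnerable(conn, user, pw)} "
              f"safe={login_safe(conn, user, pw)}")
```

Both payloads log in through the vulnerable function without knowing any password and fail against the parameterized one, which is why prepared statements, not symbol blacklists, are the primary defense.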
Media Access Control (MAC) flooding
An attacker floods a switch with Ethernet frames carrying many different source MAC addresses until the switch's MAC (CAM) table, which maps MAC addresses to ports, is full. Legitimate entries are pushed out and the switch floods frames to all ports like a hub, letting the attacker sniff traffic. Mitigation: port security limiting MAC addresses per port.
Supply-chain attacks
An attempt to exploit a weakness/vulnerability in the process that produces a service.
OpenID Connect (OIDC)
An authentication layer that sits on top of the OAuth 2.0 authorization protocol. Provides the authentication in OAuth.
full tunnel
An encrypted connection used with VPNs. When a user is connected to a VPN, all traffic from the user is encrypted. Compare with split tunnel.
HTTPS (Hypertext Transfer Protocol Secure)
An encrypted version of HTTP: HTTP carried over TLS on TCP port 443. Used, for example, to accept customer purchases from your primary website.
one-time pad (OTP)
An encryption method that XORs the message with a truly random key at least as long as the message, with each key used only once; under those conditions it is provably unbreakable. Reusing the pad, or using a predictable key, destroys that guarantee.
Perfect Forward Secrecy (PFS)
An encryption method that ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. Implementation: Use a different encryption key for each session
Password Authentication Protocol (PAP)
An authentication protocol (not an encryption technology) in which a user's name and password are transmitted over the network and compared to a table. Security issues: the credentials are sent in clear text, so anyone sniffing the link can read them. Replaced by CHAP and EAP.
copy backup
An exact duplicate of a system at a particular point in time. It does not let you keep several versions of an image on one backup medium, but it is a complete copy that can be stored offsite and used later to restore the system.
FTPS (File Transfer Protocol Secure)
An extension of FTP that uses TLS (formerly SSL) to encrypt FTP traffic. Implicit FTPS uses TCP 990 (control) and 989 (data); explicit FTPS upgrades a normal port-21 connection with AUTH TLS. Not the same as SFTP, which runs over SSH.
RC4 (Rivest Cipher 4)
A stream cipher once used everywhere (WEP, WPA-TKIP, early TLS) but now considered insecure because of biases in its keystream; its use in TLS is prohibited by RFC 7465 and it is being removed from remaining products.
Insecure Protocols
An insecure protocol transmits information "in the clear," without encryption or integrity protection, so credentials and data can be sniffed. Examples: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) without TLS, Telnet, HTTP, and SNMPv1/v2. Secure replacements: SFTP or FTPS, SMTPS/STARTTLS, IMAPS, Secure Shell (SSH) in place of Telnet, HTTPS, SNMPv3.
rogue access point (rogue AP)
An unauthorized wireless access point (WAP) installed in a computer network. Potential backdoor.
Standard Naming Convention
Applying consistent names and labels to assets and digital resources/identities within a configuration management system.
Cryptographic nonce
An arbitrary number used once ("for the nonce" means "for the time being"): a random or pseudo-random value that cannot reasonably be guessed, or simply a counter. Example use during login: the server sends the client a nonce, the client calculates its password hash together with the nonce, and sends the result back. Because the nonce differs every time, each response sent to the host is different, so a captured response cannot be replayed.
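As an added worked example (not part of the original card set), the nonce-based login exchange described above in Python, with both sides shown: the server issues a random 16-byte nonce and marks it used when a response arrives; the client answers with an HMAC of its password hash over the nonce. The demonstration then replays a captured (nonce, response) pair and shows it is rejected. The user table, the HMAC-over-nonce construction, and the use of plain SHA-256 as the stored password hash are assumptions of the example (a real system would use a slow password KDF and bind the username into the response).

```python
import hashlib
import hmac
import os

# Server-side store: username -> stored password hash (constructed sample data).
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").digest()}


class AuthServer:
    def __init__(self):
        self.pending = {}  # nonce -> username; each nonce is consumed on first use

    def challenge(self, username: str) -> bytes:
        nonce = os.urandom(16)                   # unpredictable, never reused
        self.pending[nonce] = username
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        username = self.pending.pop(nonce, None)  # unknown or already-used nonce -> fail
        if username is None:
            return False
        expected = hmac.new(USERS[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(password: str, nonce: bytes) -> bytes:
    """Client: hash the password, then MAC the server's nonce with it."""
    pw_hash = hashlib.sha256(password.encode()).digest()
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


def demo() -> dict:
    server = AuthServer()
    n1 = server.challenge("alice")
    r1 = client_response("correct horse battery staple", n1)
    first = server.verify(n1, r1)                # genuine login succeeds
    replay = server.verify(n1, r1)               # attacker resends the captured pair
    n2 = server.challenge("alice")
    cross = server.verify(n2, r1)                # captured response against a fresh nonce
    n3 = server.challenge("alice")
    wrong = server.verify(n3, client_response("wrong password", n3))
    return {"first": first, "replay": replay, "cross": cross, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
```

The password hash never crosses the wire; only the nonce and a MAC keyed by it do, and since every nonce is accepted at most once, a sniffed exchange is worthless a second time.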
RSA Algorithm
Asymmetric cryptography. Named after its inventors Rivest, Shamir, and Adleman, RSA encrypts, decrypts, and signs messages using a key pair that share a modulus formed as the product of two large prime numbers; its security rests on the difficulty of factoring that product. Protects messages travelling between two points and underlies most TLS certificates.
on-path attack
An attack, formerly called man-in-the-middle, in which a third party positions itself between two hosts and actively intercepts their traffic. The entity in the middle cannot present a valid certificate for a third-party website, so the browser shows a warning such as "Your connection is not private"; users should not click through it.
Side Channel Attack
An attack that uses information leaked by an implementation (timing, power consumption, electromagnetic emissions, cache behavior) rather than a weakness in the algorithm to recover keys or sensitive data. Mitigations are high-resiliency designs such as constant-time implementations that do not let secret values influence timing or power draw.
resource exhaustion
An attack in which a malicious user runs code or requests against a machine repeatedly until CPU, memory, disk, or connection resources are exhausted and legitimate users are denied service. Denial of Service (DoS) and Distributed Denial of Service (DDoS) are examples.
ARP (Address Resolution Protocol) Poisoning
Attacker sends out spoofed ARP messages onto a LAN to associate their machine with another host IP. Allows attacker to intercept data.
DHCP Starvation
Attacker uses all available DHCP addresses on DHCP server, leaving none for legit use
API attacks
Attackers look for vulnerabilities in this communication path: data exposure, DoS, intercepted communication, excessive privileged access, injection attacks, and on-path (MITM) interception.
RFID attacks
Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS.
dictionary attack
Attempt to break a password by trying every word in a word list (dictionary) of likely passwords, often with common variations, rather than every possible combination as in brute force.
Quantitative Risk Analysis
Attempts to predict the likelihood a threat will occur and assigns a monetary value in the event a loss occurs.
AAA Framework
Authentication, Authorization, and Accounting