Sec+ Notes


incident response process

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Document/Lessons learned

Layer 2 Tunneling Protocol (L2TP)

A VPN protocol that does not offer any encryption or protection so it is usually paired with IPsec.

Counter (CTR)

A block cipher mode of operation in which both the message sender and receiver maintain a counter that produces a new value for each ciphertext block exchanged.

Measured Boot

A boot attestation procedure in which the computer's firmware logs the boot process so it can be sent to a trusted server to assess the security.

Block Cipher

A cipher that manipulates an entire block of plaintext at one time.

Access Control List (ACL)

A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.

Cipher Block Chaining Message Authentication Code (CBC-MAC)

A component of CCMP that provides data integrity and authentication.

Simultaneous Authentication of Equals (SAE)

A component of WPA3 that is designed to increase security at the time of the handshake when the key is being exchanged.

forward proxy

A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.

adversary tactics, techniques, and procedures (TTP)

A database of the behavior of threat actors and how they orchestrate and manage attacks.

port TAP (test access point)

A device that transmits the send and receive data streams simultaneously on separate dedicated channels so that all data arrives at the monitoring tool in real time.

fusion center

A formal repository of information from enterprises and the government used to share information on the latest attacks.

Diamond Model of Intrusion Analysis

A framework for examining network intrusion events that uses four core interconnected elements that comprise any event.

Extensible Authentication Protocol (EAP)

A framework for transporting authentication protocols that defines the format of the messages.

Software-defined visibility (SDV)

A framework that allows users to create programs in which critical security functions that previously required manual intervention can now be automated.

unified endpoint management (UEM)

A group or class of software tools that has a single management interface for mobile devices as well as computer devices.

NIST Risk Management Framework (RMF)

A guidance document designed to help organizations assess and manage risks to their information and systems.

SED (Self Encrypting Drive)

A hard drive with a circuit built into the disk drive controller chip that encrypts all data to the magnetic media and decrypts all the data from the media automatically.

attestation

A key pair that is "burned" into a security key during manufacturing and is specific to a device model that can verify authentication.

MITRE ATT&CK

A knowledge base of attacker techniques that have been broken down and classified in detail.

NIST Cybersecurity Framework (CSF)

A measuring stick against which companies can compare their cybersecurity practices relative to the threats they face.

software-defined network (SDN)

A network that virtualizes parts of the physical network so that it can be more quickly and easily reconfigured.

Simple Network Management Protocol (SNMP)

A popular protocol used to manage network equipment that is supported by most network equipment manufacturers.

stapling

A process for verifying the status of a certificate by sending queries at regular intervals to receive a signed time-stamped response.

Cipher Block Chaining (CBC)

A process in which each block of unencrypted text is XORed with the block of ciphertext immediately preceding it before it is encrypted using the DES algorithm. Difficult to break.

Online Certificate Status Protocol (OCSP)

A process that performs a real-time lookup of a certificate's status.

Secure Real-time Transport Protocol (SRTP)

A protocol for providing protection for Voice over IP (VoIP) communications.

IPSec

A protocol suite for securing Internet Protocol (IP) communications. Provides authentication (Authentication Header, AH), confidentiality (Encapsulating Security Payload, ESP), and key management.

Domain Name System Security Extensions (DNSSEC)

A protocol that adds additional resource records and message header information for improved security.

reverse proxy

A proxy that routes requests coming from an external network to the correct internal server.

European Union General Data Protection Regulation (GDPR)

A regulation regarding data protection and privacy in the European Union and the European Economic Area (EEA).

Hardware Security Module (HSM)

A removable external cryptographic device.

Endpoint detection and response (EDR)

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats and response to threats.

SSAE SOC 2 Type II

A standard for reports on internal controls that reviews how a company safeguards customer data and how well those controls are operating.

SSAE SOC 2 Type III

A standard for reports on internal controls that can be freely distributed (same as SOC 2 Type II; only the distribution differs).

IEEE 802.1x

A standard, originally developed for wired networks, that provides a greater degree of security by implementing port-based authentication. Used for authentication in WPA2.

Protected EAP (PEAP)

An EAP method designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords.

Security Assertion Markup Language (SAML)

An Extensible Markup Language (XML) standard that allows secure web domains to exchange user authentication and authorization data.

Rule-Based Access Control

An access control scheme that can dynamically assign roles to subjects based on a set of rules defined by a custodian.

Role-Based Access Control (RBAC)

An access control scheme that is considered a more "real-world" access control because it is based on a user's job function within an organization.

Discretionary Access Control (DAC)

An access control scheme that is the least restrictive, giving an owner total control over objects.

Mandatory Access Control (MAC)

An access control scheme that is the most restrictive by assigning users' access controls strictly according to the custodian's desires.

Attribute-Based Access Control (ABAC)

An access control scheme that uses flexible policies that can combine attributes.

Bluesnarfing

An attack that accesses unauthorized information from a wireless device through a Bluetooth connection.

DLL injection

An attack that inserts code into a running process through a DLL to cause a program to function in a different way than intended.

Cyber Kill Chain

An exploitation framework that outlines the steps of an attack in an integrated and end-to-end process like a "chain."

RADIUS

An industry standard authentication service with widespread support across nearly all vendors of networking equipment.

Cloud Security Alliance (CSA)

An organization whose goal is to define and raise awareness of best practices to help secure cloud computing environments.

X.500

Directory services standard on which LDAP and Active Directory (AD) are based.

Requests for comments (RFCs)

Documents that are authored by technology bodies employing specialists, engineers, and scientists who are experts in those areas.

Electronic Code Book (ECB)

The most basic block cipher mode: the plaintext is divided into blocks, and each block is then encrypted separately. Do not use, because repetition in the plaintext shows up as repetition in the ciphertext.

Cryptoperiod

Length of time that a key is valid for use.

Purple Team

Made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

The encryption protocol used for WPA2 that specifies the use of a general-purpose cipher mode algorithm providing data privacy with AES.

X.509

The most widely accepted format for digital certificates as defined by the International Telecommunication Union (ITU).

Stream Cipher

A cipher designed to encrypt a stream of bytes one at a time instead of working on blocks.

shimming

Transparently adding a small coding library that intercepts calls made by a device and changes the parameters passed between the device and the device driver.

ISO 27002

A code of practice for information security management within an organization; contains 114 control recommendations.

ISO 27001

A standard that provides requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive assets so that they remain secure. These assets include the people, processes, and IT systems used to manage risk.

TACACS+

An authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server. The current version of the Terminal Access Controller Access-Control System (TACACS) authentication service.

Galois/Counter Mode (GCM)

A block cipher mode that both encrypts plaintext and computes a message authentication code (MAC) to ensure that the message was created by the sender and was not tampered with during transmission.

ISO 31000

A standard that contains controls for managing risk.

ISO 27701

An extension to ISO 27001 that provides a framework for managing privacy controls to reduce the risk of breaches of individuals' privacy.

Unified threat management (UTM)

A device that combines several security functions: packet filtering, antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering.

Center for Internet Security (CIS)

A nonprofit, community-driven organization that publishes two frameworks. The CIS Controls are controls for securing an organization and consist of more than 20 basic and advanced cybersecurity recommendations. The CIS Benchmarks are frameworks for protecting 48 operating systems and application software products.

Cloud Controls Matrix

A specialized framework (meta-framework) from the CSA of cloud-specific security controls. These controls are mapped to the leading standards, best practices, and regulations regarding cloud computing and are generally regarded as the authoritative source of information (reference architecture) on securing cloud resources.

White team

Referees; enforce the rules of the penetration test.
