SY0-501 1 - 6
Common use cases (for cryptography) (9)
- Low power devices - Low latency - High resiliency - Supporting confidentiality - Supporting integrity - Supporting obfuscation - Supporting authentication - Supporting non-repudiation - Resource vs. security constraints
Hashing algorithms (4)
- MD5 - SHA - HMAC - RIPEMD
Geographic considerations (5)
- Off-site backups - Distance - Location selection - Legal implications - Data sovereignty
PKI Concepts (6)
- Online vs. offline CA - Stapling - Pinning - Trust model - Key escrow - Certificate chaining
Data roles examples
- Owner - Steward/custodian - Privacy officer
Certificate-based authentication (4)
- PIV/CAC/smart card - IEEE 802.1X
wireless security Methods (5)
- PSK vs. Enterprise vs. Open - WPS - Captive portals
Testing Risk Assessment (2)
- Penetration testing authorization - Vulnerability testing authorization
Incident response process (6)
- Preparation - Identification - Containment - Eradication - Recovery - Lessons learned
Asymmetric Algorithms (8)
- RSA - DSA - Diffie-Hellman - Groups - DHE - ECDHE - Elliptic curve - PGP/GPG
Types of actors (6)
- Script kiddies - Hacktivist - Organized crime - Nation states/APT - Insiders - Competitors
General security policies (2)
- Social media networks/applications - Personal email
Multifactor authentication examples (5)
- Something you are. - Something you have. - Something you know. - Somewhere you are. - Something you do
Things Cryptography supports
- Supporting confidentiality - Supporting integrity - Supporting obfuscation - Supporting authentication - Supporting non-repudiation
Account types (5)
- User account - Shared and generic accounts/credentials - Guest accounts - Service accounts - Privileged accounts
Wireless Cryptographic protocols (4)
- WPA - WPA2 - CCMP - TKIP
Types of certificates (10)
- Wildcard - SAN - Code signing - Self-signed - Machine/computer - Email - User - Root - Domain validation - Extended validation
cryptography algorithms for Obfuscation (3)
- XOR - ROT13 - Substitution ciphers
which format is used to transfer public keys on Windows?
.cer file format (transfers which key)
PKCS #12 file name
.p12 file
PKCS #7 file name
.p7b file
which format is used to transfer private keys on Windows?
.pfx file format (transfers which key)
Symmetric encryption Key strength
128 bit and larger
AES
128-bit block cipher. 128-, 192-, and 256-bit keys
Twofish
128-bit block size, key sizes up to 256. no patent, is in the public domain
SHA-1 (2)
160-bit digest. Retired for most US Gov use
MD5 concerns (2)
1996: collisions found in the MD5 compression function; practical full collisions published in 2004. 2008: researchers used an MD5 collision to create a rogue CA certificate that browsers accepted as legitimate.
NFC
Two-way, short-range (a few centimetres) wireless communication.
AP band selection and bandwidths: 2.4 GHz
2.4 GHz: non-overlapping channels are 1, 6 and 11 (US). 20 MHz channel width.
SHA-1 concerns
2005: a collision attack was published (theoretical); 2017: the first practical collision was demonstrated (SHAttered).
Asymmetric encryption Key strength
3,072 bits and larger
Problem with DES (2)
56 bit keys, easy to brute force with today's tech
Blowfish (4)
64-bit block cipher, variable length key (32 to 448 bits). No known way to break the full 16 rounds of encryption. not limited by patents.
ALE example
7 laptops stolen a year (ARO) x $1,000 lost per laptop (SLE) = $7,000 per year (example of ALE)
Staging Environment
A "production like" environment to run performance tests and test usability and features.
USB blocking (2)
A DLP agent on a workstation that blocks use of USB storage. Prevents exfiltration of data and the loading of malicious files from USB.
permanent (persistent) agent (3)
A NAC agent that is installed on a client. It checks the client for health. Periodic updates may be required
RAT (e.g)
A Trojan horse that sets up a backdoor through which other malware can be installed, e.g. keyloggers, screenshot/video capture, file copying.
Exploitation frameworks
A basic framework that already has built-in mechanisms to deliver a payload and have it execute. All it requires is the exact code to insert to complete the exploit.
Diffie-Hellman key creation process (3)
A combines A's private key with B's public key; B combines B's private key with A's public key. Both computations produce the same shared secret, which is used as a symmetric key. The private keys never cross the wire.
Diffie-Hellman (2)
An asymmetric key-agreement algorithm that establishes a symmetric key over an insecure channel. Does not itself encrypt or authenticate, so it must be paired with authentication (e.g. certificates) to resist man-in-the-middle attacks.
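The exchange described in the two cards above, as an added example (not part of the original flashcards): a toy Diffie-Hellman run with a deliberately small prime so the arithmetic is visible, plus the reason the "does not authenticate" caveat matters. The parameters P and G are constructed for the demo and are far too small for real use; production systems use 2048-bit or larger MODP groups or elliptic curves.

```python
"""Toy Diffie-Hellman: same shared secret on both sides, private keys never sent."""
import secrets

# Constructed toy parameters (insecure, for illustration only): prime p and generator g.
P = 23
G = 5


def keypair(p=P, g=G):
    """Pick a random private exponent and derive the public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p-2
    pub = pow(g, priv, p)
    return priv, pub


def shared_secret(my_priv, their_pub, p=P):
    """Combine my private key with the peer's public value: their_pub^my_priv mod p."""
    return pow(their_pub, my_priv, p)


def dh_exchange():
    """One ephemeral exchange. Fresh keys per call is what gives forward secrecy (DHE/ECDHE)."""
    a_priv, a_pub = keypair()                 # A keeps a_priv, sends a_pub
    b_priv, b_pub = keypair()                 # B keeps b_priv, sends b_pub
    s_a = shared_secret(a_priv, b_pub)        # A: B's public ^ A's private
    s_b = shared_secret(b_priv, a_pub)        # B: A's public ^ B's private
    return s_a, s_b                           # equal: g^(ab) == g^(ba) mod p


def mitm_exchange():
    """Without authentication an attacker M can run a separate DH with each side.

    Returns (A's secret, B's secret, M's secret with A, M's secret with B).
    A and B each agree a key with M, not with each other.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    s_a = shared_secret(a_priv, m_pub)        # A believes m_pub came from B
    s_b = shared_secret(b_priv, m_pub)        # B believes m_pub came from A
    return s_a, s_b, shared_secret(m_priv, a_pub), shared_secret(m_priv, b_pub)


if __name__ == "__main__":
    print("honest exchange:", dh_exchange())
    print("MitM exchange:", mitm_exchange())
```

Because the secret depends only on the exponents, M can decrypt and re-encrypt everything between A and B; this is why TLS signs the ephemeral DH values with the server's certificate.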
Authentication issues (3)
A lapse in any part of the authentication process can open the entire network: weak passwords, too few authentication factors. Failures may let the wrong people in and lock the right people out. MFA also adds more components that can fail.
What environments are WAFs often used?
A major focus of Payment Card Industry Data Security Standard (PCI DSS)
(Digital certificate) Serial Number
A number uniquely identifying the certificate within the domain of its CA
Metasploit
A penetration-testing tool with thousands of known exploits that can be used together to test a system
Whaling
A phishing attack that targets high-profile targets like CEO.
Nonce
A random or pseudo-random number that is used once in a cryptographic communication.
replay attack
Replaying traffic captured from the network (e.g. an authentication exchange or session token) so that the attacker appears to be the original user.
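The two cards above (nonce, replay attack) together, as an added example that is not part of the original deck: a message authenticated with an HMAC over a per-message nonce, and a receiver that rejects both tampered messages and exact replays of a message it has already accepted. The shared key and the payloads are constructed for the demo.

```python
"""Nonce + HMAC: a captured message verifies once, then is rejected as a replay."""
import hashlib
import hmac
import secrets

KEY = b"demo-shared-key"  # constructed; a real key would be provisioned out of band


def make_message(key, payload, nonce=None):
    """Sender side: attach a fresh random nonce and a MAC over nonce||payload."""
    nonce = nonce or secrets.token_bytes(16)
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    return nonce, payload, tag


class Receiver:
    """Receiver side: verify the MAC first, then refuse any nonce seen before."""

    def __init__(self, key):
        self.key = key
        self.seen = set()          # in production: bounded store or sliding window

    def accept(self, nonce, payload, tag):
        expected = hmac.new(self.key, nonce + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "rejected: bad tag"
        if nonce in self.seen:
            return "rejected: replay"
        self.seen.add(nonce)
        return "accepted"


if __name__ == "__main__":
    rx = Receiver(KEY)
    msg = make_message(KEY, b"transfer 100 to acct 42")
    print(rx.accept(*msg))            # accepted
    print(rx.accept(*msg))            # rejected: replay (attacker resends capture)
```

The MAC check runs before the nonce check so an attacker cannot poison the seen-set with forged nonces; a real system also bounds the store (timestamps, counters or a window) so it cannot grow without limit.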
Out-of-band response
A response sent by an IPS in passive (monitoring) mode, outside the traffic flow (e.g. a TCP reset), to stop the transfer of malicious traffic.
ROT13
A substitution cipher that rotates characters 13 places.
Layer 3 switches (2)
A switch and a router in same device. Switch port set to run on layer 2 and router ports on layer 3
Aggregation switches
A switch that provides connectivity for several other switches and the core of the network.
Program virus
A virus attached to or associated with an application
Thick AP
AP that handles most wireless tasks itself; the switch has no control or management of the AP's functions.
Thin AP
AP that is less intelligent and less expensive; centrally managed by the wireless LAN controller/switch it connects to.
ALE
ARO x SLE
Man-in-the-Middle
ARP poisoning: the attacker sends forged ARP replies so victims update their ARP tables to map the gateway's IP address to the attacker's MAC. Traffic goes to the attacker, who forwards it to the real router so the victim notices nothing.
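One way to spot the poisoning described above from the host side, as an added example (not from the original deck): parse `arp -a` style output and flag a MAC that claims several IPs or a gateway whose MAC differs from a known-good baseline. The ARP output and the baseline are constructed for the demo; the line format follows Linux `arp -a`.

```python
"""ARP poisoning indicators: one MAC for many IPs, or a gateway MAC that changed."""
import re
from collections import defaultdict

# Constructed sample of `arp -a` output after an attacker at 192.168.1.50
# has poisoned the victim's entry for the gateway 192.168.1.1.
ARP_SAMPLE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at de:ad:be:ef:00:20 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0
"""

# Constructed baseline recorded on a clean network (gateway IP -> real MAC).
KNOWN_GATEWAY = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

LINE_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac} for every resolved entry; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def find_arp_anomalies(table, known=KNOWN_GATEWAY):
    """Return a list of alert strings; empty list means nothing suspicious."""
    alerts = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                       # one NIC answering for several hosts
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    for ip, mac in known.items():
        if ip in table and table[ip] != mac:   # gateway silently re-mapped
            alerts.append(f"gateway {ip} MAC changed {mac} -> {table[ip]}")
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(parse_arp(ARP_SAMPLE)):
        print("ALERT:", alert)
```

A single MAC serving two IPs is legitimate in some setups (virtual IPs, proxies), so the baseline comparison is the stronger signal; static ARP entries for the gateway or Dynamic ARP Inspection on the switch are the preventive controls.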
Authorization
Access someone has based on their identification and authentication.
Round robin and affinity are scheduling methods associated with which type of load balancing?
Active/active load balancing
AES history of implementation
Added to FIPS in 2001. took 5 years to standardize this replacement for DES
GPS tagging (Geo tagging) (ie)
Adds location to document metadata. i.e. adds GPS coordinates to taken photos and videos, etc
Rule Based Access Control (RBAC)
Administrator creates ACLs for objects and system enforces the rules.
Best choice for removing Malware from a system if no backup option
Advanced malware tools
Benefits of SDN (4)
Agile: changes can be made very quickly and rolled out automatically. managed centrally. orchestration. Open standard (vendor neutral)
ISA
Interconnection Security Agreement: used by the US Federal Government to define the security controls for a connection between two organizations' systems.
Ad Hoc examples (2)
AirDrop. contact sharing apps
types of wireless crackers (2)
Aircrack-ng Suite, Fern
Bluesnarfing (2)
Allowed attackers to take files from Bluetooth-enabled devices especially if they knew the name of the file. Patched in 2003
IPSec (Internet Protocol Security)
Allows layer 3 encryption, authentication, confidentiality, and integrity/anti-replay between sites
watering hole attack (2, ie)
An attack that infects sites the target group is likely to trust and visit: websites, or physical places such as a local coffee shop's Wi-Fi. Tends to infect all visitors while waiting for the specific targets.
Zero-day attack
An attack that exploits a vulnerability that has not been detected or published.
archive bit
An attribute of a file that shows whether the file has been backed up since the last change.
EAP (2)
An authentication framework. WPA and WPA2 use five types as authentication mechanisms.
BCRYPT is an extension of which library?
An extension of the UNIX crypt library.
Rainbow tables (2)
An optimized, pre-built set of hashes that can be searched to match a captured hash in seconds, if that password is in the table. A separate table is needed for each hash method, and salting defeats pre-built tables.
ways to configure full device encryption (2)
Android: strong/ stronger/ strongest. apple iOS has similar functionalities
Baseline Deviation (3)
Any change from the norm: identify it and alert immediately. Document everything well. A posture assessment can be done on VPN connections, denying access on a mismatch.
central app clearinghouses (3)
Apple App store. Google Play. Microsoft Store
Multipurpose proxies (3 eg)
Application proxies that understand how to proxy many applications: HTTP, HTTPS, FTP, etc
Logs and events anomalies
As you collect extensive logs on a SIEM from many different sources and correlate them, analysis becomes easier and logs and events that deviate from the norm stand out.
Web Incident Category
Attack executed from a website or web-based application
Improper usage Incident Category
Attack resulting from a violation of AUP
Personnel issues: Insider threats (and concern)
Authenticated users have more free rein: there is less security inside the network. The problem is bigger if rights and permissions are greater than necessary.
use a salt and password to create a hash is an example of what cryptography use case?
Authentication (Common use cases example)
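The salted-hash card above and the rainbow-table card earlier, in one added example (not from the original deck): a PBKDF2-SHA256 password store where the same password hashes differently per user, beside a constructed mini "rainbow table" of unsalted MD5 hashes that instantly reverses unsalted entries but is useless against salted ones. The passwords and the table contents are constructed for the demo.

```python
"""Salted, iterated password hashing vs. a precomputed table of unsalted hashes."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # slows each guess; tune to your hardware budget


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt per password by default."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def unsalted_md5(password):
    """The legacy scheme a rainbow table targets: one fixed hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed stand-in for a rainbow table: precomputed hash -> password.
RAINBOW = {unsalted_md5(p): p for p in ("password", "letmein", "123456")}


def crack_with_table(hex_digest):
    """Instant lookup; returns None when the hash is not in the table."""
    return RAINBOW.get(hex_digest)


if __name__ == "__main__":
    print("unsalted md5 cracked:", crack_with_table(unsalted_md5("letmein")))
    s1, d1 = hash_password("letmein")
    s2, d2 = hash_password("letmein")
    print("same password, different salted digests:", d1 != d2)
    print("salted digest in table:", crack_with_table(d1.hex()))
```

Two users with the same password get different digests, so an attacker cannot precompute one table for everyone; the iteration count adds a per-guess cost on top. bcrypt, scrypt or Argon2 are the usual choices in new code; PBKDF2 is shown because it ships with the standard library.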
Something you do
Authentication factor based on someone's personal way of doing things.
Secure token (2)
Authentication token issued to a client when it authenticates; the client presents it with each request to the server, which validates it.
Principles of social engineering (7)
Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency
Examples of Security Automation (4)
Automate: Functional security tests. test against known vulnerabilities. Penetration testing. Test application with unexpected input.
Automation/scripting (3)
Automated courses of action. Continuous monitoring. Configuration validation
FDE (3)
Automatically encrypts entire Drive: data and OS. requires a password to access. often built-in to OS
GPG is available for what OS?
Available for Linux, Windows, macOS and many others.
full backup
Backup that copies all files from a system.
(Backup) Distance (2)
Balancing act between recovery (the scale of disaster the site must survive) and accessibility (travel for staff). Unique requirements, e.g. specialized printers, bandwidth availability.
Accidental/"friendly" DoS (3 eg)
Bandwidth overload, e.g. a gigabyte download over DSL. A layer 2 loop without STP. Building failures, e.g. a burst water line.
Downloadable Exploitation frameworks (3)
BeEF - The Browser Exploitation Framework Project. RouterSploit: Router Exploitation Framework. Metasploit: Build your own vulnerability tests or use modules in existing exploit databases.
Fighting WPS
Best practice to not use it. too many vulnerabilities
False negative best practice
Best to update latest signatures before scans.
CCMP (3)
AES-based block cipher mode (Counter mode with CBC-MAC). Uses 128-bit keys and 128-bit block sizes.
BYOD aka
Bring your own technology
On-boarding
Bringing in new hires or transfers into the organization.
Identification of an incident: incident indicators (4)
Buffer overflow attempts identified by IPS/IDS. Malware identified by antivirus. Configuration change detected by a host-based monitor. Network traffic that deviates from the norm.
Risk Transfer (2)
Buy insurance: move the risk to a third party.
How does segmentation improve performance?
Segmenting high-performance applications onto their own network keeps their traffic isolated from everything else, giving the best possible efficiency.
Private CA (2)
CA built in-house of medium-to-large organization. All network devices must be configured to trust the internal CA
Offline CA
A CA kept disconnected from the network, usually the root CA, to protect its private key; it is brought online only to sign intermediate CA certificates or CRLs.
Reporting requirements/escalation Corporate / Organization contact examples
CIO. Head of Information Security. Internal response teams.
Industry-specific frameworks (2)
COBIT. ITIL
CYOD
Choose Your Own Device: a corporate-owned (COPE) device that the user chooses from options the company provides.
Substitution Cipher example
Caesar Cipher (example of)
'CALL get_options'
Call command with name of stored procedure
network-based firewall can act as what other devices?
Can act as a VPN concentrator, proxy and router.
How to create your own digital certificates. (#?)
Can be built into the OS, e.g. part of Windows domain services (Active Directory Certificate Services). Third-party options for Linux (e.g. OpenSSL).
Weak security configurations (3)
Can be easily cracked. Give a false sense of security. Outdated, easy to decrypt or has known vulnerabilities
Cost of MFA (3 eg)
Can be expensive e.g. separate hardware tokens, specialized scanning equipment. or cheap e.g. free smartphone applications
Push notification services management
Can be managed locally or from MDM
Email encryption on Mail Gateways (4)
Gateways can enforce email encryption, since encryption is not always automatic. Based on policy, check whether the policy requires encryption for a particular email. Force the encryption: send a password to the sender, or a text to the recipient. Emails that already have an encryption process can be sent normally.
Security concerns with Media gateway (3)
Can disable all voice communications, DoS. Make outbound calls: spam, malicious services. Listen to voice communication: Corporate espionage
What OS can Access violations occur in?
Can occur in any including some as simple as a credit card terminal
Special purpose embedded devices: Vehicles security concerns (2, e.g)
Can remotely monitor what's happening inside the car. Can control internal electronics, e.g. disable the engine.
Non-persistence: live boot media (2)
Can run OS and application instances from portable media. Moves the OS and application instances from place to place.
what happens next if everything works in test environment?
Can stage all that code and prepare it for production.
what can Protocol analyzers do with data?
Can store data over long periods and use analytics to see what happened to that data during that time frame.
How are IPS tested for effectiveness?
Can test catch/miss rates of false negatives with industry tests
Remote attestation (3)
Uses a centralized server to inventory the hardware and software on remote devices. The device digitally signs (and encrypts) the results of that inventory with its TPM. Before a device boots, changes are identified by comparing against the previous inventory.
Elliptic curve (3)
Uses elliptic curves and much smaller numbers than other asymmetric algorithms (e.g. RSA). Smaller storage and transmission requirements. Well suited to mobile devices.
ECC (2)
Uses elliptic curves instead of large prime numbers. Smaller keys for equivalent strength (e.g. 256-bit ECC vs. 3,072-bit RSA).
What communication can be sent over SATCOM?
uses digital communication: voice and data
Infrastructure as a Service
uses hardware available in the cloud to run your own software.
Pulping (2 def)
uses large tank to remove ink off of paper to create recycled paper. reduces shredded paper to mash or puree (which may be a raw material to make paper)
Attribute-based access control (ABAC)
uses many different criteria to determine what kind of access a user may have.
Perfect forward secrecy
Uses temporary (ephemeral) keys, e.g. ECDHE or DHE, for every session, so compromise of the server's long-term private key does not expose past sessions.
Email certificates (2)
uses recipient's public key to encrypt contents of emails. use own private key for digital signature on an email.
How IPS act as Application-aware security devices
uses subset of signatures for application specific vulnerabilities, less false positives
Key exchange
using asymmetric encryption to transfer symmetric keys.
Non-persistence: Revert to a known state
using snapshots to revert to previous configurations if current ones have problems.
Non-persistence: Rollback to a known good configuration
using snapshots to revert to previous configurations while keeping current data.
which Validation Point is fastest for checking data and why?
Usually client-side validation rather than server-side, since it runs on the user's computer. It is not a security control: the client can bypass it, so server-side validation is still required.
Onboarding (security procedures)
usually a formal process involving an induction or training process for the security of their role.
Social media security policies (3)
usually an extension of the code of conduct. balances the company requirements towards its use with allowing employees to take advantage of it. confidential information can only be shared by a company spokesperson for public comments.
Remote access VPN
usually built-in software to a remote device to communicate to VPN Concentrators
Reason for different time offsets (4)
Usually determined by the time zone settings on local devices. Different file systems store timestamps differently: FAT stores time in local time; NTFS stores time in UTC (GMT).
APT
Usually conducted or sponsored by a nation state that spends massive resources on sustained, constant attacks.
vulnerability scanning (4)
Usually minimally invasive: gathers as much information about a system as possible without running exploits. Port scans show open services and their versions. Identifies systems and security devices. Tests from inside and outside the network.
Certificate issues (4)
Usually result when best practices are not followed: have certificates signed by someone trusted, renew certificates regularly, and make applications perform proper certificate checks. Missing checks could allow MitM attacks to occur.
Proper input validation
validate and check what is expected in that input field.
Configuration Validation (2)
validate configuration to e.g. application instance before going live and after by constantly using automated checks. comparing system configurations to a configuration file
Authentication
verifies the source of the data
How to verify unencrypted credentials?
verify with a packet capture, checks if data is readable and in the clear.
PEM (2)
very common format provided by CAs. ASCII format, letters and numbers, making it easy to transfer and email.
symmetric algorithm advantages
very fast to use and less overhead
Discretionary Access Control (DAC) security and concerns
very flexible. but very weak security since it relies on owner to set proper security
confidential data
very sensitive data that must be approved to view. (often PII)
IPSec standardization
very standardized: different manufacturer firewalls can be used on each side
dynamic analysis concerns
very time and processor resource heavy
virtualization on the enterprise-level
A Type I (bare-metal) hypervisor runs directly on the hardware and the guest OSs run on top of it.
Host-based virtualization
Virtualization on normal desktops: a Type II hypervisor runs as an application on top of the host OS.
Script virus
virus that runs as a script in the OS or browser. Often attached to emails
Vulnerabilities due to Lack of vendor support (3)
Vulnerabilities that persist because the vendor is not diligent in searching for flaws and providing patches. The vendor has access to the code but is unaware of the problem or does not care to fix it. A big concern for IoT devices.
New threats/zero day
vulnerabilities that are newly discovered and not yet addressed by a patch.
non-credentialed scan
vulnerability scan from the outside with no access or authentications
(Vulnerability scan results) Identify Lack of security controls (3)
vulnerability scan results will inform if: No firewall. No anti-virus. no anti-spyware.
(Vulnerability scan results) identify Common Misconfigurations (2)
vulnerability scan results will inform if: Open shares. Guest access.
Identification of an incident: precursors (3)
vulnerability scan web server logs. Exploit announcements. Direct threats.
SAML disadvantage
was never designed for mobile apps.
DAP replacement
Was replaced by the more lightweight LDAP, which runs over TCP/IP.
Passive (security) tools
watch packets as traffic goes by and gives info on what may be happening inside of the traffic or on the client or server.
DLP
way to monitor traffic and stop loss of sensitive data
reason PAP has no encryption
It dates from analog dial-up lines, where interception was assumed impractical, so credentials are sent in the clear.
Example of weak implementations (3)
Weak encryption. WEP: the RC4 key can be recovered from enough captured packets. DES: small 56-bit keys.
UTM aka
web security gateways
Certificate chaining security and concerns
The web server needs to be configured with the proper intermediate (chain) certificates, or the end user may receive an error.
Identification of critical systems
what computing systems, or IT services are required for these mission-essential business functions?
what does the log of the host-based firewall show?
what traffic was allowed or blocked
Collision
When two different inputs (plaintexts) produce the same hash.
When is Remote wipe used? (2)
when a device is stolen. when someone leaves organization
End-of-life vulnerability
when a device or software is no longer in support from the vendor that stops security patches
False negative
when a vulnerability exists but the scan did not detect it.
dead code
Code whose results are never used anywhere else in the application (or that is never executed at all).
Diffusion
when one character is changed of plaintext input, many characters changes in the ciphertext output.
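The diffusion card above and the collision card before it, in one added example that is not part of the original deck: flip a single input bit and count how many of SHA-256's 256 output bits change (diffusion/avalanche), then find a real collision by birthday search on a deliberately truncated SHA-256, which shows why short digests are unsafe. The messages are constructed for the demo.

```python
"""Avalanche effect of SHA-256, and a birthday-search collision on a truncated digest."""
import hashlib
import itertools


def bit_diff(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg, bit=0):
    """Flip one input bit; return how many of the 256 digest bits change."""
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return bit_diff(hashlib.sha256(msg).digest(),
                    hashlib.sha256(bytes(flipped)).digest())


def truncated_sha256(msg, bits):
    """Keep only the first `bits` (multiple of 8) bits of SHA-256."""
    return hashlib.sha256(msg).digest()[: bits // 8]


def find_collision(bits=24):
    """Birthday search: two distinct inputs with the same truncated digest.

    Returns (msg1, msg2, attempts). Expected attempts ~ 2**(bits/2), which is
    why a 24-bit digest falls in a few thousand hashes and a full 256-bit one
    does not.
    """
    seen = {}
    for i in itertools.count(1):
        m = f"msg-{i}".encode()                # constructed candidate inputs
        h = truncated_sha256(m, bits)
        if h in seen:
            return seen[h], m, i
        seen[h] = m


if __name__ == "__main__":
    print("bits changed by a 1-bit input flip:", avalanche(b"The quick brown fox"))
    m1, m2, n = find_collision(24)
    print(f"collision after {n} hashes: {m1!r} and {m2!r}")
```

A good hash changes about half the output bits for any one-bit input change; the collision search makes the "(2)" in the SHA-1 concerns concrete: the attacker's cost is set by the digest length and the quality of the function, not by the attacker knowing the inputs.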
Pinning
When the server's certificate or public key is hard-coded into the application, which then compares the certificate presented by the server to the hard-coded one.
Misconfiguration/weak configuration
when there's a weak link or an open door somewhere in the system setup that some one on the outside can easily gain access to.
Proper error handling
When writing applications, make sure error messages don't display more information than necessary (no stack traces, file paths or SQL shown to the user).
Buffer overflow (3)
When written data spills past its allocated space into adjacent memory. Often causes crashes; a controllable, repeatable overflow may give an attacker more access to the system. Finding one that is controllable and repeatable takes time.
identification (2)
Who someone claims to be; usually a username.
the scope of a Tabletop exercise (4)
Who to invite: internal discussion only, or local first responders and third parties as well. How big the disaster is. Can withhold details until the exercise begins. Can set limits on what information is available for the drill.
example of a everyday Faraday cage
window of microwave oven.
Jamming
wireless RF DoS that decreases the signal to noise ratio at the receiving device to the point where it can't hear the good signal.
WPA (3)
Wireless encryption protocol that uses RC4 with TKIP. Used a larger (48-bit) IV. Every packet gets a unique 128-bit per-packet key.
wireless scanners/crackers (4)
Wireless monitoring tools can capture packets across the network and try wireless attacks to see if an AP is susceptible to deauthentication attacks, rogue APs, etc. Wireless crackers find network passwords/keys: recover a WEP key, or brute-force a WPA/WPA2 passphrase.
Which replay attacks are easier to capture?
Wireless replay attacks are easier than wired ones, since the traffic can be captured without physical access to the network.
ANT/ANT+
wireless sensor network protocol that uses the 2.4 GHz ISM band
ANT/ANT+ security concerns (3)
Wireless, so the same concerns apply: jamming. Encryption is optional, so replay attacks are possible.
XOR advantages
With a truly random key as long as the message and never reused (a one-time pad), the result is theoretically unbreakable. With a short or reused key it is only obfuscation.
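The obfuscation ciphers listed earlier (XOR, ROT13/Caesar, substitution) and the XOR caveat just above, in one added example that is not from the original deck: ROT13 as a Caesar shift that any reader can undo by trying all 26 shifts, and XOR with a random one-time key that decrypts correctly but leaks the XOR of two plaintexts the moment the key is reused. All plaintexts are constructed for the demo.

```python
"""ROT13/Caesar (obfuscation) and XOR with a one-time key (encryption only if never reused)."""
import secrets


def caesar(text, shift):
    """Rotate letters by `shift`; non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is its own inverse: rot13(rot13(x)) == x."""
    return caesar(text, 13)


def brute_force_caesar(ciphertext):
    """No key needed: 26 candidates, one of them is the plaintext."""
    return {s: caesar(ciphertext, -s) for s in range(26)}


def xor_bytes(data, key):
    """XOR data with a key of at least the same length (one key byte per data byte)."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def otp_encrypt(plaintext):
    """One-time pad: fresh random key, same length as the message."""
    key = secrets.token_bytes(len(plaintext))
    return key, xor_bytes(plaintext, key)


def key_reuse_leak(c1, c2):
    """c1 XOR c2 == p1 XOR p2 when the same key was used: the key cancels out."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(rot13("Hello, World!"))
    print(brute_force_caesar("Uryyb, Jbeyq!")[13])
    key, c1 = otp_encrypt(b"attack at dawn")
    print(xor_bytes(c1, key))
    c2 = xor_bytes(b"attack at dusk", key)      # key reused: mistake
    print(key_reuse_leak(c1, c2))               # == b"attack at dawn" XOR b"attack at dusk"
```

The leak function shows the practical failure mode: with two ciphertexts under one key the attacker never needs the key, only a guess at part of one plaintext, which is why XOR "encryption" with a repeating password is obfuscation, not confidentiality.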
How Host-based firewall act as Application-aware security devices
work with OS to determine applications
Principles of social engineering: Urgency (2)
works alongside scarcity. Tries to make you act quickly without thinking
LDAP Standard was written by
LDAP derives from the ITU X.500 directory standard (DAP); LDAP itself is an IETF standard (RFC 4511).
Linux OS Update options (4)
yum, apt-get, rpm, graphical front-ends
types of controls (8)
• Deterrent • Preventive • Detective • Corrective • Compensating • Technical • Administrative • Physical
Spam filter on a Mail Gateway (5)
Can whitelist emails from trusted senders. SMTP standards check: block anything that doesn't follow the RFCs. Perform rDNS on the sending server's IP address to check that its reverse DNS name matches the sender's domain. Tarpitting: intentionally slow down server conversations to make spammers give up. Recipient filtering: block all inbound email not addressed to a valid recipient address.
Session Hijacking
Capturing session IDs or accessing cookies where the IDs are stored to gain access to the User's account.
Proximity Cards (3)
Cards to gain access to door locks or doors by moving card close to reader. Card is powered from the reader. Often used as an identifier that is compared to a larger database stored elsewhere
keyCertSign (5.)
Certificate standard extension used by a CA for certificate signing
keyAgreement (4.)
Certificate standard extension used for Diffie-Hellman key agreement
keyEncipherment (2.)
Certificate standard extension used for key exchange
dataEncipherment (3.)
Certificate standard extension used to make data confidential
cRLSign (6.)
Certificate standard extension used to sign a Certificate Revocation List
encipherOnly (7) decipherOnly (8)
Certificate standard extension used with the Diffie-Hellman key agreement
Fighting logic bombs (3)
Change control. Alert on changes like HIDS, Tripwire, etc. Constant auditing
OS secure configurations (secure configuration guides) (4)
Check and secure: Updates. User Accounts. Network access. Ongoing Monitoring and anti-virus and anti-malware
Fighting phishing (3)
Check for errors in URLs, graphics, fonts and spelling. Don't give personal info over the phone. Don't click links in emails; go directly to the site yourself.
weak cipher suites (2 eg)
Ciphers that are easy to break and should be avoided. less than 128 bit keys. outdated hashes like MD5 with known collisions
LWAPP (2)
Cisco proprietary standard protocol that Wireless LAN controllers use to communicate with WAPs. allows to manage multiple AP simultaneously
PEAP created by (3)
Cisco, Microsoft, RSA Security
cloak & dagger (2)
Clickjacking on phones Android OS up to v 7.1.2. Invisible layer used to monitor keystrokes and record user input
Public cloud deployment model
Cloud available to everyone over the internet
Platform as a service (3)
Cloud handles servers, software, maintenance, and platform, and user handles development to get the software running. Building blocks are provided for development.
TKIP (3)
Combines a secret root key with the IV. Adds a sequence counter to prevent replay attacks. Implements a 64-bit Message Integrity Check (Michael).
DevOps (3)
Combines development, Operations and QA into one team. Emphasis on automation and monitoring. shrink deployment cycles.
Common Criteria for Information Technology Security Evaluation aka
Common Criteria (or CC)
X.500 Attribute CN
Common Name. identifies the person or object
Where are Evil twins commonly found
Common in location not using 802.1X like hotels and coffee shops
Where secure tokens is used
Commonly used in federations, can be provided by 3rd party.
Logic Bomb (4)
Computer code that lies dormant until triggered by a predefined event. Usually causes massive damage. Time bombs wait for a date or time. Antivirus generally can't detect it, because it is custom code with no signature.
Places DLP implemented (3)
Computer-Endpoint DLP, Data in use. On Network- Data in motion. On server- Data at rest
Secure Ad Hoc Topology (4)
Configure these settings through MDM: allow or disable the feature; allow it only with the right credentials; limit it to certain apps.
Flood guard (3)
Configures a maximum number of source MAC addresses on an interface to prevent a MAC-flooding DoS. Maintains a list of every source MAC address seen. Once the maximum is exceeded, port security activates; by default it disables the port, but it can be set to filter instead.
the data looking different after going through a PGP key is an example of what?
Confusion (example)
USB OTG (2)
Connect multiple mobile devices directly together. Mobile device acts as both a host and storage device.
TPM Persistent memory
Contains keys burned into the hardware during production (e.g. the endorsement key).
COBIT stands for
Control Objectives for Information and Related Technology
Media gateway (2 e.g.)
Converts between PSTN and VoIP. e.g. ISDN to Ethernet with VoIP, SIP to H.323, etc
Which deployment model offers the most security?
Corporate-owned deployment model
URL hijacking examples
Could be typos (typosquatting), brandjacking, different top-level domains (.org vs .com).
X.500 Attribute C
Country. The country's 2-character ISO code (such as c=US or c=GB)
AH
Created by hashing the IP header and data (MD5, SHA-1 or SHA-2). Provides authentication and integrity, not confidentiality. Original packet: IP Header / Data. Tunnel mode: New IP Header / AH Header / IP Header / Data.
X.500 Attribute usual order from root to Leaf object (7)
DC, C, ST, L, O, OU, CN
Secure version of DHCP
None: DHCP has no built-in security. Mitigate on the switch with DHCP snooping and by limiting which ports may carry DHCP server replies.
Email DLP (3)
DLP between emails using a local appliance or a cloud-based service, inbound or outbound. Inbound: blocks keywords, identifies forgeries, quarantines email messages. Outbound: stops fake wire transfers, W-2 transmissions, employee information, social security numbers, etc.
Cloud-based DLP (3)
DLP between the users and the internet: block custom defined strings. Manages access to URLs. blocks viruses and malware
Zones/topologies (8)
DMZ. Extranet. Intranet. Wireless. Guest. Honeynets. NAT. Ad hoc
secure protocol(s) for Domain Name Resolution
DNSSEC
Who is responsible for signing off on the compliance of data?
Data owner (responsible for)
(Backup) Location Selection: data sovereignty (1, 2 eg, 1)
Data that resides in another country is subject to its laws, e.g. legal monitoring and court orders. Compliance laws may prohibit moving data out of the country.
Data-in-transit aka
Data-in-motion (aka)
(Digital certificate) Valid From / Valid To
Date and time during which the certificate is valid.
Standard operating procedure examples (3)
Day-to-day processes and procedures for: New user account creation. Backup data storage requirements. Encryption key requests
AKA layered security
Defense-in-depth (aka)
fighting watering hole attacks (ie)
Defense-in-depth. Have as many security methods layered on top of one another as possible. Updated antivirus, IDS, firewalls, etc
Darik's boot and Nuke (DBAN)
Boot utility that securely wipes an entire hard drive.
Microsoft SDelete
Securely deletes individual files or folders by overwriting their data.
DES creation
Developed at IBM between 1972 and 1977 with NSA review; adopted as a US federal standard (FIPS 46) in 1977.
Fighting Buffer overflows
Developers need to perform bounds checking to confirm that the information fits within the space that has been allocated.
DDoS mitigator (4)
Device that can resist a DDoS attack or minimize the impact. Cloud-based - internet provider or reverse proxy service. On-site tools - DDoS filtering in a firewall or IPS. Positioned between user and the internet.
SSL/TLS decryptor (2)
Device that sits between the user and the third-party site, decrypts the traffic, inspects it for anything malicious and re-encrypts it. Decryption works only because clients are configured to trust the decryptor's certificate, letting it stand in for the site.
Application-aware security devices (3)
Devices that can identify traffic based on the application: network-based firewalls, IPS, host-based firewalls.
Misconfigured devices (3)
Devices that have: default usernames and passwords; outdated software with known vulnerabilities; debug or maintenance code running, which exposes more information to users than normal.
What do routers connect? (2)
Different subnets. Different network types: LAN,WAN, copper, fiber
Mobile Device Hotspot/tethering security
Disable via MDM to prevent a device from becoming a rogue AP.
Pixie Dust
Discovered in 2014. Weak randomness in some WPS implementations lets the WPS PIN be brute-forced offline in under 30 minutes.
Access control found in most OS
Discretionary Access Control (DAC)
Special purpose embedded devices: Aircraft/UAV security concerns
DoS could damage the aircraft and others on the ground.
Business Impact Analysis (4)
Document the critical business functions. Impact of their loss. How long it will be impacted. Calculate if disaster recovery is a good investment
Incident analysis resources examples (4)
Documentation, network diagrams, baselines, critical file hash values
Do stateless firewalls keep track of sessions?
Doesn't keep track of sessions
Mesh trust model concerns
Doesn't scale well.
X.500 Attribute DC
Domain Component. Components of the object's domain e.g. DC= com
dig stands for?
Domain Information Groper.
fighting hoaxes (3)
Don't believe everything on the internet. Verify: check the source, hoax-slayer.net, snopes.com. Spam filters.
Fighting Trojans (3)
Don't run unknown software. Antivirus that has its signature can stop it even if the user tries to run it. Keep and restore from backup.
MS-CHAP best practice
Don't use it. Better to use L2TP, IPsec or some other VPN technology
FDE security
Drive stays encrypted even if lost or moved to another computer.
Driver behind RADIUS Federation. (2)
Driven by eduroam (education roaming) Educators can use their normal authentication when visiting a different campus.
Driver Manipulation (2)
Drivers are privileged code trusted by the OS, so they are a convenient place to embed malicious software. Could be used to monitor video, keyboard, mouse.
Original XSS
Due to early browser security flaws, information could be shared between sites if both of those sites were open as windows in your browser.
When the archive bit clears and doesn't
Clears during full and incremental backups. Doesn't clear for differential.
EMI/EMP concerns (2)
EMI leakage. Injecting signals into EMI.
Round robin scheduling (1 eg, 2 types)
Each server is selected in turn, e.g. 1st set of traffic goes to server A, 2nd to server B, etc. Weighted: prioritize certain servers to receive more load. Dynamic: monitor server load and distribute to the server with the lowest use.
advantage of Hierarchical CA
Easier to deal with the revocation of an intermediate CA than a root CA.
ESI stands for?
Electronically Stored Information
Personal issues: Personal emails (2)
Emails sent from work imply endorsement by the organization. Use company resources, may attach sensitive info.
Type I hypervisor aka (2)
Embedded hypervisor. Native hypervisor.
BYOD (2)
Employee uses their own device for personal and corporate use simultaneously. Needs to meet company's requirements. e.g. same OS
Fighting Evil Twins (2)
Encrypt communications. HTTPS/VPN
WiFi mobile security
Encrypt data to fight data capture and MITM
Secure coding techniques: encryption
Encrypt source code, data in motion and data at rest.
confidentiality
Encrypted data
Fighting session hijacking (2)
End-to-end encryption: Firefox extension Force-TLS. Partial encryption: local wireless encrypted, VPN (OpenVPN, VyprVPN).
ECB
Encryption mode that encrypts each block with the same key and block cipher encryption.
Privacy impact assessment (3)
Ensure compliance with privacy laws and regulations. What PII is collected and why. How the PII data will be collected, used, and secured.
Production environment
Environment where application is made live and rolled out to the user community.
Rack monitoring (3)
Environmental sensors. Webcams or security cams. Integrated with Enterprise monitoring systems that can detect temperature changes and motion.
EAL stands for?
Evaluation Assurance Level
collision security
Every plaintext should have a different hash associated with it
Hot site (4)
Exact replica of production system. Buy two of everything. Applications and software are constantly replicated and updated. Flip a switch and can move entire production environment here.
Pwn2Own competition example of what?
Example of VM escape protection presented as a hacking competition to find vulnerabilities for some prizes.
Documented incident categories examples from the Computer Incident Handling Guide (6)
External/removable media. Attrition. (e.g. brute-force attacks) Web. Email. Improper usage. Loss or Theft of equipment
SED (2)
FDE built-in to the circuitry of these drives. Doesn't require FDE OS software.
Hardware/firmware security (10)
FDE/SED. TPM. HSM. UEFI/BIOS. Secure boot and attestation. Supply chain. Hardware root of trust. EMI/EMP
SHA a part of
FIPS (hash standard)
secure protocol(s) for file transfers
FTPS, SFTP
DEP (2)
Feature where OS works with CPU to allocate a section of memory for executables. Prevents malware from executing in non-executable areas.
DES is part of
Federal Information Processing Standards (FIPS)
VM escape protection
Find and patch vulnerabilities to escape VMs.
What other devices can act as Site-to-Site VPN?
Firewalls
How to fight worms (2)
Firewalls and IPS/IDS can mitigate types with well-known signatures. Once they are inside they spread quickly and are hard to stop.
Defense in depth examples (9)
Firewalls. DMZ. Hashing and salting passwords. Authentication. IPS. VPN access. Card/badge access. Anti-virus and anti-malware. Security guard.
Camera properties (3)
Focal length: shorter is wider angle. Depth of field: see sharp images across large distances. Infrared: see in the dark.
High resiliency (for cryptography)
For concerns of integrity use: Larger key sizes. Strong encryption. Hashing to check data integrity.
examples of input methods that should be checked for proper input validation (3)
Forms, command line, fields.
Types of proxies (6)
Forward and reverse. Transparent and explicit. Application/multipurpose
ITIL
Framework that breaks down the IT life cycle: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement
COBIT
Framework that focuses on regulatory compliance, risk management and aligning IT strategy with organizational goals.
Order of volatility (7)
From most to least: 1. CPU registers, CPU cache. 2. Router table, ARP cache, process table, kernel statistics, memory. 3. Temporary file systems, pagefile. 4. Disk. 5. Remote logging and monitoring data. 6. Physical configuration, network topology. 7. Archival media.
Backup/restore times
Full: high/low. Incremental: low/high. Differential: moderate/moderate.
location-based policies, location finding examples (3)
GPS: very accurate location on mobile devices. 802.11 wireless gives a regional view. IP address is not very accurate since it can give a location outside of the country.
Ways to domain hijack (3)
Gain access by brute force, social engineering the owner or domain registrar, gain access to email that manages account, etc.
Domain hijacking
Gain access to the Domain registration usually to change domain information to a domain DNS controlled by the bad guys.
Privilege Escalation (4)
Gives higher-level access to a system than allowed. Often due to a bug or vulnerability. Commonly administrative, so should be resolved quickly. Access could be horizontal.
Payment systems NFC is used in (3)
Google wallet. MasterCard partnership. Apple Pay
RFC 3227 (2)
Guidelines for Evidence Collection and Archiving. Provides best practices for forensic data collection.
What is referred to as an endpoint security agent?
HIDS/HIPS (referred to)
HMAC examples (2)
HMAC-MD5. HMAC-SHA1
Process of Hot and cold aisles
HVAC systems at the end of each aisle. Cool air sent through the floor and up to the cold aisle. Cool air pulled through the server racks to the back of the servers and the hot aisle. Hot air rises up and recirculates into the HVAC.
RC4 concerns (3)
Had a "biased output": if the 3rd byte of the original state is zero and the second byte is not equal to two, then the second output byte is always zero.
What chemical used to be used for fire suppression but no longer and why?
Halon. No longer manufactured since it destroys the ozone.
Technical Controls (3 eg)
Hardware and software to keep things secure: Firewalls, AD authentication, disk encryption, etc
Few things that should be well documented to create a baseline (4)
Hardware, software, network traffic patterns, data storage
Reporting requirements/escalation (2)
Have a contact list ready for different incidents. Could be within organization, internal non-IT or external.
VM sprawl avoidance (2)
Have a formal process and document everything as you provision new systems. Perform audits to determine if VMs need to be deprovisioned.
Fighting Birthday attacks
Have larger hash output sizes to avoid collisions.
PHI
Health information associated with an individual
PHI examples (3)
Health status, health care records, payments for health care (example of which Data sensitivity labeling)
Lighting security (3)
Helps see everything on camera for non IR cameras. Light angles may be important for facial recognition. Avoid shadows and glare.
Hardware Security Module (3)
High-end cryptographic hardware used in large environments, often to manage clusters of servers and many keys to protect. Can be a plug-in card to a proxy or firewall. Secure key backup. Can be an SSL accelerator.
Implementations of Air gaps (2, 2 eg)
Highly secure networks. Industrial systems, e.g. SCADA, manufacturing
Preservation (3)
Holding on to forensic data for: current investigation. future investigations to view correlations. when new items of interest are discovered.
Remote access VPN aka
Host-to-Site VPNs (aka)
Load balancer scheduling and types
How load is scheduled to go behind a load balancer: Affinity. Round robin.
Reporting requirements/escalation: Internal non-IT contact examples
Human resources. Public affairs. Legal department
Switch port security (3)
IEEE 802.1X: Port-based Network Access Control (NAC), which doesn't allow access until the user authenticates. Administratively disable your unused ports. Enable duplicate MAC address checking to stop spoofing.
Spanning Tree Protocol standard
IEEE standard 802.1D
IPsec AH ESP Transport mode
IP Header/AH Header/ESP Header/Data/ESP Trailer/Integrity Check Value
Somewhere you are examples (2)
IP address. geolocation
Examples of changes done to Master Image before deploying (3)
IP addresses. firewall rules. licensing updates
Corrective examples (3)
IPS can block attacker. backups can mitigate a ransomware infection. a backup site can provide options during a storm (control example)
Anomaly-based
IPS/IDS creates a baseline for normal traffic flow and identifies malicious traffic based on what doesn't match the normal flow
Heuristics
IPS/IDS identifies traffic based on certain characteristics. Uses artificial intelligence.
Inline monitoring
IPS/IDS sits inline with all traffic passing through it before being allowed or denied
AAA framework (4)
Identification, Authentication, Authorization, and Accounting
Spanning Tree Protocol (2)
Identifies and prevents loops on switched networks by using blocked ports. Also prevents downtime by changing bridge configuration when a path is down.
Transitive Trust
If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.
If a hurricane destroys an organization's building and there are no backups to keep it running, which main impact example would this affect?
Impact: Reputation (example)
Where can a Cloud access security broker be integrated? (3)
Implemented as client software, local security appliances, or cloud-based.
WPA history (2)
In 2002, was a short-term replacement for WEP and its serious cryptographic weaknesses. TKIP had vulnerabilities and was deprecated in the 802.11-2012 standard.
Securing network address allocation against rogue DHCP servers (3)
In AD, DHCP servers must be authorized. Some switches can be configured with "trusted" interfaces that allow DHCP distribution. Cisco calls this DHCP Snooping.
Fire suppression (2)
In Data centers uses chemicals like (Dupont) FM 200. Can detect with smoke, flame or heat detector.
covertext
In Steganography, the container document or file that contains hidden info
Firewall: ACL (4)
In firewalls, a set of rules that allow or deny traffic based on tuples. Rules are evaluated from top to bottom and can be general or specific. At the bottom of the list is an implicit deny if no rules are matched.
Untrained users (3)
In-person training may be time consuming and expensive, but is critical to security and likely less expensive than a breach. Should be reinforced annually with tests and scenarios.
Functional security tests
In secure automation, checks that everything can login and logout properly and ensure the platform everything is running on is secure.
Where and for who is the information gathered by the Privacy impact assessment available?
In the written privacy statement available to the users.
Roles and responsibilities (for Incident Response) (7)
Incident response team. IT security management. Compliance officers. Technical staff. (help from the trenches) User community. Legal team. public relations. etc
Web server providers are an example of which cloud deployment model?
Infrastructure as a Service example
Internal threats
Insiders
SSL Accelerators are often integrated into which devices?
Integrated into load balancers
Cloud access security broker
Integrated to provide security policies to cloud-based applications.
Agentless NAC (3)
Integrated with Active Directory. Checks are made during login and logoff. Can't be scheduled
Man-made threats
Internal or external threats
Common Criteria for Information Technology Security Evaluation (4)
International standard that designates what security controls are implemented in an OS. common reference for US Federal Government. ISO/IEC 15408. Security control level referenced as EAL.
Secure Guest topology (2)
Internet access with no internal network access. Integrate captive portal.
what are cloud-based methods to mitigate DDoS? (2)
Internet provider or reverse proxies
(Account management) Account maintenance (3)
Involves: initial provision with standard password management, and group and permission assignment. periodic updates to passwords and audits to permissions. During Off-boarding disable accounts and archive user documents and encryption keys
Where is ANT/ANT+ most commonly used? (2 eg)
IoT devices such as fitness devices and heart rate monitors
Sandboxing
Isolated testing environment with no connection to the real world or production system.
How does HIDS/HIPS deal with encrypted data
It deals with decrypted data since it sits on our desktop
What kind of wireless service is ANT? (2)
It's neither 802.11 nor Bluetooth. It's its own separate wireless service.
Password cracker tools (3)
John the Ripper, Ophcrack, or cloud-based paired with rainbow tables.
When did development of NTPsec begin?
June of 2015
fighting keyloggers (3)
Keep Antivirus/Anti-malware updated for prevention. Block unauthorized exfiltration at the firewall/monitoring software. Run standalone keylogging scanner
Fighting Botnet Malware (5)
Keep Antivirus/Anti-malware updated for prevention. Patch applications and OS. Run deep scans regularly. Monitor traffic. Host-based firewalls/IPS can block the Command and control center.
Protect against adware/spyware (4)
Keep Antivirus/Anti-malware updated for prevention. Watch what you install. Backups. Run different specialized scans on top of antivirus. e.g. Malwarebytes
How to fight rootkits (3)
Keep Antivirus/Antimalware updated for prevention. UEFI's Secure Boot prevents installation into OS. For removal need a very specific rootkit remover
Single sign-on options (2)
Kerberos for Windows. 3rd-party options.
Key management life cycle (6)
Key generation. Certificate generation. Distribution. Storage. Revocation. Expiration.
Key stretching aka
Key strengthening (aka)
PBKDF2
Key stretching library that is part of RSA public key cryptography standards
BCRYPT
Key stretching library that uses the Blowfish cipher to perform multiple rounds of hashing for passwords.
Examples of things with EMI leakage (4)
Keyboards, hard drives, network connections, video
secure protocol(s) for Directory services
LDAPS (non-standard) SASL
what layer is an AP?
Layer 2, since it's a bridge.
Reasons for IP spoofing (4)
Legitimate: Load balancing. Load testing. Malicious: ARP Poisoning. DNS amplification/DDoS
MAC filtering in AP (3)
Lets you limit which physical hardware addresses can join the network. Keeps neighbors out. Easy to capture packets, find which MACs are allowed, and spoof a MAC address with free open-source software.
Virtualization Segmentation (2)
Lets you separate networks in a virtual environment. Add routers and firewalls with the click of a button.
LWAPP stands for
Lightweight Access Point Protocol
EAP-FAST (2)
Lightweight and secure authentication protocol. Cisco's proposal to replace LEAP (used on WEP)
False rejection rate (FRR)
Likelihood that the biometrics of an authorized user will be rejected
Which device can perform health checks on servers?
Load balancer
X.500 Attribute L
Locality. Usually a city or area
Rack security (3)
Locks. Fences and gates.
Collision example in 1996
MD5
full device encryption security
MDM backs up the keys to decrypt the devices.
best practice with third-party app stores (3)
MDM can disable/enable access to an app store, or set up a whitelist for apps. Deny any apps not business appropriate.
SMS/MMS security (2)
MDM can enable or disable this completely. or during certain times or locations.
screen lock security (2)
MDM can force password requirements. can set policies for failed attempts
Password and PIN security (2)
MDM can initiate recovery process, usually a question. MDM can also decide level of security
Firmware OTA updates security
MDM can manage and push out updates after they test what effect it has on company applications
Mobile content management
MDM can secure access to data by managing the DLP on on-site content (e.g. Microsoft Sharepoint, file servers) and cloud-based storage
Mobile device Recording microphone security
MDM: disable or geo-fence
Ettercap (3)
MITM software. Set the targets as the IP addresses of the router and the target to monitor. Captures caches.
Most recent Microsoft implementation of CHAP
MS-CHAP v2
Web-of-trust model (2)
Makes everyone an authority. Alternative to PKI.
(penetration testing concepts) Persistence (4)
Making sure to stay in the system once exploited. set up a backdoor. build user accounts to log in normally. change or verify default passwords
Behavior-based
Malicious action identified by the IPS/IDS based on certain actions like deleting files or changing server configurations
False Negative
Malicious traffic that is missed by the IPS/IDS
Signature-based
Malicious traffic that matches specific predefined signatures stored on IPS/IDS
Security incidents examples (documented types?) (4)
Malware on email attachments. DDoS attack from Botnet. Insiders steal info. User installs peer-to-peer software that allows external access to data.
Virus (2)
Malware that can replicate itself through a computer, file systems and the network by running an executable. Some run very simple functions and seem invisible.
Rootkits (3)
Malware that modifies the kernel of the OS to avoid being detected by antivirus/anti-malware. Often combined with other malware. It's invisible to the OS, Task Manager, antivirus/anti-malware.
Trojan Horse
Malware that pretends to be harmless to make users run it.
Keylogger (2)
Malware that records keystrokes to a file and sends it to the bad guys. Can also log and send clipboard contents, screenshots, instant messaging, and search engine queries.
Spyware (3)
Malware that spies on you. often steals personal info affiliated with fraud or clearing bank accounts. May install keyloggers.
Botnet (2)
Malware that waits for a command and control center for further instructions. Many work together usually for DDoS. Can be rented for this purpose.
The patching process (4)
Manage centrally: pick which patches to install, usually security related patches. test patches. tell management server when to deploy.
Improper certificate and key management (4)
Management should be planned and documented: kind of CA. CA content protection. How will intermediate CAs be created and managed. Validate and sign certificate process
Alternate business practices examples (3)
Manual transactions. Paper receipts. non-automated phone calls for transaction approvals.
WiFi-enabled MicroSD cards security
Manufacturer should implement strong security including security control to the API.
How is spyware usually installed
May be installed alongside other software or as fake security software.
Requirements for hypervisor to use virtualization
May need a CPU that supports virtualization
Special purpose embedded devices (3)
Medical devices. Vehicles. Aircraft/UAV
RADIUS Federation (2)
Members of one organization can authenticate to the network of another organization. Use their normal credentials.
vulnerability scanner tools (3)
Microsoft Baseline Security Analyzer, Tenable Nessus, Nikto (web-based type).
Built-in FDE into OS (3)
Microsoft Bitlocker. Apple FileVault. Linux Unified Key Setup (LUKS)
Examples of on-site data storage (2)
Microsoft Sharepoint, file servers
Windows similar PKCS #12 format (2)
Microsoft's .pfx format. Often referenced interchangeably
application servers aka
Middleware
Identify vulnerability best practice
Might be a good idea to work with the vulnerability detection manufacturer so they can update scan for specific environment
RAID 1 (3)
Mirroring. Duplicates data for fault tolerance. Requires twice the disk space.
low power devices (for cryptography)
Mobile Devices, portable systems that use less power by using: Smaller symmetric key sizes. Elliptic curve cryptography (ECC) for asymmetric encryption
DSA
Modifies Diffie-Hellman key exchange for digital signature use.
Why adware and spyware are such common malware (3)
Money: steals bank info and personal info for identity fraud. Makes money with their ads. Uses bandwidth, e.g. to mine for crypto-currency.
Places that announce exploits (2)
Monthly Microsoft patch release, Adobe Flash update
What is the most common protocol use of IPSec?
Most use both AH and ESP together.
carrier unlocking security issues (2)
Moving to another carrier can circumvent MDM. preventing SIM unlock may not be possible on a personal device
(Account management) Group-based access control (2)
Moving users between groups can set account privileges based on the group. Being in multiple groups can add on permissions.
Removing Single point of failures examples (6)
Multiple/backup/redundant: internet providers; network infrastructure devices (routers, switches); servers; power source; cooling devices/system; groups of people in different locations.
What minimizes the impact of IPv4 shortage?
NAT use
how to prevent vulnerabilities (3)
NIST National Vulnerability Database: http://nvd.nist.gov. Perform regular scans with updated signatures. Watch news: trade magazines, publication websites.
SHA created by
NSA (created this)
Most common NTLM seen today
NT LAN Manager v2 challenge/response
Old and New authentication method on Windows
NTLM. today standard is Kerberos
secure protocol(s) for time synchronization
NTPsec
PII examples (4)
Name. date of birth. mother's maiden name. biometric info (example of which Data sensitivity labeling)
Model Validation (2)
Near the end of development verify if: the original requirements were met. the right product is being built.
Model verification (3)
Near the end of development verify if: the software is working properly. there are any bugs to address. the product is being built right
Rainbow tables examples
Need different tables for different hash methods, e.g. Windows different from MySQL.
Standard operating procedure concerns (2)
Need to be well documented. some must comply with industry regulations.
OS Types (6)
Network, Server, Workstation, Appliance, Kiosk, Mobile OS
Steganography tools (techniques) (3)
Network based: hide messages in TCP packets. Image based: embed message, invisible watermarks. Yellow dots from a printer can be used to tell what printer was used to print document as well as date and time it was printed
Examples of times to use proper error handling (3)
Network connection disappears or fails. server failure. database unavailable
How to spot a rogue system on your network (2)
Network scanner. Hard to hide from a layer 2 ARP
ways to capture data for replay attacks (3)
Network tap, ARP poisoning, 3rd party software to capture packets.
GCM uses (4)
Network traffic security, e.g. wireless, IPsec. Web server encryption using e.g. SSH, TLS.
Data-in-transit security (4)
Network-based: firewalls, IPS. Encryption: TLS, IPsec.
low latency (for cryptography)
Networks with fast computation time that use: symmetric encryption, smaller key sizes.
fighting XSS (4)
Never click untrusted links on emails, texts, comments, etc. Disable JavaScript. (although this would prevent many websites from working) Keep browsers and applications updated. Have Developer validate input
fighting impersonation (3)
Never disclose personal and company info. Verify through 3rd parties who they are. You can call back.
IPsec AH ESP Tunnel mode
New IP Header/AH Header/ESP Header/IP Header/Data/ESP Trailer/Integrity Check Value
Cryptomalware (2)
New generation of ransomware that encrypts all files excluding the OS so it can show a message on who and how to pay. It also usually encrypts online backups.
Nmap add-on
Nmap scripting engine (NSE): extend capabilities, vulnerability scans
Name of Network scanners (2)
Nmap/Zenmap, Angry IP Scanner
secure protocol(s) for Network address allocation
No "secure" version of DHCP. Can be secured with DHCP snooping and limiting MAC addresses per interface.
Open system
No authentication password is required
Misconfigured AP (2)
No encryption. Wireless access enabled to allow remote management of the device.
OCSP concerns (2)
Not all browsers/apps support it, e.g. early Internet Explorer versions. Some support it but don't bother checking revocation.
RC4 uses
Not used. WPA2 moved to AES instead.
Mandatory Access Control (MAC) (2)
OS limits user access to objects by setting labels on the objects to decide their clearance level. Administrator decides who gets access to what security level.
Evaluation Assurance Level
OS trust level from lowest, EAL1, to highest, EAL7.
What are a few things configuration compliance scanners may check? (5)
OS version, installed applications, network settings, anti-virus/anti-malware settings and versions, server configurations, etc
security concerns with SATCOM (3)
OS vulnerabilities. Remote code execution. similar security issues to smartphones
RTOS (ie)
OS with a deterministic processing schedule managing non-trivial systems. doesn't wait on other processes.
Different software licenses (3 ie, 1)
OS, applications, hardware appliance: each has a different method to license.
Modern malware encrypts itself until it executes is an example of what cryptography use case?
Obfuscation (Common use cases example)
How is adware usually installed
Often included alongside other software installations.
Amplification (2)
Often used with DDoS: send smaller requests that reflect off other services or devices to create a bigger attack. Takes advantage of protocols with little/no authentication or checks: NTP, DNS, ICMP.
Implicit deny
On a firewall ACL, if traffic matches no rules there is a final invisible rule that denies that traffic even if it wasn't added by the user.
Remote access VPN (2)
On-demand access from a remote device to a VPN concentrator; some are configured as always-on.
Uses for Captive portal
On guest networks, avoids unauthorized use of network and keeps employees off this network.
Resource vs. security constraints (3)
On-going battle. Browser support vs. supported encryption. Make sure browser supports encryption type. VPN software support vs. supported algorithms. Make sure VPN concentrator can support the clients being installed on workstations.
Data sanitation tools (4)
One overwrite is enough to make data unrecoverable. entire hard drives: DBAN. Individual files or folders: Microsoft SDelete. delete all caches and temporary files, copies in caches
Fighting IP spoofing (3)
Only a certain range of IPs should be associated with a subnet. Apply rules (firewall) to prevent invalid traffic. Enable switch security.
SAML (3)
Open standard for authentication and authorization. Authenticate through a third-party to gain access to local resources. XML based markup language
OAuth usually combines with
OpenID which handles the SSO authentication
Database security (4)
Options: may have access control around usernames, passwords and permissions. Can encrypt everything or individual fields. Data integrity prevents data loss due to server or hardware problems. Well written application can prevent SQL injections and other access to data.
X.500 Attribute OU
Organizational Unit. A unit or department within the organization
Process Management
Organizing the IT "product" to work best with the organization.
IPSec Transport mode (2)
Original packet: IP Header/Data. Transport mode: IP Header/IPsec Header/Data/IPsec Trailer. The IPsec header and trailer encrypt the data.
IPSec Tunnel mode (2)
Original packet: IP Header/Data. Tunnel mode: New IP Header/IPsec Header/IP Header/Data/IPsec Trailer. The destination and the data are encrypted.
Methods of Key exchange (5)
Out-of-band: Telephone, courier, in-person. In-band: Additional encryption, asymmetric encryption
Example of mandated segmentation
PCI compliance
PEAP implementations (3)
PEAPv0/EAP-MSCHAPv2, which authenticate to Microsoft's MSCHAPv2 databases.
Strong algorithm examples (2)
PGP, AES
Web of trust example
PGP (digital signature signing example)
Ways to connect to WPS (4)
PIN on the AP. Push button on AP. NFC. USB (not used anymore)
WPS attacks (4)
PIN was an 8-digit number that validated the first 4 digits (10,000 possibilities), then the next 3 digits (1,000), and the last digit was a checksum, for a total of 11,000 possible combinations. Used to have no slowdowns or lockouts. Walk up to access point. Pixie Dust: poorly encrypted PIN can be received and brute forced offline in less than 30 min.
who digitally signs public key certificates?
PKI uses CA to sign. Web of trust uses other users.
Means of Session Hijacking (4)
Packet capture (over air): Wireshark, Kismet. Exploits: cross-site scripting. After session ID captured, modify headers: Tamper, Firesheep, Scapy. Modify cookies: Cookies Manager+ (Firefox add-on).
Control Plane
Part of SDN that's responsible for the configuration of the device.
data plane
Part of SDN that's responsible for the hard work i.e. forwarding frame or providing firewall functionality
Secure Boot
Part of the UEFI specification that has a set of known-good digital signatures that allow an OS to boot if it matches those signatures.
Different types of vulnerability exploits (4 eg)
Password brute-force. Social engineering. Database injections. Buffer overflows
Something you know examples (3)
Password. PIN. Pattern
Concern with patching OS
Patches can introduce problems with the OS or applications on the OS.
Security as a service (2)
Pay for the security you need in the cloud. scale up and down as needed
Reasons to Segment networks (4)
Performance. Security. Compliance. which also makes change control easier
Advantage of a Tabletop exercise (2)
Performing a full-scale disaster drill can be costly. Many of the logistics can be determined through analysis rather than a physical drill.
PKCS #12 standard and development
Personal Information Exchange Syntax Standard. Developed by RSA Security. now an RFC standard
Vishing
Phishing over the phone.
control diversity (for defense in depth) (3)
Physical. Administrative. Technical
Segmentation types (4)
Physical. Logical. (VLAN) Virtualization. Air Gaps
Backdoors (2)
Placed on your computer through malware to allow other malware to install. some software have these as unknown vulnerabilities.
SalesForce.com offers which cloud deployment model?
Platform as a service
Administrative controls (2 eg)
Policies and procedures everyone must follow for: onboarding and offboarding visitors; backup media handling.
Key management (3)
Policies for: protecting physical and digital keys. Key generation. Key breaches. (unauthorized access to keys)
Some personnel issues (5)
Policy violation. Insider threat. Social engineering. Social media. Personal email
IEEE 802.1x aka
Port-based Network Access Control (NAC) (aka)
Lessons learned (5)
Post-incident meeting. Do it while memory of the incident is fresh. Find out what happened. Evaluate and fix incident response plans. Evaluate and add precursors.
Things VPN can check for Baseline deviation (3)
Posture analysis checks: antivirus version. signature version. OS patches
SCADA/ICS examples (3)
Power generation. refining. manufacturing equipment
Principles of social engineering: Authority (ie)
Pretends to be in charge or high position. ie CEO/help desk/police
Remote attestation security (2)
Prevent devices from booting if they do not match previous inventories (if changes are identified). Since it takes place in the computer's hardware, it can stop the whole boot process before the OS is infected.
Anti-spoofing on routers (3)
Prevents bad guys from using someone else's address for MITM, DDoS, etc. by: filtering reserved IP addresses, like RFC 1918 addresses, with an ACL; enabling Reverse Path Forwarding (RPF)
CER (3)
Primarily a Windows X.509 file extension. Can be encoded as binary DER format or as the ASCII PEM format. Usually contains a public key.
Types of virus (4)
Program virus. Boot sector virus. Script virus. Macro virus
Reason for Access violations (2)
Programming problem: application is pointing to the wrong part of memory. Security problem: malware/3rd-party application attempting to access restricted memory, trying to cause a DoS
NULL Pointer dereference (3)
Programming technique that references a portion of memory. What happens if that reference points to nothing? Application crash, debug info displayed, DoS
Places collectors can gather data to (4)
Proprietary consoles like IPS, firewalls. SIEM consoles, which have a correlation engine to compare diverse sensor data. Syslog servers
what data is often unique to an organization?
Proprietary data
Protected distribution aka (2)
Protected distribution system (PDS). Protected cabling
ESP
Provides encryption for IPsec. MD5, SHA-1 or SHA-2 for hashing; 3DES or AES for encryption. Packet layout: New IP Header / ESP Header / IP Header / Data / ESP Trailer / Integrity Check Value
SFTP (2)
Provides file transfers over SSH. Provides file system functionality.
Authentication (2)
Proving you are who you say you are. Done with passwords and other factors.
Provisioning when deploying an application (5)
Provision: web server, database server, middleware server, user workstation configurations, certificate updates, etc
Transparent proxy
Proxies that are invisible and unknown to users; no additional configuration needs to be done to take advantage of the proxy
Described as contactless smart cards
Proximity cards (description)
Microsoft and amazon cloud-based offering an example of which cloud deployment model?
Public cloud deployment model
(Digital certificate) Public Key
Public key and algorithm used by the certificate holder. (e.g. RSA, ECC(256 bits))
Asymmetric algorithm aka
Public key cryptography (aka)
S/MIME
Public key encryption and digital signing of mail content.
Distributed allocation
Puts critical assets, data and other systems in different locations to make it harder to target and exploit an application instance.
Who would usually use sandboxing for code quality and testing and what would they test? (4)
QA can fuzz, overload, stress test and try to break environment without having to worry about harming the production environment.
access database examples for IEEE 802.1x (3)
RADIUS, LDAP, TACACS+
Combined RAID types and why?
RAID 0+1, RAID 1+0, RAID 5+1, etc. Increases redundancy.
CAPWAP (2)
RFC open standard to manage WAPs from wireless LAN controllers. Based on LWAPP.
versions of RIPEMD
RIPEMD-128. RIPEMD-160. RIPEMD-256. RIPEMD-320
secure version of RIPEMD
RIPEMD-160, no known collision issues
Motion detection alarms (2)
Radio reflection or passive infrared. Useful in areas not often in use.
Compensating examples
Re-image or restore from backup. Hot site. Backup power system (control example)
Ways to provide redundancy and fault tolerance (5)
Redundant hardware components (i.e. multiple devices). RAID. UPS. Clustering of servers. Load balancing
RAT aka
Remote Administration Tool
DarkComet
Remote access Trojan with many features including keylogger that captures all keystrokes
NFC Security Concerns (4)
Remote capture within 10 meters. Frequency jamming. Replay/MITM if not encrypted. A stolen/lost device can be used to make use of this.
After-action reports (4)
Report after an exercise detailing: exercise scope and recovery objectives. Methodology. What did and didn't work. Updates to procedures, tools.
Example of waterfall development (6)
Requirements, analysis, design, coding, testing, operations (hand off to operation team that adds it to production environment)
what is needed for emails to use S/MIME
Requires a PKI or a similar means to manage and provide keys.
Criteria examples for Attribute-based access control(6)
Resource info, IP address, time of day, desired action, geographical location, relationship to the data, etc
Data steward (3)
Responsible for data accuracy, privacy, and security. Assigns sensitivity labels to the data. Ensures compliance with any applicable laws and standards for data.
Important physical signs (5)
Restricted areas. Fire exits. Warning signs, e.g. chemical, construction. Medical resources. Information, e.g. number to call for emergencies
how does SFTP provide file management (3)
Resumes interrupted transfers, directory listings, remote file removal, etc
Data roles
Roles with access to data based on their responsibility in the organization.
Reverse Path Forwarding (RPF) (2)
Router feature that makes sure the response to an inbound packet is returned the same way or it is dropped. Anti-spoofing measure
secure protocol(s) for Email (3)
S/MIME. STARTTLS on POP3 and IMAP. SSL/TLS
WiFi-enabled MicroSD cards
SD flash storage device that allows 802.11 WiFi file transfers from a camera to a computer without removing the card.
secure protocol(s) for routers and switches
SSH. SNMPv3. HTTPS (from a browser)
SIEM security reports
SIEM built-in feature that can build weekly or even monthly reports, combining the collected data into a single graphical view.
(SIEM data) correlation (eg)
SIEM feature that correlates events from different devices on the network, e.g. see someone log in through the firewall and then access info on a server
log aggregation (7 eg)
SIEM feature that logs all info from many different devices on the network to one place: switches, routers, firewalls, servers, desktops, laptops, mobile devices, etc
Event deduplication (3)
SIEM feature that prevents duplicates of an event from filling the logs, to focus on the real security event. Flapping: timers track how often an event occurred and write it as a single event occurring a number of times. SIEMs allow configurable suppression, defining how events are handled; useful for automated responses.
Automated alerting and triggers (2)
SIEMs can be automated to give alerts and respond to certain events or alerts (e.g. send you a text, call, email and/or automatically open a ticket, reboot a device). Users can mark exceptions and put them into the log.
compliance mandates for off-site backups (3)
SOX. Federal Information Security Management Act (FISMA). HIPAA
secure protocol(s) for voice and video
SRTP
secure protocol(s) for Remote access
SSH
Domain validation (DV) (2)
SSL certificate owned by someone who has some control over a DNS domain, as confirmed by the CA.
Extended validation (EV) (2)
SSL certificate that gets additional checks to verify the certificate owner's identity. Receives a green name in the address bar.
secure protocol(s) for Web
SSL/TLS = HTTPS
Cloud deployment models (7)
SaaS. PaaS. IaaS. Private. Public. Hybrid. Community
example of a safe Containment of an incident
Sandboxes can collect incidents.
Stages of deployment (5)
Sandboxing. Environments: Development, Test, Staging, Production
Examples of Regulatory Frameworks (3)
Sarbanes-Oxley Act (SOX). Health Insurance Portability and Accountability Act (HIPAA). Gramm-Leach-Bliley Act (GLBA)
Purging examples
Sdelete. DBAN
Fighting Dumpster Diving (3)
Secure garbage with fence and lock. Shred, burn, pulp documents. Look through the trash to see if there's sensitive material; consider training users if there is.
File system security (3)
Security provided for files by most OSs. Uses ACLs, lists of groups or users that are assigned rights and permissions to particular files. Access provided by the file owner or centrally administered. Can have built-in encryption.
Substitution Cipher
Security through obscurity where you substitute one letter for another
Single sign-on security
Seems like it requires only a user name and password, but a lot of cryptography happens behind the scenes.
What Out-of-band response does passive monitoring IPS send?
Sends TCP (reset) frames
Security provided by segmenting a network (eg)
Separate who gets access to certain networks. e.g. users should not communicate directly to database servers
Hosted (Infrastructure) (2)
Servers are not in your building and are likely owned by someone else. Usually in a specialized computing environment.
Types of updates for patch management (3)
Service packs: large sets of updates. Monthly updates. Emergency out-of-band updates
Privileged accounts security (3)
Should not use these accounts for normal administration. Highly secure, with strong passwords and MFA. Scheduled password changes.
New threats/zero day best practice
Should patch fast, sometimes even with little to no testing.
Digital signatures (2)
Signs message hashes with private key and can be verified with public key. Provides Authentication, non-repudiation and integrity.
SASL stand for?
Simple Authentication and Security Layer
WPS
Simple WiFi setup that had a design flaw
Memory/buffer vulnerabilities and types (5 types)
Since applications execute in memory, manipulating memory can manipulate the application. Types include: Memory leak. Integer overflow. Buffer overflow. Pointer dereference. DLL injection
what services can you disable on an application server?
Since application servers have very specific functionality you can disable all other services running on that device.
Hierarchical CA (2)
Single CA issues certificates to intermediate CAs. Distributes the certificate management load.
(PKI) trust models (5)
Single CA, Hierarchical, Mesh, Web-of-trust, Mutual authentication
Things Group Policy can administer
Sites, domains, OUs, groups, location, or any combination of AD administrative boundaries.
Something you have examples (4)
Smart card. USB token. Hardware or software tokens. Your phone.
Tokens and cards examples (4)
Smart card. USB token. Hardware or software tokens. phone.
MAC OS Update options (2)
Software Update. (old name) App Store
Google Mail is an example of which cloud deployment model?
Software as a service
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Difference between MOA and MOU
Some consider an MOA a step up from an MOU, but often they are used interchangeably.
WPA2 concerns
Some older hardware could not run this since it requires additional computing resources.
Personnel issues: Policy violation (2 eg)
Someone violates the AUP, e.g. transfers info, visits a website that is not allowed, etc.
camera systems security concerns
Someone with access over IP would know when people are around and what security is in place.
Example of compliance issues with personal email policies
Some organizations are legally required to prohibit personal email from a business account (example of)
NTLM vulnerabilities
Some systems store NTLM hashes to provide backwards compatibility. Vulnerable to credential forwarding attacks: use the credentials of one computer to gain access to another.
Data owner (2)
Someone at executive level with administrative responsibility for the application and data. Responsible for signing off on the compliance of data.
Tuples examples
Source IP, Destination IP, port number, time of day, application, etc
Role-based awareness training
Specialized training that is customized to the specific role that an employee holds in the organization.
ways to harden a system (3)
Specific guides: check the manufacturer's site, Internet interest groups. General-purpose guides
Separation of duties (2)
Split knowledge. Dual control
Kerberos timeline
Standard since the 1980s. Microsoft started using it in Windows 2000 and compatible with all Windows after that.
X.500 Attribute ST
State. A state, province, or county within a country.
SAST stands for?
Static Application Security Testing
How antivirus deals with viruses (2)
Stops it from downloading or executing and quarantines it in a separate part of storage. The signature list needs to be constantly updated since thousands of new viruses are released every day.
RAID 0 (3)
Striping data across many drives without parity. High performance. No fault tolerance
RAID 5 (3)
Striping with parity. Fault tolerant. Requires an additional disk for redundancy
IEEE 802.1x authentication process (7)
Supplicant tries to communicate. Authenticator sends an EAP-Request to the supplicant asking if this is a new authentication. Supplicant sends its username in an EAP-Response. Authenticator checks with the server. If valid, the server asks if the user can speak privately, which is passed to the supplicant. Supplicant sends credentials. Server validates and allows access to the network.
EAP-TTLS
Supports other authentication protocols in a TLS secure tunnel.
IEEE 802.1x: Authenticator (2)
Switch or wireless access point between the supplicant and the authentication server. Sometimes has the authentication server built into it.
Securing Network address allocation against DHCP Starvation Attack (2)
Switches can be configured to limit the number of MAC addresses per interface. Disables an interface when multiple MAC addresses are seen.
Session keys (2)
Symmetric keys sent over by the client, encrypted with the server's public key. The server decrypts them using its private key.
Reporting requirements/escalation: External contact examples
System owner. law enforcement. US-CERT (if working for US Government)
Load balancer features (6)
TCP offloading. SSL offload. Caching. QoS. Content switching (balance applications differently between servers). Manage load between servers
WPA concerns
TKIP has vulnerabilities and was deprecated.
One of the more common OTP methods used by Google, Facebook, Microsoft
TOTP (uses)
Hardware root of trust Examples (2)
TPM. HSM
Cross-site request forgery
Takes advantage of the trust a web application has for the user by getting the user to click on an email link that unknowingly sends the bad guy's request as if it were sent by the user.
IP spoofing
Taking someone else's IP or pretending to be an IP outside the network.
What environment does quality assurance check for bugs?
Test environment
Sarbanes-Oxley Act (SOX)
The Public Company Accounting Reform and Investor Protection Act of 2002. Established sweeping auditing and financial regulations for public companies. Helps protect shareholders, employees and the public from accounting errors and fraudulent financial practices.
(Digital certificate) Version
The X.509 version supported (V1, V2, or V3)
(Digital certificate) Signature Algorithm
The algorithm used by the CA to sign the certificate.
Cryptanalysis
The art of cracking encryption
DoS
The forced failure of a service.
(Digital certificate) Issuer
The name of the CA, expressed as a Distinguished Name (DN).
(Digital certificate) Subject
The name of the certificate holder, expressed as a Distinguished Name (DN).
carrier unlocking (2)
The process of unlocking a phone from a cellular provider after a certain amount of payments or time used. Can be illegal to lock in certain countries.
Crossover error rate (3)
The rate at which FAR and FRR are equal. Adjust sensitivity to equalize both values. A lower rate indicates a more accurate biometric system.
X.509
The standard format for digital certificates.
data exfiltration (2)
The unauthorized transfer of data outside an organization. Usually made easy when our networks are high-speed and allow people to walk in and remove data through USB or DVD, etc.
Passive monitoring
The use of an IPS on a network tap / port mirror (SPAN) to examine a copy of the traffic. Can't block traffic, only alert.
How worms are usually installed
They go through the network and infect systems with known vulnerabilities
How are false Positives identified
Time-consuming to research and resolve all the signatures.
(Incident Response) Exercise (5)
Time to test your incident response teams. Have well-defined rules of engagement. Usually a very specific scenario. Might be a tabletop exercise. Document and discuss the response.
Fighting Jamming
To overwhelm a good signal the bad signal must be close. Fox hunting: use a directional antenna and an attenuator to locate the source.
Fighting tailgating (4)
Train users on policies and to ask questions. Visitor policy: visitors are required to wear badges. Mechanical doors that admit one person per scan, mantraps, airlocks that remember if a person is already in.
Principles of social engineering: Familiarity
Tries to get you to like them so that you want to do things for them.
Sandboxing use during the development process (2)
Try some code and implement new systems without affecting the production environment. Incremental development.
Reasons for MAC spoofing (4)
Try to circumvent a MAC-based ACL. Bypass a WiFi address filter. Can be done for legitimate reasons: an Internet provider expects a certain MAC address; certain applications require a particular MAC address.
Integer overflow
Trying to put a very large number in a small allocated area, which causes the rest of the number to spill over and usually has some effect on the application.
what is Blowfish's successor?
Twofish (succeeded what?)
Network OS
Type of OS that connects many devices over a network connection
Server OS
Type of OS that provides a particular service, usually on a server.
Typo squatting (2)
Type of URL hijacking where the URL is misspelled. Misspelled URLs can be sold, redirected to competitors, or used as phishing sites or for drive-by downloads.
Worm
Type of malware that spreads quickly through the network without user help.
IV
Type of nonce that provides randomization for encryption
Explicit proxy
Type of proxy where computers need to be configured at the OS or browser to use the proxy to access the internet.
WannaCry (3)
Type of worm that: installs on networks with the Microsoft SMB v1 vulnerability. Uses the EternalBlue exploit to install a backdoor that installs an updated version of this worm. Encrypts the computer and demands Bitcoin payment for decryption while continuing to spread through the network.
UTM (11)
URL filter/content inspection. Malware inspection. Spam filter. CSU/DSU. Router, switch, firewall. IDS/IPS. Bandwidth shaper. VPN endpoint. Logs with filters
Things seen on a WAF log
URL, Attack Name, logged or denied, etc
Misconfigured content filters (2)
URLs may not be specific enough to provide blocking. Some protocols may not be filtered, e.g. HTTPS.
AES uses (2)
US Federal Government standard. WPA2
Types of Jamming (5)
Unintentional: interference like microwave ovens, fluorescent lights. Intentional (malicious): constant random bits; constant legitimate frames; random, data sent at random times; reactive, done when someone tries to communicate
UAV stands for?
Unmanned Aerial Vehicle
Unauthorized software (4)
Untested software that may contain malware, spyware, ransomware. Conflicts: may conflict with the organization's mission-critical software. Licensing: all software must be legal. Ongoing support: the creator of the software provides constant updates, security patches, versions; a policy to make sure everything is updated.
(Account management) auditing best practice
Usage and permission auditing and time-of-day restrictions can be automated: receive alerts and logs of issues to resolve.
Authentication tools used for RADIUS Federation (3)
Use 802.1x as the authentication method. RADIUS on the backend. EAP to authenticate.
Mobile Application management (2)
Use MDM to add and manage application whitelisting on devices. New applications have to be checked and added to the list.
Mobile Device Camera use security (2)
Use MDM to disable use, or use geofencing.
Recovery (for forensics) (2)
Use strategic intelligence and counterintelligence gathering to strengthen security based on the forensic data gathered.
IEEE 802.1X Certificate-based authentication
Use a certificate stored on the device to gain access to the network.
Supply chain security (3)
Use trusted vendors. Make sure bought devices were not previously connected to the internet. Verify that hardware and firmware are genuine.
Where OAuth is used
Used in Twitter, Google, Facebook, LinkedIn, and more
examples of places LDAP is used (3)
Used in: Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc.
Where is LDAP used? (3 e.g)
Used on: Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc.
Code signing certificate security
User's OS checks and validates that the software hasn't been modified. The user can stop application execution and contact the developer.
Access control models (5)
Users receive rights based on these: MAC, DAC, ABAC, Role-based access control, Rule-based access control
Kerberos security
Uses Mutual authentication between client and server to protect against MITM and replay attacks.
SSL VPN (4)
Uses SSL/TLS over TCP 443 to run from a browser or a light VPN client to other VPN devices across many OSs. Almost no firewall issues. No VPN clients, digital certificates or shared passwords (as with IPsec) required.
How is NFC used as an identity system?
Uses an access token in the phone to identify yourself.
how does DNSSEC add authentication and integrity?
Uses public key cryptography: DNS records are signed by a trusted third party. Signed DNS records are stored in DNS and can be compared against the received digital signatures.
Secure Honeynet Topology
Using many honeypots to attract bad guys.
How a botnet is usually installed
Usually installed by email link, Trojan horse or vulnerability in the OS or an application.
Online CA
Usually the intermediate CA that distributes the load of issued certificates.
(Digital certificate) Extensions (4 eg)
V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage.
Logical Segmentation (3)
VLANs logically separate networks on one switch. A router is needed to connect them.
Data owner examples (2)
VP of Sales owns the customer relationship data. Treasurer owns the financial information
Off-site backups (3)
Vaulting. E-vaulting. Can be organizationally owned or 3rd-party.
Parties that have access to extranets
Vendors, suppliers
DNSSEC (3)
Verifies responses: origin authentication, data integrity
Digital certificate fields (8)
Version, Serial Number, Signature Algorithm, Issuer, Valid From / Valid To, Subject, Public Key, Extensions
VMI stands for?
Virtual Mobile Infrastructure
Security CASB provides (4)
Visibility: see who is using what apps. Compliance. Threat prevention. Data security: encryption and DLP
Problem with WEP
Vulnerabilities found with RC4 ciphers and initialization vectors
Embed system vulnerabilities (2)
Vulnerabilities in everyday devices that have an OS which users don't have access to and which is rarely to never updated. Most of them have internet access, making them convenient for hackers.
firewalls that block SQL injection
WAF
deprecated algorithms examples (2)
WEP. DES (56-bit keys)
examples of Weak security configurations (5)
WEP (vulnerable RC4 and IV). WPA. DES (56-bit keys). 3DES. SHA1 (hash collisions)
(WPA-)Enterprise aka
WPA-802.1x
(WPA-)PSK (2)
WPA2 with a preshared key. Everyone uses the same 256-bit key.
High availability security
Watch for single points of failure.
Development life-cycle models (2)
Waterfall. Agile
service account examples (2)
Web server, database server, etc
Server OS examples (2)
Web server. Database server
Things to separate with Distributed allocation (5)
Web servers. Database servers. Middleware. security devices. monitoring systems
Location of logs for DEP
Windows Event Viewer
OS Update options (8)
Windows Update. Windows Server Update Services (WSUS) from a central console. Mac OS: Software Update, App Store. Linux: yum, apt-get, rpm, graphical front-ends
Windows OS Update options (2)
Windows Update. Windows Server Update Services (WSUS) from a central console
Kerberos
Windows network authentication protocol that uses SSO to gain access to everything, no need to re-authenticate.
Group Policy (2)
Windows policies that allow you to provide administrative and security rules to the OS of all systems globally. linked to AD administrative boundaries.
Examples of Role-based access control uses
Windows uses it in Windows Groups
OS that support Secure Boot (5)
Windows. Linux Fedora. openSUSE. Ubuntu. Apple uses their own EFI implementation
WPA2
Wireless encryption protocol that uses AES for data confidentiality and CCMP for authentication and access control.
Peripherals security can be applied to (7)
Wireless keyboards. Wireless mice. Displays. WiFi-enabled MicroSD cards. Printers/MFDs. External storage devices. Digital cameras
Secure Wireless Topology (2)
Wireless work network that should be internal and separate from guest networks, and that has secure authentication.
LDAP standard
X.500 standard
How to get back the original plaintext from an XOR ciphertext?
XOR the ciphertext again with the same key.
Non-persistent (reflected) XSS attack (3)
XSS attack that allows a script to be injected into website input/search boxes, which would then be emailed as links to victims. The script would perform functions like sending credentials, session IDs or cookies to the bad guys. The script embedded in the URL executes in the victim's browser window.
Directional antennas examples (2)
Yagi, parabolic
On-premise (infrastructure) (2)
Your servers are in your data center. All applications are on local hardware
split knowledge
a separation of duties where no one person has all the details
Raspberry Pi 3 (2)
a SoC controlled by a Broadcom BCM2837 chip. Has a controller unit (chip) for the USB and Ethernet interfaces.
Vulnerability and Penetration testing authorization
a best practice, since this removes all legal liability from testing. Can determine how invasive you are allowed to be.
Certificate chaining (2)
a chain of trust listing all certs between the server and the root CA. Starts with the SSL certificate, then chain (intermediate) certificates, and ends with the root CA certificate.
Exit interviews (2)
a common tool used by HR to gather statistics and track changes. It's a formal process with statistical record keeping.
Snapshots (2)
a complete backup of an OS at a specific date and time. Can be taken by the hypervisor in a virtual environment.
Waterfall development model
a development model that follows a sequential design process
Agile Development Model (3)
a development model where a lot of tasks are performed at once to get code created as quickly as possible to have a starting point. Involves customer collaboration. Can make changes very quickly.
AUP
a document signed by users that identifies what is and isn't appropriate on an organization's network.
False Positive on IPS
a false alarm or mistaken identity of an intrusion.
DEP
a function in certain OS that sets aside sections of memory for executable software to run
Dictionary attack (2)
a method to determine passwords by trying common words first. The most common word lists are available online.
How to update an immutable system?
a new iteration has to be deployed.
Salt
a nonce that randomizes a password hash.
Order of restoration (2)
a predefined list, set by the organization's management, of applications and their priority to be restored. Priority may change during different parts of the year.
Open proxy (e.g)
a proxy owned by a third party, commonly used to circumvent existing security controls, e.g. to get around URL filtering.
Reverse proxy (2 eg)
a proxy that takes inbound traffic from the internet to internal services, usually a server or multiple servers
Evil twin (2)
a rogue access point configured exactly the same way as an existing network. Can overpower the existing access point and have all users connect to the bad guy's access point.
Dual control
a separation of duties where both people must be present to perform a business function
Standard operating procedure
a set of step-by-step instructions compiled by an organization to help workers carry out complex routine operations
Secret algorithm (2 def)
a shared symmetric key that needs to be replaced if discovered. Or: an algorithm that is kept private, which is discouraged since experts can't test it for flaws or weaknesses.
UEFI/BIOS
a standard implementation in the manufacturer's hardware that connects the computer's firmware and OS.
password length
a strong password is at least 8 characters.
Phishing
a technique to gain personal information through social engineering and/or spoofing.
Code quality and testing: Sandboxing
a test environment that looks and works exactly like the production environment.
Application cells/containers
a virtualization space that uses just the right resources to run an application instead of launching an entire VM.
Macro virus
a virus that is part of the macros associated with documents like spreadsheets or word processing files.
Heartbleed
a vulnerability discovered in April 2014, where an OpenSSL flaw put the private key of affected web servers at risk.
False positive
a vulnerability identified that doesn't exist
nikto
a vulnerability scanner designed to scan and find info on web servers
Platforms, networks and OS RADIUS supports (3)
a wide variety of platforms and devices. Available on almost any server OS. On anyone's network, not just dial-in.
Disassociation (2)
a wireless attack that removes a wireless device from the network by taking advantage of 802.11 management frames and their lack of encryption and authentication. Sends a constant wave of disassociation frames to a device.
BPA
a written agreement that details the relationship between business partners, including their obligations toward the partnership.
EMI leakage
ability to listen in on EMI emissions on different devices to recreate user keystrokes, video, etc.
Rogue access point (2)
access points plugged into a network to bypass authentication. Can also be enabled by wireless sharing in an authenticated OS.
shared account
account that can be used by more than one person
service accounts
accounts used exclusively by services running on a computer
Privileged accounts (2)
accounts with elevated to complete access to one or more systems. Often used to manage hardware, drivers, and software installation.
Provisioning application software security
add security components to the OS and application
DLL injection
adding a malicious library and manipulating the OS or application to reference the library and the bad guy's code.
context-aware authentication (3 eg)
adding or combining context for additional authentication: where you normally log in (IP), where you frequent (GPS info), devices normally paired with (Bluetooth), and others
"Noah's Ark" of networking
adding pairs of systems and devices to maintain the uptime and availability
Continuing education (security procedures)
additional training as security environments change.
SRTP (2)
adds AES to encrypt voice/video flow. adds HMAC-SHA1 to add authentication, integrity, and replay protection
Refactoring examples (7)
adds NOP instructions, loops, pointless code strings; reorders functions, modifies application flow, reorders code and inserts unused data types
Infrastructure as code security
adds cloud-based security tools through automation, along with the infrastructure devices.
Role-based access control (2)
administrator provides access based on the role of the user in the organization. Additional rights are implicitly given to groups within groups.
example of Privileged accounts (2)
administrator, root
Who adverse actions affect
affects applicants and can affect existing employees
How to check integrity of a file downloaded online
after download, take a hash of the file and compare it to the hash value posted online.
CSR
after the creation of a key pair, the public key is sent to the CA to be signed.
SLA
agreement between two parties that dictates the minimum level of service required
Disassociation command
aireplay-ng -0 100 -a <BSSID of WAP> -c <MAC address of target> wlan0mon
DEP aka for AMD (2?)
aka Enhanced Virus Protection, NX (no-execute) page protection
SCADA aka
aka ICS
DEP aka
aka No-eXecute bit
SSL offload aka
aka SSL termination
DEP aka for Intel
aka XD bit (eXecute Disable)
Disassociation aka
aka deauthentication
low-severity vulnerability aka
aka informational/low priority vulnerability
access violations aka
aka segmentation fault
Session Hijacking aka
aka sidejacking, cookie hijacking
server-side validation
all checks of data occur on the server.
Incremental Backup Recovery process
the last full backup plus all incremental backups taken since that full backup
Active/active load balancing
all servers are active and the load balancer can use any of the servers at any time. (round robin and affinity refer to this type)
What updates are required for a newly installed OS?
all service packs and security patches
How HIDS/HIPS protects a system
allow/deny traffic based on signatures
NFC (4)
allows two-way close-range wireless communication. used in payment systems. bootstraps other wireless connections like Bluetooth pairing. uses access tokens, usually built in to our mobile devices, for encrypted payments
Single sign-on
allows access to everything on a network with a single authentication.
NTP
allows all devices to automatically sync their clocks, with an accuracy of better than 1 millisecond if synced to a local time source
VM escape vulnerability
allows bad guys to break out of VM containers and interact with the host OS or hardware.
WiFi Direct/Ad hoc security concerns
allows bad guys to more easily connect to users
Corporate-owned deployment model Security
allows corporate data to not mix with personal
camera systems (2)
allows for 24/7 monitoring in a home or office. These days recorders and cameras communicate through TCP/IP
Cloud (Infrastructure) (2)
allows for entire application instances to be created and torn down on-demand. resources are available as needed (so you don't have to pay for extra hosting and time)
Push notification services
allows information to be pushed onto a mobile device screen without input from the user
SNMPv3
allows management of network devices and includes confidentiality, integrity and authentication
Mobile Device Hotspot/tethering (2)
allows phone to become a wireless router for other devices. may require additional charges and data costs from provider
host availability (eg)
allows the implementation of cloud elasticity to build up and scale down lots of resources, e.g. a new server deployed with a few mouse clicks.
SDN
allows everything done in the networking environment to be orchestrated and automated.
Hypervisor (2)
allows virtualization. allocates memory, CPU, security and other resources required for VMs.
ad hoc mode
allows wireless devices to be manually configured to connect directly to each other without an AP.
WiFi Direct
allows wireless devices to use a discovery method to connect directly to each other without an AP
Capture system image security (5)
allows you to manipulate a copy of drive data without affecting the original. use a bootable device to make a copy without affecting the drive. remove the physical drive to prevent data overwrites. a hardware write blocker lets you read but not write to a drive. data may be backed up on tapes
How to properly add Remote wipe function to a device (3)
already enabled when you add a device to an MDM. make the user agree to the policy when adding. or configure it using a set of credentials
Data-in-use concerns
always decrypted so the CPU can use it. bad guys can pick the info out of RAM
Site-to-site VPN tunnel(2)
always-on tunnel. some disable the tunnel after a certain amount of non-use and rebuild it once new traffic passes
Forward proxy (2)
an "internal proxy" commonly used to protect and control user access to the internet. Provides URL filtering (disallowing visiting some sites)
Trusted OS (2)
an OS that is EAL compliant. EAL4 is the most accepted minimum level. (EAL7 the highest)
Adverse action (2 def)
an action that denies employment based on the background check. can also deny employment, credit, insurance, or some other benefit, due to consumer, credit, or criminal history.
Birthday attack
an attack that discovers hash collisions through brute force; a collision can also be used to substitute a different input for one validated by its hash
Known-plain text attack(KPA) (2)
an attack where the attacker has encrypted data and some of the plaintext (referred to as the crib), which may determine what the rest of the plaintext is, or determine the encryption/decryption method, secret keys, etc.
RADIUS
an authentication protocol that centrally authenticates for many different systems across the network.
Impact: Reputation
an event can cause status or character problems
pass the hash
an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
Object identifiers (OID) (2)
an identifier mechanism for naming any object, concept, or "thing" with a globally unambiguous persistent name. standardized by the International Telecommunications Union (ITU) and ISO/IEC.
Tailgating and ways (3)
an unauthorized individual enters a restricted-access building by following an authorized user. dress like a common 3rd party. take smoke breaks with employees. try walking in with hands full of donuts
Directional antennas (2)
antennas that allow you to focus signals in a single direction to go longer distances. performance is measured by dB gain. signal power doubles with every additional 3 dB
Mission-essential functions examples (4)
any functions to keep the business running: payroll. accounting function. manufacturing facility.
Incident analysis resources
anything that helps you understand what normal operation of the environment looks like
code signing (3)
application code is signed by the developer's private key. a trusted CA signs the developer's public key. provides integrity and confirms who the publisher was.
third-party libraries and SDKs concerns and security (2)
application features vs. unknown possibly insecure code base. (application development speed vs security) need to test library security.
Banner (3)
application information that tells everything about itself. used to communicate between the client and server so everyone knows who's communicating with whom. It's usually invisible to users and behind the scenes.
Code signing certificate
application is digitally signed by the developer.
ASLR (2)
application would execute in different places in memory at different times. prevents a buffer overrun at a known memory address
Ways host-based firewalls can restrict traffic
application, tcp/udp port number
Immutable systems
applications (services or even images?) that can't be modified after being deployed into production.
Privileged user examples (3)
area manager. someone who creates reports from data. someone who handles user and password changes.
Key strength security
as our computing powers grow, these have to be larger and larger.
Key management life cycle: certificate generation
associate a key to a user or device
RSA
asymmetric algorithm that uses two large prime numbers
what kind of encryption does code signing use?
asymmetric encryption
Email Incident Category
attack executed from an email or attachment
Downgrade attack
attack that forces the systems to use weaker security.
Persistent (stored) XSS attack
attack that lets bad guys store a script in a file or message so that anyone who views the page will be infected by that script
(WPA-)Enterprise
authenticates users individually with an authentication server
Unencrypted credentials (2, 4 eg)
authentication done in cleartext, unencrypted. don't send with unencrypted protocols either: Telnet, FTP, SMTP, IMAP
Somewhere you are
authentication factor based on geographical location.
Something you are (2)
authentication factor that usually uses biometric authentication stored in a mathematical representation.
Something you have
authentication factor you carry with you.
PAP
authentication found in legacy OS that communicates in the clear
things static code analyzer can't find (2)
authentication issues. insecure cryptography.
CHAP (3)
authentication protocol that was encrypted and authenticates using a three-way handshake. the challenge-response occurs periodically behind the scenes during the connection.
TACACS+
authentication protocol that was released by Cisco as an open standard.
WiFi-enabled MicroSD cards security concerns (2)
authentication vulnerabilities easy to exploit over WiFi. 3rd party can write an application to access API resulting in data leakage or data loss.
stress testing options (2)
automate existing individual workstations. simulate large workstation loads.
Disablement (3)
automatic result when there are too many failed login attempts. can also be forced by an administrator. better this than deleting, since important data could be lost.
fuzzing options (3)
available in different platforms and languages, etc., e.g. CERT Basic Fuzzing Framework (BFF)
MTTR
average time to restore a system once it fails
Proper error handling security
avoid default messages, write own error messages.
differential backup
backup that copies all files since the last full backup
Incremental backup
backup that copies all files since the last incremental backup.
Advantage of Key stretching
bad guy would have to brute force each hash, spending a lot of time.
Geolocation security concerns
bad guys can track you and your phone.
Principles of social engineering: Intimidation (ie)
bad things may happen if you don't help, payroll checks won't be processed, etc.
Content switching
balance applications differently between servers
Moat is an extreme example of?
barricades/bollards
counterintelligence gathering
based on data gathered on the attacker try to determine: what or who they are. attacker's habits that can identify them later
fighting shoulder surfing (2)
be aware of surroundings. privacy filters
Strategic intelligence/ counterintelligence gathering: Active logging
best practice is to log as much info as you can. This will have tracked every step attacker took (log everything, don't just automate increased logs when attack starts)
shared accounts security
best practice not to use these accounts
Backup utilities best practices
best practice: complete coverage, fast recovery
Best choice for removing Malware from a system
best recovery is to delete and restore from a good backup
AP signal strength security (3)
best to set as low as possible to limit signal to just inside the building. testing and study may be required. Consider receiver: High-gain antenna can hear more
black box
blind pentest where tester knows nothing about the systems and has to build maps and logically figure out what types of system there are
CTR (counter) (3)
block cipher mode that acts like a stream cipher. a counter and nonce (IV) are encrypted, then XORed with the plaintext. plaintext can be any size since it's part of the XOR, i.e. 8 bits at a time for streaming.
Faraday cage
blocks electromagnetic fields.
Asymmetric algorithm generation (2)
both keys are created at the same time using randomization, prime numbers, etc. Public key is made public and private key is kept private.
MOA example
both sides agree to promote and support the joint use of their facilities (is an example of)
Zeus/Zbot malware (2)
botnet malware used to clean out bank accounts. commonly combined with the Necurs rootkit to make detection and removal hard.
DNS amplification DDoS
botnets receive commands to send requests to open DNS resolvers for large DNS keys or other large info. they spoof the source of the request as their target instead of themselves.
switches
bridges traffic in hardware known as an ASIC; forwards based on MAC addresses
Attrition Incident Category example
brute-force attacks
things static code analyzer can find (2)
buffer overflows. database injections
traceroute
builds a router map from one device to a destination. (tracert on windows)
Sensors (2)
built-in into devices to gather metrics. integrated into switches, routers, servers, firewalls, etc.
Mobile Device Payment methods (3 standards)
built-in function that uses NFC to pay with phones: Apple Pay, Android Pay, Samsung Pay
(Backup) Location Selection: legal implications (2)
business regulations vary between states. personnel must have passports and clear immigration if site outside the country.
Personal email security policies (4)
business use or a mix of business and personal. prohibit disruptive or offensive use. compliance issues. document organisation's definition of personal email e.g. Google Mail
Advantage of change management for risk management (2)
by implementing it: more uptime and availability. decreases risks to entire organization
Cable locks security concerns
cable can be cut, so it's a short-term solution.
Mirai botnet examples (4)
cameras, routers, doorbells, garage door openers, etc
How does Orchestration aid in provisioning? (2, eg)
can automatically add or remove application instances based on what's needed, e.g. during the night. can add or remove security as well
Key escrow reasons
can be a legitimate business arrangement.
Are Smart cards contact or contactless?
can be both
Signal strength on an AP
can be configured based on how much power is used by the AP
Record time offset (5)
can be done directly from the OS. kept in the Windows Registry. document the time zone, daylight saving time and any other time change information.
shoulder surfing (methods 3)
can be done with webcams, binoculars, or reflections off windows
pseudo-random number generation issues
can be duplicated if the same starting seed is used
PKCS #12 security
can be password protected since it transfers a private key
how is Infrared used? (2)
can be used for file transfers and to control devices that are IR accessible
printer/MFD security concerns (3)
can be used for reconnaissance, e.g. log files for all activity, address books for who received a fax. can print without authentication if security is circumvented. may retrieve copies of printed documents from spooling files.
Mobile Device Payment methods security concerns
can be used maliciously if authentication is bypassed
Version control security concerns
can be used to see a previous version of confidential data even if the current version is deleted.
RPO examples (2)
can bring the system back online with a minimum of a few days' worth of data but can't access a year's worth of archives. can bring a system online but provide availability only to a certain group of people.
capture video (for forensics) (3)
can capture the status on screen as video for forensics. also use security cameras and a phone
Injecting signals into EMI (2)
can change data captured on sensors. can input info into keyboard input.
Rooting/Jailbreaking security concerns (2)
can circumvent security features, e.g. MDM policies. sideload apps without an app store
examples of Geofencing (2)
can disable cameras when inside the office. allow authentication if the device is in a particular area, prevent access if the device is located in a different country.
Application server secure configurations (3)
can disable unnecessary services. OS/security updates. limit file permission and access
PGP (3)
can encrypt and digitally sign email. asymmetric encryption (RSA) (and symmetric). used as commercial software. owned by Symantec.
Stored procedures concerns and security
someone can gain access to info in the database if SQL requests are modified. apps are most secure if they don't use any raw SQL queries and only use stored procedures.
How Network-based Firewalls act as Application-aware security devices
can identify traffic from Microsoft SQL Server, Facebook, Twitter, YouTube, etc.; can be 1000s of applications
What else can HIDS/HIPS detect? (eg)
can inform on activity in the OS. e.g. moved or modified file
Subscription services security (3)
can limit IP addresses where subscription might come from. set up certificates to establish trust. set up public key configuration for encryption.
how far can you limit access on an application server
can limit application server to only communicate to the database server and web server.
Display security concerns (2)
can reconstruct images on screen by listening to EM signals. no authentication or checks for firmware updates, so malicious firmware could log what is shown on screen or act as ransomware.
TPM Versatile Memory (2)
can store encryption keys. can store configurations of current hardware to check for hardware changes over time.
Wearable technology IoT security concerns (3)
can track our location. where is that data stored? who has access to that data?
Mobile Device External media security concerns
can transfer data from a computer to a mobile device using SD flash memory or USB/Lightning drives and walk it out of the building
HVAC security concerns
can turn off air conditioning or heating to make the temperature too uncomfortable to work, causing a DoS.
Viewing and converting different file formats (2)
can usually convert between file formats. OpenSSL and similar applications can read and display the certificates in many different formats
Where can you find Patch management tools on Windows?
can view in Control Panel > Programs (or All Control Panel Items) > Programs and Features > Installed Updates
Faraday cage security and concerns (2)
can't block all signal types. blocks mobile calls so have emergency call contingency.
Perfect forward secrecy security
captured traffic can't be decrypted later with the private key.
WiFi mobile security concerns (3)
capture data. MITM. frequency interference on 2.4/5 GHz
tcpdump (3)
capture packets from the command line in Unix/Linux OS, available for Mac OS X. apply filters, view in real-time. (saved in pcap format so it can be loaded in a protocol analyzer later)
WinDump (3)
capture packets from the command line in Windows. apply filters, view in real-time. (saved in pcap format can be loaded in a protocol analyzer later)
Screenshots (for forensics)
capture the state of the screen
Banner grabbing
capturing a banner using Netcat, Nmap, telnet, nc, etc. to view the application info: name, version of software, server, etc.
VDI development (ie)
centralized app development: no need to write the application for different platforms; write the application for one platform and anyone who accesses it with ( ) has access to the app.
How can you tell what traffic was allowed on a host-based firewall?
centralized log shows what traffic was allowed or blocked
Containment of an incident concerns
certain malware monitors for connectivity and if the connection is lost it deletes, encrypts or damages everything.
User certificate
certificate associated with a user that acts as an additional authentication factor
(OCSP) stapling (2)
certificate holder verifies own status instead of CA. CA digitally signs the status info.
USB token
certificate on USB device
Smart card security (2)
certificate on the card identifies cryptographically. used with MFA like PIN or fingerprint.
Wildcard domain
certificate that applies to all server names in a domain.
SAN (3)
certificate that supports many different domains. extension to an X.509 certificate. lists all additional DNS names associated with the cert
Machine/computer certificate (3)
certificate used to authenticate a device onto a network. can be checked on a VPN connection. management software can validate end devices.
Intermediate certificate aka
chain certificate (aka)
Ephemeral keys best practices (2)
change once a day or multiple times a day. need to be unpredictable random values.
MAC spoofing
changing MAC address allowed by most drivers.
Refactoring (2)
changing how malware looks every time it's downloaded to bypass signature-based antivirus. process of changing a software system in such a way that it does not alter the external behavior of the code yet improves its internal structure.
barricades/bollards
channel people through specific points and prevent larger objects from passing through
Web server secure configuration (4)
check and secure: info (banner info, directory browsing); permissions (web server running from a non-privileged account, file permissions properly configured); configure SSL; log files
Memory management security (3)
check and validate all user data input. make sure data going into memory matches buffer sizes. double check built-in functions of programming languages.
Data exposure security
check every step of all input and output processes.
Provisioning when deploying software to workstations (2)
check for malicious code. verify security of the workstation.
Why would you try wireless attacks on your own network?
check if your APs are susceptible to attacks like rogue APs and deauthentication, etc.
(Account management) Usage auditing and review
checking how resources are being used and stored, and if the systems and applications are secure.
(Account management) Permission auditing and review
checking that everyone has the correct permissions. often done with scheduled recertification
(Account management) Time-of-day restrictions
checking whether someone is in a certain area or accessing certain resources during times when those areas and resources shouldn't be accessed
sfc /scannow (2)
checks and repairs core OS files. Provides a log of all the things that pass and that were repaired
File integrity check
checks if malware has modified the core OS and repairs if it has.
Configuration compliance scanner and other ways it is implemented
checks to see if devices meet minimum security configurations that comply with internal requirements for an organization or industry regulations. may be an ongoing audit: monitors changes, can integrate with the login process and/or VPN connection
HIPAA non-compliance penalties (2 listed)
Class 6 felony: fine up to $50,000 or up to 1 year in prison. Class 4 felony: fine up to $250,000 and/or up to 10 years in prison.
private data aka (3)
classified. restricted. Internal use only
difference between clear text and plaintext
clear text is readable data transmitted or stored "in the clear" (unencrypted). plaintext is the input fed into an encryption process to create ciphertext.
SSO process with Kerberos
client sends a ticket granting ticket (TGT) to a KDC or ticket granting service. KDC provides the client the service ticket. Service ticket is used to authenticate to all the other services on the network
Types of Alarms (3)
closed or open circuits. motion detection. duress, triggered by a person.
Air system HVAC takes advantage of (2)
closed-loop recirculating and positive pressurization system. internal air is recycled and additional air is pushed out, preventing outside contaminants from entering
Infrastructure as code
cloud-based network devices (and technology stacks) that are deployed by automation based on what the application needs.
compiled code (4)
code where: the source code is unseen. the application is an executable compiled from the source. it's for a very specific OS and CPU. during compilation logical bugs can be identified.
Race conditions
coding problem that doesn't take into account multiple things happening simultaneously.
ECDHE
combination of ECC and Diffie-Hellman Key exchange.
Secure NAT Topology (2)
combined with a stateful firewall for security. alone it's not a security mechanism (bad guys know how to circumvent it)
HMAC (2)
combines a hash with a secret key. provides data integrity and authenticity.
GCM (2 def)
combines counter mode with Galois authentication. provides data authenticity (integrity)
Geofencing
combines geolocation and MDM policies to restrict or allow features when in a particular area.
DSA uses on mobile devices
combines with elliptic curve cryptography (ECC) to create ECDSA for minimal resource use.
netstat -b
command: shows active connections and the Windows binary that was used to create each connection
netstat -a
command: shows all active connections on an individual machine
netstat -n
command: shows all active connections on an individual machine without the resolved names, only IP addresses
arp -a
command: views the table mapping MAC to IP addresses (the ARP table)
What is pass the hash commonly associated with?
commonly associated with the Microsoft NTLM protocol.
BPA commonly found
commonly seen between manufacturers and resellers
what devices commonly use USB OTG?
commonly seen on Android devices
Preparation for an incident (5)
communication methods and who to contact. understand handling hardware and software. Incident analysis resources. Incident mitigation software. Policies for incident handling
COPE
company buys the device for the user to be used as both a corporate and personal device
XOR
compares 2 inputs: when the bits are the same the output is 0, when they are different the output is 1.
Hash uses (3)
compare stored passwords without knowing what the actual password is (confidentiality). verify a document or download is the same as the original (integrity). digital signature (authentication, non-repudiation and integrity)
CBS stands for
component based servicing
pseudo-random number generation
computer-generated number that approximates true randomness using a starting seed number.
random number generation
computer-generated number that usually includes some type of natural input
removable media control concerns
concern that portable media like USB and portable drives could infect systems or export data.
Mandatory Access Control Labels (4)
confidential. secret. top secret. etc
How to add encryption to a webserver?
configure SSL: manage and install certificates
Network Infrastructure Devices secure configurations (4)
configure authentication off a back-end known good database, with access for the system administrators. change defaults. Check with manufacturer for rare but important updates
OS secure configurations (4)
configure to automatically stay updated with latest patches. Delete and re-image compromised systems. changes go through change management. Perform regular integrity checks
Fighting Permission issues (3)
confirm permission on initial configuration. Have a process in place for changes and updates. perform periodic audits
Impact
considerations when building a business impact analysis.
Subscription services
constant automated subscriptions, each with its own method of updating
Honeypot concerns
constant battle to discern real from fake
(Account management) recertification
constant checking that users have the correct privileges assigned to their account.
Continuous integration (3)
constant security checks during development as code is added on. bare minimum is a documented security baseline. large-scale security analysis during testing.
Automation/scripting: Continuous monitoring
constantly checking for particular events to be able to automatically respond.
PKCS #12
container format for storing X.509 certificates in a single file. binary. often used to transfer a private and public key pair. (along with intermediate certs too) can be password protected
X.500 Directory tree objects (1, 3 eg, 1, 4 eg)
container objects, e.g. country, organization, organizational units. inside the container objects are leaf objects: users, computers, printers, files.
Security of Security as a service (2)
continuous monitoring. anti-virus/malware constantly updated without deploying new updates.
Compensating (control)
control that doesn't prevent an attack but restores using other means.
Detective (control) (2)
control that identifies and records any intrusion attempts. may not prevent access.
Technical controls (2)
controls implemented using systems to limit or prevent an event. OS controls
Administrative controls
controls that determine how people act
Physical controls
controls that physically separate people from our systems
Principles of social engineering: Consensus (ie)
convince based on what's normally expected: "a co-worker gave me this last week"
Passive tap
copies signal and sends to analysis tool.
Capture system image (2)
copy the contents of a storage drive. done with software imaging tools.
code reuse
copying code from one application to another when there is a common process used in both applications and it's easier than writing code from scratch.
Mobile Device Camera use security issues (3)
corporate espionage, inappropriate use, very hard to control
Correlation engine (2)
correlates data gathered together by collectors. found on SIEMs.
reason for carrier locking (2)
cost of phone may come out of monthly payments. provider needs to recoup the cost of the phone.
examples of company assets AUP covers (4)
covers: Internet use, telephones, computers, mobile devices, etc
Key management best practice.
create a good set of policies.
Digital certificate creation process (4)
create a key pair, send the public key to the CA to be signed, CA performs checks to verify ownership of domain and web server, provides a digital signature and possibly some additional features
Key management life cycle: key generation
create a key with the requested strength using the proper cipher
Account management:On-boarding
create an account with proper permissions and access by adding them into their proper groups or departments.
what year was PGP created?
created in 1991
Blowfish history
created in 1993. One of the first secure ciphers not limited by patents.
Mesh trust model
cross-certifying CAs.
Master Image
customized image of an ideal server deployment which requires some configuration specific to the server being deployed.
Injection
data added by a user into a data stream where the application isn't checking the input and gets unexpected output.
VDI
data and application run on remote servers separate from the mobile device.
RFID attacks (4)
data capture: view communication, replay attacks. spoof the reader: write own data to the tag that is sent back to the original device. jam the signal. default decryption keys on Google
Open-source intelligence (OSINT)
data collected from publicly available sources to be used in an intelligence context
cloud storage
data is available anywhere, anytime, on any device with a network connection.
VDI security (2)
data is stored in a secure, centralized area. If a device is lost no data is lost along with the device.
Web server security concerns (2)
data leaks. server access
Email storage being required to be kept for years back is an example of?
data retention (example)
Data owner (2)
data role of someone accountable for specific data. often a senior officer
PII
data that can be used to identify an individual.
Data-at-rest
data that is on a storage device.
Proprietary data (2)
data that is the property of an organization. may also include trade secrets
Data-in-transit
data transmitted over the network
Injection examples
data types include HTML, SQL, XML, LDAP, etc.
private data (2)
data with restricted access. may require non-disclosure agreement to access.
(Account management) Off-boarding
deactivate the account rather than delete it since deleted accounts may delete important data.
Risk Mitigation (1, e.g.)
decrease the risk level e.g. by investing in security systems
service account security (2)
define access for specific services. determine best policy for password updates
what policies can be set by the MDM for failed password attempts? (3)
delete all the data. completely lock the phone and require input from security team to unlock. slow down the process to prevent brute force.
Blacksheep (3)
designed to combat Firesheep, which used to be used to monitor session ID traffic on Facebook. no longer valid since Facebook uses HTTPS.
ARP
determines the MAC address from the IP address
Network scanner (5)
determines what services and OS are running on a remote device. scan for open ports. scan an IP address or range of IP to identify many devices. Visually map the network. (eg Zenmap) Good way to spot a rogue system
IPS rules (4) (#, how customized) (what about them is most time consuming?)
determines what to do when certain vulnerabilities are found: block, allow, send alert, etc. thousands of rules. rules can be customized by group or as individual rules. takes a lot of time to make rules and sort out the noise and false positives
Secure coding techniques: obfuscate. and why?
developers take perfectly readable code and give the user nonsense code that performs exactly the same as the original. makes it difficult to find security holes.
failing posture assessment (2)
device is sent to a quarantined network with just enough access to fix issues. once resolved, retest
Wireless LAN controller (5)
device that centrally manages all WAPs. Deploys new AP. performance and security monitoring. configure and deploy changes to all sites. report AP use. Usually a proprietary system based on the AP being used
fuzzer
device that randomly sends info into the inputs of applications.
Proxy (useful for? 4)
device that sits between users and the external network, receives the user requests and sends the request on their behalf. Useful for caching, access control, URL filtering, content scanning, etc
Network Infrastructure Devices
devices that run behind the scenes to keep our networks running but that users don't directly interact with. (switches, routers, firewalls, IPS, etc.)
modes of operation
different ciphers to choose from for block ciphers
shared accounts security concerns (3)
difficult to audit and know who was working. everyone shares the same resources. password management becomes difficult.
fencing security (3)
difficult to cut or knock over. High. Razor wire
password reuse (2)
difficult to do. systems remember password history and require unique passwords.
Disadvantage of change management for risk management
difficult to implement since the formal process can slow down changes.
Screenshots security
difficult to reproduce, even with a disk image
BYOD security issues (2)
difficult to secure such a device: need to protect both types of data. need a policy for when a device is sold or traded
SoC Security
difficult to upgrade, usually replace entire hardware.
Which is more advanced dig or nslookup?
dig
Non-Repudiation Common use cases example
digital signature (example of this Common use case)
DSA is part of what and when was it added?
digital signature standard for FIPS since 1993.
Certificate Standard extension (9)
digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8)
How would someone try to tap fiber?
direct taps
Parabolic antenna
directional antenna that has curved front that focuses the signals coming in to a single point, the feed horn.
Yagi antenna
directional antenna with high gain
Lockout
disable an account after too many incorrect password attempts.
Disabling unnecessary accounts in OS (4 eg)
disable guest, root, mail, etc. disable interactive logins for accounts used as services.
disabling unnecessary services(2)
disable services not being used to limit vulnerabilities. requires a lot of research.
Things to consider disabling for least functionality (4)
disable: printer installation. changing system time. taking ownership of file system objects. deny log on as a service
IEEE 802.1x (3)
disallows access until the authentication process is complete. used with an authentication protocol (e.g. PEAP) to access a centralized database (e.g. RADIUS).
Personnel issues: Social media
disclosing meaningful company info by post.
Physical taps (2)
disconnect a link, put this in the middle to capture data from the network. Can be active or passive
Deprovisioning
dismantling and removing an application instance.
Examples of well-defined rules of engagement during an Exercise (2)
do not touch production systems. only focus on test systems
Witness interviews (for forensics) (3)
document quickly as people may not be around later and memories fade. gather many to add evidence and correlate stories. witnesses don't always recognize information as valuable, so seek out witnesses and ask the right questions.
MOA
document where both sides agree to objectives; usually not legally enforceable.
Proper input validation security (3)
documenting all input methods. checking and correcting all input. using a fuzzer (a device that randomly sends info into the inputs of applications).
static code analyzer concerns (2)
doesn't identify everything. a lot of false positives need sorting.
symmetric algorithm disadvantages
doesn't scale well
Somewhere you are disadvantages (2)
doesn't work with IPv6. geolocation is not a perfect identifier of location.
Private CA advantages
don't have to purchase each individual CA from a 3rd party.
Deprovisioning security (3)
don't leave any open holes or close important holes. remove firewall rules for the removed app. remove the removed app's data or move it to a different place.
Table top exercise
don't perform an actual exercise. everyone simply discusses what the steps might be.
Integrity measurement (3)
done by testing application against a well-documented secure baseline. should be performed often. Failures require immediate corrections.
preventive examples (3)
door locks. security guard. firewall. (control example)
Example of times to deploy Incident Response Exercises
during scheduled update sessions done annually, semi-annually, etc.
Downgrade attack example
e.g. 1995 FREAK attack forced weaker public keys
Vulnerable business process example
e.g. 2016 Dridex malware used to steal Swift credentials
New threats/zero day example
e.g. WannaCry 2017, patch available since 2014.
Open door examples found during Active Reconnaissance (2)
e.g. enabled guest account, default passwords, etc.
Shimming example
e.g. get around UAC by pretending to be an older version of Windows with Compatibility mode, aka Application Compatibility Shim Cache
Automated alerting and triggers examples (5)
e.g. send you a text, call or email, and/or automatically open a ticket or reboot a device
Logs and events anomalies example
e.g. try to take advantage of vulnerabilities for plugins that don't even exist on the network.
Block ciphers security (3)
each block is encrypted or decrypted independently. uses symmetric encryption. encryption depends on modes of operation.
CBC (3)
each plaintext block is XORed with the previous ciphertext block; the result is then encrypted with the block cipher and key to produce the next ciphertext block. an IV is used for the first block.
Distributed allocation security
easier to add security between all the separated components.
MS-CHAP (and v2) security concerns
easy to brute force DES key to decrypt the NTLM hash.
Uses for containerization
easy to delete company data while retaining personal data when leaving the organization.
Mobile Device Payment methods security
enable/disable with MDM to limit liabilities of your organization.
PEAP (2)
encapsulates EAP in a TLS tunnel. Uses certificate on the server.
RSA uses (5)
encryption, decryption, digital signatures, web site encryption, digital rights management
Block ciphers (3)
encrypts fixed-length groups. often 64-bit or 128-bit. pads to bring the data up to the minimum length.
SSH
encrypted terminal communication, replaces telnet
IV uses
encryption ciphers, WEP, older SSL implementations
Stream cipher (4)
encryption that is done one bit or byte at a time. High speed. low hardware complexity. symmetric encryption for less overhead.
ECC uses (5)
encryption, digital signatures, pseudo-random generators, ECDSA, on mobile devices, more
Data-at-rest security (5)
encryption: full disk, database, file- or folder-level. apply permissions: ACLs, so only authorized users can access.
SSL/TLS (2)
encrypts all communication in browser. uses public key encryption
EAP-TLS (4)
encrypts authentication to web servers. strong security. Wide adoption across wireless network types. Support from most of industry
SSL/TLS in emails
encrypts mail in browser.
client-side validation
end-user's app makes all checks of data.
integrity
ensures no tampering of data
Test environment (2)
environment where code is put together to see if it runs in an environment similar to the one production systems run in. QA tests for bugs here.
Supply chain assessment (4)
evaluate coordination between groups e.g. 3rd parties. identify areas of improvement. optimize IT systems supporting the operation. Document the business process changes to increase efficiency
Default configuration (eg)
every application and network device has a default login and user name that should be changed. e.g. the Mirai botnet takes advantage of defaults and is open source.
Change Management security (2)
every change has a security component that should be evaluated, whether installing security patches or application updates. a change in one location can affect security in other places, so the whole application flow must be tested.
GPS tagging security concerns (2)
every document may contain this type of info making a user easy to track. especially if posted to social media.
what happened to all the certificates affected by the Heartbleed vulnerability? (2)
every web server certificate was replaced. older certificates were moved to the CRL
Single CA
everyone receives their certs from one authority
Chain of custody (3)
everyone who touches evidence, documents that they did. evidence is labeled and cataloged. sealed to prevent tampering.
Logs to physical controls (2)
everything can be logged from physical locations: entering parking, identification upon building entry, badge access to doors. these can be correlated with digital access: e.g. allowing login to a console only while in a certain room.
Malwarebytes
example of Advanced Malware Tool
An application is accepting zip codes from a certain country. Thus it only allows entries X characters long with a letter in the X column. This is an example of what?
example of proper input validation
Metasploit (2)
exploitation framework. Build your own vulnerability tests or use modules in existing exploit databases.
Health Insurance Portability and Accountability Act (HIPAA)
extensive health care standards for storage, use, and transmission of health care info
Methods to take Screenshots (4)
external capture with digital camera or phone. Internal capture with Print Screen key or third party utility
Honeypot (2)
fake system that usually attracts the bad guys' automated machines to record their recon. can make entire virtual worlds.
MFD security concerns
faxed and scanned images can be saved locally and accessed.
Router ACLs (3)
feature of routers used to allow and deny traffic, configure NAT or for QoS functions. Configured on the ingress or egress of an interface. evaluate on certain criteria: Source IP, Destination IP, TCP port numbers, UDP port numbers, ICMP
Geolocation
feature on a mobile device to find its location within feet using GPS, triangulation of signals, etc.
Remote wipe
feature that allows remote removal of all data from a mobile device from any location
Physical controls examples (3)
fences, locks, mantraps (control example)
PKCS #7 (3)
file format that contains certificates and chain certificates. no private keys. stored in ASCII format
client-side validation security
filters legitimate input from genuine users.
Packet filters (2)
filters traffic based on inbound and outbound rules. usually found on a device or server rather than a network appliance.
vulnerability scanner test type? How it tests
finds vulnerabilities from e.g. missed patches. active test but minimally invasive. gathers as much info about the OS as possible, and users go through the results afterwards to sort priorities.
Something you are examples (3)
fingerprint, iris scan, voice print
What system is usually integrated with HVAC and why?
fire alarm system so HVAC doesn't provide additional oxygen to feed the fire and limit its impact.
what are on-site tools to mitigate DDoS? (2)
firewall or IPS
stateless firewall
firewall that acts as a packet filter inspecting every packet inbound and outbound against an ACL regardless of past history
application-based firewall
firewall that decodes and analyzes every packet to tell what application is going by.
WAF
firewalls between web clients and web servers that deny unexpected or unauthorized input.
network-based firewall
firewalls configured to filter by TCP/UDP port number
Do stateful firewalls keep track of sessions?
firewalls that keep track of active sessions
stateful firewall
firewalls with an ACL and a session table that registers the source and destination IPs and ports and keeps track of that session. everything within that valid flow is allowed.
Misconfigured firewall (2)
firewalls with rules that provide too much access. often difficult to audit since a lot of organizations have thousands of rules.
Custom firmware
firmware installed by jailbreaking/rooting a device to gain access to the OS.
Privacy threshold assessment (3)
first step in the compliance process. identifies business processes that are privacy-sensitive. determines if a privacy impact assessment is required
hard-coded
fix (data or parameters) in a program in such a way that they cannot be altered without modifying the program.
NTPsec
fixed a number of vulnerabilities by cleaning up the code base
AP band selection and bandwidths: 5 GHz
for 20 MHz channels: 36 through 64 available (8 non-overlapping total, every 4). 68 through 96 not available. 100 through 165 available (17 non-overlapping total). combine channels for 40, 80 and 160 MHz.
How can you ensure there is no tampering of evidence? (2)
for physical evidence, we catalog and seal it. for digital evidence, we use a hash.
MOU
formal agreement between two parties, a stage above a gentlemen's agreement but not a signed contract or legally binding.
change management
formal process for managing change to avoid downtime, confusion and mistakes.
Threat actor
formal term for a bad guy, aka malicious actor
DER
format specifically designed for X.509 certificates. binary format, not human-readable.
PEM uses
format supported on many different platforms, applications, OS
802.11 management frames (2)
frames that make everything work: find AP, manage QoS, associate/disassociate with AP. invisible to the user.
white box
full disclosure pentest of OS, network and services. Usually jumps straight to exploiting
Brute force attack Offline (2)
gain access to the file containing the hashed passwords. large computational resources needed to calculate passwords and try matching them to stored passwords.
Rooting
gaining access to Android OS
Jailbreaking
gaining access to Apple iOS.
intrusive scan
gather info and test to see if vulnerabilities exist without taking advantage of them.
Protocol analyzer (3) what can it find? (2)
gathers packets and presents them in plain English. Over the air or the network. sometimes built into the device, no additional software needed. Identify unknown traffic. Verify packet filtering and security controls.
collectors
gathers the data from the sensors to one place.
Where random number generation is used (2)
generate keys, salted hashes, etc
Hardware or software tokens
generate pseudo-random authentication codes for MFA.
shared account aka
generic account (aka)
Initial exploitation (2)
getting into the network. usually the most challenging part
Network traffic and logs (2)
good for capturing forensic information, especially an IPS, which is specialized for looking for attacks. some organizations store raw network data, an exact recording of network communication.
Nation states/APT (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)
governments; experts in hacking, usually focused on national security. always external. highest sophistication: attack military organizations, security sites, financial control.
Cyber-incident response teams (3)
group that may or may not be part of organizational structure. deployed for events determined by organization. handles security incident response, analysis and reporting.
tuples
grouping of ACL rules
shared account examples (2)
guest account. anonymous login
general purpose guides
guides from people who have gone through the process of creating a secure configuration (hardening) for a system.
Hacktivist (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)
hacker with a mission/goal: political agenda or social change. often external. pretty sophisticated: specific hacks, DoS, release private info, web site defacing, etc. limited funding, but some crowdsource.
Something you do examples (2)
handwriting. Typing technique, delays between keystrokes
VM sprawl concerns
hard to deprovision VMs if you do not know which applications they relate to.
loop prevention (2)
hard to troubleshoot but easy to resolve. Spanning Tree Protocol prevents this
Infrastructure as a Service aka
hardware as a service (HaaS aka)
Key stretching example
hash a password, hash the hash of that password, continue
Digital signature process (5)
hash the plaintext. encrypt the hash with the private key. send the encrypted hash with the plaintext. the receiver decrypts the hash with the public key. compare that hash to a hash of the received plaintext.
Key generation policies (2)
have a formal process for when someone is given access to an area or a key. a 3rd party or management usually signs off on this.
Change management for risk management (5)
have clear policies for change: know when it occurs, duration of occurrence, installation processes, fallback procedures.
deprecated algorithms
have design flaws, vulnerabilities
Role-based awareness training security (2)
have detailed documentation and records in case problems occur. apply it for third-parties as well
Posture assessment (6 eg, 1)
health check for BYOD devices; checks for: malware on device, updated anti-malware, unauthorized applications, corporate applications, mobile device, disk encrypted. available for all OSes.
Special purpose embedded devices: Medical devices examples (2)
heart monitors. insulin pumps
Example of a connection NFC can bootstrap
helps the pairing process for Bluetooth between a mobile device and an accessory
high availability vs redundancy
high availability means always available but redundant systems may need to be powered on.
weak algorithms
how easy it is to brute force these
ARO
how often a threat might occur in a single year.
SMS/MMS
how we send text messages, video, audio, pictures on phones
commercial CA (3)
hundreds that can be used to digitally sign certificates. built-in to the browser. can be used to purchase web site certificates.
Type I hypervisor
hypervisor that runs as its own OS directly on the hardware.
examples of where RTOS is used (3)
industrial equipment. anti-lock brakes on automobiles. military environments
Security Automation
inexpensive implementation of constant security tests that can be set to run automatically starting early on in the development process.
Dumpster diving (2)
info may be thrown out at certain times. bad guys may learn these times to gather info. legal in the US unless there are local restrictions or it is private property.
Passive Reconnaissance (6)
information gathering phase before pentesting using open sources like: social media. corporate web site, which may say where offices and data sites are located. online forums, Reddit. social engineering. dumpster diving. business organizations that work with the target.
XSS (2)
inject different scripts to websites to have that information be replayed to different users. takes advantage of web application development errors and the trust a user has for a site
Examples of use of third-party libraries and SDKs
input desired values into a 3rd party library which can provide a graphical gauge with a value.
sideloading
installing apps without an app store usually with a jailbroken/rooted device.
Smart card (2)
integrates with devices. may require a PIN
cloud storage in the enterprise security (3)
integrates with enterprise authentication. can use two-factor authentication (2FA). strong encryption required.
Self-signed (2)
internal certificates that don't need to be signed by a public CA but by internal CA. install CA certificate/trust chain on all devices
License Compliance Violation (2)
an invalid license can make an application stop working, or work only part of the time, which is an issue with data integrity.
Clickjacking
is a technique that tricks users into clicking on a malicious link by adding the link to a transparent layer over what appears to be a legitimate web page.
Data exposure security concerns (2)
is data being displayed on screen to others? is it encrypted across the network and where its stored?
RPO
is the maximum targeted period in which data loss might be acceptable
DLP best practice
it can sit in many locations, so consolidate all DLP logs to see what occurred during, say, a file transfer.
SATCOM security
keep all software on these devices updated to the latest version
Master Image security (2)
keep the image updated with security patches, OS updates, service updates. requires a lot of time to test that changes don't affect applications.
public key encryption (3)
keeps a private key on the server. uses asymmetric encryption to transfer symmetric session keys. Symmetric encryption creates a secure fast connection.
Accounting (4)
keeps track of resources used: login time, data sent and received, logout time
SCADA/ICS security (2)
kept on a private segmented network usually with no internet access. tight controls and security.
Proximity Cards examples
keycard door access, library cards, payment systems
Cryptographic keys
keys added to ciphers to encrypt plaintext.
Ephemeral keys
keys that need to be changed often.
IoT Home automation security concerns (2)
know when we are home or not. gaining access to one device can potentially give access to the whole house.
Software as a service security
know which security is available in the cloud.
KeySniffer
known vulnerability that allows capture and injection of key strokes and mouse movements.
Vulnerable business process (2)
lack of checks and balances. If the business can be taken advantage of, it will be
Examples of devices that use IEEE 802.1X for Certificate-based authentication (4)
laptops, device storage, separate physical device, or mobile device
HVAC (2)
large complex systems in large enterprises requiring experts in thermodynamics, fluid mechanics and heat transfer to implement. Usually managed centrally.
Distributed Denial of Service
launch a botnet army to bring down a service by overloading the bandwidth.
fighting refactoring
layered approach: update signatures, block known malicious URLs, back up often
interoperability agreements
legal agreements with 3rd-parties when outsourcing services and data to ensure security and control meets organisation requirements
NDA
legal contract that must be signed by employees and third parties to prevent the use and dissemination of confidential information.
Mobile device Recording microphone concerns
legal liabilities different in every situation and state.
Examples of carefully controlled conditions to gain access to keys stored for Key escrow (2)
legal proceedings, court orders
Legal hold (4)
legal technique to keep any data associated with a legal proceeding. hold notification tells what and how much data is preserved. ESI stored in separate repository. may include ongoing preservation of new data created.
Background checks concerns
legalities of what can be done vary by country.
MTBF security (2)
lets us plan for failures. gives us an idea of what we might be able to do to prevent failures
SIEM dashboard (2)
lets you collapse event logs into graphics or charts. break out immediately occurring events, etc
Active tap
lets you switch between many connections and provide additional boost of signal to passing traffic.
How a logic bomb is usually installed
likely left by an insider with administrative privilege.
Mobile Device External media security (2)
limit data written to removable drives. or disable function on MDM
OS least functionality
limit the OS to what is needed for the users or group.
External storage devices security concerns (2)
limited authentication on these devices to view files, concern if lost or stolen. easy to exfiltrate data
Limits to port mirrors (2)
limited based on: what the switch can handle. the amount of bandwidth that can be sent to the analysis tool.
clean desk policy security
limits the exposure of sensitive data to third parties.
Online vs. offline CA advantages
limits the scope of compromised certificates.
Security advantage of Least privilege on accounts
limits the scope of malicious behavior
Patch management tools
list of all OS and security patches installed on the computer.
cross-referenced online vulnerabilities (2)
list of vulnerabilities found National Vulnerability Database: http://nvd.nist.gov/ and Microsoft Security Bulletins: http://www.microsoft.com/technet/security/current.aspx
Dynamic round-robin scheduling (2)
load balancer scheduling that monitors server load and distributes to the servers with the lowest use. if one server is more loaded, it uses the others first.
Weighted round-robin scheduling
load balancer scheduling that prioritizes certain servers to receive more load
Affinity scheduling (2)
load balancer scheduling where each user or application instance is stuck to the same server, mainly because many applications require communication with the same instance. tracked through IP address or session IDs.
Active/passive load balancing (3)
load balancing where some servers are active and others on standby. uses a standby if an active fails. takes the active offline until it's repaired.
screen lock (2 eg)
lock on mobile devices that requires passwords. e.g. numbers or letters
security against USB on mobile (2)
locked devices don't allow USB connections, enable auto-lock. be aware that phones can connect through USB as storage devices.
CBS (2)
log file of a sfc scan, ( ).log
Anti-virus log
log of how many viruses were stopped or URLs blocked
Application Whitelisting logs
logged to the Operating system's centralized log.
Non-regulatory example
logging and sharing malicious IP and URLs with others
SIEM (4)
logs the security events of all the devices across the network. provides security alerts from real time info. Has long term storage and log aggregation. data correlation, links diverse data types. forensic analysis- gather details after event.
Fighting Disassociation (3)
long patch cable. perform a packet capture to confirm its happening. mostly been patched
Identification of an incident
look for precursors or incident indicators.
what is the objective for dynamic analysis (3 eg)
looking for out of the ordinary results: application crash. server error. exception to normal operation of the application.
dig
lookup info from DNS servers: canonical names, IP addresses, domain names from IP addresses. (more advanced than nslookup)
nslookup OS? uses?
lookup info from DNS servers: canonical names, IP addresses, cache timers. Windows and POSIX-based (already built in to Linux and macOS). deprecated (use dig).
Methods of SATCOM (2)
low earth orbit satellite. geostationary satellite
Goal of redundancy and fault tolerance (2)
maintain uptime and availability of organization. ensure hardware, software and systems keep running after failures occur.
Qualitative risk assessment visual example (3 eg, 4 eg)
make a graph of risk factors e.g. Legacy Windows clients, Untrained Staff, No Anti-Virus Software, and categories of risk associated with those e.g. Impact, ARO, Cost of Controls, Overall Risk.
Key stretching
make a key stronger by performing multiple processes
weak algorithms security
make keys so long that it is impractical to brute force.
Obfuscate
make something normally understandable very difficult to understand. (Camouflage)
Obfuscation examples (2)
make source code difficult to read without changing its functionality. Steganography
Architecture/design weaknesses (7)
make sure locks on all doors on the network like: Ingress. VPN. Third-party access. Internal controls. Account access. Front door access. Conference room access
credential management (2)
make sure passwords are stored on the server. audit to make sure communication is encrypted.
how can you secure log files on a web server?
make sure they're enabled: can monitor, access and view all files.
Principles of social engineering: Trust
make you feel safe to give info to
Obfuscation
making something more difficult to understand
Adware (2)
malware that displays advertisements to the user, commonly in a web browser. May cause performance issues over the network.
External threats
man-made threats from outside the organisation.
Memory management
management of memory so it is not taken advantage of.
Role examples for Role-based access control
manager, director, team lead, project manager, etc
data custodian (3)
manages the access rights to the data. implements security controls defined by the steward. is sometimes the same person as the data steward
Identification of an incident concerns (2)
many detection sources with different levels of detail and perception. which are legit threats?
Competitors (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)
many motives: DoS, espionage, harm reputation, competitive advantage (unethical). high level of sophistication. significant funding. intents: DoS during an event, steal customer lists, corrupt manufacturing databases, take financial info.
Proper error handling security concerns (2)
may allow bad guys to find and take advantage of vulnerabilities. default messages can give info on how application was created or the platform its running on.
Where may AUP be documented?
may be documented in an employee's Rules and Behavior
organization log policies (2)
may need formal process to collect and archive log info. may fall under privacy laws
Captive portal security (2)
may require additional authentication factors. can remove access after certain amount of time or on logout.
Adverse action requirement
may require extensive documentation.
In most organisations, Elasticity is integrated with what?
may require orchestration to automate this process e.g. scaling up and down during different times of day.
Hash aka
message digest (aka)
RIPEMD (2)
message digest created to help with Integrated Broadband Communications in Europe. Performs similar to SHA-1
NAT uses (2)
minimizes IPv4 shortages. provides security through obscurity.
What secure configurations should be added to OS user accounts? (2)
minimum password lengths and complexity. Limit capabilities to just what they need.
Investing in security is what type of risk response technique?
mitigate (example)
Grey box
mix of black and white box pentest. Some details given to pentesting team. Up to them to gather additional details
hybrid cloud deployment model
mix of public and private cloud
Mobile Device External media
mobile phones can connect to computers acting as mobile storage devices.
DNS poisoning (2)
modifying the DNS server to send users to incorrect sites. can also be done by modifying the client host file.
SLE
monetary loss of a single event.
Strategic Intelligence (2)
the more data that is collected and stored, the easier it is to create a strategy for future protection. make policy changes and process changes based on the data gathered.
Impact: Life
most important goal is to make sure everyone is safe.
WPA2 history (3)
most modern encryption for wireless network introduced in 2004. AES replaced RC4. CCMP replaced TKIP.
Personnel issues: Social media security
most organisations have a policy to prevent this; often a centralized function around a marketing team.
Geolocation security (2)
most phones can disable this function. MDM can require it enabled to track all company assets.
password history (2)
most systems should be set to remember previous passwords used. best to keep passwords unique.
Detective examples (2)
motion detector. IDS/IPS (control example)
random number generation input examples (3)
mouse movements, atmospheric noise, lava lamp
SoC
multiple components and most of the processing running on a single chip with some supporting devices like interfaces surrounding the chip.
Failover security
must be documented in both directions, including the revert back to primary location.
SSID (2 eg) and security (2)
name of the wireless network broadcast by the AP, e.g. Netgear, default. best to change defaults so they don't describe the manufacturer. some disable SSID broadcasting, but this is not a security feature since the SSID can be determined by a packet capture.
IoT Home automation
nearly all devices can be connected to wifi at home.
Key escrow security (3)
need clear process and procedures for managing keys. need to be able to trust your 3rd-party and their security. May have carefully controlled conditions to gain access to keys.
SLA examples (2)
network access from a 3rd party may require: a certain uptime. a response time and management of any problems.
Nmap (4)
network mapper: learn more about the network devices across the network. port scan: find devices and identify open ports. OS scan: find what OS is on a device without logging into the device. service scan: name, version, details. (Nmap scripting engine (NSE): extend capabilities, vulnerability scans)
SCADA/ICS (2)
network that centrally controls large pieces of equipment in real time. often used in manufacturing or power distribution.
DMZ
network zone where the public has access to public resources but not the internal network
Memory management security concerns (3)
never trust data input. buffer overflows. some built-in functions in a programming language are insecure
ABAC is often referred to
next generation of authorization
Dissolvable agents (3)
no installation required. runs during the posture assessment, e.g. the authentication process. terminates and is removed from the device when no longer required
3DES uses
no longer used. replaced by AES.
Immutable system security (2)
no minor updates over time, which prevents new security issues. can redeploy full previous iterations.
Self-signed advantages (2)
no need to purchase trust for devices that already trust you. provides trust within an organization.
Single point of failure security and concerns
no practical way to remove them all. Invest in the right systems in the right place in the organisation to keep it running as much as possible.
Non-regulatory (3)
no rule or law for compliance, just best practices. law may be in the works. may create value for yourself or others
Password complexity (4)
no single words. no obvious passwords (dog's name). mix upper and lower case. use special characters but don't replace o with 0 or t with 7.
Qualitative loss (1,eg)
non-monetary business impact e.g. lost laptop can mean lost time for employee to work and provide services to customers.
Qualitative risk assessment (3)
non-monetary business impact. ask opinions about the significance. Display visually with traffic light grid, scale of one to ten, etc.
LDAPS
nonstandard implementation of LDAP over SSL
security issues with 3rd-party apps (2)
not all apps secure: vulnerabilities, data leakage
Air gaps security concerns
not disabling removable media can let someone walk the data between networks.
Something you are disadvantages
not foolproof
biometrics security (2)
not the most secure authentication factor. MDM can enable/disable this function
Resource exhaustion (2)
occurs when the resources required to execute an action are entirely expended, preventing that action from occurring. The most common outcome is DoS.
SSL Accelerators
offloads the SSL handshake off of web servers.
SSL Accelerator (2)
offloads the SSL handshake process, which uses asymmetric encryption, from the web servers to this hardware. encryption may end here and continue to the web servers using HTTP in the clear
Stream cipher security
often combined with an IV since we often send duplicate information.
Special purpose embedded devices: Medical devices security concerns
often use older OS
NTLM
old Windows authentication method using a domain name, user name and password hash
places to keep a public key
on a public key server available to everyone usually retrieved with an email address.
places HOTP used
on hardware or software tokens
omnidirectional antenna (2)
one of the most common antenna types that distributes signal evenly on all sides. No ability to focus the signal
MDM (3)
one pane of glass to remotely manage all mobile devices. sets policies, creates partitions, forces screen locks and PINs
Split knowledge example
one person has half of a safe combination and someone else has the other
Application Whitelisting: Path
only allows applications in certain folders to run
Application Whitelisting: Network zone
only allows applications to run from a particular zone or IP address scheme for a network.
Application Whitelisting: Certificate (eg)
only allows digitally signed applications from certain publishers, e.g. only allow applications developed by Microsoft by only allowing a particular signing certificate.
Application Whitelisting: Application hash
only applications that match a hash can execute
Email certificates advantages
only the receiver can decrypt the contents of the email with their private key. digitally signing provides non-repudiation and integrity for emails.
OpenPGP (3)
open standard. RFC 4880. Implemented as software called GPG
Shibboleth
open-source software that implements SAML to provide federated SSO.
Mirai botnet (3)
open-source software that takes advantage of default configurations. takes over IoT devices. 60+ default configs
Private cloud deployment model
organization creates and hosts private clouds with local data center available internally.
data retention (2)
organization decides how much data is kept, for how long and how often it's kept. may have legal requirements like storing certain data and how it's stored (e.g. encrypted)
COPE security (3)
organization keeps full control of the device. usually managed from MDM. Information is protected by policies and can be deleted at any time
Password expiration
organizations can require passwords to be changed every 90, 60, 30 or in critical systems 15 days.
security concerns with the original 802.11 management frames
original frames unprotected with no encryption, authentication or validation and thus vulnerable to disassociation attacks
RIPEMD issues
original had collisions discovered in 2004.
SMS/MMS security concerns (2 + eg)
outbound data leaks, financial disclosures, inbound notifications, phishing attempts
Firmware OTA updates (2)
over the air updates for mobile device OS. can be simple security patches or entire OS updates.
Open proxy security concern
owner of these proxies can add malicious code to responses.
Linux iptables
packet filter in the kernel.
ISM band
part of the 2.4 GHz range reserved for Industrial, scientific, and medical.
what standard is USB OTG?
part of the USB 2.0 standard
Federation authentication process (3)
password and account info is not shared: authentication process is passed to third-party. third-party validates authentication and provides the clearance back to the original site.
Reason password management is challenging on shared accounts (2)
everyone who shares that password must be informed of password changes. constant password changes can leave yellow sticky note paper trails
credential management concerns (2)
passwords must not be embedded in the application or stored on the client. Authentication traffic should not be seen.
TOTP (2)
passwords on tokens created with a secret key and a time stamp made by NTP. Timestamp increments every 30 seconds.
HOTP (2)
passwords on tokens used once for a session or authentication attempt and never again. created with a secret key and an incremental counter
NFC implementations (3)
payment systems. Bootstrap for other wireless. Identity system
places to keep a private key
personal key should be kept private.
Spear phishing
phishing customized for targeting specific groups or individuals.
example of software tokens
phone can have software based tokens or just SMS message for additional authentication.
places Fingerprint scanner is used
phones, laptops, door access
Hardware root of trust
physical hardware designed to be difficult to circumvent since code can't change it and security functions do not work without it.
Air gaps
physically separate network with no way to have devices communicate with each other.
antenna placement
place so signal covers all points with different non-overlapping frequencies side by side.
Containerization
placing all company data in a virtual contained area separate and inaccessible from personal data.
other places for firewalls
placing between users and data in data center.
change management process (6)
plan for a change. estimate the risk associated with the change. have recovery plan ready. test before making change. document, get approval and schedule. make change.
Single point of failure
points like outages or downtime to a particular service
PKI (4)
policies, procedures, hardware, software, and people used to manage digital certificates. encapsulates the process of creating, distributing, managing, storing and revoking certificates. also refers to the binding of public keys to people or devices. it's based on trust created by a CA.
clean desk policy (3 ie)
policy that when you leave your desk, nothing is left on top of it, i.e. paperwork, a turned-on computer, any visible data.
Captive portal (2)
pop up on a browser asking for username and password for network access. Access table that recognizes a lack of authentication redirects user to this page.
port mirrors aka (2)
port redirection. SPAN (Switched Port ANalyzer)
Background checks aka
pre-employment screening
Background checks (3)
pre-employment screening that allows you to: verify the applicant's claims. discover criminal history. discover workers' compensation claims, which show injuries and illnesses the worker filed that affect the job.
MTBF
predicted time between two failures
Hash (2)
present data as a short string of text. impossible to recover the original message, i.e. one-way trip
Impersonation (4)
pretend to be someone else. can be in person or over the phone. Gather information to become familiar with the organization. can try using higher rank, becoming familiar, throw technical details around
Shimming
pretending to be software-based middleman to get around security.
Pinning security (2)
prevents MITM. if certificates don't match, application can shutdown or show an error message.
How does DLP manage content for mobile devices? (3)
prevents copy/paste of sensitive data. ensures data is encrypted. can set policies from a MDM
DLP (3 eg)
prevents loss of sensitive data: social, credit card #, medical records, etc
Advantage of Nonce
prevents replays during logins since a new number would be used each time.
DAP
previous version of LDAP that ran on the OSI protocol stack.
Screen filters aka
privacy filters (aka)
Intranet
private company network used by employees with internal or VPN access.
Improperly configured accounts (2)
process issue where accounts may be: abandoned and unnecessary, no longer needed. given unneeded administrative access. best practice should prevent admin login accounts unless on a server console.
Asset management (5)
process, usually automated, to identify and track computing assets. allows faster response to security problems. keep an eye on the most valuable assets: both hardware and data. track licenses and make sure they are updated. keep all devices up to date (patches, antimalware signatures)
Organized crime threat actors (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)
professionals motivated by money. almost always external. very sophisticated: best hacking money can buy. organized: one hacks, one manages exploits, sells data, customer support, etc.
honeypot options
projecthoneypot.org/, honeyd
certificate of destruction
proof by a 3rd party that they destroyed your media and data.
Fighting Race conditions
proper checks and validation must be performed
Physical safe security (2)
protect against elements: fire, water. have contingency for lost keys/combinations
Protected distribution (4)
protected fiber and copper with conduits often made of sealed metal. Prevents copper and fiber taps. prevents cutting wires. Periodic visual inspection.
server-side validation security
protects against malicious activity done away from user interfaces.
Backup utilities protects against (4 eg)
protects from downtime, malware, ransomware, server defacement, etc.
Why is Host-based firewalls required for laptops and mobile devices?
protects on unfamiliar and open networks.
LDAP
protocol for reading and writing directories over an IP network.
LDAP (ie)
protocol for reading and writing directories over an IP network. i.e. it organizes large numbers of services into structured databases.
OpenID (and what it combines with)
protocol that provides SSO authentication. Usually combines with OAuth for authorization between applications
OAuth
protocol that provides resource authorization
External storage devices security
provide encryption in case of loss or theft
Importance of physical signs
provides clear and specific instructions e.g. for visitors.
netstat OS?
provides different views for what the statistics are for network communications on a particular device, available for many OS
GCM advantages (3)
provides encryption and authentication at the same time. minimum latency. minimum operation overhead
Provisioning
providing or making something available usually involves adding many other things to make something fully operational
Application proxy (3)
proxies that understand how applications operate. they proxy whole applications on user's behalf. Might understand one application like HTTP or many applications
Public key certificate
public key combined with a digital signature for added trust.
when was MD5 published?
published 1992
Year Diffie-Hellman was published
published in 1976
RSA publication history (3)
published in 1977. first practical use of public key cryptography. Now released into the public domain
Network Infrastructure Devices OS
purpose built embedded OS with limited, non-detailed user access.
Secure cabinets/enclosures (2)
put racks side by side and locked. provide ventilation.
EMI/EMP security (1) and where it's found (3)
put shielding in place. military installations. places that deal with national security. highly secure networks
Fighting Privilege Escalation (4)
quickly patch and update software. Update anti-virus/anti-malware since they can stop some known vulnerabilities even if system isn't patched. DEP will not allow vulnerabilities in non-executable areas to run. ASLR would prevent bad guys from focusing on specific memory addresses
DAP
ran on the OSI protocol stack. (was replaced by a more lightweight LDAP that uses TCP/IP)
Built-in Features on a TPM (6)
random number generator. key generator. persistent memory with unique burned-in keys. versatile memory for storing keys and hardware configurations. password protected. Protected against Dictionary Attacks
Nonce number examples (3)
random or pseudo-random number. can be a counter
clear text
readable data transmitted or stored "in the clear" (unencrypted)
low-severity vulnerability
real vulnerability identified but most often not a high priority.
Normalization
refers to organizing the tables and columns to reduce redundant data and improve overall database performance.
Gramm-Leach-Bliley Act (GLBA)
regulation of disclosure of privacy info from financial institutions. i.e. requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how that information is used.
NT LAN Manager v2 (NTLM) challenge/response (3)
relatively insecure MD4 password hash. HMAC-MD5 hash of username and server name. Variable-length challenge that uses timestamp, random data, and Windows domain name
NFC security concerns (5)
remote capture within 10 meters. Frequency jamming. relay/replay attack, MITM. loss of device can be used
purging
remove data partly or completely from a device
dead code security
remove dead code to reduce opportunities for security problems.
Eradication (3)
remove malware. disable breached user accounts. fix vulnerabilities (or is this recovery?)
Advantages of Secure token
removes overhead from servers. easier to scale than server-based authentication.
Fighting adware
removing adware may be challenged by the adware itself, as it displays ads for fake removal software that may add more adware.
MD5
replaced MD4. 128-bit hash value
Wireless Replay attack
replays packets captured over the air.
802.1X (2) prevents what?
requires authentication for everyone who wants to use resources on the network. NAC. helps prevent rogue access points
Capturing IV (4)
required to crack a WEP password. requires thousands. could take all day capturing it over the air or can be collected by replaying a ton of ARPs. Capturing takes time. crack is fast.
Mandatory vacations
requirement to go on vacation a certain number of times or amount of time during the year
Full tunnel
requires all traffic to run through a VPN concentrator before it can access 3rd-party websites
Off-site backups security (2)
requires extensive protection, usually by compliance.
Perfect forward secrecy concerns
requires more computing power. legacy systems and browsers can't communicate over encrypted channel to servers that support this.
Rooting/Jailbreaking process
requires replacing the OS of the device with their own custom firmware that has OS access.
Requirements for Federation
requires trust between organizations.
Advanced Malware Tools best practice (2)
research best anti-malware and recovery tools possible. better to stop and prevent infection
Cryptanalysis real world use
researchers are constantly trying to find weaknesses in ciphers.
In-band response
response from an inline IPS to immediately drop any identified malicious traffic
Privacy officer (2)
responsible for all the organization's data privacy. sets policies, implements processes and procedures
Recovery (3)
restore from good backups. or rebuild from scratch. large-scale rebuilding may take months and have phases.
Host-based firewall (2)
restricts access to device. prevents programs on device from accessing network
Impact: Property
risk to buildings and assets
what are Network scanners good at finding?
rogue systems
Job rotation
rotating employees to different jobs and responsibilities in an organization.
examples of systems RADIUS can authenticate to (6)
routers, switches, firewalls. server authentication. remote VPN access. 802.1X network access
Backup utilities (3)
rsync: real-time file sync. regular partial backups: hourly incremental backups. Full backups: file, system images.
Script kiddies (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)
runs pre-made scripts to find vulnerabilities without much knowledge of what's happening. usually external. not very sophisticated. no formal funding. motivated by ego, the hunt
php is what kind of code?
runtime code (example)
SATCOM
satellite communication from remote locations and natural disaster sites
WinDump file format
saved in pcap format so it can be loaded in a protocol analyzer later
tcpdump file format
saved in pcap format so it can be loaded in a protocol analyzer later
credentialed scan
scan that uses a legitimate user name and password access to try to get around the existing security
Identify vulnerability
scanner looks through a well-defined list of known vulnerabilities based on what it sees in that system.
Iris scanner
scans texture or color of the eye
Retinal scanner
scans the unique capillary structure in the back of the eye
Fighting Rogue access point (2)
schedule a periodic survey. Use some 3rd party tool like WiFi Pineapple. Configure 802.1X (NAC)
full device encryption
scrambles all data to protect content even if the device is lost or stolen
Security through obscurity examples (5)
secrecy of design. substitution cipher, e.g. ROT13. SSID broadcast suppression. MAC filtering
Development environment
secure environment where code can be written and moved to a sandbox for additional testing.
Extranet
secure private network where trusted 3rd parties authenticate to have access to certain resources but not the internal network
Key management life cycle: storage
securely store and protect against unauthorized use
Administrative controls examples (2)
security policies. Standard operating procedures (control example)
Steganography
security through obscurity that hides a message in an image.
Digital camera security concerns (2)
seen as a removable storage device when plugged into a computer over USB, so same removable media concerns. firmware can be compromised and viewed.
Physical Segmentation (2)
segmentation of networks using separate physical devices. Need a switch or router to connect them
Segmentation aka (2)
segregation, isolation
Cross-site request forgery example
send transfer request to a bank when clicking a link to send money to the bad guy.
PAP authentication process
send username and password to PAP server. If it matches you gain access
Vaulting
send your backup media to an outside storage facility
dynamic analysis
sending random input into an application to see what it will do.
SYN Flood (4)
sends a large number of SYN requests (the first step in creating a new TCP connection). after this the attacker ignores the ACK which is sent back from the server and simply sends another SYN. the goal is to overload the server with a huge number of open TCP connections so the server will not be able to respond to valid traffic from normal users. results in a DoS.
Wireless keyboard and mice security concerns (3)
sends data to the computer unencrypted using a proprietary protocol. data can be captured similarly to keyloggers. inject keystrokes and mouse movements to control the computer remotely.
Bluejacking (4)
sends unsolicited messages to mobile devices. can be associated with the address book: "Hi, world! Add to contacts?" 10 meter range. devices have been updated and it no longer occurs
How effective is an Out-of-band response? (2)
sent after the fact, so the attack may not be fully stopped. UDP doesn't allow a reset in this mode
Mutual authentication trust model
server and client both trust each other's certificates.
good place to implement Lockout and why?
service accounts to prevent Brute force attacks.
Ephemeral key example
session key (example of)
Automated Courses of Action (2)
set of automated responses to problems that were predicted. common in cloud-based infrastructure maintenance.
Secure baseline of a deploying application (5)
set of baselines defining exactly how the application should perform: Firewall settings, patch levels, OS file versions. may require constant updates
Things MDM can set policies for? (3)
set policies on applications, data, camera, etc
carrier unlocking security
set policies on what people are able to do with mobile devices and carriers
Least Privilege on Accounts
set rights and permissions on user accounts to the bare minimum of what they need.
Group policy Security control (4 eg)
set rules in the OS: can limit minimum or maximum password lengths. require smart card to authenticate. maximum security log size. Enforce user login restrictions
Community cloud deployment model
several organizations share the same resources over a cloud
File integrity check for windows
sfc
Password recovery
should not be a trivial process since this is a good opportunity for social engineering
Hash concerns
should not have collisions.
Large-scale recovery (1, 2 eg,1, 2 eg)
should start with quick, high-value security changes. e.g. patches, firewall changes. Later phases involve "heavy lifting" and take more time e.g. Infrastructure changes and large-scale security roll-outs.
ifconfig (2)
shows IP, MAC, network adapter info, etc. Linux interface configuration.
ipconfig (2)
shows IP, MAC, network adapter info, etc. Windows TCP configuration
Screen filters
shows what's on the screen only to the person right in front of the monitor.
Pentest (vs vulnerability reason to?)
simulate an attack against a device. different from vulnerability scanning in that it tries to exploit the vulnerabilities. could be compliance mandate done regularly by 3rd party
VDI updates
since applications are managed centrally, there is no need to update all mobile devices.
NTP vulnerabilities
since it has no security features, it's exploited as an amplifier in DDoS attacks
Application servers
sits in the middle of web servers and databases that provides programming languages, runtime libraries, etc.
Brute force attack Online (2)
slow process. after multiple login attempts process may slow down or lockout
RFID (3)
small chips for tracking. RF powers tag and ID is transmitted back. Some tags are always on
DES concerns
small key makes it easy to brute force today
CAC card
smart card used by the US Department of Defense. has a picture, identification information and certificate.
PIV card
smart card used by the US Federal Government. has a picture, identification information and certificate.
User certificates examples (2)
smart cards, digital access cards on a device or computer.
where is Infrared used? (3)
smartphones, tablets, smartwatches to control entertainment center.
examples of where Version Control is found. (4)
software development. OS. wiki software. cloud-based file storage
GPG (2)
software implementing OpenPGP, an open standard. compatible with commercial PGP.
Antivirus
software that runs in OS that looks for viruses trying to download and execute.
Stress testing
software that simulates one to thousands of users to see what happens when the application reaches its limit.
port mirrors (2)
software-based tap that is built-in to network switches that can send copies of traffic to an analysis tool. limited functionality.
Replay attack vs cryptography (2)
some algorithms are more susceptible if there is no salt, no session ID tracking, no encryption. some have countermeasures: Kerberos has time stamps and discards anything past its TTL.
Legal issue with data destruction
some data cannot be destroyed and may have to be stored offsite instead.
Impact: Safety
some environments are too dangerous to work in
Track man-hours (and expenses) (3)
some incidents can use massive resources all at once or over long period. be as accurate as possible. may be required for restitution in a legal environment.
Wireless keyboard and mice security
some manufacturers implement AES encryption to protect from wireless capture and injection.
Role-based awareness training: Systems administrator
someone who enables the use of the applications and data.
How to fight ransomware and Crypto-malware (4)
some ransomware can be fake and removed without harming data. Crypto-malware needs a key that only the bad guy has and payment methods are untraceable. This can be recovered from using offline backups. Also update antivirus/malware, OS and applications.
Key escrow
someone else holds your decryption keys i.e. private keys are in the hands of a 3rd-party.
executive user (2)
someone responsible for the overall use of the application. Evaluates goals and makes decisions for future use of data.
System owner (3)
someone who makes decisions about the overall operation of the application and data. defines security policies and backup policies. manages changes and updates
Role-based awareness training: User (2)
someone who uses applications day to day. has the least privileged access to the application
Privileged user
someone with additional application and data permissions.
Insiders (Internal/external, Level of sophistication, Resources/funding, Intent/motivation)
sophistication may not be advanced but has institutional knowledge: understands the network and hardware locations and may have access to many of those systems. extensive resources since they work there.
Runtime code (3)
source code is viewable. code instructions execute when app is run. no way to check for errors before app is run.
Advanced Malware Tools
specialized removal and recovery tools for systems already infected.
How to embed and read text from an image
specialized steganography software
Active Reconnaissance (5)
stage of a pentest where you locate open doors to your target without trying to exploit them. usually done with a vulnerability scan. ping scans, port scans. DNS queries. OS scans, using OS fingerprinting. service scans, version scans
Syslog
standard method for message logging across diverse systems to send to a central logging receiver usually on a SIEM
X.500
standard that allows LDAP to communicate with different OS and technologies
HIPS/HIDS implementation old and new
started as a separate application. Now integrated into anti-virus or anti-malware suites ("endpoint" products)
Most firewalls these days are this type.
stateful firewall
Type of authentication, Token based authentication uses.
stateless authentication
where is the OCSP status stored and stapled? (2)
status info is stored on the certificate holder's server. it is "stapled" into the SSL/TLS handshake.
Where TACACS+ is used
still exclusively used with Cisco systems but can use open standard to connect into Cisco Infrastructure.
places air gaps are used (4)
stock market networks. Power systems/SCADA. On airplanes. Nuclear power plant operations
Ways antivirus software stops viruses (3)
stop downloads. prevent execution. prevent visit of a known bad URL
Risk avoidance
stop participating in high-risk activity
External storage devices
storage outside the computer that's very portable and convenient for moving large files.
WORM (2)
storage that can't be changed, good for storing long term data like SIEM logs (e.g. DVD-R)
Third-party app stores (2)
stores to allow installation of 3rd party apps. may not include central app clearinghouses.
RC4 (3)
stream cipher. part of the WEP standard. part of SSL but removed from TLS.
(Backup) Location Selection (2)
subject to different legal implications and data sovereignty
Caesar cipher
substitution cipher where every letter is substituted with another at a fixed position.
Time synchronization for SIEM (2)
synchronizing all clocks on all network devices to compare time stamps of events. can use NTP.
high availability
systems are always available and always on at any time.
Malicious Ways to DoS (3 eg)
take advantage of a design failure or vulnerability. Being hit by too much traffic. turning off the power to a building
Stored procedures
takes long SQL requests and stores them on the database. use the call command with the name
SASL (2 eg)
takes existing protocols like LDAP and provides authentication using many different methods e.g. Kerberos or client certificate, etc.
what port does LDAP run on?
tcp/udp 389
Cable locks
temporary security for laptops that connects a cable to a standard reinforced notch connector found on most laptops. the cable can be tied down e.g. to the leg of a table.
Ping (3)
test availability, round-trip time. uses ICMP. one of your primary troubleshooting tools
Workstation OS
the OS type used by users at their desks.
Failover
the act of moving business process to a recovery site.
dissemination
the action or fact of spreading something, especially information, widely.
non-repudiation
the assurance that someone cannot deny the validity of something.
platform
the basic hardware (computer) and software (operating system) on which software applications can be run.
Templates (2)
the basic structure of an application instance configured with a web server and database server, certificates, etc. requires more configuration specific to the application instance which can be automated as well.
Data-in-use
the data in the memory.
fighting cross-site request forgeries (2)
the developer should make sure the application validates the users properly. Application should have anti-forgery techniques added like a cryptographic token and encryption.
Differential Backup Recovery process
the differential backup and the full backup.
Alternate processing sites
the disaster recovery sites that business processes failover to until the primary location recovers.
confusion (2)
the encrypted data is drastically different than the plaintext. no discernible patterns to recognize the plaintext.
Improper error handling (5 eg)
the error messages that are not properly modified by the developer and tend to display: too much detail. network information. memory dump. stack traces. database dumps
MTTF
the expected lifetime of a non-repairable product or system
the pivot
the foothold point to a network; once set up, it's easy to move through the network since security inside is limited
Mission-essential functions
the functions of the organization that should take priority in restoring during recovery, e.g. after a hurricane.
Key strength
the larger these are, the harder to brute force them
False acceptance rate (FAR)
the likelihood that an unauthorized user will gain access with biometrics that don't belong to them.
CRL (2)
the list of revoked certificates. maintained by the CA.
RTO (2)
the maximum amount of time it can take to restore a system after an outage. must be back to a particular service level
Password cracker (4)
the means to try to crack a hash of a password. it involves first somehow obtaining the password hash files. no salt or a weak hash is easy to brute-force. rainbow tables if these hashes were previously brute forced (cloud, John the Ripper, Ophcrack)
asset value
the monetary cost of an asset.
Application Whitelisting (2)
The practice of allowing only specifically named applications on an OS. Often built in to the OS management.
Steganography (2)
The practice of concealing a file, message, image, or video within another file, message, image, or video. Also data hidden in other data, e.g. data in TCP packets.
Tarpitting
the practice of slowing the transmission of e-mail messages sent in bulk as a means of thwarting spammers
SSL offload
the process an SSL accelerator uses to offload the asymmetric SSL handshake from the web server.
OS fingerprinting
the process of determining the operating system used by a host on a network without having to authenticate to the system
Supply chain
the process of getting a product or service from the supplier to the customer.
Patch management
the process of regularly applying patches to software for system stability and security fixes.
Root certificate (3)
The public key certificate that identifies the root CA. It issues other certificates. Should be highly secure.
Impact: Finance
the resulting financial cost during an incident
Principles of social engineering: Scarcity (2)
The situation will not be this way for long; adds a timer to resolve the fake problem.
Exploiting Vulnerabilities (2) (and reasons to be careful: 3)
The stage after recon where you try to take advantage of exploits; the ultimate test of security. Reasons to be careful: can cause DoS and data loss during production hours; buffer overflows can cause instability; can gain privilege escalation.
Version Control
the tracking of changes that lets you revert to a previous version
RTOS security concerns
Nothing should be embedded in these that would prevent them from being always available.
Printers/MFD
these days printers can have scanners, fax, network connection, local storage, etc
On-boarding IT agreements
Things to be signed when bringing in a new person, like an employee handbook or a separate AUP.
Hoaxes
threats that don't actually exist and tend to waste time or deceive to take money.
CHAP authentication process
Three-way handshake: the client sends a username to the server. The server sends a challenge message. The client responds with a password hash calculated from the challenge and the password. The server compares the received hash with the stored hash.
USB OTG security and concern
Too convenient; can be disabled with MDM.
ECB use
too simple for most use cases
static code analyzer (2)
tool to find security vulnerabilities in source code. gives options for alternative code.
Split tunnel
traffic going to the corporate network runs through a tunnel while all other traffic runs its normal routes.
cellular security concerns (3)
traffic monitoring. location tracking. worldwide access to a mobile device
loop (2)
Traffic sent between two switches connected together will go back and forth forever, since there is no counting mechanism at the MAC layer. Brings the network down fast.
Incident response team
trained response team that deals with security incidents
Platform as a service security
trained security professionals manage the security and controls of the data in the cloud
Elasticity
trait of cloud that lets you add new resources and scale down as needed.
Man-in-the-browser (3)
A trojan or other malware acts as a proxy on the computer, sitting between the browser and the computer to send traffic to the bad guy. Traffic is unencrypted on the computer. They can replay bank login traffic later.
How is communication trusted between sites (3)
A trusted CA signs the web server's encryption certificate that the web site paid for. The CA validates identity before signing: DNS record, phone call, etc. The user's browser checks the signature and compares it to its list of trusted CAs.
TPM
trusted hardware on a motherboard in charge of supporting cryptographic functions.
Dual control examples (2)
Two keys open a safe, each held by a different person. Or two keys to launch a missile.
Collision
two messages having the exact same hash.
Asymmetric algorithm (4)
Two or more mathematically related keys: a private key, and a public key which is seen by everyone. Only the private key can decrypt what the public key encrypted.
Kiosk OS
type of OS found in Public devices and tightly locked down.
Appliance OS (2)
type of OS that is purpose built, and minimal. often unseen by user.
brandjacking
Type of URL hijacking where a brand name associated with a URL is claimed by malicious users.
deterrent
type of control that discourages an intrusion attempt.
public data
unclassified data with no restrictions on view
some results of stress testing (3)
unintended error messages. application details and versions displayed to the user. kernel and memory dumps (crashes)
Wiping (2)
Unrecoverable removal of data on a storage device. Usually overwrites the data storage locations multiple times with 1s and 0s.
Provisioning when deploying Network security (3)
update secure VLAN config, add firewall rules, update VPN access
Site-to-Site VPNs
Use VPN concentrators or firewalls to encrypt communication across the internet.
symmetric algorithm
use a single shared key for both encryption and decryption.
Best Validation Point to use
use both server-side and client-side.
Biometrics (2)
use face or fingerprint as authentication. some apps require this authentication
ECC advantages
Uses fewer CPU cycles on mobile devices and less battery.
Secure Wireless Topology Authentication (3)
Use normal login credentials with the 802.1X standard. Integrated with existing name services. No shared passwords.
Group policy Administrative control (4 eg)
use of group policy to limit what people can do in an OS: remove Add or Remove Programs. prohibit changing sounds. Allow font downloads. Only allow approved domains to use ActiveX without prompt
Take hashes (for forensics) (3)
Take a hash of the digital info, and again later to confirm the values match. MD5: 128-bit hash, chance of duplication is 1 in 2^128. CRC: 32-bit hash.
Shredding/pulverizing (2)
use physical machinery to destroy media. can be done with a drill or hammer.
DER uses (2)
used across many platforms. Often used with Java certificates.
AUP security (2)
Used by an organization to limit legal liability. Should be well documented to give a good reason as to why someone is dismissed.
Mail gateways (4)
used by organisations to filter unsolicited mail inbound and outbound, on-site or cloud-based. blocks phishing attempts. anti-virus. DLP
OCSP (2)
used by the browser to check the certificate revocation. sent via HTTP.
Diffie-Hellman uses (3)
used for Perfect Forward Secrecy. Ephemeral Diffie-Hellman (EDH or DHE). Combine with ECC for ECDHE.
data retention security
Used for version control. Lets you recover from virus infections that are not identified immediately.
Hot and cold aisles (2)
used in most data centers to cool systems. Hard or soft walls separate them.
HMAC uses (2)
used in network encryption protocols: IPsec. TLS
HSM Environments (3)
Used in very large environments with lots of web servers to secure and keys to store and back up. Often found clustered together and with redundant power supplies. Also used to offload CPU overhead from other devices.
Non-persistence: Snapshots
used to capture a point in time of particular configuration, application instance, or data.
Non-persistence
Describes application instances that can be built up and torn down in a matter of moments.
Use of third-party libraries and SDKs
used to extend the functionality of a programming language
Crypto modules (2 def)
used with API when developing applications to generate cipher text. a set of hardware, software, and/or firmware that implements cryptographic functions
Version control security
useful for seeing how and when files were modified.
advantage of wiping
Useful when you need to reuse or continue using the media.
(Account management) location-based policies (2 eg)
user access can be based on location, e.g. restrict application use to only when near the office. or block IP addresses from other countries.
Corporate-owned deployment model
user device that company owns and controls and is not for personal use
Infrastructure as a Service Security
user is responsible for the installation, management and security of the data
IEEE 802.1x: supplicant
user workstation
(Account management) Standard naming convention (6)
usernames shouldn't conflict. same username should be used across multiple systems. should be consistent naming across all users. names should not describe role or status as these change. Persistent for duration of employment. memorable but not recognizable.
Secure POP/IMAP
uses STARTTLS extension to encrypt with SSL
resources to allow full device encryption
uses a lot of CPU cycles
Software as a service
"On-demand software" where the application and data are in the cloud and no development or maintenance is necessary from the user's end.
netcat (5)
"read" and "write" to the network without using their normal clients. Listen on a port number. transfer data. scan ports and send data to a port. can run as a shell (backdoor) to a remote device by making it listen to a port. (alternatives: Ncat.)
SYNful Knock
(Discovered in Sept 2015) A malicious firmware that infected hundreds of Cisco routers, allowing backdoor access.
What access do user accounts not have?
(Accounts that have) no privileged access to the OS.
Agreement types
- BPA - SLA - ISA - MOU/MOA
Threat assessment (4)
- Environmental - Manmade - Internal vs. external
SHA256 hash bits and characters
256 bits. 64 hexadecimal characters
Risk Acceptance
A business decision to take a risk
Corrective (control)
A control that mitigates damage of an attack.
Microsoft CryptoAPI
Application developers write to this to bridge the application and the Crypto service provider (CSP).
Ways to Application Whitelist (4)
Application hash. Certificate. Path. Network zone
application-based firewall (aka 4)
Application layer gateway. Stateful multilayer inspection. Deep packet inspection. Next generation firewall.
MS-CHAP
Authentication protocol used on Microsoft's PPTP
Reasons to DoS (2)
Competitive advantage. Smokescreen for some other exploit e.g. DNS spoofing attack
Documented incident types/category definitions (2)
Computer Incident Handling Guide available from NIST. can make your own that makes sense for organization.
WORM example
DVD-R
Problem with SHA-1
Hash collisions - many collision attacks identified
HTTPS
Implements SSL/TLS
ITIL formerly called
Information Technology Infrastructure Library
LDAPS stands for?
LDAP Secure.
netcat alternative
Ncat
ways to research which services can be disabled (2)
Online, manufacturer's website. Trial and error.
X.500 Attribute O
Organization. The name of the organization
Discretionary Access Control (DAC)
Owner of files decides who gains access to files.
FTPS
Provides file transfers over SSL
OAuth was created by
Twitter, Google and others
Brute force attack
Use every combination of letters, characters and number to determine a password
Improper input handling (2, 3 eg)
When a programmer doesn't validate all of the data passed into an application, a hacker can inject malicious data and cause SQL injections, buffer overflows, DoS, etc. It takes work to find input that's malicious.
DHCP Starvation Attack (2)
When a spoofed MAC address is constantly requesting DHCP addresses from a DHCP server. This will quickly cause the server to run out of IP addresses.
System sprawl/undocumented assets (2)
When an organization adds more servers or systems to the network without properly documenting their maintenance requirements. These systems can be forgotten and become a vulnerability or pivot point.
Memory Leak
When memory is allocated and never released after it's finished being used. It grows and eventually uses all available memory causing an application or system crash
URL hijacking
When traffic going to a site is hijacked for malicious use.
PKCS #7 uses (3)
Wide platform support: Windows, Java, Tomcat.
Software packages to build Private CA (#?)
Windows Certificate Services, OpenCA
removable media control
Windows Event Log can log files copied/removed to portable media.
preventive (controls)
a control that keeps people away from your systems.
Federation
allows authentication using a third-party account.
COBIT created by
created by ISACA
Something you are advantages
difficult to change
E-vaulting
electronically backup data to an outside storage facility
Tabletop exercise
gather the key players and talk through a simulated disaster.
not-intrusive scan (eg)
gathering info without trying to exploit vulnerabilities. e.g. packet capture
Type II hypervisor
hypervisor that runs on top of existing host OS i.e. Windows, Linux, Mac OS X, etc.
Salt advantages (2)
Identical passwords have different hashes. If the password database is breached, passwords can't be correlated.
Risk register (2)
identify, document and find solutions to risks associated with each step of a project. Monitor the results. record of information about identified risks (ISO definition)
Capturing IV example
ie Airodump can be used to capture packets.
VM escape protection concerns (i.e)
if allowed to break out of VM, the user can have control of host and other guest VMs. i.e. Full control of that virtual world.
password expiration benefit to security
If credentials are made available to someone else, constant change would limit the scope of their access.
code reuse security issues
If the original code has vulnerabilities, the copied code spreads them.
ECB concerns (2)
if the plaintext is the same, the ciphertext will be the same. i.e. No randomization
(Account management) Group-based access control security and concerns
implicit permission from multiple groups can conflict with one another. Make sure users have correct access for their job role.
Mandatory vacations security
important in high-security environments to rotate others through the job and potentially locate fraud.
Insider threats security
important to assign just the right amount of rights and permission for their job
Difference between hash and encrypted data
impossible to recover the original message from a hash.
Permission issues (2)
improper protection that leaves a door wide open. a simple oversight but huge vulnerability
Alternate business practices (2)
in case normal practices are disrupted during disasters have backup practices. These must be documented and tested before a problem occurs.
Where is Wifi Direct commonly found?
in home devices
How would some one try to tap copper?
inductive tap
Fighting Rainbow tables
salt hashes
fighting replay attacks/pass the hash
salt or encryption
(OCSP) stapling advantage
scales well.
degaussing
sends a magnetic field through a device to destroy data and electronics.
Active (security) tools (3 eg)
sends traffic to a device and watches the results: Query a login page. try a known vulnerability. check account access
cookies (3)
Small pieces of information stored on the computer by the browser, used for tracking, personalization, and session management. These are non-executable. Not generally a security risk.
windows traceroute
tracert
Mobile OS
type of OS designed for touch screen phones and tablets.
SHA-2
Up to a 512-bit digest.
3DES
uses 3 different keys to encrypt, then decrypt, then encrypt again.
DES
A 64-bit block cipher. Uses a 56-bit key.
Quantitative risk assessment
usually calculated with ALE
Automated Courses of Action example
when a storage drive begins to get full can automate storage drive to clear out some space.
PPP authentications
• CHAP • PAP • MSCHAP
fuzzing aka
(aka) dynamic analysis
deterrent examples (2)
(Control examples) warning signs, login banner.
Rule Based Access Control (RBAC) examples (3)
(examples of) often used in firewalls. Lab network access only available between 9 AM and 5 PM. Only Chrome browsers can fill out a web form.
Crypto service provider
(mostly windows) software library that provides cryptography for applications (mostly development).
Access violations (2)
(segmentation fault) an error that occurs when a program tries to access restricted areas of memory. OS prevents this and usually crashes the program
Wildcard domain example
*.example.com, where * can be www, www1, ftp, web server, etc.
Symmetric algorithms examples (6)
- AES - DES - 3DES - RC4 - Blowfish/Twofish
Risk response techniques (4)
- Accept - Transfer - Avoid - Mitigate
Key stretching algorithms (2)
- BCRYPT - PBKDF2
Data destruction and media sanitization (7)
- Burning - Shredding - Pulping - Pulverizing - Degaussing - Purging - Wiping
PKI Components (9)
- CA - Intermediate CA - CRL - OCSP - CSR - Certificate - Public key - Private key - Object identifiers (OID)
Cipher modes (5)
- CBC - GCM - ECB - CTR - Stream vs. block
Data acquisition (for forensics) (7)
- Capture system image - Network traffic and logs - Capture video - Record time offset - Take hashes - Screenshots - Witness interviews
Data sensitivity labeling and handling (6)
- Confidential - Private - Public - Proprietary - PII - PHI
Certificate formats (6)
- DER - PEM - PFX - CER - P12 - P7B
Roles that need Role-based awareness training (6)
- Data owner - Systems administrator - System owner - User - Privileged user - Executive user
Backup concepts
- Differential - Incremental - Snapshots - Full
Incident response plan (5)
- Documented incident types/category definitions - Roles and responsibilities - Reporting requirements/escalation - Cyber-incident response teams - Exercise
Wireless Authentication protocols (7)
- EAP - PEAP - EAP-FAST - EAP-TLS - EAP-TTLS - IEEE 802.1x - RADIUS Federation
Continuity of operations planning
- Exercises/tabletop - After-action reports - Failover - Alternate processing sites - Alternate business practices
Biometric factors (8 including "rates")
- Fingerprint scanner - Retinal scanner - Iris scanner - Voice recognition - Facial recognition - False acceptance rate - False rejection rate - Crossover error rate
Recovery sites
- Hot site - Warm site - Cold site
Impact examples (5)
- Life - Property - Safety - Finance - Reputation