CompTIA Security+ Terminology review


Physical controls

(Security) controls that impact the physical world. Examples of this include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.

Hoax

(n.) an act intended to trick or deceive, a fraud; (v.) to trick, deceive

How to enforce security of machine learning algorithms

- Understand the quality and security of source data
- Work with AI and ML developers to ensure that they are working in secure environments and that data sources, systems, and tools are maintained in a secure manner
- Ensure that changes to AI and ML algorithms are reviewed, tested, and documented
- Encourage reviews to prevent intentional or unintentional bias in algorithms
- Engage domain experts wherever possible

For datacenters and other facilities, a good rule of thumb is to place datacenters at least how far apart?

90 miles

Staging Environment

A "production like" environment to test installation, configuration and migration scripts; performance testing, load testing, processes required by other teams, boundary partners, etc.

Initialization Vector (IV)

A value combined with the key so that encrypting the same plaintext twice does not produce the same ciphertext. In WEP it is a 24-bit value that changes each time a packet is encrypted; that space is so small that IVs repeat within hours on a busy network, which is one of the reasons WEP is considered broken.

Online CA

A CA that is directly connected to a network and issues certificates on demand; the most common type. In a typical hierarchy these are the subordinate (intermediate) CAs whose own certificates were signed by the offline root CA.

Offline CA

A CA that is not directly connected to a network; often used for the root certificate, the top-level certificate for the entire PKI. Keeping it offline protects the root key from network compromise; it is brought up only to sign subordinate CA certificates and its CRL.

BPDU Guard

A Cisco switch feature that listens for incoming STP BPDU messages on ports configured as edge (PortFast) ports and disables the interface if any are received. The goal is to stop an unauthorized switch plugged into a port expected to have only a host connected from joining the STP topology and causing loops or topology changes.

Netflow

A Cisco-developed means of reporting network flow information to a structured database; allows better understanding of IP traffic flows as used by different network applications and hosts.

DNS sinkhole

A DNS server configured to return a false (usually non-routable or internal) address for specific domain names, typically known malicious domains, so that infected hosts cannot reach their command-and-control infrastructure and their lookup attempts are logged for investigation.

journalctl

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux.

head (command)

A Linux command that displays the first set of lines of a text file; by default, this command displays the first 10 lines.

chmod (command)

A Linux command used to change the mode (permission bits) of files and directories.

cat (command)

A Linux command used to display (or concatenate) the entire contents of a text file to the screen.

tail (command)

A Linux command used to display lines of text at the end of a file; by default, this command displays the last 10 lines of the file.

NAC (Agent)

A NAC solution that relies on software (an agent) installed on each endpoint; the agent reports the device's health and configuration (patch level, antivirus status, and so on) to the NAC server, which decides whether the device may join the network.

NAC (agentless)

A NAC solution that requires no permanently installed software on the endpoint; posture is assessed through network-based scanning, directory integration, or a temporary (dissolvable) agent delivered when the device requests to join, after which access is granted or restricted.

Certificate revocation list (CRL)

A PKI component which lists digital certificates that have been revoked

Common Vulnerability Scoring System (CVSS)

A SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity; a base vector string describes how a flaw is reached and what it affects, and a formula turns that into a 0.0 to 10.0 score.

SIEM Correlation

A SIEM feature that searches the data acquired through SIEM aggregation for common characteristics and relationships between events, such as multiple attacks coming from a specific source or a burst of failed logins followed by a success. Establishing these relationships between otherwise isolated events lets analysts identify large amounts of malicious activity on the network far more easily than reviewing each log on its own.

SIEM Rules

The preconfigured conditions at the heart of a SIEM's alarms, alerts, and correlation engine; each rule uses logic (field matches, thresholds, and time windows) to determine when it fires, and actions such as raising an alert or opening a ticket are triggered when it does.
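
As an added example for the two SIEM cards above (it is not part of the original flashcards), the Python below parses a handful of constructed OpenSSH-style auth.log lines and runs one correlation rule over them: five or more failed logins from one source within 60 seconds, followed by an accepted login from the same source within five minutes. The log lines, host names and addresses are made up for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data) in the shape OpenSSH writes to auth.log.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
2024-05-01T10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51823 ssh2
2024-05-01T10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51824 ssh2
2024-05-01T10:00:07 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51825 ssh2
2024-05-01T10:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51826 ssh2
2024-05-01T10:00:20 host1 sshd[1206]: Failed password for root from 198.51.100.9 port 40001 ssh2
2024-05-01T10:01:30 host1 sshd[1207]: Accepted password for root from 203.0.113.7 port 51830 ssh2
2024-05-01T10:02:00 host1 sshd[1208]: Accepted publickey for alice from 192.0.2.5 port 60000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Aggregation step: normalize raw lines into event dicts. Lines that do not
    match are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_bruteforce_then_success(events, threshold=5,
                                      fail_window=timedelta(seconds=60),
                                      success_window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failures from one source inside fail_window,
    then an accepted login from that source within success_window of the last
    failure. Either event alone is noise; together they mean the guessing likely worked."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures (sliding window)
    burst_end = {}                  # src -> (time the burst was detected, failure count)
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            q = failures[src]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > fail_window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                burst_end[src] = (e["ts"], len(q))
        else:  # Accepted
            hit = burst_end.pop(src, None)
            if hit and e["ts"] - hit[0] <= success_window:
                alerts.append({"rule": "bruteforce-then-success", "src": src,
                               "user": e["user"], "at": e["ts"].isoformat(),
                               "failures": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_then_success(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single failure from 198.51.100.9 and the key-based login from 192.0.2.5 never fire the rule; only 203.0.113.7, which failed five times and then got in as root, produces an alert. Tuning the threshold and windows is what separates a useful rule from one that pages on every typo.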

Type 2 SOC report

A SOC report that provides the auditor's opinion on the operating effectiveness of controls over a period of time; that is, the auditor actually confirms that the controls are functioning properly. This report goes further than a Type 1 report, which only evaluates whether the controls are suitably designed at a point in time.

netstat

A TCP/IP command-line utility that shows the status of each active connection.

Measured boot

A UEFI/TPM feature that measures (hashes) each component of the startup process, from firmware through bootloader, kernel and drivers, extends those measurements into the TPM's Platform Configuration Registers (PCRs), and keeps a log of them. Antimalware software or a remote attestation service can analyze this log to determine whether malware is on the computer or the boot components were tampered with.
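
As an added example (not from the original flashcards), this Python simulates the measured-boot mechanics described above: each component's hash is extended into a PCR before it runs, and a verifier both replays the event log against the final PCR and compares each entry to known-good values. It assumes a SHA-256 PCR bank and uses constructed byte strings as stand-ins for firmware, bootloader and kernel images; a real platform signs the PCR values with a TPM attestation key (a quote) and records the log in the TCG event log format.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank

# Constructed stand-ins for boot components (the bytes are made up for this example).
KNOWN_GOOD_BOOT = [
    ("firmware",   b"UEFI firmware image v1.2"),
    ("bootloader", b"shim + grub signed 2024-01"),
    ("kernel",     b"vmlinuz-6.1 signed"),
]


def measure(blob):
    """Digest of a component, recorded before the component is allowed to run."""
    return hashlib.sha256(blob).digest()


def extend(pcr, digest):
    """TPM PCR extend: PCR_new = H(PCR_old || digest). The operation is one-way,
    so the PCR commits to the whole ordered sequence of measurements."""
    return hashlib.sha256(pcr + digest).digest()


def boot(components):
    """Simulate a measured boot; return the final PCR value and the event log."""
    pcr = bytes(PCR_SIZE)  # PCRs are zero at platform reset
    log = []
    for name, blob in components:
        d = measure(blob)
        log.append((name, d.hex()))
        pcr = extend(pcr, d)
    return pcr, log


def replay(log):
    """Verifier recomputes the PCR from the log alone."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def golden_digests(components):
    """Known-good measurements, normally published by the vendor or captured from a reference build."""
    return {name: measure(blob).hex() for name, blob in components}


def attest(quoted_pcr, log, golden):
    """Two checks a verifier performs: (1) the log reproduces the PCR the TPM
    reported, so the log was not edited after the fact; (2) every measured
    component matches its known-good digest, so nothing unexpected ran."""
    if replay(log) != quoted_pcr:
        return False, "event log does not reproduce the quoted PCR"
    for name, digest_hex in log:
        if golden.get(name) != digest_hex:
            return False, f"unexpected measurement for {name}"
    return True, "boot chain matches known-good values"


if __name__ == "__main__":
    golden = golden_digests(KNOWN_GOOD_BOOT)
    print(attest(*boot(KNOWN_GOOD_BOOT), golden))
    tampered = [KNOWN_GOOD_BOOT[0], ("bootloader", b"bootkit"), KNOWN_GOOD_BOOT[2]]
    print(attest(*boot(tampered), golden))
```

The point a bootkit author runs into is visible in the last check: swapping the bootloader changes its digest, and rewriting the log to hide that changes the replayed PCR, so the only way to pass is to control the TPM itself.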

Always-on VPN

A VPN that automatically establishes its tunnel whenever the device has network connectivity, so the user stays connected instead of manually connecting and disconnecting; this prevents traffic from leaking outside the tunnel when a user forgets to connect.

Captive portals

A Web page that the user of a public-access network is obliged to view and interact with before access is granted.

Last Known Good Configuration

A Windows boot option that starts the computer using the registry control set saved at the last successful logon; useful for rolling back a driver or configuration change, such as a bad patch, that prevents the system from booting normally.

P7B

A certificate file format (PKCS #7) stored as Base64-encoded ASCII text; it can hold one or more certificates or a whole chain but never the private key. Commonly used on Windows, though not exclusive to it; the name is the same as the file extension (.p7b).

Personal Information Exchange

A binary format (PKCS #12) for digital certificates commonly used by Windows systems; unlike P7B it bundles the certificate with its private key, so the file is password-protected and must be handled as a secret. Stored in files with the .PFX or .P12 file extensions.

Fingerprint scanner

A biometric technology that can detect the unique patterns and swirls of an individual's finger.

Live boot media

A bootable operating system that can run from removable "lightweight" media like a thumb drive or DVD; allows you to boot a full OS that can see the hardware that a system runs on and that can typically mount and access drives and other devices (meaning repair efforts can be run from a known good, trusted operating system).

Command and control

A botnet system that operates in client-server mode; infected systems contact central control servers, which provide commands and updates and track how many systems are in the botnet.

Switching Loop prevention

A broad term for a method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent this.

Internet of Things

A broad term that describes network-connected devices that are used for automation, sensors, security, and similar tasks; bring a large number of security and privacy concerns

Route security

A broad term for protecting the routing infrastructure and the routing protocol exchanges that connect networks, for example by authenticating routing updates and filtering the prefixes a neighbor may advertise, so that an attacker cannot inject or alter routes and redirect traffic between networks.

USB OTG

A cable used to connect mobile devices to other devices. It is one of many methods that you can use to connect a mobile device to external media.

Trusted Platform Module

A chip designed to secure hardware by storing encryption keys, digital certificates, passwords, and data specific to the host system for hardware authentication

Transposition cipher

A cipher that rearranges the order of characters in a message; involves transposing or scrambling the letters in a certain manner

Right-to-audit clause

A contract clause that reserves the organization's right to audit the vendor's books, systems, or controls, often without advance notice; it alerts vendors that compliance with the agreement may be verified at any time.

Serverless Architecture

A cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers.

IaaS

A cloud computing model in which an organization rents virtualized computing, storage, and networking infrastructure and manages the operating systems and everything above them itself.

XaaS (Anything as a Service)

A cloud computing model that can work with a combination of other models: SaaS, IaaS, PaaS

PaaS

A cloud computing model that provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities.

SaaS

A cloud computing model where the vendor hosts the software online and users access and use the software over the internet.

ISO 27001

An international standard that specifies the requirements for an information security management system (ISMS), against which organizations can be certified.

ISO 27002

A code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

ISO 27701

An extension to ISO 27001 and ISO 27002 that adds requirements and guidance for a privacy information management system (PIMS); a framework for managing privacy controls to reduce the risk of a privacy breach affecting individuals.

ISO 31000

A standard that provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.

Baseline configuration

A collection of security and configuration settings that are to be applied to a particular system or network in the organization.

Security orchestration, automation, and response (SOAR)

A collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.

Memdump

A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps.

traceroute/tracert

A command on many computer operating systems that discovers the IP addresses, and possibly host names, of the routers used by the network when sending a packet from one computer to another.

PowerShell

A command-line shell and scripting environment that provides the commands needed for most management tasks in Windows environments (and, since PowerShell Core, on Linux and macOS as well).

netcat

A command-line tool that reads and writes data across TCP or UDP connections; used to connect to remote systems, grab service banners, transfer files, listen on ports, and set up simple shells.

nmap

A command-line network scanner used for host discovery, port scanning, service and version detection, and OS fingerprinting.

dd (utility)

A command-line utility for Unix, Unix-like operating systems and beyond, the primary purpose of which is to convert and copy files; in forensics it is commonly used to create bit-for-bit images of disks and partitions.

theHarvester

A command-line utility for gathering results from open source intelligence queries.

route (command)

A command-line utility that allows you to display and make changes to the local IP routing table of the computer.

curl (command)

A command-line utility that can be used to obtain a Web page from a Web server.

ipconfig/ifconfig

A command-line utility that displays the network configuration (addresses, masks, gateways) of the system's interfaces; ipconfig can also release and renew DHCP leases and flush the DNS cache, while ifconfig can configure interface settings directly.

dnsenum

A command-line utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization.

Tcpreplay

A command-line utility that replays packets saved to a file back through a network adapter.

ping/pathping

A command-line utility that sends ICMP echo requests to determine if a host is reachable on an Internet Protocol network; pathping (Windows) combines ping with traceroute to report latency and packet loss at each hop along the path.

nslookup/dig

A command-line utility used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information

Tcpdump

A common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

RAID

A common solution that uses multiple disks with data striped, mirrored, or protected with parity; with the redundant levels (RAID 1, 5, 6, 10) the array can survive one or more disk failures without losing data. RAID 0 (striping only) provides no redundancy, and no RAID level is a substitute for backups, since it does not protect against deletion, corruption, or ransomware.

Point-to-multipoint

A communications arrangement in which one transmitter issues signals to multiple receivers. The receivers may be undefined, as in a broadcast transmission, or defined, as in a non-broadcast transmission.

Images

A complete copy of a system or server, typically down to the bit level for the drive.

SIEM Sensors (component of dashboard)

A component that is often deployed to gather additional data; typically software agents, although they can be a VM or even a dedicated device; gather useful data for the SIEM and may either forward it in its original form or do some preprocessing to optimize the data before the SIEM ingests it.

Unified threat management

A comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software

Kerberos

A computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner

Master Service Agreement (MSA)

A contract where parties agree to the terms that will govern future actions. This makes future services and contracts easier to handle and define; provides an umbrella contract for the work that a vendor does with an organization over an extended period of time.

Test environment

A controlled environment established to test products, services, and other configuration items.

Legal hold

A notice, typically issued by legal counsel in anticipation of litigation or in response to a court order, that informs an organization it must preserve data and records that might otherwise be destroyed or modified in the course of normal operations.

Communication plan

A critical IR plan that outlines roles, such as who should communicate with the press or media, who will handle specific stakeholders, and who makes the final call on the tone or content of the communications.

SSH

A cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Secure Shell (SSH) Protocol

A cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.

FTK imager

A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed.

Point-to-point

A data transmission that involves one transmitter and one receiver; single sender and single receiver.

Hardware Security Module

A dedicated, tamper-resistant cryptographic processor that generates, stores, and uses cryptographic keys without ever exposing them outside the device.

Air gap

A design that physically separates network segments, thus preventing network connectivity; require data to be physically transported

Virtual desktop infrastructure (VDI)

A desktop operating system running within a virtual machine (VM) running on a server.

Disaster recovery plan

A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood; focuses on natural and man-made disasters that may destroy facilities, infrastructure, or otherwise prevent an organization from functioning normally.

Signage

A deterrent control that acts to prevent those who might casually violate the rules shown, not those actively seeking to bypass the security controls an organization has in place

Continuous integration

A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.

Corporate owned, personally enabled (COPE)

A device agreement that an organization creates that is similar to the traditional corporate-owned model, but the primary difference is that the employees are free to use the device as if it was their personally owned device.

Proximity reader

A device that uses RFID to query a badge without requiring it to be inserted or swiped through a magnetic stripe reader

Proxy servers

A device/computer that all other computers must go through before accessing the Internet; a server (computer or application) that acts as an intermediary for requests from clients seeking resources from other servers.

Token key

A dynamically changing code produced by a hardware or software token that identifies a user digitally; a something-you-have factor.

Continuity of Operations Planning

A federally sponsored program in the US that is part of the national continuity program. It defines the requirements that government agencies need to meet so that continuity of operations can be ensured; it also defines how federal agencies build a complete DR and BC plan.

SSH File Transfer Protocol

A file transfer protocol that runs as a subsystem of the Secure Shell (SSH) protocol and so inherits SSH's encryption and authentication. Not to be confused with FTPS, which is ordinary FTP run over an SSL/TLS-secured connection.

Content/URL filter

A filter used to limit specific types of content across the web to users.

Stateless firewall

A firewall that manages each incoming packet as a stand-alone entity without regard to currently active connections. These firewalls are faster than stateful firewalls but are not as sophisticated: because they cannot tell a reply from an unsolicited packet, their rules must be opened more broadly (for example, allowing any inbound packet with source port 53) than a stateful firewall would require.

Pointer/object dereference

A flaw in which a program dereferences a pointer that holds NULL instead of a valid address; it typically crashes the program (a denial of service) and, in some environments, can be a stepping stone to further exploitation.

Quantum computing

A form of computing that uses the principles of quantum physics to represent data and perform operations on these data.

MAC filtering

A form of network access control that allows or blocks access based on the MAC address. It is configured on switches for port security or on APs for wireless security; since MAC addresses are visible on the network and trivially spoofed, it is a weak control on its own.

Impact assessment

A form of policy analysis that examines the likely effects or impacts of proposed or adopted policies. These may be environmental, social, economic, or other significant impacts.

Session Initiation Protocol (SIP) traffic

A form of protocol-based traffic that can include internet telephony, video conferencing and other forms of unified communications.

ZigBee

A form of wireless communications frequently used in security systems and heating and cooling control systems; designed for PANs like those found in houses for home automation.

Terms of agreement

A formal list of rules you agree to follow; also lists consequences you agree to accept for not following the rules.

Business Impact Analysis (BIA)

A formal process designed to identify the mission essential functions within an organization and facilitate the identification of the critical systems that support those functions.

Risk control assessment

A formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner.

NIST CSF

A framework designed to assist organizations attempting to meet one or more of the following five objectives:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress toward the target state
- Communicate among internal and external stakeholders about cybersecurity risk

The Diamond Model of Intrusion Analysis

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim; describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim.

Data governance policy

A generic policy that defines who is responsible for the data, how it can be accessed, how it should be used, and how its integrity can be maintained; clearly states the ownership of information created or used by the organization.

Data classification policy

A generic policy that describes the classification structure used by the organization and the process used to properly assign classifications to data; policy that should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership

Data retention policy

A generic policy that outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction; a security policy that stipulates how long data is retained by the organization, based on the data type.

IP theft risks

A generic term for risks that occur when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization's business advantage.

Software compliance/licensing risks

A generic term for risks that occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.

Magnitude

A generic term that refers to the impact that a given risk will have on an organization if it does occur; may be expressed a financial cost, although there are other possible measures.

Likelihood of occurrence

A generic term that refers to the probability that a risk will occur.

Risk matrix/heat map

A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders; it quickly summarizes risks and allows senior leaders to focus on the most significant risks facing the organization.

Stored procedures

A group of SQL statements that execute as a whole, similar to a mini-program. Developers use stored procedures to help prevent SQL injection attacks, but only when the procedure accepts parameters rather than building dynamic SQL from its inputs; a procedure that concatenates its arguments into a query string is as vulnerable as inline SQL.

Honeynet

A group of honeypots in a network. Honeynets are often configured in virtual networks.

Red Team

A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The group's objective is to improve enterprise Information assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment.

Semi-authorized hackers

A hacker who probes systems or finds vulnerabilities without explicit authorization but without malicious intent, and typically does not exploit what is found (a gray hat).

Jump servers

A hardened system on a network specifically used to access devices in a separate security zone.

Password keys

A hardware-based authentication device that stores passwords and helps prevent unauthorized logins and account takeovers.

NAT gateway

A managed, highly available Network Address Translation (NAT) service offered by cloud providers that lets resources in a private subnet initiate connections to the Internet while remaining unreachable from it.

Pre-shared key

A key value that must be created and entered into the access point and all devices prior to the devices communicating with the access point.

MITRE ATT&CK

A knowledge base and framework of different attack techniques to understand and defend against an attacker; includes detailed descriptions, definitions, and examples for the complete threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration.

Data breach notification laws

A law that varies by country/location and specifies the maximum time that can elapse before customers are notified of a data breach.

Cold aisle

A layout created by having the front of the equipment face toward the center of the aisle. Typically, these face air conditioner output ducts.

Hot aisle

A layout that has the back of the equipment face the aisle. Typically these face air conditioner return ducts.

Non-Disclosure Agreement (NDA)

A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties

Access control list

A list attached or linked to a specific resource that describes users or user groups and the nature of permitted access

Penetration testing

A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

Raspberry Pi

A low budget, single-board, pocket sized computer which is easy to program; can run a variety of different OSs; more likely to be found used for personal development or small-scale custom use

NIST RMF

A mandatory standard for federal agencies that provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls; a risk-based approach to selection of security controls and considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations.

Online backup

A means of backing up or storing data over the Internet to a provider's storage; the data is accessible from anywhere with connectivity, though availability depends on the provider, and the data should be encrypted before it leaves the organization.

Mandatory Access Control (MAC)

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf; typically found in military settings

Mean Time Between Failures (MTBF)

A measure of the reliability of a system; the expected amount of time that will elapse between system failures.

Faraday cage

A metallic enclosure that blocks an electromagnetic field.

Filesystem permissions

OS-enforced rules that control which users and groups may read, write, or execute a file or directory (for example, POSIX mode bits and ownership, or Windows NTFS ACLs); a method for protecting files managed by the OS.

Substitution cipher

A method of encryption and decryption in which each letter (or symbol) of the plaintext is replaced by another according to a fixed mapping. The Caesar cipher is the simplest case, shifting every letter a fixed number of places in the alphabet. Because the mapping preserves the frequency of each letter, substitution ciphers fall to frequency analysis.
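
As an added example covering both the transposition and substitution cards (it is not part of the original flashcards), the Python below implements a Caesar substitution, a columnar transposition, and the frequency-analysis attack that recovers a Caesar shift from ciphertext alone. The plaintext and key are made up for the example; the English letter frequencies are the commonly published approximations.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (%) of letters in English text, used by the attack.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}


def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar(text, shift):
    """Substitution cipher: every letter is replaced by the one 'shift' places later
    (negative shift decrypts). Non-letters pass through unchanged."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text.upper())


def columnar_encrypt(text, key):
    """Transposition cipher: write the plaintext in rows under the key and read the
    columns out in alphabetical order of the key letters. Letters are never
    changed, only moved."""
    pt = letters_only(text)
    k = len(key)
    rows = [pt[i:i + k] for i in range(0, len(pt), k)]
    order = sorted(range(k), key=lambda i: (key[i], i))
    return "".join(row[c] for c in order for row in rows if c < len(row))


def columnar_decrypt(ct, key):
    """Rebuild the columns (the first n % k columns are one letter longer) and read back by rows."""
    k, n = len(key), len(ct)
    nrows, full = -(-n // k), n % k
    order = sorted(range(k), key=lambda i: (key[i], i))
    col_len = {c: nrows if (full == 0 or c < full) else nrows - 1 for c in range(k)}
    cols, pos = {}, 0
    for c in order:
        cols[c] = ct[pos:pos + col_len[c]]
        pos += col_len[c]
    return "".join(cols[c][r] for r in range(nrows) for c in range(k) if r < len(cols[c]))


def break_caesar(ct):
    """Frequency analysis: try all 26 shifts and keep the one whose letter
    distribution is closest to English (lowest chi-squared statistic)."""
    ct = letters_only(ct)
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(caesar(ct, -shift))
        chi2 = 0.0
        for letter in ALPHABET:
            expected = ENGLISH_FREQ[letter] / 100 * len(ct)
            chi2 += (counts[letter] - expected) ** 2 / expected
        if chi2 < best_score:
            best_shift, best_score = shift, chi2
    return best_shift


if __name__ == "__main__":
    msg = "ATTACK AT DAWN THE ENEMY HAS BROKEN THROUGH THE EASTERN LINE"
    ct = caesar(msg, 11)
    print(ct, "-> recovered shift", break_caesar(ct))
    print(columnar_decrypt(columnar_encrypt(msg, "ZEBRAS"), "ZEBRAS"))
```

Neither classical scheme hides the statistics of the plaintext: the substitution keeps the frequency profile (so the shift is recovered without the key), and the transposition keeps the exact multiset of letters, which is why modern ciphers combine both ideas across many rounds with a secret key mixed in.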

Computer-based training

A method of training that utilizes computer technology to enhance the acquisition of knowledge and skills

Protected Extensible Authentication Protocol (PEAP)

A method to securely transmit authentication information over wired or wireless networks. It uses a server-side public key certificate to authenticate the server and establish a TLS tunnel, inside which the client's credentials (commonly MS-CHAPv2) are exchanged.

Port spanning/port mirroring

A method used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port.

Continuous delivery

A methodology that focuses on making sure software is always in a releasable state throughout its lifecycle.

Arduino

A microcontroller board (not a single-board computer) that includes a low-power CPU with a small amount of memory and storage and provides I/O capabilities; often used for prototyping devices that interface with sensors, motors, lighting, etc. Many base boards have no wired or wireless network connection built in, which reduces their attack surface.

Choose Your Own Device (CYOD)

A mobile device deployment methodology in which each person chooses a device from a list of organization-approved options, which the organization then owns and manages.

Purple Team

A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.

Network segmentation

A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.

Intranet

A network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization

Wi-Fi Protected Access 2

A network security technology commonly used on Wi-Fi wireless networks. It is an upgrade from the original WPA, which was designed as a replacement for the older and less secure WEP; it implements all aspects of the ratified 802.11i security standard (AES-CCMP encryption) and became mandatory in the Wi-Fi certification process. It has since been succeeded by WPA3.

VLAN

A network that can logically group several different computers together, or logically separate computers, without regard to their physical location. It is possible to create multiples of this with a single switch.

Nessus

A network-vulnerability scanner available from Tenable Network Security.

White Team

A neutral team of employees acting as observers, referees, and judges between the other teams in a penetration test or incident response drill.

System on a Chip

A processor design that integrates the CPU, memory controller, graphics, and I/O on a single chip; common in mobile and embedded devices.

Center for Internet Security (CIS)

A non-profit organization that publishes information on cybersecurity best practices and threats. They also provide tools to help harden your environment and provide risk management; an industry organization that publishes hundreds of benchmarks for commonly used platforms.

Open Web Application Security Project

A nonprofit organization focused on improving the security of application software.

Time-based one-time password

A one-time password or code that expires after 30 seconds (or another short period of time)

HMAC-based One-Time Password

A one-time password derived from a shared secret and a counter that advances each time a code is generated (an event), rather than with time; the basis on which TOTP is built.

Password vaults

A password manager that creates a database for all credentials/passwords, everything is encrypted with personal and enterprise options

Active Reconnaissance

A penetration testing method used to collect information. It sends data to systems and analyzes responses to gain information on the target.

Passive Reconnaissance

A penetration testing method used to gather and collect information. It typically uses open-source intelligence.

Metasploit

A penetration-testing framework that combines known scanning techniques, exploits, and payloads so testers can verify vulnerabilities and explore post-exploitation; written in Ruby, with modules and payloads that can leverage languages such as Perl, Bash, and Python.

Access control vestibules

A physical control (also called a mantrap) that when a person opens one door, another door locks until the initial door is closed and locked too.

Hardware firewall

A physical filtering component that inspects data packets from the network before they reach computers and other devices on a network; a free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance

Host-based firewall

A piece of software running on a single host that can restrict incoming and outgoing network activity for that host only.

Ping of Death

An ICMP echo request larger than the 65,535-byte IP maximum, delivered in fragments, that overflowed the reassembly buffer and crashed the receiving system on vulnerable (mostly 1990s-era) operating systems; modern systems are patched against it.

Business continuity plan

A plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption; focuses on keeping an organization functional when misfortune or incidents occur; in the context of IR processes, these plans may be used to ensure that systems or services that are impacted by an incident can continue to function despite any changes required by the IR process.

Incident response plans

A plan that describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network.

Clean desk space

A policy designed to ensure that all confidential or sensitive materials, either in paper form or electronic, are removed from a user's workspace and secured.

Acceptable use policy

A policy that a user must agree to follow in order to be provided access to a network or to the internet; a policy that provides network and system users with clear direction on permissible uses of information resources.

Subscriber Identity Module

A portable memory chip that holds the personal information of the item's account holder

Data masking

A privacy-enhancing technology that partially redacts sensitive information by replacing some or all of the characters in sensitive fields with placeholder characters. An example is replacing all but the last four digits of a credit card number with X's to render the card number unusable while still letting a support agent confirm which card was used.
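
As an added example (not part of the original flashcards), the Python below masks card numbers found in free text such as log lines or support tickets, keeping the last four digits as the card above describes. It uses the Luhn checksum to avoid masking other long digit strings such as order numbers; the sample line and card numbers are constructed test values, not real data.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit string.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every real payment card number passes it, most other long
    digit strings (order numbers, ticket IDs, timestamps) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_last=4, fill="X"):
    """Irreversibly replace all but the last 'keep_last' digits."""
    digits = re.sub(r"\D", "", pan)
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


def mask_text(text):
    """Mask card numbers inside free text; a digit run that fails Luhn is left
    alone so other identifiers in the same line are not corrupted."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw
    return CARD_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed log line with a Luhn-valid test card number and an order number.
    line = "2024-05-01 payment ok card=4111 1111 1111 1111 order=1234567890123456 amount=12.50"
    print(mask_text(line))
```

Masking is one-way; when the original value must be recoverable later (for refunds, say) the right tool is tokenization or encryption, not masking.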

Virtual Private Network

A private data network that creates secure connections, or "tunnels," over regular Internet lines

Key escrow

A process in which keys are managed by a third party, such as a trusted CA.

GPS tagging

A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the picture was taken or the file was created.

Containment

A process that leaves a system in place but works to prevent further malicious actions or attacks; frequently accomplished using firewall rules or similar capabilities to limit the traffic that the system can send or receive.

Version control

A process to keep track of what changes were made to what files so that a specific version can be referred to and improvements in multiple versions can be merged together.

Pulverizing

A process used to physically destroy items such as optical discs that aren't erased by a degausser; breaks devices down into very small pieces to prevent recovery

Bug bounty

A program run by an organization that pays rewards to outside researchers who find and responsibly report vulnerabilities (bugs) in its systems.

Software firewall

A program that runs on a computer to allow or deny traffic between the computer and other computers to which it is connected

Compiler

A program that translates instructions or code into a language that can be read and understood by a computer.

Input validation

A programming process that verifies data is valid before using it.

SEAndroid

A project, based on the NSA's SELinux, that brings mandatory access control to Android devices to address a broad range of system security issues; it confines apps and system processes so that malicious activity is limited, and policy is configured centrally for all deployments.

Secure Real-time Transport Protocol (SRTP)

A protocol for providing protection (encryption, integrity, and anti-replay) for Voice over IP (VoIP) communications.

Post Office Protocol

A protocol that allows a computer to retrieve email from a server.

Dynamic Host Configuration Protocol

A protocol that allows dynamic IP address allocation so users do not have to have a preconfigured IP address to use the network

Layer 2 Tunneling Protocol

A tunneling protocol that combines features of PPTP and Cisco's L2F; used to support virtual private networks or as part of the delivery of services by ISPs. L2TP provides no encryption of its own, so it is normally paired with IPSec (L2TP/IPSec).

Domain Name System

A protocol that resolves human-readable domain names into IP addresses (and, through reverse lookups, IP addresses back into names).

Trusted Automated eXchange of Intelligence Information (TAXII)

A protocol that is intended to allow cyber threat information to be communicated at the application layer via HTTPS; specifically designed to support STIX data exchange

Online Certificate Status Protocol (OCSP)

A protocol that performs a real-time lookup of a certificate's status; an Internet protocol that obtains the revocation status of an X.509 digital certificate.

SSL

A now-deprecated protocol that provided encryption and authentication for communication on the Internet; the predecessor of TLS. Every SSL version has known weaknesses and should be disabled in favor of TLS 1.2 or later.

Internet Message Access Protocol

A protocol that resides on an incoming mail server. Similar to POP, but more powerful: mail stays on the server, mailboxes can be shared, and multiple clients can access the same account. The current version is IMAP4.

Short message service

A protocol used by cellular providers to enable text messages to be sent from one mobile device to another.

IPSec

A protocol used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode.

TLS

A protocol used to encrypt traffic on the wire; the replacement for SSL and like SSL, it uses certificates issued by CAs.

Blockchain

A public digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly; can store records in a way that distributes those records among many different systems located around the world and do so in a manner that prevents anyone from tampering with those records.

Time Of Check/Time Of Use

A race condition that occurs when a program checks access permissions too far in advance of a resource request
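The race described above, as an added example that is not part of the original glossary. The "attacker step" is a hook called between the check and the use so the window is shown deterministically instead of relying on a real concurrent process; the file names and directory are constructed in a temporary folder. The fix is to open first and then validate the object you actually opened, rather than validating a path and opening it again.

```python
"""Added example: time-of-check/time-of-use race on a file path, and the fstat-based fix."""
import os
import stat
import tempfile


def read_if_safe_racy(path, attacker_step=None):
    """Vulnerable: checks the path, then opens the path again. Whatever the path
    points to between the two calls wins the race."""
    st = os.lstat(path)                       # time of check
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("symlinks not allowed")
    if attacker_step:                         # models the window between check and use
        attacker_step()
    with open(path, "rb") as f:               # time of use: re-resolves the path
        return f.read()


def read_if_safe_fixed(path, attacker_step=None):
    """Fixed: open once without following symlinks, then validate the open
    descriptor itself. Changing the path afterwards no longer matters."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if attacker_step:
            attacker_step()
        st = os.fstat(fd)                     # describes the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo():
    """Runs both versions against the same attacker; returns (racy, fixed) contents."""
    d = tempfile.mkdtemp()
    public = os.path.join(d, "upload.txt")    # constructed: the file the program means to read
    secret = os.path.join(d, "secret.txt")    # constructed: the file the attacker wants read
    with open(secret, "wb") as f:
        f.write(b"TOP SECRET")

    def swap():  # attacker replaces the checked file with a symlink to the secret
        os.remove(public)
        os.symlink(secret, public)

    with open(public, "wb") as f:
        f.write(b"harmless")
    racy = read_if_safe_racy(public, swap)

    os.remove(public)                         # reset the scenario for the fixed version
    with open(public, "wb") as f:
        f.write(b"harmless")
    fixed = read_if_safe_fixed(public, swap)
    return racy, fixed


if __name__ == "__main__":
    print(demo())
```

The racy version returns the secret because the second path lookup follows the attacker's new symlink; the fixed version returns the harmless content because the descriptor still refers to the file that was opened. This relies on POSIX semantics (O_NOFOLLOW, unlinking an open file).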

Threat maps

A real-time map of the computer security attacks that are going on at any given time.

TACACS+ (Terminal Access Control Access Control System+)

A remote authentication protocol which allows a remote access server to communicate with an authentication server to validate user access onto the network.

Warm site

A remote site that contains computer equipment and network connectivity but does not hold current copies of the organization's data; systems must be configured and data restored from backups before operations can resume, typically within hours to days. It falls between a hot site and a cold site in both cost and recovery time.

Manual Code Review

A review of source code performed by people rather than tools. It can be done in two ways: undirected, where the reviewer reads through the code on their own, essentially proofreading it; and directed, where the author walks a team or group through the code.

Qualitative Risk Assessment

A risk assessment that substitutes subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify; a risk assessment that uses judgment to categorize risks. it is based on impact and likelihood of occurrence.

Quantitative Risk Assessment

A risk assessment that uses numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks; a risk assessment that uses specific monetary amounts to identify cost and asset value.

Risk mitigation

A risk management strategy of applying security controls to reduce the probability and/or magnitude of a risk; the most common risk management strategy.

Risk acceptance

A risk management strategy that boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk; may be warranted if the cost of mitigating a risk is greater than the impact of the risk itself.

Risk transference

A risk management strategy that shifts some of the impact of a risk from the organization experiencing the risk to another entity; the most common example is purchasing an insurance policy that covers a risk.

Risk avoidance

A risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.

Risk and control self-assessment (RCSA)

A risk profile analysis process that identifies the risks, classifies each risk into clearly defined categories, and quantifies the risks with respect to the probability of occurrence and the impact on value and/or cash flows; a tool that allows an organization to understand its risks and their potential impact on the business. It is a formal exercise many organizations conduct annually.

Evil twin attack

A rogue wireless access point posing as a legitimate one (same SSID, often a stronger signal) to intercept information that users transmit.

Iris scan

A scan of the colored portion of the eye, including all rifts, coronas, and furrows.

Non-Intrusive Scan

A scan that uses only available information to hypothesize the status of the vulnerability.

Protected cable distribution

A scheme that locks away or shields all networking cables to prevent tapping and emissions leakage; it also keeps attackers from physically removing cables or plugging in additional ones. Most commonly used by utility companies.

Two-person integrity control

A scheme where two trusted staff members must work together to provide access - with dual keys, with passwords, or with two portions of an access control factor

File Transfer Protocol Secure

A version of the File Transfer Protocol secured with SSL/TLS. Implicit FTPS uses port 990; explicit FTPS (FTPES) starts on port 21 and upgrades to TLS with the AUTH TLS command. Not to be confused with SFTP, which runs over SSH on port 22.

Lightweight Directory Access Protocol over SSL

The Lightweight Directory Access Protocol, an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information over an IP network, wrapped in SSL/TLS so that credentials and directory data are not sent in the clear. LDAPS normally uses TCP port 636 (plain LDAP uses 389).

Deny List

A security configuration where access is allowed to any entity (software process, IP/domain, and so on) unless the entity appears on the (deny) list.

Allow list

A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on the (allow) list.

Virtual machine escape protection

A security protection that prevents a virtual machine from directly interacting with the host operating system.

Mobile application management (MAM)

A security strategy that administers and enforces corporate e-policies for applications on mobile devices.

Moisture detection

A sensor that can detect water leaks, dampness, or increased moisture levels.

Hot site

A separate and fully equipped facility where the company can move immediately after a disaster and resume business

Cold site

A separate facility that does not have any computer equipment, but is a place where employees can move after a disaster; provides only rudimentary services and facilities; have space, power, and often network connectivity, but they are not prepared with systems or data

Honeypot

A server designed to attract an attacker. It typically has weakened security encouraging attackers to investigate it.

Network attached storage

A server that is placed on a network with the sole purpose of providing storage to users, computers, and devices attached to the network

Multimedia Messaging Service (MMS)

A service offered by wireless companies that allows cell phone users to attach and send a variety of media to other users.

RAID levels

A set of RAID configurations that consists of striping, mirroring, or parity.

Hardware root of trust

A set of functions in a trusted computing module, such as a TPM, that is inherently trusted by the computer's operating system (OS) and serves as the foundation for measured boot, attestation, and protected key storage.

Rootkit

A set of programs that gives an attacker privileged (administrator or kernel level) access to a computer while hiding its own presence from the user and from security software, all without the end user's consent or knowledge.

Domain Name System Security Extensions

A set of specifications that provide authentication and other security mechanisms to DNS data.

Near Field Communication (NFC)

A set of standards primarily for smartphones and smart cards that can be used to establish communication between devices in close proximity.

MicroSD HSM

A small form-factor hardware encryption and security module that can be added to any mobile device with a MicroSD card slot.

Endpoint detection and response

A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats

Microservices/API

A software architecture that is composed of smaller modules that interact through APIs and can be updated without affecting the entire system.

Continuous deployment

A software development approach where an organization's developers release products, features, and updates in shorter cycles, when ready, rather than wait for centrally-managed delivery schedules.

OpenSSL

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end; a widely used open-source implementation of the SSL/TLS protocol that was affected by the Heartbleed bug.

Data exposure

A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

Quarantine

A solution which can place files in a specific safe zone until it can be determined whether they're safe to release or not.

Advanced Persistent Threat (APT)

A sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments

Web application firewall

A special type of application-aware firewall that looks at the applications using HTTP; A special type of firewall that looks more deeply into packets that carry HTTP traffic.

Functional recovery plans

A specific DRP for critical business functions.

Wi-Fi Protected Setup

A standard included on many WAPs and clients to make secure connections easier to configure, for example by pushing a button or entering an eight-digit PIN. The PIN method is vulnerable to brute-force attacks, so WPS should generally be disabled.

Wi-Fi direct/ad hoc

A standard that allows devices to connect without a wireless access point.

Wi-Fi Protected Access 3

A standard that offers improved data encryption over WPA2 and allows for Individual Data Encryption, whereby a laptop or other wireless device can create a secure connection over a public, unsecured Wi-Fi network.

Payment Card Industry Data Security Standard (PCI DSS)

A standard that provides detailed rules about the storage, processing, and transmission of credit and debit card information; not a law, but rather a contractual obligation that applies to credit card merchants and service providers worldwide.

File/code repositories

A storage area, such as a public source-code or malware-sample repository, where attack artifacts and malicious code are shared so that others can examine them to learn more about these attacks and craft their defenses; a threat intelligence source.

Simultaneous Authentication of Equals (SAE)

A strong authentication method used in WPA3 to authenticate wireless clients and APs and to prevent dictionary attacks for discovering pre-shared keys.

Certificate Signing Request (CSR)

A structured message sent to a certificate authority requesting a digital certificate.

Registration Authority (RA)

A subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users; performs certificate registration services on behalf of a CA.

Out-of-band management

A switch management option that provides on-site infrastructure access when the network is down or complete remote access in cases of connectivity failures on the network, such as via a cellular signal, in order to interface with a switch.

Switch Port Analyzer (SPAN)

A switch feature that copies Ethernet frames passing through selected switch ports or VLANs and sends the copies out a designated monitor port, where an analyzer, IDS, or packet capture tool is attached. The switch itself does not analyze the copied frames.

Identity Provider (IdP)

A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

Network-Based Intrusion Detection System (NIDS)

A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.

Rights management

A system of data protection at the file level that uses various forms of permissions, rules, and security policies.

File integrity monitors

A system that detects any changes within the files that may indicate a cyberattack.

Global Positioning System (GPS)

A system that determines the precise position of something on Earth through a series of satellites, tracking stations, and receivers.

Directory services

A system that enables network resources to be viewed as objects stored in a database. This database can then be divided and distributed among different servers on the network. An example of directory services includes LDAP or Microsoft Active Directory.

UPS

A system that provides battery or other backup power options for short periods of time

Cyber Kill chain

A systematic outline of the steps of a cyberattack, introduced at Lockheed Martin in 2011.

Rainbow table

A precomputed table of password hashes and their corresponding plaintext values that lets an attacker look up passwords if they obtain a system's hashed password store; defeated by salting, because the salt makes each stored hash unique and the table would have to be recomputed for every salt.

Prepending

A social engineering technique that adds text to the beginning of a message, subject line, or link (for example "RE:" or "SAFE") so that it appears legitimate or already vetted and the user is more likely to trust it and click.

Network Address Translation (NAT)

A technique that lets hosts using private IP addresses communicate over the public Internet; the NAT device translates the private source address to a public address on outbound traffic and maps the replies back to the internal host.

Obfuscation/camouflage

A technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.

Secure Sockets Layer (SSL) stripping

A man-in-the-middle technique in which the attacker downgrades the connection between a client and a website from HTTPS to HTTP, keeping an encrypted connection to the site while the victim's traffic travels in the clear; mitigated by HTTP Strict Transport Security (HSTS).

Segmentation

A technique that is often employed before an incident occurs to place systems with different functions or data security levels in different zones or segments of a network.

Key stretching

A technique that derives an encryption key or password hash from a password in a deliberately slow way, applying many rounds of hashing (for example PBKDF2, bcrypt, scrypt, or Argon2) so that brute-force and dictionary attacks cost far more per guess.

Salting

A technique used to increase the strength of stored passwords. It adds random bits (the salt) to each password prior to hashing, so that identical passwords produce different hashes; this thwarts rainbow table attacks and prevents one cracked hash from revealing every account that shares the password.
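The three entries above (rainbow table, key stretching, salting) fit together in one piece of code. The following is an added example, not part of the original glossary: a constructed "rainbow table" of SHA-256 hashes cracks an unsalted password instantly, while the same password stored with a random salt and PBKDF2 stretching is not in the table and must be verified by recomputing the derivation. The password list, salt, and iteration count are assumptions chosen for the example.

```python
"""Added example: unsalted fast hash vs. salted, stretched hash (PBKDF2-HMAC-SHA256)."""
import hashlib
import hmac
import os

# Constructed 'rainbow table': attacker precomputes SHA-256 of common passwords.
COMMON = ["123456", "password", "qwerty", "letmein", "Summer2023!"]
RAINBOW = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

ITERATIONS = 600_000  # order of magnitude currently recommended for PBKDF2-SHA256


def store_unsalted(password):
    """Weak: a single fast hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(stored_hex):
    """Returns the plaintext if the stored hash is in the precomputed table, else None."""
    return RAINBOW.get(stored_hex)


def store_stretched(password, salt=None, iterations=ITERATIONS):
    """Salted and stretched. The record is self-describing so the verifier knows
    the parameters; the salt is random per password (assumed 16 bytes)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_stretched(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted cracked:", crack_with_table(store_unsalted("letmein")))
    rec = store_stretched("letmein")
    print("stretched in table:", crack_with_table(rec.split("$")[-1]))
    print("verify correct password:", verify_stretched("letmein", rec))
```

Two users who choose "letmein" get different records because their salts differ, and the lookup against the stretched hash returns nothing; the iteration count is what makes each guess expensive for the attacker.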

Security Information and Event Management (SIEM)

A technology that allows for real-time analysis of security alerts generated by network hardware and applications.

Perfect forward secrecy

A property of a key exchange that ensures past session keys cannot be recovered even if a party's long-term private key is compromised at a later date; achieved by deriving each session key from an ephemeral key exchange (for example DHE or ECDHE) rather than from the long-term key.

Data custodian

A term for individuals or teams who do not have controller or stewardship responsibility but are responsible for the secure safekeeping of information. For example, a data controller might delegate responsibility for securing PII to an information security team.

Data processor

A term for service providers that process personal information on behalf of a data controller. An example is a credit card processing service for a retailer.

Narrowband

A term that refers to communications channels that have low bandwidth (slower communication); generally have less noise and thus better range and sensitivity

data sovereignty

A term that refers to the legal implications of data stored in different countries: data is subject to the laws of the jurisdiction in which it is stored or processed. It is a common concern with cloud services and with backups kept in other countries.

Order of volatility

A term that refers to the order in which you should collect evidence; documents what data is most likely to be lost due to system operations or normal processes.

Insider Threat

A threat to an organization that comes from employees, contractors, and anyone else that may have willingly been given insider knowledge.

Time stamp

A time value that is associated with a data value, often indicating when some event occurred that affected the data value.

Phishing simulations

A training or simulation that helps employees recognize phishing emails.

Certificate Authority (CA)

A trusted third-party organization or company that issues digital certificates

SYN flood

A type of DoS in which an attacker sends a large number of TCP SYN packets, often from spoofed source addresses, without completing the handshake; the server's table of half-open connections fills and legitimate clients cannot connect. Mitigations include SYN cookies and connection rate limiting.

Machine learning

A type of artificial intelligence that leverages massive amounts of data so that computers can improve the accuracy of actions and predictions on their own without additional programming.

Snapshot

A type of backup that captures the full state of a system or device at the time the backup is completed; common for VMs

Extended validation certificates

A type of certificate issued by a CA; they provide a higher level of assurance and the CA takes steps to verify that the certificate owner is a legitimate business before issuing the certificate.

Field Programmable Gate Array

A type of computer chip that can be programmed to redesign how it works, allowing it to be a customizable chip; is not an embedded system alone - needs to be integrated as one component of an embedded system or as the program processor inside of one.

USB

A type of connection used to attach devices such as flash drives, scanners, cameras, and printers to a computer.

Stateful firewall

A type of firewall that inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, this firewall permits that traffic.

server-side execution and validation

Input validation performed by code running on the server, such as a web server, rather than in the client's browser. Client-side validation can be bypassed by an attacker who alters or replays requests, so server-side validation is always required.
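Input validation, the allow list and deny list entries, and server-side validation are all illustrated by one small request handler. This is an added example, not code from the original glossary: the field names, the username rules, and the deny-list tokens are assumptions made for the example. The allow list defines exactly what is acceptable; the deny list is shown alongside to make the point that it only blocks the variants its author thought of.

```python
"""Added example: server-side validation with an allow list, contrasted with a deny list."""
import re
import unicodedata

# Allow list: state what valid input looks like (assumed rules for this example).
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")
REPORT_TYPES = frozenset({"daily", "weekly", "monthly"})

# Deny list: a handful of known-bad fragments (assumed). It cannot be complete.
DENY_TOKENS = ("<script", "javascript:", "../")


def normalize(value):
    """Canonicalize before validating so look-alike encodings cannot slip past."""
    return unicodedata.normalize("NFKC", value).strip()


def validate_username(raw):
    """Allow-list validation: returns the canonical username or raises ValueError."""
    value = normalize(raw).lower()
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 chars of a-z, 0-9, _ and start with a letter")
    return value


def validate_report_type(raw):
    """Closed set of values: anything not in the set is rejected."""
    value = normalize(raw).lower()
    if value not in REPORT_TYPES:
        raise ValueError("unknown report type")
    return value


def deny_list_check(raw):
    """Deny-list approach, for contrast: True means 'nothing bad found'."""
    low = raw.lower()
    return not any(tok in low for tok in DENY_TOKENS)


def handle_request(form):
    """Server-side handler: validates every field itself, trusting nothing the
    client sent. Returns (http_status, payload)."""
    try:
        user = validate_username(form.get("username", ""))
        rtype = validate_report_type(form.get("report", ""))
    except ValueError as e:
        return 400, {"error": str(e)}
    return 200, {"username": user, "report": rtype}


if __name__ == "__main__":
    print(handle_request({"username": "alice_01", "report": "Weekly"}))
    print(handle_request({"username": "..%2F..%2Fetc", "report": "daily"}))
    print("deny list passes encoded traversal:", deny_list_check("..%2F..%2Fetc"))
```

The URL-encoded traversal string passes the deny list because "../" never appears literally, yet the allow list rejects it because it is not a valid username; the NFKC step also folds full-width letters to ASCII before the pattern is applied.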

Active/active load balancing

A type of load balancing where all servers are active and load balancer can use any of the servers at any time.

Active-passive load balancing

A type of load balancing where some servers are active and others on standby. A standby is used if an active fails, and it takes the previously active server offline until its repaired.

Zero trust network

A security model in which no user, device, or network location is trusted by default, even inside the perimeter; every request must be authenticated, authorized, and verified before access to a resource is granted, usually combined with fine-grained segmentation.

Forward Proxy Server

A type of proxy server that acts as middleman between clients and servers, making requests to network servers on behalf of clients. Results are sent to the proxy server, which then passes them to the original client.

Reverse Proxy Server

A type of proxy server that sits in front of one or more servers, accepts client requests on their behalf, forwards each request to the appropriate back-end server, and returns the response to the client; commonly used for load balancing, TLS termination, and hiding server details.

SCADA

A type of system architecture that combines data acquisition and control devices, computers, communications capabilities, and an interface to control and monitor the entire architecture.

Containers

A type of virtualization in which isolated applications share the host operating system's kernel rather than each running a full guest OS, giving greater resource savings and faster startup than virtual machines.

Remote access VPN

A user-to-LAN virtual private network connection used by remote users.

Bandwidth monitors

A utility designed to measure network bandwidth usage over time; the higher it is the more resources are being used, hence slower systems.

Quality of Service

A variety of techniques that control the flow of network traffic, improve transmission speeds, and improve real-time communications traffic

sFlow

A vendor-neutral industry standard for traffic analysis and data exporters at layer 2 of the OSI reference model.

Site-to-site VPN

A virtual private network in which multiple sites can connect to other sites over the Internet.

Zero-day exploit

A vulnerability that is exploited before the software creator/vendor is even aware of its existence.

Binary

A way of representing information using only two options (0 and 1).

Cross-Site Scripting (XSS)

A web application vulnerability in which attackers inject malicious HTML or JavaScript into content that a web site returns to other users, so that the code executes in the victim's browser; prevented by context-appropriate output encoding together with input validation.
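A minimal reflected XSS sink and its fix, as an added example that is not part of the original glossary. The payload and the templates are constructed; the point shown is that the same untrusted value needs different encoding depending on where it lands in the page (HTML text versus a URL inside an attribute).

```python
"""Added example: reflected XSS via string concatenation, beside context-aware encoding."""
import html
from urllib.parse import quote

# Constructed attacker-supplied value, e.g. from a ?name= query parameter.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_vulnerable(name):
    """Vulnerable: the untrusted value is concatenated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_fixed(name):
    """Fixed for HTML text context: escape < > & and quotes."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_fixed(q):
    """Second context: the value goes into a URL query string inside an attribute.
    URL-encode first (so & " etc. cannot break the URL), then HTML-encode the
    result for the attribute."""
    return f'<a href="/search?q={html.escape(quote(q, safe=""), quote=True)}">results</a>'


def contains_img_tag(doc):
    """Crude tell-tale used only to show whether the payload survived as markup."""
    return "<img" in doc


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_fixed(PAYLOAD))
    print(render_link_fixed('a"b&c'))
```

Output encoding is the defense the browser actually sees; input validation (rejecting values that are not plausible names at all) is a second layer, not a substitute.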

Aggregators

A website or software application that gathers together information from a variety of internet sources.

Secure Multipurpose Internet Mail Extensions

A widely accepted protocol for sending digitally signed and encrypted messages.

Disassociation attack

A wireless attack in which false de-authentication or disassociation frames are sent to an AP that appear to come from another client device, causing the client to disconnect.

NFC

A wireless technology that lets your mobile device communicate over very short distances, such as when paying for goods on wireless payment devices.

Business Partnership Agreement (BPA)

A written agreement defining the terms and conditions of a business partnership; exists when two organizations agree to do business with each other in a partnership.

Privacy notice

A written explanation of how the company handles and shares your personal financial information.

Chain of custody

A written record of all people who have had possession of an item of evidence; simple sign-off and documentation forms; each time the drive, device, or artifact is accessed, transferred, or otherwise handled, it is documented.

Name 3 Layer 2 attacks

ARP poisoning, MAC flooding, MAC cloning

Examples of personnel policies important to organizational security

Acceptable use policy, job rotation, mandatory vacation, separation of duties, least privilege, clean desk space, background checks, non-disclosure agreement, social media analysis, onboarding, offboarding, user training

Card cloning

Act of using acquired information from a skimmer that can be made into a duplicate card, most commonly found when duplicating gift cards; can't duplicate chips, only magnetic strips

Vertical Scalability

Adding resources to one machine to accommodate additional work; requires a more powerful system or device

SSH keys

Public/private key pairs used to authenticate SSH sessions, and therefore SFTP transfers, instead of or in addition to passwords; the server holds the user's public key and the client proves possession of the matching private key.

Advisories and bulletins

Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.

Two types of Network access control implementations

Agent and agentless

Symmetric key algorithms

Algorithm that uses the same key to perform both encryption and decryption; sender encrypts with the shared secret key and the receiver decrypts with it.

Asymmetric key algorithms

Also known as Public Key Algorithms; each user has two keys: a public key which is shared with all users and a private key which is a secret and only known to the user.

rsyslog

Alternative 'rocket-fast' version of syslog; useful when speed is necessary; supports extremely high message rates, secure logging via TLS, and TCP-based messages as well as multiple backend database options.

Integrity measurement

An "attestation mechanism" designed to ensure that an application is running only known and approved executables.

Privacy Enhanced Mail

An ASCII text format of digital certificates; normally stored in files with the .PEM or .CRT extensions.

Extensible Authentication Protocol-FAST

An EAP protocol developed by Cisco; used in wireless networks and point-to-point connections to perform session authentication. Its purpose is to replace the LEAP (lightweight extensible authentication protocol).

Extensible Authentication Protocol-TTLS

An EAP protocol that extends TLS: the server authenticates to the client with a CA-signed certificate and a TLS tunnel protects the inner authentication; the client can, but does not have to, authenticate to the server with its own PKI certificate.

Inline sensor

An IDPS sensor that is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor; intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.

Passive sensor

An IDPS sensor that monitors the traffic via a copying process, so the actual traffic does not flow through or depend upon the sensor for connectivity

IEEE 802.1x

An IEEE standard for port-based network access control (PNAC) on wired and wireless access points.

Virtual IP address

An IP address that can be shared by a group of routers.

Authentication Header

An IPSec component that provides connectionless integrity and the authentication of data. It also provides protection versus replay attacks.

Encapsulating Security Payload

An IPSec component that provides the same services as AH but also provides confidentiality when sending data.

Managed service provider

An IT service where the customer dictates both the technology and operational procedures, and an external party executes administration and operational support according to a contract.

arp

The Address Resolution Protocol, which maps an IP address to a MAC address on a local network segment, and the command-line utility of the same name used to display or modify a host's ARP cache.

Structured Threat Information eXpression (STIX)

A structured language for expressing and sharing threat intelligence; originally XML-based and sponsored by the US Department of Homeland Security, the current version (STIX 2) uses JSON and is maintained by OASIS.

Security Assertion Markup Language (SAML)

An XML-based standard used to exchange authentication and authorization information.

Role-Based Access Control (RBAC)

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization

Rule-Based Access Control

An access control model that can dynamically assign roles to subjects based on a set of rules defined by a custodian.

Attribute-based access control (ABAC)

An access control model that grants access to resources based on attributes assigned to subjects and objects.

Log reviews

An activity conducted to ensure privileged users are not abusing their privileges; this activity would be used to detect anomalies on a network

War flying

An activity consisting of using an airplane and a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect Wi-Fi wireless networks.

Memorandum of Understanding (MOU)

An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement; an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings.

End of life/End of service life agreement

An agreement between two parties that ensures an orderly transition or outlines what steps will be taken when a vendor relationship ends or the vendor is discontinuing a product or service on which the organization depends.

HMAC algorithm

An algorithm that implements a partial digital signature; it guarantees the integrity of a message during transmission, but it does not provide for nonrepudiation

Elliptic-curve cryptography

An algorithm that uses elliptic curves instead of prime numbers to compute keys; based on the fact that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is difficult to the point of being impractical to do so.

syslog-ng

An alternative to syslog that provides enhanced filtering, direct logging to databases, and support for sending logs via TCP protected by TLS.

Integer overflow

An application attack that supplies or creates a numeric value larger than the variable that holds it can represent, so the value wraps around (for example to a small or a negative number) and bypasses length or size checks. Proper input handling and error handling thwart the attack.
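Python integers do not overflow, so the following added example (not part of the original glossary) emulates 32-bit arithmetic to show the two classic bugs the definition refers to: an unsigned sum that wraps past a size check, and a signed comparison that treats a huge value as negative. The buffer size and header length are assumed values for the illustration.

```python
"""Added example: integer overflow bypassing a length check, emulated at 32 bits."""
MASK32 = 0xFFFFFFFF


def u32_add(a, b):
    """Unsigned 32-bit addition as a C compiler would perform it."""
    return (a + b) & MASK32


def to_int32(x):
    """Reinterpret a 32-bit pattern as a signed int32."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def vulnerable_length_check(length, header=16, buffer_size=1024):
    """Vulnerable: header + length wraps around, so a huge length reads as tiny."""
    total = u32_add(length, header)
    return total <= buffer_size


def vulnerable_signed_check(length, buffer_size=1024):
    """Vulnerable: a value with the top bit set is negative in a signed compare."""
    return to_int32(length) < buffer_size


def safe_length_check(length, header=16, buffer_size=1024):
    """Fixed: reject out-of-range input, then compare without adding (no wrap)."""
    if length < 0 or length > MASK32:
        return False
    return length <= buffer_size - header


if __name__ == "__main__":
    huge = 0xFFFFFFF8          # 0xFFFFFFF8 + 16 wraps to 8
    print("vulnerable check passes huge length:", vulnerable_length_check(huge))
    print("signed check passes 0x80000000:", vulnerable_signed_check(0x80000000))
    print("safe check rejects huge length:", not safe_length_check(huge))
```

The fix moves the comparison to the side that cannot wrap (subtracting the fixed header from the known buffer size) and bounds the input first; in C the same idea is written with explicit range checks or the compiler's checked-add builtins.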

Authentication applications

An application that functions by accepting user input, and if the user input is correct, it can pass the appropriate credentials to the system requesting authentication.

Certificate pinning

An approach to verifying a certificate by instructing browsers to attach a certificate to a subject for an extended period of time. When sites do this, the browser associates that site with their public key. This allows administrators or users to notice and intervene if a certificate unexpectedly changes.

Indicators of Compromise (IoCs)

An artifact observed on a network or in operating system that with high confidence indicates a computer intrusion; represents intrusion signature; IDS can be tuned to watch for the signature to prevent future compromise

Media access control (MAC) cloning

An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface

Brute force attack

An attack on passwords or encryption that tries every possible password or encryption key.

Smurf attack

An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.

Domain hijacking

An attack that changes the registration of a domain name without permission from the owner.

Address Resolution Protocol (ARP) poisoning

An attack that convinces the network that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine

Impersonation

An attack that creates a fictitious character and then plays out the role of that person on a victim.

Privilege Escalation

An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.

UDP floods

An attack that sends a large number of UDP packets to random ports on the victim's system. The system will notice that no application listens at that port and reply with an ICMP destination unreachable packet. If a large enough number of UDP packets are sent, the victim will be forced to send numerous ICMP packets in response, overwhelming the system.

ICMP floods

An attack that sends massive numbers of ICMP packets, with each requesting a response; require more aggregate bandwidth on the side of the attacker than the defender has, which is why a DDoS via ICMP may be attempted; sometimes referred to as ping floods

Media access control (MAC) flooding

An attack that sends numerous frames to a switch, each with a different source MAC address, in an attempt to fill the switch's MAC (CAM) table. If this succeeds, the switch falls into fail-open mode and floods frames out all ports like a hub, letting the attacker sniff traffic intended for other hosts.

Uniform Resource Location (URL) redirection

An attack that sends unsuspecting web users to untrusted sites.

DNS poisoning

An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.

Christmas Tree attack

An attack that uses a TCP packet with every flag set (for example FIN, URG, and PSH together), so that it "lights up like a Christmas tree". Used for reconnaissance, because different operating systems respond differently to the unusual combination, and as a DoS attack if sent in large numbers.

OpenID

An authentication protocol that works across participating sites; an open standard and decentralized authentication protocol.

Knowledge-based authentication

An authentication technique that requires the user to provide a pre-established piece or several pieces of information that he/she knows.

Collector

An automated sensor that gathers actual state data. Part of the collection system.

Full tunnel VPN

An encrypted connection used with VPNs in which all of the traffic from the user is encrypted once they connect to the VPN.

Split tunnel VPN

An encrypted connection used with VPNs that only encrypts traffic going to private IP addresses used in the private network.

Hypertext Transfer Protocol Secure

An encrypted form of information transfer on the Internet that combines HTTP and TLS

Block cipher

An encryption method that operates on "chunks" of a message and applies the encryption algorithm to an entire message chunk at the same time; an encryption method that encrypts data in fixed-sized blocks.

Stream cipher

An encryption method that takes one character and replaces it with another; operates on one character or bit of a message at a time

Counter-mode/CBC-MAC protocol

An encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard.

hping

An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities.

Hybrid cloud

An environment that includes two or more private, public, or community clouds, but each cloud remains separate and is only linked by technology that enables data and application portability

Private cloud

An environment that serves only one customer or organization and can be located on the customer's premises or off the customer's premises.

Development Environment

An environment used to create or modify IT services or applications.

Capture the flag (CTF)

An exploit-based exercise simulating an attack; programs that pit technologists against one another in an attempt to attack a system and achieve a specific goal, such as stealing a sensitive file.

Certificate stapling

An extension to the OCSP that relieves some of the burden placed upon CAs by the original protocol; instead of the end user being responsible for contacting an OCSP server to verify the certificate's validity, the web server contacts the OCSP server itself and receives a signed and timestamped response from the OCSP server, which it then attaches, or staples, to the digital certificate.

Radio Frequency Identification (RFID)

An identification method that uses electronic tags and labels to identify objects wirelessly over short distances

Cloud security alliance

An industry organization focused on developing and promoting best practices in cloud security.

Unified Extensible Firmware Interface (UEFI)

An interface between firmware on the motherboard and the operating system; improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads.

Challenge Handshake Authentication Protocol (CHAP)

An older three-way authentication handshake that is accomplished during the initial authentication and may be repeated anytime after the link has been established; a weak authentication protocol that has been replaced by the Extensible Authentication Protocol (EAP).

Common Vulnerabilities and Exposures (CVE)

An online list of known vulnerabilities (and patches) to software, especially web servers. It is maintained by the MITRE Corporation.

OAuth

An open source standard used for authorization with Internet-based single sign-on solutions.

IPFIX

An open standard based on NetFlow 9 that many vendors support; a standard format for exporting router-based information about network traffic flows to data collection devices

NXLog

An open-source alternative to syslog, also offered as a commercially supported product, that centralizes and aggregates logs; it can parse and generate log files in many common formats while also sending logs to analysis tools and SIEM solutions.

Autopsy (utility)

An open-source forensic suite with broad capabilities.

Real-Time Operating System

An operating system that reacts to current events and actions occurring around it; used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the OS or waiting for tasks being processed to be handled before data is processed.

Restoration order

An order of what needs to be in place and operational first in the case of a disaster; decisions that balance the criticality of systems and services to the operation of the organization against the need for other infrastructure to be in place and operational to allow each component to be online, secure, and otherwise running properly.

International Organization for Standardization (ISO)

An organization that publishes a series of standards that offer best practices for cybersecurity and privacy.

Mandatory vacation

An organizational policy that serves a similar purpose as job rotation; this practice forces employees to take annual vacations of a week or more of consecutive time and revokes their access privileges during that vacation period.

Job rotation

An organizational practice that takes employees with sensitive roles and moves them periodically to other positions in the organization. The motivating force behind these efforts is that many types of fraud require ongoing concealment activities, which become harder to accomplish if an employee does not remain in the same role for an extended period of time.

Plaintext/Cleartext

An original message or file that has not yet been encrypted

Rogue access point

An unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks.

Push notifications

Any content sent to a mobile device that a customer must opt in to receive from a marketer.

Key exchange

Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

Three options for reconfiguring endpoint security solutions

Application allow list, application deny/block list, quarantine filter

Thirteen implementations that can be done using MDM

Application management, content management, remote wipe, geofencing, screen locks, push notifications, passwords and PINs, biometrics, context-aware authentication, containerization, storage segmentation, full device encryption

Wireshark

Application that captures and analyzes network packets; a popular packet sniffer.

Standard Naming Convention

Applying consistent names and labels to assets and digital resources/identities within a configuration management system.

Resource policies

Assigning permissions to cloud resources; can be difficult since the cloud is always running.

Volume-based network DDoS attacks

Attacks that focus on the sheer amount of traffic causing a DoS condition; some rely on amplification techniques that leverage flaws or features in protocols and services to create significantly more traffic than the attacker sends

Protocol-based DDoS attacks

Attacks that focus on the underlying protocols used for networking

Three As that compose the framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

Authentication, authorization, and accounting

Automated Courses of Action

Automated scripts that give a basis for secured configuration with a secured template. Can be configured to accommodate constant changes or can be launched on a specific schedule.

Vulnerability scans

Automated tools designed to identify whether a given system possesses any well-known vulnerabilities.

Five deployment models used by organizations for devices

BYOD, COPE, CO, CYOD, VDI

Cloud backup

Backup method in which files are backed up to the cloud as they change; long-term archival storage models that are used for data that is unlikely to be needed; examples are Amazon's Glacier and Google's Coldline

Differential backup

Backup that copies all changes made since the last full backup

Full backup

Backup that copies all data from a system.

Incremental backup

Backup that copies only the changed data since the last backup.

Offline backup

Backups that need to be retrieved from a storage location before they can be accessed; not done over the Internet.

Honeyfile

Bait files intended for hackers to access. The files reside on a file server, and the server sends an alarm when accessed.

Facial scan

Biometric control that compares a picture of a face to pictures stored in a database

Retina scan

Biometric laser scan of the capillaries which feed the retina (blood vessel pattern).

Gait analysis

Biometric mechanism that identifies a subject based on movement pattern.

Four categories of security locks

Biometrics, electronic, physical, cable

Two major categories of modern ciphers/cipher suites

Block and stream

Five options for secure data destruction

Burning, shredding, pulping, pulverizing, degaussing

Examples of sources of information acquisition

CPU cache, ephemeral data, RAM, Swap and pagefile information, files and data on a disk change, OS, mobile devices, firmware, snapshots, network traffic and logs, artifacts (devices, printouts, media, etc.)

2 examples of vulnerability databases

CVE (Common Vulnerabilities and Exposures), U.S. National Vulnerability Database (NVD)

Two simple examples of substitution ciphers

Caesar cipher and ROT13

Motion recognition cameras

Cameras that activate when motion occurs

Object detection cameras

Cameras that can detect specific objects, or they have areas that they watch for changes

Examples of user training methodologies

Capture the flag, gamification, phishing simulations, computer-based training, role-based training

Redundant NICs

Cards used to ensure connectivity in situations where a system's availability is important and multiple systems cannot be reasonably used.

Supervisory Control and Data Acquisition

Centralized systems which monitor and control industrial sites, or complexes of systems spread out over large areas; large systems that run power and water distribution or other systems that cover large areas

Self-signed certificates

Certificates signed by an organization for their employees; these certificates won't be trusted by the browsers of external users, but internal systems may be configured to trust the internal CA, saving the expense of obtaining certificates from a third-party CA.

What tools are available to search for rootkits?

Chkrootkit, rkhunter

Code reuse/dead code

Code that can be used for some future use, project, etc. Typically better to write clean code that can be minimally modified/refactored in the future.

Static codes

Codes that do not change over time.

Virtual machine sprawl avoidance

Combating VM sprawl through using different procedures.

Provisioning and deprovisioning

Commissioning and decommissioning of assets, from the time an asset is installed until the time it is decommissioned and disposed of.

Vulnerability databases

Common source of threat intelligence; researchers find vulnerabilities and upload them here because everyone needs to know about them.

Four critical incident response plans

Communication plan, stakeholder management, disaster recovery plan, business continuity plan

Cloud service providers

Companies that provide software, data storage, and other services via the internet

Third party data destruction services

Companies that will pick up and remove sensitive documents and media for shredding at their facility, or they will perform the same service on-site; your organization may opt for a thoroughly documented destruction process, including photos of the devices and per-device destruction certification depending on their security needs.

Industrial Control Systems

Computer-based systems that monitor and control industrial processes that exist in the physical world; a broad term for industrial automation

Embedded systems

Computer system(s) hidden inside another device, such as a car engine management system, appliances, or industrial machinery

Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. They also provide assurance for the public keys of...

Computers/machines, individual users, email addresses, developers (code-signing certificates)

On-premise

Computing resources hosted locally in a company's data center or physical location.

Off-premise

Computing resources hosted remotely from a company's data center.

Cellular connection

Connection that provides high speed transmission over cell phone towers.

Infrared

Connection to a line-of-sight wireless network to access technologies, such as TV and other audiovisual equipment.

Storage area networks

Connects multiple storage devices on a separate high-speed network dedicated to storage (backup); can also be used as a means of replicating data, where it uses RAID to ensure that data is not lost.

Compensating controls

Controls designed to mitigate the risk associated with exceptions made to a security policy.

Detective controls

Controls that identify security events that have already occurred. IDS systems are an example of this.

Preventive controls

Controls that intend to stop a security issue before it occurs. Firewalls and encryption are examples of this.

Corrective controls

Controls that remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of this.

Deterrent controls

Controls that seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of this.

Secure cookies

Cookies that have the secure attribute set so that they can only be transmitted over a TLS encrypted session.

Virtualization

Creates multiple "virtual" machines on a single computing device; the practice of sharing or pooling computing resources, such as servers and storage devices.

Smart card authentication

Credit card-sized card with embedded integrated circuits that is used to provide identification security authentication.

Lightweight cryptography

Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.

Threat feeds

Cybersecurity data feeds that provide information on the latest threats.

Operational technology DDoS

DDoS attacks that target the hardware and software that controls devices and systems in factories, buildings, powerplants, and other industries

Formats of digital certificates

DER, PEM, PFX, P7B

Three common symmetric cryptosystems

DES, 3DES, AES

Metadata

Data about other data; in the case of systems and services, this is created as part of files, embedded in documents, used to define structured data, and included in transactions and network communications, among many other places you can find it.

Three types of data policies every organization should have

Data classification, data governance, data retention

Mobile metadata

Data collected by phones and other mobile devices as they are used; includes call logs, SMS and other message data, data usage, GPS location tracking, cellular tower information, and other details found in call data records.

Web metadata

Data embedded into websites as part of the code of the website but is often invisible to everyday users; includes metatags, headers, cookies, and other information that help with search engine optimization, website functionality, advertising, and tracking, or that may support specific functionality.

7 common impacts of vulnerabilities

Data loss, data breaches, data exfiltration, identity theft, financial impact, reputation, availability loss

Five common privacy-enhancing technologies

Data minimization, data masking, tokenization, anonymization, pseudo-anonymization.

Email metadata

Data stored in the email about the email. Often this data is not even viewable in the email client application used to create the email. The amount of email metadata available for a particular email varies greatly depending on the email system.

Data in transit/motion

Data that is moving between computing nodes over a data network such as the Internet.

Data at rest

Data that is stored on electronic media.

East-west traffic

Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south); traffic that moves laterally between servers

Cloud controls matrix

Developed by the CSA as a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards.

Sensors

Devices that collect input from the environment and provide information that the CPU can respond to.

Fire suppression systems

Devices that help with resiliency by reducing the potential for disastrous fires

Federation

Different computing entities adhering to a certain standard of operations in a collective manner to facilitate communication.

7 types of threat vectors

Direct access, wireless, email, supply chain, social media, removable media, cloud

Port Security

Disabling unused application/service ports to reduce the number of threat vectors; a Cisco switch feature that limits the number of MAC addresses allowed to communicate through a particular port

Swap/page file

Disk space used to supplement physical memory; space on a hard drive used as a temporary location to store information when random access memory (RAM) is fully utilized.

RAID 6

Disk striping with double parity. Like RAID 5, but with more parity data, which is stored on another drive.

Load balancing

Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.

Separation of duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.

Skimming

Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use

Sideloading

Downloading an app from an unofficial third-party website.

Seven authentication protocols

EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1X, RADIUS

Social media

Electronic media that allows people with similar interests to participate in a social network; a common element of influence campaigns

Four common types of metadata

Email, mobile, web, file

Horizontal scaling

Employing multiple computers to share a workload; uses smaller systems or devices but adds more of them

Homomorphic encryption

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.

Three main steps of certificate generation and destruction

Enrollment, verification, revocation

Next steps to take in notifying others of a breach

Escalation to key personnel involved in a cybersecurity incident response plan, and making a disclosure/notification to the public that aligns with the state's data breach laws.

SSL/TLS Inspection

Examining outgoing SSL/TLS traffic. Relies on trust: the browser trusts the device it is connecting to across the network and is able to perform encryption end-to-end; if this trust is broken, nothing will work.

Dynamic Code Analysis

Examining code after the source code is compiled and when all components are integrated and running; the analysis of the code as it is running.

Tabletop exercises

Exercises that simulate an emergency situation but in an informal and stress-free environment; team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan.

Stakeholder management plan

Explains how stakeholders will be identified along with their level of interest in the project and influence over the project. This is closely tied to the communications plan since stakeholders will need varying levels and frequency of information. Many SMPs will help with prioritization of which stakeholders will receive communications, what support they may need, and how they will be provided, with options to offer input or otherwise interact with the IR process, communications and support staff, or others involved in the response process.

Six types of security risks

External, internal, legacy systems, multiparty, IP theft, software compliance/licensing

ICS/SCADA systems are common in what environments?

Facilities management, industrial, manufacturing, energy, logistics

Efficacy rates

False acceptance rate (FAR), false rejection rate (FRR), crossover error rate (CER)

Certificate attributes

Fields in an X.509 digital certificate that are used when parties negotiate a secure connection.

What kind of attack is commonly executed in PowerShell environments?

Fileless malware attacks, where PowerShell scripts are executed locally once a browser or plug-in is compromised

System logs

Files that store a variety of information about system events, including device changes, device drivers, and system changes; logs the events such as a system shutdown and driver failures

Application logs

Files that store actions performed by the application on the system. Often track items such as attempts to access the application, errors generated from the application, etc.; logs the events for the operating system and third-party applications.

VoIP/Call manager logs/SIP logs

Files that store information about calls that were placed as well as other events on a VoIP system.

Network/Security device logs

Files that store information about routers and switches with configuration changes, traffic information, network flows, and data captured by packet analyzers like Wireshark.

Authentication logs

Files that store information determining when an account was logged into and may also show privilege use, login system or location, incorrect password attempts, and other details of logins and usage that can be correlated to intrusions and misuse.

DNS logs

Files that store information on DNS queries to the server, including the source IP address of the request and the domain name of the destination IP address; these logs can show attackers gathering information, provide information that shows what systems may be compromised based on their DNS requests, and show whether internal users are misusing organizational resources.

Web logs

Files that store information such as requests to a web server and related events; these logs can help track what was accessed, when it was accessed, and what IP address sent the request; since requests are logged, these can also help identify attacks, including SQL injection and other web server and web application-specific attacks.

Dump files

Files that store information that shows the state of memory and the system at the time of a crash. If the crash occurred because of an attacker or exploit, or if malware or attack tools were on the system, these files may contain those artifacts.

Examples of biometric authentication methods

Fingerprint scan, retina scan, iris scan, facial scan, voice recognition, vein scan, gait analysis

Configuration changes to consider for remediation or containment

Firewall rule changes, MDM changes, DLP tool changes, content/URL filtering capabilities, updating or revoking certificates

Next-generation firewall

Firewall technology based on packet contents as opposed to simple address and port information.

Custom firmware

Firmware that is written by users to run on the mobile devices they own.

WinHex

Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.

On-path attack

Formerly known as a man in the middle attack; occurs when the attacker redirects the victim's traffic without their knowledge.

Two types of proxy servers

Forward and reverse

Four types of backups

Full, incremental, differential, snapshot

Regulations that affect risk posture

GDPR, Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), FERPA, GLBA, data breach notification laws

Quality Assurance (QA)

Gathering and evaluating information about the services provided as well as the results achieved and comparing this information with an accepted standard

Legacy systems risks

General term for risks associated with using a legacy system. These outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.

Publishers of benchmarks/secure configuration guides

Government agencies, vendors, industry groups

Hacktivists

Hackers who are driven by a cause like social change, political agendas, or terrorism

Self-Encrypting Drive (SED)

Hard drives that encrypt all of the contents held within using encryption keys that are maintained independently from the CPU of the housing computer.

Load balancers

Hardware devices that are designed to split a particular network load across multiple servers; these make multiple systems or services appear to be a single resource

USB data blocker

Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.

Two major categories of scalability

Horizontal and vertical

(Incident response) simulations

IR exercises that can include a variety of types of events, such as individual functions or elements of the plan, or only target specific parts of an organization. They can also be done at full scale, involving the entire organization in the exercise.

Four crucial ISO standards for cybersecurity

ISO 27001, 27002, 27701, 31000

Vein Recognition

Identifying uniqueness through blood vessels.

Transport mode

In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.

Tunnel mode

In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.

SIEM Sensitivity

In a SIEM, the quality of being quick to detect or respond to slight changes, signals, or influences (important data); this data can be controlled/limited by setting thresholds, filter rules, and using other methods of managing this quality of the SIEM.

What efforts should be made with vendors in regards to NDAs?

In addition to employees, vendors may have access to sensitive information about your organization. Vendor agreements should also include NDA terms, and organizations should ensure that vendors ask their own employees to sign NDAs if they will have access to your sensitive information.

Transit gateway

In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways; a network hub that acts as a regional virtual router to connect networks.

Time offset

In forensics, identifying whether a time zone offset has been applied to a file's time stamp; the amount of time added to or subtracted from Coordinated Universal Time (UTC) to arrive at the current local time.

Corporate-owned

In this traditional deployment model, the organization purchases devices and issues them to employees.

Intelligence fusion

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

Personally Identifiable Information (PII)

Includes any information that uniquely identifies an individual person, including customers, employees, and third parties.

Data steward

Individuals who carry out the intent of the data controller and are delegated responsibility from the controller.

Data owner

Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.

Script Kiddies

Inexperienced, usually young hackers who use programs that others have developed to attack computer and network systems and deface Web sites.

Government information

Information maintained by the organization that may be subject to other rules, including the data classification requirements of the US government.

Documents organizations commonly include in their information security library

Information security policy, acceptable use policy, data governance policy, data classification policy, data retention policy, credential management policy, password policy, continuous monitoring policy, code of conduct/ethics, change management/change control policies, asset management policies

Unclassified

Information that does not meet the standards for classification under the other categories; information in this category is still not publicly released without authorization; a US government "classification."

Financial information

Information that includes any personal finance records maintained by the organization.

Protected Health Information (PHI)

Information that includes medical records maintained by healthcare providers and other organizations that are subject to HIPAA.

Closed-Source (Proprietary) Intelligence

Information that is obtained through private sources and disseminated through paid-for subscription or membership services.

Open-Source Intelligence (OSINT)

Information that is readily available to the public and doesn't require any type of malicious activity to obtain.

Secret

Information that requires a substantial degree of protection. The unauthorized disclosure of this information could reasonably be expected to cause serious damage to national security; a US government classification.

Confidential

Information that requires some protection. The unauthorized disclosure of this information could reasonably be expected to cause identifiable damage to national security; a US government classification.

Top secret

Information that requires the highest degree of protection. The unauthorized disclosure of this information could reasonably be expected to cause exceptionally grave damage to national security; a US government classification.

Three different states of risk

Inherent risk, residual risk, risk appetite

Fuzzing

Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation

Two types of NIDS sensors

Inline and passive

client-side execution and validation

Input validation that is performed by the user's web browser.

Benchmarks/secure configuration guides

Instructions that have been developed over years that are designed to give organizations the best and most secure configurations for a particular system; get down into the nitty-gritty details of securely operating commonly used systems.

Cybersecurity insurance

Insurance that protects an organization by monetary compensation in the event of a successful cybersecurity attack.

4 sources for threat hunters

Intelligence fusion, threat feeds, advisories and bulletins, maneuver

Disaster types to have documented in a DRP

Internal and external risks from both environmental and man-made disasters.

4 attributes of threat actors

Internal/external, level of sophistication/capability, resources/funding, intent/motivation

Identity fraud

Involves the unauthorized use of another person's personal data for illegal and/or financial benefit

Why is PowerShell so easy to leverage attacks on?

It allows remote and local execution, network access, and many other capabilities; in addition, it is available by default on Windows systems and is often not carefully monitored

Four issues with symmetric key cryptography

Key distribution is a major problem; does not implement nonrepudiation; algorithm is not scalable; key must be regenerated often

Examples of documentation/evidence produced by digital forensics

Legal holds, video, admissibility, chain of custody, timelines of sequence of events, tags, reports, event logs, interviews

Two factors used to evaluate risk

Likelihood of occurrence and magnitude of the impact

Certificate chaining

Linking several certificates together to establish trust between all the certificates involved; the use of a series of intermediate CAs.

grep (command)

Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.

logger (command)

Linux utility that writes data to the system log.

Security logs

Logs the events such as successful and unsuccessful user logins to the system; logs that are considered the primary source of log data.

Three major attack frameworks

MITRE ATT&CK, Diamond Model of Intrusion Analysis, Lockheed Martin's Cyber Kill chain

Commonly used agreements between organizations and third parties

MSA, SLA, MOU, BPAs

Four key metrics used in a BIA

MTBF, MTTR, RTO, RPO

What kind of attack is commonly executed in VBA environments?

Macro viruses

Continuous monitoring

Maintaining ongoing awareness to support organizational risk decisions.

Unauthorized hackers

Malicious hackers that violate security for personal gain (Black Hat)

Cryptomalware

Malware that encrypts the user's data; also called ransomware.

Seven examples of specialized embedded systems

Medical systems, smart meters, vehicles/aircraft, drones/AVs, VoIP systems, MFPs, surveillance systems

File metadata

Metadata that describes interesting properties about the files that are not related to the main content of the file; information about a file that can include the creation, modified and last access dates, and also the user who created the file

Edge computing

Method of optimizing cloud computing systems by performing some data processing on a set of linked servers at the edge of the network, near the source of the data.

RAID 10

Mirroring and striping data; a combination of RAID 1 and RAID 0; data is striped across two or more drives and then mirrored to the same number of drives

RAID 1

Mirroring data; all data is copied exactly to another drive or drives

Rich Communication Services (RCS)

Mobile device communication which can convert a texting app into a live chat platform and supports pictures, videos, location, stickers, and emojis.

Two types of security camera capabilities

Motion recognition and object detection

Six security constraints of embedded systems

Much lower computational/electrical power; may not connect to a network/ineffective range; inability to patch; authentication is likely impossible; can be effectively very high cost; may rely on implied trust

RADIUS Federation

Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations; should be implemented if all the organizations use the native 802.1x client on their mobile devices.

Common name

Name that clearly describes the certificate owner (e.g., "certmike.com")

Subject alternative names

Names that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate

Two types of radio frequency systems

Narrowband and wideband

The three types of DDoS attacks

Network, application, and operational technology (OT)

Thin client

Networking system whereby client computers rely on servers to perform their processing tasks.

Extensible Authentication Protocol (EAP)

Not an authentication mechanism in itself but instead defines message formats. 802.1X would be the authentication mechanism and defines how this is encapsulated within messages; a framework for transporting authentication protocols that defines the format of the messages.

Race conditions

Occur when the security of a code segment depends upon the sequence of events occurring within the system

Three main methods used to exchange secret symmetric keys

Offline distribution, public key encryption, Diffie-Hellman

Virtual machine

One or more logical machines created within one physical machine; the apparent machine that the operating system presents to the user, achieved by hiding the complexities of the hardware behind layers of operating system software.

Continuous validation

Ongoing approvals of code.

7 common weak network configurations

Open permissions, unsecure root accounts, errors, weak encryption, unsecure protocols, default settings, open ports and services

10 sources of threat intelligence

Open-Source Intelligence (OSINT), closed/proprietary, vulnerability databases, public/private information-sharing centers, dark web, Indicators of Compromise (IoC), Automated Indicator Sharing (AIS), predictive analysis, threat maps, file/code repositories

Examples of common platforms/vendor-specific guides that benchmarks are written about

Operating systems, web servers, application servers, network infrastructure devices

Mission essential functions

Operations that are core to the success of the business. (Revenue generating applications, billing applications, etc.); refers to functions that need to be immediately functional at an alternate site until normal operations can be restored.

How is asymmetric key encryption used?

Opposite and related keys must be used in tandem to encrypt and decrypt. If the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa

Data in processing

Organization of data for the purpose of producing desired information; involves recording, classifying, sorting, summarizing, calculating, disseminating and storing data.

Vulnerability scan output

Output that provides information as to the systems that are running, any additional services that are listening on the network, and what the known vulnerabilities are against each of those.

Firmware OTA updates

Over-the-air updates for mobile device firmware that keep them up to date. These are typically downloaded to the device from the internet and applied to update the device.

Types of information that organizations should store in their inventory

PII, PHI, financial information, government information

Potentially Unwanted Programs

PUP; Programs that may not be wanted by the user but are not as dangerous as other types of malware

Service Level Agreement (SLA)

Part of a service contract where the service expectations are formally defined; written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA.

Third-party updates

Patch updates for application and utility software.

Credential policies should be established for what groups/personnel?

Personnel (employees), third-party contractors, devices, service accounts, administrator/root accounts

Vishing

Phishing attacks committed using telephone calls or VoIP systems.

Smishing

Phishing attacks committed using text messages (SMS).

Retention policies

Policies that identify how long data is retained and how it will be disposed of; an important component for incident responders since it may determine how long the organization keeps incident data, how long logs will be available, and what data is likely to have been retained and thus may have been exposed if a system or data store is compromised or exposed.

Conditional access

Policies that, at their simplest, can be defined as if-then statements: if a user wants to access a resource, then they must complete an action.

Bollard

Posts or other obstacles that prevent vehicles from moving through an area

Six steps in the incident response cycle

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

Six security control types

Preventive controls, detective controls, corrective controls, deterrent controls, physical controls, compensating controls

Principle of Scarcity

Principle (of social engineering) that makes something look more desirable because it may be the last one available

Principle of Trust

Principle (of social engineering) that relies on a connection with the individual they are targeting

Principle of Urgency

Principle (of social engineering) that relies on creating a feeling that the action must be taken quickly due to some reason or reasons

Technical controls

Procedural mechanisms that enforce confidentiality, integrity, and availability in the digital space. Examples include firewall rules, access control lists, intrusion prevention systems, and encryption.

Managerial controls

Procedural mechanisms that focus on the mechanics of the risk management process; examples include periodic risk assessments, security planning exercises, and the incorporation of security into the organization's change management, service acquisition, and project management practices.

Operational controls

Procedural mechanisms that include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management.

Encryption

Process of converting readable data into unreadable characters to prevent unauthorized access.

Pseudo-anonymization

Process of replacing PII with simulated identifiers. Techniques include de-identification and data obfuscation.

Open source software

Program code made publicly available for free; it can be copied, distributed, or changed without stringent copyright protections.

Trojans

Programs that look useful, but actually cause damage to your computer

Public cloud

Promotes massive, global, and industrywide applications offered to the general public

General Data Protection Regulation (GDPR)

Proposed set of regulations adopted by the European Union to protect EU residents from clandestine tracking and unauthorized personal data usage.

Nonrepudiation

Provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender

Least privilege

Providing only the minimum amount of privileges necessary to perform a job or function; a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

Fog computing

Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.

Six information classification levels commonly used in businesses

Public, private, sensitive, confidential, critical, proprietary

Two analysis methodologies for risk assessments

Quantitative risk assessment and qualitative risk assessment

Remote Access Trojan

RAT; a type of malware that allows covert surveillance, a backdoor for administrative control and unfettered and unauthorized remote access to a victim's machine.

Two most common asymmetric cryptography algorithms

RSA and Elliptic curve

Wideband

Radio system that supports higher data rate transmissions (faster communication)

Three examples of embedded systems

Raspberry Pi, FPGA, Arduino

Seven stages of the Cyber Kill chain

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective

4 types of penetration testing teams

Red, Blue, White, Purple

Offsite storage

Refers to an environmentally-controlled facility away from the computer/data center where paper copies or backup media are securely kept; can be owned by a company or managed by a third party service, like Iron Mountain.

Employee Onboarding

Refers to the tasks associated with hiring a new employee

Type 1 SOC report

Report that includes management's assertion and the auditor's opinion on the organization's effective design of controls.

Four biggest organizational consequences of privacy and data breaches

Reputational damage, identity theft, fines, IP theft

Host-based intrusion prevention system

Restricts unauthorized services and applications from running on the host machine; blocks known intrusion signatures

Three nonpersistent response controls

Revert to known state, last known-good configuration, live boot media

Five ways to harden host/application security solutions

Review open ports and services, registry, disk encryption, OS updates/boot security, patch management

Four types of risk management strategies

Risk acceptance, risk avoidance, risk transference, risk mitigation

Risk severity formula

Risk severity = Likelihood x Impact

Purchasing cybersecurity insurance falls under which risk management strategy?

Risk transference

Multiparty risks

Risks that impact more than one organization; examples are a power outage to a city block, because it affects all of the buildings on that block, or the compromise of a SaaS provider's database, which affects many different customers of the SaaS provider.

External risks

Risks that originate from a source outside the organization; an extremely broad category, including cybersecurity adversaries, malicious code, and natural disasters, among many other types.

Internal risks

Risks that originate from within the organization; includes malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.

Robot sentries

Robots used to patrol the perimeter of a secure area.

Regulatory requirements

Rules or laws that regulate conduct and that the enterprise must obey to become compliant.

Two most common types of hash functions

SHA and MD5

Three categories of SOC assessment

SOC 1 engagements, SOC 2 engagements, SOC 3 engagements

The two most common ways of accessing monitoring data

SPAN or port tap

4 examples of protocol-based network DDoS attacks

SYN floods, Ping of Death, Smurf attack, Christmas Tree attack

Credentialed Scan

Scan in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network.

Non-credentialed scan

Scan that might be used in a black box or blind test when you have no knowledge of any system accounts; scans from the outside with no access or authentication.

Intrusive scan

Scans that combine verification of actual vulnerabilities by trying to exploit the vulnerability.

Application scan

Searches for known exploits within a piece of software.

Web application scan

Searches for known exploits within web applications.

War driving

Searching for wireless signals from an automobile or on foot using a portable computing device.

Gamification

Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.

Examples of IoT devices

Sensors, building and facility automation devices, wearables, smart devices (like appliances, cars)

Six common components of a SIEM dashboard

Sensors, sensitivity, trends, alerts, correlation/analysis, rules

Community cloud

Serves a specific community with common business models, security requirements, and compliance considerations; example would be health care systems

Public/private information-sharing centers

Sharing of data and intelligence, whether public or private, with other companies and people who "need to know". Typically consists of organizations with extensive resources, often in the same market (such as fintech), that work to help each other out and make sure everyone stays safe -- even though they're competitors, they have the same goal of protecting each other from threat actors and threats.

Syslog

Short for system logging protocol; a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them; used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.

Four attributes that NIDS/NIPS examines to determine whether network traffic is safe or not

Signature-based, Heuristic/behavior, Anomaly, Inline/Passive

Checksums

Simple method used in symmetric key cryptography to ensure data integrity; a data transmission control that uses a hash of a file to verify accuracy

Six factors to consider before installing/configuring wireless networks

Site surveys, heat maps, Wi-Fi analyzers, channel overlaps, WAP placement, controller and access point security

Two types of VPNs

Site-to-Site and Remote Access.

Tokens

Small electronic devices that change user passwords automatically

Influence campaigns

Social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies

Password crackers

Software programs used to identify an unknown or forgotten password

Network access control

Software that controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.

Proprietary software

Software that has been developed by a company and has restrictions on its use, copying, and modification.

Antivirus

Software that is specifically designed to detect viruses and protect a computer and files from harm

Anti-malware

Software that prevents attacks by a wide range of destructive, malicious, or intrusive programs

Voice recognition technology

Software that recognizes the words being said by the person dictating and converts speech to text; differs from speech recognition because voice recognition "learns" the voice of the dictator and is therefore more accurate.

sn1per

Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.

Data Loss Prevention

Software which works like antivirus programs in reverse, blocking outgoing messages that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect

Host-based intrusion detection system

Software-based application that runs on a local host computer that can detect an attack as it occurs

Broadcast storm prevention

Solutions for a particular issue that include avoiding physical cable loops among switches, using spanning tree protocol (STP) on switches, and implementing port security.

Three factors of MFA

Something you know, something you have, something you are

Four attributes of MFA

Somewhere you are, something you can do, something you exhibit, someone you know

SPIM

Spam over Instant Messaging; Spam that is delivered through instant messaging.

Role-based training

Specialized training that is customized to the specific role that an employee holds in the organization.

One of the most common types of fire suppression systems

Sprinklers

Playbooks

Step-by-step guides intended to help IR teams take the right actions in a given scenario; a set of procedures detailing the steps to take when an event has been detected.

Walk-throughs

Step-by-step reviews of procedures or program logic to find incorrect logic, errors, omissions, or other problems; this exercise can help ensure that team members know their roles as well as the IR process, and that the tools, access, and other items needed to respond are available and accessible to them.

RAID 5

Striping data with parity; Data is striped across drives, with one drive used for parity (checksum) of the data. Parity is spread across drives as well as data

RAID 0

Striping data; data is spread across all drives in the array

The two primary types of nonmathematical cryptography (or ciphering methods)

Substitution and transposition

DHCP snooping

Switch process that monitors DHCP traffic, filtering out DHCP messages from untrusted sources. Typically used to block attacks that use a rogue DHCP server.

The two main types of cryptosystems that enforce confidentiality

Symmetric and asymmetric

Fake telemetry

Synthetic network traffic that resembles genuine communications, delivered at an appropriate volume to make honeynets and honeypots look real.

2 specific vendor management risks

System integration, lack of vendor support

Common types of SIEM log files

System logs, Application logs, Security logs, Vulnerability scan output, Network logs

RFID

System of tags which contain data that can be read from a distance using radio waves.

Automated Indicator Sharing (AIS)

System that enables the sharing of attack indicators, at machine speed, between the US government and the private sector as soon as the threat is verified

Asymmetric cryptosystem

System that uses individual combinations of public and private keys for each user of the system

Symmetric cryptosystem

System where the encryption key and decryption key are the same; uses a shared secret key available to all users of the cryptosystem

Generator

Systems that are used to provide power for longer outages

Single point of failure

Systems, devices, or other components that, if they fail, would cause an outage; a component or entity in a system which, if it no longer functions, would adversely affect the entire system.

Examples of authentication technologies

TOTP, HMAC-based OTP, SMS, token key, static codes, authentication applications, push notifications, phone call

Three major types of exercises that IRTs use to prepare

Tabletop exercises, Walk-throughs, simulations

Common choices for backup media

Tape, disk, optical media, flash media

Three categories of security control

Technical controls, managerial controls, operational controls

Adversarial artificial intelligence (AI)

Techniques such as machine learning used to solve a variety of problems and challenges used by an adversary.

Privileged Access Management (PAM)

Technologies that help organizations provide secured privileged access to critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access.

Closed-circuit television

Television that displays what the camera is seeing on a screen

State actors

Term used to describe Nation-States when they interact on the world stage implementing their foreign policies.

Elasticity

The ability of a material to bounce back after being disturbed

How digital forensics plays a role in both strategic intelligence and counterintelligence efforts

The ability to analyze adversary actions and technology, including components and behaviors of APT tools and processes, has become a key tool in the arsenal for national defense and intelligence groups. At the same time, forensic capabilities can be used for intelligence operations when systems and devices are recovered or acquired, allowing forensic practitioners to recover data and provide it for analysis by intelligence organizations.

Nonpersistence

The ability to have systems or services that are spun up and shut down as needed

(Certificate) verification

The act of checking the CA's digital signature using the CA's public key; performed when you receive a digital certificate from someone with whom you want to communicate.

Dumpster diving

The act of digging through trash receptacles to find information that can be useful in an attack.

Isolation

The act of moving a system into a protected space or network where it can be kept away from other systems.

Pivoting

The act of moving to a new location in a network and beginning the attack process over again, performing scans to see machines that weren't visible before.

(Certificate) revocation

The act of revoking a certificate (making it invalid)

Four strengths of asymmetric key cryptography

The addition of new users requires the generation of only one public-private key pair; users can be removed far more easily; key regeneration is required only when a user's private key is compromised; can provide integrity, authentication, and nonrepudiation; key distribution is a simple process; no preexisting communication link needs to exist

Annualized Loss Expectancy (ALE)

The amount of damage expected from a risk each year; calculated by multiplying the SLE and the ARO.

Recovery Point Objective (RPO)

The amount of data that the organization can tolerate losing during an outage.

Single Loss Expectancy (SLE)

The amount of financial damage expected each time a risk materializes; calculated by multiplying the AV by the EF.

Recovery Time Objective (RTO)

The amount of time that the organization can tolerate a system being down before it is repaired.

Network vulnerability scanner

The application of vulnerability scanning to network devices to search for vulnerabilities at the network level.

Steganography

The art of using cryptographic techniques to embed secret messages within another file; can be done with audio, video, or images

Site risk assessment

The assessment of all risks and hazards that could happen at a particular site.

Extensible Authentication Protocol-TLS

The authentication protocol most commonly deployed on WPA2-Enterprise networks to enable the use of X.509 digital certificates for authentication; provides for certificate-based and mutual authentication of the client and the network.

Mean Time to Repair (MTTR)

The average amount of time to restore a system to its normal operating state after a failure.

SIEM Alerts

The capability (quality) of the SIEM dashboard to analyze log files and post alerts when certain information appears in the log files; the primary communication in the SIEM that visualizes raw data, log info, and identifies security events.

SIEM Trends

The capability (quality) of the SIEM dashboard to analyze patterns in hardware breakdown and performance issues, so that they can predict when maintenance may need to happen in the future. There are separate categories of events, such as application, system, and security events.

Scalability

The capacity for the system to change in size and scale to meet new demands

Why might a certificate be revoked?

The certificate was compromised (owner accidentally gave away the private key); the certificate was erroneously issued (CA mistakenly issued a certificate without proper verification); the details of the certificate changed; the security association changed (subject is no longer employed by the organization sponsoring the certificate)

Services integration and Management (SIAM)

The connection of infrastructure and software elements to provide specific services to a business entity; many different service providers working together in a single-business IT organization

Site resiliency

The considerations that can be connected to the idea of restoration sites and their availability

HTML5

The current version of the HTML standard, which can be used as an alternative to Adobe Flash media

Information life cycle

The cycle of gathering, recording, processing, storing, sharing, transmitting, retrieving, and deleting information.

Blue Team

The defensive team in a penetration test or incident response exercise.

Disaster Recovery Planning (DRP)

The discipline of developing plans to recover operations as quickly as possible in the face of a disaster.

Data controller

The entities who determine the reasons for processing personal information and direct the methods of processing that data; a term used primarily in European law and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

Production environment

The environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.

Cryptocurrency

The first major application of the blockchain

HTTP headers

The first printing line of output in a web application that tells your web browser how to interpret the data that follows it

Reconnaissance

The gathering of information about a target, whether that is an organization, individual, or something else

Key management

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

Redundancy

The inclusion of extra components so that a system can continue to work even if individual components fail, for example by having more than one path between any two connected devices in a network.

Shadow IT

The information systems and solutions built and deployed by departments other than the information systems department. In many cases, the information systems department may not even be aware of these efforts.

Cuckoo

The leading open source automated malware analysis system.

Discretionary Access Control (DAC)

The least restrictive access control model in which the owner has total control over any object that he/she owns along with the programs that are associated with those objects.

Attestation

The lending of credibility to assertions made by a third party

Risk appetite

The level of risk that an organization is willing to accept as a cost of doing business.

False acceptance rate

The measure of the likelihood that the access system will wrongly accept an access attempt, i.e., will allow an unauthorized user access.

Data sanitization

The method used to repeatedly delete and overwrite any traces or bits of sensitive data that may remain on a device after data wiping has been done.

Asset value (AV)

The monetary value of a company-owned product, usually determined using the cost to acquire an asset, replace an asset, or the depreciated cost of an asset.

RSA

The most common asymmetric cryptography algorithm.

Digital encoding rules

The most common binary format of digital certificates. These are normally stored in files with .DER, .CRT, or .CER extensions.

Domain validation certificates

The simplest and most common certificate issued by a CA; for this, the CA simply verifies that the certificate subject has control of the domain name

Annualized Rate of Occurrence (ARO)

The number of times the risk is expected each year; expressed in a decimal format.

Password Authentication Protocol (PAP)

The oldest and most basic form of authentication and also the least safe because it sends all passwords in cleartext.

Tor

The onion router; a mechanism for anonymously routing traffic across the Internet using encryption and a set of relay nodes

Runbooks

The operational procedures guides that organizations use to perform actions; simplify the decision process for common operations that may support incident response, and they can help guide and build automation for tasks like communications, malware removal, or scanning.

Revert to known state

The option of restoring a device to a previous secure condition; also possible by using snapshots in a virtualization environment or other tools that track changes

Footprinting

The organized research and investigation of Internet addresses owned or controlled by a target organization.

Root certificate

The original digital certificate issued by a Certification Authority.

Inherent risk

The original level of risk that exists before implementing any controls.

Domain reputation

The overall "health" of your branded domain as interpreted by mailbox providers.

False rejection rate

The percentage of times that the system fails to recognize an authorized person and rejects that person as unauthorized.

Data Protection Officer

The person in charge of privacy/data protection in the EU under GDPR; GDPR requires that every data controller designate someone in this position and grant that individual the autonomy to carry out their responsibilities without undue oversight.

Recovery

The phase of the IRC whose heart is restoration to normal. It may mean bringing systems or services back online or other actions that are part of a return to operations. This phase requires that eradication be successful, but it also involves implementing fixes to ensure that whatever security weakness, flaw, or action that allowed the incident to occur has been remediated to prevent the event from immediately reoccurring.

Lessons learned

The phase of the IRC that ensures that organizations improve and do not make the same mistakes again. It may be as simple as patching systems or as complex as needing to redesign permission structures and operational procedures. These are then used to inform the preparation process, and the cycle continues.

Eradication

The phase of the IRC that involves removing the artifacts associated with the incident. In many cases, it will involve rebuilding or restoring systems and applications from backups rather than simply removing tools from a system since proving that a system has been fully cleaned can be very difficult.

Identification

The phase of the IRC that involves reviewing events to identify incidents. You must pay attention to IoCs, use log analysis and security monitoring capabilities, and have a comprehensive awareness and reporting program for your staff.

Preparation

The phase of the IRC where you build the tools, processes, and procedures to respond to an incident. Includes building and training an Incident Response team, and acquiring, configuring, and operating security tools and incident response capabilities.

Containment

The phase of the IRC where, once an incident has been identified, the IRT needs to contain it to prevent further issues or damage. This can be challenging and may not be complete if elements of the incident are not identified in the initial identification efforts.

Provenance

The place or source of origin of any data; where an image or drive came from and what happened with it.

Crossover error rate

The point where the false acceptance rate (FAR) crosses over with the false rejection rate (FRR). A lower CER indicates a more accurate biometric system.

Dark web

The portion of the internet that is intentionally hidden from search engines, uses masked IP addresses, and is accessible only with a special web browser.

Risk register

The primary tool that risk management professionals use to track risks facing the organization; a document in which the results of risk analysis and risk response planning are recorded.

Data minimization

The principle that organizations only collect the smallest possible amount of information necessary to meet their business requirements; in data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.

Lateral Movement

The process by which an attacker is able to move from one part of a computing environment to another.

Anonymization

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.

Normalization

The process of applying rules to a database design to ensure that information is divided into the appropriate tables.

Code signing

The process of assigning a certificate to code. The certificate includes a digital signature and validates the code; process that uses digital signatures to provide an assurance that the software code has not been modified after it was submitted by the developer

Risk awareness

The process of being consistently informed about the risks in one's organization or specific department; involves evaluating assets, vulnerabilities, and threats in order to clearly define an organization's risk level.

Pulping

The process of breaking paper documents into wood pulp, removing ink; materials can be recycled

Boot attestation

The process of determining that the boot process is valid; report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.

Full Disk Encryption (FDE)

The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product

Privilege escalation

The process of gaining elevated rights and permissions. Malware typically uses a variety of techniques to obtain this.

Infrastructure as code

The process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.

Threat hunting

The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

Degaussing

The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable; magnetically wipes data from tapes and traditional magnetic media like hard drives.

Tokenization

The process of replacing sensitive data with unique identification symbols (tokens) that retain all the essential information about the data without compromising its security.

static code analysis

The process of reviewing source code while it is in a static state; i.e., it is not executing.

Social media analysis

The process of scouring the Internet to gather personal information and create a fuller profile of each potential juror's attitudes, interests, and experiences

Rooting/Jailbreaking

The process of taking root access on a mobile device.

Carrier unlocking

The process of unlocking a mobile phone from a specific cellular provider.

Ciphering

The process of using a cipher to scramble a message

E-discovery

The processes by which electronic data that might be used as legal evidence are requested, secured, and searched; this is often used for public records, Freedom of Information Act requests, and investigations.

Admissibility

The quality of the evidence in a case that allows it to be presented to the jury; evidence typically falls under this category if it is offered to prove the facts of a case and it does not violate the law; criteria include relevance, reliability, whether it was obtained legally, authenticity, etc.

Broadcast storm

The result of one or more devices sending a nonstop flurry of broadcast frames on the network.

protocol analyzer output

The returned data from hardware or software that captures packets to decode and analyze their contents.

Control risk

The risk that arises from the potential that a lack of internal controls within the organization will cause a material misstatement in the organization's financial reports.

Residual risk

The risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

Non-repudiation

The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.

Domain name system (DNS)

The service that translates URLs to IP addresses.

Key length

The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.

Public key infrastructure

The system for issuing pairs of public and private keys and corresponding digital certificates

Employee Offboarding

The tasks associated with releasing an employee from the enterprise.

Incident response team

The team that manages and executes the IR plan by detecting, evaluating, and responding to incidents.

Hotspot

The term used when a mobile device provides internet to wireless devices by using Wi-Fi

Shared and Generic Accounts/Credentials

The type of account that allows multiple users to utilize the same account; typically prohibited by proper account management in order to maintain identification, authentication, authorization, and accounting

Guest accounts

The type of account that is useful if you want to grant someone limited access to a computer or network without creating a new account.

Service accounts

The type of account used to provide privileged access used by system services and core applications

Bluesnarfing

The unauthorized access of information from a wireless device through a Bluetooth connection.

Typosquatting

The unethical practice of registering domain names very similar to those of high-volume sites in hopes of receiving traffic from users seeking the high-volume site who mistakenly enter an incorrect URL in their browsers.

Message digest

The unique output value derived from the content of a message; a small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality.

Trust model

The use of a trusted third party to verify the trustworthiness of a digital certificate.

Predictive analysis

The use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities

Multipath Solutions

The use of multiple network paths to ensure that a severed cable or failed device will not cause a loss of connectivity.

Threat vectors

The way in which an attacker poses a threat

How are common languages such as Python, Perl, and Bash leveraged as part of an attack process?

These languages can be used to create persistent remote access using bind or reverse shells, as well as a multitude of other useful exploit tools.

Why should shared and generic accounts be avoided when applicable?

They are difficult to troubleshoot or audit in the event of a breach, as multiple users use them. Each user should have their own non-admin account.

Why is it important to place datacenters and other facilities a significant distance away from one another?

This distance prevents most common natural disasters from disabling both (or more) datacenters. Additionally, it helps ensure that facilities will not be impacted by issues with the power grid, network connectivity, and other similar issues.

Application deny/block listing

This lists applications or files that are not allowed on a system and will prevent them from being installed or copied to the system.

Application allow listing

This lists the applications and files that are allowed to be on a system and prevents anything that is not on the list from being installed or run; a security option that prohibits unauthorized software from executing.

The meaning of a wildcard included in a certificate name

This means that the certificate is good for subdomains of the registered domain as well (only one level, though). It is indicated by an asterisk.

Geographic dispersal

This process ensures that a single disaster, attack, or failure cannot disable or destroy all of the facilities.

Criminal syndicates

Threat actors who have moved from traditional criminal activities to more rewarding and less risky online attacks.

What is the purpose of hash functions?

To take a potentially long message and generate a unique output value derived from the content of the message.

Configuration review

To verify the operating condition and the effectiveness of its security configuration and rule sets.

Mobile Device Management (MDM) (or UEM)

Tools that allow a device to be managed remotely.

Software development kit

Tools that allow the creation of products or add-ons for a specific operating system or other computing platform

IP scanners

Tools that scan through a range of IP addresses and report levels of responsiveness.

Exploitation frameworks

Tools used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit software.

Four major information classification categories of the US government

Top secret, secret, confidential, unclassified

Hashing

Transforming plaintext of any length into a short code called a hash

Tethering

Transforms a smartphone or Internet-capable tablet into a portable communications device that shares its Internet access with other computers and devices wirelessly; the act of using a cellular-network-connected mobile device as a mobile hotspot.

Two types of IPSec modes

Transport and tunnel

Two types of SOC reports

Type 1 and type 2

2 examples of volume-based network DDoS attacks

UDP floods and ICMP floods

(Managed) PDUs

Units that are used to provide intelligent power management and remote control of power delivered inside server racks and other environments.

Drone

Unmanned aerial vehicle that can be used to capture images of a site, to deliver a payload, or even to take action like cutting a wire or blocking a camera; aren't a critical concern for most, but are increasingly an element that needs to be considered.

Spam

Unsolicited, unwanted commercial email messages

Background checks

Used by employers to verify the accuracy of the information you provided on your resume or job application. Items checked include: employment verification, education background/degrees, references, credit history, medical records, driving record, court records, and criminal records.

Bridge Protocol Data Unit (BPDU)

Used by switches to share information with other switches that are participating in the Spanning-Tree Protocol

Legacy platforms

Used to describe systems that are no longer being marketed or supported

Software Defined Networking (SDN)

Using a central control program separate from network devices to manage the flow of data on a network

Forensic technique used to recover data from drives and devices

Using a recovery tool or manually, review the drive, find files based on headers or metadata, and recover the file(s) and file fragments. It is also still possible to recover fragments of files in cases where a file has been partially overwritten.

Sandboxing

Using a virtual machine to run a suspicious program to determine if it is malware.

Why is it important to implement a diversity of technologies when building resilience into an infrastructure?

Using different vendors, cryptographic solutions, platforms, and controls can make it more difficult for a single attack or failure to have system- or organization-wide impacts.

scanless

Utility that runs port scans through third-party websites to evade detection; a port scanner that cannot be traced back.

Auto-update

Utility which automatically updates systems software as new releases become available.

4 third-party risks

Vendor management; supply chain; outsourced code development; data storage

9 research sources for threat intelligence

Vendor websites; vulnerability feeds; conferences; academic journals; Request for Comments (RFC); local industry groups; social media; threat feeds; adversary tactics, techniques, and procedures (TTP)

Attributes listed on every digital certificate

Version of X.509 to which the certificate conforms; serial number (from the certificate creator); signature algorithm identifier; issuer name; validity period; common name; Subject Alternative Name (optional); subject's public key

CPU cache volatility level

Very volatile - registers are constantly changing as processing occurs

Ten use cases for using secure protocols (hint: think of what each secure protocol does)

Voice and video; time synchronization; email and web; file transfer; directory services; remote access; domain name resolution; routing and switching; network address allocation; subscription services

2 major categories of Network DDoS attacks

Volume-based and protocol-based

Four cryptographic protocols

WPA2, WPA3, CCMP, SAE

What is the biggest (or one of the biggest) security concerns with IoT devices?

Weak default settings

Four major types of sprinklers

Wet, dry, pre-action, deluge

Hashing collision

When a hash function produces the same value for two different inputs; the existence of this typically leads to the deprecation of a hashing algorithm

False negative

When a vulnerability scan fails to report a true threat.

False positive

When a vulnerability scan reports a threat that is not really one.

Tailgating

When an unauthorized individual enters a restricted-access building by following an authorized user.

Dual-supply

When two independent power supply units, either of which is capable of handling the load, are used; ensures that a power supply failure won't disable a server

Bluetooth

Wireless PAN technology that transmits signals over short distances between cell phones, computers, and other devices

Wi-Fi

Wireless local area network that uses radio signals to transmit data.

Intermediate CA

a CA that issues certificates to child CAs and is issued certificates by a root CA, creating a certificate chain

Cloud reference architecture

a document published by NIST that offers a high-level taxonomy for cloud services; a vision for how the elements of the architecture fit together.

Extranet

a network configuration that allows select personnel outside of an organization to access internal information systems

Port tap

a purpose-built device that passively makes a copy of network data but does not alter the data. Once you install it, you are done. No programming is required.

Artificial Intelligence

a subdiscipline of computer science that attempts to simulate human thinking; focuses on accomplishing "smart" tasks by combining ML, deep learning, and related techniques

Screened subnet

also known as DMZ; used to contain systems that are accessible by the outside world or some other less secure population; commonly uses two firewalls; one resides between the public network and DMZ and the other resides between the DMZ and the private network; can be logical or physical segments of a network

Simple Network Management Protocol version 3

an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior

Jurisdiction

an area of authority or control; the right to administer justice; concerns may extend beyond which law covers the overall organization. Ex: Cloud providers often have sites around the world, and data replication and other services elements mean that your data or services may be stored or used in a similarly broad set of locations. This "area" may claim rights to access that data with a search warrant or other legal instrument.

Digital signature

an encrypted code that a person, website, or organization attaches to an electronic message to verify the identity of the message sender

Authorized hackers

an ethical hacker with good intentions and permission to hack (white hat)

Four data roles/responsibilities that should be assigned to a person/people in any organization

data owner, data controller, data processor, data custodian/steward, data protection officer

Three ways to prove integrity of forensic data

hashing, checksum, provenance

Examples of file manipulation commands

head, tail, cat, grep, chmod, logger

Examples of ephemeral data

process table, kernel statistics, the system's ARP cache

Cipher

the generic term for a technique (or algorithm) that performs encryption; a method used to scramble or obfuscate characters to hide their value

NIC teaming

the process of grouping together two or more physical NICs into one single logical NIC, which can be used for network fault tolerance and increased bandwidth through load balancing

(Certificate) enrollment

The process of requesting, receiving, and installing a certificate; the process of proving your identity to the CA in some manner in order to obtain a digital certificate

Worms

Independent computer programs that copy themselves from one computer to other computers over a network

Driver manipulation

A software attack where the attacker rewrites or replaces the legitimate device driver or application programming interface (API) to enable malicious activity to be performed

Jamming

A DoS attack against wireless networks. It transmits noise on the same frequency used by a wireless network.

Birthday attack

A cryptographic attack that searches for any two digests (collisions) that are the same.

Downgrade attack

A cryptographic attack; an attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode.

Supply-chain attacks

A cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.

Refactoring

A driver manipulation method. Developers rewrite the code without changing the driver's behavior.

Shimming

A driver manipulation method. It uses additional code to modify the behavior of a driver.

Watering Hole Attack

A malicious attack that is directed toward a small group of specific individuals who visit the same website.

Pass the hash

A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.

Dictionary attack

A password attack that creates encrypted versions of common dictionary words and compares them against those in a stolen password file.

Whaling

A phishing attack targeted to senior business executives, government leaders, and other high-level positions.

Pharming

A phishing attack that reroutes requests for legitimate websites to false websites.

Spear phishing

A phishing attack that targets only specific users.

Malicious flash drive

A physical device that contains malicious PDFs, files, etc. that could be harmful to your computer; older systems would automatically load content from this physical device without user consent

Resource exhaustion

A situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.

Cross-site request forgery (XSRF)

An attack that exploits the trust a website has in a user's browser in an attempt to transmit unauthorized commands to the website.

Dynamic Link Library (DLL) injection

A software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library (DLL) in memory, causing the victim application to experience instability (crashes) or leak sensitive information. To mitigate, all calls to different DLLs should be hard-coded in the application.

Spyware

A special class of adware that collects data about the user and transmits it over the Internet without the user's knowledge or permission

Phishing

A technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

Eliciting Information

A technique used to gather information without targets realizing they are providing it

Offline Brute Force Attack

A type of attack in which the attacker attempts to guess all possible character combinations from captured packet scans or databases and attempts to crack the password offline.

Structured Query Language (SQL) injection

A type of attack in which the hacker adds SQL code to a Web or application input to gain access to or alter data in the database.

Online Brute Force Attack

A type of attack that attempts to guess all possible character combinations from an online system; can be thwarted by setting account lock-out on the application.

Keyloggers

A type of attack that records keystrokes to provide cybercriminals with confidential data

Extensible Markup Language (XML) injection

A type of code injection attack in which the attacker attempts to embed code in XML documents.

Lightweight Directory Access Protocol (LDAP) injection

A type of code injection attack in which the attacker embeds commands in text being sent as part of an LDAP query

Collision attack

A type of cryptographic attack; an attempt to find two input strings of a hash function that produce the same hash result.

Replay Attack

A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.

Example of a TOC/TOU scenario

An OS builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the logon session

Request forgeries

An attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.

Buffer Overflow Attack

An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.

Bluejacking

An attack that sends unsolicited messages to Bluetooth-enabled devices.

Directory Traversal

An attack that takes advantage of a vulnerability so that a user can move from the root directory to restricted directories.

Server-Side Request Forgery (SSRF)

An attack that tricks a server into visiting a URL based on user-supplied input; these attacks are possible when a web application accepts URLs from a user as input and then retrieves information from that URL.

Spraying attack

An attack that uses naming conventions to guess passwords or sensitive information.

Logic bombs

An instruction in a computer program that triggers a malicious act

Memory leak

An undesirable state in which a program requests memory but never releases it, which can eventually prevent other programs from running.

Session Replay Attack

Attacker listens to the conversation between the user and the server and captures the authentication token of the user

API attacks

Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.

Cloud-based attacks

Attacks that occur in cloud-based services; for these attacks, you are likely operating in what may potentially be a more secure datacenter, and one in which it would be far harder to figure out which systems your operations are running on.

On-premise attacks

Attacks that occur on systems that reside on premises; these attacks give you the ability to audit access to the facility or to check on what occurred to a specific physical machine, since it's on location.

Shoulder surfing

Gaining compromising information through observation (as in looking over someone's shoulder).

Error handling

Coding methods to anticipate and deal with exceptions thrown during execution of a process.

Tainted training data for machine learning (ML)

Data that confuses the artificial intelligence (AI) machine during the training process; attackers send modified training data that causes the AI to behave incorrectly and ineffectively.

Malicious universal serial bus (USB) cable

Engineered USB cables that carry malware; they're less common since they require dedicated engineering to build, rather than simply buying commodity flash drives

Pretexting

Occurs when someone improperly accesses your personal information by posing as someone who needs data for one reason or another

Principle of intimidation

Principle (of social engineering) that relies on scaring or bullying an individual into taking a desired action; the individual who is targeted will feel threatened and respond by doing what the social engineer wants them to do

Principle of Familiarity

Principle (of social engineering) that relies on the victim liking the individual or even the organization the individual is claiming to represent, thus thinking everything is "normal."

Principle of Consensus

Principle (of social engineering) that uses the fact that people tend to want to do what others are doing to persuade them to take an action

Principle of Authority

Principle (of social engineering) that we are more likely to agree to a request made by an authority figure

Bots

Remotely controlled systems or devices that have a malware infection; groups of bots are known as botnets.

Credential harvesting

Social engineering techniques for gathering valid credentials to use to gain unauthorized access.

Backdoor

Software code that gives access to a program or a service that circumvents normal security protections.

Improper input handling

Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.

Ransomware

Software that encrypts programs and data until a ransom is paid to remove it.

Fileless virus

Software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

Invoice scams

The act of using a fake invoice in an attempt to get a company to pay for things it has not ordered

Hybrid Warfare

a new term used to describe a strategy that deliberately mixes elements and techniques of conventional warfare (e.g., national uniforms, heavy weapons) and unconventional warfare (e.g., guerrilla, paramilitary, information, or cyber war) as a way to coerce adversaries while avoiding attribution and retribution

