Remember This

DMZ

A DMZ is a buffer zone between the internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the intranet.

Intrusion Detection Systems

A HIDS (host based intrusion detection system) can monitor all traffic on a single host system such as a server or a workstation. In some cases, it can detect malicious activity missed by antivirus software. A NIDS (network based intrusion detection system) is installed on network devices such as routers or firewalls, to monitor network traffic and detect network based attacks. It can also use taps or port mirrors to capture traffic. A NIDS cannot monitor traffic on individual hosts.

Trojans

A Trojan appears to be something useful but includes a malicious component, such as installing a back door on a user's system. Many Trojans are delivered via drive by downloads. They can also infect systems from fake antivirus software, pirated software, games, or infected USB drives.

Back doors

A back door provides another way to access a system. Many types of malware create back doors, allowing attackers to access systems from remote locations. Employees have also created back doors in application ans systems.

Chain of Custody

A chain of custody provides assurances that evidence has been controlled and handled properly after collection. It documents who handled the evidence and when they handled it. A legal hold is a court order to preserve data as evidence.

Clean Desk Policy

A clean desk policy requires users to organize their areas to reduce the risk of possible data theft. It reminds users to secure sensitive data and may include a statement about not writing down passwords.

Cloud Techs

A cloud access security broker (CASB) is a software tool or service deployed between an organizations network and the cloud provider. It provides security as a service by monitoring traffic and enforcing security policies. Private clouds are only available for one organizations. Public cloud services are provided by third party companies and available to anyone. A community cloud is shared by multiple organizations. A hybrid cloud is a combination of two or more clouds.

Cold Sites/Warm Sites

A cold site will have power and connectivity needed for a recovery site, but little else. Cold sites are the least expensive and the hardest to test. A warm site is a compromise between a hot site and a cold site. Mobile sites do not have dedicated locations, but can provide temporary support during a disaster.

DoS and DDoS attacks

A denial of service (DoS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A distributed denial of service (DDoS) attack includes multiple computers attacker a single target. DDoS attacks typically include sustained, abnormally high network traffic.

Digital Signatures

A digital signature is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.

Disassociation Attack

A disassociation attack effectively removes a wireless client from a wireless network, forcing it to re-authenticate.

DRP

A disaster recovery plan (DRP) includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recover includes a review to identify any lessons learned and may include an update of the plan.

False positivs

A false positive from a vulnerability scan indicates the scan detected a vulnerability, but the vulnerability doesn't exist. Credentialed scans run under the context of a valid account and are typically more accurate than non-credentialed scans.

IDS threshold

A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrators workload. A false negative is when an attack is occurring, but the system doesn't detect and report it. Administrators often set IDS threshold high enough that it minimizes false positives but low enough that it does not allow false negatives.

Fat/Thin APs

A fat AP is also known as a stand-alone AP and is managed independently. A thin AP is also known as a controller-based AP and is managed by a wireless controller. The wireless controller configures the thin AP.

Forensic Imaging

A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture. Experts capture an image of the data before analysis to preserve the original and maintain its stability as evidence. Hashing provides integrity for captured images, including images fo both memory and disk drives. You can take a hash of a drive before and after capturing an image to verify that the imaging process did not modify the drive contents.

HSM

A hardware security model (HSM) is a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys.

Hot Sites

A hot site includes personnel, equipment, software, and communication capabilities of the the primary site with all the data up to date. A hot site provides the shortest recovery time compared with warm and cold sites. It is the most effective disaster recover solution, but it is also the most expensive to maintain.

Logic Bomb

A logic bomb executes in response to an event, such as when a specific application is executed or a specific time arrives.

Master Image

A master image provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create a secure baseline. They then use integrity measurements to discover when a system deviates from the baseline.

Business Agreements

A memorandum of understanding or a memorandum of agreement (MOU/MOA) defines responsibilities of each party, but it is not as strict as a service level agreement (SLA) or interconnection security agreement (ISA). If the parties will be handling sensitive data, they should include an ISA to ensure strict guidelines are in place to protect the data while in transit. An MOU/MOA often supports an ISA.

Penetration Testing

A penetration test is an active test that can assess deployed security controls and determined the impact of a threat. It starts with a vulnerability scan and then tries to exploit vulnerabilities by actually attacking or simulating an attack.

Privacy Threshold Assessment

A privacy threshold assessment is typically a simple questionnaire completed by system or data owners. It helps identify if a system processes data that exceeds the threshold for PII. If the system processes PII, a privacy impact assessment helps identify and reduce risks related to potential loss of the PII.

Proxy Servers

A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce internet bandwidth usage. Transparent proxy servers accept and forward requests without modifying them. Nontransparent proxy servers use URL filters to restrict access to certain sites. Both types can log user activity.

Quantitative vs Qualitative Risk Assessment

A quantitative risk assessment uses specific monetary amounts to identify cost and asset values. The single loss expectancy (SLE) identifies the amount of each loss, the ARO identifies the number of failures in a year, and the ALE identifies the expected annual loss.

Risk Register/Supply Chain Assessment

A risk register is a comprehensive document listing known information about risks. It typically includes risk scores along with recommended security to reduce the risk scores. A supply chan assessment evaluates everything needed to produce and sell a product. It includes all the raw materials and processes required to create and distribute a finished product.

Role-Based Access Control (BAC)

A role based access control model uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges.

Types of attackers

A script kiddie is an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise, sophistication, and funding. A hacktivist launches attacks as part of an activist movement or to further a cause. An insider is anyone who has legitimate access to an organizations internal resources such as an employee of a company.

SIEM

A security information and event management system (SIEM) provides a centralized solution for collecting, analyzing, and managing data from multiple sources. It typically includes aggregation and correlation capabilities to collect and organize log data from multiple sources. It also provides continuous monitoring with automated alerts and triggers.

Single Point of Failure

A single point of failure is any component who's failure results in the failure of an entire system. Elements such as RAID (redundant array of inexpensive disks), failover clusters, UPSs (uninterruptible Power Supplies), and generators remove many single points of failure. RAID is an inexpensive method used to add fault tolerance and increase availability.

Shoulder Surfing

A social engineer can gain unauthorized information just by looking over someones shoulder. This might be in person, such as when a user is at a computer, or remotely using a camera. Screen filters help prevent shoulder surfing by obscuring the view for people unless the are directly in front of the monitor.

Spear Phishing

A spear phishing attack targets specific groups of users. It could target employees within a company or customers of a company. Digital signatures provide assurances to recipients about who sent an email, and can reduce the success of of spear phishing.

Types of Firewalls

A stateless firewall blocks traffic using an ACL. A stateful firewall blocks traffic based on the state of the packet within a session. Web application firewalls provide strong protection for web servers. They protect against several different types of attacks with a focus on web app attacks and can include load balancing features.

Embedded Systems 2

A supervisory control and data acquisition (SCADA) system has embedded systems that control an industrial control system (ICS), such as one used in a power plant or water treatment facility. Embedded systems are also used for many special purposes such as medical devices, automotive vehicles, aircraft and UAV's

Threats

A threat is a potential danger and a threat assessment evaluates potential threats. Environmental threats include natural threats such as weather events. Manmade threats are any potential dangers from people and can be either malicious or accidental. Internal threats typically refer to employees within an organization. While external threats can come from any source outside the organization.

Trusted OS

A trusted operating system meets a set of predetermined requirements, such as those identified in common criteria. It uses the mandatory access control (MAC) model.

TPM

A trusted platform module (TPM) is a hardware chip included in many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.

UTM

A unified threat management (UTM) appliance combines multiple security controls into a single appliance. They can inspect data streams and often included URL filtering, malware inspection, and contention inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.

VPN

A virtual private network (VPN) provided remote access to a private network via a public network. VPN concentrators are dedicated devices used for VPNs. They include all the services needed to create a secure VPN supporting many clients.

Vulnerability Scanner

A vulnerability scanner can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches. Vulnerability scans are passive and have little impact on a system during a test. In contrast, a penetration test is intrusive and can potentially compromise a system.

Passive vs Invasive testing

A vulnerability scanner is passive and non-intrusive and has little impact on a system during a test. In contrast, a penetration test is active and intrusive and can potentially compromise a system. A penetration test is more invasive than a vulnerability scan.

AES/3DES

AES is a strong symmetric block cipher that encrypts data in 128-bit blocks. AES uses 128-bit, 192-bit, or 256-bit keys. DES and 3DES are block ciphers that encrypt data in 64-bit blokes. 3DES was originally designed as a replacement for DES, but NIST selected AES as the current standard. However, 3DES is still used in some applications such as when legacy hardware doesn't support AES.

ARP poisoning

ARP poisoning attacks attempt to mislead systems about the actual MAC address of a system. ARP poisoning is sometimes used in man in the middle attacks.

Account Expiration Dates

Account expiration dates automatically disable accounts on the expiration date. This is useful for temporary accounts such as temporary contractors.

Remote Connection

Administrators connect to servers remotely using protocols such as SSH and Remote Desktop Protocol (RDP). In some cases, administrators use virtual private networks to connect to remote systems.

Downgrade Attack

Administrators should disable weak cipher suits and weak protocols on servers. When a server has both strong and weak cipher suites, attacker can launch downgrade attacks bypassing the strong cipher suite and exploiting the weak cipher suite.

SNMP

Administrators use SNMPv3 (Simple Network Management Protocol) to manage and monitor network devices and SNMP uses UDP ports 161 and 162. It includes strong authentication mechanisms and is more secure than earlier versions.

Protocol Analyzers

Administrators use a protocol analyzer to capture, display, and analyze packets sent over a network. It is useful when troubleshooting communications problems between systems. It is also useful to detect attacks that manipulate or fragment packets. A capture shows information such as the type of traffic (protocol), flags, source and destination IP addresses, and source and destination MAC addresses. The NIC must be configured to use promiscuous mode to capture all traffic.

Ping

Administrators use ping to check connectivity of remote systems and verify name resolution is working. They also use ping to check the security posture of systems and networks by verifying that routers, firewalls, and IPS's block ICMP traffic when configured to do so.

Post Exploitation

After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems. Pivoting is the process of using an exploited system to target other systems.

802.1x server

An 802.1x server provides port-based authentication, ensuring that only authorized clients can connect to a network. It prevents rogue devices from connecting.

IPS vs IDS

An IPS can detect, react, and prevent attacks. It is placed inline with the traffic (also known as in-band). An IDS monitors and responds to an attack. It is not inline but instead collects data passively (also known as out-of-band).

IPSs

An IPS is a preventative control. It is placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can also be used internally to protect private networks.

Account Disablement Policy

An account disablement policy identifies what to do with accounts for employees who leave permanently or on a leave of absence. Most policies require administrators to disable the account as soon as possible, so that ex-employees cannot use the account. Disabling the account ensure that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but are no longer accessible if the account is deleted.

Whitelist / Blacklist

An application whitelist is a list of authorized software and it prevents users from installing or running software that isn't on the list. An application blacklist is a list of unauthorized software and prevents users from installing or running software on the list.

Embedded Systems

An embedded system is any device that has a dedicated function and uses a computer system to perform that function. It includes any devices in the IoT category such as wearable technology and home automation systems. Some embedded systems use a system on a chip (SoC).

Incident Response

An incident response policy defines a security incident and incident response procedures. Incident response procedures start with preparation to prepare for and prevent incidents. Preparation helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.

Antivirus software

Antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature based antivirus software detects known malware based on signature definitions. Heuristic based software detects previously unknown malware based on behavior.

Service Models

Applications such as web-based email provided over the internet are software as a service (SaaS) cloud-based technologies. Platform as a service (PaaS) provides customers with a fully managed platform, which the vendor keeps up to date with current patches. Infrastructure as a service (IaaS) provides customers with access to hardware in a self-managed platform.

Web attacks

Attackers purchase similar domain names in typo squatting attacks (also called URL hijacking). Users visit the typo squatting domain when they enter the URL incorrectly with a common typo. In a session hijacking attack, the attacker utilizes the users session ID to impersonate the user. In a domain hijacking attack, an attacker changes the registration of a domain name without permission from the owner.

SQL injection

Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the phrase ' or '1' = '1' -- to trick the database server into providing information.

Availability

Availability ensures that systems are up and operational when needed and often addresses single points of failure. You can increase availability by adding fault tolerance and redundancies such as RAID, failover clusters, backups, and generators. HVAC systems also increase availability

Background Checks

Background checks investigates the history of an individual prior to employment and sometimes during employment. They may include criminal checks, credit checks, and an individuals online activity. An exit interview is conducted when an individual departs an organization. User accounts are often disabled or deleted during the exit interview and everything issued to the employee is collected.

Barricades

Barricades provide stronger barriers than fences and attempt to deter attackers. Bollards are effective barricades that can block vehicles.

Bcrypt/PBKDF2

Bcrypt and PBKDF2 are key stretching techniques that help prevent brute force and rainbow table attacks. Both salt the password with additional random bits.

Resetting Passwords

Before resetting passwords for users, it's important to verify the user's identity. When resetting passwords manually, it's best to create a temporary password that expires upon first use.

'Box' Testing Types

Black box testers have zero prior knowledge of the system prior to a penetration test. White box testers hav full knowledge and gray box testers have some knowledge. Black box testers often use fuzzing

Bluetooth Attacks

Bluejacking is the unauthorized sending of text messages to a nearby Bluetooth device. Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device. Ensuring devices cannot be paired without manual user intervention prevents these attacks.

Password cracking atttacks

Brute force attacks attempt to guess passwords. Online attacks guess the password of an online system. Offline attacks uess the password stored within a file, such as a database. Dictionary attacks use a file of words and common passwords to guess a password. Account lockout policies help protect against brute force attacks and complex passwords thwart dictionary attacks.

Buffer Overflow Attacks

Buffer overflows occur when an application receives more data than it can handle or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP (no operation) instructions (such as x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.

CRL

CAs revoke certificates for several reasons such as when the private key is compromised or the CA is compromised. The certificate revocation list (CRL) includes a list of revoked certificates and is publicly available. An alternative to using a CRL is the online certificate status protocol (OCSP), which returns answers such as good, revoked, or unknown. OCSP stapling appends a digitally signed OCSP response to a certificate.

CER/DER

CER (canonical encoding rules) is an ASCII format for certificates and DER (distinguished encoding rules) is a binary format. PEM (privacy enhanced mail) is the most commonly used certificate format and can be used for just about any certificate type. P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.

Cable locks/Sever Cabinets

Cable locks are effective threat deterrents for small equipment such as laptops and some workstations. When used properly, they prevent losses due to theft of small equipment. Locking cabinets in server rooms provide an added physical security measure. A locked cabinet prevents unauthorized access to equipment mounted in server bays.

Certificate Stapling

Certificate stapling is an alternative to OCSP. The certificate presenter (such as a web server) appends the certificate with a timestamped digitally signed OCSP response from the CA. This reduces OCSP traffic to and from the CA. Public key pinning helps prevent attackers from impersonating a web site with a fraudulent certificate. The web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions.

Certificates

Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the on the owner of the certificate and on the the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

Passwords

Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters.

Confidentiality

Confidentiality ensures that data is only viewable by authorized users. The best way to protect confidential data is by encrypting it. This includes any type of data, such as PII, data in databases and data on mobile devices. Access controls help protect confidentiality by restricting access. Steganography helps provide confidentiality by hiding data, such as hiding text files within an image file.

Device Management

Corportate-owned, personally enabled (COPE) devices are owned by the organization, but employees can use them for personal reasons. A bring your own device policy (BYOD) allows employees to connect their own devices to the corporate network. A choose your own device (CYOD) policy includes a list of approved devices. Employees with a device on the list can connect them to the network. A virtual desktop infrastructure (VDI) is a virtual desktop and these can be created so that users can access them from a mobile device.

Cross-Site Forgery Request

Cross-Site Forgery Request (XSRF) scripting causes users to perform actions on web sites, such as making purchases without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.

Cross site scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Allows attackers to capture user information such as cookies. Input validation techniques at the server help prevent XSS attacks.

DNS poisoning and amplification attacks

DNS poisoning attacks attempt to corrupt DNS data. Amplification attacks increase the amount of traffic sent to or requested from a victim and can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers.

DNS

DNS zones include records such as 'A' records for IPv4 addresses and 'AAAA' records for IPv6 addresses. DNS uses TCP port 53 for zone transfers & UDP port 53 for DNS client queries. Most internet based DNS servers run BIND software on Unix or Linux servers, and it's common to configure DNS servers to only use secure zone transfers. DNSSEC helps prevent DNS poisoning attacks. Nslookup and dig are two command line tools used to test DNS. Microsoft systems use nslookup; Linux systems include dig.

Data Loss Prevention

Data exfiltration is the unauthorized transfer of data out of a network. Data loss prevention (DLP) techniques and technologies can block the use of USB devices to prevent data loss and monitor outgoing email traffic for unauthorized data transfers. A cloud-based DLP can enforce security policies for data stored in the cloud, such as ensuring that PII is encrypted.

Data Leakage

Data leakage occurs when uses install p2p software and unintentionally share files. Organizations often block p2p software at the firewall.

Detective Controls

Detective controls attempt to detect when vulnerabilities have been exploited. Some examples include log monitoring, trend analysis, security audits, and CCTV systems.

Diffie-Hellman

Diffie-Hellman is a secure method of sharing symmetric encryption keys over a public network. Elliptic curve cryptography is commonly used with small wireless devices. ECDHE is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys.

Digital Signatures

Digital signatures can verify the integrity of emails and files, and they also provide authentication and non-repudiation. Digital signatures require certificates.

Physical Access Controls

Door access systems include cipher locks, proximity cards, and biometrics. Cipher locks do not identify users. Proximity cards can identify and authenticate users when combined with a PIN. Biometrics can also identify and authenticate users.

Dumpster Diving

Dumpster divers search through trash looking for information. Shredding or burning papers instead of throwing them away mitigates this threat.

EMI interference

EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable. Cable droughts protect cables distributed throughout a building in metal containers. A faraday cage prevents signals from emanating beyond the cage.

Zero-day exploits

Educating users about new viruses, phishing attacks, and zero day exploits helps prevent incidents. Zero-day exploits take advantage of vulnerabilities that aren't known by trusted sources, such as operating system vendors and antivirus vendors.

Encryption

Encryption provides confidentiality and helps ensure that data is viewable only by authorized users. This applies to any data at rest (such as data stored in a database) or data in transit being sent over a network.

Remote Authentication 1

Enterprise mode requires an 802.1x server. EAP-FAST supports certificates. PEAP and EAP-TTLS require a certificate on the server. EAP-TLS also uses TLS, but it requires certificates on both the 802.1x server and each of the clients.

Error and Exception handling

Error and exception handling helps protect the integrity of the operating system and controls the errors shown to users. Applications should show generic error messages to users but log detailed information.

Failover Clusters

Failover clusters are one method of server redundancy and they provide high availability for servers. They can remove a server as a single point of failure. Load balancing increases the overall processing power of a service by sharing the load among multiple servers. Configurations can be active passive, or active-active. Scheduling methods include round robin and source IP address affinity. Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.

Physical Access Controls 3.0

Fencing, lighting, and alarms all provide physical security. They are often used together to provide layered security. Motion detection methods are also used with these methods to increase their effectiveness. Infrared detectors detect movement by objects of different temperatures.

Data Protection

File and folder level protection protects individual files. Full disk encryption protects entire disks, including USB flash drives and drives on mobile devices. The chmod command changes permissions on Linux systems.

Implicit Deny

Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn't previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.

Group Policy

Group policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.

Group-Based Access Control (BAC)

Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups, and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.

HTOP and TOTP

HOTP and TOTP are both open source standards used to create one time passwords. HOTP creates a one-time use password that doesn't expire until used. TOTP creates a one-time password that expires after 30 seconds. Both can be used as software tokens for authentication.

HVAC 2.0

HVAC systems increase availability by controlling tempt and humidity. Temperature controls help ensure a relatively constant temperature. Humidity controls reduce the potential for damage from electrostatic discharge and damage from condensation. HVAC systems should be integrated with the fire alarm systems and either have dampers or the ability to be turned off in the event of a fire.

Hashing

Hashing is a one-way function that creates a string of characters. You cannot reverse the hash to re-create the original file. Passwords are often stored, as hashes instead of storing the actual password. Additionally, applications often salt passwords with extra characters before hashing them.

Hashing for Integrity

Hashing verifies integrity for data such as email, downloaded files, and files stored on a disk. A hash is a number created with a hashing algorithm and is sometimes listed as a checksum.

HVAC

Higher-tonnage HVAC systems provide more cooling capacity. This keeps server rooms at lower operating temperatures and results in fewer failures.

Honeypots/Honeynets

Honeypots and honey nets attempt to divert attackers from live networks. They give security personnel an opportunity to observe current methodologies used in attacks and gather intelligence on these attacks.

Firewalls

Host-based firewalls provide protection for individual hosts such as servers or workstations. A host-based firewall provides intrusion protection for the host. Linux systems support xtables for firewall capabilities. Network based firewalls are often dedicated servers or appliances and provide protection for the network.

IPsec

IPsec is a secure encryption protocol used with VPNs. Encapsulating security payload (ESP) provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses tunnel mode for VPN traffic and can be identified with protocol ID 50 for ESP. It uses IKE (internet key exchange) over port 500. A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN's private network.

Identification/Authentication/Authorization/Accounting

Identification occurs when a user claims an identity such as with a username or email address. Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified. Access control systems provide authorization by granting access to resources based on permissions granted to the proven identity. Logging provides accounting.

Backups

If you have unlimited time and money, the full backup alone provides the fastest recovery time. Full/incremental strategies reduce the amount of time needed to perform backups. Full/differential strategies reduce the amount of time needed to restore backups.

Physical Access

In the event of a fire, door access systems should allow personnel to exit the building without any form of authentication. Access points to data centers and server rooms should be limited to a single entrance and exit whenever possible.

Integrity

Integrity verifies that data has not been modified. Loss of integrity can occur through unauthorized or unintended changes. Hashing algorithms such as MD5, SHA-1, and HMAC, calculate hashes to verify integrity. A hash is simply a number created by applying the algorithm to a file or message at different times. By comparing hashes, you can verify that integrity has been maintained.

Risk Management 2.0

It is not possible to eliminate risk, but you can take steps to manage it. An organization can avoid risk by not providing a service or not participating in a risky activity. Insurance transfers risk to another entity. You can mitigate risk by implementing controls, but when the cost of the controls exceeds the risk, an organization accepts the remaining, or residual, risk.

Exploiting Mobile Devices

Jailbreaking removes all software restrictions from an Apple device. Rooting modifies an Android device, giving users root-level access to the device. Sideloading is the process of installing software on an Android device from a source other than an authorized store.

Job Rotation

Job rotation policies require employees to change roles on a regular basis. Employees might change roles temporarily, such as for three to four weeks, or permanently. This helps ensure that employees cannot continue with fraudulent activity indefinitely.

Kerberos

Kerberos is a network authentication protocol within a Microsoft Windows Active Directory Domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue time stamped tickets that expire after a certain time period.

Data Roles

Key data roles within an organization are responsible for protecting data. The owner has overall responsibility for the protection of the data. A steward or custodian handles routine tasks to protect data. A privacy officers is an executive responsible for ensuring the organization complies with the relevant laws.

Keyloggers

Keyloggers capture a users keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved depending on the keylogger. Spyware monitors a users computer and often includes a keylogger.

Layered Security

Layered security, or defense-in-depth practices, uses control diversity, implementing administrative, technical, and physical security controls. Vendor diversity utilizes controls from different vendors. User training informs users of threats, helping them avoid common attacks.

Least Functionality

Least functionality is a core security principle stating that systems should be deployed with the least amount of applications, services and protocols.

Least Privilege

Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions

LDAP

Light Weight Directory Access Protocol is based on an earlier version of x.500. Windows active directory domains and unix realms use LDAP to identify objects in query strings with codes such as CN = Users and DC = GetCertifiedGetAhead. LDAPS encrypts transmissions with TLS.

Logs

Logs record what happened, when it happened, where it happened, and who did it. By monitoring logs, administrators can detect event anomalies. Additionally, by reviewing logs, security personnel can create and audit trail.

Loop Protection

Loop protection such as STP (Spanning Tree Protocol) or RSTP (Rapid STP) is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected together.

MAC filtering

MAC filtering can restrict access to a wireless network to specific clients. However, an attacker use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It's relatively simple for an attacker to spoof a MAC address.

Malware

Malware includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware, and more. A virus is malicious code that attaches itself to an application and runs when the application is started. A worm is self-replicating and doesn't need user interaction to run.

Mandatory Vacations

Mandatory vacation policies require employees to take time away from their job. Theses policies help to deter fraud and discover malicious activities while the employee is away.

Social engineering 2

Many of the reasons that social engineers are effective are because they use psychology-based techniques to overcome users objections. Scarcity and urgency are two techniques that encourage immediate action.

Mobile Device Management (MDM)

Mobile device management (MDM) tools help enforce security policies on mobile devices. This includes the use of storage segmentation, containerization, and full device encryption to protect the data. They also include enforcing strong authentication methods to prevent unauthorized access.

Security Controls

Most security controls can be classified as technical (implemented with technology), administrative (implemented with administrative or management methods) or physical (items you can touch).

NAT

Network Address Translation (NAT) translates public IP addresses to private IP addresses and private IP addresses back to public. A common form of NAT is port address translation. Dynamic NAT uses multiple public IP addresses while static NAT uses a single public IP address.

NAC

Network access control (NAC) includes methods to inspect clients for health such as having up to date antivirus software. NAC can restrict access of unhealthy clients to a remediation network. You can use NAC for VPN clients and for internal clients. Permanent agents are installed on the clients. Dissolvable agents (sometimes called agent less) are not installed on the clients and are often used to inspect employee-owned mobile devices.

Normalization

Normalization is a process used to optimize databases. While there are several normal forms available, a database is considered normalized when it confirms to the first three normal forms

Asymmetric Encryption

Only a private key can decrypt information encrypted with a matching public key. Only a public key can decrypt data encrypted with a matching private key. A key element of several asymmetric encryption methods is that they require a certificate and a PKI.

Types of attackers 2

Organized crime elements are typically motivated by greed and money but often use sophisticated techniques. Advanced persistent threats (APTs) are sponsored by governments and they launch sophisticated, targeted attacks.

PAP

PAP (password authentication protocol) uses a password or PIN. A significant weakness is that PAP sends the information across a network in cleartext, making it susceptible to sniffing attacks. CHAP (challenge handshake authentication protocol) is more secure than PAP because passwords are not sent over the network in cleartext.

AP modes

PSK mode (or WPA-PSK & WPA2-PSK) uses a pre-shared key and does not provide individual authentication. Open mode doesn't use any security and allows all users to access the AP. Enterprise mode is more secure than personal mode, and it provides strong authentication. Enterprise mode uses an 802.1x server (implemented as a RADIUS server) to add authentication.

Password Crackers/Network Scanners

Password crackers attempt to discover passwords and can identify weak passwords, or poorly protected passwords. Network scanners can detect all the hosts on a network, including the OS and service or protocols running on each host.

Password Policies

Password policies include several elements. The password history is used with the minimum password age to prevent users from changing their password to a previously used password. Maximum password age causes passwords to expire and requires users to change their passwords periodically. Minimum. password length specifies the minimum number of characters in the password. Password complexity increases the key space, or complexity, of a password by requiring more character types.

Password cracking attacks 2

Passwords are typically stored in hashes. A pass the hash attack sattempts to use an intercepted hash to access an account. Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. Birthday attacks exploit collisions in hashing algorithms.

Patch Management

Patch management procedures ensure that operating systems and applications are up to date with current patches. This protects systems against known vulnerabilities. Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes.

Reconnaissance

Penetration tests include both passive and active reconnaissance. Passive reconnaissance uses open-source intelligence methods, such as social media and an organizations web site. Active reconnaissance methods use tools such as network scanners to gain information on the target.

PII

Personally Identifiable Information (PII) includes information such as a full name, birth date, biometric data, and identifying numbers such as a SSN. PHI is PII that includes medical or health information. Organizations have an obligation to protect PII and PHI and often identify procedures for handling and retaining PII in data policies.

Port Security

Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.

Preventive Controls

Preventive controls attempt to prevent security incidents. Hardening systems increases their basic configuration to prevent incidents. Security guards can prevent unauthorized personnel from entering a secure area. Change management processes help prevent outages from configuration changes. An account disablement policy ensures that accounts are disabled when a user leaves the organization.

Private Networks

Private networks should only have private IP addresses. These are formally defined in RFC 1918.

Proximity Cards

Proximity cards are credit card-sized access cards. Users pass the card near a proximity card reader and the card reader then reads data on the card. Some access control points use use proximity cards with PINs for authentication.

Data Classification

Public data is available to anyone. Confidential data information is kept secret among a certain group of people. Proprietary data is data related to ownership, such as patents or trade secrets. Private data is information about individuals that should remain private. Data classifications and data labeling help ensure personnel apply the proper security controls to protect information.

Remote Authentication 2

RADIUS, TACACS+, and Diameter all provide centralized authentication. TACACS+ can be used with kerberos. Diameter is an improvement over radius and it supports many additional capabilities, including securing transmissions with EAP.

RAID

RAID subsystems, such as RAID-1, RAID-5, and RAID-6, provide fault tolerance and increased data availability. RAID-5 can survive the failure of 1 disk. RAID-6 can survive the failure of 2 disks.

RC4/Blowfish

RC4 is a strong symmetric stream cipher, but most experts recommend using AES instead today. Blowfish is a 64-bit block cipher and twofnsh is a 128-bit block cipher. Although NIST recommends AES as the standard, Blowfish is faster than AES-256.

RSA

RSA is widely used to protect data such as email and other data transmitted over the internet. It uses both a public key and private key in a matched pair.

Cryptology Terms

Random numbers are picked by chance. Pseudo-random numbers appear to be random but are created by deterministic algorithms, meaning that given the same input, a pseudo-random number generator will create the same output. In cryptology, confusion indicates that the cipher text is significantly different than the plaintext. Diffusion cryptographic techniques ensure that small changes in the plaintext result in significant changes in the cipher ciphertext.

Ransomware

Ransomware is a type of malware that takes control of a users system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a users system or data if the victim doesn't pay the ransom. Ransomware that encrypts the user's data is sometimes called crypto-malware.

Mobile Devices 2

Remote wipe sends a signal to a lost or stolen device to erase all data. Geolocation uses GPS and can help locate a lost or stolen device. Geofencing creates a virtual fence or geographic boundary and can be used to detect when a device is within an organizations property. GPS tagging adds geographical data to files such as pictures. Context-aware authentication uses multiple elements to authenticate a user and a mobile device.

Replay attacks

Replay attacks capture data in a session with the intent of later impersonating one of the parties in the session. Timestams and sequence numbers are effective counter measures against replay attacks.

Two accounts

Requiring administrators to use two accounts, one with administrator privileges and another with regular user privileges, helps prevent privilege escalation attacks. Users should not use shared accounts.

Risk

Risk is the likelihood that a threat will exploit a vulnerability. Risk mitigation reduces the chances that a threat will exploit a vulnerability, or reduces the impact of the risk, by implementing security controls.

Rogue Access Points

Rogue access points are often used to capture and exfiltrate data. An evil twin is a rogue access point using the sam SSID as a legitimate access point. A secure AP blocks unauthorized users, but a rogue access point provides access to unauthorized users

role-based training

Role-based training ensures that employees receive appropriate training based on their roles in the organization. Common roles that require role-based training are data owners, system administrators, system owners, end users, privileged users, and executive users.

Rootkits

Rootkits have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.

Access Control Lists

Routers and stateless firewalls (or packet-filtering firewalls) perform basic filtering with an access control list (ACL). ACL's identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the ACL. Anti-spoofing methods block traffic using ACL rules.

Rule-Based Acmes Control (BAC)

Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.

Data Transmission

SMTP (simple mail transfer protocol) sends email on TCP port 25, POP3 receives email on port 110, and IMAP4 uses port 143. STARTTLS allows an encrypted version of the protocol to use the same port as the unencrypted version. HTTP and HTTPS use ports 80 $& 443 and transmit data over the internet in unencrypted and encrypted formats respectively

SSH/TLS

SSH encrypts traffic over TCP port 22. Transport Layer Security is a replacement for SSL and is used to encrypt many different protocols. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP Secure (FTPS) uses TLS to encrypt traffic.

Sandboxing

Sandboxing is the use of an isolated area and it is often used for testing. You can create a sandbox with a virtual machine (VM) and on Linux systems with the chroot command. A secure deployment environment includes development, testing, staging, and production elements.

Secure System Design

Secure systems design considers electromagnetic interference (EMI) and electromagnetic pulse (EMP). EMI comes from sources such as motors, power lines, and fluorescent lights and can be prevented with shielding. Systems can be protected from mild forms of EMP (a short burst of electromagnetic energy) such as electrostatic discharge and lightning.

SAML

Security Assertions Markup Language is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

Separation of Duties

Separation of duties prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing tasks between employees. This helps prevent potential fraud, such as if a single person priest and signs checks.

Forms of Detection

Signature based detection identifies issues based on known attacks or vulnerabilities. Signature based detection systems can detect known anomalies. Heuristic or behavior based IDSs (also called anomaly based) can detect unknown anomalies. They start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs significantly from the baseline, the IDS sends an alert.

Smart Cards

Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password). Smart cards include embedded certificates used with digital signatures and encryption. CAC's and PIV's area are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.

Social Engineering

Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn't normally take. Social engineering attacks can occur in person, over the phone, while surfing the internet, and via email.

Social Media

Social media sites allow people to share personal comments with a wide group of people. However, improper use of social networking sites can result in inadvertent information disclosure. Attackers can also use information available on these sites to launch attacks against users or in a cognitive password attack to change a users password.

Software Development Life Cycle Models

Software development life cycle (SDLC) models provide structure for software development projects. Waterfall uses multiple stages going from top to bottom with each stage feeding the next stage. Agile is a flexible model that emphasizes interaction with all players in a project. Secure DevOps is an agile-aligned methodology that stresses security throuout the lifetime of the project

Spam / Phishing

Spam is unwanted email. Phishing is malicious spam. Attackers attempt to trick users into revealing sensitive or personal information or clicking on a link. Links within email can also lead to unsuspecting users to install malware.

Spoofing Attacks

Spoofing attacks typically change data to impersonate another system or person. MAC spoofing attacks change the source MAC address and IP spoofing attacks change the source IP address.

Application Analysis

Static code analysis examines the code without running it and dynamic analysis checks the code while it's running. Fuzzing techniques send random strings of data to applications looking for vulnerabilities. Stress testing verifies an application can hanlde a load (ex: DDoS). Sandboxing runs an application within an isolated environment to test it. Model verification ensures that the application meets all specifications and fulfills its intended purpose.

Steganography

Steganography hides messages or other data within a file. For example, you can hide messages within the white space of a JPEG or GIF file. Security professionals use hashing to detect changes in files that may indicate the use of steganography.

Stream Ciphers vs Block Ciphers

Stream ciphers encrypt data a single bit, or a single byte at a time in a stream. Block ciphers encrypt data in a specific-sized block such as 64 bit or 128 bit blocks. Stream ciphers are more efficient than block ciphers when encrypting data in a continuous stream.

Symmetric Encryption

Symmetric encryption uses the same key to encrypt and decrypt data. For example, when transmitting encrypted data, symmetric encryption algorithms use the same key to encrypt and decrypt data at both ends of the transmission media. RADIUS uses symmetric encryption.

TLS

TLS is the replacement for SSl. Both TLS and SSL require certificates issued by certificate authorities (CAs). TLS encrypts HTTPS traffic, but it can also encrypt other traffic.

Physical Access Controls 2.0

Tailgating is a social engineering tactic that occurs when one user follows closely behind another without using credentials. Mantraps allow only a single person to pass at a a time. Sophisticated mantraps can identify and authenticate individuals before allowing access.

Administrator Tools

Tcpdump is a command-line protocol analyzer. It can create packet captures that can then be viewed in Wireshark. Nmap is a sophisticated network scanner that runs from the command line. Netcat can be used to remotely administer systems and also gather information on remote systems.

Technical Controls

Technical controls use technology to reduce vulnerabilities. Some examples include encryption, antivirus software, intrusion detection systems (IDS's), intrusion prevention systems (IPS's), firewalls, and the principle of least privilege. Technical physical security and environmental controls include motion detectors and fire suppression systems.

Test Restores/Backups

Test restores are the best way to test the integrity of a company's backup data. Backup media should be protected with the same level of protection as the data on the backup. Geographic considerations for backups include storing backups off-site, choosing the best location, and considering legal implications and data sovereignty.

Tethering

Tethering is the process of sharing a mobile devices internet connection with other devices. Wi-Fi direct is a standard that allows devices to connect without a wireless AP or wireless router. MDM tools can block access to devices using tethering or Wi-Fi direct to access the internet.

Attribute Based Access Control (ABAC)

The ABAC (attribute based access control) model uses attributes defined in places to grant access to resources. It's commonly used in software defined networks (SDN's).

BIA

The BIA identifies mission essential functions and critical systems that are essential to the organizations success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.

Discretionary Access Control (DAC)

The DAC (discretionary access control) model specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft NTFS uses the DAC model.

Mandatory Access Control (MAC)

The MAC (mandatory access control) model uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals.

RTO/RPO

The RTO identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. The RPO refers to the amount of data you can afford to lose.

SSID

The SSID (service set identifier) identifies the name of the wireless network. You should change the SSID from the default name. Disabling the SSID broadcast can hide the network from casual users, but an attacker can easily discover it with a wireless sniffer.

Encryption Modes

The electronic codebook (ECB) mode of operation is deprecated and should not be used. Cipher block chaining (CBC) mode combines each block with the previous block when encrypting data and sometimes suffers from pipeline delays. Counter (CTM) combines an IV with a counter to encrypt each block. Galois/Counter Mode (GCM) combines counter mode with hashing techniques for integrity.

Incidence Response Steps

The first step in the incident response process is preparation. After identifying an incident, personnel attempt to contain or isolate the problem. This is often as simple as disconnecting a computer from a network. Eradication attempts to remove all malicious components from an attack and recovery returns a system to normal operation. Reviewing sessions learned allows personnel to analyze the incident and the response with a goal of preventing a future occurrence.

Input Validation

The lack of input validation is one of the most common security issues on web based applications. Input validation verifies the validity of inputted data before using it, and server side validation is more secure than client side validation. Input validation protects against many attacks such as buffer overflow, SWL injection, command injection, and cross-site scripting attacks.

Database Encryption

The primary methods of protecting the confidentiality of data are with encryption and strong access control. Database column encryption protects individual fields within a database.

Biometric Authentication

The third factor of authentication (something you are, defined with biometrics) is the strongest individual method of authentication because it is the most difficult for an attacker to falsify. Biometric methods include fingerprints, retina scans, iris scans, voice recognition, and facial recognition. Iris and retina scans are the strongest biometric methods mentioned in this section, though iris scans are used more than retina scans due to the privacy issues and scanning requirements. Facial recognition is the most flexible, and when using alternate lighting (such as infrared), they might become the most popular. The crossover error rate (CER) measures the accuracy of a system and lower CER's are better.

Time of Day Restrictions

Time of day restrictions prevent users from logging on during restricted times. They also prevent logged-on users from accessing resources during certain times. Location based policies restrict access based on the location of the user.

Popular Hashing Algorithms

Two popular hashing algorithms used to verify integrity are MD5 and SHA. HMAC verifies both the integrity and authenticity of a message with the use of a shared secret. Other protocols such as IPsec and TLS use HMAC-SHA-1.

Hypervisors

Type I Hypervisors run directly on bare-metal systems without an operating system. Type II Hypervisors are software that run within an operating system. Container virtualization runs within isolated cells or containers and does not have its own kernel.

Usage/Permission Auditing

Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing and it can be used to recreate an audit trail. Permission auditing reviews help ensure that users have only the access they need and no more and can detect privilege creep issues.

Multi-factor authentication

Using two or more methods in the same factor of authentication (such as PIN and password) is single factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multi-factor authentication uses two or more factors

Video Surveillance

Video surveillance provides reliable proof of person's location and activity. It can identify who enters and exits secure areas and can record theft of assets.

VLANs

Virtual Local Area Networks (VLANs) separate or segment traffic on physical networks and you can create multiple VLANs with a single Layer3 switch. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location. VLANs are also used to separate traffic types, such as voice traffic on VLAN and data traffic on a separate VLAN.

Virtualization

Virtualization allows multiple virtual servers to operate on a single physical server. It provides increased availability with lower operating costs. Additionally, virtualization provides a high level of flexibility when testing security controls, updates, and patches, because they can easily be reverted using snapshots.

Vishing

Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call.

WPA

WPA (Wi-Fi Protected Access) provided an immediate replacement for WEP (Wired Equivalent Privacy) and originally used TKIP, which was compatible with older hardware. Later implementations support the stronger AES encryption algorithm. WPA2 is the permanent replacement for WEP and WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol and CCMP should be used instead of TKIP.

Wireless attacks

WPA2 using CCMP and AES prevents wireless replay attacks. TKIP is vulnerable and should not be used. Radio-frequency identification (RFID) attacks inlcude eavesdropping, replay, and DoS.

WPS

WPS (Wi-Fi protected setup) allows users to easily configure a wireless device by entering an eight-digit PIN. A WPS attack guesses all possible PINs until it finds the correct one. It will typically discover the PIN within hours and use it to discover the passphrase.

Order of Volatility

When collecting data for a forensic analysis, you should collect it from the most volatile to the least volatile. The order of volatility is cache memory, regular RAM, swap or paging file, hard drive data, logs stored on remote systems, and archived media.

ipconfig/ifconfig

Windows systems use ifconfig to view network interfaces. Linux systems use ifconfig, and ifconfig can also manipulate the settings on the network interfaces. You can enable promiscuous mode on an NIC with ifconfig. The ip command is similar to ifconfig and can be used to view and manipulate NIC settings.

Wireless Scanners

Wireless scanners can detect rogue access points on a network and sometimes crack passwords used by APs. Netcat can be used for banner grabbing to identify the OS and some apps and services on remote servers.

Security Policies

Written security policies are administrative controls that identify a security plan. Personnel create plans and procedures to implement security controls and enforce the security policies.

AP range

You can limit the range of an AP to a room or building by reducing the AP's power level. This prevents people from connecting because they will be out of the AP's range.

BCP Validation

You can validate business continuity plans through testing. Tabletop exercises are discussion-based only and are typically performed in a classroom or conference setting. Functional exercises are hands-on exercises.

CSR

You typically request certificates using a certificate signing request (CSR). The first step is to create the RSA-based private key, which is used to create the public key. You then include the public key in the CSR and the CA will embed the public key in the certificate. The private key is not sent to the CA.