Security + Vocab

session hijacking

a type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address or session cookie.

Ad hoc network

a type of wireless network where connected devices communicate directly with each other instead of over an established medium. wireless stations are configured to connect to other another in a peer to peer topology. This would not normally be part of a secure network design, but might be required in some special circumstances, such as communicating with a wireless host that is physically remote form other network infrastructure.

data exposure

fault that allows PII to be read without being subject to approproate access controls.

redundancy

fault tolerance is often achieved by provisioning redundancy or critical components and signle points of ailure. A redundant component is one that is not essential to the nromal function of a system but that llows the system to recover from the failure of another component.

CER

file extension .CER

secret algorithm

is a cryptographic algorithm that uses the same key to encrypt and decrypt data

failover

operations are designed to failover to the new site until the previous site can be brought back online. failover is a technique that ensures a redundant component, device, application or site can quickly and efficiently take over the functionality of an asset that has failed.

PBKDF2

password based key derivation function2. a key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute forc attacks.

password length

password policies- passwords must be at least this many characters

recovery 7c

password recovery mechanisms are often protected either by challenge questions or by sending a recovery link to a nominated email address or smartphone number.

static code analyzers

performed against the application code before it is packaged as an eecutable process. the software will scan the source coe for signatures of known issues.

Vishing

phishing attack conducted through a voice channel

Port security

preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

ECB

simplest mode of operation is the Electronic Code Book (ECV). ECB simply applies the same key to each plaintext block. This means that identical plaintext bocks can output identical cophertects, making the cipher text vulnerable to cryptanalysis

something you have

smart card, USB token, key fob that contains a chip with authentication data, such as a digitial certificate. more costly. loss and theft of devices. not always standards based so interoperatibility between products can be a problem.

Physical access control

smart cards and proximity cards can be used as a physical access control to gain access to building premises via secure gateways

ROT13

example of caesarean cipher rotates each letter 13 places

SAN

. Subject Alternative Name (SAN)- the subdomains are listed as extensions. If a new subdomain is added, a new certificate must be issued. when creating a web certificate it is important that the subject matches the Fully Qualified Domain Name (FQDN) by which the server is accessed, or browsers will reject the certificate. if using multiple certificates for each subdomain is impractical, a single certificate can be ussued for use with multiple subdomains by using a SAN. this can cause problems with legacy browser software and some mobile devices. There is also greater exposure for the servers operating each subdomain should the certificate be compromised.

cryptographic attacks

A cryptographic attack is a method for circumventing the security of a cryptographicsystem by finding a weakness in a code, cipher, cryptographic protocol or key management scheme. This process is also called "cryptanalysis". cryptanalysis this is the art of breaking or cracking cryptographic systems

Bridge

A device similar to a switch that has one port for incoming traffic and one port for outgoing traffic.

physical

A host or network segment that has no sort of physical connectivity with other hosts or networks is referred to as air gapped

ANT

protocol and its associated product standard ANT+ have seen widespread use in communiating health and fitness sensor data between devices.

user account

the logon ID required for any user who wants to access a Windows computer

elasticity

the systems ability to handle changes in demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly doubles. Conversely, it may be important for the system to be able to reduce costs when demand is low. Elastiity is a common selling point for cloud services.

likelihood

variable used to calculate risk . likelihood is the probability of the threat being realized.

Active reconnaissance

active vulnerability scanning is that an attempt is made to actively test security controls and exploit any vulnerabilities discovered. more risk of detection, gain physical access to premises or using scanning tools on the targets web services and other networks

Scarcity social engineering

creating a false sense of scarcity/urgency can disturb peoples ordinary decision making processes. The social engineer can try to pressure his or her target by demanding a quick response. ie limited time, or invitation only ploys.

key management

in cryptography- the process of administering cryptographic keys, often performed by a CA, and including the management of usage, storage, expiration, renewal, revocation, recovery, and escrow. In physical security, a scheme for identifying who has copies of a physical key or key card.

cloud deployment models

in most cases the cloud will be offsite relative to the organizations users, who will require an Internet link to access the cloud services. There can be different ownership and access arranagements for clouds: Public, hybrid, private, community cloud.

Blowfish/Twofish

Blowfish is a freely available 64 bit block cipher algorithm that uses a variable key length. secure and fast. Twofish is a symmetric key block cipher, similar to blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits

BPA

Business partners agreement. most common model in IT is the partner agreements that large IT companies set up with resellers and solution providers

cloud access security broker

CASB is enterprise management software designed to mediate access to cloud services by users accross all types of devices. Some of the functions of a CASB are: 1. enable SSO authentication and enforc access controls and authorizations from the enterprise network to the cloud provider. 2. scan for malware and rogue or non cmpliant device access 3. monitor and audit user and resource activity 4. mitigate data exfiltration by preventing access to unathorized cloud services form managed devices.

CRL

CAs must maintain a vertificate revocation list (CRL) of all revoked and suspended certificates which can be distributed throughout the hierarchy. A CRL has the attributes: 1. publish period or the date and time on which the CRL is published, most CAs are set up to publish the CRL automatically. 2. distribution points-- or the locations to which the CRL is published 3. validity period- the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period 4. signature- the CRL is signed by the CA to verify its authenticity

cameras

CCTV. cheaper than security guards. deterrent. movement and access can be recorded. cameras in CCTV network are typically connected to a multiplexer using coaxial cabling. The multiplexer can then display images from the cameras on one or more screens, allow the operator to control camera functions, and record the images to tape or hard drive.

cyber incident response teams

CIRT is the single point of contact for the notification of security incidents. meter should be able to provide the range of decision making and technical skills required to deal with different types of incidents

continuity of operation planning

COOP. sometimes referred to as a Business continuity plan (BCP). collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.

crypto service provider

CSP. a cryptographic module (algorithms underpinning cryptography that are interpreted and packaged as a computer program or programming library) that implements Microsofts CryptoAPImight be implemented as software or it might run as firmware e.g. as a smart card. In Microsoft Windows, a Cryptographic Service Provider is a software library that implements the Microsoft CryptoAPI. CSPs implement encoding and decoding functions, which computer application programs may use, for example, to implement strong user authentication or for secure email.

CSR

Certificate Signing Request. CSR. when a subject wants to obtain a certificate it completes a CSR and submits it to the CA. the CSR is Base 64 ASCII file containing the information that the subject wants to use in the certificate, including its public key. The CA then reviews the certificate and checks that the infomration is cvalid. IF the request is accepted, the CA signs the certificate and sends it to the subject.

CA

Certificate authority is the person or body responsible for issuing and guaranteeing certificates. Private CAs can be set up within an organization for internal communications. For public or business to business communications the CA must be trusted by each party. The function of the CA are: 1. provide a range of certificate services useful to the community of users serviced by the CA. 2. ensure the validity of certificates and the identity of those applying for them ie registrtion 3. establish trust in the CA by users and government an regulatory authorities and enterprises such as financial institutions 4. manage the servers ie repositories that store and administer the certificates 5. perform key and certificate lifecycle management

CHAP

Challenge Handshake Authentication protocol. Authentication scheme developed for dial up networks that uses an encrypted three way handshake to authenticate the client to the server. The challenge response is repeated throughout the connection (transparently to the user) to guard against replay attacks. developed as a means of authenticating users over a remote link. 1. challenge- the server challenges the client, sending a randomly generated challenge message. 2. response- the client responds with a hash calculated from the server challenge message and client password 3. verification- the server performs its own has using the password hash store for the client. if it matches the response, then access is granted. otherwise the connection is dropped. the handshake is repeated with a different challenge message periodicially during the connection, through transparent to the user to guard against replay attacks.

CBC

Cipher Block Chaining (CBC_ is a cipher mode of operation which improves cipher text integrity by applying an initialization vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertect from any given plaintext. the output of the first cipher text is then combined with the next plaintext block using an XOR operation. The process is repeated through the full chain of blocks, which ensures that no plaintext block produces the same cipher text. The problem with CBC is the chain nature of the algorithm means that it must be processed serially when performing encryption operations and cannot take advantage of the ability of modern CPUs to process information in parallel

cloud based 9D

Cloud based DLP extends the protection mechanisms to cloud storage services, using either a proxy to mediate access or the cloud service provider's API to perform scanning and policy enforcement.

trusted operating system

Common Criteria (CC) is an ISO standard defining security frameworks. an OS that meets the criteria for a Common Criteria OS protection profile can be described as a Trusted OS. in general a trusted oS provides: 1. trusted computing base (TCB)- the kernel and sasociated hardware and processes must be designed to support the enforcement of a security policy ( an Access control model) ie it should be taper resistant, resistnt to vulnreabilities, and not be able to be bypassed (provis complete mediation between users and resources). the TCB should be as small as possible to facilitate better analysis and understanding. 2. security features- such as support for multilevel security (Mandatory Access Control) a problem for many OSes is the means of rectricting root or Admin access to classified data. the process for patching security vulnerabilities is also critical. 3. assurance- such as secure design principles, avialble of code reviews and audits etc. IE. the computing evironment is trusted not to create security issues.

containerization

Containerization involves bundling an application together with all of its related configuration files, libraries and dependencies required for it to run in an efficient and bug-free way across different computing environments. The most popular containerization ecosystems are Docker and Kubernetes. when a device is privately owned and stores a mix of corporate and personal data, the questions of data ownership and privacy arise. have been addressed by EMM vendors in the form of containerization which allows the employer to manage and maintain the portion of the device that iterfaces with the corproate network. when the device is used on the enterprise network, a corporate workspace with a defined selection of apps and a separate storage container is created 9storage segmentation) the enterprise is thereby able to maintain the security it needs but does not have access to personal data/applications. Data in the proteted storage area can be used only by the apps permitted by EMM policy.

Corporate owned

Corporate Owned, Business Only (COBO)- the device is the property f the company and may only be used for company business

COPE

Corporate owned, personally enabled. the device is chosen and supplied by the company and remains its property. the employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force)

automated alerting and triggers

Correlation can then be used to drive an alerting system. baseline for expected pattern of operation for a server or network. thresholds are points of reduced or poor performance or change in configuration that generate an administrative alert. if a threshold is exceeded (a trigger) some sort of automated alert or alarm notification must take place.

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol. replaces TKIP.

TKIP

Temporal Key Integrity Protocol. A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard. TKIP fixes the checksum problem in WEP (Message Integrity Check), uses a larger IV (48 bit) to ensure a unique keystream, transmits it as an encrypted hash rather than in plaintext, and adds a squence counter to resist replay attacks

signal strength

The amount of power used by the radio in an access point or station. simply increasing power output is not always reliable. as you increase power, you also increase the chance of the signal bouncing, causing more interference, especially if there are multple APs. Also the client radio powr levels should match those of the AP or they may be able to recieve signals but not transmit back.

network infrastructure devices

Network infrastructure devices are the components of a network that transport communications needed for data, applications, services, and multi-media. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks.

stapling

OCSP stapling resolves the OSCP issues which are that responding to requests is resource intensive and can place high demands on the issuing CA running the OCSP responder. There is also a provacy issue as the OCSP responder cold be used to monitor and record client browser requests. OCSP stapling resolves these issues by having the SSL/TLS web server periodically obtain a time stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time stamped response, rather than making the client contact the OCSP responder itself.

OpenID Connect

OIDC. an authentication layer that sits on top of the OAuth 2.0 authorization protocol. openID is an identity federation metho that enables users to be authenticated on cooperating websites by a third party authentication service. replaces OpenID to provide an identity management layer over the OAuth 2 protocol so that a site can request an authentication service only. likely to be the mainstream choice for developers implementing federated identity

logs/WORM

OS and applications software can be configured to record data about activity on a computer log. Logs can record information about events automatically. WORM media-- Write once, ready many. Storage media used in SIEM to maintain the integrity of the security data being compiled. for computer logs to be accepted as an audit trail, they must be shown to be tamper proof or tamper evident. log files should be writable only by system processes or by secure accounts that are separate from other admin accounts. Log files should be configured to append only, so that existing entries cannot be modified. or logs can be written to a remote server over a scure communications link. or log files can be written to Write Once, Read Many (WORM) media. WORM technology used to mean optical drives, such as CD-R and DVD-R.

user

On a directory based local network, such as Windos Active Directory, three may be a need for a wider range of user certficate types. For xample in Active Directory, there are user certificate templates for standard users, administrators, smart card logon/users, recovery agent users, and Exchange mail users (with secure templates for signature and encrypton) each certificate has different key usage definitions.

OAuth

Open Authroization a token based authroization protocol that is often used in conjunction with OpenID, protcol designed to facilitate this sort of transfer of information or resources between sites. with OAuth the user grants an OAuth consumer site the right to access resources stored on an OAuth provider website.

PCP/GPG

PGP= Pretty Good privacy which is a popular open standard for encyrption email communication and which can also be used for file and disk encryption. It support a wide range of encryption alogirhtm. PGP corporation is a commercial product. OpenPGP is Gnu Privacy Guard or GPG which is open standard. To use PGP a user needs to install PGP software. The user then creates his or her own certificate. In order to provide some verification that a certificate is owned by a particular user, PGP operates a web of trust model (essentially users sign one anothers certificates)

PIV/CAC/smart card

PIV card= personal identity verification card. a smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electornic authentication of the cards owner. CAC= common access card. a smart card that provides certificate based authentication and supports two factor authentication

P12

PKCS #12 format allos the export of a certificate along with its private key. This would be used to archive or transport a private key. This type of file format is password protected. The private key must be marked as exportable.

PSK v enterprise v open

PSK= pre shared key. a secret that was shared between two parties via a secure channel prior to its use in encrypted communications. a PSK is generated from a pasphrase. Enterprise- 802.1x open-open authentication means that the client is not required to authenticate. This mode would be used on a public AP or hotspot. This also means that data sent over the link is unencrypted. can be combined with secondary authentication link a captive portal or splash page

PAP

Password authentication protocol. obsolete authentication mechanism used with Point-to point protocol (PPP). used to transfer TCP/IP data over serial or dial up connections. PAP transfers the password in plaintext and so is vulnerable to eavesdropping

memory/buffer vulnerability

The attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data. three buffer exploits 1. stack overflow-- the stack is an area of memory sued by a program subroutine. an attacker could use a bufer overflow to change the return address, allowing the attacker to run arbitrary code on the system 2. heap overflow- a heap is an area of memory allocated by the application during execution to store a variable of some sort. a heap overflow cna overwrite those variablews w unexpected effects 3. array index variable- an array is a type of variable desgined to store multple values. it is possible to exploit unsecure code to load the array w mor values that it expects, creating an exception that could be exploited.

SCADA/ICS

Supervisory Control and Data Acquisition (SCADA) systems are components of large scal, multiple site Industrial Control Systems (ICS) deployed to monitor and manage industrial infrastructure facility based processes. SCADA systems run as software on ordinary computers gathering data from and managing plant devices and equipment embedded PLCs referred to as field devices. SCADA is often built without regard to security, though there is a growing awareness of the necessity of enforcing security controls to protect them, especially when the operate in a network environment.

connection methods (11C)

mobile devices use a variety of connection methods to establish communications in local and personal area networks and for internet data access via service providers.

wifi

mobile devices usually default to using a wifi connection for data, if resent. if the user establishes a connection to a corporate network using a strong WPA2 security, there is a fairly low risk of eavesdropping or MitM attacks. the risks from wifi come from users connecting to open access points or possibly a rogue AP imitating a corporate network. these allow the access point ownr to launch any number of attacks, even potentially compromising sessions with secure servers (e.g. use an SSL stripping attack)

model verification

model verification is a compliance testing proess to ensure that the produt or system meets its design goals. model validation is the process of determing whether the application is fit for purpose

vehicles

modern motor vehicles use a substantial amount of electornics, all which can be vulnerable and explutable. computer systems t control engine, steering, breaks in vehicle entertainment, navigation, GPS, black boxes or event data recorder that can log the cars telemtry. Unmanned Aerial Vehicles (UAV)

Nation states/APT

more nation states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals. The term Advanced Persistent Threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected witha virus or a rootkit, an APT refers to the ongoing ability of an adversry to comrpromise network security (to obtain and maintain access) using a variety of tools and techniques. nation state actors have been implicated in many attacks, particularly on energy and health netowrk systems. the goal of nation state actors are primarily espionage nd strategic advantage, but it is not unknown for countries ie North Korea to target companies purely for commerical gain. nation state actors will work at arms length from the state sponsoring and protecting them, maintaining plausible deniability.

authentication issues

most authentication issues involve users not being able to sign in.

mail gateways

most companies deploy a mail gateway server with spam filtering technology. a secure configuration for email is to install an email relay server in a DMZ. the mail relay can be installed with software to monitor and filter email traffic, checking for spam and infected file attachments. can also use blacklists, whitelists, SMTP standards checks, rDNS, tarpitting, recipient filtering to reduce spam. can also provide Data loss preventin services and encryption/decryption services.

content management

primarily refer to MDM but some solutions are branded as Mobile Application Management (MAM) or Mobile Content Management (MCM) because they focus on managing a part of the device, not all of it.

System sprawl/undocumented assets

primary benefit of virtualization is the ease of deploying new systes, this type of system sprawl and deployment of undocumented assets can also be the root of security issues. something rough up just to them languish over months/years undocumented, unsecured and unpatched and each of these undocumented systems could represent an exploitable vulnerability. they increase the potential attack surface of the network. policies and provedures for tracking, securing an when no longer used, destroying vitualized assets should be put in place and carefully enforced.

directory services

principal means of providing privilege management and authorization on an enterprise network. a network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers and printers. most directory services are implemenation of the LDAP.

wireless mice

principle security exploit of wireless keyboard is snooping. e.g. mousjacjing. hackers can use radio transmitters to inject commands and keystrokes or read input. the attack principally works because while keyboar dinput is often encrypted mouse input is not and the vulnerable devices cna be tricked into accepting keyboard input via the mouse controllor.

wireless keyboards

principle security exploit of wireless keyboard is snooping. e.g. mousjacjing. hackers can use radio transmitters to inject commands and keystrokes or read input. the attack principally works because while keyboar dinput is often encrypted mouse input is not and the vulnerable devices cna be tricked into accepting keyboard input via the mouse controllor. device can be reprogrammed to make the device look like another device class. it could then be used to inject a series of keystrokes upon an attachement or work as a keylogger.

least functionality

principle that a system should un only the protocls and services required by legitimate usrs and no more thus reducing the potential attack surface.

continuous integration

principle that developers should comit updates often. this designed to reduce the changes of two developers spending time on code changes that are later found to conflict w one another

infrastructure as code

principle that when deplying an application, the server instance supporting the application can be defined and provisioned through the software code. e.g. a setup program that not only installs the applicatiom but also creates a VM and OS on which to run the application

printers/MFDs

printers, or more generally Multifunction devices (MFD) with fax and scan capabilities represent a powerful pivot point on an enterprise network: interfaces and code are not always kept as secure as OS code, making them potentially more vulnerable to compromise. 2. an adversary can snoop on and copy highly confidential data in cleartext. 3. the hard disk is a useful means of staging data for exfiltration 4. network connectivity ight bridge ser and admin network segments and allow wider network penetration

PEM

privacy Enhanced Electornic Mail. base 64.

permission auditing and review

privileges are reviewed regularly. auditing would include monitoring group membrhsip and revieing access control lists for each resource plus identifying and disabling unnecessary accounts

Banner grabbing

probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting detail about the way the server is configured. this information allows an attacker to identify whether the server is fully patched and to look ip any known software vulnerabilities that might be exposed

3DES

where the plaintext is encrypted three times using different subkeys. in 2key 3DES there is one round with key 1 andround with key2 and then a final round with key1 making the key size 112 bit. Another mode usues three different keys for an overall key size of 168 bits. are considered weak in comparison with modern standards, such as AES

Object Identifies (OID)

certificate fields are expressed as object identifiers

Typosquatting

URL hijacking

motion detection

motion based alarm

alternate processing sites

recovery site

access violations

inappropriately shared credentials or unathorized account creations

on premise v hosted v cloud

location of It resources

sensors

packet sniffer

recovery

system brought back to secure state

bluejacking

A wireless attack where an attacker sends unwanted Bluetooth signals from a smartphone, mobile phone, tablet, or laptop to other Bluetooth enabled devices

HSM

think of a TPM as a sort of small and specialized Hardware Security Module (HSM). an HSM isa more poweful external device used to manage numerous keys in PKI.

accept/transfer/avoid/mitigate risk

1. accept/retence- no contermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed-- continue to monitor the risk 2. transfer/share- assigning risk to a third party such as insurance company 3. avoid- you stop doing the activity that is risk bearing - often not a credible option. 4. mitigate-process of reducing exposure to o the effects of risk factors. if you deploy a countermeasure that reduces exposure to a threat or vulnerability that is risk deterrence. risk redction refers to controls that can either make a risk incidnent less likely or less costly.

lock types

1. conventional-- a conventional lock prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking 2. deadbolt- this is a bolt on the frame of the door, separate to the handle mechanism 3. eletornic- rather than a key, the lock is operated by entering a PIN on an electronic keypad. this type of lock is also referred to as a cipher, combination or keyless 4. token based- a smart lock may be opened using a magnetic swipe card or feature a proximity reader to detect the presence of a wireless key fob or one time password generator (physical tokens) or smart card. 5. biometric- a lock may be integrated with a bioemtric scanner 6. multifactor- a lock may combine different methods

Architecture/design weaknesses

1. single points of failure-- a pinch point relying on a single hardware server or appliance or network channel. 2. complex dependencies-- services that require many diffrent systems to be available. ideally, the failure of individual systems or services should not affect the overall performance of other network services 3. availability over confidntiality and integrity-- often it is tempting to take shortcuts to get a service up and running. compromising security might represent a quick fix but creates long term risks 4. lack of documentation and change control-- network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. it is vital that network managers understnad business workflows and the network services that underpin them. 5. overdependence on perimeter security-- if the network architecture is flat (that is if any host can contact any other host) penetrating the network edge gives the attacker freedom of movement

RSA

1977. widely deployed as a solution for creating digital signatures and key exchange. RSA block sizes and key lengths are variable according to the application with larger keys offering more security. RSA can only be used to encrypt short messages. The maximum message size is the key size in bytes mins 11. use RSA encryption to create a digital signature. the private key is used to encrypt the signature; the public key is distributed to allow others to read it: 1. the sender creates a digest of a message, using a pre secre hash algorithm and then encrypts the digest using her private key. 2. the digital signature is attaches to the original document and delivered 3. the recipient decrypts the signature using the senders public key, resulting in the original hash 4. the recipient then calculates his own message digest of the document, using the same algorithm as the sender, and compares it with the senders digest 5. if the two digests are the same, then the data has not been tampered with during transmission and the senders identity is guaranteed. if either the data had changed or a malicious user had intercepted the message and used a different private key, the digests would not match

IEE 802.1X

802.1x= a standard for encapsulating EAP communications over a LAN or wireless LAN and that provides port based authentication. also known as EAP (extensible authentication protocol). smart cards and other token based systems are often confiured to work with IEEE 802.1x port based network access control framework. 802.1x establishes several ways for devices and users to be seurly authenticated before they are permitted full network access. the authentication mechanisms will be some variant of Extensible Authentication Protocol (EAP) which allows lots of different authentication methods, many of them use a digitial certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credentials.

file transfer

A File Transfer protocol (FTP) server is typically configured with several public directories, hosting files and user accounts. Each user account can be configured with different permissions over files and directories. Most HTTP servers also functon as FTP servers, and FTP services, accounts and directories may be installed and enabled by default when you install a web server. FTP is more efficient compared to file attachements or HTTP file transfer, but has no security mechanisms. All authenication and data transfer are communicated as plain text, meaning that credentials can easily be picked out of any intercepted FTP traffic. Other file transfer protocols TFTP, SFTP, FTPS,

Viruses

A computer virus is a malware that replicates and spreads from computer to computer, usually by infecting executable applications or program code. spread through an infected network generally classified by the vector ie the different ways they can infect the computer and categorized by their virulence. The distinguishing feature of a virus is its ability to replicate by infecting other computer files, a virus can also be configured with a payload that executes when the virus is activated, the payload can perform any actions available to the host process.

digital signature

A digital signature is used to prove the identity of the sender of a message and to show that a message has not been tampered with since the sender posted it. This proved authentication, integrity and non repudiation. To create a digital signature using RSA encryption the private key is used to encrypt the signaturee; the public key is distributed to allow others to read it. The sender creates a diest of the message, using pre agreed hash algorithm, and then encrypts the digest using her private ket. this digital signature is then attached to the original document and delivered. The recipient can decrypt the signature using the senders public key resulting in the original hash. The recipient then calculates his own message digest of the document using the same hashing algorithm and the sender and compares it to the senders digest. if the two digests are the same, then the data has not been tampere with during transmission, and alices identity is guaranteed. If either the data had changed or a malicious user had intercepted the message and used a different private ket, the digests would not match. a message digest(fixed length string) that has been encrypted again with the users private key

ARP poisoning

A network based attack where an attacker with access to the target network redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and MitM. works by broadcasting unsolicited ARP reply packets. because ARP is an antiquated protocol with no security, the recieving devices trust this communication and update their MAC:IP address cache table with the spoofed address. a trivial ARP poisoning attack could be launched by adding static entries to the targets ARP cache. the usual target will be the subnets default gateway. if the arp poisoning attack is successful, all traffic destined for remote networks will be sent to the attacker.

network scanners

A network scanner is a software tool used for diagnostic and investigative purposes to find and categorize what devices are running on a network.identify the structure of the target network. identifies how hosts are connected together on the network.

peripherals

A peripheral device is generally defined as any auxiliary device such as a computer mouse or keyboard, that connects to and works with the computer in some way. e.g. wireless keyboard/mice and display attacks, printers, MFDs, MicroSF cards, digital camers,

automated courses of action

A resiliency strategy can specify automated courses of action that can work to maintain or to restore services with minimal human intervention or even no intervention at all. e.g. you might configure services that are primarily hosted on physical infrastructure to failover to loud base dinstances, or conversely, have a cloud based system failover to backup site with physical servers. you could al use automation to isolate a network segment if a computer worm outbreak is detected.

mantrap

A secure entry system with two gateways, only one of which is open at any one time.

screen filters

A security control that allows only the computer user to see the screen contents, thus preventing shoulder surfing

session keys

A session key is an encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and another computer or between two computers. Session keys are sometimes called symmetric keys, because the same key is used for both encryption and decryption.

IEEE 802.1x

A standard for encapsulating EAP communications over a LAN or wireless LAN and and that provides port-based authentication. Also known as EAP. The AP passes authentication information to a RADIUS server on the wired network for validation. this allows WLAN authentication to be integrated with the wired LAN authentication scheme.

event deduplication

A technique for removing duplicate copies of repeated data. in SIEM, the removal of reduduenant information provided by several monitored systems. Some errors may cause hundreds or thousands of identical error messages to spawn, temporarily blinding the reporting mechanisms of the SIEM system. Event deduplication means that this type of event storm is identified as a single event.

Ransomware

A type of trojan malware that tries to extort money from the victim. Ransomware uses payment methods such as wire transfers, bitcoin or premium rate phone lines to allow the attacker to extort money without revealing his or her identity or being traced by law enforcement

faraday cage

A wire mesh container that blocks external electromagnetic fields from entering into the container. the cage is a charged conductive mesh that blocks signals from entering or leaving the area

Evil twin

A wireless access point that deceives users into believing that it is a legitimate network access point. An evil twin might just have a similar name, (SSID) to the legitimate one.

bluesnarfing

A wireless attack where an attacker gains access to unauthorized information on a wireless device by using a Bluetooth connection

after action reports

AAR-- lessons learned. process to determine how effective COOP and DR planning and resources were. an AAR would be commissioned after DR exercises or after an actual incident. record actions taken and making notes about the progress of the exercise or incident. next phase would be to have a post incident or exercise meeting to discuss implementation of the lessons learned. then complete a report containing a history of the incident, impact assessment and recommendations for upgrading resources or procedures.

Access Point

AP. A device that provides a connection between wireless devices and can connect to wired networks.

acceptable use policy/rules of behavior

AUP or fair use policy sets out what someone is allowed to use a particular service or resouce for. must be reasonable.

arp

Address resolution protocol. Determine a MAC address based on an IP address. You need the hardware address to communicate. ARP-a view local ARP table. the mechanism by which individual hardware MAC addresses are matches to an IP address on a network

AES

Advanced Encryption Standard. Symmetric algorithm. adopted as a replacement for 3DES by NIST in 2001. faster and more secure than 3DES. block cipher with a block size of 128 bits and key sizes of 128, 192, or 256 bits.

web server

An HTTP server that hosts websites or intranets. A web server is software and hardware that uses HTTP (Hypertext Transfer Protocol) and other protocols to respond to client requests made over the World Wide Web. The main job of a web server is to display website content through storing, processing and delivering webpages to users.

Certificate

An X.509 digitial certificate is issued by a certificate authority (CA) as a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization. a digitial certificate is essentially a wrapper for a subjects public key. As well as the public key, it contains information about the subject and the certificates issuer or guarantor. The certificate is digitially signed to prove that it was issued to the subject by a particular CA. A digitial certificate is an electronic document that associates credentials with a public key.

Amplification

An amplification attack is a network based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor. Distributed Reflection DoS (DRDoS) or amplification attack. The adversary spoofs the victims IP address and attempts to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. this rapidly consumes the victims available bandwidth

application server

An application server is a server that hosts applications. Application server frameworks are software frameworks for building application servers. An application server framework provides both facilities to create web applications and a server environment to run them.

URL hijacking

An attack in which an attacker registers a domain name with a common misspelling on an existing domain so that a user who misspells a URL they enter into a browser is taken to the attackers website.

counter mode

An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CTM and CM

FTPS

Another means of securing FTP is to use the connection security protocol SSL/TLS. As with SMTP, there are two means of doing this-- Explicit TLS (FTPES)- use the AUTH TLS command to upgrade an unsecure connection estbalished over port 21 to a secure one. this protect authentication credentials. the data connection for the actial file transfer can also be encrupted using the PROT command. or implicit TLS FTPS- negoatie an SSL/TLS tunnel before the exchange of any FTP command. this mode uses the secure port 990 for the control connection. FTPS is tricky to configure when there are firewalls between the client and server.

antenna types and placement

Antenna= specially arranged metal wires that can send and receive radio signals. These are used for radio-based wireless networking. most wireless devices have simple omnidirectional vertical rod type antennas, which can recieve and send a signal in all directions. plastic coated variants often used on Aps = rubber ducky antennas. to extend the signal range, you can use a directional antenna focused at a particular point. directional antennas include Yagi (bar with fins) and parabolic (dish or grid) antennas. These are powerful for point to point connections (a wireless bridge) devices supporting wifi standard should have a maximum indoor range of up to 30 m. radio signals pass though solid objects, such as ordinary brick or drywall walls, but can be weakened or blocked by particularly dense or thick material and metal. interference from a variety of electromagnetic interference source can also affect signal reception and strength. other radio based devices can also cause interference as can devices as various as flourescent lighting, microwave ovens, cordless phones, and power motors and heaby maachinery.

AH

Authentication Header. An IPSec protocol that provides authentication for the origin of transmitted data as well as integirty and protection against replay attacks. performs a cryptographic has on the packet plus a shared secret key (known only to the communicating hosts) and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentialty and is consequently not often used.

Identification, authentication, authorization, and accounting (AAA)

Authentication, authorization and accounting. a security concept where a centralized platform verifies object identification, ensures the object is assigned relevant permissions and then logs these actions to create an audit trail

Cross site scripting

Cross-Site Scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and he attacker's site. 1. the attacker identifies an input validation vulnerability in the trusted site 2. The attacker crafts a URL to perform a code injection against the trusted site. This could be coded in a link form the attacker's site to the trusted site or a link in an email message. 3. When the user clicks the link, the trusted site returns a page containing the malicious code injected by the attacker. As the browser is likely to be configured to allow the site to run scripts, the malicious code will execute. 4. the malicious code could be used to deface the trusted site (by adding any sort of arbitrary HTML code), steal data from the users cookies, try to intercept information entered into a form, or try to install malware. The crucial point is that the malicious code runs in the clients browser with the same permissions level as the trusted site. the attack is partcularly effective not only because it breaks the browsers security model, but also because it relies only on scripting, which is generally assumed by browserts to be safe. The vast majority of sites use some sort of scripting and so will not display correctly without it.

custom firmware

Custom firmware, also known as aftermarket firmware, is an unofficial new or modified version of firmware created by third parties on devices such as video game consoles and various embedded device types to provide new features or to unlock hidden functionality.

roles and responsibilities

Cyber incident response team (CIRT) or computer security incident response team (CSIRT) as single point of contact for the notification of security incidents. Tghe members of this team should be able to provide the range of decision making and technical skills required to deal with different types of incidents. The team needs a mixture of senior management decision makers who can authorize actions followin the most serious incidents, managers, and technicians who can deal with minor incidents on their own initiaitves. incident responderas also need to be avialable. teams from legal, HR and marketing also need to be called on if necessary. incident response requires expert staffing.

Groups

DH depends on the use of a group, which can be any mathematical operation with the properties of a trapdoor function. the classic or finite field DH described uses an operation called modular exponentiation. The commonly used groups for finite field DH are group 1 (768 bit), group 2 (1024 bit), group 5 (1536 bit) and group 2048 (2048 bit)

DLL injection

DLL- Dynamic link library -- binary package that implements some sort of standard functionality. DLL injection is not a vulnerability of an application but of the way the operating system allows one process to attach to another. force a legit process to load a malicious link library. the link library will contain whatever function thr malware author wants to be able to run. to perform DLL injection- the malware must already be operating with sufficient privileges. also has to evade AV software. use code refactoring.

USB blocking

DLP products can identify confidential info and the transfer of content to removable media such as USB devices can then be blocked if it does not conform to a predefined policy

Email 9D

DLP products can scan content in structured formats such as a database with a formal access control model or unstructured formats such as email or word processing documents. The products use some sort of dictionary database o algorithm to identify confidential data. The transfer of content to removable media or email can then be blocked if it does not confirm to a predefined policy

DNS poisoning

DNS server cache poisoning. a network based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attackers choosing. redirect traffic for a legitimate domain to a malicious IP address. modify query traffic.

Domain name resolution

DNS= Domain name system which is the service that maps names to IP addresses on most TCP/IP networks, including the internet. DNS (Domain Name Server) resolution is the process of translating IP addresses to domain names. When a profile is configured to look up all numeric IP addresses, Webtrends makes a call to the network's DNS server to resolve DNS entries. Each computer has its own IP address.

DES

Data encryption standard. Symmetric encryption protocol. block cipher using 64 bit blocks and a 56 bit key. replacement = 3DES.

DLP

Data loss/leak prevention- A software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands. These products use some sort of dictionary database or algorithm (regular expression matching) to identify confidential data. the transfer of content to removable media, such as USB devices, or by email, IM or even social media, can then be blocked if it does not conform to a predefine dpolicy. usually consists of policy server, endpoint agents, network agents.

SRTP

Delivery of real time data protocol. principle one is Real Time Transport Protocol (RTP). works in conjunction with RTP Control Protocol (RTCP). Each RTP stream uses a corresponding RTCP session to monitor the quality of the connection and to provide reports to the endpoints. these reports can then be used by the applications to modify codec parameters or by the network stacks to tune WoS parameters. RTP and RTCP use a sequential pair of UDP ports, RTP using an even numbered port and RTCP session using the next higher odd numbered port. the secure connection established by SIPS can also be used to generate a master key to use with the secure version of the transport and control protocols (SRTP and SRTCP). these use AES ecnryption ahd SHA hashing for message confidentiality and integrity.

DHE

Diffie Hellam ephemeral mode. also called EDH is some cipher suites. a cryptographic protocol that is based on Diffie-Hellman and provides for secure key exchange by using ephemeral keys. used for perfect forward secrecy

DSA

Digital signtaure algorih. a public key encryption standard for digital signatures that provides authentication and integrity verification for messages. Adaption of ElGamal's algorithm is used by NIST in DSA. one of the main advantages of ElGamal over RSA is that it can use elliptical curve cryptography

DER

Distinguished Encoding Rules. scheme used by certificates to create a binary representation of the ifnormation in the certificate. A DER encoded binary file an be represented as ASCII characters using base64 Privacy Enhnaced Electronic Mail (PEM) encoding.

DDoS

Distributed Denial of Service- an attack uses multiple compormised computers (a botnet of zombies) to launch the attack. most bandwidth directed DoS attacks are distributed. this means that the attacks are launched from multiple, compromised computers. Typically an attacker will comrpomise one or two machines to use as handlers, masters or herders. The handlers are used to compromise hundreds or thousands or millions of zombie agent PCs with DoS tools bots forming a botnet. To compromise a computer, the attacker must install a backdoor application that gives them access to the PC. They can then use the backdoor application to install DoS software and trigger the zombies to launch the attack at the same time.

DoS

DoS attack- denial of service attack- a network based attack where the attacker disables systems that provide network services by consuming a network link's available bandwidth, consuming a single systems available resources, or exploiting programming flaws in an application or operating system. attack causes a service at a given host to fail or to become unavailable to legitimate users. typically, DoS attacks focus on overloading a service by using up CPU, system RAM, disk space or network bandwidth ie resource exhuastion. many DoS attacks attempt to deny bandwidth to web servers connectd to the internet. or attacks can target known vulnerabilities in software to cause them to crash

Resource exhaustion

DoS attack- overloading a service by using up CPU, system RAM, disp space, or network bandwidth

DNSSEC

Domain name system security extensions-- a security protocol that provides authentication of DNS data and upholds DNS data integrity. With DNSSEC enabled, the authoritative server for the zones create a package of resource records (called an RRSet) signed with a private key (the zone signing key). When another server requests a secure record exchange, the authoritiative server returns the package along with its public key, which can be used to verify the signature. the public zone signing key is itself signed with a seaprate key signing key. Separate keys are used so that if there is some sort of compromise of the zone signing key, the domain can continue to operate securely by revoking the comrpomised key and issuing a new one. the key signing key for a particular domain is validated by the parent domain or host ISP. the top level domain trusts are validated by the regional internet registries and the DNS root servers are self validated using a type of M of N control group key signing. this establishes a chain of trust from the root servres down to any particular subdomain.

EAP-FAST

EAP Flexible Authentication via Secure Tunneling. An EAP method that is expected to address the shortcomings of LEAP. similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a protected access credential (PAC), which is generated for each user from the authentication server's master key. the problem with EAP FAST is in distributing the PAC secreuly to each user requiring access. can either be distributed via an out of band method or via a server with a digitial certificate. or via anonymous Diffie Hellman key exchange.

EAP-TLS

EAP Transport Layer Security. An EAP method that requires a client-side certificate for authentication using SSL/TLS. an encyrpted TLS tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. as both supplicant and server are configured with certificates, this provides mutual authentication.

EAP-TTLS

EAP Tunneled Transport Layer Secrity. An EAP method that enables a client and server to establish a secure connection without mandating a client side certificate. similar to PEAP. uses a server side certificate to establish a protected tunnel through which the users authentication credentials can be transmitted to the authentication server. main distinction from PEAP is that EAP TTLS can use any inner authentication protocol (PAP or CHAP, e.g.) while PEAP must use EAP MSCHAP or EAP GTC

EMI/EMP

Electromagnetic intererence (EMI) is the effect unwanted electromagnetic energy has on electornic equipment. an Electromagnetic Pluse (EMP) is a very powerful but short duration wave with the potential to destroy any type of elecotrnic equipment. built EMP generators and deploy them with the intent of performing a DoS attack aainst a compuer.

elliptic curve

Elliptic curve curve cryptography is an asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields. Eliptic curse cryptography is another type of trapdoor function used to generate public/private key pairs. no known shortcuts to cracking the cipher or the math that underpins it, regardless of key length. therefore ECC used with a key size of 256 bits is very approximately compared to RSA with a key size of 2048 bits. An elliptical curve is often used with the DH and ELGamal protocols to generate the parameters on which the system depends.

ESP

Encapsulation Security Payload ESP) IPSec protocol which provides confidentiality and authentication by encrypting the packet rathe than simply calculating an HMAC. ESP attaches three fields to the packet (a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value)

vulnerability scanner

Examines an organizations systems, applications and devices and compares the scan results to configuration templates plus lists of known vulnerabilities. result is a report showing current state of operations and effectiveness of security controls. is dual use for attackers and defenders probes the network or application;ication to try to discover issues but would not attempt to exploit any vulnerabilities found. can be implemented purely as software or as a security appliance, connected to the network. needs to be kept up to date with information about known vulnerabilities.

EAP

Extensible Authentication Protocol. a wireless authentication protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication Involves three components: 1. supplicant- this is the client requesting authentication 2. autheticator- this is the device that recieves the authentication request (such as a remote access server or wireless access point). The authenticator establshes a channel for the supplicant and authentication server to exchange credentials using the EAP over LAN protocol. it blocks any other traffic. 3. authentication server- the server that performs the authentication (typically an AAA server)

FDE/SED

Full Disk Encryption- entire conents of the drive including system files and folders are encrupted. requires the secure storage of the key used to encrypt the drive contents. normally stored in a TPM also possible to use a removable USB drive. as part of the set up process you create a recovery password or key. this can be used if the disk is moved to another computer or the TPM is damaged. one of the drawbacks of FDE is that because the OS peforms the cryptographic operations, performance takes a hit. this issue is mitigated by Self Encrypting Drives (SED) where the cryptographicopreations are performed byt he drive controlled. SED uses a Media Encryption Key (MEK) to encrypt data and stores the MEK securely by encrypting it with a Key Encryption Key (KEK), generated from the user passwor.d

CGM

Galois/counter mode (CGM) a type of counter mode. Symmetric algorithms do not natively provide message intefiry. The Galois function addresses this by combining the cipher text with a type of message authentication code (GMAC) simile to an HMAC. Where CBC is only considered secure when using a 256 bit key, GCM can be used with a 128 but key to achieve the same level of security

HIDS/HIPS

HIDS- host based intrusion detection system- a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the systems state. HIDS captures information from a single host, such as a server, router, or firewall. HIDS come in many different forms with different capabilities. The core ability is to capture and analyze log files, but more sophisticated systems can also monitor OS kernel files, monitor ports and network interfaces and process data and logs generated by specific applications, such as HTTP or FTP. Host based Intrusion Prevention System (HIPS) with active response can act to preserve the system in its intended state. This means that the software can prevent system files from being omdified or deleted, prevent services form being stopped, log off unathorized users, and filter network traffic. HIDS/HIPS can be much more application specific than NIDS. HIDS/HIPS can analyze encrypted traffic (once it has been decrypted on the host) and it is easier to train the system to recongize normal traffic. disadcantages are that the software is installed on the host and therefore detectable ie vulnerable to attack by malware. the software also consumes CPU, memory and disk resuorces on the host.

HOTP/TOTP

HOTP= HMAC-based one time password. an algorithm that generates a one time password using a has based authentication code to verify the authenticity of the message. the authentication server and client token are configured with the same shared secret. the token could be a fob type device or implemented as a smartphone app. The shared secret can be transmitted to the smartphone app as a QR code image acquirable by the phones camera so that the user doesnt have to type anything. shared secret is combined with a counter to create a one time password when the user wants to authenticate. the device and server both compute the has and derie an HOTP value which the user must enter to auehtnicate with the server .the counter is incremented by one TOTP=time based one time password. an improvement on HOTP that forces one time passwords to expire after a short period of time

hardware security module

HSM. an appliance for geneerting and storing cryptographic keys. This sort of solution may be less suceptible to tampering and insider threats than software based storage. hardware based storage and distribution is typically implemented using removable media, a smart card or at the higher end a dedicate key storage HSM.

hikacking and related attacks

HTTP is a stateless protocol meaning that the server preserves no info about the client. A cookie is a way for web applications to retain info about clients. A cookie is created when the server sends an HTTP response header with the cookie. subsequent request headers sent by the client will usually include the cookie. cookies are eithre non perisistent (session) cookie sin which case they are stored in memory and deleted when the browser instane is close,d or peristence in which case they are stored on the harddrive until deleted by the user or psas a defined expiration date. normally a cookie can only be used by the server or domain that created it, but this can be subverted by a cross site scripting attack. another weakness is where cookies are used to estabish sessions in an application or for user authenication. session IDs are often generated using predictable patters making the session vulnerable to eavesdropping and hijacking, by replaying the cookie to re establish the session

HVAC

Heating, Ventilation, Air conditioning. Building control systems maintain an optimum heating, cooling and humidity level working environment for different parts of the building

Tunnel mode

IPSec can be used in two mode. Tunnel mode is when the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). This is also referred to as a router implementation

Transport mode

IPSec can be used in two modes. Transport mode is when the IP header for each packet is not encrypte,d just the data ie payload. this mode would be used to secure communications on a private network (an end to end implementation)

Loop prevention

In a network with multiple bridges, implemented these days as switches and routers, there many be more than one path for a frame to take to its intended destination. As a layer 2 protocol, ethernet has no concept of time to live. therefore, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitiely. Layer two loops are prevented by the spanning tree protocol (STP). spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

perfect forward secrecy

In standard SSL/TLS (using RSA key exchange), each session key is signed by the servers private key. The RSA key pair is used for both authentication and key exchange. this raises the possibility that if a session has been captured by a packet sniffer, and at some point later the servers private key is cormpomised, the session could be decrypted. This risk is mitigated by perfect forward secrecy which uses Diffie Hellman key agreement to create ephemeral session keys without using the severs private key. can be implemented using Diffie Hellman Ephemeral mode or Elliptic Curve Diffie Hellman Ephemeral mode. Because the DH key is truly ephemeral, even if the encrypted session is recorded there will be no way of recovering a key to use to decrypt at a later data. However, to use PFS, the server and client must negotiate use of a mutually supported cipher suite. A browser will usuallyy try to select a PFS compatible suite but may not support one supported by the server. Also, the server is able to dictate use of preferred cipher suite and may not be set to prefer PFS. use of Diffie Hellman key agreement is likely to reduce server performance, though as use of PFS becomes more prevalent, faster implementations of the cipher suites are likely to be developed

IaaS

Infrastructure as a Service. means of provisioning IT resources such as servres, load balancers, and Storage Area Network (SAN) components quickly. rather than purchase these components and the internet links they require, you rent them on an as needed basis from the service providers data cetner.

IPSec

Internet Protocol Security. A set of open, non propietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet. IPSec operates at a network layer (layer 3) of the OSi model, so the protocol is not application dependent. can provide confidentiality (by encrypting data packets) and integrity/anti replay (by signing each packet) main drawback is that it is quite processor intensive, adding an overhead to data communications. can be used to secure commuications on local networks and as a remote acces sprotocol. can be used with several cryptographic algorithms.

LDAPs

LDAP= lightweight directory access protocol. a network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information. runs over TCP/UDP port 389 by default. LDAPS= lightweight directory access protocol secure which is a method of implementing LDAP using SSL/TLS encryption

Layer 2 v layer 3

Layer 2 is a broadcast Media Access Control (MAC) MAC level network, while Layer 3 is a segmented routing over internet protocol (IP) network. layer 2 ethernet switch or a LAN switch, data switch, or workgroup switch. layer 3 switch- router appliances are capable of many different types of routing, especially over a wide area networks (WAN), and tend not to have many interface ports. such switches with the ability to route traffic efficiently between VLANs are called layer 3 switches. OSI model there are seven layers- the data link layer is layer 2 and the network layer is layer 3. the switches working in these layers are called layer 2 switch and layer 3 swithc respectiviely. Main difference between layer 2 and layer 3 switchinges is the routing function. a lyer 2 switch works with MAC addresses only and does not care about IP addresses or any items of higher layers. A layer 3 swtich, or multi;ayer swith can do all the job that a layer 2 swithc does, and in addition it can do static routing and dynamic routing. that means a layer 3 switch has both MAC address table and IP routing table and handles intraVLAn communication and packet routing between diferent VLANs as well.

LDAP

Lightweight directory access protocol. a network protocol used to access network directory databases, which store information about authorized users and their privileges, as ell as other organizational information

MTBF

Mean time between failures represents the expected lifetime of a product. server (which could be repaired by replacing the hard drive) would be described with an MBF. calculation is the total time divided by the number of failures. for example, if you have 10 devices that run for 50 hours and two of them fail, the MTBF is 250 hours/failure. can be used to determine the amount of asset redundancy a system should have. a redundant system can failover to another asset if there is a fault and continue to operate normally. it can also be used to work out how likely failures are to occur.

MAC filtering

Media access control filtering. Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it. static method is difficult to keep up to date and is relatively error prone. it is also easy for a wireless sniffer to discover valid MAC addresses and spoof them. Enterprise class APs allow you to specify a limit to the number of permitted addresses and automatically learn a set number of valid MAC addresses

MOU/MOA

Memorandum of understanding/Memorandum of agreement. MOU- a prelim or exploratory agreement to express an intent to work together. usually intended to be relatively informal and not to act as bidning contracts. usually have clauses to respect confidentiality. MOA- a formal agreement or contract that contains specific obligations rather than a broad understanding. if one party fails to fulfill its obligations, the other party will be able to seek redress under the terms of the agreement through the courts

Worm

Memory resident viruses that replicate over network resources. Self contained in that it does not need to attach itself to another executable virus. Just like viruses, replicate and spread from computer to computer through an infected network. Typically target some sort of vulnerability in an application such as a database server or web browser. Worm infestation effect is to rapidly consume the network bandwith as the worm replicates. A worm may also be able to crash an operating system or server application. Worms can also carry a payload that may perform some other malicious action such as installing a backdoor. A worm is a type of virus that spreads through memory and network connections, rather than infecting files

MD5

Message Digest algorithm v5. The message digest algorithm was designed in 1990 by RonalD divest one of the fathers of modern cryptography. The most widely used version is MD5 release in 1991, which uses a 128 bit hash value. it is used in IPSec policies for data authentication. considered weak as ways have been found to exploit collisions in the cipher. a bit faster than SHA, offers better compatibility between tools, and the chances of an adversary exploiting a collision in that context are remote.

MSCHAP

Microsoft challenge handshake authentication protocol. a protocol that strengthens the password authentication provided by Protected Extensible Authentication protocol (PEAP). because of the way it used vulnreable NT hsahes, MSCHAP should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encyrpted

man in the browser

MitB. the web browser is compromised by installing malicious plug ins or scrupts o intercepting API calls between the browser process and DLLs.

agent v agentless

Most NAC solutions use clent software called an agent to gather information about the device, such as its anti virus and patch status, presence of prohibited applications, or anything else defined by the health policy. An agent can be persistent or non persistent. some NAC solutions can perform agentless posture assessment. This is useful when the NAC solution must support a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available with an agentless solution.

Dissolvable v permanent

NAC solutions use client software called an agent to gather information about the device, such as its antivirus and patch status, presence of prohiited applications, or anything else defined by the health policy. an agent can be persistent, in which case it is installed as a software application on the client, or non persistent. a non persistent/or dissolvable agent is loaded into memory during posture assessment but is not installed on the device.

payment methods

NFC chip allows a mobile device to make payments via contactless point of sale (PoS) machines. user enters their CC info into a mobile wallet app on the device, the wallet app does not transmit the original CC info but a one time token that is interpreted by the card merchant and linked backed to the relevant customer account.

NIPS/NIDS

NIPS- network based intrusion prevention System. an inline security device that monitors suspicious network and or system traffic and reacts in real time to block it. active response. one typical preventitive measure is to end the TCP session, sending a spoofed TCP reset packet to the attacking host. another option is for the sensor to apply a temprorary filter on the firewall to block the attackers IP address (shunning). NIDS- network intrusion detection system- a system that uses passive hardware sensors to monitor traffic on a specific segment of the network. basic a packet sniffer (referred to as a sensor) with an analysis engine to identiy malicious traffic and a console to allow configuation of the system. basic functionality is to provide psasive detection ie to log intrusion incidents and to displau an alert at the management interface or to email the administrator account. does not slow down traffic and is undetectable by the attacker. cant respond to an attack, heavy traffic can overload the sensor and which can allow packets to pass through uninspected, training and tuning are complex, encrypted traffic cannot be abalyzed

NTLM

NT LAN Manager authentication. a challenge response authentication protocol created by microsoft for use in its products. updates rproblems in LM: the password is Unicode, and mixed case and can be up to 127 characters long. the 128 bit MD4 hsa function is used in place of DES. Lan Manager= LN is a challenge/response auehtnication protocol- when the server recieves a logonrequest it generates a random value caled the challenge or nonce and sends it to the client. both client and server encrypt the challenge using the has of the users password as a key. the client sends this response back to the server. the server compares the response with its version and if they match, autheticates the client. only provides for client authentication, making it vulnreable to man in the middle attacks, and pass the hash attack where the attacker submits a captured authentication has rather than trying to obtain the plaintext password

NFC

Near Field Communication. A standard for peer to peer (2 way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID. An NFC transaction is sometimes known as a bump

NAC

Network access control. a means of ensuring endpoint security-- ensuring that all devices connecting to the network conform to a "health" policy (patch level, anti-virus/firewall configuration, etc.) Most NAC solutions work on the basis of preadmission control (that is, the device must meet the policy to gain access). With preadmission control, supplicant client devices connect to the network via a NAC policy enforcer, such as a swithc, router or wireless access point. other options for the location of the policy enforcer include a VPN remote access gatewat or a specifically configured DHCP server. the policy enforcer checks the client credentials with the NAC policy server and performs machine and user authentication with a RADIUS AAA server. The client is allocated a suitable IP address by a DHCP server and assigned to a VLAN by the switch; depending on whether the policy was met, this would allow access to the network or t a quarantined area or capitbe web portal only.

NAT

Network address translation. a simple form of internet security that conceals intrenal addressing schemes from the public internet by translating between a single public address on the external side of a router and private, non routable addresses internally. NAT was originally devised as a way of freeing up scarce IP addresses for hosts needing Internet access. provides an addressing method for private networks connecting to the internet. essentially, NAT is a service translating between a private (or local) addressing scheme used by hosts on the LAn and a public (or global) addressing scheme used by an Internet facing device. NAt is configured on a border device, such s a router, proxy server or firewall. There are several types of NAt, including static, dynamic, overlaoded and destination NAT. Static and dynamic NAT estbalish connections using 1:1 mappings between a single or pool of private network addresses and the public address.

Secure POP/IMAP

Post Office Protocol v3 (POP3) is a malibox protocol designed to allow mail to be stored on a server and odwnloaded to the recipients email client at his or her convencience. a POP3 client application establishes a TCP connection to the POP3 server over port 110. the user is authenticated by username and password and the contents of his or her mailbox are downladed for processing on the local PC. POP3S is the secured version of the protocol operating over TCP port 995 by default. Secure IMAP (IMPAS) POP3 has limitations, which are addressed by the Internt Message Access Protocol v4 (IMAP4). POP3 is primarily designed for dial up access, the client contacts the server to downlad its message then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. it also allows a client to manage the mailbox on the server to oraganize and to crate multiple mailboxes. Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve messages from designed folders. as with other email protocols, the connection can be secured by establshing an SSL/TLS tunnel. the default port for IMAPS is TCP port 993.

PEAP

Protected Extensible Authentication Protocol. Similar to EAP-TLS, PEAP is an open standard developed by a coalition made up of Cisco Systems, Microsoft, and RSA security. encrypted tunnel is established between the supplicant and authentication server, but PEAP onl requires a server side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password guessing/dictionary, MitM.

RIPEMD

RACE Integrity primitives Evaluation Message Digest ( a message digest algorithm designed as an alternative to MD5 or SHA. Research and Developmnt in Advanced Communications Technologies in Europe (RACE) is a program set up by the EU.

Role based access control

RBAC. an access control model where resources are protected by ACLs that are managed by admins and that provide user permissions based on job functions. set of organizational roles are defined and users allocated to those roles. Users gain rights implicitly through being assiged to a role, rather than explicitly being assigned the right directly.

round robin

RRDNS- round robin Domain Name System- a load balancing technique where multiple DNS A records are acreated with the same name. a client enters a web server name in a browser and the DNS server responsible for resolvin that name to an IP address for client connectivity will return one of several configured addresses, in turn, from amongst a group configured for the purpose.

RFID

Radio Frequency ID. A means of encoding information into passive tags, which can be easily attached to devices, structures, clothing or almost anything else. When a reader is within range of a tag (usually either up to 10 cm or up to 1 m), it produces electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag.

random/psuedorandom number generation

Random Number Generator (RNG) module in the cryptographic implementation is critical to its strength. True Random number generator (TRNG)-- sample some sort of physical phenomena, such as atmospheric noice, with a high rate of entropy. This method is slow but considered much stronger. A Pseudorandom number generator (PRNG) uses software routines to simulate randomness. The germinator usually uses dat from the system, such as mouse and keyboard input timing, process IDS and hard drive samples, as a seed. The seed state is then passed through a mathematical formula in order to output a pseudorandom number

SNMPv3

SNMP= Simple Network Management Protocol-- a protocol for monitoring and managing network devices. SNMP consists of an SNMP monitor and agents. the agent is a process (software or firmware) running on a switch, router, server, or other SNMP comptabile network device. the agent maintains a database called a Management Information Base (MIB) that holds statistics relating to the activity of the device. the agent is also capable of initiating a trap operation where it informs the management system of a notable event. the threshold for triggering traps can be set for each value. the snmp monitor a software program provides a location from which network activity can be overseen. it monitors all agents by polling them at regular intervals for information from the MIBs and displays info for review. it also displays any trap oprations as alerts for the network admin to assess and act upon as necessary. SNMPv3 is more secure than 1 or two. support encyrption and strong user based authentication. instead of community names, the agent is configured with a list of usernames and access permissions. When authentication is required, the SNMP message is signed with an MD5 or SHA has of the users passphrase. the agent can verify the signature and authenticate the user using its own record of the passphrase. SNMPv3 can also use DES or AES to encrypt the contents of traps and query responses.

RADIUS

Remote Authenitcation Dial in USer service. a standard protocol used to manage remote and wireless authentication infastructures. 1. the remote user connects to a RADIUS client, such as an access point, switch, or remote access server. 2. the RADIUS client prompts the user for the authentication details, such as a username and password or digitial certificate. Certificiate based authentiation is available if the RADIUS product support EAP. 3. the remote user enters the required information. the RADIUS client uses this information to create an Access-Request packet. The packet contains username and password (password encrypted using MD5) the RADIUS client and server must be configured with the same shared secret. This is used to has the password. connection type (port) RADIUS client ID (IP address) message authenticator 4. the access request packet is encapsulated and sent to the AAA server using UDP on port 1812. 5. the AAA server decrypts the password. It then checks the authentication info against its security database. If the authentication is valid, it responds to the cleint with an Access-Accept packet; otherwise an Access-Reject packet is returned. depending on the authentication method, there may be another step where the AAA server issues an Access-Challenge, which must be relayed by the RADIUS client. 6. the client checks an authenticator in the the response packet; if it is a valid and an access accept packet is returned, the client authenticates the user. the client then generates an accounting request 9start) packet and transmits it to the server on port 1813 it then opens a session with the user. 7. The server processes the accounting request and replies with an accounting response 8. when the session is closed or interrupted, the client and server exchange Accounting request (stop) and response packets

RC4

Rivest Ciphers or Rons code or Arcfour. stream cipher using a variable length key (from 40 to 128 bits). was used in SSL and WEP but is not deprecated in favor of more modern ciphers

collectors

SIEm software features collectors or connectors to store and interpret (or parse) the logs from diffreent types of systems (host, firewall, IDS sensor etc.) and to account for differences between vendor implementations. A collector would usuaully be implemented as pluf in code written for the SIEM and would scan and parse each event as it was submitted to the SIEm over the network. a collector might also be implemented as a software agent running on the device. The agent would parse the logs generated by the device and establish the network connection back to the SIEM. The sensors and collectors gathering data can be separate from the main SIEM server hosting the correlation engine.

SMS/MMS

SMS= short message services. MMS= multimedia message services. SMS and MMS are operated by cellular network providers. allow tranmission of text messages and binary files. vulnerabilities in processing these messages have resulted in DoS attacks against certain handsets. Vulnerabilities in SMS and the SS7 signaling protocol that underprins it have also cast doubt on the securty of 2 step verification mechanisms.

SFTP

SSH FTP (SFTP) addresses the privacy and integrity issues of FTP (file transfer protocol) by encrypting the authentication and data transfer between client and server. in SFTP a secure link is created between the client and server using SSH over TCP port 22. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or MitM attacks. this solution requires an SSH server that supports SFTP and SFTP client softwar.e

HTTPS

SSL/TLS used with HTTP ie HTTPS. to implement HTTPS, a server is assigned a digitial certificate signed by some trusted certificate autheority CA. the certificate proved the identiy of the server. the servre uses the digitial cert and SSL TLS protocol to encyrpt communications between it and the client. this means that the communications cannot be read or chaned by a third party

SSL/TLS

SSL= Secure Socket Later. Transport Layer Security = TLS. TLS developed from SSl and ratified as a standard. SSL/TLS works as a later between the application and transport laters of the TCP/Ip stack. it is usually used to encrytp TCP connections. it is typically used with the HTP application but can als obe used to secure other TCP application protocols. SSL/TLS handshake-- 1. client makes a connection request (CLIENT_HELLO) listing the highest protocol version, cipher suites and compression algorithm(s) supported. it also sends the date and time plus a random number (ClientRandom), which is used to generate the secret key. The client may also specify a session ID, allowing resumption of an existing session without regentering keys. 2. the server responds with SERVER_HELLO selecting the highest protocol version and strongest cipher suote supported by both, and its own randomly generated number 9ServerRandom), along with any session information. 3. if client and server suport comptable versions and ciphres, the servre sends its X.509 certificate to the client 9CERTIFATE command) followed by the SERVER_DONE command. 4. the cient checks the server's certificate and if verfied responds wth CERTIFICATE_VERIFY. it then performs key exhcnage or key agreement to select the secret session key for use with the confidenality cipher, such as AES, can be done using RSA or Diffie ellman. 5. the server and client then follow the same steps to derive a shared master secret key from the pre master secret and the ClientRandom and ServerRandom values. 6. client and server then exhcnage the CHANGE_CIPHER_SPEC command, to indicate that subsequeny communications will be encrypted, and the FINISHED command, which contains a digest of the command exchange that is used to verify that the handshake process has not been tampered with 7. Once the session is established, clint an server exchange encrypted data in SSL/TLS records, which are placed in transport later packets for delivery.

signle sign on

SSO. an authentication technology that enables a user to authenticate once and recieve authorization for multiple services

SSH

Secure Shell. a remote administration and file copy program that supports VPNs using port forwarding, and that runs on TCP port 22.

SHA

Secure hash algorithm. A cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2. developed for US government by NIST. SH1 was quickly released and it used a 160 bit digest, has weaknesses. SH2-- variants using longer digests (notable 256 bits and 512 bits). Widely used as part of SSL, IPSec, DSS

SECaaS

Security as a Service-- means of implementing a particular security cntrol, such as virus scanning or SIEM like functionality in the cloud. there would be a connector to the cloud service installed locally. e.g. an anti virus agent would scan files locally but be managed and updated from the cloud provider. SECaaS can also be taken to mean providing security systems for cloud based applications, such as SaaS, PaaS

SAML

Security assertion markup language. an XML based data format used to exchange authentication information between a client an a service 1. the principal's user agent (typically a browser) requests a resource from the service provider (SP), making an assertion of identity 2. if the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP) 3. the user agent authenticates with the IdP. the IdP validates the supplied credentials and if correct, provides an authorization token. 4. the user agent presents the SP with the authorization token 5. the SP verifies the token and if accepted, establishes a session and provides access to the resource. SAML authorizations/tokens are written in eXtensible Markup Language (XML).

SIEM

Security information and event management. A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

SLA

Service level agreement- a contractual agreement setting out the detailed terms under which a service is provided

SaaS

Software as a Service-- rather than purchasing software licenses for a given number of seats, a business would access software hosted on a suppliers servers on a pay as you go or lease arrangement (on demand). virtual infrastructure allows developers to provision on demand applications much more quickly than previously. the applications can be developed and tested in the cloud without the need to test and deploy on client computres.

Passive v active

The main distinction between scan types is between active and passive test routines. a scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities. a passive scanner may also use limited interaction techniques such as banner grabbing. These passive techniques will not normally cause performance problems in the server or host being scanned but they will only return a limited amount of information. active scanning techniques involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on the host. more likely to cause performance problems with the hosts. should be scheduled during periods of network downtime. active techniques more likely to detect a wider range of vulnerabilities in host systems and can reduce false positives.

aggregation switches

These are functionally similar to layer 3 switches, but the term is often used for high performing switches deployed to aggregate links in a large enterprise or service prover's routing infrastructure. Rather than 1 Gbps access port and 10 Gbps uplink ports (as would be typical of an access layer switch), basic interfaces on an aggregation switch would be 10 Gbps and uplink/backbone ports would be 40 Gbps.

Command line tools

These tools make it easy to install open source software or develop on UNIX within Terminal. macOS can automatically download these tools the first time you try to build software, and they are available on the downloads page.

Salt, IV, nonce

To resist cryptanalysis, many cryptographic modules need to apply a value to the data being encrypted to ensure that if two identical plaintext are used as input, the output is never the same. The value is usually applied using an XOR operation. The value does not have to be keyt secret. Nonce = an arbitrary number used only once in a cryptographic communication, often to prevent replay attacks (only used once but could be random or pseudo random or a counter value) Salt = a security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input. IV = initialization vector. a technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption. there also may be a requirement that an IV not be reused but this is not a primary characteristic

TLS

Transport Layer Security-- a security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.

TPM

Trusted Platform Module (TPM)RoT is usually established by a type of cryptoprocessor called a trusted platform module which is a specification for hardware pased storage of digitical certificates, keys, hashed passwords and othre user and platform identification information. ie functions as an embedded smartcard. implemented as part of the chipset or as an embedded function of the CPU. Each TPM microprocessor is hard coded with a unique unchangeable RSA private ey (endorsement key) which is used to create various other tpes of subkeys used in key storage, signature, and encryption operations. During the boot process, the TPM compares hashes of key systems state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with. TPM also supports concepts of an owner, usually identified by a password. Anyone with admin control over the setup program can take ownershp of the TM, which destroys and then regenerates it subkeys. TPM can be managed in Windows via the tpm. msc console or though group policy.

USB OTG

USB On the Go (OTG) allows a port to function either as a host or as a device. e.g. a port on a smartphone might operate as a device when connected to a PC, but as a host when connected to a keyboard or external hard drive. USB OTG can be abused. media connected to the smartphone could host malware. the malware might not be able to affect the smartphone itself but could spread between host computers or networks via the devic. it is also possible tha a charging plug could act as a Trojan and try to install apps,

UTM

Unified Threat management. all in one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss prevention, content filtering etc. into a single appliance. usually single console from which you monitor and manage various defense settings. created to resolve problem of managing several complex platforms as well as meeting the significant cost requirements. makes management of organizations network security easier, has downsides though, creates single point of failure that could affect an entire network. can also struggle with latency issues if they are subject to too much network activity.

logical (VLAN)

VLAN- virtual local area network. a logically separate network, created by using switcihng technology. even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate. because enterprise networks typically feature hundreds of switching appliances and network ports, segmentation is more likely to be enforced using virtual LANs (VLANs). any given switch port can be assigned to any VLAN in the same topoogy, regardless of physical location of the switch. the segmentation enforced by VLANs at the data link layer can e mapped to logical divisions enforced by IP subnets at layer 3. VLANs are configured on switches. The VLAn establishes a logica grouping of hosts at layer 2 of the OSI model (Data lInk) and a subnet gives the host in a particular VLAN a distinct network address at layer 3 of the OSI model (Network).

VDI/VDE

Virtual Desktop Infrastructure-- using a VM as a means of provisioning corporate desktops. in a typical VDI desktop omputers are replaced by low spec, low power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. use a remote desktop protocol to connect to the VM. All application processing and data storage in the Virtual Desktop Environemtn (VDE) or workspace is performed by the server.

VM sprawl avoidance

Virtual Machine lifecycle management (VMLM) software can be deployed to enforce VM sprawl avoidance. VMLM solutions provide you with a centralized dashboard for maintaining and monitoring all the virutal environments in your organization. the management procedures for developing and deploying machine images need to be tightly drafted and monitored. VMs should conform to an application specific template with the minimum configuration needed to run that application ie not running unnecessary services. Images should not be run in any sort of environment where they could be infected by malware or have any sort of malicious code inserted.

VM escape protection

Vm escaping is malware running on a guest OS jumping to anoter guest or to the host. the malware needs to identify that it is running in a virtual environment to do this. and then comrpomose the hypervisor. preventing VM escaping is dependent on the virutalization vendor identifying security vulnerabilities in the hypervisor and on these being patched. The impact of VM escaping can be reduced by using effective service design and network plaement when deploying VMs. e.g. when considering security zones such as a DMZ, VMs providing frontend and middleware/backend services should be separated to different physical hosts. This reduces the security implications of a VM escapng attack on a host in the DMZ.

voice and video

Voice over IP (VoIP), web conferencing, and Video teleconferencing (VTC) solutions have become the standard method for the provision of business communication over the last decade as the network technolgoies that support them have become faster, more reliable and cheaper. The main challenges that these applications have in common is that they transfer real time data and must create point to point links between hosts on different networks. Real time services are those that require real time playback. This type of data can be one way, as it is the case with video streams such as Internet TV, or two way as is the case with VoIP and VTC. each part of internet telephony and video conferencing needs to be evaluated for threats and vulnerabilities. includng protocols, servers, handsets and software. the protocols designed to support real tim services cover one or more of the following functions-- 1. session control-- establish, manage, and disestablish communications sessions- user discovery, availability advertising, negotiating session parameters, and session management and termination 2. data transport-- handles the delivery of the actual video or voice information 3. quality of Service-- provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems such as dropped packets, delay or jitter. protocols include SIP, RTP. Also unified communication.

penetration testing v vulnerability scanning

Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. A penetration test attempts to actively exploit weaknesses in an environment. While a vulnerability scan can be automated, a penetration testrequires various levels of expertise.

web application firewall

WAF. A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks. use application aware processing rules to filter traffic. Can be programmed with signatures of known attacks and use pattern matching to block requests containing suspect code. ouput from WAF will be written to a log, which you can inspect to determine what threts the web applicaiton might be subject to. Can be deployed as an appliance or as a plug in software for a web server platform. e.g. ModSecurity, NAXSI, Imperva.

WPA

Wi Fi Protected Access. An improved encryption scheme for protecting Wi Fi communications, designed to replace WEP Version 1 of WPA still uses the RC4 cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger. TKIP fixes the checksum problem in WEP, uses a larger IV to ensure a unique keystream, transmits it as an encrypted hash rather than in plaintext and adds a sequence counter to resist replay attacks.

WPS

Wi Fi protected Setup. An insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8 digit PIN. setting up an AP securely is relatively complex for residential consumers, vendors have developed a system to automate thr process called Wifi Protected setup. To use WPS, both the AP and the wireless station (client device) must be WPS capable. Activating the pushbotton on the AP and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the AP using WPA2. The system generates a random SSID and PSK. If the devices do not support the pushbottom method, the PIN (printed on the AP) can be entered manually. WPS is vulnerable to brute force attack.

Wi Fi Direct/ad hoc

Wi-Fi Direct (formerly Wi-Fi Peer-to-Peer) is a Wi-Fi standard for peer-to-peer wireless connections[1] that allows two devices to establish a direct Wi-Fi connection without an intermediary wireless access point, router, or Internet connection. Wi-Fi Direct is single-hop communication, rather than multihop communication like wireless/mobile ad hoc networks.An ad hoc network is one that is spontaneously formed when devices connect and communicate with each other. The term ad hoc is a Latin word that literally means "for this," implying improvised or impromptu. Ad hoc networks are mostly wireless local area networks (LANs).in Wi Fi direct, one of the devices actually functions as a soft access point. Ad hoc networks only support weak WEP security while Wi Fi direct can use WPA2. peer to peer functions should be genreally disabled as it might be possible for an attacker to exploit a misconfigured device and obtain a bridged connection to the corporate network.

type 1 hypervisor

a bare mtal virtual platform means that the ypervisor (type I) is installed directly onto the computer and manages access to the host hardware without going through a host OS. The hardware needs only support the base system requirements for the hypervisor plus resources for the type and number of guest OSes that will be installed.

firmware OTA updates

a baseband update modifies the firmware of the radio modem used for cellular, WiFi bluetooth, NFC and GPS connectivity. the radio firmware in mobile device contains an OS that is separate from the end user operating system . baseband operating system have been associated with several vulnerablities over the years, so imperative to ensure that updates are applied promplty. updates are usually pushed to the handset by the device vendor often as part of OS upgrades. The updates can be delivered wirelressly, either through a WiFi network or the data connection, referred to as Over the Air (OTA).

least privilege

a basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

implicit deny

a basic principle of security stating that unless something has explicitly been granted access, it should be denied access

Bots

a bot allows the hacker to compromise devices, and turn them into zombies in order to perform DDOs attacks. a botnet is a series of computer that has been infected by a control program called a bot, that enables attackers to exploit the computers to mount attacks. That means that there is a virtual robot inside of your computer performing functions that are being commanded to it. Your machine is infected, it now becomes one of the many devices that is part of this botnet. often gets into your computer through a trojan. Once the botnet software installs itself onto your computer, it doesn't do anything. It just sits there, and it waits for commands from the main system. There is a centralized command and control system that will send out messages, the botnets are looking for those messages and then will perform whatever function is being asked of them in those commands from the mothership.

Brute Force

a brute force attack attempts every possible combination in the key space in order to derive a plaintext psasword from a has. The keyspace is determined by the number of bits used (the length of the key). the longer the key, the more diffiult it is to compute each value, let alone check whether the plaintext it produces is a valid password. constrined by time and computing resources, most effective at cracking short passwords. brute force attacks that are distributed across multiple hardware compnents, like a cluster of high end graphics cards, can be successful at cracking longer passwords

Crypto malware

a class of ransomer that attempts to encrypt data files on any fixed, removable and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key which is held by the attacker

code signing

a code signing certificae is issed to a software publisher, following some sort of identity check and validation process by the CA. the publisher then signs the executables or DLLs that make up the proram to guarantee the validity of a software application or browser plug in.

order of restoration

a complex data center or campus network must be reconstituted according to a carefully designed ordr of restoration. if sytems are brought back online in an uncontrolled way, ther eis the serious risk of cauing additional power problems or of causing problems in the network, OS, or application layers because dependencies between different appliances and server have not been met. generally the order of restoration is: 1. enable and test power delivery systems 2. enable and test switch infrastructure, then routing appliances and systems 3. enable and test network security appliances 4. enable and test critical network servers 5. enable and test backend and middlare. verify data integrity 6. enable and test fron tend applications 7. enable client workstations and devices and client browser access.

honeypot

a computer system set up to attract attackers, with the intention of analyzing attack strategies nd tools to provide early warnings of attack attempts, or possible as a decoy to divert attention from actual computer systems. a honey net is an entire decoy network. can help an organization improve its security system. risk the attacker can learn a great deal about how the network is configured and protected from analyzing the honey pot. honey pots often fully exposed to internet. on a production network , a honeypot is more likely to be located in a protected but untrusted area between the internet and the private network ie the demilitarized zone, or on an isolated segment on the private network. this provides early warning and evidence of whether an attacker has been able to penetrate to a given security zone.

flood guard

a security control in network switches that protects hosts on the switch against SYN flood and ping flood DoS attacks.

recertification

a security control where user access privileges are audited to ensure they are accurate and adhere to relevant standards and regulations

Kiosk

a computer terminal deployed to a public environment. Have a wide range or uses, such as providing ATM servivs or airport check n. Needs to be fully locked down so that users are only able to access the menus and commands needed to orepate the kiosk application. some kiosks will run dedicated operating systems. hardware ports must be made completely inaccessible. if the kiosk supports keyboard input, this must be filtered to prevent the use of control keys to launch additional windows or utilities.

supporting confidentiality

a cryptographic message can only be understood by someone with the right decrypting cipher. Without the cipher, the message looks like gobbledygook. It doesn't matter if a message is stolen or intercepted, because the thief will not be able to understand or change what has been stolen.

privacy impact assessment

a detailed study to assess the risks associated with storing, processing, and disclosing PII. the study should identify vulnerabilities that may lead to data brach and evaluate controls mitigating those risks.

smart cards

a device similar to a credit card that can store authentication information, such as a users private key, on an embedded microchip can be contact based, ie inserted into a reader, or contactless ie proximity card.

risk register

a document showing the results of risk assessments in a comprehensible format. may resemble the traffic light grid shown earlier with columns for impact and likelihood ratings, date of identification, description, countermasures, owner/route for escalation, and status. risk registers are also commonly depicted as scatterplots graphs, where impact and likelihood are each an axis, and the plot point is associated with a legend that includes more information about the nature of the plotted risk. a risk register should be shared between stakeholders so that they understand the risks associated with the workflows that they manage. a document change management process can be used to implement changes in a planned and controlled way.

man in the middle attack

a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently. the attacker sits between two communicating hosts, and transparently captures, monitors and relays all communication between the hosts. Could also be used to covertly modify the traffic. one way to launch a MitM attack is to use trojan software to replace some genuine software on the system. can be defeated using mutual authentication, where both server and client exchnage secure credentials.

SSL/TLS accelerators

a hardware device with a specialist chipset-- Application Specific Integrated Circuit (ASIC)-- dedicated to performing public key encryption calculations, which are intensive in CPU and memory resouces. these are usually implemented as plug in cards for server equipment or load balancing appliances and therefore can be placed anywhere in the network where SSL/TLS offloading is desired.

hardware/firmware security

a hardware root of trust (RoT) or trust anchor is a secure subsystem that is able to provide attestation 9declare something to be true). the hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report and allows the NAC server to trust it. The NAC server compares the report to its stored template of the same metrics and file signatures and devices whether to grant access or not. the problem with establishing a hardware root of trust is that devices are used in environments where anyone cna get complete control over them. There cannot be complete assurance that the firmware underpinning the hardware root of trust is inviolable, but attacks agianst trusted modules are really difficult so as to provide effective security in most cases.

bcrypt

a key-derivation function based on the blowfish cipher alogirthm. an extension of the crypt UNIX library for generating hases from passwords. it uses the Blowfish cipher to perform multiple rounds of hsahing.

Backdoor

a mechanism for failing access to a computer that bypasses or subverts the normal method of authentication

pinning

a method of trusting digitial certificates that bypasses the CA hierarchy and chain of trust to minimize man in the middle attacks. When certificates are used by a transport protoco, such as SSL/TLS there is a possibility that the chain of trust between the client, server and whatever intermediate and root CAs have provided certificates can be compromised. If an adversary can substitute a malicious but trusted certificate into the chain they could be able to snoop upon the supposedly secure connection. certificate pinning refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code signed application, it is inspecting the proper certificate. This might be achieved by embedding the certificate data in the application code or by submitting one or more public keys to an HTTP browser via an HTTP header, ie HPKP>

certificate chaining

a method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred o as a chain of trust.

router

a network device that links dissimilar networks and can support multiple alternate paths between location-based parameters such as speed, traffic loads, and cost. provides connectivity between subnetworks based on their IP address.

Switch

a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.

automation/scripting

an automation solution will have a system of continuous monitoring to detect service failures and security incidents. Continuous monitoring might use a localled installed agent or heartbeat protocol or may involve checking availability remotely.

credentialed v non credentialed

a non credentialed scan is one that proceeds without being able to log on to a host. so the only view obtained is the one that the host exposes to the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces but they are not given any sort of privileged access. a credentialed scan on the other hand is one in which is given a user account with logon rights to various hosts plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in depth analysis especially in detecting when applications or security settings may be misconfigured. It also demonstrates what an insider attack or one where the attacker has compromised a user account may be able to achieve

rule based access control

a non-discretionary access control technique that is based on a set of operational rules or restrictions. any access control model where access control policies are determined by system enforced rules rather than system users. RBAC, ABAC and MAC are all examples of rule based access control.

cloud storage

a particular type of SaaS where the vendor provides reliable data storage and backup. Many cloud storage solutions are comined with content management tools with document permission, version history and collaborate editing features.

rollback to known configuration

a physical instance might not support snapshots but has an internal mechanism for restoring the baseline system configuration, such as Windows system restore. ensures non persistence.

tokens

a physical or virtual item that contains authentication data, commonly used in multifactor authentication. software token= a small piece of code that stores authentication information

Pivot

a pivot point is a system and or set of privileges that allows the tester to compromise other network systems ie lateral spread or the point of access ie a compromised computer or user account for instance

pointer deference

a pointer is a reference to an object at a particular memory location. attempting to access that memory address is called dereferencing. If the pointer has been set to a null value (pherhaps by some malicious process altering the execution environment), this crates a null pointer type of exception and the process will crash.

intranet

a private network that is only accessible by the organizations own personnel. this is a network of trusted hosts owned and controlled by the organization.

extranet

a private network that provides some access to outside parties, particularly vendors, partners and select customers. network of semi trusted hosts, typically representing business partners, supplers or customers. hosts must authenticate to join the extranet

hashing

a process or function that transforms plaintext into cipher text that cannot be directly decrypted. a has is that value that results from hashing encryption. Also known as a hash value or message digest

protocol analyzer

a protocol analyzer facilitates eavesdropping. works in conjunction with a sniffer to perform traffic analysis. Can either analyze live capture or open a saved capture file. Can decode a captured frame to reveal its content in a readable format. A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel varies from a local computer bus to a satellite link, that provides a means of communication using a standard communication protocol (networked or point-to-point).

replay

a replay attack consists of intercepting a key or password hash then reusing it to gain access to a resource, such as the pass the has attack. This type of attack is preventing by using once only session tokens or time stamping sessions

snapshots

a saved system state that can be reappled to the instance. mechanism for ensuring non persistence. point in time copy of data maintained by the file system. A backup program can use the snapshot rather than the live data to perform the backup. virtual system managers can usually take snapshot or cloned copies of VMs. a snapshot remians linked to the original VM, while a clone becomes a separate VM from the point that the cloned image was made.

passively test security controls

a scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities. a passive scanner may also use limited interaction techniques such as banner grabbing. these passive techniques will not normally cause performance problems in the server or host being scanned but they will only return a limited amount of information (the scans can still take up network bandwidth and resources on the network servers. scans could also cause routers or servers to crash

confusion

a secure cipher must exhibit the property of confusion. Confusion means that the key should not be derivable from the cipher text. If one bit in the key changes, many bits in the cipher text should change (each plaintext bit should have a 50 percent chance of flipping). Also the same key should not be used by the algorithm in a predictable way when outputting ciphetects from different plaintext. Confusion is achieved by substitutions (a substitution cipher involves replacing units (a letter or block of letters) in the plaintext with different ciphertext. Simple substitution ciphers rotate or scramble letters of the alphabet), employing both the whole key and parts of the key to output cipher text blocks. Confusion prevents attackers from selectively generating encrypted versions of plaintext messages and looking for patterns in their relationship to derive the key.

diffusion

a secure cipher must exhibit the property of diffusion. diffusion means that predictable features of the plaintext should not be evident in the cipher text. If one bit of the plaintext is changed, many bits of the cipher text should change as a result. Diffusion is obtained through transposition (the unite sin a transposition cipher stay the same in plaintext and cipher text but their order is changed according to some mechanism). Diffusion prevents attackers from selectively determining parts of the message. Modern ciphers must use both substitution and fission to resist cryptanalysis

VPN concentrator

a single device that incorporates advanced encryption and authentication methods in order to handle a large number o VPN tunnels. A VPN concentrator is a type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. It is a type of router device, built specifically for creating and managing VPN communication infrastructures.

Shoulder Surfing

a social engineering tactic to obtain someones password or PIN by observing him or her as he or she types it in. a privacy filter is a security control that allows only the computer user to see the screen contents ie prevents shoulder surfing

Dumpster Diving

a social engineering technique of discovering things about an organization or person based on what it throws away

Tailgating

a social engineering technique to gain ccess to a building by following someone else or persuading them to hold the door

content filter

a software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on)

host based firewall

a software application running on a single host and designed to protect only that host. tend to be program or process based, that is when a program tries to intiiate (in the case of outbound) or accept (in the case of inbound) a TCP/IP network connection, the firewall prompts the user to block allow once, or allow always. Advanced configuration options allow the user to do things such as specify ports or OP scopes for particular programs . unlinke a network firewall, a host based firewall will usuaully display an alert to the user when a program is blocked, allowing the user to override the block rule or add an accept rule. Drawback- as a software it is open to compromise by malware

Firewall

a software or hardware device that protects a system or network by blocking unwanted network traffic. firewalls are the devices principally used to implement security zones, such as intranet, DMZs, and the internet. basic function of a firewall is traffic filtring. firewall processes traffic according to rules. traffic that does not conform to a rule that allows it access is blocked.

Whaling

a spear phishing attack directed specifically against upper levels of management in the organization

guest accounts

a special type of shared account with no password. allows anonymous and unathenticated access to a resource.

fault tolerant

a system that can experience failures and continue to provide the same (or nearly the same) level of service is said to be fault tolreant. Fault tolerance is often achieved by provisioning redundancy for critical components and single points of failure.

key stretching

a technique that strengths potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks. original key is put through thousands of rounds of hashing. can be replicate dbut slows down the attac

Phishing

a type of email based social engineering attack, m in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. usually combined with spoofing (disguising one computer resrouces as another)

Domain Hijacking

a type of hijacking attack where the attacker steals a domain name by altering its registration information and thn trasferring the domain name to another entity. Sometimes referred to as brandjacking. can be achieved by supplying false credentials to the domain registrar when applying for a new domain name or re registering an existing one. can also exploit the legitimate account used to manage the domain (via a weak password or RAT installed on a client compute) or even to compromise the domain registrars security procedures in some way.

air gaps

a type of network isolation that physically separates a network from all other networks.

air gap

a type of network isolation that physically separates a network from all other networks. an air gapped host is one that is not physically connected to any network. Such a host would normally have stringent physical access controls, such as housing it within a secure enclosure, validating any media devices, connected to it, and so on.

load balancer

a type of switch or router that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput. distirbutes client requests across available server nodes in a farm or pool. clients use the single name/Ip address of the load balancer to connect to the server in the famr. this provides for higher throughput or supports more connected users. provides fualt tolerance. if there are multiple servers available in a farm, all addressed by a single name/IP address ia a load balancer, then if a single server fails, client requests can be routed to another server in the farm. layer 4 load balancer- base forwarding decisions on IP address and TCP/UDP port values. stateless. layer 7 load balancer or content switch- need to be able to make forwarding decisions based on application level data, such as a request for a particular URL or data type. requires more complex logic. most load balancers need to be able to provide some or all of the following features: configurable load- the ability to assign a specific server in the farm for certain types of traffic or a configurable proportion of the traffic. TCP offload- the ability to group HTTP packets from a single cluent into a collection of packets asigned to a specific server SSL offload- load balancer can handle the processing of authetication and encryption/decryption reducing the load onthe servers in the farm. caching-- caching mechaism to reduce load on web servers prioritization- filter and manage traffic based on its priorty

identify vulnerability

a vulnerability assessment is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration baseline. could involve manual inspection of security controls but are more often accomplished through automated vulnerability scanners. a vulnerability scanner examines an organizations systems, applications and devices and compares the scan results to configuration templates plus a list of known vulnerabilities. The result is a report showing the current state of operation and the effectiveness of any security controls.

zero day

a vulnerability that is exploited before the developer knows about it or can release a patch

server side v client side execution and validation

a web application can be designed to perfom input validation locally on the client or remotely on the servr. apps can use both techniques for different functions. main issue w client side validation is that the client wil lalway be more vulnerable to some sort of malware interfering with the validation process. main issue w server side validation is that it can be time consuming and involves multiple transactions betwen the server and the client. even after psasing client side validation the input will still undergo serer side validation before it can be posted/accepted.

captive portals

a web page that a client is automatically directed to when connecting to a network, usually through public Wi Fi.

wireless scanners/crackers

a wireless scanner can be used to detect the presence of such networks and report the network name (SSID), MAC address of the access point (BSSID), the frequency band (2.4 or 5 GHZ) and radio channel used by the network and the security mode. tools are also available to sniff packets as they are transmitted wirelessly.

guest

a zone that allows untrusted or semi trusted hosts on the local network. Examples would include computers that are publicly accessible or visitors bringing their own portable computing devices to your permises.

privileged accounts

able to install and remove programs and drivers, change system level settings, and access any object in the file system Admin =windows. linix= root.

ACl

access control list. specifies which subjects (user accounts, host IP addresses, and so on) are allowed or denied access and the privileges given over the object (read only, read/write, and so on). ACLs are configured by specifying an ACL. The rules in a firewall's ACl are processed top to bottom. the rules in a firewalls ACL are processed top to bottom. if traffic matches one of the rules, then it is allowed to pass; consequenlty the most specific rules are placed at the top.

ACLs

access control lists specifies which subject (user accounts, host IP addresses, and so on) are allowed or denied access and the privileges given over the object (read only, read/write, and so on)

expiration

account expiration is the specified amount of time when an account expires to eliminate the possibility that it will be forgotten about and act as possible system backdoors. password expiration policy- when time is reached, the user is forced to change the password. expiration date on account means that account cannot be used beyone a certain date

enforcement and monitoring for rooting/jailbreaking

account used to install the OS and run kernel level processes is not the one used by the device owner. privelege escalation to get aound this: 1. rooting-- this term is associated with Android devices. some endors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use cutom firmware. 2. jailbreaking- iOS is more restrictive than Android so the trem jailbreaking became popular for exploits that enabled the user to obtain root privieleges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer when it boots (tethered jailbreak) 3. carrier unlocking- for either iOS or Android, this means removing the restrictions that lock a device to a single carrier. --rooting or jailbreaking mobile devices involves subverting the security measures on the device to gain admin access to it. This is generally done in order to enable access to setting that cannot normally be changed or to allow applications to be installed that are not authorized by the device vendor. Also has the side effect of leaving many many security measures permanently disabled. if the user has root permissions, then essentially any MDM agent software running on the device is compromised. The device is also at greater risk from malware.

user training

admin control. could ensure that the media is not left unattended on a desk and is not inserted into a computer without scanning it first

Keylogger

aggressive spyware or trojan. actively attempt to steal confidential info. records keystrokes, thereby capturing information.

quantitative

aims to assign concrete values to each risk factor. SLE, ALE. problem with quantitiative risk assessment is that the proecss of determining and assigning these values is complex and time consuming. the accuracy of the values assigned is also dfficult to determine without historical data. however, over time and with experience, this approach can yield a detailed and sophisticated description of assets and risks and provide a sound basis for justifying and prioritizing security expenditure.

crypto modules

algorithms underpinning cryptography that are interpreted and packaged as a computer program or programming library

continuous monitoring

an automation solution will have a system of continuous monitoring to detect service failures and security incidents. Continuous monitoring might use a locally installed agent or heartbeat protocol or may involve checking availability remotely. as well as monitoring the primary site, it is important to observe the failover components to ensure that they are recovery ready.

full device encryption

all but earl versions of moble evice Oses for smartphones and tablets provide full device encryption. various levels of encryption. all user data on the device is always encrypte dbut the key is stored on the device. this is primarily used as a means of wiping the device. the OS kist needs to delete the key to make the data inaccessible rather than wiping each storage location. email data and any apps using the Data Protection option are subject to a second round of encryption using a key derived from and protected by the users passcode if this is configured. this provides security for data in the event that the device is stolen. not all user data is encrypted using the data protetion option; contacts, SMS messages and pictures are not, for exampl.

standard naming convention

allows better administrative control over network resources. the naming strategy should allow administrators to identify the type and function of any partcular resource or location at any point in the directory information tree.

recovery sites

alternate processing sites or recovery sites. A site is another location that an provide the same or similar level of service. an alternate rocessing site might always be availbale and is use, while a recovery site might take longer to set up or only be used in an emergency

DDoS mitigator

an ISP can use either an ACl or blackhole to drop packets for the affected IP addresses. A blackhole is an area of the network that cannot reach any other part of the network. blackhole option is preferred as evaluating each packet in a multi gigabit stream against ACLs overhwlems the processin resources available. blackhold also makes the attack less damaging to the ISPs other customers. with both approaches legitimate traffic is discarded along with the DDoS packets. Another option = sinkhole routing so that traffic flooding a particular IP address is routed to a different network whre it can be analyzed. Potentially, some legitiamte traffic could be allowed through, but the real advantage is to identify the source of the attack and devise rules to filter it. The target can then use low TL DNS records to change the IP address advertised for the service and try to allow legitimate traffic past the flood.

OCSP

an Online Certificate Status Protocol (OCSP) server or an OSCP responder. check the certificates status on the OCSP which rather than returning a whole CRL, this just communicates the status of the requested certificate. a problem is responding to requests is resource intensive and can place high demands on issuing CA running the OCP responder. Also a privacy issue. also a problem with privacy issues because the OSCP responder couldbe used to monitor and record client browser requests.

Social engineering

an activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or violate security guidelines

antivius

an antivirus scanner is a software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools etc. an on access anti virus scanner or intrusion prevention system works by identifying when processes or scripts are executed and intercepting or hooking the call to scan the code fist. if the code matches a signature of known malware of exhibits malware like behavior that matches a heuristic profile, the scanner will prevent execution and attempt to take the configured action on the host file (clean , quarantine, erase and so on). An alert will be displayed to the user and the action will be logged. The malware will normally be tagged using a vendor propietary string and possible by a CME (Common Malware Enumeration) identifier.

asset management

an asset management process takes inventory of and tracks all the organizations critical systems, components, devices, and other objects of value. it also involves collecting and analyzing information about these sasets so that presonnel can make more informed changes or otherwise work with assets to achieve business goals. thre are many software suites and associated hardware solutions available for tracking and managing assets (or inventory). An asset management database can be configured to store as much or as little info as is deemed necessary, though typical data would be type, model, serial number, sset ID, location, user, value and service info.

MAC spoofing

an attack in which an attacker falsifies the factory assigned MAC address of a devices network interface. MAC spoofing changes the media access control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address. while a unique MAC address is assigned to each network interface by the vendor at the factory, it is simple to override it in software via OS commands, lterations to the network driver configuration, or using packet crafting software. this can lead to a variety of issues when investigating security incidents or when depending on MAC addresses as part of a security control, as the presented address of the device may not be reliable. because it operates at the data link layer, MAC address spoofing is limited to the local broadcast domain.

IP spoofing

an attack in which an attacker sends IP packets from false (or spoofed) source address to comunicate with targets. the identifying headers in TCP/IP packets can quite easily be modified using hardware. in an IP spoofing attack, the attacker changes the source and or destination address recorded in the IP packet. IP spoofing is done to disguise the real identity of the attackers host machine. IP spoofing can be defeated on a coproate network by requiring authenticated IPSec tunnels to critical services.

replay attack

an attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session. to crack WEP, a type of replay attack is used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly.

Multi-factor authentication

an authentication scheme that combines the requirements of something you know, something you have and something you are

Kerberos

an authentication service that is based on a time sensitive ticket granting system. network authentication protocol. provides SSO. 3 parts. client request services from a server, which both rely on an intermediary- a key distribution center (KDC) to vouch for their identity. two services make up a KDC(runs on port 88 using TCP/UDP): the authentication service (AS) and the ticket granting service. work over a trusted local network

Hoax

an email based, IM based, or web based attack that is intended to trick the user into performing necessary or undesired actions, such as deleting important system files in an attempt to remove a virus, or sending money or important information via email or online forms. In a hoax attack an email alert or web popup will claim to have identified some sort of security problem such as a virus infection, and offer a tool to fix the problem, the tool however will be some sort of trojan application

email

an email certifiate can be used to sign and encrypt email messages, typically using S/MIME or PGP. The users email address must be entered in the Subject Alternative name (SAN) extension field.

Vulnerabilities due to embedded systems

an embedded system is a complete computer system that is designed to perform a specific, dedicated function. typically static environments-- ie in terms of security can be ideal because unchanging, static environments are typically easier to protect and defende. however vulnerabilities include often being a black box to security admins ie little support for identifying and correcting security issues.

honeynets

an entire dummy network used to lure attackers. a network containing honeypot hosts, designed to attract and study malicious activity. when deploying a honeynet, it is particularly important to ensure that compromised hosts cannot be used to break out of the honeynet and attack the main network.

Shibboleth

an identity federation method that provides single sign on capabilities and enables websites to make informed authroization decisions for access to protected online resources. open source implementation of SAML. compnents of Shibboleth: 1. identity providr- suppots the authentication of users. can be integrated with LDAP, Kerberos, X.509 and other directory and authentication systems 2. Embedded Discovery Service- allows the user to select a preferred identity provider 3. Service provider- processes calls for user authentication by contacting the users preferred identity provider and processing the authentication request and authoriation response. The service provider can be used with the IIS and Apache web servers

reporting requirements/escalation

an incident may be judged too critical to continue to be managed by the first responder. the process by which more senior staff become involved in the management of an incident is called escalation. escalation may also be necessary if no response is made to an incident within a certain time frame. data breach is where an attack succeeds in obtaining information that should have been kept secret or confidential. as well as attempting to identify the attacker, a data breach will normally require that affected parties by notified, especially if personally identifiable information or account security information is involved. as well as data protection legislation many industries have strict regulations regarding the safe processing of data and will set out reporting requirements for notifying affected customers as well as the regulator. The regulator will also require evidence that the systems that allowed the breach have been improved

privacy threshold analysis

an initial audit to determine whether a computer system or workflow collects, stores or processes PII to a degree where a PIA must be performed. PTAs must be repeated every three years.

improper input handling

an input validation attack passes invalid data to the application, and because the input handling on theroutine is inadequate it causes the application or even the oS to behave in an unexpected way. there are many ways of exploiting improper input handling, but many attacks can be described as either overflow or injection type attacks. when an attacker tries to exploit improper nput handling, the results might simply be to crash the process hoting the code or even the OS. The attacker may be able to use the exploit to obtain sufficient privieleges to run whatever malware (or arbitrary code) he or she chooses. a successful exploit can also faciliate data exfiltration from applications, databases, and OS if it allows the adversary to obtain privielegs over the data that they would not normally have.

integer overflow

an integer overflow attack caues the target software to calculate a value that exceeds the fixed upper and lower integer bounds. this may cause a positive number to become negative. it could also be used wher the software is calculating a buffer size, if he attacker is able to make the buffer smaller than it should be, he or she may then be able to launch a buffer overflow attack.

Substitution ciphers

an obfuscation technique where each unit of plaintext is kept the same sequence when converted to ciphertect, but the actual value of the unit changes

Online v offline CA

an online CA is one that is available to accept and process certificate signing requests, publish certificates revocation lists, and perform other certificate management tasks. Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA which means that it is disconnected from any network and usually kept in powered down state. The drawback to an ofline CA is that the CRL must be published manually and the root CA will also need to be brought online to add or update intermediate CAs.

rogue AP

an unauthorized device or service, such as a wireless AP on a corporate or private network that allows unauthorized individuals to connect to the network.

lessons learned

analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. analyze the effectivness of the IRT and the invident response plan particularly what worked well and what needed improvement. completion of the incident documentation to provide a comprehensive description of the invident and how the IRT responded to it

USB

android devices can be connected to computer via USB port, apple devices require a lightining to US converter cable. removable media

ARO

annual rate of occurrence. high likelihood- high ARO

anomaly

anomaly based detection- a network monitoring system that uses a basline of acceptable outcomes or event pattersnt to identify events that fall outside the acceptable range. irregularieis in the use of protocols.

configuration validation

another important process in automation resiliency strategies is to provide configuration validation. this process ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication and application. An automation solution for incident and disaster recovery will have a dashboard of key indicators and may be able to evaluate metrics such as compliance with RPO and RTO from observed data.

live boot media

another option to ensure non persistence is to use an instance that boots from read only storage to memory rather than being installed on a local read/write hard disk.

self signed

any machine, web server, pr program code can be deployed with a self signed certificate. Self signed certificates will be marked as untrusted by the operating system or browser but an administative uer can choose to override this.

Adware

any type of software or browser plug in that displays commercial offers and deals. If user consents to their data being used its adware not spyware. As well as the intrusive aspect, adware and spyware can have negative impact on performance and system stability, with consequent effect on user productivity

Application based v network based

application based firewalls- firewalls can run as software on any type of computing host. application based firewalls ssuch as host based firewall which is implemented as a software application running on a single host designed to protect that host only. appliation firewall- software designed to run on a server to protect a particular application only. this is a type of host based firewall and would typically be deployed in addition to network firewall. Network operating system (NOS) firewall- a software based firewall running under a network server OS. the server would function as a gateway or proxy for a network segment. network based firewalls- appliance firewall- stand alone hardware firewall that performs the function of a firewall only. the functions of the firewall are implemented on the appliance firmware. monitors all traffic passing into and out of a network segment. can be implemented with routed interfaces or as a layer 2/virtual wire transparent firewall. router firewall- similar to appliance firewall except the functionality is built into the router firmware.

Vulnerabilities due to lack of vendor support

applications and devices that remain on sale with serious known vulnerabilities in firmware or drivers and no prospect of vendor support for the a fix is a serious problem.

location based policies

apply different policies to users based on their location in the network

improper error handling

apps need to be able to handle errors and exceptions. This means that the application performs in a more or less expected way when something unexpected happens. An exception means that the current procdure cannot continue. an exception could be caused by invalid user input, a loss of network connectivity, another server or prces failie etc. the programmer should have written an error or exception handler to dictate what the application should then do. some handlers wil ldeal with anticipated errors and exceptions, and there should also be a catch all handler that will deal with the unexpected. the application must not fal in a way that allows the attacker to execute code or perform some sort of injection attack. another issue is that an applications interpreter will default to a standard handler and display deault error messages when something goes wrong. these may reveal the inner workings of code to an attacker. better for an application to use custom error handlers so that the develper can choose the amount of info shows when an error is caused.

security guards

armed or unarmed. can be placed in front of and around a location to protect it. monitor critical checkpoints. verify identification. allow/disallow access. log physical entry events. visual deterrent. apply their own knowledge and intuition to ptoential security breaches. expensive.

obfuscation

art of making messages difficult to understand.d Cryptography is a very effective way of obfuscating a message but unfortunately it is too effective in the case of source code because it means the code cannot be understood by the computer either. At some point the code has to be decrypted to be executed. they key syed for deception must usually be bundled with the source code and this means that you are relying on security by obscurity rather than strong cryptography

supporting integrity

as well we being unintelligible, a message that has been encrypted cannot be changed, so encryption guarantees the message is tmamper proof.

clickjacking

attack where what the user sees and trusts as a web appliation with some sort of login page or form ontains a malicious layer or invisible iFrame that allows an attacker to intercept or redirect user input. can be launched using any type of comrpomise that allows an adversary to run JvaScript. clickjacking can be mitiated by using HTTP response headers that instruct the browser not to open frames from different origins (domains) and by ensuring that any buttoms or input boxes on a page are positioned on the top most layer

Disassociation

attack- hits the target with disassociation packets, rather than fully deauthenticating the station. A disassociated station is not completely disconnected, but neither can it communicate on the network until it reassociated. work against both WEP and WPA. the attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP). Both the AP and clients must be configured to support MFP.

obfuscation/camouflage

code can be made difficult to analyze by using an obfuscator, which is sotware that randomizes the names of variables, contants, functions etc. and performs other operations to make the compuled cod ephysically and mentally difficult to read andfollow.

ABAC

attribute based access control. an access control technique that evaluates a set of attributes that each subject posesses to determine if access should be granted. makes access decisions based on a combination of subject and object attributes plus any context sensitive or system wide attributes. as well as group/role membreships, these attributes could include information about the OS currently being used, the IP address, or the presence of up to date patches and anti malware. flexibile. high osts

Security automation

automated firewalls, IDS, SIEM and privielege management. e.g. security automation might mean that a user account is provisioned by running a script for the appropriate role rather than relying on a human admin to select the appropriate security groups and policy settings

netcat

available for windows and linux. configure nectar as a backdoor. first set up a listener on the victim system set to pipe traffic from a program, such as the command interpreter to its handler. Used the other wt around, nectar can be used to receive files.

qualitative

avoids the complexity of the quantitative approach and is focused on identifying signficiant risk factors. the qualitative approach seeks out peoples opinions of which risk factors are signficant. assets and risks may be placed in simple categories. assets categorized as irreplaceable, high value, medium value, low value. risks categorized as one off or recurrring and as critical, high, medium and low probability. traffic light impact grid- for each risk- red, yellow or green indicator can be put into each column to represent the sverity of the risk, its likelihood, cost of controls etc.

differential

backup all data modified since the last full backup. moderate time to backu and moderate time to restore. no more than two sets.

full backup

backup all selected data regardles sof when it was previously backup up. high time to back low time to restore.

incremental

backup. new files and files modified since the last backup. low time to backup, high time to restore.

barricades/bollards

barricade is something that prevents access. prupose of barricades is to channel people through defined entry and exit pints. Each entry point should have an authentication mechanism so that only authorized persons are allowed through. bollards used in sites where risk of terrorist attacks to prevent vehicles from approaching closely to a building at speed.

Baseline deviation

baseline deviation reporting means testing the actual configuration of clients and servers to ensure that they are patched and that their configuration settings match the baseline template. Microsoft Baseline Security Analyzer (MBSA) tool was popularly used to validate the security config. baseline deviations that are the result of an attack may be very subtly if the attacker has done reconaissance and is familiar with the basleine.

UEFI/BIOS

basic input/output system (BIOS) provides industry standard program code that oreates the essential components of the PC and ensures that the design of each manufacturers motherboard is PC compatible. newer motherboards use a different kind of firmware called Unified Extensible Firmware Interface UEFI). UEFI provides support for 64 bt CPU operation at boot, a full GUI and mouse operation at boot and better security.

account types

basis of privilege management system. standards users have limited privivleges and admiistraritive/privileged accounts

key stretching algorithms

bcrypt. PBKDF2

something you do

behavioral biometric recogntion. template is created by analuzing a behavior such as typing or wirint a signature. variations in speed and pressure applied are supposed to uniquely verify each individual. high error rates. more troublesome to perform. more likelt yo be an intrusion detection or continuous authenticam mechanism.

Trust social engineer

being convincing or establishing trust usually depends on the attacker obtaining privileged information about the organization. ie an attack is more convincing if the attacker knows the employees name.

biometrics

biometric authentication- authentication schemes based on individuals' physical characteristics

something you are

biometric recognition system. fingerpring, iris, retina, facial recognition. chosen biometric is scanned and recorded in database and when the user ants to access a resource he or she is rescanned and the scan is compared to the template. if the confirmation scan matches the template to within a defined degree of tolerance, access is grante.d problems- users can it intruive/threatining to privacy, can be discriminatory or inaccesisble to those with disabilities, setup and maintenance cost to provision biometric reads, vulnerability to spoofing methods

key strength

bit strength ie number of bits in a key

black box

blind. pen testing consultant is given no privileged information about the network and its security systems. this type of test would require the tester to perform the reconnaissance phase. useful for simulating the behavior of an external threat

Authority (social engineering)

difficult to refuse a request by someone they perceive as superior in rank or expertise

BYOD

bring your own device. the mobile device is owned by the employee. the mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the intallation of corporate apps and to some level of oversight and auditing. this model is usually the most popular with employees but poses the most difficulties for security and network managers.

cable locks

cable hardware locks for use with portable devices such as laptops

recording microphone

can be used for snoorping. MDM software may be able to lock down use of features such as recording microphones.

downgrade

can be used to facilitate a man in the middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths. For example, rather than use TLS 2.0 as the server might prefer, the client requests the use of SSL. It then becomes easier for Mallory to forge the signature of a certificate authority that Alice trusts and have Alice trust her public key.

cross site request forgery

can exploit applications that use cookies to authenticate users and track sessions. to work, the attacker must convince the victim to start a session with the target site. The attacker must then pass an HTTP request to the victims browser that spoofs an action on the target site, such as changing a password or an email address. This request could be disguides in a few ways and so could be accomolushed without the victim necessarily having to clck a link if the target site assumes that the browser is authenticated because there is a valid session cookie and doesnt complete any additional authorization proces on the attackers input, it will acept the input as genuine. also referred to as a confused deputy attack.

Organized Crime

can operate across the internet from different jurisdictions than its victims which increases the complexity of prosecution. organized crime will seek any opportunity for criminal profit, but typically activities are financial fraud (against individuals and companies) and blackmail

eradication

cause can then be removed. sample responses to incidents: 1. investigation and escalation 2. allow attack to proceed by contain so that valuable systems and data are not at risk 3. hot swap with backup systems 4. prevention -- countermeasures to end the incident. eradication will involve the reconstitution of affected systems, re audit security controls, ensure the affected parties are notified and provided with the means to remediate their own systems

voice recognition

cheap. obtaining an accurate template cna be difficult and time consuming. background noise and other environmental factors can also interfere with logon. voice is also subject to impersonation

cipher modes

cipher modes of operation which refers to the way a cryptogrpahic product processes multiple blocks

Rootkit

class of backdoor malware that is harder to detect and move. work by changing core system files and programming interfaces so that local shall processes, such as explorer, taskmgr, or lasklist on Windows etc. plus port scanning tools such as netstat no longer reveal their presence (at least if running from the infected machines). They also contain tools for cleaning system logs, further concealing the presence of the rootlet. The most powerful rootlets operate in kernel mode, infecting a machine through a corrupted device driver or kernel patch. a less effective type of rootlet operates in user mode, replacing key utilities or less privileged drivers. Also examples of rootlets that can reside in firmware (ie in computer firmware or firmware of any sort of adapter card, hard drive, removable drive or peripheral device) these can survive any attempt to remove the rootlet by formatting the drive and reinstalling the os.

private cloud

cloud infrastructure that is completely private to an owned by the organization. in this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations canexercise greater control over the privact and security of their services. this type of delivery method is geared more toward banking and governmental services that require strict access control in their operations. can be in premise or offsite relative to the other business units. An onsite link can obviously deliver better performance and is less likely to be subject to outages. On the other hand, a dedicated offsite faciliaty may provide better shred access for multiple users in different locations. hosted private-- hosted by a third party for the exclusive use of the organization. this is more secure and can guarantee a better level of performane but is correspondingly more expensive.

PFX

format that allows the export of a certificate along with its private key. This would be used to archive or transport a private key. This type of file format is password protected. The private key must be marked as exportable.

refactoring

code performs the same function by using different methods. this might be done legitimately to imrpove the code in some way, such as making it run more efficiently, or making it easier to maintain and updat.e can also be used by malware authors to evade detection by AV scanners because the code syntax means that the malware must be identified by a new signature, or be caught by heuristic analysis.

code reuse/dead code

code reuse- using a block of code from elsewhere in the same application or form another application to perform a different function (or perform the same function in a different contect) the risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities. dead code is exectured but has no effect on the program cod.e. unrechable code is part of application source code that can never be executed.

Ping

command that can be used to detect the presence of a host on a particular IP address or that responds to a particular host name. time consuming, not stealthy, would not return detailed results. perform connectivity test

Competitors

competitor driven espionage is thought to be pushed by nation state backed groups. but it is not inconceivable that a rogue business might use cyber espionage against its competitors. such attacks could aim at theft or at disrupting a competitors business or damaging their reputation. Competitor attacks might be facilitated by employees who have recently changed companies and bring an element of insider knowledge with them

threat assessment

compiling a prioritized list of propable and possible threats. some of these can be derived form the ist of assets, others may be non specific to your particular organization. threats could be created by something that the organization is not doing or an asset that it does not own as much as they can from things that it is doing or assets it does own. e.g. public infrastructure, supplire contracts, customer security, epidemic disease. a large part of threat assessment will identify human threat actors, internal and external to the organization. natural diaster, manmade disaster, environmental, legal and commercial. threat assessments should not be confied to analyzing your own business- must also consider critical suppliers and the supply chain.

Wearable technology

computing functionality is being added to wearable items, such as smart watches, bracelets and pendant fitness monitors and eyeglasses. most wearable tech use bluetooth to pair with a smartphone but some can be capable of wifi communiations

usage auditing and review

configuring the security log to record key indicators and then revieiwng the logs for suspicisous activity. behavior recorded by event logs that differs from expected behavior may indiate everything form a minor security infraction to a major incident.

Principles (reason for effectiveness of social engineering attack

consensus, social proof, familiarity, liking, authority and intimidation, scarcity and urgency

proximity cards

contactless smart card is a proximity card in which data is transferred using a tiny antenna embedded in the card.

technical

controls implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and intrusion detection systems

technical control

controls implemented in operating systems, software, and security appliances. examples include Access Control Lists and Intrusion Detection systems

physical control

controls such as alarms, gateways and locks that deter access to premises and hardware are often classed separately

administrative control

controls that determine the way people act, including policies, procedures and guidance. e.g. annual or regularly scheduled security scans and audits can check for compliance with security policies

administrative

controls that detmeurine the way people act, including policies, procedures, and guidance. e.g. annual or regularly scheduled security scans and audits can check for compliance with security policies

strategic intelligence/counterintelligence gathering

counterintelligence is the process of information gathering to protect against espionage and hacking. more counterintelligence info comes from activity and audit logs generated by network appliances and server file systems.

CTM

countermode. addresses the problem of parallelism. functions in the same way as a stream cipher. each block is combined with a nonce counter value. This ensures unique cipher texts from identical plaintext and allows each block to be processed individually and consequently in parallel improving performance

Urgency social engineering

creating a false sense of scarcity/urgency can disturb peoples ordinary decision making processes. The social engineer can try to pressure his or her target by demanding a quick response. ie limited time, or invitation only ploys.

account maintenance

creating an account, modifying account properties, disabling an account, changing an account's password etc.

development lifecycle models

creation and maintenance of software into phases.

high resiliency

cryptography can be used to design highly resilient control systems . a control system is one with multiple parts, such as sensors, workstations, and servers and complex operating logic. such a system is resilient if compromise of a small part of the system is prevented from allowing companies of the whole system. cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system

supporting obfuscation

cryptography is a very effective way of obfuscating am message but unfortunately it is too effective in the case of source code because it means the code cannot be understood by the computer either. At some point the code has to be decrypted to be executed. The key used for decryption must usually be bundled with the source code and this means that you are relying on security by obscurity rather than strong cryptography

security through obscurity

cryptography is in opposition to security through obscurity which means keeping something secure by hiding it.

data in use

data is present in volatile memory such as system RAM or CPU registers and cache. When a user works with data, that data usually needs to be decrypted as it goes form in rest to in use. The data may stay decrypted for an entire work session, putting it at risk. Some mechanisms such as Intel Software Guard Extensions are able to encrypt the day as it exists in memory, so that untrusted process cannot decode the information

data sanitization tools

data sanitization and disposal policy refers to the procedures that the organization has in place for disposing of obsolete information and equipment. methods for data sanitization include: 1. overwriting/disk wiping-- zero filling. 2. low level format-- reset to factory condition. 3. pulverizing/deguassing- magnetic disk can be mechanically shredded or deguassed in specailit machinery. destroy with a drill hammer 4. disk encryption

PII

data that can be used to identify, contact or locate an individual. context matters. prvacy issues, identity theft.

SSL decryptors

decryptor/inspector/interceptor. a type of proxy ued to examine encrypted traffic before it enters or leaves the network. this ensures that traffic complies with data policies and that encryption is not being misued, either as a data exfiltration mechanims or to operate a Command and Control (C2) remote access trojan. an SSL decryptor would be positioned at the network edge and implemented as a transparent bridge. This makes it almost impossible for an adversary to evade the device, unless there is a seaprate backdoor network channel. the drawback is that the decryptor will be a single point of failure, unless a load balancing and failover system is implemented. some typical functions of SSl decryptors inlcude 1. block connections that use weak cipher suites or implementations 2. block connections that cannot be inspeced e.g. they do not use a standard enterprise certificate 3. do not inspect authorized traffic that is subject to privacy or compliance regulations 4. integrate with IDS, DLP, and SIEM to apply security policies nd provide effective monitoring and reporting.

DMZ

demilitarized zone. a small section of a private network that is located behind one firewall or between two firewalls and made available for public access.also refereed to as a perimter network. The idea of a DMZ is that traffic cannot pass through it. A DMZ enables external clients to access data on privatesystems, such as web servers, without compromising the security of the internal network as a whole. if communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy.

general purpose guides

detailed guidance available from several organizations to cover both vendor neutral deployments and to provide third party assessment and advice on deploying vendor products. like the Open Web Application Security Project (OWASP). Security Technical Implementation Guides (STIGs), NationalChecklist Program (NCP), SANS Institue, Center for Internet Security

identification

determine whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholdersmultiple channels by which precursos to an incident may be recorded: 1. using log files, error messages, IDS alerts, firewall alerts, and other resources to establish baselines and identifying those parameters that indicate a possible security incident 2. comparing deviations to established metrics to recognize incidents and their scopes 3. manual or physical inspections of site, premises, netowkrs and hosts 4. notification by an employee, customer or supplier, 5. public reporting of nre vulnerabilities or threats by a systems vendor, regulaor, the media or other outside party. allow a system for confidential reporting. identify the first responder on the CIRT team analyze the incident

code development

development-- code on secure server for editing. usually a sandbox. then test/integration- in this enviro code form multiple developers merged to a single master cpy and subjected to basic unit/functional tests. these tests aim to ensure that the code builds correcly and fulfills the functions required by the design 3. then staging -- mirror of production environment. testing focus on usability and performance. may use test or sample data and will have dditional access controls. 4. production-- the application is released to end users

Dictionary

dictionary attack- a type of password attack that compares encrypted passwords against a predetermined list of possible password values. dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a noncomplex password. rather than attemtping to computer every possible value, the software eunumerates values in the dictionary

national v international

different frameworks based on geographic location and customers served

ephemeral keys

different key for each session or an ephemeral key. improves security because even if an attacker can obtain the key for one session, the other sessions will remain confidential. This massively increases the amount of cryptanalysis that an attacker would have to perform to recover an entire conversation

industry specific frameworks

different regulations for different industries ie HIPAA for healthcare and the Gramm leach Bliley Act GLBA for financial services

camera use

digital cameras can be equipped with wifi and cellular data adapters to allow connection to the internet and posting of images directly to social media sites. smart camera can also be equiped with a GPS reciever. the flash media storage used by a camera may also be infected wih malware or used for data exfiltration so cameras should be trated like any other removable USB storage an their connection to enterpris ehosts subject to access controls. on board camera can be used for snooping. MDM software may be able to lock down use of on board camera.

Watering Hole attack

directed social engineering attack. relies on the circumstance that a group of targets use an insecure third party site. e.g. staff running an international e commerce site might use a local pizza delivery firm and if an attacker can compromise the pizza delivery site they may also be able to install malware on the computers of the e commerce company's emplyess and penetrate the commerce company website

disablement

disable account after maximum number of incorrect logon attempts within a certain period. once an account is disabled, the user is denied access to the server until the network admiistrator reenables the account

Disabling unnecessary ports and services

disable unecessesary ports and services

DAC

discretionary access control. an access control model where each resource is protected by an access control list (ACL) managed by the resources owner or owners. owner is the original creator of the resource, though ownership can be assigned to another user. The owner is granted full control over the resource, meaning that he or she can modify its ACL to grant rights to others. most flexible, weakest and most easy to compromise

password reuse

do not reuse passwords.

Resources/funding

do they have the backing of nation states etc?

context aware authentication

e.g. smartphones now allow users to disable screen locks when the device detects that it is in a trusted location, such as the home.

clean desk

each employees work area should be free from documents to prevent sensitive info from being obtained by unathorized staff or guests in the workplce.

file system security

each object in the fil system has an ACL associated with it. The ACl contains a list of accounts (principals) allows to access the resources and the permissions they have over it. each record in the ACL is acalled an access control entry (ACE). the order of ACEs in the ACL is important in determining effective permissions for a given account.

virtual IPs

each server node or instance needs its own IP address, but externally a load balanced service is advertised using a Virtual IP (VIP) address(es). Different protools available to handleVIP addresses-- differ in the ways that the VIP responds to ARP and ICMP, and in compability with services such as NAT and DNS. One of the ost widely used protocols is the Common Address Redundancy Protocol (CARP). Also ciscos propietary Gateway Load Balancing Protocol (GLBP).

ECDHE

elliptic curve Diffie Hellam Ephemeral. A cryptographic protocol that is based on Diffie Hellman and that provides for secure key exchange by using ephemeral keys and elliptic curve cryptography. provides a perfect forward secrecy mechanism for Transport Layer Security (TLS)

Elliptic curve

elliptic curve cryptology is another type of trapdoor function to generate public private keys. advantage of ECC over RSA algorithm is that there are no known shortcuts. ECC used with a key size of 256 bits is approximately comparable to RSA with a ley size of 2048 bits. often used with the Diffie Hellman and ElGamal protocols to generate the parameters on which the system depends

mandatory vacations

employees forced to take vacation time, in a full week increment so that the corporate audit and security employees have time to investigate and discover nay discrepencies in employee activity

change management

implement changes in a planned and controlled way-- need to change is often described as either reactive, where the change is forced on the organization or proactive-- where the need for change is initiated interally. changes can also be categorized according to their pact and level of risk. in a formal change management proces-s Request for Change (RFC) and Change Advisory Board (CAB)

subscription services

employees may require access to all kinds of subscription services. some examples include: market and financial intelligence and information, security threat intelligence and information, reference and training materials in various formats, software applications and cloud services paid for by subscription rather than permanent licenses. most of this sort of content will be delivered by a secure web site or cloud application. It may be necessary to provision authentication mechanisms for enterprise SSO access to the services. Another use of subscriptions is a web feed, where updated articles or news items are pushed to the client or browser. Web feeds are based on eithre the Real Simple Syndication (RSS) or Atom formats, both of which us XML to mark up each document supplied by the fed. it is possible that such feeds may be vulnerable to XML injection style attacks, allowing an attacker to show malicious links or even interact with the file system

vulnerabilities due to End of life systems

end of life system is one that is no longer supported by its developer or vendor. End of life systems no longer recieve security updates and so represent a critical culnerability f any remail in active use.

Supply chain

end to end process of supplying, manufacturing, distributing and finally releasing goods nd services to a customer. for the TPM to be trustwothy the supply chain of chip manufactuers, firmware authoris, etc. must all be trustwothy

password complexity

enforce password complexity rules (that is, no use of usernamewithin psasword and combination of at least six upper lower case alpha numberic and non alpha numberic characters.

continuing education

ensures that the participants do not treat a single training cours or certificate as a sort of final accomplishment. skills and knowege must be continually updated to cope with chages to technology and regulatory practices.

key escrow

escrow means that something is held independently. In terms of key management, this refers to archiving a ey or keys with a third party. This is a useful solution for organizations that dont have the capability to store keys securely themseves, but it invests a great deal of trust in the third party.

separation of duties

establishing checks and balances against the possibility tha critical systems or procedures can be compromised by insider threats. no one preson should have too much power/responsibility. duties/responsiblities should be divided among individuals to prevent ethical conflicts or abuse of powers. duties such as authorization and approval and design and development should not be held by the same individual. shared authority, lease privielege etc.

XOR

exclusive OR. an operation that outputs to true only if one input is true and the other input is false.. a one time pad is an unbreakable encryption mechanism. The one time pad itself is the encruption key and it consists of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm. To encode and decode the message,e ach character on the pad is combined with the corresponding character in the message using some numerical system. For example a binary message might use a XOR bitwise operation. XOR produces 0 if both valyuesare the same and 1 if the values are different, or put another way an XOR operation outputs to true only if one input is true and the other input is false.

unauthorized software

execution control is the process of determing what additional software may be installed on a client or server beyond its baseline. Execution control to prevent the use of unathorized software can be implemented as either an application whitelist or blacklist. if unathorized software is found installd and/or running on a host, it should normally be removed and you will want to investigate how the software was allowed to be installed or executed.

Application whitelisting/blacklisting

execution control to prevent use of unathorized software can be implemented as eithre an application whitelist or blacklist. whitlist control means that nothing can run if it is not on the approved whitlist. blacklist control means that anthing not on the prohibited blacklist can run.

false acceptance rate

false positivies- interloper is accepted. lead to security breaches

Fat v thin

fat AP= an access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller. thin AP= an access point that requires a wireless controller in order to function

controller based v standalone

fat v thin AP

infrared detection

flame detector- these use infrared sensors to detect flames, and are the most effective and expensive type. Passive Infrared (PIR) which detect moving heat sources for motion detection

escalation of privelege

following the initial exploit, the tester likely has to find some way of escalating privileges available to him/her. for example the initial exploit might give him/her local administration privileges. he or she might be able to use these to obtain system privileges on another machine and then domain administrator privileges from another pivot point.

carrier unlocking

for either iOS or Android this means removing the restrictions that lock a device to a single carrier

P7B

format implements PKCS #7 which is a means of bundling multiple certificates in the same file. it is typically in ASCII format. This is most often used to deliver a chain of certificates that must be trusted by the processing host. it is assocated with the use of S/MIME to encrypt email messages. P7B files do not contain the private key

deployment models

mobile device deployment model describes the way emploees are provided with mobile devices and applications

forward and reverse proxy

forward proxy server- client computers connect to a specified point within the perimeter network for web access. Provides for a degree of traffic management and security. in addition, most web proxy servers provide caching engins, whereby frequenly requested web pages are retained on the proxy, negaing the need to re fetch those pages for subsequent requests. some proxy servers are also pre fetch pages that are referenced in pages that have been requested. When the client computer then requests that page, the proxy server already has a local copy. a reverse proxy server-- provides for protocol specific inbound traffic. for security purposes, it is inadvisable to place application servers, such as messaging and VoIP servers, in the perimeter network, where they are directly exposed to the Internet. Instead you can deploy a reverse proxy and configure it to listen for clients requests from a public network (the internet) and create the approprate request to the internal server on the corporate network. reverse proxies can publish applications from the corporate network to the internet in this way. in addition, some reverse proxy servers can handle the encryption/decryption and authentication issues that arise when remote users attempt to connect to corporate servers, reducing the overhead on those sersers.

benchmarks/secure configuration guides

framework gives a high level view of how to plan IT services, it does not generally provide detailed implementation guidance. at a system level, the deployment of servers and applications is covered by benchmarks and secure configuration guides.

industry standard frameworks and reference architectures

frameworks provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities and technologies that should ideally be in place. a cybersecurity framework is al its of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. valuable for given structure to internal risk management procedures. valuable to save organizations from building its security program in vacuum.

non regulatory

frameworks that do not attempt to address the specific regulations of a specific industry but represent best practice IT security governance generally.

WPA2

fully compliant with the 802.11i WLAN security standard. The main difference to the original iteration of WPA is the use of AES for encryption. AES is stronger than RC4/TKIP. AES is deployed within the CCMP. AES replaces RC4 and CCMP replaces TKIP. the only reason not to use WPA2 is if it is not supported by adapters, APs or operating systems on the network.

digital cameras

gitical cameras may be equipped with wifi and cellular data adapters to allow connection to the internet and posting oimages directly to social media sites. a smart camera may also be equipeed with a GPS reciever allowing an image to be tagged with info about where it was taken. the flash media storage used by the camera may also be infected with malware or used for data exfiltration so cameras should be trated like any other emovable USB sotrage and their connection to enterprise hosts subjected to access controls.

Hacktivist

groups such as Anonymous, Wikileaks or LulzSec, uses cyber weapons to promote a political agenda. attempt to obtain nd release confidential information to the public domain, perform DoS attacks, or deface websites

Types of actors

hacker-- white hat or black hat.

driver manipulation

hardware drivers that we install in our operating system-- these drivres sit between the hardware and the operating system itself. They are effectively privieleged code thats running, very much truste dby the OS. great place to embed malicious software.

hardware 6C

hardware token type of device is typified by the SecurID token from RSA> the device generates a passcode based on the current time and a secret coded into the device. an internal clock is used to keep time and must be kept precisely synchronized to the time on the authentication server. code is entered along with a PIN or password known only to the user to protect the system against loss of the device itself

HMAC

hash based message authentication code. A method used to verify both integrity and authenticity of the message by combining cryptographic hash functions, such as MD5 or SHA-1 with a secret key. be known only to sender and recipient and cannot be recovered from the MAC because the function is one way so in theory only the sender and the recipient should be able to obtain the same MAC, confirming the messages origin nd that it has not been tampered with. A message authentical code is used to provide integrity and authenticity. in order to create a MAC rather than a simply digest the message is combined with a secret key. a Hash based message authentication code (HMAC), uses MD5, or SHA algorithm. in HMAC the key and message are combined in a way designed to be resistant to exendion attacks against other means of generation MACs

heuristic/behavioral

heuristics- a technique that leverages past behavior to predict future behavior. behavioral based detection-- in IDSs and IPSs, an operation mode where the analysis engine recongie baseline normal traffic and events, and generates an incident when an anomaly is detected. analysis engine means that the engine is trained to recognize baseline normal traffi or events. anything that deviates from this baseline (outside a defined level of tolerance) generates an incident. the idea is that the software will be able to identify zero dat attacks. the engine does not keep a record of eberything that has happened and then try to match new traffic to a precise record of what has gone before. it uses heuristics to generate a statistical model of what the baseline looks like. it may develop several profiles to model network use at different times of the dat. the system generates false positives and false negatives until it has had time to imrpove statistic model of what is normal

steganography for 4

hiding a message within another message or data is a type of security by obscurity

order of volatility

how should info be collected. general principle is to capture evidence in the order of volatility-- from more volatile to less volatile. generally from 1. CPU registers and cache memory 2. routing table, arp cache, process table, kenerl statistics 3. memory (RAM) 4. temporary file systems 5. Disk 6. remote logging and monitoring data 7. physical configuration and network topology 8. archival media

Access control models

how users recieve rights, how ACLs are written

type 2 hypervisor

hypervisor application or type II hypervisor is itself installed onto a host operating system. the hypervisor software mst support the host OS. a gues OS or host based system.

Anti-spoofing

identifying and dropping packets that have a false source address e.g. ip spoofing

Passive reconnaissance

ie OSINT or an attacker can cyber stalk his or her victims to discover information about them via google search or by using other web or socoial media search tools. or vulnerability scanning when the vulnerability scanner would probe the network application or try to discover issues but would not attempt to exploit any vulnerabilities found. will not likely alert the target of the investigation as it means querying publicly available information

Level of sophistication

ie a script kiddie, a newbie, a hacktivist etc.

Internal/External

ie is the threat coming from an external threat ie nation states, competitors, or organized crime or an internal malicious insider

memory leak

if a process is operating correctly, when it no longer requires a block of memory, it should release it. if the program code does not do this, it could create a situation where the system continually leaks memory to the faulty process. This means less memory is available to other processes and the system could crash. memory leaks are particularly serious in service/background applications, as they will continue to consume memory over an extended preiod of time. memory leaks in the os kernel are also serious. a memory leak may itself be a sign of a malicious or corrupted process.

logs and event anomalies

if a threhold is exceeded 9a trigger) some sort of automated alert or alarm notification must take place. A low priority alert may simply be recorded in a log. A high priority alarm might make some sort of active notification, such as emailing a system administrator or triggring a physical alarm signal. This allows administrators to identify and troubleshoot serious logs and event anomalies promptly.

adverse actions

if any sort of disciplinary procedure is invoked, it is important to take the possibility of adverse action into consideration. adverse action means that in disciplining or firing an employee, the employr is discriminating against them in some way. to preclude the possibility of an adverse action being invoked, the policy violation must be backed up by evidence, and it must be shown that the same poliy applies equally to all employees

low latency

if cryptography is deployed with a real time sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal

hot and cold aisles

if multiple racks are installed in a data center, install equipment so that servers are placed back to back not front to back, so that the warm exhaust from one bank of servers is not forming the air intake for anothre bank. in order to prevent air leaks from the hot aisle to the cold aisle, ensure that any gaps in racks are filled by blank panels and use strip curtains or ecluders to cover any spaces above or between racks.

unencrypted credentials/cleartext

if the credential is ever stored or transmitted in cleartext, the account can no longer be considered secure. The account must be re-securd as soon as this sort of policy violation is detected. Ensure that you are using secure remote protocols like Secure Shell (SSH), ensure that you are using SSL/TLS to secure communications with any comptabile protocol, ensure that users known not to store passwords in unencrypted text, spreadhseets or database files, ensure any custom apps you develop employ encryption for data at rest, in transit and in use

remote wipe

if the handset is stolen it can be set to the factory defaults or cleared of any personal data (santization_ some utilities may also be able to wipe any plug in memory cards too. the remote wipe could be triggred by several incorrect passcode attempts or by enterprise management software. in theory, a thief can prevent a remote wipe by ensuring the phone cannot connect to the network, then hacking the phone and disabling the security

supporting authentication

if you are able to encrypt a message in a particular way, it follows that the recipient of the message knows with whom he or she is communicating with ie the sender is authenticated. Of course the recipient must trust that only the sender has the means of encrypting the message. This means that encryption can form the basis of identification, authentication and access control systems

capture system image

image acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence. an image can be acquired from either volatile or non volatile storage. through write blockers and data recovery, hashing utilities, imaging utilizes.

Intermediate CA

in a hierarchical model, a single CA called the root issues certificates to several intermediate CAs. The intermediate CAs issue certificates to subjects lead or end entities. This model has the advantage that different intermediate CAs can be set up with different certificate policies, enabling users to percieve clearly what a particular certificate is designed for.

stream v block

in a stream cipher each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. Like a one time pad, the plaintext is combined with a separate randomly generated message. Unlike a one time pad, this is not predetermined by calculated from the key (key stream generator) and an IV. The IV ensures the key produces a unique cipher text from the same plaintext. As with a one time pad, the key stream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same key stream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self synchronizing. In a block cipher the plaintext is divided into equal size blocks (64 or 128 bit).If there is not enough data in the plaintext, is it padded to the correct size using some string defined in the algorithm. For example a 1200 bit plaintext would be padded with an extra 80 fits to fit into 10 X 128 bit blocks. Each block is then subjected to examples transposition and substitution operations, based on the value of the key used.

Private Key

in asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely

Initial exploitation

in the initial exploitation phase which is also referred to as weaponization, an exploit is used to gain some sort of access to the targets network. this initial exploitation might be accomplished using a phishing email and payload or by obtaining credentials via social engineering

documented incident types/category definitions

in the need to allocate resource efficiently it means that identified incidents must be assessed for severity and prioritized for remediation. Types and categories include 1. data integrity- most important factor in prioritizing incidents will often be the value of data that is at risk 2. degree to which an incident disrupts business processes. an incident can either degrade or interrupt the availability of an asset, system or business process. 3. economic publicity-- both data integrity and downtime will have important economic effects, both in the short term and the long term short term meaning incident response itself and lost business opportunities long term meaning damage to reputation or market standing 4. scope-- the scope of an incident ie the number of systems affected is not a direct indicator of priority ie a large number of systems might be infected with a type of malware that degrades performance, but is not a data breach rusk vs a compromise data on a single server storing top secret info 5. detection time-- data is typically breached within minutes-- systems used to search for intrusions must be thorough and the response to detections must be fast 6. recovery time-- some incidents require length remediation as the system changes required are complex to implement. this extends recovery period should trigger heightened alertness for continued or new attacks

exercise

incident response exercises. the procedures and tools used for incident response are difficult to master and execute effectively. you do not want to be in the situation where the first time staff members are practicing them in the high pressure environment of an actual incident. running test exercises helps staff develop competencies and can help to identify deficiencies in the procedures and tools

retinal scanner

infrared light is shone into the eye to identify the pattern of blood vessels. arrangement of blood vessels is highly complex and typically does not change form birth to death, except in event of certain disease or injury. very secre and accurate but equipment is expensive, relatively intrusive and complex. false negatives can be produced from cataracts

Infrared

infrared signaling has been used for PAN in the past, but the use of infrared in modern smartphones and wearable technology focused on two othre uses: IR blaster-- this allows the device to interact with an IR reciever and operate a device such as TV or HVAC monitor as though it were the remote control handset. IR sensor- these are used as proximity sensors (to detect when a smartphone is being held to the ear) and to measure health information (such as heart rate and blood oxygen levels)

IV

initialization vector. a technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption. initialization vector attack is a wireless attack where the attacker is able to predict or control the IV an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network main problem with WEP is the 24 bit initialization vector (IV)- the IV is not sufficiently large, meanin it will be reused within the same keystream under load making it subject to statistical analysis. IV is often not generated using a sufficintly random algorithm.

secure cabinets/enclosures

install equipment within secure cabinets/encolsures. these can be supplied with key opreated or electronic locks

credential management

instruct users on how to keep their authentication metod secure. also needs to alert usres to different types of social engineering attacks. alert users to different types of social engineering attacks.

ISA

interconnection security agreement. ISAs are defined by NISTs SP800-47 Security Guide for Interconnecting Information technology systems. Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls

supply chain assessment

involves determining whether each link in the chain is sufficiently robust. Each supplier in the chain may have their own suppliers, and assessing robustness means obtaining extremely privileged company information. consequently assessing the whole chain is an extremely complex process and is an option only available to the largest companies. most businesses will try to identify alternative sources for supplies so that the disruption to a primary supplier does not represnt a single point of failure.

ipconfig/ip/ifconfig

ipconfig = windows based utility used to gather information about the IP configuration of a work station/configuration assigned to the network adapter. ifconfig = a UNIX/Linux based utility used to gather information about the IP configuration of the network adapted or to configure the network adapter. it has been replaced with the ip command in most linux distributions

Diffie Hellman

key agreement protocol. 1976. D-H itself is not used to encrypt messages or to authentically senders. it is used to securely agree on a key to encrypt messages using a symmetric encryption algorithm, such as AES. Works as follows: 1. Alice and Bob are on shared integers p and q, where p is a large prime number and q is a smaller integer that functions as a base. these values can be known to eavesdroppers without compromising the process 2. Alice and Bob respectively choose a different integer (a and b, respectively). These values must not be disclosed to anyone else (Alice does not tell Bob, a, and Bob does not tell Alice b) 3. Alice and Bob calculate integers A = q^a (mod p) and B = q^b (mod p) and send those to one another. mod returns the remained when q^a or q^b is divided by p 4. alice and bob now both know p, q, A, and B, Alice knows a and Bob knows b. Alice and Bon use what they know to derive the same shared secret (s). Alice calculates s = B^a (mod p) and Bob calculates s= A^b (mod p) Because of the way the math works, they will calculate the same value 5. s is then used to generate the session key for another cipher such as AES 6. man in the middle attack truing to interfere with the process might know p, q, A, and B but without the knowledge of a or b you cannot derive S. The most notable use of DH is in IPSec as part of the Internet Key Exchange protocol. DH can also be used in the transport layer security (TLS) protocol to provide Perfect Forward secrecy

defense in depth/layered security

layered security is typically seen as the best protection for systems security because it provides defense in depth. The idea is that to fully compromise a system, the attacker must get past multiple security controls providing control diversity. These layers reduce the potential attack surface and make it much more likely that an attack will be prevented (or at least detected and then prevented by manual intervention)

NDA

legal bass for protecting information assets. NDAs are used between companies and employees, between companies and contractros and between two companies. face legal consequences if break agreement. deter employees and contractors from violating the trust that an employee place sin them.

false rejection rate

legitimate user is not recongnized. cause inconvenience to users

environmental controls

like HVAC systems and fire management processes to reduce exposure risks. environmental security means maintaining a climate that is not damaging to electronic systems and ensures a stable supply of power. HVAC ensures adequate cooling and humidity and dust control within a room or other enclosed space. hot and cold aisles. fire detection and prevention

displays

like most periphrals, displays have no protection against malicious firmware updates. e.g. exploit against a reverse engineered Dell monitor. One the malicious firmware is loaded, the display can be manipulted by sending t intrustions coded ino pixel values in a specially crafted web page.

containment

limiting the scope and impact of the incident. Typical response is to pull the plug on the affected system but this is not always appropriate. issues facing CIRT: 1. what damage or theft has already occured? how much more could be inflicted and in what sort of time frame (loss control) 2. what countermeasures are avialable? what are their costs and implications? 3. What actions could alert the attacker to the fact that the attack has been detected? What evidence of the attack must be gathered and preserved. if further evidence needs to be gathered the best approach may be to qurantine or sandbox the affected system of netowk to allow for analysis of the attack and the collection of evidence using digitial forensic techniques. this can only be done if there is no scope for the attaker to cause additional damage or loss. can also cause for escalation if the incident is judged too critical to only be held by first responder. reporting requriements for data breach

supporting non repudiation

linked to authentication and identification. it is the concept that the sender cannot deny sending the message. if the message has been encrypted in a way only known to the sender, it follows the sender must have composed it

incident response plan

lists the procedures, contacts, and resources available to responders of a security incident (where security is breached or attempted breach)

active-active 9b

load balancing can only provide for stateless fault tolerance, as by itself it cannot provide a mechanism for transferring the state of data. if you need fault tolerance of stateful data, you must implement a clustering technology whereby the data residing on one node (or pool) is made available to another node (or pool) seamlessly and transparently in the event of a node failure. This allows servers in the cluster to communicate session information to one anothe. Load balancing provides front end distribution of client requests, clustering is used to provide failt tolerance for back end applications. Two types of clustering. Active/Active configurations consist of n nodes, all of which are processing concurrently. This allows the admin to use the maximum capacity from the available hardware while all nodes are functional. In the event of a failover (term used to describe the situation where a node has failed) the workload of the failed node is immediately (and transparently) shifted onto the remaining nodes. At this time, the workload on the remaining nodes is higher and performance is degrarded during failover-- a significant disadvantage.

active-passive 9b

load balancing can only provide for stateless fault tolerance, as by itself it cannot provide a mechanism for transferring the state of data. if you need fault tolerance of stateful data, you must implement a clustering technology whereby the data residing on one node (or pool) is made available to another node (or pool) seamlessly and transparently in the event of a node failure. This allows servers in the cluster to communicate session information to one anothe. Load balancing provides front end distribution of client requests, clustering is used to provide failt tolerance for back end applications. Two types of clustering. Active/passive configurations use a redundant node to failover. ie in an 8 node Active/passive cluster, the 8th node doesnt do anything and supports no services (other than those needed to support the cluster itself) until a failover occurs. On failover, the redudnant node assumes the IP address of the failed node and responsibility for its services. Major advantage is that performance is not adversely affeced during failover. hardware and operating system costs are higher because of the unused capacity.

record time offset

local time is the time within a particular time zone, which will be offset from UTC bt severl hours.

Attributes of actors

location, sophistication, resources and intent

something you know

logon. username and password. PIN. security questions- account reset mechanisms

time synchronization

logs may be collected from appliances in different geographic locations and, consequently, may be configured with different time zones. This can cause problems when correlating events and analyzing logs. A SIEM may be able to normalize events to the same time zone.

media gateway

lots of different ways to communicate these days-- VoIP, IM, SMS etc. to faciliate communications, often necessary to transfer a call betewen two disparate systems, e.g. a user might initiate a voice all on a VOVoIP system with a reciever using the Public Switched Telephone Network (PSTN)== a media gateway handles the job of interfacing between these different communications platforms and protocols. can be provisioned as a dedication appliance or as a software running on a server. must connect to untrusted networks, consequently they should be positioned in a DMZ and configured with least privelege access controls

home automation

makes heating, lighting, alarms and appliances all controllable through a computer and network interface. smart devices and home automation might be managed throuhg a hub device with voice control functionality.

preparation

making the systems resilient to attack in the first place. this includes hardening systems, writing policies and procedures and establishing confidential lines of communication. Also implied creating a formal incident response plan. establish policieis and producedures for dealing with security breachesd and the personnel and resources to implement those policies. formal Incident response Plan should be developed

Insiders

malicious insider threat is when the perpetrator of an attack is a member of, ex member of, or somehow affiliated with the organizations own staff, partners or contractors. those who harbor grievances. technical controls are less likely to be able to deter structured insider threats

Trojan

malicious program hidden within an innocuous seeming piece of software. Usually the trojan tries to compromise the security of a target computer. code concealed within an application package that the user thinks is benign such as a game or a screensaver. The purpose of the trojan is not to replicate but to other cause damage to a system or to give an attacker a platform for monitoring or controlling the system. User will often receive pop up ads, frequent crashes, slow computer performance, strange services running. Many trojans cannot conceal their presence entirely and will show up as running process or service so as to conceal/avoid detection. often configure their process image name to be something similar to a genuine executable or library

Logic Bomb

malicious program of script that is set to run under particular circumstances or in response to a defined event, such as the admin account being disabled

advanced malware tools

malware is often able to evade detection by automated scanners. Analysis of SIEm and intrusion detection logs might reveal suspicious network connections, or a user may observe unexplianed activity or behavior on a host. When you identify symptoms such as these, but the AV scanner or UTM appliance does not report an infection, you will need to analyze the host for malware using advanced tools. Plethora of advanced analysis and detection utilities but the starting point for most technicians is Sysinternals-- suite of tools designed to assist with troubleshooting issues with Windows.

tethering

mobile devices share its cellular data or Wi Fi Connection with other devices. peer to peer functions should be genreally disabled as it might be possible for an attacker to exploit a misconfigured device and obtain a bridged connection to the corporate network.

MAC

mandatory access control. an access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label). each object and subject is granted a clearance level or label. subjects are only permitted to access objects at their own clearance level or below. Or a reseource and user can be labeled as beloning to a domain and a user may only access a resource if they belong to the same domain.

Time synchronization

many applications on networks are time dependent and time critical such as authentication and security mechanisms scheduling applications or backup software. the network Time protocol (NTP) provides a transport over which to synchoronize these time dependent applications. NTP works over UDP port 123.

memory management

many arbitrary code attacks depend on the target application having faulty memory management procedures. This allows the attacker to execute his or her own code in the space marked out by the target application. there are known unscure practices for memory management that should be avoided and checks for processing untrusted input, such as strings, to ensure that it cannot overwrite areas of memory.

iris scanner

matches pattrens on the surface of the eye using near infrared imaging and so is less intrusive than retinal scanner and quicker. offer similar levels of accuracy but are much less likely to be affected by disease

password history

maximum number of incorrect logon attempts within a certain period. once the max number of incorrect logons hsa been reached, the server disables the account.

MTTR

mean time to repairs is a measure of the time aken to correct a fault so that the system is restored to full operation. also can be described as mean time to replace or recover. the metric is important in determining the overall recovery time objective.

exploitation frameworks

means of running intrusive scanning. an exploitation framework uses the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities which might involve considerable disruption to the target, including service failure, and risk data security. an exploitation framework compromises a database of exploit code, each targeting a particular CVE (common vulnerabilities and exposures). the exploit code can be coupled with modular payloads. depending on the access obtained via the exploit, the payload code may be used to open a command shell, create a user, install software etc. the custom exploit module can then be injected into the target system. The framework may also be able to disguise the code so that it can be injected past an intrusion detection system or antivirus software

non presistence

means that any given instance is completely static in terms of processing function. data is separated from the instance so that it can be swapped out for an "as new" copy without suffering any configuration problems. use 1. snapshot revert to known state 2. rollback to known configuration 3. live boot media all to ensure non persistence.

vendor diversity

means that security controls are sourced from multiple suppliers. a single vendor solution is a tempting choice for many organizations, as it provides interoperatibility and can reduce training and support costs. Some disadvantages to a single vendor though could be 1. not obtaining best in class performances as one vendor might specialize in firewalls but the bundles malware scanning is found to be less effective. 2. less complex attack surface as a single vulnerability in a suppliers code could put multiple appliances at risk in a single vendor solution 3. less innovation -- dependence on a single vendor might make the organization invest too much trust in that vendors solution and less willing to research and test new approaches.

scalability

means that the costs involved in supplying the service to more users ar elinear. e.g. if the number of users doubles in a scalable system, the costs to maintain the same level of service would also double (or less than double). if costs more than double, the system is less scalable. to scale out is to add more resources in parallel with existing resources. to scale up is to increas the power of existing resources.

control diversity

means that the layers of control should combine different classes of technical and administrative controls with the range of control functions (prevent, deter, detect, correct and compensate)

weak/deprecated algorithms 4a/4b

means that the use of the algorithm and key length is allowed, but the user must accept some risk. The term is used when discussing the key lengths or algorithms that may be used to apply cryptographic protection to data (e.g., encrypting or generating a digital signature).

machine/computer

might be necessary to issue certificates to machines ie servers, PCs, smartphones, and tablets. regardless of function. For example, in an Active Directory domain, machine certificates could be issued to Domain controllers, member servers or even client workstations. Machines without valid domain issued certificates could be prevented from accessing network resources. machine certificates might be issued to network appliances, such as routers, stiches and firewalls.

permission issues

might derive from misconfiguration, either where users dont have the proper permissions needed to do their jobs, or where they have more permissions than they need

hybrid cloud

mix of public private community hosted onsite offsite cloud solutions. e.g. a travel organization may run a sales website for most of the year using a private cloud but break out the solution to a public cloud at times when migh higher utilization is forecast

Mobile device management concepts

mobile devic management (MDM) is a class of management software designed to apply security policies to the use of mobile devices in the enterpris.e this software can be used to manage enterprise owned devices as well a Bring Your Own device (BYOD). management software logs the use of a device on the network and determines whether to allow it to connect or not, based on administrator set parametres. when the device is enrolled with the management software it can be configured with policies to allow or restrict ue of apps, corporate data, and built in functions, such as video camera or microphone.

platform/vendor specific guides

most vendors will provide guides, templates and tools for configuring and validating the deployment of network appliances, operating systems, web servers, and application/dabatase servers. the security configurations for each of these devices will vary not only by vendor but by device and version as well. the vendor support portal will host the configuration guides

fingerprint scanner

most widely implemented biometric technology. fingerprint= unique pattern. technology is relatively inexpensive, simple to use and non intrusive. problem- possible to obtain a copy of a users fingerprint and create a mold of it that will fool the scanner.

CYOD

much the same as COPE but the employee is given a choice of device form a list

public cloud

multi tenant. Hosted by a third party and shared with other subscribers. This is what many people understand by cloud computing. as a shared resouces there are risks regarind performanc and security

application/multipurpose

multipurpose proxy-- a proxy that is configured to filter and service several protocol types, as opposed to an application specific proxy, which services only one applicaiton.

regulatory

national and international frameworks may be used to demonstrate compliance with a countries legal regulatory compliance requirements or with industry specific regulations.

NFC (11C)

near field communications (NFC) chip allows a mobile deice to make payments via contactless point of sale (PoS) machines. despite having a strict physical proximity requirement, NFC is vulnerable to several type of attacks. cretain antenna configuations may be able to pick up the RF signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfotable distance. an attacker with a reader may also be able to kim information form an NFC device in a crowded area. an attacker may also be able to corrupt data as t is being transferred through a method similar to a DoS attack- by flooding the area with an excess of RF signals to interrupt the transfer. if somelne loses an NFC device or a thief steals it, and the device has no additional layers of authentication security, then anyone can use the device in several malicious ways.

S/MIME

need for mesage authentication and confidentiality. do this with PKI called Secure/Multipurpose Internet Mal Extensions (S/MIME). To use S/MIME the user is issued a digital certificate containing his or hre public key, signed by a CA to estbalish its validity. The public key is a pair with a private key kept secret by the user. To establish the exhange of secure emails, both users must be using SMIMe and exchange certificates. 1. alice sends bob her digital cert, containing her public key and validated digital ID. she signs this message using her private key 2. bob uses the public key in the cert to decode her signature and the signature of the CA valdating her digital cert and digitial ID and decides that he can trust Alice and her email address 3. h responds with his digital cert and public key and Alice, following the same process decides to trust Bob and they now have one anothers erts in their trusted cert stores 4. When alice wants to send Bob a confidential message, she makes a hash of the message and signs the has using her private key. she then encyrpts the message, hash, and her public key using bobs public key and sends a message to bob with this data as an SMIME attachement 5. bob recieves the message and decrypts the attachment using his private key. he validates the signature and the interity of the message by decrypting it with alices public key and comparing her has value with one he makes himself. PROBLEM-- have a signing and an encryption key pairs.

in band v out of band

need to consider how an IDS/IPS sensor will provide event reporting and alerting. in band- management channel ould use the same network as the link being monitored. this is less secure because the alerts might be detected by an adversary and intercepted or blocked. out of band link offers better security- this might be established using separate cabling infrastruture or using the same cabling and physical switches but a separate VLAN for the management channel.

job rotation

no person permitted to remain in the same job for an extended period. helps an org ensure that it is not tied too firmly to any one individual because vital institutional knowledge is spread among trusted employees. job rotation also helps prevent abuse of pwoer, reduces boredom and enhances individuals professional skills.

race conditions

occur when the outcome from execution processes is directly dependent on the order and timing of certain events and those events fail to execute in the order and timing intended by the developer. A race condition vulnerability is typically found where multiple threads are attempting to write a variable or object at the same memory location. race conditions have been used as an anti virus evasion technique. This type of vulnerability is mitigated by ensuring that a memory object is locked when one thread is manipulating it.

jamming

often unintentional, but also possible for an attacker to purposefully jam an AP. This might be done simply to disrupt services or to position an evil twin Ap on the network with the hope of stealing data. Wifi jamming attack can be preformed by setting up an AP with a stronger signal. interference from other radio sources. only way to defeat a jamming attack are either to locate the offending radio source and disable it, or to boost the signal from the legitimate equipment. Source of interference can be detected using a spectrum analyzer

service accounts

often used by scheduled processes, such as maintenance tasks, or may be used by application software, such as databases for account of system access. system service account, local service account, network service account

Online v Offline 6B

oline v offline password attack. an online password attack is where the adversary directly interacts with the authentication service- a web login form or VPN gateway for instance. the attac will submit psaswords using eithr a database of known passwords and variations or a list of passwords that have been cracked offline. can show up in audit logs are repeatedly failed logons and then a successful logon, or sevreal successful logon attempts at unusual times or locations. can be mitigated by restricting the numer of logon attempts or shunning logon attempts from known bad IP addresses. offline attack- creacker does not interact with the authentication system to perform the cracking because exploit known vulnerabilities in password trannsmission and storage algorithms. perform brute force attacks an use precompiled dictionaries and rainbow tables to break naively chosen password or work n a database of hsahed passwords

patch management tools

on Windoes- updates are widely released fixes for bugs and are rated by severity. there are also definition updates for software such as malware scanners and junk mal filters and driver updates for hardware devices. Hotfixes are patches supplied in response to specific customer troubleshooting requests. feature packs add new functionality to the software. Service packs and update rollups form a collection of updates and hotfixes that can e applied in one package. patches, driver updates and service packs for windoes can be installed using the Windoes update client. on Linux, pre compiled packages can be instaled using various tools, such as rpm 9redHat) apt-get (Debian) or yum (fedora). Linux is based on distributions which contain the Linux kernel plus any other software package the distribution vendor or sponsor considers approproate. Copies of packages will be posted to a software repository. Linux software is made availbale both as source code and as pre compiled applications.

onboarding/offboarding

onboarding- process of ensure accounts are only created for valid users, only assigned the appropriate privivleges and that the account credentials are known only to the valid user. appropriate privielges are usually dtermined by created workflows for each function that the user or user role performs. offboarding- the process of withdrawing user privigielegs either when the user stops performing in a certain role or within a project group, or leabes the organization completely disable or delete the account

Familiarity social engineering

one of the basic tools of social engineer is simply to be affable and likable, and to present the request they make as completely reasonable and unobjectionable

high availability

one of the key properties of a resilient system is high availability. availability is the percentage of time that the system is online, measured over the defined period (typically one year). The corollary of availability is downtime (that is the percentage or amount of time during which the system is unavailable). the maximum tolerable downtime metric ststaes the requirement for a particular business function. high availability loosely described as 24x7 or 24x365. for a critical system, availability ill be described as two nine ie 99% or up to five or six nines 99.999%

Impersonation

one of the most basic social engineering techniques. e.g. attacker to phone into a department claiming they have to adjust something on the users system remotely, and get the user to revel their password. For this attack to succeed, they must be convincing and persuasive

master image

one of two mastering instructions an automation system may use when provisining a new or replacement instance automatically. a master mage-- this is the "gold" copy of a server instance, with the OS, applications, and patches all installed and configured. this is fster than using a template, but keeping the mage up to date can involve more work than updating a template.

templates

one of two mastering instructions an automation system may use when provisining a new or replacement instance automatically. template-- similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions

Mission essential functions

one that cannot be deferred. the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first. analysis of mission essential functions generally governmend by 1. maximum tolerable downtime 2. recovery time objective 3. work recovery time 4. recovery point objective.

misconfigured devices 9A

one type of firewall, ACL or content filtering misconfiguration blocks packets that are supposed to be allowed through. This will cause an application or protocol to fail to function correctly. This type of error will usuaully be easy to identify as users will report incidents connected with the failure of the data traffic. Diagnosis can be confirmed by trying to establish the connection from both inside and outside the firwall. if it connects from outside the firewall but not from inside, this would confirm the firewall to be the cause of the issue. Other possible outcome of a badly configured firewall is that packets may be allowed through that should be blocked. This is a more serious outcome because the result is to open the system to security vilnerabilities. it is also not necessarily easily detected as it does not typicaly cause anything to stop functining.

shared and generic accounts/credentials

one where passwords are known to more than one person. generic OS accounts. may be set up for temporary staff. breaks principle of non repudiation and makes an accurate audit trail difficult to establish more likely that the password for the account will be compromised password changes hard to communicate

Asymmetric algorithms

operations are performed by two different but related public and private keys in a key pair. Each key is capable of reversing the operation of its pair. For example, if the public key is used to encrypt a message, only the paired private key can decrypt the cipher text produced. The public key cannot be used to decrypt the cipher text, even though it was used to encrypt it. the keys are linked in such a way to make it impossible to derive one from the other. This means the key holder can distribute th public key to anyone he or she wants to receive secure messages from. no one else can use the public key to decrypt the messages; only the linked private key can do that. public key cryptography. invovles a lot of computing overhead and the message cannot be larger than the key size. When a large amount of data is being encrypted on a disk or transported over a network, asymmetricc encryption is inefficient. Consequently, asymmetric encryption is mostly used for authentication and non reputation and for key agreement of exchange. many PKC products are based on RSA algorithm

hypervisor

or Virtual Machine Monitor (VMM) manages the virtual machine environment and facilitates interaction with the computer hardware and network. can be type I or II.

propietary

or intellectual policy-- information created and owned by the company, typically about the products or services that they make or perform. IP is an obvious target for a company's competitors and IP in some industries is of interest to foreign governments. IP may also represent a counterfeiting opportunity.

asymmetric algorthms

or public key cryptography. a two way encryption algorithm where encryption and decryption are performed by a pair of linked by different keys

rogue system detection

organizations will use topology discovery (using network scanning tools) as an auditing technique to build an asset database and identify non authorized hosts or rogue system detection or network configuration errors. a rogue device is an unauthorized device or service, such as a wireless access point DHCP server, or DNS server, on a corporate or private network that allows unauthorized individuals to connect to the network. rogue system detection is the process of identifying and removing any hosts that are not supposed to be on a network

stored procedures

part of a database that executes a custom query. procedure is supplied an input by the calling program and returns a pre defined output for matched records. this can provide a more secure means of queryin the database. any stored procedure that are part of the database but not requred by the application hould be disabled.

Pass the hash

pass the has attack- if an attacker can obtain the hash of a user passwords, it is possible to present the hash (without cracking it) to authenticate to network protocols such as CIFS. if an admin account is compromised with PtH attack they can run malware with local admin privileges.

use of open source intelligence

passive reconnaissance. OSINT = publicly available information and tools for aggregating and searching it. can be information published intentionally or unintentionally. an attacker can cyber stalk his or her victims to discover information about them via google search or by using other web or socoial media search tools.

Spear Phishing

phishing cam where the attacker has some information that makes an individual target more likely to be fooled by the attack.

biometric factors

physical - fingerprint, eye and facial recognition. or behavioral voice, signature, typing pattern.

known plaintext/cipher text

plaintext is an unencrypted message. cipher text is an encrypted algorithm

PaaS

pltatform as a service. provides resources somewhere between SaaS and IaaS. a typical PaaS solution would provide servers and storage network infrastructure as per IaaS but also provide a multi tier web application/database platform on top. As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software than runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you woul be responsible for the security of the application you created on the platform.

crossover error rate

point at which FRR and FAR meet. the lower the CER the more efficient and reliable the tehcnology

time of day restrictions

policies or configuration settings that limit a user's access to resources. logon hours

safe

portable devices and mdia may be stored in a safe. safes can feautre key operated or combination locks but are more likely to come with electronic locking mechanisms. also fire safes that give a certain level of protection against exposure to smoke and flame and to water penetration

Host health checks

posture assessment is the process by which host health checks are performed against a client device to verify compliane with the health policy.

geofencing

practice of creating a virtual boundary based on real world geography-- controlling the use of camera r video function-- ie disabling cameras on mobile devices when they are in areas that should not allow photographs or video according to policy. or limit the functionality of any device that leaves a boundary.

Personnel management

practice of ensuring that all of an organiations personnel, whether internal or external, are complying with policy

incident response process

preparation then identification then containment, eradication and recovery and then lessons learned

data execution prevention

prevent areas in memory marked for data storage from executing code (running a new problem). one issue is applications might not work with DEP security features enabled.

application management

primarily refer to MDM but some solutions are branded as Mobile Application Management (MAM) or Mobile Content Management (MCM) because they focus on managing a part of the device, not all of it.

GPS tagging

process of adding geographic identification metadata, such as the latitude and longitude where the device was located at the time, to media such as hotographs, SMS messages, video etc. It allows the app to place the media at specific latitutdes and longitude coordinates. GPS tagging is highly senssitive personal information and should be processed carefully by the app. the user must be able to conset to the ways in which this information is used and published.

Data retention

process of an organization maintaing the existence of and contorl over certain data in order to comply wih business policies and or applicable laws and regulations. must balance retention needs with stipulations. data retention policies must therefore integrate closely with data disposal polcieis for optimal security of confidential information

exit intervewis

process of ensuring that an employee leaves a company gracefully. disable user account and privileges. retrieving company assets. returning personal assets.

secure configurations

process of putting an operating system or application in a secure configuration is called hardening, which is implemented to cofnrim wiht the security requirements in a defined security policy. hardening can resitrct the systems access and capabilities so hardening must be balanced against the access requirements and usability in a particular situation.

integrity management

process to determine whether the development environment varies from the secure baseline. may be performed by scanning for unsigned files or files that do not otherwise match the baseline

vulnerable business process

processes that could result in the disclosure, modification, loss, destruction or interruption of critical data or it could lead to loss of service to customers. financial and reputation risks

Spyware

program that monitors user activity and sends the information to someone else. This can occur with or without the users knowledge. can have negative impact on performance and system stability which can negatively effect users productivity. also may be able to take screenshots or activate recording devices, such as a microphone or webcam. another spyware technique is to spawn browser pop up windows or modify DNS queries attempting to direct the user to another website

protected distribution/protected cabling

protected distribution system- a physically secure cabled network is referred to as a protected distribution system (PDS). there are two principal risks: 1. an intruder could attack eavesdropping equipment to the cable ( a tap). 2. An intruder could cut the cable (Denial of Service). A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection.

PHI

protected health information- medical and insurance records, hospital and lab tests. may be associated with a speciic person or used as an anonymized or de identified data set for analysis and research. PHI is sensitive and unrecoverable.

domain validation

proving the ownership of a particular domain. this may be proved by responding to an email to the authorized domain contract or by publishing a text record to the domain. This process can be highly vulnerable to compromise.

provisioning and deprovisioning

provisioning- deploy the appliation tothe target enironment. an enterprise provisioning manager might assemble multiple applications in a package. or a signle insance. deprovisioning is removing appliation from packages or instances. also need to make environment changes, and remove configurations that were made to just support the appliation

proxy

proxy server works on a store and forward mode. rather than inspecting traffic as it passes through, the proxy deconstructs each packet, performs analysis then rebuilds the packet and forwards it on (providing it conforms to the rules). in fact, a proxy is a legitimate man in the middle. this is more secure than a firewall that performs only filtering. if a packet contains malicious content or construction that a firewall does not detect as such, the firewall will allow the packet. A proxy would erase the suspicious content in the process of rebuilding the packet. drawback is more processing done that with a firewall. a basic proxy server provides for protocol specific outbound traffic.

risk assessment

quantitative and qualitative. the output of risk assessments will identify vlnerable business processes. calculate by considerling likelihood and impact.

ALE

quantitative risk assessment aims to assign concrete values to each risk factor. Annual Loss Expectancy (ALE)- the amount that would be lost over the course of a year. this is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO)

SLE

quantitative risk assessment aims to assign concrete values to each risk factor. single loss expectancy (SLE)0 the amount that would be lost in a single occurene of the risk factor. this is determined by multipluing the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost.

Rainbow Tables

rainbow table attack: a type of password attack where an attacker uses a set of related plaintext passwords and their hashes to crack passwords. rainbow table- precomputed lookup table of all possible passwords and their matching hashes. not all possible has values are stored, as this would require too much memory. values are computer in chains and only the first and last value needs to be stored. the has value of a stored password can then be looked up in the table and the corresponding plaintext discovered

database security

range of objects that can be secured with fine grained permissions is wider. objects in a database scheme include the database itself, tables, views, rows (records) and columns (fields) different policies can be applied for statements such as SELECT< INSERT, UPDATE< and DELETE

facial recognition

records multple indicators about the size and shae of the face, distance between eyes, width and length of the nose. needs optimal light conditions. privacy issues, high false acceptance and rejection rates and can be vulnerable to spoofing.

data owner

senior exec with ultimate responsibility for maintaining the confidentiality, integrity and availability of the info asset. owner responsible for labeling asset and ensuring that it is protected with appropriate controls. the owner also typically selects a steward/custodiaan and directs their actions.

chain of custody

records where, when and who collected the evidence, who subsequently handled it, and where it was sored. the chain of custody must show access to, plus storage and transporation of, the evidence at every point from the crime scene to the court room. anyone handling the evidence must sign the chain of custody and indicate whate they were doing with it. evidence should be stored in a secure facility-- means access control, but also environment control. if the evidence is transported, the transport must also be secure.

hot site

recovery site can failover almost immediately. the site is already within he organizatins ownership and is ready to deploy

cold site

recovery site takes longer to set up (up to a week)

warm site

recovery site. in between hot and cold. e/g/ a hot site could consist of a building with operational computer equipment that is kept updated with a live data set, a warm site is similar but with the requirement that the latest data set will needed to be loaded.

RTO/RPO

recovery time objective is the period following a disaster that an individual IT system may remain offline. this represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance) . recovery point objective is the amount of data loss that a system can sustain, measured in time. that is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered from a backup copy to a point not more than 24 hours before the database was infected.

single point of failure

reducing dependencies makes it easier to provision redundant systems to allow the function to failover to a bacup system smoothly. this means the system design can more easily eliminate the sort of weakness that comes form having single points of failure that can disrupt the function

RAID

redundant array of independent disks. many disks can act as backups for each other to increase reliability and fault tolerance. if one disk fails the data is not lost, and the server can keep functioning. the RAID advisory board defines RAID levels, numbered 0 to 6, where each level corresponds to a specific type of fault tolerance. there are also proprietary nd nested RAID solutions. some of the most commonly implemented types of RAID are 1. level 0-- striping without parity (no fault tolerance) this means that data is written in blocks across several disks simulataneously. this can improve performance, but if one disk fails, so does the whole volume and data on it will be corrupted 2. level 1- mirroring- data is written to two disks simulatanseouly providing redundancy. storage effieicny is only 50%. 3. level 5- striping with parity- data is writing across three or more disks, but additional information (parity) is calculated. this allows the volume to continue if one disk is lost. this solution has better storage efficiency han RAID 1. 4. double parity of level 5-- with an additional partiy stripe. this allows the volume to continue when two disks have been lost. 5. nested (0+1, 1+0, 5+0)-- nesting RAID sets generally improved performance or redundancy (e.g. some nested RAID solutions can support the failure of more than one disk)

legal hold

refers to the fact that information that may be relevant to a court case must be preserved. information subject to legal hold might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or lawyers pursuing a civil action. this means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails.

persistence

refers to the testers ability to reconnect to the comromised host and use it as a Remote Access Tool or backdoor. To do this, the tester must establish a command and control C2 or C&C network to use to control the compromised host (upload tools and download data). the connection to the compromise host will typically require a malware executable to run and a connection to a network port and the attackers IP address to be available. persistence will be followed by further reconnaissance. running when the computer is restarted

RAT

remote access trojan. backdoor applications. mimic the functionality of legitimate remote control programs but are designed specifically for stealth installation and operation. once the RAT is installed it allows the attacker to access the PC< upload files, and install software onto it. This could allow the attacker to use the computer in a botnet, to launch a DDOs, attack or mass mail spam. The attacker must establish some means of secretly communicating with the compromised machine ie through a covert channel. this means the RAT must establish a connection from the compromise host to a Command Control host or network operated by the attacker. this network connection is usually the best way to identify the presence of a RAT

remote access v site to site

remote access v site to site vpn. Remote access: in this scenario, clients connect to a VPN gateway/router/concentrator on the local network. the VPN clients will connect over the internet. Site to site VPN- this model connects two or more local networks, each of which runs a VPN gateway/router/concentrator. Where remote access VPN connections are typically initiated by the client, a site to site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any info about rhe VPN> The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

removable media control

removable media such as flash memory cards, USB attached flash and hard disk storage and opitcal discs. apply policies to prevent or manage the use of remvable media devices. as the media might be a vector for maalware, either through the files stored in the media or its firmware. the media also might be a means of exfiltrating data. a strong policy would block access to any storage device without encrypted access controls.

untrained users

represent a serious vulnrebaility because they are susceptible to social engineering and malware attacks and may be careless when handling sensitive or confidential data.

standard operating procedure

standard is a measure by which to evaluate compliance with the policy. a procedure, often referred to as a Standard Opreating Procedure (SOP) is an inflexible, step by step listing of the actions that must be completed for nay given task. Most critical tasks should be governed by SOPs.

application cells/containers

resource separation at the operating system level. The OS defines isolated cells for each user instance to run in. Each cell or container is allocated CPU and memory resources, but the processes all run through the native OS kernel. These containers may run slihtly different OS distributions but cannot run guest OSes of different types ie can not run Windoes in a Redhat Linux container. Alternatively, the containers might run separate application processes in which case the variables and libraries required by the application process are added to the container. one of the best known container virtualization products is Docker. Containerization is also being widely used to implement corporate workspaces on mobile devices.

identify common misconfigurations

results of vulnerability scans will identify common misconfigurations, lack of necessary security controls, and other related vulnerabilities

identify lack of security controls

results of vulnerability scans will identify common misconfigurations, lack of necessary security controls, and other related vulnerabilities

system owner

role is responsible for designing and planning computer, network, and database systems. the role requires expert knowledge of IT security and network design.

privacy officer

role is responsible for oversight of any PII assets managed by the company. The privacy officer ensures that the processing and disclosure of PII complies with legal and regulatory frameworks. oversees retention of PII. one principal of personal data privacy is that info be retained for only as long as is necessary. this can complicate he inclusion of PII in backups and archives.

revert to known state

same as snapshot for ensuring non peristence

secure baseline

same specificiation that each development enviro should be built to, possibly using automated provisioning

SATCOM

satellite communications. establish telecommunications in extremely remote areas or use a communications system that is wholly owned and managed. SATCOMs are as secure as the service provider operating the system.

Configuration compliance scanner

scanners measure systems and configuration settings against best practice frameworks. might be necessary for regulatory compliance or you might voluntarily want to conform to externally agreed standard of practice

scheduling 9b

scheduling algorithm- in load balancing, the code and metrics that determine which node is selected for processing each incoming request. simplest type called round robin ie picking the next node. another method pick node with fewest connections. each method can also be weighted- using admin set preference r dynamic load information or both

screen locks

scren lock that can only be bypassed using the correct password, pin, swipe patterm. access control. can also b configured with a lockout policy-- meaning if an incorrect psascode is entered the device locks for a set preiod of time, which can be configured to escalate thus deterring the attempt to guess the passcode.

correlation 9E

second critical function of SIEM is that of correlation. This means that the SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Correlation can then be used to drive an alerting system.

fencing/gate/cage

security fencing should be transparent, so that guards can see any attempt to penetrate it, robust, so that it is difficult to cut, and secure against climbing, which is generally achieved by making it tall and possibly by using razor wire. gives building an intimidating appearance. gate- fitted with a lock. equipment installed inside cages so that technicians can only physically access the racks housing their own company's servers and appliances

Secure Boot and Attestation

security system offered by UEFI. It is designed to prevent a computer from being hikacked by a malicious OS. User secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the OS boot loader using the stored certificate to ensure that it has ben digitially signed by the OS vendor. this prevents a boot loader that has been modified by malware (or an OS installed without authorization) from being used.

sandboxing

segmented environment. no processes should be able to connect to anything outside the sandbox.

segregation/segmentation/isolation

segregation- a situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments. hey might only be able to communicate over certain network ports, for instance. assuming an Ethernet netowkr, network segments cna be established ohysically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch. The two Switches can be connected by a router and the router can enforce network policies or ACLs to retruct communication beyween two segments segment-- a portion of a network where all attached hosts can communicate freely with one another. isolated segment- is one that has no connectivity with other segments. A host or network segment that has no sort of physical connectivity with other hosts or networks is referred to as air gapped.

inline v passive

sensors can be deployed in one of two modes-inline and passive inline-- all traffic passes through them (also making them a single point of failure if thre is no fault tolerance mechanism) ie this means that they need to be able to cope with high bandwidths and process each packet very quickly to avoid slowing down the network. inserted into a network segment so that the traffic that is monitoring must pass through the sensor. psasive sensor- monitors a copy of network trafic- the actual traffic does not pass through the device. more efficient than the inline sensor beause it does not add an extra handling step that ontributed to packet delay

storage segmentation

separate storage container for corporate workspace with a defined slection of apps

types of certificates

server certificate (guarantees the identity of ecommerce sites or any sort of website to which users submit data that should be kept confidential), machine certificates (to servres, PCs, smartphones, tablets), email/user certifiates (can be used to sign andencrypt email messages, typically using S/MIME or PGP), user certificate (ie standard, amins, smart cards, recovery agents, etc.), code signing certificates (issued to a software publisher, following some sort of identity check and validation process by the CA) , root certificate (one that identifies the CA itself, self signed), self signed certificates (any machine, web server or program code can be deployed with a self signed certificate).

SSID

service set identifier. A character string that identifies a particular wireless LAN (WLAN)

affinity

session affinity is a scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. also called source IP. laer 4 approach to handling user sessions. ie when a client establishes a session, it becomes stuck to the node that first accepted the request. this can be acocmplished by hashing the IP and port info along with other scheduling metrics. This has uniquely identifies the session and will change if a nod stos responding or a node weighting is changed.

group based access control

set permissions or rights for several users at the same time. users are given membership to the group and then the group is given access to the resources or allowed to perform the action. a user can be amember of a multiple groups and can therefore recieve rights and permissions from several sources

lighting

seucirty lighitng. contributes to th perception that a building is safe and secure all night. makes people feel safe. acts as a deterrent-- intrusion is more difficult and surveillance easier.

disable default accounts/passwords

should do

trust model

shows how users and different CAs are able to trust one another

enforcement and monitoring for sideloading

sideloading- directly install apps withoug going through the store interface. MDM software often has the capability to blockunapproved app sources.

rules

signature based detection. analysis engine is programmed with a set of rules that it uses to drive its decision making process.

signature based

signature based monitoring- a network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable . analysis engine is loaded with a database of attack patterns or signatures. if traffic matches a pattern, then the engine generates an incident. signatures and rules powering intrusion detection need to be updated regularly to provide protection against the latest threat types.

Secure Token

signed using the SML signature specification

signs

signs and warnings to enforce the idea that security it tightly controlled. deterrent.

Smart devices/IoT

smart devices are home appliances with integrated computer functionality most smart devices use a linux or Android kernel. because they are effectively running mini computers smart devices are vulnerable to some of the standard attacks associated with web applications and network functions. integrated peripherals uch as cameras or microphones could be compromised to facilitate surveillance.

cellular

smartphones and some tablets use the cell phone network for calls and data access- there have been attacks and successful exploits against the major infrastructure and protocols underpinning the telecoms network

correlation engines

software application that programmatically understands relationships.

shimming

the code library that intercepts and redirects calls to enable legacy mode functionality. the shum must be added to the registry and its files added tothe system filder. the shm database represents another way that malware with local admin privieleges can run on reboot. shim built into the OS that allows you to modify applications to run as if they are on different versions of Windows. that way you are able to take legacy pieces of software and run them on the latest version of the OS.

SDN

software defined network. a software application for defining policy decision on the control plane (makes decisions about how traffic should be prioritized and secured and where it should be switched).These decisions are then implemented on the data plane (handles the actual switching and routing of traffic and impoition of ACLs for security) by a network controller application, which interfaces withthe network devices using application programming interfaces (APIs). The interface between the SDN applications and the SDN acontroller is described as the northbound API which that between the controller and the appliances is th southbound API. at the device level, SDN can use virtualized appliances or physical appliances. the appliances just need to support the southbound API of the newrok controller software. this archietecture savves the network admin the job and complexity of configuring each appliance with appropriate settings to enforce the desired policy. Allows for fully automated deployment of network links, appliances and servers. an architecture designed around SDN may alos provide greater security insight because it enables a centralized view of the network.

patch management

software issus resolve issues that a vendro has identified. two approaches to apply updates-- 1. aply all the latest patches to ensure the system is as secure as possible against attacks targeting flaws in the software. 2. only apply a patch it if solves a particular problem being experienced. second approach requires more work, but recongized hat updates, particularly with service releases- can cause problems, especially with software application compatibility, so the second approach is wisest.

network mapping

software that can scan a network and identify hosts, addresses, protocols, network interconnections etc.

software 6C

software token- 2 step verification - software token generated on a server and send it to a resource hat is assumed to be safely controlled by the user, such as a smartphone or email account.

tokens/cards

software token- a small piece of code that stores authentication information common access card- a smart card that provides certificate based authentication and supports 2 factor authentication PIV card- personal identity verification card- a smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the cards owner smart card- a device similar to a credit card that can store authentication information such as a users private key, on an embedded microchip

nslookup/dig

software tool for querying DNS server records. command-line tool available in many computer operating systems for querying the Domain Name System to obtain domain name or IP address mapping, or other DNS records. The name "nslookup" means "name server lookup".

Password cracker

software used to determine a password, often through brute force or dictionary searches. works on the basis of exploiting known vulnerabilities in password transmission and storage algorithms. can work on a database of hashed passwords. exploit weaknesses in a protocol to calculate the has and match it to a dictionary word or brute force it.

version control and change management

software version control is an ID system for each iteration of a software product. most version contorl numbers represent both the version and the internal build numbers. when a developer commits new or changed code to the repository the new source code is tagged with an updated version number and the old version is arhcived. allows rollback if problem is dicoverd.

external media

some adnroid and windows devices support removabe storage using external media, such as plug in Micro SecureDigitial (SD) card slot; some may suppot the connection of USb based storage devices.

low power devices

some technologies require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially thise that work on battery power.

script kiddies

someone that uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. might have no specific target or any reasonable goal other than gaining attention or proving technical capabilities. Capable of launching sophisticated cyber attacks because the tools and information with which to conduct them is now more widely available on the internet

false positive

something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not

false positive

something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not. risk of acting on false positives, as attempting to resolve a non existent or misattributed issue by making certain configuration changes could have a significant negative impact on the security of your systems

false negative

something that is identified by a scanner or other assessment tool as not being a vulnerability, when in fact it is.

Certificate based authentication

something you have

exercises/tabletops

staff ghost the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything. thse are simple to set up but do not proide any sort of practical evidence of things that ould go wrong, time co complete etc.

role based awareness training

staff preforming secuity sensitive roles and grading the level of training and education required. focus on job roles rather than job titles. training for system owner should focus on knowledge of IT security and network desing. Data owner should focus on compliance issues and data classification systems. system admin/data custodian-- technical understanding of access controls and privielege management systems. standard users- ordinary users may require training on product or sector specific issues. privieleged users- employees with access to prvieleged data should be given extra training on data management and PII plus any relevant regulatory or compliance frameworks. executive users-- awareness due to whale phising/spear phishing. executive users will also require training on compliance and regulatory issues and may need a good understanding of technical controls, secure system architecture and design and secure supply chain management depending on the business function they represen.

stateful v stateless

stateless process or application can be understood in isolation. no stored knowledge of or reference to past transactions. each transaction is made as if from scratch for the first time. Stateful applications and processes, however, are those that can be returned to again and again, link online banking or emial. They're performed withthe context of previous transactions and the current transaction may be affected by what happened during previous transactions. for these reasons, stateful apps use the same servers each time they process a request form a user. a circuit level stateful inspection firewall addresses these problems by maintaining stateful information about the session established between two hosts (including malicious attempts to start a bogus session) Information about each session is stored in a dynamically updated state table. when a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. if it does not, it applies the orindary packet filtering rules to determine whether to allow it. once the connection has been allowed the firewall allows traffic to pass unmonitored, in order to conserve processing effort. packet filtering firewall is statless. meaning it does not preserve information about he connection between two hosts. each packet is analyzed indepdenently, with no record of previously processed packets. this typ of filtering requires the least processing effort, but it can be vilnreable to attacks that are spread over a sequene of packets. can also introduce problems in traffic flow, especially when some sort of load balancing is being used or when clients or servers need to use dynamically assigned ports

steganography tools

steganography is a technique for obscuring the presence of a message, often by embedding information within a file or other entity. contain document is called a covertext. a steganography tool is a software that facilitates this (or conversely can be used to detect the presence of a hidden message within a cover text).

Steward/custodian

steward-- this role is primarily responsible for data quality. this involes task such as ensuring data is labelled and identifies with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regultions. data custodian-- this role is responsible for managing the system on which the data assets are stored. this includes responsibility for enforcing access control, encryption and backup/recovery measures.

push notification services

store services that an app or website can use to display an alert on a mobile devce. develops need to take care to properly secure the account and servies used to send push notifications.

extended validation

subjecting to a process that requires more rigorous checks on the subjects legal identity and control over the domain or software being signed. EV standards are maintained by the CA/Browser forum.

external storage devices

such as USB flas drives present adversaries with an incredible toolkit. the firmware can be reprogrammed to make the device look like another device class, such as a keyboard in which it could then be used to inject a series of keystrokes upon an attachement or work as a keylogger.

symmetric algorthms

symmetric enryption is a two way encryption scheme in which encryption and decryption are both performed by the same key. Also know as shared key encryption

RTOS

system on a chip (SoC) is a design where all of these processors, controllers and devices are provided on a single processor die (or chip) this type of packaging saves space and is usually powerf efficient and so is very commonly used with embedded systems

tcdump

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

TACACS+

terminal access controller access control system plus. an alternative to RADIUS developed by CISCO. TACACS+ is in use, TACACS and XTACACS are legacy protocols. all data in TACACS+ packets is encrypted. more often used for device administration that for authenticating end user devices. allows centralized control of accounts set up to manage routers, switches, and firewall appliances, as well as detailed management of the privivielegs assiged to those accounts

stress testing

testing an application to see ho an aplication performs under extreme performance or usage scnarios.

testing

testing the object under assessment to discover vulnerabilities or to prove the effectiveness of security controls

Network address allocation

the Dynamic Host configuration protocol (DHCP) provides an automatic method for network address allocation. as well as an IP address and subnet mask it can include optional parameters, such as the default gateway, DNS address, DNS suffix, or NetBIOS name server address. this avoids the configuration errors that can occur if addresses are specified manually.

distributive allocation

the ability to switch between available processing and data resources to meet service requests. typically achieved using load balancing services during normal operations or automated failover during a disaster

dynamic analysis (e.g. fuzzing)

the application is tested under real world conditions using a staging environment. fuzzing is a tehcnique designed to test software bugs and vulnerabilities. three types of fuzzers representing diff way of injecting manipulated input into the application 1. application U- identify input streams accepted by the app, such as input boxes, command line switches or import/export functions 2. protocol- transmit manipulated packets to the application, perhaps using unexpected values in the headers or payloads 3. file format- attempt to open files whose format has been manipulaed. the fuzzer cna use semi random input (dumb fuzzer) or might cract specific input based around known exploit vectors

injection

the attack embeds code within the input or appends code to it that executes when the server processes the submission.

buffer overflow

the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data. stack overflow, heap overflow, array index overflow. An application attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer.

resources v security constraints

the comparative strength of one cipher over another largely depends on the bit strength of the key and the quality of the algorithm. Some algorithms have known weaknesses and are deprecated for use in particular contest.. When selecting a product or individual cipher for a particular use case, a tradeoff must be achieved between the demand for the best security available and the resources available for implementation

Public Key

the component of asymmetric encryption that can be accessed by anyone

white box

the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. white box tests are useful for simulating the behavior of a privileged insider threat

compensating

the control does not prevent the attack but restores the function of the system through some other means, such as using data backup or an alternative site

detective

the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion

preventive

the control physically or logically restricts unauthorized access. a directive can be though of as an administrative version of a preventive control

corrective controls

the control responds to and fixes an incident and kay also prevent its reoccurrence

aggregation 9E

the core function of a SIEM tool is to aggregate logs from multiple sources.

data at rest

the data is in some sort of persistent storage media.. Is it usually possible to encrypt the day using techniques such as whole disk encryption, database encryption and file or folder level encryption. Also possible to apply permissions such as ACLS, to ensure only authorized personnel can read or modify data.

certificate issues

the most common problem when dealing with ceritifcate issues is that of a client rejecting a server certificate (or slightly less commonly, an authentication server rejecting a clients certificate)

Federation

the notion that a network needs to be accessible to more than jst a well defined group, such as employees. company trusts accounts created and managed by a different network. federated identity management. the networks establish trust relationships so that the identity of a user from network A can be trusted as authentic by network B

gray box

the pen testing consultant is given some information, typically this would resemble the knowledge of junior or non IT stage to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. gray box tests are useful for simulating the behavior of an unprivileged insider threat.

data exfiltration

the process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

key exchnage

the process by which sender and receiver share the key to use for encryption. any method by which cryptographic keys are transferred among users, thus enabling the use of cryptographic algorithm

virtualization

the process of creating a simulation of a computer environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.

analytics

the process of reviewing the events and incidents that trigger IDS/IPS.

root

the root certificate is the one that identifies the CA itself. The root certificate is self signed. A root certificate would normally use a key size of at least 2048 bits. Many providres are swtiching to 4096 bits.

deterrent

the security control may not physically or logically prevent access but psychologically discourages an attacker from tempting an intrusion

operating system

the software that supports a computer's basic functions, such as scheduling tasks, executing applications, and controlling peripherals.

transitive trust

the trust extends to other trusted domains. if domain a trusts domain b and domain b trusts domain c then domain a also trusts domain c

modes of operation 4b

the way a cryptographic process processes multiple blocks. In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity.[1] A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block.[2] A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. includes ECB, CBC, GCM

routing and switching

the way a network operates is to connect computers and peripherals using two pieces of equipment-- switches and routers. These two let the devices connected to your network talk with each other as well as talk to other networks. Routers and switches perform very different functions in a network: switches are used to connect multiple devices on the same network within a building or campus. A switch can connect your computers, printers and servers creating a netowrk of shared resources. Routres are used to tie multiple networks together. e.g. you would use a router to connect your networked computers to the internet and thereby share an internet connection among many users. the router will act as a dispatcher, choosing the best route for your information to travel so that you recieve it quickly. Routers analyze the data being sent over a network, change how it is packaged and send it to another netwokr or over a different type of network. They connect your business to the outside world, protect your information from security threats, and can even device which omputers get priority over others. Routers can include different capabilities such as firewalls, VPNs, IP Phone network.

Data roles

there are also imporant data roles for oversight and management of a range of information assets within the organization. define roles such as data owners, data steward, data custodian. privacy officer.

use of third party libraries and SDKs

third party library-- binary package (such as DLL) that implements some sort of standard functionality. each library must be monitored for vulnerbilities and patched prmpty. Software Development Kit (SDK)- the programming enviro used to create the software might provide sample code or libaries of pre built functions. monitor for vulnerabilities.

immutable system/infrastructure

this approach first strictly divised data from the components processing data. once designed and provisond as instances, the components are nenver changes or patche din place. deploying a patch or adding a new application means building a new instance and deploying that.

data in transit

this is the state when data is transmitted over a network. In this state, data can be protected by a transport encryption protocol such as TLS or IPSec

community cloud

this is whree several organizations share the costs of either a hosted provate or filly private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

implementation v algorithm selection

three different types of cryptographic algorithms are used in computer security systems: hash functions, symmetric encryption and asymmetric encryption. a single hash function, symmetric cipher or asymmetric cipher is called a cryptographic primitive. a complete cryptographic system or product is likely to use multiple cryptographic primitives. The algorithms underpinning cryptography must be interpreted and packages as a computer program which can be described as a crypto module or API. The crypto module will support commands germinated from applicator such s encrypt or decrypt this. Also just because an algorithm is strong doesn't mean the implementation of that encryption algorithm will be strong.

taps and port mirror

three main options for connecting a sensor to the appropriate point in the network. 1. SPAN (switches port analyzer)/mirror port- this means that the sensor is attached to a specifically configured port on the switch that recieves copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load. 2. Passive test access point (TAP)-- this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cbaling to a monitor port. There are types for copper and iber optic cabling. Unlike SPAN, no logic decisions re made so the monitor port recieves every frame-- corrupt or malformed or not-- and the copying is unaffected by the load. 3. Active TAP-- this is a powered device that performs signal regeneration (again there are copper and fiber variants) which may be necessary in some circumstances.

alarms

three main types of alarm. 1. circuit- circuit based alarm sounds when the circuit is opened or closed, depending on the type of alarm. could be caused by a door or window opening or by a fence being cut. a closed circuit alarm is more secure because an open circuit alarm can be defeated by cutting the ciruit. 2. motion detection- a motion based alarm is linked to a detector trigered by any movement within an area. Either microwave radio reflection or passive infrared, which detect moving heat sources. 3. Duress- triggered manually by staff if they come under threat. wireless pendants, concealed sensors/triggers, DECT handsets, smartphones.

secure DevOps

tie togethre development and operationgs. ie DevOps. ie more collab between developers and system admin. support 1. immutable infrastructure 2. infrastructure as code 3. seurity autmation

identification of critical systems

to support resiliency of mission essential and primary business functions, it is crucial for an organization to perform the identification of criticl aystems. this means compiling an inventory of its business processes and its tangible and intangible assets and reousces incluindg people, tangible assets, intangible assets, procedures.

Always on VPN

traditional VPN solutions require the user to initiate the connection and enter their authentication credentials. An always on VPN means that the computer establishes the VPN whenever an internet connection over a trusted network is detected, using the users cached credentials to authenticate.

wireless

traffic from Wi-Fi networks might be less trusted than from the cabled network. You might also operate unathenticated open access points or authenticated gust WiFi networks, which should be kept isolated from the main network.

transparent

transparent proxy server- forced or intercepting. intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance. a non transparent server means that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080

Tunneling/VPN

tunneling is the practice of encapsulating data from one protocol for safe transfer over another network such as the Internet. VPN= virtual private network-- a secure tunnel created between two endpoints connected via an unsecure networ (typically the Internet). tunneling is a technology used when the source and destination computers are on the same logical network but connected via different physical networks. use internet access infrastructure and set up a secure tunnel for private communiations through the internet connection. this is referred to as a VN. efficient in terms of cost because everyone has internet. main concern is providing security for the transmission that pass throughthe public network and preventing unathorized users from making use of th VPN connection. vpn mplemented as remote access or site to site`

symmetric algorithms

two way encryption algorithm in which encryption and decryption are both performed by a single secret key. Alternatively, there may be two keys or multiple subways, but these are easy to derive from possession of the master key. The secret key is so called because it must be kept secret because if it is lost or stolen the security is breached. used for confidentiality only. Because the same key must be used to encrypt and decrypt information it cannot bee sed to prove someones identity. very fast but main problem is the secure disitribution and storage of the key. This problem becomes exponentially greater the more widespread the keys distribution needs to be.

birthday

type of brute force attack aimed at exploiting collisions in has functions. This type of attack can be used for the purpose of forging a digital signature. The attack works by the attacker creating a malicious document and a benign document that produces the same has value. The attacker submits the benign document for signing by the target. The attacker then removes the signature from the benign document and adds it to the malicious document, forging the targets signature. The trick here is being able to create a malicious document that outputs the same has as the benign document. The birthday paradox means that the computational time required to do this is less that one might expect. To protect against a birthday attack, encryption algorithms must demonstrate collision avoidance

license compliance violation (availability/integrity)

unlicensed software installs affect both avaialbility and integrity-- availability-- the software vendor may suspend all licenses if the customer is found to be non compliant. integrity-- unlicensed software exposes an organization to large fines and penalties. Licensing agreements such as master License Agreements (MLAs) can be complex and keeping track of usage requires investment in license management and auditing softeare. must identify unlicensed and unathorized software installed n clients, servers and VMs. ideally privielge management and change controlled instances would prevent this from happening. Identifying per seat or per user compliance with licensed software. prepare for vendor audits . ensure compliance with the terms of open source licensing.

aircraft/UAV

unmanned aerial vehicles (UAV) - full sized fixed wing aircraft to smaller drones. potential to use communications channels to interfere with the drone potentially causing a crash or for it to go off course. drones can also be used to perform surveillance or perform other types of attacks ie. scattering infected USB sticks.

geolocation

use of network attributed to identify or estimate the physical position of a device. cell phone service providres can use the cell system to triangulate the location of a phone to within a few meters.

weak cipher suites and implementation (4A)

use of weak cipher suites and implementations can represent a critical vulnerability for an organization. Means that data it is storing and processing may not be secure. It may also allow a malicious attacker to masquerade as it, causing huge repetitional damage. A weak cipher is one that cannot use long keys. (e.g. Md5, 3DES, RC4 cannot use key sizes larger than 128 bits making them successful to brute force attacks). Many attacks are directed against the implementation of an algorithm or random number generator in software products rather than the algorithm itself. e.g. in 2014 a vulnerability in iOS and OS X emerged meaning that SSL certificate validation was disabled by a mistaken code update. An attacker with system access may also be able to obtain keys from system memory or page files/scratch disks if the system is vulnerable to privilege implementation. REMEMBER-- cryptography depends absolutely on the security of the key

medical devices

used in hostpials, clinics, portable devices such as cardiac monitor and insulin pumps. unscure communication protocols, many of the control systems for these devices run on unsupported versions of OSes because the costs of updating the software to work with newer OS versions is high and disruptive to patient services. goals of attacks on medical devices include 1. use compromised devices to pivot to networks storing medical data withthe aim of stealing protected health information (PHI) 2. hold medical units random by threatening to disupt services 3. kill or injure patients (or threaten to do so) by tampering with disage levels or device settings.

somewhere you are

using a mobile device with location services. geographc location, measured using a devices GPS and or IPS or it could be by IP address. geolocation by IP address works by looking up a hosts IP address in a geolocation database such as GeoIP, IPinfo or DB-IP and retrieiving the registrants country, region, city, name and other info. the registrant will usally be the ISP, so the info you recieve will provide an approximate location of a host based on the ISO> if the ISP is one that serves a large or diverse geographic area, you will be less likely to pinpoint the location of the host. not used as primary authentication factor, may be a contunuous authentication mechanism.

Intimidation social engineering

using spurious technical arguments and jargon which can exploit the fact that few people are willing to admit ignorance.

backup utilities

utilities that support enterprise backup operations come with features to support retention policies.

Netstat

utility to show network information on a machine running TCP/IP, notably active connections and the routing table. check the state of ports on the local machine. check for service misconfiguration. also may be able to identify suspect remote connections to service on the local host or from the host to remote IP addresses. network statistics.

impact

variable used to calculate risk. the severity of the risk if realized as a security incident. this may be determined by factors such as the value of the asset or the cost disruption if the asset is comrpomise.d

certificate formats

various formats for encoding a certificate as a digital file for exchanging between different systems. All certificates use an encoding scheme called Distinguished Encoding Rules (DER) to create a binary representation of the information in the certificate. A DER encoded binary file can be represented as ASCII characters using Base64 privacy Enhanced Electronic Mail (PEM) encoding. The file extensions .CER and .CRT are also oftne used, but these can contain either binary DER or ASCII PEM data. other formats are .PFX or .P12, P7B,

nmap

versatile port scanner used for topology, host, service and OS discovery and enumeration. default behavior = ping and send a TCP ACK packets to port 80 and 443 to determine whether a host is present. on a local network segment, map will also perform arp and ND (neighbor discovery sweeps) if a host is detected, map performs a port scan against that host to determine which services it is running.

privilege escalation

vertical privielege escalation ie elevation is where a user or application can access functionality or data that should not be available to them. Horitzonal esclation is where a user accesses functionality or data that is inteded for another user.

VDI

virtualization can provide an additional deployment model. Virtual Desktop Infrastructure (VDI) means provisioning a worksation OS instance to interchangeable hardware. the hardware only has to be capable of running a VDI client viewer. the instance is provided as new for each session and can be accessed remtely. same technolgy can be accessed via a mobile device such as a smartphone or tablet. this removes some of the security concerns about BYOD as the corpoate apps and daa are segmented from the other apps on the device.

waterfall v agile

waterfall: 1. requirements- capture everything that the system must do and the levels to which it must perform 2. design- develop a system architecture and unit strcture that fulfills the requirements 3. implementation- develop the system units as programming code 4. verification- ensure the implementation meets the requirements and design goals 5. testing- integrate the units and ensure they work as expected. 6. maintence- deploy system to target enviro and ensure that it is operated correctly 7. retrement- deporvision the sstem and any dependencies. each phase in waterfall must be completed and signed off befre the next phase can begin. can be hard to go back and make changes. Agile on the other hand--iterating through phases concurrently on smaller modules of code or sub projects 1. concept- devise initial scope and vision and determine feasibility 2. inception- identify stakeholders and stat to provision resources and determin requiremens 3. itreation- prioritize requirements and work through cycles of designing, developing, testing and test deploying solutions to the project goals, adapting to changing requirements, priorities and resources as needed. 4. transition- perform final integration and testing of the solution and prepare for deployment in the user environment 5. production- ensure that the solution operated effectively 6. retirement- deprovision the solution and any dependencies. rects to change better, but has the disadvantage of lacking focus and being open ended.

default configuration, misconfiguration/weak configuration (11B)

weak or misconfigured security configurations may lead admin access protected with a default account or password that is publicly available, sensitive ports open to the Internet, or any number of other such weaknesses. any service or interface that is enabled through the default installation or default configuration and left unconfigured should be cosidered a vulnerability. in last few years, vendors have started shipping devices and software in secure default configurations. this means that the default installation is theoretically secure but minimal.

onboarding

welcome a new employee to the org. background checks, identity and access management, signing an NDA, asset allocation, training/policies.

Split tunnel v full tunnel

when a client connected to a VPN uses the internet, there are two ways to manage the connection: split tunnel- the client accesses the internet directly using its native IP configuration and DNS servers. Full tunnel- internet access is mediated by the corporate network which will alter the clients Ip address and DNS servers and may use a proxy. full tunnel offers better security but the network address translations and DNS operations required may cause problems with some websites, especially cloud services.

policy violation

when a policy violation by an employee or contractor is detected, it is necesary to follow incident response proceures rather than act off the cuff. determine whether was accidental or intentional, and the severity of the violation.

compiled v runtime code

when an app is compiled, the compiler tests that the code is well formed. well formed does not just mean that the code will execute without errors, just that its syntax is compliant with the requirements of the programming language. for functional testing, code must be executed in its runtime environment. a runtime environment will use one of two approaches for exeution on a host system 1. compiled code is converted to binary machine language that can run independently on the target OS 2. interpreted code is packagd pretty much as is but is compiled line by line by an interpreter. this ofers a solution that is platform independent because the interpreter resolves the difference between OS types and versions. as well as the OS interpreter, the runtime environment will include any additional libraries containing functions called by the main program

file integrity check

when installing software from other sources, file integiryt checks can be performed manually using tools such as 1. certutil - hashfile File Algorithm- this is a built in Windows command where File is the input and Algorithm is one of MD5, SHA1, SHA256 or SHA512. You have to compare the value obtained to the published fingerprint manually (or by using a shell script) 2. File Checksum Integrity Verifier- this is a donwloadable Windows utility that can be used as an alternative to certutil. You can use the -v switch to compare the target ith the value stored in a file, add theumbrints to an XML database, and check to see if the has of a target file matches one stored in the database. 3. md5sum|sha1sum|sha256sum|sha512sum-- linux tools to calculate the fingerprint of a file supplied as the argument. You can also use the -c switch to compare the input file with a source file containing the pre computed hash 4. gpg- if a linux source file has been signed you need to use the publishers public key and the gpg utility to verify the signature file integirty monitoring for files that have already been installed and that could have been compromised.

penetration testing authorization

when testing on the production network, there are also difficult issues regarding employee privacy and data confidentiality to resolve, especially if the test involved third party consultants. if these issues are unresolvable, either the scope of the test will have to prohibit continuing to the point where actual personal or corporate data is compromised or the test will have to be run in a simulated environment. have to consider internet service providers, and legal considerations based on the company's presence in different geographies. all staff and contractors involved in the pen test must have written authorization to proceed. NDAs and confidentiality agreements must be in place

collision

where a function produces the same has value for two different inputs.

normalization

where an application accepts string input, the input should be subjected to nromalization procedures before being accepted. normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. this ensures that the string is in a format that can be processed correctly by the input validation routines

intrusive v non intrusive

whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type ie the scanner identifies vulnerabilities from its database by analyzing things such as build and patch levels or system policies. on the other hand, an exploitation framework is a means of running an intrusive scanning because it uses the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities which might involve considerable disruption to the target, including service failure, and risk data security

Intent/motivation

while assessing the risk that any one type of threat actor poses to your own organization, critical factors to profile are those of intent and motiviation. an attacker could be motivated by greed, curiosity or some sort of grievance. the intent could be to vandalize and disrupt a system or to steal something

application whitelisting

whitelist control means that nothing can run if it is not on the approved whitelist

Wi Fi enabled microSD cards

wi Fi enabled microSC cards can connect to a host WiFi network to transfer images stored on the card. straightforward to replace the kernel on this type of device and install whatever software the hacker chooses. this presents a hacker with a perfect device to use to perform network reconnaissance similar to th wifi pineapple.

band selection/width

wi fi products work in either the 2.4 GHz band or the 5 GHz band, or both. While band selection does not have a direct effect on the confidentiality or integrity of the network, it can affect availability and performance. 802.11a- legacy products working in the 5 GHz band only. 802.11bg- legacy products working in the 2.4 GHz band only. 802.11n- products can be either dual band (supporting both 2.4 and 5 GHz operation) or 2.4 GHz only. most are dual band but early 802.11n were single band only. 802.11ac- 5GHZ only. most APs supporting 802.11ac are dual band but use the 2.4 GHz band for legacy clients.

Hashing algorithm

widely used in computer programming to create a short representation of data. these functions are for things like checksums to ensure the validity of data. A cryptographic hash algorithm also produces a fixed length string, called a message digest, from a variable length string. The difference is that the function is designed so that it is impossible to recover the original message from the message digest and so that different messages are unlikely to produce the same digest ie collision. hash functions are used for confidentiality (to store passwords securely) and for authentication, non repudiation, and integrity (as part of digital signature) Two of the most commonly used cryptographic has algorithms are SHA and MD5

Bluetooth

widely used radio standard for wireless connectivity. devices can be configured with a passcode to try to prevent malicious pairing. a peripheral dvice connected to a bluetooth device can be used to launch highly effective attacks.

wildcard

wildcard domain-- the certificate is issued to the parent domain and will be accepted as valid for all subdomains (to a single level) wildcard certificates cannot be issued with Extended Validation (EV). when creating a web certificate it is important that the subject matches the Fully Qualified Domain Name (FQDN) by which the server is accessed, or browsers will reject the certificate. if using multiple certificates for each subdomain is impractical, a single certificate can be ussued for use with multiple subdomains by using a wildcard domain. this can cause problems with legacy browser software and some mobile devices. There is also greater exposure for the servers operating each subdomain should the certificate be compromised.

tracert

windows. trace route = linux. provides a simple means of probing the path from one end system (host) to another, listing the intermediate systems (routers) providing the link. To discover how subnets are connected by router (and whether any misconfigured gateways between the subnets exist). determines the route a packet takes to a destination. ICMP. Time to Live

spam filter

with blacklists, whitlists, SMTP standards checkking (rejecting email that is not strictly RFC compliant can block some spam, but can also block legitimate traffic), rDNS (reverse DNS lookup)-- rejecting mail from servers where the IP address does not match the domain in the message header or is a dyanmically assigned address, tarpitting-- introducing a delayed response to th SMTP session which makes the spammers server less efficient- in many cases the spamming software will simply give up, recipient filtering- blocking mail that is not addressed to a valid recipient email adress.

Consensus social engineering

without an explicit instruction to behave in a certain way, many people will just act as they think others would act. ie an attacker can persuade someone to do something that might seem off by saying "that is not something any one else has ever said no to" or by posting fake reviews to a malicious website

fire suppression

works on the basis of the Fire triangle. works on the principle that a fire requires heat, oxygen and fuel to ignite and burn and removing any one of the elements provides fire suppression and prevention

zones/topologies

zone-- in networking, an area of a network where the security configuration is the same for all hosts within it. topologies-- topologies-- a network specification that determines the network's overall layout, signaling, and dataflow patterns.