CISSP 2018 Flash Cards

Remote location in a different geographic location from the contracting organization

Off-shore

Graceful transition to a standby device is generally known as? 1: High availability (HA) 2: Fail-secure 3: Active/Passive Pair 4: Failover

4: Failover

Zero-day

A threat that is exploited and was unknown before it was detected

Security Evaluation Criteria

TCSEC, ITSEC, Common Criteria

The concept of separating interface and implementation

Abstraction

Industrial Control Systems

'Industrial Control Systems (ICS)' are computer-based systems that monitor and control industrial processes that exist in the physical world. ICS are either data-driven or operated remotely. Well-known industrial control systems include: -Distributed control systems (DCS) -Programmable logic controllers (PLC) -Supervisory control and data acquisition (SCADA)

Corrective

'Minimize' the 'impact' of a threat agent, or 'modify' or 'fix' a situation '(recovery)'

Advanced Encryption Standard (AES) (Rijndael)

128- or 192- or 256-bit key / 10 or 12 or 14 rounds of substitution and transposition -2002 replaced 3DES as a US Government Standard

Secure Staging Workflow

1: Dev 2: Test 3: Stage 4: Prod

CHAP Process

1: User enters login name and password at login screen
2: Workstation sends the user name (not password) to the authentication server
3: The authentication server verifies that the user name exists in its DB, generates a unique string of challenge text, and sends it to the user
4: The workstation login process receives the challenge text. The workstation hashes the user password, appends it to the challenge text, and hashes the entire string
5: The workstation sends the hash value to the authentication server
6: The authentication server looks up the user account and extracts the stored hash value of the user's password, appends it to the challenge text, and hashes the entire string
7: The authentication server compares its calculated hash value with the hash value received from the user
8: If the hashes are identical, the user is successfully authenticated. If the hashes are different, the authentication fails

The statement "password complexity must include upper case, lower case and at least one symbol" is best described as a? 1: Guideline 2: Standard 3: Baseline 4: Policy Statement

2: Standard

Which one of these attacks is most likely to result in data compromise? 1: RF interference 2: Signal jamming 3: Evil Twin 4: War chalking

3: Evil Twin

Triple DES (3DES)

64-bit key / 48 rounds of substitution and transposition using either 2 or 3 keys -1999 replaces DES as a US Government standard -Considered deprecated (weak)

Recommended temperature range for a Data Center

70-74F

Information Security Management Systems (ISMS)

A framework for designing, establishing, implementing, maintaining and monitoring an information security program in order to achieve the objectives of: Confidentiality, Integrity, Availability

Framework

A logical structure with the intent to document and organize processes.

Formula for ALE

ALE = SLE * ARO

Multicast wireless sensor network designed for "wearables"

ANT

Process of tracing actions to their source

Accountability

This hearing is conducted by a quasi-judicial body

Administrative

Airgap Isolation

Air-gap refers to computers or networks that are physically isolated from the Internet and from any other computers that are connected to the Internet. Air gaps generally are implemented where the system or network requires extra security, such as classified military networks or industrial control systems that operate critical infrastructure

Server Virtualization

Allocates the resources of the host to guest server (virtual) computers - The physical host computer hardware has processor, memory, storage, and networking components. Specialized software dynamically allocates resources - Guest computers (virtual machines) act exactly as though they are physical machines each with independent operating systems, applications, and network connections

SSL VPN Portal

An SSL VPN portal is a single connection to multiple services. - The user is authenticated by an SSL VPN gateway - The user is presented a web page - The SSL VPN tunnel can be used to access non-web based applications

Due Diligence

An investigation of a business or person generally before entering into a contract. It is the care and caution a reasonable person would take. Due Diligence must honor Due Care.

Threat model that focuses on system design

Architecture-centric

Process of securely storing unaltered data

Archiving

Examples include IP addresses, command and control connections, file changes

Artifacts

The stage of a DRP lifecycle that requires a non-biased independent review

Audit

Local Storage Security

Best practices include: - Encrypting data at rest - Securing network and communications interfaces - Implementing access control lists - Physically separate storage devices from other hardware and restricting access to switches - Monitoring (HIDS) - Implementing DLP - Having a backup and recovery plan

Bit by bit copy of source material that preserves all latent data

Bit Stream Image

Short, sturdy, vertical post used to divert traffic from an area

Bollard

Weaponization of devices for use in DDoS attacks

Botnet

Term applied to an algorithm or key that has proven to be exploitable

Broken

The term applied to an algorithm or key length known to be exploitable

Broken

The outcome of this attack is user impersonation

Broken authentication

Prolonged period of low voltage

Brownout

The basis of this type of investigation is a dispute between parties

Civil

Designed by the ISO - this is now a global evaluation criteria

Common Criteria

In this model, data owners decide subject access

DAC Discretionary Access Control

The term applied to multiple layers of controls

Defense in depth

Purging technique that uses a strong electromagnetic field

Degaussing

Term applied to a weak algorithm or key

Deprecated

Iterative & Incremental Project Models

Develop software by using 'repeated cycles (iteration)' related to adding specific functionality (incremental).
- The 'spiral' model is an iterative approach that emphasizes risk analysis and user feedback per iteration
- The 'Agile' model uses iterative and incremental processes that emphasize 'timebox team-based collaboration'
- Rapid application development (RAD) combines prototyping and iterative processes

An attack used to force a wireless device offline

Disassociation

This type of plan describes plans and procedures for recovering technology and facilities

Disaster Recovery Plan (DRP)

Legally enforceable software use agreement

EULA End User License Agreement

Attribute = why Objective = understanding

Education

How well a control works

Effectiveness

Resource Management

Efficient and effective use of resources.

Firewall term for outgoing

Egress

This group publishes the Unified Framework for Information Security Ethics

Ethics Working Group

Term given to the unauthorized release or removal of data

Exfiltration

Users

Expected to follow operational security procedures.

This type of trial witness is allowed to proffer an opinion

Expert witness

The decision state when abnormal activity is incorrectly identified as normal

False Negative

The decision state when normal activity is incorrectly identified as abnormal

False Positive

Type 1 Biometric Errors

False Reject Rate (FRR)

This procedure format requires decision making

Flowchart

Another name for a "virtual machine"

Guest

System Integrity

Implies that a system will work as intended. AKA Trustworthy computing.

Hijacking

Intercepting communications between two or more systems. Enables an attacker to eavesdrop, capture, manipulate, and/or reuse data packets

Risk Treatment

Is how an organization responds to identified risks--generally defined as actions taken to either 'accept' the level of risk or 'mitigate' the 'impact' of the undesirable or unfavorable outcome and/or enhance the likelihood of a 'positive outcome'.

The intersection of FRR and FAR

CER Crossover Error Rate

Organization in the US where vulnerabilities can be reported

CERT/CC

This authentication protocol relies on challenge text and a hashing algorithm

CHAP Challenge Handshake Authentication Protocol

First state in the US that required data breach disclosure and notification

California SB 1386 California Security Breach Information Act

This alternate site is basically an empty shell with HVAC and power

Cold Site

Evidence Collection and Preservation

Collection and preservation of physical and digital evidence is a critical aspect of forensic investigations. Rule of thumb -- assume evidence will be used in a court of law and act accordingly. - Preservation is key - Act in order of volatility - Maintain an evidentiary chain (chain of custody) for all physical and electronic evidence collected during the investigation

Data Compilation

Collection of data for "later use" to be determined.

This cloud deployment model is provisioned for the exclusive use of a well-defined group

Community Cloud

Role generally tasked with identifying applicable statutory, regulatory, and contractual requirements

Compliance Officer

Trustworthy Computing

Confidence that a system will act in a correct and predictable manner in every situation.

This security principle relates to unauthorized disclosure

Confidentiality

This type of assessment performs checks against guidance, best practices, and applicable standards

Configuration assessment

Process used to support the development, implementation, and maintenance of baselines and standards

Configuration management

Proxy Server Configurations

Normal / Forward Proxy, Transparent Proxy, Reverse Proxy

Process of integrating a new employee

Onboarding

Regulatory and Contractual Obligations

Organizations are responsible for complying with local, state, federal laws and regulations as well as agreements and contractual obligations. Consideration should be given to local customs, traditions, and practices (cultural, tribal and religious)

Payment card system information security contractually enforced framework

PCI DSS Payment Card Industry Data Security Standard

The endpoint in the release management process

PROD

Pretexting using email

Phishing

This type of control stops a threat agent from being successful

Preventative

Integrity

Principle that data and systems should be protected from unintentional, unauthorized, or accidental changes.

Specific instructions for carrying out a task

Procedure

Disk technology commonly used for fault tolerance

RAID

In this model, access is based on the subject's assigned roles

RBAC Role-based Access Control

Tokenization

Replaces sensitive data with non-sensitive substitutes known as tokens. - Tokenization does not alter the type or length of data - Tokenization requires less computational resources than encryption

Level of risk after controls are applied

Residual

Federal Information Processing Standard 199 (FIPS 199)

Requires that information and information systems be categorized as low, medium, or high security based upon confidentiality, integrity, and availability criteria:
- 'Confidentiality' as it relates to the impact of 'unauthorized disclosure' and/or 'unauthorized use'
- 'Integrity' as it relates to the impact of 'unauthorized modifications or destruction'
- 'Availability' as it relates to the impact of 'disruption of access to or use of the information'

Ability of a subject to take an action (e.g. install software)

Rights

An extension of SSH to provide secure file transfer capabilities

SFTP

Appending random text to a string prior to hashing

Salting

This configuration is used to segregate high risk mobile applications

Secure Container

Type of key used to create a digital signature

Sender's private key

Breaking a process into tasks and assigning the tasks to various personnel

Separation of duties

Breaking a task into processes that are assigned to different subjects so that no one subject is in complete control

Separation of duties

This IDS response is to ignore the event as not applicable

Shunning

Examination of non-running code

Static analysis

This code assessment is an examination of non-running code

Static analysis

Building

The building includes: - Any structure containing critical functions essential to operations - Any structure containing sensitive information - Access points into the structure

This service generates a TGT Access Token

Ticket Granting Service

Potential danger to an asset

Threat

Handheld device that synchronizes with an authentication server

Token

In this IPsec mode only the payload is encrypted

Transport

This malware family often appears to be a legitimate application

Trojan

Awareness program test measure

True/False Multiple Choice

Principles used by a SSAE18 SOC2

Trusted Service Principles (TSP)

The number of keys used in asymmetric encryption

Two

Number of drives used for RAID 1

Two - mirrored drives

Requires firmware updates to be digitally signed

UEFI Unified Extensible Firmware Interface

This software development project model emphasizes verification and validation at each phase

V-model

Process used to track files, source code, and configurations over time

Version Control

This malware family requires a host to replicate

Virus

Compromising a website or social media application frequented by the target

Watering Hole

Time, effort, and talent needed to achieve an objective

Workfactor

Tool that intercepts inadvertent drive writes

Write Blocker

[*] and Simple meaning

Write and Read

Symbol that indicates a registered trademark

®

Symbol that indicates an unregistered trademark

Control classification used to minimize the impact of a threat agent or fix a situation

Corrective

The process of tying individual log entries together based on related information

Correlation

This is the monetary value it takes to acquire, develop, maintain, or replace an asset

Cost

This is the use of a malicious script to transfer information objects between processes that are not supposed to communicate

Covert Channel

This solution is designed to detect and prevent data exfiltration

DLP

This host-based utility monitors program memory use

Data Execution Prevention (DEP)

EU Regulatory Compliance

Data Protection Directive / GDPR (EU), Cookie Law (EU)

Residual representation of data

Data Remanence

This phase of incident response focuses on identifying and analyzing IOAs and IOCs

Detection

Human

Disruption, manipulation, or compromise of people.

EU regulation that protects member data locally and abroad

GDPR General Data Protection Regulation

Using captured hashed credentials from one machine to successfully gain control of another machine

Pass-the-hash attack

Manipulating a trusted source of data

Poisoning

A table of precomputed hashes

Rainbow table

A previously unknown vulnerability for which there is no fix

Zero day

Remote access application that facilitates clear text connection to a remote system

Telnet

This type of VPN connection is transparent to the user

Always-on VPN

Controls boot up sequence

BIOS

These devices enforce enterprise security policies "in-the-cloud"

CASBs Cloud Access Security Brokers

Fixed length blocks of disk space

Cluster

SSO system embedded in Microsoft Active Directory

Kerberos

This report should always follow an exercise as well as a real event

Lessons learned

The first phase in a penetration test

Passive reconnaissance

Authentication factor that requires a physical device

Possession

Formal process used to make available code versions to various resources for simultaneous development

Provisioning

NFC is rooted in this technology

RFID

This document is used to solicit bids for a particular service or product and includes multiple criteria

RFP Request for Proposal

This process restores a system to an earlier point in time

Rollback

Requires that all boot loader components attest to their identity

Secure Boot

ISM Personnel

Should report as high as possible to maintain visibility, limit distortion, and minimize conflict of interest.

VPN tunnel configuration that allows the routing of some traffic over the VPN while letting other traffic access the Internet directly

Split tunneling

This is the worth of an asset to its owner

Value

Weakness that can potentially be exploited

Vulnerability

An objective of this type of assessment is to identify host attributes and known CVEs

Vulnerability Assessment

Where would you place an SSL Accelerator? 1: Inline with web servers 2: In the DMZ 3: In the cloud 4: On premise

1: Inline with web servers

Synthetic transactions are used to measure this. 1: Response time 2: Throughput 3: Reaction time 4: Workload

1: Response time

This networking protocol can report on who joined the network, how they were authenticated and how long they were on. 1: NTLM 2: RADIUS 3: TACACS 4: EAP

2: RADIUS

Digital Signature

A 'digital signature' is a message digest that has been encrypted using a private key. The goal of a digital signature is 'integrity' and 'non-repudiation'. - Integrity is the assurance that the data has not been modified - Non-repudiation means that the signer 'cannot deny' sending the message. Conversely, the receiver can trust that the message came from the named signer.

Degaussing

A 'purging' technique that requires a machine or wand that produces a strong electromagnetic field which destroys all magnetically recorded data.

Virtualization

A technology that creates multiple environments from a single physical hardware system. In essence, a single physical machine emulates multiple systems

Risk Register

A tool used to document organizational risks and ancillary details such as owner, treatment measures, and monitoring tasks

Code that performs a function on behalf of an application

Agent

Embedded System Components

An embedded system generally has three "closed loop" components. -System on a chip (SOC) -Real-time OS (RTOS) -APP

Change Management

Applies a formal process to accomplish change. Key tasks include: - Proposed changes are evaluated for risks and benefits - Changes are prioritized in alignment with business needs - Changes are tested and roll-back strategies at the ready - Changes are authorized - Configuration management baselines are updated

Degree of confidence that a system will act in a correct and predictable manner

Assurance

This is a formal independent assessment of a Business Continuity Plan

Audit

Granting users and systems a predetermined level of access

Authorization

This penetration test approach does not provide any details of the test environment to the test team

Black box

What key would Mary use if she wants to send an asymmetrically encrypted data packet to Bob?

Bob's public key

Brewer-Nash (Chinese Wall)

Brewer-Nash is a context-oriented commercial model designed to defend against conflicts of interest. -Access controls change dynamically depending upon a user's previous actions

In this type of key attack, every possible key is tested (subject to time and resources)

Brute Force

Conceptual boundary that controls how processes are executed

CPU Protection Rings

Radio frequency distributed network

Cellular

Name of the room where a physically isolated network would be located

Clean room

Tactic or strategy to reduce or eliminate a vulnerability and/or likelihood or impact of an exploit

Control

This mechanism can be used to reduce likelihood and/or impact

Control (Safeguard, Countermeasure)

Injection of malicious code that executes in a browser

Cross Site Scripting (XSS)

Joint Exercises

Cyber incident scenarios should be included in business continuity exercises - Executive cybersecurity incident simulation exercise (extortion, denial of service) - Incident coordination simulation exercise - Response team simulation exercise - Communication and notification exercise

A broad term given to criminal activity that involves the Internet, a computer system, a computer network, or technology

Cybercrime

Temperature

Data Centers (inclusive of server rooms and networking closets) need to be kept cool
- Recommended temperature for an area containing computing devices is between 70-74 degrees F
- Damaging temperatures: Computers > 175F, Magnetic Storage > 100F, Paper products > 350F

Data at a specific point in time

Data state

This IPS response appears to the attacker that it was successful

Deception

Extreme action that can be taken by (ISC)2 against a member

Decertification

Any action not explicitly allowed is denied

Default deny

This principle is expressed as "if not explicitly allowed, then access is denied"

Default deny

The intent of this model is to provide redundancy in the event that a security control fails or is exploited

Defense in depth / Layered defense

Multiple layers of controls

Defense-in-depth (Layered security)

Overwhelming system resources

DoS/DDoS

This term describes actions considered or taken due to threat of harm

Duress

Automated examination of running code

Dynamic analysis

Symmetric Recap

Feature - Attribute
# of Keys - Single shared key
Processing - Computationally efficient, fast
Strength - Difficult to break (large keys)
Scalability - Not scalable
Key Exchange - Inherently insecure

The category name for "lower level" models

Foundational

Primary reasons for job rotation and mandatory vacation

Fraud deterrent and detection

This key attack analyzes patterns

Frequency

Government and Sector Specific Regulations

GLBA, HIPAA | HITECH, FISMA

Determining the difference between RTO, RPO, and reality

Gap Analysis

The process of defining a virtual boundary around a specific physical area

Geofencing

The motivation for this adversary is to "make a statement"

Hacktivist

Hubs and Repeaters

Hubs and repeaters are OSI Layer 1 devices. - Repeaters amplify signals - Hubs retransmit a signal received on one connection point to all ports - Hubs are unsecure LAN devices (anyone can sniff the packets) that should be replaced with switches for security and increased bandwidth

#1 disaster response priority

Human health and safety

In an evacuation, the number one priority

Human life and safety

Business Continuity Planning Resources

ISO / IEC - ISO 22301:2012 Business Continuity Management Systems - Requirements
FEMA - Business and industry guidance
NIST - SP800-34 R1 Contingency Planning Guide for Federal Information Systems
ISACA - Business Continuity - Disaster Recovery Planning Tool
Other - Business Continuity Institute (BCI) - Management Resources - Disaster Recovery Institute International (DRII) Professional Practices

International Organization for Standardization (ISO) Certifications

ISO 9001 Certified means the company has met the requirements detailed in the ISO 9000 Quality Management Systems standard.
ISO 27001 Certified means an organization has met the requirements detailed in the ISO 27000 Information Security Management System standard.

Risk Treatment Options

Ignore - Act as if the risk doesn't exist
Avoid - Eliminate the cause or terminate the associated activity
Mitigate - Reduce the impact or likelihood by implementing controls or safeguards
Deter - Discourage the threat actor or adversary taking action
Share - Spread the risk among multiple parties
Transfer - Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
Accept - Acknowledge the risk and monitor it

Important Privacy-related Regulations

Regulation / Law - Impact
GLBA (US) - Financial records
HIPAA (US) - Medical records
FERPA (US) - Student educational records
Federal Privacy Act (US) - Data collected by the government
COPPA (US) - Online collection and use of data for minors under 13
GDPR (EU) - Citizen data privacy protection
Cookie Law (EU) - Website cookie information and consent requirements

Spoofing

Impersonating an address, system, or person. Enables an attacker to act as the trusted source and redirect/manipulate actions

Fail Safe - Fail Secure Principle

In event of an emergency, the organization's security structure must comply with safety, fire, and building codes Fail-safe implies that in an emergency situation, controls will default to open. Fail-secure implies that in an emergency situation, controls will default to locked.

Term that describes the placement location if it is in the flow of traffic

In-band (Inline)

This phase of incident management focuses on identifying threats and implementing controls

Incident preparation

This phase of incident management includes containment, eradication, and recovery

Incident response

This backup strategy resets the archive bit

Incremental

Secure against legal responsibility

Indemnification

Aggregation

Individual pieces of data are combined to create a bigger picture that may have greater sensitivity than individual parts.

Patch Management Best Practices

Industry patch management best practices recommendations include:
- Deploy a phased approach
- Standardize the process
- Always have a rollback plan
- Rollback restores the system to a chosen earlier point in time
- Report risks to management
- Align patch management with organizational needs for availability and risk tolerance level
Reference: NIST SP 800-40 rev3 - Guide to Enterprise Patch Management Technologies

Ability to derive information that is not explicitly available

Inference

Model that dictates that information should flow only in ways that do not violate the security policy of the system

Information Flow

Choose one correct answer in each drop-down list.
Information assets are generally classified by 1: Content 2: Severity 3: Confidentiality 4: Sensitivity
Infrastructure and physical assets are generally classified by 1: Asset value 2: Criticality 3: Context 4: MTD

Information assets are generally classified by 'Content'
Infrastructure and physical assets are generally classified by 'Criticality'

Term applied to using code to manage configurations and automate provisioning of infrastructure (e.g. build testing and staging servers)

Infrastructure as Code

Stream Cipher Components

Input = Plain Text
Keystream = Set of random values
- True Random Number Generators (TRNGs)
- Pseudorandom Number Generators (PRNGs) -- Initial seed
- Cryptographically secure Pseudorandom Number Generator (CSPRNG)
Function = XOR operation

There are four components of the Unified Framework of Professional Ethics for Security Professionals:

Integrity - Perform duties in accordance with existing laws, exercising the highest moral principles.
Objectivity - Perform all duties in a fair manner and without prejudice.
Professional Competence and Due Care - Perform services diligently and with professionalism.
Confidentiality - Respect and safeguard information and exercise due care to prevent improper disclosure

Security objectives of a digital signature

Integrity and Non-repudiation

Information Security Benchmark

Intended to help an organization identify their cybersecurity capabilities and initiative and compare those efforts to peers or competitors of the same sector or size.

This type of audit evaluates control objectives and controls

Internal Controls

Largest international police organization, with 192 member countries

Interpol International Criminal Police Organization

The objective of this test is evidence of enterprise readiness

Interruption (Full scale)

This program is responsible for documenting and tracking assets

Inventory management

Disruptive Technologies

IoT and access to real-time data are the foundation of the next generation of disruptive technologies including: -Machine learning (ML) -Autonomous vehicles -Block chain -Fog computing -Architecture that uses collaborative edge computing devices for local resource pooling (storage, communication, configuration and management) to achieve better QoS, data mining, and redundancy

Redundant Array of Independent Disks (RAID)

Is a disk technology that combines multiple disk drive components into a logical unit for the purposes of fault tolerance (data redundancy) and/or performance improvement

Software Development Lifecycle (SDLC)

Is a framework defining tasks performed at each step in the software development process
- ISO/IEC 12207 is an international standard for software life-cycle processes
Phase 1 - Feasibility Study
Phase 2 - Requirements Definition
Phase 3 - Design
Phase 4 - Development
Phase 5 - Final Testing & Implementation
Phase 6 - Implementation Support

Fibre Channel over Ethernet (FCoE)

Is a layer 2 standards-based protocol that allows Fibre Channel frames to be carried over Ethernet links - FCoE, network (IP), and storage (iSCSI) data traffic can be consolidated using a single network - FCoE is not routable at the IP layer

Attribute-based access control (ABAC) [Emerging]

Is a logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request - ABAC supports a complex Boolean rule set that can evaluate many different attributes - The policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language and the richness of the available attributes

Source Code Escrow

Is a mechanism for acquiring source code in the event that the vendor goes out of business or violates contractual obligations to maintain the code. A neutral, trusted 3rd party holds the source code. Benefits include: - Risk mitigation - Business continuity - Leverage

Extensibility

Is additional functionality or the modification of existing functionality without significantly altering the original structure or data flow (e.g. streaming media) - Open standard is a standard that is publicly available and can be freely adopted and extended

OAuth 2.0

Is an 'authorization framework' that enables 'applications' to obtain limited access to user accounts on an HTTP service such as Facebook or Twitter

Identity-as-a-Service (IDaaS) [Emerging]

Is an SaaS-based identity and access management solution. There are three core components: - Identity and governance administration (IGA) which is the provisioning of users to cloud applications - Access which includes user authentication, SSO and authorization supporting federation standards. - Intelligence which includes identity access log monitoring and reporting

Risk Tolerance

Is an acceptable variation in outcomes related to specific performance measures.

Procurement

Is the process of finding, acquiring, buying goods, services, or works from an external source, often via a competitive bidding process.
- Request for Information (RFI) is used to solicit advice in addressing and/or solving a problem
- Request for Proposal (RFP) is used to solicit bids (including approach, experience, capability, proof of concept, support) for a product or service
- Invitation to tender (ITT) is used when a product or service is known in advance and the objective is best price and/or service

Vulnerability Management

Is the process of identifying, mitigating, and responding to known or anticipated vulnerabilities and exposures - Up-to-date inventory of information assets (hardware, software, OSs, and ancillary devices) is the foundation of a vulnerability management program

Federal Rules of Civil Procedure

Key Federal Rules of Civil Procedure (FRCP) include:
- FRCP 33: Defines business records that are created or kept in electronic format as discoverable giving the requesting party access to them.
- FRCP Rule 37(e): Creates a safe harbor from sanctions if you did not preserve, and therefore no longer have, electronic data that's requested provided that certain conditions and circumstances are met.
- FRCP 16: Courts expect organizations to be ready for litigation, including being fluent in the IT and network architecture.

On Premise vs Cloud Decisioning

Legal/Regulatory/Contractual - Need to evaluate legal, regulatory, or contractual restrictions or obligations. For example: -Country where data is stored, processed, or transmitted -Required controls Infrastructure - Need to evaluate the required investment to build, maintain, and support the infrastructure Availability - Need to evaluate capability of resources and ability to provision additional resources. DR & BC - Need to evaluate synergy with disaster recovery and business continuity strategies and requirements Security - Need to evaluate security and privacy requirements

This phase of incident response focuses on improving plans and procedures

Lessons Learned

What key would Mary use to decrypt an asymmetrically encrypted data packet sent by Bob?

Mary's private key

Maximum time a process or service can be unavailable without causing significant damage to the business

Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO)

The process of dumping RAM

Memory Imaging

Operational Metrics

Metrics are a standard of measurement - Metrics allow us to move beyond subjective language and individual experience by providing a common framework for observation and comparison. - Operational metrics are used to measure effectiveness, efficiency, and performance and to make subsequent tactical decisions

This site is fully redundant with real-time data replication

Mirrored Site

This storage device connects to the network via IP, supports direct access (mapping), and addresses files by file name

NAS

Network Models

Network models describe layers of communication. From a security perspective, it is important to understand conceptually what happens at each layer, the dependencies, and the weaknesses. -The Open Systems Interconnection (OSI) reference model is structured into seven layers. - The OSI model was defined in 1984 and published as ISO/IEC 7498-1 - The TCP/IP (also known as the DoD) reference model is structured into four layers

Model that dictates whatever happens at one security level does not affect the security of other levels

Non-interference

This term describes changes that must go through the change management process

Normal Changes

Firewall ACLs

Permission - ALLOW or PERMIT to allow traffic. DENY to block traffic Protocol - Typically TCP or UDP (You can use IP to indicate both) Source - Where the traffic is coming from (host, range, wildcard, ANY) Destination - Where the traffic is going to (host, range, wildcard, ANY) Port - Listening port (e.g. HTTP is port 80) Deny - Last rule at the end of an ACL is to block any traffic that wasn't previously allowed. Can be a statement (explicit) or a command (implicit)

Determines what actions a subject can perform on a file or folder (e.g. read)

Permissions

This statement generally describes what information will be collected and how it will be used

Privacy statement

Intrusion Detection Systems

Proximity - Measures magnetic field Motion - Detects physical disturbance Photometric - Changes in light Passive Infrared - Changes in heat Acoustical - Changes in noise Contact - Electrical circuit is broken

Metadata that is created by a user and is hidden or embedded in a file

Pseudo Metadata

This cloud deployment model has no restrictions as to who can provision resources

Public Cloud

This key is freely distributed

Public key

The purpose of this team is to monitor the exercise, inject communication as necessary, and evaluate activity

Purple team

This risk assessment methodology uses descriptive terminology

Qualitative

This type of risk assessment uses descriptive terminology

Qualitative

Attackers use error message disclosure for this purpose

Reconnaissance

This command is used to edit the Windows registry

Regedit

This utility reports on access to USBs and CD/DVDs

Removable Media Control (RMC)

The objective of this attack is to capture and reuse data packets

Replay

Set of rules that dictate how long unaltered data must be kept

Retention

Hashing algorithm created by the NSA

SHA Secure Hash Algorithm

This protocol is used for remote host management

SNMP

Evacuation Safety Plans and Drills

Safety plans including evacuation routes and "safe locations" should be posted and personnel trained. - Assembly places should be pre-assigned - Evacuation, shelter-in-place, and lock-down drills practiced - If circumstances allow, personnel should be instructed to secure confidential material and take access control devices with them. - No matter what else is happening -- human life and safety is always the number one priority

Salting

Salts are values appended to the input to negate the value of rainbow tables.

This mechanism is used to isolate untrusted applications or files

Sandbox

Email Security

Secure POP3 Secure IMAP S/MIME

The benefit of adding SSL to IMAP

Secure authentication

Security Code Review

Security code assessment is the process of examining and testing source code to verify that the proper security controls are present and work as intended

Symmetric key that is used only one time

Session Key

Timeframe impact of awareness programs

Short-term

Incident Mgmt. Testing

Should be conducted on a periodic basis to assure readiness. - Exercises include tabletop and simulations - Participants should include the IMT team, external resources, and as applicable, executive management

A part of a system that, if it fails, will stop the entire system from working

Single Point of Failure (SPOF)

Space between the end of a file and the end of the cluster

Slack space

Targeted (to a group) version of phishing

Spear phishing

Mandatory implementation requirements (related to policies)

Standards

Original publication was the orange book -- followed by the rainbow series

TCSEC

This environment is used to merge code, isolate bugs, and measure performance and functionality

TEST

Common Vulnerabilities & Exposures

The 'Common Vulnerabilities and Exposures (CVE)' list is a database of information security vulnerabilities and exposures - The CVE provides a standardized identifier for a given vulnerability or exposure as well as a description, advisories, and recommended actions - cve.mitre.org - nvd.nist.gov

Network Virtualization (NSX)

The complete reproduction of a physical network in software - Network virtualization presents logical networking devices and services (e.g. logical ports, switches, routers, firewalls, load balancers, VPNs) - Virtual networks offer the same features and guarantees of a physical network with the operational benefits and hardware independence of virtualization

Use Cases (Hashing)

The objective of hashing is proving integrity. -Validate that a message has not been changed during transmission (message digest) -Verify that a file has not been altered (checksum) -Verify that a forensic clone is intact

Downstream Liability

The potential liability incurred by a company whose computer systems are compromised and become the source of harm.

Jurisdiction

The power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory. Jurisdiction considerations include: Privacy and security regulations (or lack of) Access of local governments to stored or transmitted data Attitudes towards "foreigners" Law enforcement

Data Protection -- Access Management

The primary objective of access management is to protect information and information systems from unauthorized access ('confidentiality'), modification ('integrity'), and disruption ('availability'). Access control models dictate how subjects (users) access objects (resources) or how objects access objects. Access control best practices dictate organizational behavior (e.g. dual control, separation of duty).

Corporate Governance

The system by which organizations are directed and controlled. Governance structures and principles identify the distribution of rights and responsibilities.

Asset-centric

The threat models begin by identifying asset value and motivation of threat agents

RPO unit of measurement

Time

This code testing determines if the application works as expected

Use Case (Positive testing)

Transmission of voice traffic over IP-based networks

VoIP

Process of seeking electronic data for use in a civil or criminal legal case

eDiscovery

Downgrade Attack

A 'downgrade attack' is an attack on a system or communications protocol that forces degradation to a lower-quality crypto mode (if available) designed for backward compatibility

Hashed MAC

A 'hashed message authentication code (HMAC)' is a hashed value that includes a symmetric key. -An HMAC cannot be reproduced without knowing the key. -An HMAC provides integrity and data origin authentication -HMAC is used by cryptographic protocols such as TLS and IPsec to verify the integrity of transmitted data during secure communications

Cybercrime

A broad term given to criminal activity that involves the Internet, a computer system, a computer network, or technology: Examples include data theft, data exfiltration, data modification, privacy violation, denial of service, command and control activity, and distribution and use of botnets. It is a global low-risk, high-reward venture.

Control

A control (sometimes called the countermeasure or safeguard) is a tactic, mechanism, or strategy that accomplishes one or more of the following: - Reduces or eliminates a vulnerability - Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability - Reduces or eliminates the impact of an exploit

Application Security Training

A critical first step to develop a secure application is an effective training plan that allows developers and programmers to learn secure coding principles and how they can be applied

Cryptographic Attacks

A cryptographic attack is the circumvention of a cryptographic system by exploiting a weakness in a code, cipher, cryptographic protocol, or key management scheme. - This process of finding a cryptographic weakness (vulnerability) is known as "cryptanalysis".

Quarantine and Remediation

A device that does not comply with the pre-admission policy is placed in a quarantine zone. 'Quarantine zone' options include: - Continue with limited access - Remediation to establish conformance with the pre-admission policy

Directory Services

A directory service is the centralized collection and distributed database (domain) of user data, computers, and trusted entities. Directory services include: - Lightweight Directory Access Protocol (LDAP) - Microsoft Active Directory (AD) which is Microsoft's implementation of LDAP LDAP attributes include: - Scalability (billion + user entries) - Distributable and synchronizable - Default LDAP port is 389, Secure LDAP is 636

Recovery Procedures

A disaster is not the time to figure out how to recover or restore a system, nor is it the time to determine inventory or search for vendor contracts. - All these items should be addressed beforehand and documented in recovery procedures and supporting documents. - Recovery procedures should include configuration information, contact information (including service contracts and SLAs) and recovery and resumption instructions - Appropriate access controls should be applied to recovery procedure documents

Disaster Recovery Plan Readiness

A disaster recovery plan (DRP) should be maintained in a state of readiness, which includes: - Personnel trained to fulfill their roles and responsibilities within the plan - Plans and strategies exercised to validate their content - Systems and system components tested on a scheduled basis to ensure their recovery and operability - Plan examination and auditing to ensure compliance with business objectives.

Supply Chain Disruption

A disturbance of the normal flow of goods, materials, and services in a supply chain. Example: facility damage, natural disaster, labor disputes, shortages etc

Extensible Authentication Protocol (EAP)

A general authentication framework. - There are more than 40 EAP-methods - EAP is widely used in 802.11 (wireless) networks

System and Data Recovery

A key component of disaster recovery is the capability to restore systems and data. Restoration requires that accurate and reliable copies of data and system configurations are maintained and tested. - Traditional backup strategies use removable media (generally tape) - Current/emerging strategies use local or remote online storage - Order of recovery should be related to the BIA

Mantrap

A mantrap is a two-tier barrier. Entry door on one side and an exit door on the opposite side. One door of a mantrap cannot be unlocked and opened until the opposite door has been closed and locked.

Regulatory Expectations

A number of regulations and contractual obligations either expect or mandate that organizations will conduct security assessments on a scheduled basis. For example: - GLBA mandates US financial institutions to undergo periodic assessment T&E - FISMA mandates US federal agency T&E - PCI DSS mandates participating merchant T&E - Cyber insurance policies may require T&E - Business agreements may require T&E

Self-signed Certificate

A self-signed certificate is signed by the person creating it. - The advantage is that there is no additional expense. - The disadvantages are that a self-signed certificate can easily be impersonated, will present the user with a warning message and cannot be revoked. - Use cases include an internal development server

SSL (TLS) VPN Gateway

A user connects to an SSL gateway or endpoint using a web browser - SSL/TLS capabilities are embedded in most web browsers

VM Escape Protection

A virtual machine escape occurs when a virtual machine and the host operating systems interact. This should never happen. - Over time, multiple exploited vulnerabilities have been identified. - It is essential that VM hosts are included in organizational vulnerability and patch management programs

Web Security Gateway (WSG)

A web security gateway is an application that operates as a proxy and can filter content, enforce rules, and inspect for malicious content at the application level (e.g. XSS exploits)

This symmetric algorithm is the current US government standard

AES/Rijndael

IPsec component that provides integrity but not confidentiality

AH Authentication Header

A sophisticated attack in which an attacker gains access to a network and stays there undetected for a long period of time

APT Advanced Persistent Threat

# of times an event is expected to occur in any one year

ARO Annualized rate of occurrence

This protocol is used for MAC to IP translation

ARP

No expectation of privacy statement should be included in this user agreement

Acceptable Use Policy (AUP) agreement

Accounting

Accounting is the logging of access and use of information resources.

Process Integration

Achieve operational synergies and efficiencies.

Acquisition Process

Acquisition is the process of getting something. Phase 1: Feasibility Study Phase 2: Requirements Definition Phase 3: Selection and Acquisition Phase 4: Configuration Phase 5: Final Testing & Implementation Phase 6: Implementation Support

This software development project model emphasizes a timebox team approach

Agile

Always-on VPN

An always-on VPN starts automatically as soon as a client device recognizes an Internet connection - Connection and authentication are transparent to the user - Non-compliant devices are rejected

Supply Chain

An ecosystem of organizations, processes, people and resources involved in providing a product or service. Represents steps taken to get the product or service to the customer.

Embedded System Defined

An embedded system is an electronic product that contains a microprocessor and software designed to perform a specific task. An embedded system can either be fixed or programmable -Embedded systems are found in consumer, cooking, industrial, automotive, medical, commercial, and military applications -Embedded systems range from very small personal devices to large-scale environments. For example, digital watches, health meters, printers/MFDs, camera systems, routers, sensor traffic lights, automotive safety, and industrial control systems.

Information Security Classification Policy

An information security classification policy should include the following statements (or equivalent) -The company will use a three-tiered data classification scheme of legally protected, internal use only, and public (example only) -The company will publish definitions of each classification -Each classification will have handling and protection standards -Asset owners are responsible for assigning classifications -Classifications will remain in force, regardless of the location or state of the asset at any given time

Background Check

An investigative report. It may include criminal, financial, credit and/or education history, workers compensation claims, and public records. The depth and breadth should specifically be related to job roles and responsibilities and level of access. The applicant has a right to privacy. Consent should always be requested.

Asset Definition

Any data, device, or other component of the environment that supports information or information system related activities. The 'value' of an asset is the worth of the asset to the owners, authorized users, and unauthorized users. -Asset value can include the cost of liability or compromise The 'cost' of an asset is the monetary value it takes to acquire, develop, maintain, or replace it.

This firewall operates at the 7th layer of the OSI model

Application Layer

Asset Custodian Responsibilities

Asset (system, data, and resource) custodian responsibilities include: -Implementing protection mechanisms -Monitoring for problems or violations -Reporting suspected incidents -Common custodian roles include network administrators, IT specialists, database administrators, application developers, application administrators, and librarians

This process results in independent evidence-based assurance

Audit

Positive identification of a person or system

Authentication

The process of proving an identity to an operating system or application

Authentication

Example of this SE principle "This is Detective Jones calling"

Authority

Key policy-related responsibility of the Board of Directors (or equivalent)

Authorization

Accumulation of access rights, permissions, and privileges over time

Authorization creep

Authorization

Authorization is granting users and systems a predetermined level of access to resources.

This feature is used to remove all data and applications on the device after a prespecified number of failed logins

Auto-wipe

Hardware/Firmware Security Components

BIOS - Basic Input Output System UEFI - Unified Extensible Firmware Interface Secure Boot - Secure Boot TPM - Trusted platform module HSM - Hardware security module FDE/SED - Full disk encryption/self-encrypting drives CPU Rings - Conceptual boundaries

Securing Embedded Devices

Best Practice for Evaluation & Security: -Research supply chain including chip manufacturer and operating system -Research available security controls -Immediately change the default credential -Implement strong authentication controls -Disable unneeded features and services -Disable clear text Telnet login and use SSH instead -Segregate embedded devices -Restrict remote access to devices -Include devices in patch management program

Beyond the Perimeter

Beyond the perimeter includes: - Information that can be obtained without breaching the perimeter/building - The area beyond the perimeter where protective security measures can be projected - Information or assets which are taken offsite and require protection

Finger scan is an example of this type of authentication

Biometric

Biometric Adoption

Biometric systems are the most trustworthy (even more so when combined with another factor); however, adoption has been influenced by cost, enrollment time, and user acceptance During the enrollment process, the biometric registration system takes multiple measurements and goes through a series of validation processes. - The measurements are either hashed or encrypted - Biometric systems may inadvertently detect drug usage, illness, and pregnancy

Biometric - Something You Are or Do

Biometrics refers to "human characteristics" Something you are is a physiological characteristic - Physiological biometric markers include fingerprints, fingerscans, retina scans, iris scans, facial recognition, vascular patterns, palm scans, and hand geometry. Something you do is a behavioral trait - Behavioral biometric traits include voice pattern recognition, keystroke dynamics, and signature dynamics Adoption and accuracy are the most significant implementation challenges

Shortwave low power technology based on 802.15

Bluetooth

The role of this body is primarily oversight and fiduciary. 1: Owners 2: Board of Directors (or equivalent) 3: Executive management 4: Chief Information Security Officers

Board of Directors (or equivalent)

Panoply of Plans (NIST SP 800-34 R1)

Business Continuity Plan (BCP) - Overall strategy and plan for sustaining the business Continuity of Operations Plan (COOP) - Business unit plan and procedures for operational activities Crisis Communication Plan (CCP) - Plan and procedures for internal and external communications Disaster Recovery Plan (DRP) - Plan and procedures for recovering technology and facilities Occupancy Emergency Plan (OEP) - Plan and procedures for minimizing loss of life and property Cyber Incident Response Plan (CIRP) - Plan and procedures for mitigating a cyber attack

Process used to identify essential services and MTD

Business Impact Analysis (BIA)

Controls Framework and Guidance

COBIT - Set of control objectives for IT management developed by ISACA and the IT Governance Institute ISO/IEC 27000 Series - International standards of developing and maintaining an information management system NIST SP800-53 - Set of controls to protect information systems belonging to the federal government and private subcontractors NIST Cybersecurity Framework - Designed for public and private use to enhance and measure cyber resilience SANS Critical Security Controls (CIS) - Recommended set of actions for cyber defense. A principal benefit of the CIS is that they prioritize and focus a smaller number of actions with high pay-off results.

Security Testing

Can be automated scanning, manual functionality testing, or a combination with the objective of identifying potential points of exploitation - Commonly tested exploits include input validation bypass, injection, XSS, parameter tampering, cookie poisoning, user privilege escalation, credential manipulation, directory traversal, backdoors and debug options, and configuration subversion.

Disaster Response

Can be either chaotic or orderly. The difference between these two scenarios is established procedures, assigned responsibilities, and practiced response. Disaster response has three immediate goals: - Protect the health and safety of employees, customers, first responders, and the public at large - Minimize damage to property and the environment - Evaluate the situation and determine the next steps

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Can be used for large scopes - Facilitated workshops involving business process teams - Developed at the Carnegie Mellon University Software Engineering Institute (CM SEI)

Connection Methods and Exploits

Cellular - Radio frequency distributed network //Denial of service attacks WiFi - Radio frequency contained network //Multiple (Lesson 30.3) SATCOM - Satellite communications network //Exploit of design flaws that can result in injection, interception, and manipulation Bluetooth - Shortwave network //Bluejacking and bluesnarfing NFC - Near field communication network //Eavesdropping, interception, and theft ANT - "Wearables" sensor network //Eavesdropping, interception, impersonation

In this architecture, the processing unit is a mainframe or terminal host

Centralized computing

A log that establishes evidence integrity

Chain of Custody

Related Infosec organizational roles include:

Chief Risk Officer (CRO) Chief Information Security Officer (CISO) Information Security Officer (ISO) Information Assurance Officer (IAO) or manager (IAM)

Class of fire that involves ordinary combustibles

Class A

Fire Classes

Class of fire / Type of Fire / Type of Extinguisher
A - Ordinary combustibles; wood, paper, rubber, fabrics, and many plastics / Water, dry powder, Halon
B - Flammable Liquids and Gases: gasoline, oils, paint, lacquer, and tar / Carbon dioxide, dry powder, halon
C - Fire involving Live Electrical Equipment / Carbon dioxide, Dry powder, Halon
D - Combustible Metals or combustible Metal Alloys / Special agents
K - Fires in cooking appliances that involve combustible cooking media: vegetable or animal oils and fats

Tricking a user into clicking on a button, picture, or link

Clickjacking

What it is called if a hash function produces the same output for two different inputs

Collision

Act that makes unauthorized access to US federal government, financial institution system, or any system used for interstate or foreign commerce a crime

Computer Fraud and Abuse Act

US federal laws specific to Computer Crime

Computer Fraud and Abuse Act National Information Infrastructure Protection Act of 1996 Wiretap Act Electronic Communications Privacy Act

Term applied when a computer is used in the act of committing a crime

Computer crime

Set of activities used to establish and maintain system integrity

Configuration Management (CM)

Center for Internet Security (CIS) Benchmarks

Consensus-based best practices for the secure configuration of a target system. NOTE: Widely accepted by government, business, industry and academia.

This phase of incident response focuses on minimizing damage

Containment

Asset sensitivity generally relates to this characteristic

Content

802.11 Security Protocols

Control / Authentication / Key / Encryption / Integrity / Status
WEP / Preshared Key (PSK) or open / 64- or 128-bit key. All users and services use the same key / RC4 Stream Cipher / 32-bit CRC Hash / Insecure
WPA / Enterprise RADIUS, certificate or Personal PSK / Separate keys (TKIP), 256-bit key / RC4 Stream Cipher / 64-bit MIC / Temporary fix, Superseded by WPA2
WPA2 / Enterprise RADIUS, Certificate, or Personal PSK / Separate keys, 256-bit key and block size / AES Block Cipher / CCMP / Current standard. Vulnerable if using Wi-Fi Protected Setup (WPS)

Locks

Conventional Lock - Key controlled cylinder - susceptible to "bumping" Pick Resistant Lock - Conventional locks that have complex and difficult to reproduce keys Cipher Lock - Uses a programmable key pad Electronic (digital) Lock - Cipher lock with centralized control and auditing capabilities Biometric Lock - Biometric recognition - may also require a key code

EU law that includes website inform and consent requirements

Cookie Law

Wi-Fi Protected Setup (WPS)

Created by the Wi-Fi Alliance and introduced in 2006, the goal was to make it easy to add new devices to an existing network without entering long passphrases - The PIN flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key - All WPS devices are vulnerable to unauthorized access if not kept in a secure area--an unauthorized user can connect by pressing the WPS button to command the router to make a WPS connection

The burden of proof for this type of case is "beyond a reasonable doubt"

Criminal

This type of plan includes procedures for internal and external communications

Crisis Communications Plan (CCP)

Expanded view of information security to include external relationships and global threats

Cybersecurity

Codependency

Cybersecurity and business continuity are codependent - Conduct regular joint plan review to establish hierarchy of plans - Collaborate in defining incident classifications and thresholds - Merge exercise program coordination efforts - Standardize communication and collaboration tools - Optimize after action (lessons learned) reporting

Automated tools designed to detect and prevent data exfiltration

DLP Data Loss Prevention

This solution is designed to prevent and report on malicious and/or accidental exfiltration

Data Loss Prevention (DLP)

Acceptable Use Policy Elements

Data Protection - Data classification and handling standards Authentication - Login requirements including password standards and use of tokens and/or biometrics Application - Procurement, installation, and licensing Communication - Written and verbal communication use and limitations (including personal email) Internet - Use, activity, and engagement (including social media) Mobile Device - Use, configuration, activity, and device protection Remote Access - Use, configuration, activity, and physical security Incident Reporting - Instructions on how to spot and report suspicious activity

Combining data from different operational systems for further analysis

Data Warehousing

BI Components

Data Warehousing - Combines data from different operational systems so that the data can be queried and analyzed over time Data Mining - Process of analyzing data with tools that look for trends, patterns, correlations, or anomalies resulting in metadata Predictive Analytics - The use of data, statistical algorithms, and machine learning techniques to identify the likelihood of future outcomes based on historical data Aggregation - Data is presented in a summarized format

The term used to describe a situation where data is exfiltrated, extracted, or there is a loss of internal control

Data breach

Unintentional distribution of data

Data leakage

DLP Automation

Data loss prevention (DLP) automated tools are designed to detect and prevent data exfiltration ('unauthorized release or removal of data') -DLP technologies locate and catalogue data based on a predetermined set of handling standards -DLP tools monitor target data while in use, in motion, and at rest

Process of analyzing data for metadata

Data mining

Combining multiple datasources into a larger database for retrieval and analysis

Data warehousing

The log analysis process of filtering out duplicate entries or noise

Deduplication

This type of credential should always be changed before putting a system or application into production

Default

Intellectual Property (IP)

Describes a wide variety of property created by musicians, authors, artists, designers, and inventors. Intellectual property can be used in commerce or can be artistic or literary work. Intellectual property law includes patents, trademarks, copyrights, trade secrets, and software licensing.

Software development model that couples IPPD and Agile processes

DevOps

ISO/IEC 15408 Common Criteria

Developed in 1993 by the ISO, the 'Common Criteria' provides a universal structure and language for expressing product and system requirements -Incorporates components of TCSEC, ITSEC, CTCPEC (Canadian Trusted Computer Product Evaluation Criteria), and various Federal criteria -The Common Criteria evaluates products against a protection profile -Common Criteria rating categories are 'functional' and 'assurance' -Results are published in a certified products list

In this architecture, there is no central authority and each node is responsible for its own security

Distributed system

Match the following access control concepts Terms Dual control Need to know Authorization creep Default deny Separation of duties Definitions - Accumulation of access rights and permissions over time - Demonstrated reason for requiring access - Any access or action not explicitly allowed - is forbidden - Breaking a task into separate processes that are assigned to different subjects - Requiring more than one subkect to complete a specific task

Dual control - Requiring more than one subject to complete a specific task Need to know - Demonstrated reason for requiring access Authorization creep - Accumulation of access rights and permissions over time Default deny - Any access or action not explicitly allowed - is forbidden Separation of duties - Breaking a task into separate processes that are assigned to different subjects

Which term best describes the reasonable care and caution taken before entering into a contract or agreement? 1: Due diligence 2: Director duties 3: Downstream liability 4: Due care

Due diligence

A variant of this authentication protocol is used in 802.11 wireless networks

EAP Extensible Authentication Protocol

Incident Response (IR) Process - Eradication

Eliminate components of the incident - Examples include deleting malware, disabling breached accounts, mitigating associated vulnerabilities

Removing Unused Programs

Every application has potential vulnerabilities. Applications advertise via listening ports. If the application is not being used, uninstalling it reduces the potential attack surface. - Make sure to remove all components and earlier versions. - If an application is required, ensure that it is included in your vulnerability and patch management programs

Workplace Safety

Every organization has a responsibility to protect personnel and provide safe workplaces. Workplace safety planning includes: - Realistic threat analysis - Written procedures - Awareness training - Drills Workplace safety also extends to privacy, monitoring, travel, and off premise work environment

Static Code Analysis

Examination of non-running code (static) for vulnerabilities

Dynamic Analysis

Examination of running code for vulnerabilities (automated)

Security Code Review

Examination of source code to verify that the proper security controls are present and work as intended

US federal government classification system

FIPS 199

These US rules apply to electronic evidence, preservation, and presentation

FRCP Federal Rules of Civil Procedures

Capacity of a system to operate even if one or more components fail

Fault Tolerant

Perimeter Gates and Fences

Fencing is the first line of non-natural defense Fencing height guidelines: - Fences 3-4 feet tall deter casual intruders - Fences 6-7 feet are too tall to easily climb - Fences 8 feet and taller deter more determined intruders especially when augmented with razor and electrical wire There are 4 Underwriters Laboratory (UL) rate classes of gates (1-4). Each step up requires additional levels of protection - Gates may be opened via an access control system

One of the events this utility reports on is changes to DLLs

File Integrity Checker (FIC)

Filters

Filters are designed to evaluate requests, content, or instructions - Filters can be implemented as hardware appliances or software applications/utilities - Filters can be stand-alone or integrated security services

Information Security Models

Focus on interactions and provide structure and rules to be followed to accomplish a specific objective (e.g. confidentiality, integrity, and availability) -Foundational (lower level) models include State Machine, Non-Interference, and Information Flow -Relationship (higher level) models include Bell-LaPadula, Biba, Clark-Wilson, Harrison-Ruzzo-Ullman (HRU) and Brewer Nash

Storage Media Management

Focuses on protecting local, cloud, and removable storage with a focus on access and environmental controls

Fuzzing

Fuzz testing, or fuzzing, is an automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called 'fuzz', and monitoring the application response - A fuzzer is a program that automatically injects data into a program/stack

Process of determining an object's position based on its latitude and longitude

Geolocation

In this architecture, resources are shared in such a way to appear to be one large computer

Grid computing

Set Security Policies

Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment

Designed to help users understand and conform to a policy or standard

Guidelines

Match the following terms: Term: HRU Clark-Wilson Brewer-Nash Bell-LaPadula Biba Definitions -Conflict of interest defense -Integrity enforced by access permissions -No read up. No write down -No read down. No write up -Access triple

HRU - Integrity enforced by access permissions Clark-Wilson - Access triple Brewer-Nash - Conflict of interest defense Bell-LaPadula - No read up. No write down Biba - No read down. No write up

Physical device whose function is cryptoprocessing

HSM Hardware Security Module

User Training

Handling standards should be succinctly documented in a usable format. -Handling standard compliance should be referenced in the Acceptable Use Policy -Users should be introduced to handling standards during the onboarding process. -Handling standards should be reinforced throughout the user lifecycle

This term is applied to the process of configuring security related settings and minimizing vulnerabilities

Hardening

Cryptographic technique used to prove integrity

Hashing

Humidity and ESD

High humidity can cause corrosion and low humidity can cause excessive static electricity. - Relative humidity between 45-60% is acceptable for areas that are processing data. - Electrostatic discharge (ESD) is the release of static electricity when two objects touch. ESD can damage or destroy electronic components. - ESD can be minimized by the use of antistatic grounding workbenches, mats, bags, and wristbands - Electrical storms can increase the ESD risk

Policies

High-level statements (governance communications) intended to communicate rules and expectations and to provide direction. Standards, baselines, guidelines, and procedures support the implementation of a policy.

Honeypots and Honeynets

Honeypots are decoy systems used to attract and examine attacker-activity and techniques - 'High-interaction' honeypots are "live" systems - 'Low-interaction' honeypots emulate the production environment 'Honeynets' are multiple linked honeypots that simulate a network environment

This software monitors and restricts local host ingress and egress traffic

Host Firewall

This host-based software reports on local suspicious activity

Host Intrusion Detection (HIDS)

Circulation pattern where rows of server racks are oriented so that the front of servers face each other

Hot / Cold aisle

This configuration supports adding a component without interruption

Hot Plug

HTTPS

Hypertext Transfer Protocol (HTTP) is the underlying protocol used by websites and defines what actions browsers and webservers should take in response to commands. HTTP is a clear text protocol and subject to eavesdropping, replay and MiTM attacks. - HTTPS (Hypertext Transfer Protocol Secure) is an extension to HTTP that adds support for SSL and TLS in order to encrypt communications between a browser and a website (TCP port 443) - Use case: secure web connectivity and authentication

Software or firmware components that can virtualize system resources

Hypervisor

Business process related to provisioning, education, auditing, and deprovisioning

IAM Identity and Access Management

These systems monitor processes in the physical world

ICS Industrial Control Systems

Entrance / Exit Access Control

ID Card / Badge - Identification card with or without picture (non-electronic) Smart card - Card with integrated circuitry used in conjunction with a card reader Biometric - Use of biometric technology to identify and authenticate a person Access Logs - Requirement to document access (sign in / sign out) Audit Logs - Logs generated by smart and biometric systems Mantrap - Two tier barrier

Network Access Devices

IDS / IPS (Network) - Monitors and reports on intrusions (IDS) and can take action (IPS) Firewalls - Controls ingress and egress traffic Filters - Filters access (e.g. SPAM, Content, DLP, URL) Proxy - Acts on behalf of a client (e.g. forward, transparent) WSG - Web Security Gateway

Email Security -- Secure IMAP

IMAP is used to receive email from an email server to a local email account - Downloaded files remain on the email server -- important if you use multiple devices to access email - IMAP allows clear text authentication (port 143) - Use case: Secure IMAP is an extension of IMAP that supports SSL/TLS for secure login (port 993)

Proactive early warning sign that an attack may be imminent or already underway

IOA Indicator of Attack

Proactive early warning sign of an attack

IOA Indicator of an Attack

Evidence that a system or network has been compromised or exploited

IOC Indicator of Compromise

Substantive or corroborating evidence that a system or network has been exploited

IOC Indicator of Compromise

This protocol is used for addressing and routing

IP

VoIP Related Terminology

IP Convergence - IP as the standard transport for transmitting all information VoIP - Transmission of voice traffic over IP based network IP Telephony - Full suite of VoIP enabled services previously provided by a PBX

IPsec

IPsec is the de facto standard for IP based VPNs - Host-to-host, host-to-site, and site-to-site connections - Native to IPv6 and a bolt-on to IPv4 - Uses cryptography to provide authentication, integrity, confidentiality, and non-repudiation

Sector-specific member-driven information sharing organizations

ISACs Information Sharing and Analysis Centers

Information Sharing and Analysis Centers (ISACs)

ISACs collect, analyze and disseminate actionable sector specific threat information to their members and provide members with tools to mitigate risks and enhance resiliency. The concept of ISACs was introduced and promulgated pursuant to Presidential Decision Directive-63 (PDD-63), signed May 22, 1998, after which the federal government asked each critical infrastructure sector to establish sector-specific organizations to share information about threats and vulnerabilities. nationalisacs.org/member-isacs

The process of maintaining awareness of ongoing vulnerabilities, threats, and risks

ISCM Information Security Continuous Monitoring

Developed by a European consortium to evaluate functionality and assurance independently

ITSEC

US Fair Credit Reporting Act (FCRA)

If a consumer report is a factor in a negative hiring decision (adverse action), the applicant is entitled to know the source of information used against them.

Match the following items Terms: Impact Threat Risk Exploit Vulnerability Definition: -Potential danger -Taking advantage of a vulnerability -Magnitude of harm -Measurement of impact and likelihood -Weakness

Impact - Magnitude of harm Threat - Potential danger Risk - Measurement of impact and likelihood Exploit - Taking advantage of a vulnerability Vulnerability - Weakness

Implementation

Implementation objective is to use tools and methodologies uniformly. Reports should be generated for the intended audience. - Automation is employed whenever possible - Interoperable data specifications (e.g. XML and SCAP) are used so data can be collected once and reused as applicable - Operational processes such as patch management are informed by and complement (not replaced by) the ISCM process

Data Integrity

Implied information is known to be good, and that the information can be trusted as being complete, consistent, and accurate.

Managing Risk

Implies that the level of risk is understood, and is either accepted or being actively controlled (treated) and in either case, monitored.

CERT Information Sharing & Disclosure

In the US, identified flaws can be reported to the CERT Coordination Center (CERT/CC). CERT/CC serves as a coordinating body that works with affected vendors to resolve vulnerabilities. - "Vulnerabilities reported to the CERT/CC will be disclosed to public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors" - "Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure"

CDN Hybrid Mode

In the hybrid CDN model, content is served using both dedicated servers and peer-user-owned computers. - Threats include bandwidth usage, P2P distribution of malware, and the introduction of executable files and unauthorized system access - Mitigating controls include firewall restrictions, QoS, and user security awareness training.

This term is used to describe a set of instructions for planning for and responding to a specific scenario

Incident playbook

Handling Standards

Inform custodians and users how to protect the information they use and systems they interact with. -Handling standards dictate by 'classification' level how information must be stored, transmitted, communicated, accessed, retained, and destroyed. -Handling standards may extend to incident management and breach notification -Handling standards extend to automated tools such as DLP (data loss prevention) solutions.

ISM Responsibilities

Information Security Management (ISM) responsibilities: Being a subject matter expert and security champion Managing the information security program Communicating with executive management Coordinating the budget for information security activities Ensuring the development and upkeep of governance documents

Security objective of hashing is to prove this

Integrity

Security principle related to hashing

Integrity

This security principle relates to unauthorized modification

Integrity

Trademarks

Intended to protect recognizable names, icons, shape, color, sound, or any combination used to represent a brand, product, service, or company Trademark law created exclusive rights ® is used to indicate a registered trademark ™ is used to indicate an unregistered trademark A servicemark ℠ is used to identify a specific service A trademark or service mark can be renewed every 10 years

This testing evaluates the connection between two or more components

Interface testing

Intruder Incident Response

Intruder access to physical devices can result in a successful attack and exploit - Users should be trained to recognize and report suspicious activity. Users should question intruders only in safe situations - ONLY trained personnel should confront an intruder

Uniquely identified physical devices that have embedded computing system, sensors, actuators and network connectivity

IoT Internet of Things

Identity and Access Management (IAM)

Is a business process with the objective of "enabling the right individuals to access the right resources at the right times and for the right reasons" - IAM functions include provisioning, education, auditing, and deprovisioning - IAM functions take place throughout the employee lifecycle - IAM functions are a shared responsibility - Managers, owners, HR, IT, physical security, information security, and audit

Multiprotocol Label Switching (MPLS)

Is a scalable, protocol-independent transport technique for high performance networks. - Operates between OSI Layers 2 and 3 - Data packets are assigned labels (tags) - MPLS label edge routers (LER) make packet forwarding decisions based on the short path label contents and quality of service (QoS) requirements - The LER at the outbound point in the MPLS cloud removes the label and forwards the packet using standard IP routing information

Configuration Management (CM)

Is a set of practices designed to ensure that configuration items are deployed in a consistent state and stay that way through their lifetime

Something You Know

Is a shared secret known to the user and the authentication system - Passwords, passphrases, and PINs are data strings (letters, numbers, symbols) - Cognitive passwords (challenge questions) utilize a preselected question and answer based on fact, opinion, or memory - Out-of-wallet passwords (challenge questions) are answers to questions derived from subscription databases

Security Assertion Markup Language (SAML)

Is an open standard that provides user authentication and authorization services - One-to-many model End user (Principal) Identity Provider (IdP) - SAML-compliant authentication service Service Provider (SP) - SAML-compliant web application

Legal Hold

Is an order that suspends the modification, deletion, and/or destruction of records and media. - A legal hold can be issued to avoid evidence spoliation - Evidence spoliation is the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying evidence

Digital Evidence

Is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device including: - Device memory - Media such as hard drives, USBs, tapes, and other storage devices - Logs, records, and audit trails - Text messages, emails, pictures and videos, and internet searches

Vulnerability

Is defined as a hardware or software weakness that can potentially be exploited. Common examples of vulnerabilities include: - Operating systems and application flaws - Broken versions - Weak ciphers - Improper input/output handling - Poor coding

Supply Chain Dependency

Is defined as the reliance on a source to provide a product or service.

Virtual Private Network

Is designed to facilitate secure remote access communication over a public network. - VPNs are a cost effective alternative to dedicated point to point connections by transforming the Internet into a secure circuit

Session Initiation Protocol (SIP)

Is designed to manage multimedia connections such as VoIP, video calls, and instant messaging over IP. - SIP provides 'integrity protection' by utilizing MD5 hash functions - SIP supports 'encryption mechanisms' including TLS. - SIP privacy extensions include callerID suppression

Redundancy

Is duplication of critical components or functions with the intention of increasing reliability and mitigating the risks associated with single point of failure (SPOF) - Redundancy can be configured to require manual intervention (e.g. spare parts) or to be automatic (fail-over) - 'Passive' (standby) components are inactive until a failure occurs - 'Active' components operate in parallel with the primary system to provide continuous service without noticeable interruption

Location - Somewhere You Are

Is location based - either physical or logical - A physical location can be geographic or situated in proximity to a specific device - A logical location is an IP Address

Authorization Creep

Is the accumulation of access rights, permissions, and privileges over time. - Promotions, lateral moves, cross-training and temporary coverage may contribute to authorization creep.

Fault Tolerance

Is the capability of a system to continue to operate in the event of failure of one or more system components. - Fault tolerant systems rely on redundant components (e.g. power supply, disk storage) - Components are continually monitored for availability - Failures are transparent to users (with the exception of potential degradation of service)

Swapping

Is the process of replacing a failed component - 'Warm swap' is the ability to insert and remove hardware while the system is in a suspended state - 'Hot swap' is the ability to insert and remove hardware while the system is running - 'Hot plug' is the ability to add a component without interruption

Exploitation

Is the stage where the testers exploit target systems to compromise them. Depending upon the ROE, this phase may be undertaken as "proof of concept" or actual exploit - 'Persistence' is the act of installing or modifying services, installing malware or rootkits, creating backdoors, and/or creating accounts that will survive reboots. - 'Pivoting' is the act of using a weakness on one system to access a better protected system - 'Escalation of privilege' is the act of exploiting a vulnerability to gain elevated access to a resource

Risk Assessment

Is used to identify inherent risk, the control environment, known vulnerabilities and exposures, threat likelihood and impact and ultimately, the residual risk to the organization - Application security risks include unauthorized access (confidentiality), unauthorized or unintentional modification (integrity), and disruption (availability). - The risk assessment methodology can be qualitative, quantitative, or hybrid - Risk management options include acceptance, mitigation, sharing, transfer, and avoidance

Risk Appetite Statement

It is a board (or equivalent) approved governance document designed to provide guidance on the levels of risk that constituents are empowered to take. Risk appetite definitions can provide consistency in the decision-making process. It enables people to take well calculated risks when opportunities arise, and conversely, to identify when a more cautious approach should be taken to mitigate a threat.

Denial of Service Attack

Jamming - Overwhelming wireless frequencies with illegitimate traffic - Frequency becomes unavailable for legitimate traffic Disassociation (aka Disauthentication) - Spoofing a disassociate message which forces a device to reassociate - Device is continually "knocked offline" - Can be used as a precursor to an Evil Twin attack

Compliance Officer, Information Security Officer, Privacy Officer

Joint responsibility for identification of and ensuring compliance with applicable organizational, regulatory, and contractual security and privacy requirements.

Cryptanalysis Approach

Known Ciphertext - A sample of ciphertext is available without the plaintext associated with it Known Plaintext - A sample of ciphertext and the corresponding known plaintext is available Chosen Plaintext - Can choose the plaintext to get encrypted and obtain the corresponding ciphertext Chosen Ciphertext - Can select the ciphertext and obtain the corresponding plaintext.

MPLS device that makes packet forwarding decisions

LER Label Edge Router

Labeling Objective

Labeling is the vehicle for communicating the assigned classification to custodians, users and applications (e.g. access control, DLP). -Labels make it easy to identify the data classification -Labels can take many forms: electronic, print, audio, or visual. -Labels should be appropriate for the intended audience. -Labels transcend institutional knowledge and provide stability in environments that experience personnel turnover

Digital Certificates

Mechanisms used to generate a private key and to associate a public key with a collection of components sufficient to authenticate the claimed owner. - The X.509 standard defines the certificate format and fields for public keys - The X.509 standard defines the distribution procedures. - The current version of X.509 for certificates is v3 - Certificates use object identifiers or OIDs which are globally unambiguous persistent names

Data "about data"

Metadata

Exploit Tools

Metasploit - Attack simulator Wireshark - Protocol analyzer W3AF - Web application attack Backtrack - Packet sniffing and injection Cain & Abel - Cracking encrypted passwords or network keys SQLmap - Exploiting SQL injection

Standard of measurement

Metrics

Incident Response (IR) Process - Containment

Minimize the damage - Examples include shutting down a system, disconnecting it from a network, disabling certain functions

This type of testing identifies if an application can shut down gracefully if it encounters unexpected behavior

Misuse case

Name given to controls used to reduce risk

Mitigating

Performance Measurement

Monitoring and reporting on achievements.

Multimedia and Content

Multimedia includes (but is not limited to): - Remote (virtual) meetings - Instant messaging and chat services - Content distribution networks (CDN)

This function maps private IP addresses to public IP addresses

NAT

Organization that formalized the ISCM program for federal agencies

NIST (SP 800-126)

This US framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk

NIST Cybersecurity Framework

Information Security Continuous Monitoring (ISCM)

NIST SP800-137 defines ISCM as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management solutions - The ISCM process was designed to support the NIST risk management framework requirement for on-going and iterative monitoring

The US government repository of standards-based vulnerability management data

NVD National Vulnerability Database

The motivation for this adversary can be disruption, IP theft, influence, fear and/or sabotage

Nation-state

Primary US federal anti-hacking statute

National Information Infrastructure Protection Act

NFC

Near Field Communication (NFC) is a short-range wireless technology that requires close proximity and/or device contact. NFC is rooted in RFID technology -NFC is used in commerce (e.g. contactless payment systems such as Apple Pay), smartphone (sharing contacts, photos, videos or files), identity and access tokens, and gaming -Range is less than 20 cm -Security concerns include eavesdropping, interception, and theft

Commonly used privacy framework

OECD Privacy Principles

The purpose of this plan is to create a safe environment for building occupants

Occupant Emergency Plan (OEP)

Provisioning Lifecycle Phase 1

Onboarding, Account Request, User Agreement, Credential Management - Account creation request. Request may be directed in house or to an IDaaS provider - User agreements are signed -- AUP / Confidentiality agreement - User accounts created and group membership established - Credentials assigned - Orientation training

Intellectual Property Law

Patents Trademarks Copyrights Trade Secrets

All merchants that accept payment cards are required to comply with this standard

Payment Card Industry Data Security Standard (PCI DSS)

The objective of this test is to exploit (actual or proof of concept) weaknesses

Penetration Test

The act of activating malware or configuring services that survive a reboot

Persistence

Frames contain what type of addressing

Physical

Cryptographic Terminology - Cipher

Plaintext (cleartext) - Human readable text Ciphertext - Encrypted and/or human unreadable text Cipher - A technique that transforms plaintext into ciphertext and back to cleartext Algorithm - A cryptographic algorithm is a mathematically complex modern cipher Stream Cipher - Algorithm that works with one bit at a time Block Cipher - Algorithm that works with blocks of data

443 is an example

Port

The use of data mining, algorithms, and machine learning to identify the likelihood of future outcomes

Predictive analytics

This phase of incident response establishes and exercises incident management capability

Preparation

A private sector classification often used to identify intellectual property

Proprietary

In a firewall ACL, this is expressed as TCP, UDP, or IP

Protocol

Rainbow Tables

Publicly available tables of precomputed hashes.

Qualitative

Qualitative risk assessments use descriptive terminology such as high, medium, and low or normal, elevated, and severe

This type of risk assessment uses numeric and monetary values

Quantitative

Quantitative

Quantitative risk assessments assign numeric and monetary values to all elements of the assessment

RADIUS vs TACACS+

RADIUS Protocol - UDP or TCP Ports - 1812 & 1813 or 1645 & 1646 Encryption - Only the password Combines authentication and authorization Primary use - Network access TACACS+ Protocol - TCP Ports - 49 Encryption - Entire payload Separates authentication and authorization Primary use - Device administration

This exercise is conducted primarily to check procedure accuracy and familiarity

Read through (Desk Check)

Management validates that rights and permissions assignment are correct

Recertification

This alternate site is based on an agreement with another facility

Reciprocal Site

Metric related to the amount of time allocated for system recovery

Recovery Time Objective (RTO)

Team Descriptions

Red Team - External entities that emulate the behaviors and techniques of likely attackers Blue Team - Internal security team (defenders) Purple Team - Independent 3rd party that monitors both teams in real time, evaluates activity, if applicable, facilitates communication, and recommends enhancements

Duplication of components

Redundancy

eDiscovery (also called electronic discovery)

Refers to any 'process' in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. -Federal Rules of Civil Procedure (FRCP) and Federal Rules of Evidence (FRE) apply to the process of preparing and producing electronically stored information (ESI), as well as for resolving related disputes.

eDiscovery

Refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. - Federal Rules of Civil Procedure (FRCP) and Federal Rules of Evidence (FRE) apply to the process of preparing and producing electronically stored information (ESI), as well as for resolving related disputes

Trade Secrets

Refers to proprietary business and technical information, processes, designs, or practices that are confidential and critical to a business Trade secrets do not require any registration and remain the only legal control for IP to remain undisclosed An organization has to take reasonable steps to protect its secrecy

Order of Volatility

Refers to the acquisition of evidence before it disappears, is overwritten, or is no longer useful. The goal is to create a snapshot of the environment as it existed at the time of the attack or incident. For example: - Dynamic data (RAM) - Dump files - Temp files - Log files - Static data (media)

In this type of XSS attack, the user is manipulated into sending a malicious string to the webserver

Reflected

Regulatory Framework

Reflective of regulatory expectations and examination requirements. Well known Framework: FDIC Cybersecurity Assessment Tool (CAT)

Replication Strategies

Replication is an automated process that streams copies of data to one or more locations in real time or near time Point-in-Time - Periodic snapshots replicated. If replicated, snapshots are pointer-based, just changes transmitted Asynchronous Replication - Write is considered complete as soon as local storage commits. Remote storage updated with a slight time lag Synchronous Replication - Data written in two locations (local and remote). Both write operations must successfully complete before the system can proceed. Guaranteed zero data loss

Controls Guidance

Resources for researching and selecting controls include: -NIST Special Publications 800 Series -NIST Federal Information Processing Standards (FIPS) -NIST National Cybersecurity Framework -National Security Agency (NSA) IA Mitigation Guidance -ISO 27002:2013

Match the Incident Management component with the associated activity Components: Response Preparation Prevention Detective Activities: - Containment - Training - Controls implementation - Monitoring

Response - Containment Preparation - Training Prevention - Controls implementation Detective - Monitoring

Business Continuity Governance

Responsibilities include: - Board of Directors (or equivalent) approval of Business Continuity policies - Board of Directors (or equivalent) oversight of BCP strategies, plans, and testing - Management oversight of BCP preparedness including external parties

Privacy Officer

Responsible for developing, implementing, and administering all aspects of an organization's privacy compliance program.

Codification

Roles and responsibilities should be documented in policies, job descriptions, or employee manuals and supported by agreements such as acceptable use agreements, nondisclosure agreements (NDA), or confidentiality agreements.

This malware family targets OS kernel, boot record, and firmware in order to gain privileged system access

Rootkit

These Layer 3 devices forward packets using IP addresses and protocols such as RIP, OSPF, and BGP

Routers

Routers

Routers are Layer 3 forwarding devices. - Routers forward packets using IP addresses and routing protocols - Access can be controlled via port or IP address ACLs - Routers can perform NAT functions - Routers support different WAN technologies. - Routers support various routing protocols such as RIP, OSPF, EIGRP, and BGP

SCAP Validation

SCAP validation program is implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP) - NISTIR 7511 Security Content Automation Protocol Validation program requirements - NIST validated SCAP products and modules (National Vulnerability Database)

SIEM Reporting

SIEM reporting generally includes: - Automated alerts based on preset triggers (immediate issues) - sent to a dashboard or via a communications channel - Graphic and text security, operational, and compliance reporting

Agreement that specifies the service commitment

SLA Service Level Agreement

An organization has determined that one hour of ecommerce is worth $10,000. If one server in the server farm failed, the ability to service customers would degrade 15%. Based on past experience, they anticipate a failure 3 times a year. Match the quantitative risk assessment components. Terms: SLE AV ARO ALE EF Definitions: -15% -3 -$1,500 -$4,500 -$10,000

SLE - $1,500 AV - $10,000 ARO - 3 ALE - $4,500 EF - 15%

SSAE 18 Report Versions

SOC 1 - Report of controls relevant to user entities' financial statements - Agreed upon scope SOC 2 - Based upon Trusted Services Principles (TSP) SOC 2, reports on controls intended to mitigate risk related to security, availability, processing integrity, confidentiality, and privacy - Organization chooses categories; not controls - Criteria provided by the AICPA SOC 3 - Same as SOC 2 but does not detail testing performed and is designed for public distribution

Appliance that is specifically designed to perform SSL/TLS encryption and decryption functions

SSL/TLS Accelerator

This configuration management variant focuses on the integration of security requirements

SecCM Security-focused Configuration Management

The Future of Secure DevOps

Secure DevOps is a game changer - Developers at the frontline of security - Automated, continuous, and integrated security testing - Resilient applications and infrastructure

This secure protocol is used to download (and delete) emails from a server to an email client

Secure POP3

Email Security -- Secure POP3

Secure POP3 - POP3 is used to receive email from an email server to a local email account. - Downloaded files are removed from the email server (default) - POP3 allows clear text authentication (port 110) - Use case: Secure POP3 is an extension of POP3 that supports SSL/TLS for secure login (port 995)

SSH / SFTP

Secure Shell (SSH) is a cross platform protocol that establishes a secure connection between an SSH server and an SSH client. - SSH is used to administer systems remotely, provide a command shell on a remote network, or tunnel other protocols (TCP port 22) - SSH is a secure replacement for cleartext telnet, rlogin, rsh, and rsync. - SFTP is an extension of SSH 2.0 to provide secure file transfer capabilities - Use case: Remote access and administration

NIST Security Education, Training, and Awareness (SETA)

Security -- Attribute, Level, Objective, Teaching Method, Test Measure, Impact Timeframe Education -- Why, Insight, Understanding, Discussion/Seminar/reading, Essay, Long-term Training -- How, Knowledge, Skill, Lecture/case study/hands-on, Problem solving, Intermediate Awareness -- What, Information, Awareness, Interactive/video/posters/games, True or False/multiple choice, Short-term

Written by the vendor to document product specification (used by the Common Criteria)

Security Target

This category of patch is designed to fix a security vulnerability

Security Update

Application Restrictions

Security policies can be used to control application access - An application 'whitelisting' policy allows only applications that are explicitly given permission to execute. All other applications are denied - An application 'blacklisting' policy allows all applications to execute with the exception of those that are explicitly denied

Scope

Selection of assessment objects is influenced by system criticality, information sensitivity, regulatory requirements, and contractual obligations. Relevant scoping elements include: - Size of the system being assessed - Complexity of the environment - Feasibility of sampling

Network Attached Storage (NAS)

Self-contained storage device that connects to the network via IP, supports direct access (mapping), and addresses files by file name

Semi-qualitative (Hybrid)

Semi-qualitative risk assessments assign a numeric weighted scale to the descriptive values (e.g. high=5, medium=3, low=1) and incorporate deterministic formulas

Information that is not classified but still needs distribution controls

Sensitive but Unclassified (SBU) Controlled Unclassified Information (CUI)

When a task is broken down into processes and the processes are assigned to different parties

Separation of duties (SoD)

Recovery Strategies

Should be based on the outcome of a business impact analysis. - The business impact analysis (BIA) identifies the impact of a disruption on 'essential' services, systems, and infrastructure - The outcome of a business impact analysis (BIA) is a prioritized matrix of services, systems, and infrastructure - Recovery strategies encompass facility, technology, data recovery, people, and processes

Online Storage

Should be secured in accordance with its classification and handling standards. The following should be considered: - Location (on-site/off-site) - Country (political and regulatory considerations) - Environmental controls - Physical security - Logical security - Sovereignty/ownership

Covert observation social engineering technique

Shoulder Surfing

Asymmetric encryption is best suited for this relative block size

Small

This type of access card includes integrated circuitry

Smart card

Traditional Backup Rotation Cycles

Son - One full backup cycle (generally daily) - The daily full backups are rotated on a daily basis Father-Son - Two full backup cycles (generally weekly and monthly) - The daily (incremental or differential) backups are rotated on a daily basis - The weekly backups are rotated on a weekly basis Grandfather-Father-Son - Three or more full backup cycles (generally weekly, monthly, and annually) - The daily (incremental or differential) backups are rotated on a daily basis - The weekly backups are rotated on a weekly basis - Monthly backups are rotated on a monthly basis

This is when a neutral, trusted 3rd party holds the source code

Source code escrow

Source Code Vulnerability

Source code vulnerabilities (code weakness) can affect functionality, performance, and security. - Examples of source code vulnerabilities include improper or weak input/output validation, memory vulnerabilities, time and communication issues, and developer access

Match the following items: Terms: Spoofing Poisoning Denial of Service Hijacking Definitions: -Impersonating an address, system, or person -Intercepting and manipulating communications -Overwhelming system resources -Manipulating a trusted source of data

Spoofing - Impersonating an address, system, or person Poisoning - Manipulating a trusted source of data Denial of Service - Overwhelming system resources Hijacking - Intercepting and manipulating communications

Types of Changes (ITIL terminology)

Standard - Changes that are anticipated in the normal course of business and have established policies and procedures (e.g. patch management) Normal - Changes that must go through the change process before being approved and implemented Emergency Changes - Emergency changes are ones for which the timing is critical and which are subject to the change management process post-implementation

Standards, Baselines, and Guidelines

Standards serve as specifications for the implementation of policy and dictate Mandatory requirements. Baselines are the aggregate of standards for a specific category or grouping such as a platform, device type, ownership or location. Guidelines help people understand and conform to a standard. Guidelines are customized to the intended audience and are not mandatory.

Cipher technique that uses XOR operation and works with one bit at a time

Stream

Access Control Models & Techniques

Subject based - Mandatory access control (MAC) - Discretionary access control (DAC) - Role-based access control (RBAC) - Attribute-based access control (ABAC) Objective based - Rule based access control - Content based access controls - Context based access control - Constrained interfaces

This cipher technique replaces one character or bit for another

Substitution

Cipher Techniques

Substitution Cipher - Replaces one character or bit for another character or bit. The key is the shift pattern. Transposition Cipher - Moves characters or bits to another place within the block. The key is the transposition code. Confusion - The process of changing the values. Complex substitution functions are used to create confusion. Diffusion - The process of changing the order. Sending bits through multiple rounds of transposition is used to create diffusion.

Change Management KPIs

Successful Changes - The number of changes that have been completed successfully compared to the total number of completed changes. The higher the percentage of successful changes, the better Backlog of Changes - The number of changes that are not yet completed. While this absolute number depends on the size of the organization, it should not grow over time Emergency Changes - The number of completed "emergency" changes. This absolute number depends on the size of the organization and should not increase over time.

ISO/27005

Supports the requirements of an ISO 27000 information security management system - Does not specify a specific methodology but does detail a structured sequence of iterative processes

Systems Security Engineering [NIST SP 800-160]

System Security Engineering -A specialty engineering discipline of systems engineering -Applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering and other contributing engineering specialties -Provides a fully integrated system-level perspective of system security Security and other Specialties -Performs and contributes to systems security engineering activities and tasks -Contributions are seamlessly integrated through the systems security engineering activities and tasks -Reflects the need and means to achieve a multidisciplinary, SE-oriented approach to engineering trustworthy secure systems

Roles and Responsibilities

System custodians are generally tasked with configuring activity and error reporting and responding to output. - Access to reports may be dependent upon system privileges Security analysts are responsible for analyzing security-related activity and error reporting. They generally are not responsible for authorizing or implementing change - Security analysts typically report to the C/ISO

Procurement Evaluation Criteria

System response time - Time that a system takes to respond to a user query System reaction time - Time it takes to log in to a system or application System throughput - Quality of useful work per unit of time (i.e. data transfer - Mbps) System workload - Ability to handle the anticipated volume of work System utilization - System availability vs system downtime Turnaround time - Time that a vendor takes to 'fix' a problem (post report) Research and Disclosure - Identification of vulnerabilities and public notification Vulnerability Management - Frequency of patch release and post-implementation support End of Life (EOL) - EOL cycle, notification and support **In addition to vendor due diligence, contractual terms and SLA evaluation

The product or system to be rated (used by the Common Criteria)

TOE Target of Evaluation

Hardware chip responsible for protecting keys, certificates, and hashes specific to the system hardware

TPM Trusted Platform Module

Anti-Remanence Techniques Recap

Technique / Description / Result Wiping - Overwrites all addressable storage and indexing location multiple times --Clearing Degaussing - Using an electromagnetic field to destroy all magnetically recorded data --Purging Shredding - Physically breaking media into pieces --Destruction Pulverizing - Reducing media to dust --Destruction Pulping - Chemically altering media --Destruction Burning - Incinerating media --Destruction

Remote Access Applications

Telnet Terminal Emulation Port 23. Telnet facilitates the connection to a remote system and the execution of commands. - Telnet provides basic authentication (user name and password) - Telnet communication is clear text Secure Shell (SSH) Terminal Emulation Port 22 - SSH facilitates the connection to a remote system and the execution of commands. - SSH creates a secure encrypted tunnel to the remote system Remote Desktop Software (RDP) Port 3389 - Software or OS feature that allows a desktop environment to be run remotely Virtual Private Network (VPN) Port depends upon protocol - VPN is a secure private connection between two endpoints - Host-to-Host, Host-to-Network, or Network-to-Network

Testing Objectives

Testing is used to identify vulnerabilities (weakness), substantiate strengths, and predict the likelihood of exploitation - Testing techniques may include vulnerability assessments, penetration testing, password cracking, and social engineering as well as incident response and disaster response/business continuity exercises. - Testing can be intrusive and can have an operational impact

Archiving

The 'process' of 'securely' storing 'unaltered data' for later potential retrieval. Data should be: -Retained in accordance with a documented schedule -Stored securely in accordance with its classification -Securely disposed of at the end of the retention period NOTE: Backup and replication is the process of making copies of data to ensure recoverability. They are 'distinct' processes

Access Triple

The Clark-Wilson model uses a three-part relationship (subject/program/object) known as 'access control triple' -Users cannot access and manipulate objects directly but must access information through a program

Software End of Life (EOL)

The EOL date is when software is no longer supported by the publisher including features, functionality, and security updates - Publishers generally post their EOL policies and provide ample notice - EOL is a particularly vulnerable time if organizations continue to use unprotected operating systems and applications

Kerberos Security

The Kerberos Server should be a hardened single purpose server The Kerberos Server is a single point of failure and should be implemented in high availability mode

PCI DSS

The PCI DSS framework includes stipulations regarding storage, transmission, and processing of payment card data. Six core principles require technical and operational security controls, testing requirements, and an attestation process.

Gramm-Leach-Bliley Act (GLBA)

The Safeguards Rule requires financial institutions to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Safeguards Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

Health Insurance Portability and Accountability Act (HIPAA) | Health Information Technology for Economic and Clinical Health (HITECH)

The Security Rule requires covered entities to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information in their care and shared with business partners.

US Security Regulations

The US does not currently have a national information security standard. There are: Government information security requirements Sector-specific information security regulations State information security laws State data breach notification laws

Audit Report Executive Briefing

The audit report is delivered to the highest level of management (board of directors, audit committee, executive management) as stated by the Audit Charter - If management requests the auditor's assistance in implementing recommendations, the auditor has a duty to carefully consider how such actions may adversely impact the auditor's independence

Crime Prevention through Environmental Design (CPTED)

The basic premise is that the proper design and effective use of the physical environment can lead to a reduction in the incidence and fear of crime

Normal / Forward Proxy

The clients (browsers) are configured to send requests to the proxy server. - The proxy server receives the request, fetches the content and stores a copy for future use. - The next time another client requests the same web page, the proxy server just replies to the request with the content in its cache, thus improving the overall request-reply speed

Trusted Computing Base

The combination of all the security mechanisms within a computer including hardware, software, and firmware

Motivation

The driving force behind any attack. Organizations should identify what information, service, or power an organization possesses that is of value to an adversary

Plans (Programs)

The function of the plan (also known as program) is to provide strategic and tactical instructions and guidance on how to execute an initiative or how to respond to a situation within a certain timeframe, usually with defined stages and within designated resources. A detailed proposal for doing or achieving something

FIPS 199 Security Categories

The generalized format for expressing the security category is: -Security Category of information type (SC) = {(confidentiality, impact), (integrity, impact), (availability, impact)} -Based upon the security category the information system is subject to a set of security requirements

Bell-LaPadula

The goal of Bell-LaPadula model is 'confidentiality'. -'Simple (read) confidentiality rule': A subject cannot read data at a higher security level (No Read Up) as secrets may be revealed to them -'Star [*] (write) confidentiality rule': A subject cannot write information to a lower security level (No Write Down) as secrets may be revealed to others.

Harrison-Ruzzo-Ullman Model (HRU)

The goal of Harrison-Ruzzo-Ullman Model (HRU) is integrity. -A finite set of operations can be performed on an object to ensure integrity -Enforced by access permissions

Encryption

The goal of encryption is confidentiality. Turn cleartext to ciphertext: Cleartext --> Cipher + Key --> Ciphertext. Turn ciphertext to cleartext: Ciphertext --> Cipher + Key --> Cleartext

Biba

The goal of the Biba model is 'integrity' -Simple (read) integrity rule: A subject cannot read data at a lower security level (No Read Down) as they might be misled. -Star [*] (write) integrity rule: A subject cannot write information to a higher security level (No Write Up) as they might mislead others

Clark-Wilson

The goal of the Clark-Wilson model is data integrity. -Prevent unauthorized users from making modifications -Prevent authorized users from making improper modifications -Maintain internal and external consistency NOTE: See Access Triple

Supply Chain Risk Management (SCRM)

The implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure continuity. Activities include: -Inclusion in the enterprise risk management program -Supply chain due diligence -Clear and consistent communication rebaseline requirements and expectations -Contingency plans -Ongoing monitoring

Risk Appetite

The level of risk that an entity will accept in pursuit of its mission and objectives. Risk appetite can vary by category of risk

Lightweight Cryptography

The majority of modern cryptographic algorithms were designed for desktop/server environments. Many of these algorithms cannot be implemented in resource constrained devices (e.g. automotive systems, Internet of Things [IoT], smart grid). *Embedded systems -Emerging lightweight cryptographic algorithms are being developed to support low power devices as well as low latency and high resiliency requirements

Risk

The measurement of likelihood and impact of a threat event. Risk is inherently neither good nor bad. Risk taking can be beneficial and it's often necessary for advancement. Risk taking can be detrimental and result in undesirable consequences

Secure Staging

The process of planning, scheduling and controlling the movement of developed or acquired code. - The primary goal is to protect the integrity of the "live" production environment and ensure that security baselines are met. - Environment, in the context of secure staging, refers to the host device (physical or virtual) including connectivity

Asset Classification

The purpose is to ensure that assets are properly identified and 'protected' throughout their lifecycles. Asset classification informs handling instructions, control decisions, audit scope, and regulatory compliance activities. -Information assets are generally classified by 'content' -Infrastructure and physical assets are generally classified by 'operational criticality'.

STAGE (aka Pre-PROD)

The staging environment (STAGE) is used to ensure that the application behaves as expected and confirms that it does not adversely impact existing applications - The staging environment should mirror the production environment - No actual code development should ever take place on a staging server (no developer permissions). - Security testing should always take place at this stage - Rollback procedures should be tested - Management approval (sign-off) should be given before an application moves into production

Attacker-centric

The threat models start with identifying an attacker and then evaluate the attacker's goals and potential techniques

Software Development Project Models

There are multiple models that can be used for software development - Models can be sequential, iterative, incremental, or a hybrid - A project plan may call for development of a prototype sample of the code for proof of concept purposes - Applications that are subject to a strict certification may need to include a 'cleanroom' approach, which is a structured and formal method of development and statistical quality control with the goal of eliminating defects prior to release

Information Security Policies

These codify the high-level requirements for protecting information and information assets and ensuring confidentiality, integrity, and availability. Written information security policies may be a regulatory or contractual compliance requirement. Each aspect of the information security program should have corresponding policy documents. Policies must be approved by executive management

Body that makes the final decision regarding (ISC)2 Code of Ethics complaints

(ISC)2 Board of Directors

What would be the best order to collect the following evidence types? Static data Dynamic data Dump files Log files

1: Dynamic data 2: Dump files 3: Log files 4: Static data

Which of the following Common Criteria components is written by the product vendor? 1: Security target 2: Assurance matrix 3: Protection profile 4: Target of evaluation

1: Security target

These asset inventory applications are used to discover and document devices and characteristics such as services, users, and groups. 1: Audit tools 2: Enumeration tools 3: Configuration tools 4: Mapping tools

2: Enumeration tools

This emerging connection method is primarily used in commerce. 1: ANT 2: RFID 3: NFC 4: Bluetooth

3: NFC

Content Distribution Network (CDN)

A large distributed system of servers, Internet service providers, and network operations. - The goal of a CDN is to serve content to end users with high availability and high performance

Indicator of Attack (IOA)

A proactive early warning sign that an attack may be imminent or already underway.

Access Management

Access management controls are security mechanisms that control how subjects and objects communicate and interact with each other and the flow of information. - A 'subject' is an 'active entity' that requests access to an object or to the data within an object - An 'object' is an entity being accessed or the item being acted upon.

Accountability

Accountability is the process of tracing actions to the source.

The process of an authority granting approval to operate a product, system, or process

Accreditation

An attack that uses a voltage glitch to cause a program to malfunction

Active Side Channel

Control Implementations

Administrative (Managerial) Physical Technical (Logical)

Audit opinion rendered when the target is not in conformance or when the evidence is misleading or misstated

Adverse opinion

A switch that provides connectivity for other switches

Aggregation switch

Compensating

Alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment or financial constraints

Audit Examination Opinions

An audit examination report can provide three types of opinions: unqualified, qualified, and adverse. - Unqualified opinion is rendered when the auditor does not have any significant reservations - Qualified opinion is rendered when there are minor deviations or scope limitations - Adverse opinion is rendered when the target is not in conformance with the control objectives or when the evidence is misleading or misstated.

Risk Management Framework

An information security risk management framework should complement the organization's risk management framework and be in conformance with regulatory requirements.

This replication process considers "write" complete as soon as the local storage commits

Asynchronous replication

Organization that is leading the international fight against software IP theft

BSA

Model that states no simple down, no * up

Biba

US regulation that governs online collection and use of data for minors under 13

Children's Online Privacy Protection Act (COPPA)

CPU Protection Rings

Conceptual boundaries that control how processes are executed. A 'process' is a set of instructions and assigned resources. -Each process has a PID (process ID) and a level of trust (ring number) assigned to it. -The level of trust determines the level of access to system resources, drivers, and data

This type of assessment is known to a limited subset of personnel

Covert

Board of Directors | Equivalent

Decision-making body such as owners, managing partners, or applicable government officials. Responsibilities include: Oversight and authorization Fiduciary, legal, and regulatory responsibilities Standards of due care and due diligence

The term applied to a key or algorithm known to be "weak"

Deprecated

Dual Control & Separation of Duties

Dual control is the practice of having more than one subject or key required to complete a specific task (requestor and approver). Separation of duties is the breaking down of a task into processes that are assigned to different subjects so that no one subject is in complete control

Legal term applied to the standard of care exercised by a prudent person

Due Care

The term used to describe the investigation of a business or person generally before entering into a contract.

Due Diligence

This phase of incident response focuses on eliminating the threat

Eradication

In a BIA context, this means the absence of the service would cause irreparable harm

Essential

This occurs when a threat agent successfully takes advantage of a vulnerability

Exploit

This backup rotation has two full backup cycles

Father-son

Architecture that uses collaborative edge computing devices for local resource pooling

Fog computing

Directors & Executive Management

From a legal, regulatory, and fiduciary perspective, they are ultimately responsible for the actions (or inactions) of the organization.

EU Data Protection Regulation that also addresses the export of personal data outside of the EU

General Data Protection Regulation (GDPR)

Rights

Generally refer to the ability of a subject to take an action; for example, the right to log on remotely, install software, and create user accounts - Rights can be assigned to user accounts, group accounts, or resources

Device Tracking

Geolocation Geofencing

Application Layer Protocols (Not Inclusive)

HTTP - Formatting and transmitting FTP - File transfer SMTP - Email transmission DNS - Host/domain to IP translation RIP - Routing protocol SNMP - Remote host management

This port 443 protocol is used to encrypt data communications between a browser and a website

HTTPS

Cyber Threat Actors

Hacker / Script Kiddies Organized Crime Hacktivist Nation-states Insiders Competitors

Fingerprint for Authenticity & Integrity

Hash of the original media Hash of the examined media Hash of the cloned media

Intercepting communications between two or more systems

Hijacking

This cloud deployment model facilitates portability of data and applications between public and private cloud infrastructures

Hybrid Cloud

IP Convergence

IP Convergence is the use of the Internet Protocol (IP) for transmitting different types of traffic (e.g. voice, data, music, video, TV, teleconferencing) over a single network - Introduces standardization - Reduce the number of service providers - Introduces single point of failure (SPOF) - Introduces consolidated attack vectors

Full suite of VoIP-enabled services previously provided by a PBX

IP Telephony

Information Systems Assets

Information and information system assets should be assigned to an 'owner' (steward) and a 'custodian'.

Principle that focuses on protection from unintentional, accidental, or inadvertent change

Integrity

A framework can also be the basis of a common evaluation by:

Internal stakeholders External auditors Third parties

Global Approach to Privacy

Internationally, the OECD Privacy Principles (www.oecd.org) is the most commonly used framework. Principles include collection limitation, data quality, purpose specification, use limitation, security safeguard, openness, individual participation, and accountability. Canadian - Personal Information Protection and Electronic Documents Act (PIPEDA) Mexican - The Protection of Personal Data Held by Private Companies European Union Data Protection Directive (EU DPD) / General Data Protection Regulations (GDPR)

Inherent Risk

Level of risk before treatment

Business Impact Metrics

Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO) Recovery Time Objective (RTO) Recovery Point Objective (RPO)

Risk Management

Mitigate risk to an acceptable level.

Complementary Organizational Roles

Privacy Officer Compliance Officer Physical Security Officer Internal Audit

Used by organizations to identify PI and determine how to treat the data

Privacy Threshold Assessment

Accounts that have the most powerful rights

Privileged

A device that does not comply with NAC policies is placed in this zone

Quarantine

This entity offloads some of the work from the CA

RA Registration Authority

Testing that should be done after an update is implemented

Regression testing

Hypervisor

Software or firmware components that can virtualize system resources. - Type 1 (bare metal/native) hypervisors run directly on the system hardware - Direct access to hardware. No operating system to load as the hypervisor is the operating system (e.g. VMware vCenter) - Type 2 (hosted) hypervisors run on a host operating system that provides virtualization services - Type 1 is faster and more efficient but with greater hardware requirements and expense

Symmetric Encryption

Symmetric means the 'same' key is used to encrypt and decrypt - Symmetric key may also be referred to as 'single' key, 'shared' key, or 'session' key. The key dictates what parts of the algorithm will be used, in what order, and with what values.

This software controlled failover requires two primary systems. Each machine monitors the other (heartbeat) and takes over when a failure occurs

Symmetric High Availability

Use Case

Symmetric and Asymmetric ciphers work in tandem. - Symmetric encryption best suited for encrypting 'large data' blocks - Asymmetric encryption is best suited for encrypting 'small data sets' and is generally used for key exchange and digital signatures

Object-based Access Controls

Technique - Description - Enforcement Rule-based - Access based on situational if-then statements - Global policy, Rules Content Dependent - Filter based on the data being acted upon - Keywords, Categories Context Dependent - Access based on collection or sequence of actions - Rules, Security Policy Constrained Interface - Menus and shells - Database views - Access restricted by functionality - Design, configuration

VPN Tunneling

VPNs isolate the network frames from the surrounding network using a process known as 'encapsulation' or 'tunneling' - Full tunneling requires all traffic to be routed over the VPN - Split tunneling allows the routing of some traffic over the VPN while letting other traffic directly access the Internet

This process is used to track and document baseline configurations over time

Version control

Engineering for Success [NIST SP 800-160]

"Don't focus on what is 'likely' to happen--but instead, focus on what 'can' happen and be prepared. -This means proactively planning and designing to prevent the loss of an asset that you are not willing to accept; to be in a position to minimize the consequences should such a loss occur; and to be in an informed position to reactively recover from the loss when it does happen."

Code - Browser Specific Attacks to Know

'Cross-Site Scripting' --Injection of malicious code that executes in a browser - Resulting in session hijacking, redirection, or bypassing access controls 'Cross-site Request Forgery' --Exploiting the trust relationship between a website and a browser - Resulting in unauthorized access and theft and/or credential modification

Grid Computing

'Grid computing' is a sharing of CPU and other resources across a network (often the Internet - e.g. seti@home project) in a way that all machines function as one large computer. Grid participants can be heterogeneous and multitasking Security considerations: -Transmission between nodes -Authentication controls -Activity isolation

Spoofing Attacks to Know

'IP Address Spoofing' - Using a trusted IP address for authentication - Using a trusted IP address to receive a response - Using a fake IP address to disguise the sender - Using an appropriated IP address to redirect an attack 'MAC (Media Access Control) Address Spoofing' - Using a trusted MAC address for access - Using a trusted MAC address to circumvent licensing - Using a fake MAC address to mask the identity of a device

Detective

'Identify' and 'report' a threat agent, action, or incident

Code Attacks to Know

'Injection' --Tricking an application into including unintended commands - Executing unauthorized commands or obtaining access 'Buffer Overflow' --Writing excess data into system memory that overruns the buffer's boundary and overwrites adjacent memory locations - Executing authorized commands 'Refactoring' --Restructuring code without changing external behavior - Manipulating code with malicious intent

Large-scale Parallel Systems

'Large-scale parallel systems' are disparate systems working in concert. Examples include cluster computing, grid computing, and cloud computing. Security considerations: -Distributed ownership and management -Dependencies (SPOF) -Force multiplier effect (dramatic increase in efficiency and/or capability) -Big data aggregation

Relationship (higher level) models

'Relationship' security models address the interaction between subjects and objects -'Subjects' are active entities, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state -'Objects' are passive entities that contain or receive information or instructions

ICS/SCADA Threats and Vulnerabilities

'SCADA' usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (e.g. electrical grid, oil and gas pipelines) Security considerations: -Weak authentication -Use of outdated OS -Inability to patch systems -Unauthorized remote access

Preventative

'Stops' a threat agent from being successful

Notable US State Legislation

(2003) SB 1386 the California Security Breach Information Act (2010) 201 CMR 17 Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts Data protection requirements including encryption www.ncsl.org End of life destruction/disposal requirements www.ncsl.org Data breach disclosure and notification requirements www.ncsl.org

Body that investigates and opines on (ISC)2 Code of Ethics complaints

(ISC)2 Ethics Committee

Block Cipher Modes

**Electronic Codebook (ECB) - Each block is independent (doesn't hide patterns--not suitable for long messages). **Cipher Block Chaining (CBC) - Includes an initialization vector (IV) and a component of the previous ciphertext to leverage randomization. Counter (CTR) Mode - Does not have any dependencies. Converts block cipher to a stream cipher using XOR functions Galois/Counter Mode (GCM) - An efficient mode of operation for symmetric key cryptographic 128-bit blocks. GCM can take advantage of parallel processing **Most likely a question on test for ECB and CBC

Quantitative Risk Assessment Elements

- Asset value (AV) expressed in $ - Exposure factor (EF) expressed as a % - Single loss expectancy (SLE) expressed in $ - Annualized rate of occurrence (ARO) expressed in # - Annualized loss expectancy (ALE) expressed in $ - Cost/benefit analysis (CBA) expressed in $

Alternate Site Contract Considerations

- Availability - Access - Priority - Usage - Equipment - Warranties - Audit - Testing - Security

Mobile Workplace Challenge

-The lack of traditional technical security - The lack of traditional physical security protections -Need for local storage -The mixing of personal and business use -The opportunity for mobile devices to be malicious code carriers

A Business Impact Analysis (BIA) is used by management to:

-Understand organizational continuity requirements -Make investment decisions -Guide the development of incident response, disaster recovery, and business contingency (continuity) plans

This fence is designed to deter casual intruders 1: 3-4 feet tall 2: 6-7 feet tall 3: Berm 4: Razor wire

1: 3-4 feet tall

Arrange the levels of a capabilities maturity model Quantitatively managed Defined Optimized Managed Ad hoc

1: Ad hoc 2: Managed 3: Defined 4: Quantitatively managed 5: Optimized

Which key should Bob use to send Alice a confidential encrypted message? 1: Alice's public key 2: Bob's private key 3: Bob's public key 4: Alice's private key

1: Alice's public key

Which of the following statements best describe the relationship between change management and configuration management? 1: Change management is a subset of configuration management 2: Change management and configuration management are unrelated 3: IT is responsible for configuration management and Audit is responsible for change management 4: Both change management and configuration management rely on documented baselines

1: Change management is a subset of configuration management

WSG Workflow

1: Client is configured to use WSG as proxy server 2: Client URL request is filtered through the WSG 3: The WSG analyzes the destination website files, content, and requests 4: Decision to connect or block

This software or appliance is tasked with enforcing security policies "in the cloud" 1: Cloud access security brokers 2: Proxy servers 3: Managed service providers 4: DLP

1: Cloud access security brokers

Test and Operational Data Flow

1: Collect Output 2: Analyze Data 3: Produce Actionable Intelligence 3 Types of actionable intelligence: Operational Metrics - Operational metrics drive vulnerability, threat, and risk management operational and control decisions Key Performance Indicators - Inform management Business Intelligence - Supports alignment and long-term planning

"Read our hundreds of great reviews" is an example of this social engineering principle. 1: Consensus 2: Familiarity 3: Trust 4: Authority

1: Consensus

Which of the following is not an evidence collection imperative? 1: Creating a media clone 2: Maintaining an evidentiary chain 3: Acting in order of volatility 4: Avoiding contamination

1: Creating a media clone

Match the roles with the descriptions Roles: 1: Custodian 2: Internal Audit 3: Owner 4: Information Security Officer 5: Physical Security Officer 6: Compliance Officer Descriptions: 1: Responsible for a subset of information 2: Management and monitoring of protection mechanisms 3: Identifying building and facility risks and mitigation 4: Assessment of controls commensurate with policy 5: Ensuring conformity with laws and regulations 6: Managing the information security program

1: Custodian - Management and monitoring of protection mechanisms 2: Internal Audit - Assessment of controls commensurate with policy 3: Owner - Responsible for a subset of information 4: Information Security Officer - Managing the information security program 5: Physical Security Officer - Identifying building and facility risks and mitigation 6: Compliance Officer - Ensuring conformity with laws and regulations

Which of the following processes prevents injection attacks? 1: Input and output validation 2: Sanitization 3: Rejection of user-supplied input 4: Encrypted session controls

1: Input and output validation

Threat Intelligence Program Workflow

1: Planning 2: Collection 3: Distribution 4: Analysis 5: Action

The Board of Directors votes affirmatively to allow the organization to operate an e-commerce site for the next twelve months. Which term below best describes this vote? 1: Acceptance 2: Affirmation 3: Accreditation 4: Authority

3: Accreditation

This group is responsible for determining maximum tolerable downtime (MTD). 1: Board of directors 2: IT department 3: Business unit 4: Information security department

3: Business unit

_________ best describes the use of the IP protocol to transmit a variety of formats including voice, data, multimedia, television, and music 1: Open standard 2: Unified communications 3: Convergence 4: Extensibility

3: Convergence

The term applied to a weak crypto component. 1: Broken 2: Downgraded 3: Deprecated 4: Exploitable

3: Deprecated

Which statement below best describes control effectiveness? 1: Effectiveness is how often a control is used 2: Effectiveness is what control does 3: Effectiveness is how well a control works 4: Effectiveness is how much value a control adds

3: Effectiveness is how well a control works

Reporting and ongoing security monitoring are emphasized in this regulation that specifically applies to federal agencies 1: GLBA 2: HIPAA 3: FISMA 4: FERPA

3: FISMA

This type of procedure is generally used if decision making is required. 1: Simple step 2: Graphic 3: Flow chart 4: Hierarchal

3: Flow chart

One of the mitigation strategies for this vulnerability is input and output validation 1: Broken authentication 2: Weak cryptographic controls 3: Injection 4: XSS

3: Injection

Which one of the following actions has the highest priority? 1: Destruction policy 2: Owner control 3: Legal hold 4: Retention schedule

3: Legal hold

This is the first canon of the (ISC)2 Code of Ethics. 1: Advance and protect the profession 2: Provide diligent and competent service to principals 3: Protect society, the common good, necessary public trust and confidence, and the infrastructure 4: Act honorably, honestly, justly, responsibly, and legally

3: Protect society, the common good, necessary public trust and confidence, and the infrastructure

The objective of this type of disaster recovery exercise is accuracy and familiarity with plans and procedures 1: Parallel 2: Full-scale 3: Read-through 4: Walk-through

3: Read-through

A DLP solution is configured to quarantine any email that contains credit card numbers and notify the sender that the email has stopped. What control classification and implementation best apply to this scenario? 1: Technical control implementation, compensating control classification 2: Administrative control implementation, detective and deterrent control classification 3: Technical control implementation, detective and preventative control classification 4: Administrative control implementation, detective and corrective control classification

3: Technical control implementation, detective and preventative control classification

Which statement best describes the concept of privacy 1: The right of an individual to know how personal information is secured 2: The right of an individual to be compensated for use of personal information 3: The right of an individual to control the use of their personal information 4: The right of an individual to correct or delete their personal information

3: The right of an individual to control the use of their personal information

Symmetric algorithm that uses a 64 bit key and puts the block through 48 rounds of substitution and transposition

3DES

This family of malware can self-replicate and takes advantage of network transport to spread 1: Virus 2: Spyware 3: Trojan 4: Worm

4: Worm

-Data Encryption Standard (DES)

64-bit key size / 16 rounds of substitution and transposition -1977 established a US Government standard -1998 demonstrated that it could be "broken" in less than 56 hours

Arrange the policy lifecycle in the correct order. 1: Approve 2: Adopt 3: Reauthorize 4: Write 5: Publish 6: Plan

6: Plan 4: Write 1: Approve 5: Publish 2: Adopt 3: Reauthorize

Privacy Threshold Assessment (PTA)

To identify PII that has been acquired by the organization and to determine how to appropriately treat the data. PTAs generally include the following information: -Description of the system -What PII, if any, is collected or used -From whom is the PII collected and why -Archiving requirements -Protection requirements (regulatory, contractual, and ethical) NOTE: PTAs are used extensively by the US Federal Government

Enterprise Security Technologies

Tools - Purpose - Output Application whitelisting - Explicitly specifies allowed applications - Application access (allowed and denied) Removable Media Control (RMC) - Controls access to and use of removable media (USB, CD/DVD) - Media access (allowed and denied) Advanced Malware Tools - Identify malicious code that could evade or subvert anti-virus software - Suspicious or malicious files. Suspicious or malicious endpoint activity. Suspicious or malicious traffic Patch Management Tools - Inventories patches, identifies missing patches, manages deployment - Patch inventory, missing patches, patch deployment schedule, patching errors

This US National Security classification is applied when disclosure is expected to cause exceptionally grave danger to national security

Top Secret

National Security Definitions

Top Secret (TS) - Expected to cause 'exceptionally grave' danger to national security. Secret (S) - Expected to cause 'serious damage' to national security Confidential - Expected to cause damage to national security Unclassified - No threat to national interest

Log Analysis Tools

Trend/Variance Detection Decision Engine - Identifies anomalies in system or user behavior Signature Detection Decision Engine - Identifies "known" event or sequence of events Security Information and Event Management (SIEM) - Automation tool - SIEM solutions offer real time data capture (continuous monitoring), event correlation analysis, and reporting - SIEM products can analyze data from many sources, identify significant events, report outcomes, and send alerts - SIEM products can integrate with threat intelligence feeds - SIEM products can also include security knowledge bases, incident tracking, and reporting capabilities

Number of algorithms needed to produce a digital signature

Two *Hashing algorithm *Digital signature algorithm

Metadata

Type - Description - Examples File System Metadata - Created by the operating system and includes file attributes and security permissions - File size, location, creation date, date of last access, date of last write, and whether a file is hidden, compressed, or archived Application Metadata - Created by the specific application and includes user and file activity information - Title, author, subject, keywords, creation and modification dates, time in use, and revision history Pseudo Metadata - Created by the user and is hidden or embedded in the document - Comments, track changes, formulas, speaker's notes, embedded graphics, and audio or video files

Smart Cards Types and Features

Type - Security features - Specific Use Smart Card - Embedded chip and one or more certificates - N/A Common Access Card (CAC) - Smart card that includes a picture of the user. Used for both visual identification and computer access. - DoD Personal Identity Verification (PIV) - Smart card that includes a picture of the user. Used for both visual identification and computer access. - Federal Agencies Contactless Card - Contactless smart card that can be read without inserting into a reader device (read range 1-3') - N/A Proximity Card - Contactless smart card that can be read without inserting into a reader device (Read range up to 15") - N/A

Point-in-time SSAE18 audit type

Type 1

This type of hypervisor has direct access to hardware

Type 1

Match the SSAE related term with the correct description Terms Type 1 Type 2 SOC3 SOC2 SOC1 Descriptions - Based on Trusted Service Principles - Measures effectiveness for a specific period - Designed for public distribution - Point in time report - Relevant to user entities financial statements

Type 1 - Point in time report Type 2 - Measures effectiveness for a specific period SOC3 - Designed for public distribution SOC2 - Based on Trust Service Principles SOC1 - Relevant to user entities financial statements

SSAE 18 Types

Type 1 - Reports on controls placed in operation as of a point in time. Evaluation of design and implementation; not operating effectiveness Type 2 - Reports on the design, implementation and operating effectiveness over a period of time (generally six or twelve months) - Includes test of operating effectiveness results - Emphasis on evidential matter The cover of the report will either show an "as of" date or a period of time - e.g. September 1, 2018 - August 1, 2018

Sensitive but Unclassified (SBU)

US federal agencies use the Sensitive but Unclassified (SBU) designation when information is not classified but still needs to be protected and requires strict controls over its distribution. There are over 100 different labels for SBU including: -For official use only -Limited official use -Sensitive security information -Critical infrastructure information Executive order 13556 created a standard designation Controlled Unclassified Information (CUI). Implementation is in progress.

A border security device that performs multiple security functions including firewall, IDS/IPS, and filtering

UTM

Electronic Communications Privacy Act

Unauthorized access or damage to electronic messages in storage.

Computer Fraud and Abuse Act

Unauthorized access to federal government, financial institution system, or any system used for interstate or foreign commerce.

Something that must occur before the next task can successfully execute

Upstream dependency

Example of this SE principle "Act before it is too late"

Urgency

Threat Modeling

Use threat modeling to anticipate the threats to which the software will be subjected. Threat modeling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in design, code, and test cases

x.509 v3 Digital Certificate Fields

Version - Version # of the certificate Serial Number - Unique identifier Signature - Algorithm used to sign the certificate Issuer - Name of issuer Validity - Valid date of certificate Subject Name * - Name of owner Public Key - Public key of named owner Issuer Unique ID - ID of the Certificate Authority Subject Unique ID - ID of subject **Some certificates will include a Subject Alternate Name (SAN) that allows the owner to specify additional host names (sites, IP addresses, common names)

Term applied to an environment when the number of virtual machines are out of control

Virtualization Sprawl

VM Sprawl and Avoidance

Virtualization sprawl occurs when the number of virtual machines is out of control -- potentially unmanaged, unnecessary, and not in compliance with licensing agreements. - Virtual machines should be treated the same as physical computers and subject to asset management, capacity, and configuration management

OWASP 2017 #1 Injection

Vulnerability = Injection Description - Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL) Flaw - Improper input/output validation Impact - Can result in unauthorized access, data exfiltration, and data corruption Mitigation - Use of "safe" API. Positive "whitelist" input and output validation

Cookie Law (EU)

Web cookies inform and consent requirements ec.europa.eu

Web Vulnerabilities

Web systems are particularly vulnerable due to their level of exposure, accessibility, and rapid rate of change. -Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code -System owners, developers, and system administrators need to work together to ensure that the entire stack is configured properly. -Resource OWASP Top 10 owasp.org

High profile phishing target

Whale

Within Site

Within site includes: - The area within the perimeter up to the boundary of the asset or building

Digital certificate standard

X.509

This vulnerability allows an attacker to inject malicious code that runs in the victim's browser

XSS

Traditional Computing Environment

"Traditional" computing environments encompass a variety of architecture and processing models including: -Centralized -Client/Server -Distributed -Large Scale -Grid -ICS/SCADA

Poisoning Attacks to Know

'ARP Cache Poisoning' --MAC-to-IP address resolution - Using a poisoned ARP cache to redirect traffic to a malicious host - Using a poisoned ARP cache to stop traffic 'DNS Cache Poisoning' --Domain/host name-to-IP address resolution - Diverting website traffic to a malicious site - Diverting website traffic to a non-existent site

Deterrent

'Discourage' a threat agent from acting

Data abstraction, data hiding, and steganography can all be classified as this type of data protection control 1: Access management 2: Obfuscation 3: State 4: Cryptographic

2: Obfuscation

Baseline Configuration (BC)

A set of specifications for a 'configuration item (CI)', that has been reviewed and agreed on (authorized), and which can be changed only through change control procedures

Mathematically complex modern cipher

Algorithm

Hybrid Solution

Alice wants to send Bob an encrypted message. Use a symmetric cipher and a session key to encrypt the message. Use an asymmetric cipher and Bob's public key to encrypt the session key. Both encrypted messages are sent at the same time. Bob's private key decrypts the session key which is then used to decrypt the encrypted message from Alice

Strategic Alignment

Aligning departmental strategies with business strategy to support organizational goals.

Privileged Escalation

Attacker focuses on obtaining elevated access to resources that are normally protected from an application or user

Opportunistic Attack

Attacker takes advantage of a vulnerable target (not previously known to them)

Amplification

Attacker uses an amplification factor to multiply its power

Threat Categorization Models

Attacker-centric Architecture-centric Asset-centric

Examples of this inventory attribute include local, server, and cloud

Location

The process of keeping logs that normally would be discarded because they contain records of activity of particular interest

Log preservation

Another name for a technical control

Logical

Logistics

Logistical considerations include location, timing, and notification Location - Access to the target (physical and logical) - Account creation (physical and logical) Timing - Business vs nonbusiness hours - Production vs maintenance window Notification - Internal, third party, customer

Geolocation

Process of determining an object's position based on its latitude and longitude (GPS, cell triangulation, WiFi proximity, IP address) - Active device/user tracking - Locate a lost device - Multifactor authentication

The process of finding, acquiring, and buying goods and services

Procurement

Hashing

Produces a visual representation of a data set Variable Length Input --> Hash function --> Unique One-way Fixed Length Output (Fingerprint) *The original message remains intact

How non-statistical sampling selection is determined

Professional judgement

Employee Awareness Programs

Programs should include: -Onboarding (initial and at 3 months) which includes policies, best practices, social engineering, duress, and reporting suspicious activity. -Annual compliance and "hot topic" training (instructor-led, recorded, online) -Videos, demonstrations, examples, and interactive quizzes are very effective -On-going awareness program which includes posters, games, contests, prizes and surveys -As needed, situational awareness communications

Code of Ethics Canons

Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.

Contract with a 3rd party that specifies the level of performance that is expected

SLA Service Level Agreement

AV * EF = ?

SLE Single Loss Expectancy

NIST Special Publication Series #

SP-800

This secure protocol is used to minimize the impact of packet loss

SRTP Secure real-time Transport Protocol

Controls report standard designed by the AICPA

SSAE 18

Audit assessment standard commonly used by technology oriented service organizations

SSAE18 SOC2

Cross platform secure replacement for cleartext telnet, rlogin, rsh, and rsync

SSH

Remote access application that creates a secure encrypted terminal emulation session

SSH

Protocol developed in 1995 to establish a secure TCP communications - now considered deprecated

SSL

VPN protocol that uses a client side browser

SSL (TLS)

This environment should mirror the production environment

STAGE

This log analysis tool identifies "known" events

Signature Detection

Card with integrated circuitry used in conjunction with a card reader

Smartcard

A class of techniques used to manipulate people by deception

Social Engineering

Software Security

Software (application security) is based on the CIA objectives - Confidentiality of the information stored, processed, and transmitted - Integrity of the data and the system - Availability of the application to authorized subjects and objects

Software Encryption

Software encryption generally relies on symmetric block ciphers. - Software encryption can be applied at different layers in the storage stack including disk, partition, operating system, application, database, folder, and file level.

Potentially intrusive activity used to identify vulnerabilities (weakness), substantiate strengths, and predict the likelihood of exploitation

Testing

This intellectual property mechanism is designed to protect a brand or product representation

Trademark

Cost vs Complexity vs Availability

Traditional Recovery - Tape backup - Low complexity - Low cost - Recovery measured in hours to days Enhanced Recovery - Automated Solutions - Medium complexity - Low cost - Recovery measured in hours to days - More recoverable data Rapid Recovery - Asynchronous replication - High complexity - Moderate cost - Recovery measured in hours Continuous Availability - Synchronous replication - High complexity - High cost - Recovery measured in seconds

Attribute = how Objective = skill

Training

Assigning risk to other parties

Transference

Risk Assessment

Used to identify the level of risk. Risk is assessed by evaluating the combination of the 'likelihood of occurrence', and the 'impact' if the circumstance or event occurs. The target of a risk assessment can be internal systems/process or external supply chain relationships (e.g. vendors, business partners)

Group responsible for interacting with information systems in accordance with organizational policies and standards

Users

This function explicitly enforces the convenience principle of allow all and restrict only what is harmful

Blacklist

Type of sampling that includes all items in a certain time period or sequence

Block sampling

The Bluetooth attack exploits a protocol weakness to take over a device

Blueborne

Requiring more than one subject or key to complete a task

Dual control

Requiring more than one subject to complete a specific task

Dual control

Policy Attributes

Endorsed Relevant Realistic Attainable Adaptable Enforceable Inclusive

Endpoint IDS/IPS

Endpoint IDS/IPS (known as HIDS - host IDS) monitors and analyzes local behavior as well as network connectivity and can (if IPS functionality is available) be configured to take a corresponding action

Colorless, odorless gaseous halocarbon fire suppression with no residue. Safe for human beings

FM-200

Regulation that requires safeguarding electronic health information

Health Insurance Portability and Accountability Act (HIPAA)

This detection approach continually trains itself on behavior and accumulates learned knowledge

Heuristic

Cloud based service related to creating and managing accounts

IDaaS Identity-as-a-Service

Demonstrated reason for access

Need to know

Who should be allowed to alter log files

No one

The term applied to the use of IP for transmitting different types of traffic over a single network

IP convergence

This multidisciplinary management technique was pioneered by the DoD

IPPD Integrated Product and Process Development

This device can monitor, report on, and respond to intrusions

IPS

De facto standard protocol for VPN connections

IPsec

IPsec Modes

IPsec can be implemented in two modes: - Transport mode is used for end-to-end protection between client and server. - The IP payload is encrypted - Transport is the default mode of IPsec - Tunnel mode is used between server-server, server-gateway, or gateway-gateway (two direct endpoints) - The entire packet is encrypted

In this cloud service model, the customer is provided with "bare metal" resources

IaaS Infrastructure-as-a-Service

User Name

Identification is generally expressed as a user name - User names should conform to an adopted naming convention - User names should be unique for accountability - User names should be nondescriptive

This type of test evaluates performance in normal and peak conditions

Load

Distribution of workloads across multiple computing resources

Load balancing

Load Balancer

Load balancing improves the distribution of workloads across multiple computing resources and prevents resource overload (resulting in a denial of service) - One of the most commonly used applications of load balancing is to provide a single internet service from multiple servers, sometimes known as a server farm

Load Balancer Scheduling

Load balancing scheduling techniques include affinity, round-robin DNS, and persistence. - Affinity is the process of associating a user's IP address with a single server. - Persistence is the process of associating application layer information with a single server - Round-robin DNS associates multiple IP addresses with a single domain name. Clients are given IP addresses in a round-robin fashion

Denial of Service (DoS)

Overwhelming system resources. Enables an attacker to make services unavailable for their intended use

Role responsible for decisions related to classification

Owner

Their responsibilities include assigning an asset value, classifying the asset, and authorizing access permissions

Owner (Steward)

Members of management responsible for protecting a subset of information and/or systems

Owners

Examples include Social Security number and biometric data

PI, PII, or NPII Personal Information Personally Identifiable Information Non-public Personal Information

In this cloud service model, the computing resources and the underlying operating system are provided

PaaS Platform-as-a-Service

The term used to describe the social engineering technique of entering a building close behind or with authorized personnel

Piggybacking / Tailgating

When an unauthorized person enters a checkpoint close behind or in concert with authorized personnel

Piggybacking/Tailgating

Term used to describe the use of unlicensed software

Piracy

The unauthorized copying or distribution of software

Piracy

First step in a threat intelligence program workflow

Planning

High-level governance documents

Policies

High-level statement intended to communicate rules and expectations and to provide direction

Policy

The outcome when operational synergies and efficiencies are achieved

Process Integration

Data Mining

Process of analyzing data with tools that look for trends, correlations, or anomalies resulting in metadata.

This type of media storage should be physically separated from other hardware and access to switches restricted 1: SAN 2: Mobile 3: Removable 4: DAS

1: SAN

Group responsible for approval of BCP policies and oversight or strategies

Board of Directors (or equivalent)

This intellectual property mechanism is designed to protect a novel invention

Patent

Right of an individual to control use of their personal data

Privacy

This development methodology is built on the premise that collaboration between developers and operational teams is essential 1: Secure DevOps 2: DevOps 3: Zachman 4: SABSA

2: DevOps

Which of the following is a true statement? 1: Incremental restore is faster 2: Differential backs up all files created or modified since the backup 3: Incremental has a higher restore success rate 4: Differential resets the archive bit

2: Differential backs up all files created or modified since the backup

Which of the following penetration testing approaches provides the most useful assessment of incident response capabilities? 1: White box 2: Double blind 3: Grey box 4: Blind

2: Double blind

Which IDS/IPS determination is the most problematic? 1: False positive 2: False negative 3: True negative 4: True positive

2: False negative

An organization should have very mature processes in place before initiating this type of disaster recovery test. 1: Tabletop 2: Interruption 3: Parallel 4: Functional

2: Interruption

In this access control model, access is based on the relationship between the subject's clearance and need to know and the object's classification level 1: DAC 2: MAC 3: RBAC 4: ABAC

2: MAC

__________ is a suite of technical specifications for communicating security flaws and configuration information 1: DOD 5220:22M 2: SCAP 3: ISCM 4: CVE

2: SCAP

This solution generally provides real time data capture, event correlation analysis, and reporting 1: NAC 2: SIEM 3: UTM 4: DLP

2: SIEM

The US public sector labels "for official use only", "limited official use", and "critical infrastructure information" are used for this classification 1: Confidential 2: Sensitive but unclassified 3: Proprietary 4: Unclassified

2: Sensitive but unclassified

Which of the following best describes a zero day threat? 1: A threat that is in the wild and has the potential to cause significant harm 2: The potential exploit of a vulnerability for which a fix has not yet been released 3: Denotes the day a threat was identified 4: A vulnerability that has been publicly announced

2: The potential exploit of a vulnerability for which a fix has not yet been released

A web application authenticates and connects to an e-commerce backend database and updates the order entry table. Identify the relationship. 1: The web application is the object and the e-commerce database is the subject 2: The web application is the subject and the e-commerce database is the object 3: The web application and the e-commerce database are both subjects 4: The web application and the e-commerce database are both objects

2: The web application is the subject and the e-commerce database is the object

This issue arises when the number of VM devices spirals "out of control" 1: VM Escape 2: VM Sprawl 3: NSX 4: VDI

2: VM Sprawl

The objective of __________ software testing is to determine if the application can gracefully handle invalid output or unexpected behavior 1: unit 2: negative 3: validation 4: multi-condition coverage

2: negative

Which of the following is not a true statement about archiving? 1: Archived documents should not be modified. 2: Archived documents should be securely disposed of at the end of the retention period 3: Archived documents should not be backed up 4: Archiving documents should be stored securely in accordance with its classification level

3: Archived documents should not be backed up

Which authentication system does Active Directory incorporate? 1: Federated Identity 2: Shared Credentials 3: Kerberos 4: Enterprise SSO

3: Kerberos

Term that describes the use of IT solutions that are managed outside of and without the knowledge of the IT department 1: Outsourcing 2: SecaaS 3: Shadow IT 4: CASB

3: Shadow IT

* and simple properties describe what a subject can do to an object. What are the * and simple properties? 1: *=delete, simple=write 2: *=modify, simple=read 3: *=read, simple=write 4: *=write, simple=read

4: *=write, simple=read

This agreement generally includes a no expectation of privacy and electronic monitoring clauses. 1: Remote Access Agreement 2: Nondisclosure Agreement 3: Service Level Agreement 4: Acceptable Use Policy Agreement

4: Acceptable Use Policy Agreement

This sampling method might include all items in a selected time period, numerical sequence or alphabetical sequence. 1: Statistical 2: Stop and Go 3: Fixed 4: Block

4: Block

Which of the following is generally not included in an ROE document? 1: Data handling requirements 2: Target environment 3: Reporting expectations 4: Engagement fee

4: Engagement fee

Which of the following is not a significant ICS/SCADA issue? 1: Difficulty patching systems 2: Weak authentication 3: Unauthorized remote access 4: Excessive power consumption

4: Excessive power consumption

An organization wants to ensure that in an emergency situation all exits will default to unlocked. This approach is best described as? 1: Shelter in place 2: Evacuation friendly 3: Fail secure 4: Fail safe

4: Fail safe

The primary motivation of this threat actor is making a political statement. 1: Hacker 2: Cyber-terrorist 3: Nation-state 4: Hacktivist

4: Hacktivist

This concept promotes using automation to replace rather than fix 1: Baselining 2: Infrastructure as code 3: Continuous integration 4: Immutable systems

4: Immutable systems

Which statement best describes the use of KPIs? 1: KPIs drive risk management decisions 2: KPIs support long term planning 3: KPIs measure threat levels 4: KPIs measure progress towards meeting performance targets

4: KPIs measure progress towards meeting performance targets

In this type of attack, the attacker takes advantage of a vulnerable target 1: Targeted 2: Zero day 3: Amplification 4: Opportunistic

4: Opportunistic

This exploitation technique uses a weakness on one system to access a better protected system 1: Persistence 2: Teaming 3: Escalation of privileges 4: Pivoting

4: Pivoting

These are high level statements intended to communicate rules and expectations. 1: Baselines 2: Guidelines 3: Standards 4: Policies

4: Policies

A business unit has determined that their application has a MTD of 2 hours. Which statement below supports this requirement 1: MTO = 2 2: RTO = 2 3: RPO < 2 4: RTO < 2

4: RTO < 2

Influencing the state of the resource between time of checks and time of use is known as? 1: Code reuse 2: Maintenance hook 3: Covert channel 4: Race condition

4: Race condition

__________ access controls are based on situational if-then statements. 1: DAC 2: Role-based 3: Constrained Interface 4: Rule-based

4: Rule-based

Which secure protocol minimizes the risk of VoIP denial of service attack? 1: SMTP 2: SSH 3: SSL 4: SRTP

4: SRTP

This is the practice of concealing a file within another file 1: Encryption 2: Aggregation 3: Cryptanalysis 4: Steganography

4: Steganography

Internet of Things (IoT)

"The Internet of Things is the network of physical objects or 'things' embedded with electronics, software, sensors, and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator, and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure" --Wikipedia -Consumer-oriented devices with bias towards usability and ease of access. -Architected, deployed, and managed with a noticeable lack of attention to security

Type of biometric marker that includes fingerprints and retina scans

Physiological

Hijacking Attacks to Know

'Man-in-the-Middle (MiTM)' -- Spoofing and/or poisoning - Exploiting real-time processing of transactions, conversations or data transfer
'Replay' -- Capturing and reusing packets - Reusing authentication data / credentials - Replaying the packet over and over causing a denial of service
'Man-in-the-Browser (MitB)' -- Internet version of MiTM - Manipulating the browser to control a session including what is displayed
'Session Hijacking' - Stealing session cookies to "take over" a user's active session

Inventory Tools

'Network mapping tools' are used to create physical and logical diagrams. -Popular network mapping tools include Solarwinds, Spiceworks, ManageEngine, and Nmap 'Network enumeration tools' discover and document devices and characteristics such as operating systems, open ports, listening network application and services, shares, users, and groups. -Popular enumeration tools include DumpSec and Nessus 'Audit tools' are designed to track licenses and unlicensed software. -www.bsa.org/anti-piracy/tools-page

Mobile Device Ownership & Deployment

- Company-owned Business Only (COBO) - Choose Your Own Device (CYOD) - Company-owned Personal Enabled (COPE) - Bring Your Own Device (BYOD)

Local Storage Primer

- Direct Attached Storage (DAS) - Network Attached Storage (NAS) - Storage Area Network (SAN) - Network Unified Storage (NUS)

Business Impact Analysis Process

- Identify Essential Services & Dependencies (Business) - Determine Maximum Tolerable Downtime (MTD) - Determine Recovery Point Objective (RPO) (DATA) - Identify Infrastructure and Dependencies - Determine Current RTO & RPO - Gap analysis - Report to Management

Penetration Test Phases

- Passive Reconnaissance - Active Reconnaissance - Attack Planning - Attack and Exploitation - Reporting - Remediation and Retesting

Data Breach Disclosure & Notification Requirements

- Sector-specific federal security legislation has breach notification requirements. - 48 states, DC, Guam, Puerto Rico, and the Virgin Islands have data breach notification requirements related to the disclosure of PII. - Data Protection Directive / GDPR (EU) has breach disclosure and notification standards and requirements - PCI-DSS has breach notification requirements.

Digital Infrastructure Attack Categories

- Spoofing - Poisoning - Hijacking - Denial of Service (DoS) - Code

Cyber Attack Terms to Know

- Targeted Attack - Opportunistic Attack - Amplification - Privileged Escalation - Advanced Persistent Threat (APT) - Zero-day

Company-owned Personal Enabled (COPE)

- Users get issued a device for both professional and personal use - Company owned

Company-owned Business Only (COBO)

- Users get issued a device for professional use - Company owned

Choose Your Own Device (CYOD)

- Users get to select their own device for professional use - Company owned

Bring Your Own Device (BYOD)

- Users get to select their own device for professional use - User owned

Symmetric Algorithms

-Data Encryption Standard (DES) -Triple DES (3DES) -Advanced Encryption Standard (AES) (Rijndael) Others to recognize: Blowfish, IDEA (used on PGP), Twofish (open source), RC4 (stream cipher - considered insecure. Used in WEP)

Sourcing Decision Making Process

-Define the product, function, or service to be outsourced. -Define the requirements -Define the associated metrics -Identify any legal, regulatory or contractual obligations -Identify risks and risk mitigation strategies -Conduct due diligence reviews -Codify the relationship -Monitor the supply chain

Why are embedded devices vulnerable?

-Devices are designed for functionality and convenience -- not security -Devices are powered by specialized computer chips/RTOS. The chips are inexpensive and profit margins slim. Strong incentive to use open source operating systems and components. Often the software is outdated. -Little incentive to maintain chips/RTOS. Often, patches are not available. If available, expertise to install is rare or the incentive nil.

Qualitative Methodologies

-NIST SP 800-30 -Facilitated Risk Analysis Process (FRAP) -The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) -ISO/27005

This plan addresses the overall strategy and plan for sustaining a business 1: BCP 2: DRP 3: CCP 4: OEP

1: BCP

Disaster Recovery Plan (DRP) Lifecycle

1: BIA 2: Assess current environment 3: Select and define strategies 4: Develop plans and procedures 5: Train users 6: Exercise the plan 7: Review/update the plan 8: Audit the plan

Arrange the DRP life cycle components in the correct order - Develop plans and procedures - Review and update the plan - Define strategies - Train users - BIA - Exercise the plan

1: BIA 2: Define strategies 3: Develop plans and procedures 4: Train users 5: Exercise the plan 6: Review and update the plan

Secure Acquisition & Implementation

1: Business and resiliency requirements 2: Define selection criteria 3: Review security documentation 4: Understand configuration options 5: Conduct an initial risk assessment 6: Make GO | STOP decision 7: Conduct a vendor assessment 8: Make GO | STOP decision 9: Evaluate in test environment (dummy data) 10: Update risk assessment 11: Business unit decision 12: Install and test 13: Move into production and monitor 14: Vulnerability and patch management support

This type of mobile device is owned by the organization and is configured for both personal and professional use. 1: COPE 2: COBO 3: CYOD 4: BYOD

1: COPE

Trusted Certificate Lifecycle

1: CSR - Certificate Signing Request (CSR) 2: Certificate is issued 3: Certificate is published 4: Certificate is received 5: Certificate installed 6: Certificate renewed, suspended, revoked or expired 7: Key is destroyed

This social engineering technique is accomplished when an intruder enters a building in the company of others 1: Tailgating 2: Covert observation 3: Whaling 4: Impersonation

1: Tailgating

This type of assessment is used to identify personal information that has been acquired by the organization and to determine how to treat the data 1: Privacy threat assessment 2: Privacy threshold assessment 3: Privacy risk assessment 4: Privacy impact assessment

2: Privacy threshold assessment

This secure protocol does not use SSL/TLS 1: Secure POP3 2: SFTP 3: HTTPS 4: FTPS

2: SFTP

Minimum fence height to deter determined intruders

8 feet

This 802.11 standard addresses security

802.11i

Rules of Engagement

A rules of engagement (ROE) document details the parameters and expected assessor conduct of the assessment (exam/test). ROE components include: - Scope - Level of expertise / methodology - Logistics and communication plan - Data handling requirements - Reporting expectations - Assessor responsibilities - Legal considerations

Bluetooth

A shortwave radio low power technology for exchanging data based on the 802.15 standard. Bluetooth uses include headsets, hearing aids, wireless speakers, PC input/output, health sensors, real-time location systems, GPS receivers, bar codes, traffic control devices, and game consoles. -Range is 10-24m depending on the version -Subject to bluejacking, bluesnarfing, and Blueborne -Bluejacking is injecting an unsolicited message -Bluesnarfing is unauthorized device pairing -Blueborne exploits protocol weakness to "take over" the device

Kerberos

A single sign-on (SSO) system that can be embedded in operating systems and directory services (including Microsoft Active Directory) to provide secure 'mutual' authentication - Mutual authentication is when both the subject and the object (resource) identify themselves to each other

Shibboleth

A standards-based, open source software for web SSO across or within organizational boundaries - The Shibboleth software implements widely used federated identity standards, primarily SAML to provide a federated SSO and attribute exchange framework. - Shibboleth also provides 'extended privacy functionality' allowing a user and their home site to control the attributes released to each application

Agreement that details proper use of information and information systems

AUP Agreement Acceptable Use Policy Agreement

These locks have complex and difficult to reproduce keys

Pick Resistant

Inference

Ability to derive information that is not explicitly available.

This policy allows only applications that are explicitly given permission to execute

Application whitelisting

Emanations Security (EMSEC)

Attackers can use radio signals, sounds, and vibrations to obtain information. Protection mechanisms include shielding, filtering, and masking. - TEMPEST is a NSA and NATO emanation certification program that includes both classified and unclassified protection standards - Fiber optic has no electromagnetic emanations

Weak Implementation

Attackers take advantage of misconfigurations, weak keys, broken or deprecated versions. - 'Deprecated' means that the use of the algorithm and key length is allowed, but the user must accept some risk (weakness). - 'Broken' means that the algorithm and/or key length is exploitable

Windows Update Service is an example of this patch management approach

Automated

This disk image can be used to restore operating system files

Automated System Recovery (ASR)

Fuzzing

Automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called fuzz, and monitoring the application response

Principle that relates to operations and accessibility

Availability

This change management KPI tracks the number of changes that are not yet completed

Backlog

Three principles of physical security

Deter, detect, and delay

Asymmetric algorithm primarily used for key exchange

Diffie-Hellman

The outcome of this drives the recovery strategy

BIA Business Impact Analysis

Process of making copies of data for recoverability purposes

Backup or Replication

Group ultimately responsible for the actions of the organization from a fiduciary perspective

Board of Directors

Governance Ecosystem

Board of Directors Executive Management Organizational Roles Functional Roles

Network Unified Storage (NUS)

Consolidates file based and block based access in one storage platform, combining the NAS and SAN model

Configuration Guidance

Can be in the form of a narrative, checklist, spreadsheet, or installation files. Changes should be subject to configuration management and change control processes.

Power Protection

Category / Description / Mitigating Control
Blackout / Prolonged period without power / Battery backup (UPS), Alternate power supply (generator), Supplier diversity
Brownout / Prolonged period of low voltage
Sag / Moment of low voltage
Surge / Prolonged period of high voltage
Spike / Moment of high voltage
(Brownout, Sag, Surge, and Spike share one mitigating control) / Voltage regulators, surge protectors, power line conditioners, battery backups (UPS)
Power Supply Failure / Failure of internal power supply or fan / Redundant power supply

Optimal location within a building for a Data Center

Center of the facility

Class of fire that involves live electrical equipment

Class C

Online Backup Strategies

Cloud Backup Services - Scheduled backup to an Internet location
Disk Shadowing - Data is written to (and read from) two or more independent disks. Process is transparent to the user
Electronic Vaulting - Files copied as they change and periodically transmitted to a backup location
Remote Journaling - Transaction logs copied and periodically transmitted to a backup location
Automated System Recovery (ASR) - Disk image that can be used to restore OS files

Software Security Assessment Options

Code assessment - Examination and testing of code
Vulnerability assessment - Identification of known vulnerabilities
Configuration assessment - Review of configuration and audit settings
Security testing - Testing to identify potential exploits
Risk assessment - Determining the application inherent and residual risks
Application audit - Independent review of functionality and effectiveness
Logging and monitoring - Ongoing activity review
Regression test - Testing conducted whenever a change is made to the code

This type of control is substituted when another control cannot be used due to organizational or environmental limitations

Compensating

CASE Tools

Computer-aided Software Engineering (CASE) suites include diagramming aids, a library of standard function source code, tools to define application programming interfaces (APIs), version control tools, code review tools, and project management tools

Environmental Impact

Computers, electronic equipment, and transmission media are sensitive to environmental factors such as heat, humidity, air flow, and power quality - Environmental imbalance can impact stability, availability, and integrity - HVAC systems should be continually monitored and set to alarm for deviations - HVAC system access to controls should be restricted and changes logged

Principle that only authorized subjects have access

Confidentiality

Security principle related to encryption

Confidentiality

Security-focused CM

Configuration management has traditionally been the domain of the IT department - Security-Focused Configuration Management (SecCM) builds on the general concepts, processes, and activities of configuration management and focuses on the security requirements of the organization and information systems

This cipher outcome used complex substitution functions

Confusion

Role tasked with responding to activity and error reporting

Custodian

Their responsibilities include implementing protection mechanisms and monitoring for violations

Custodian

Functional role responsible for implementing, managing, and monitoring protection mechanisms

Custodians

Convergence

Cyber (information) and physical security controls and responsibilities overlap. A convergence model recognizes the relationship and promotes cooperation and coordination - The consequences of unauthorized (malicious) physical access to information systems and devices can be significant

The anti-remanence result of pulverizing, pulping, burning, and shredding

Destruction

Forcing a system to use a lesser crypto mode

Downgrade attack

This environment is used for experimentation, proof of concept, and code development

DEV

This filter blocks certain files from being exfiltrated

DLP

Data Emanation

Data emanation (or signal emanation) is the electromagnetic (EM) field generated by a coax or copper cable or network devices, which can be manipulated to eavesdrop on conversations or to steal data. - A Faraday cage or shield is an enclosure used to block electromagnetic (EM) fields (incoming and outgoing) - Faraday bags are often used in digital forensics to prevent remote wiping and alteration of criminal digital evidence

Software Piracy

Defined by the Business Software Alliance as the "unauthorized copying or distribution of copyrighted software". Piracy includes copying, downloading, sharing, selling, or installing multiple copies onto personal or work computers. The Digital Millennium Copyright Act (DMCA) makes it illegal to create products that circumvent copyright protections such as a license key

The desired result of a "jamming" attack

Denial of Service

Departmental Considerations

Departmental business continuity plans should be reviewed in light of the following considerations: - Are cybersecurity and data protection requirements taken into account? - Have recovery sites (including work from home) been evaluated for technical and physical security? - Have 3rd parties and external resources been vetted and do they have appropriate agreements in place? - Does the department know how to "speak" to cybersecurity issues?

National Framework

Designed for use in a specific country or consortium (e.g. USA, EU) Well known Framework: NIST Cybersecurity Framework

Control classification used to discourage a threat agent

Deterrent

Control Classifications

Deterrent Preventative Detective Corrective Compensating **Note: A control can (and often does) have multiple classifications depending upon context.

Control Cross-Over Examples: Door Alarm (Physical Control)

Deterrent - Discourages use of an alarmed door
Preventative - N/A
Detective - Reacts to the door being opened or threshold crossed
Corrective - Sounds an alarm that might scare off the intruder

The term used to describe when software will no longer be supported

End of Life (EOL)

Match the following cryptographic objectives Terms: Digital certificate Encryption Digital signature Hashing Objectives: Integrity Nonrepudiation Confidentiality Authentication

Digital certificate - Authentication
Encryption - Confidentiality
Digital signature - Nonrepudiation
Hashing - Integrity

A message digest that has been encrypted with a private key

Digital signature

Cryptographic technique used for non-repudiation

Digital signature

Roles and Responsibilities

Directors & Executive Management Compliance Officer, Information Security Officer, Privacy Officer Owners Stewards Custodians Users

DRP Training Objectives

Disaster recovery requires a team effort. Disaster recovery training objectives vary by audience. - BOD, executives, and business line management objective is insight and endorsement - DR teams objective is knowledge and competency - General population objective is awareness and instruction

A confirmed (or high probability) breach may trigger this public-facing activity

Disclosure and notification

This sampling approach is used when illegal activity is suspected

Discovery (or Exploratory) sampling

Data is written to (and read from) two or more independent disks

Disk shadowing

Clearing technique that overwrites addressable storage multiple times

Disk wiping

Physical Infrastructure

Disruption or destruction of physical structures and facilities.

Rummaging through trash in search of information

Dumpster Diving

Duress

Duress is the threat of harm that may result in a person taking an action that they would not normally do. - Scenario analysis can be used to identify potential situations, determine controls, and provide training to potential targets - Enforcing least privilege, dual control, and separation of duties minimizes the impact of duress - In all cases, personnel safety is paramount

Each block is independent in this block cipher mode

ECB Electronic Codebook

Power

Electrical power supplied to electronic devices must have consistent voltage and a minimum of interference. - Devices need to be protected against surges, spikes, sags, brownouts and blackouts

This process copies files as they are changed and periodically transmits them to a backup location

Electronic vaulting

This is the release of static electricity when two objects touch

Electrostatic discharge (ESD)

Secure Deletion

Ensures that the deleted file or file fragments cannot be retrieved and/or reconstructed. Techniques to counter data remanence include:
'Clearing' - The removal of data in such a way that data cannot be recovered using 'normal system functions of recovery utilities'
'Purging' - The removal of data that 'cannot' be reconstructed by 'any known technique'
'Destruction' - The physical act of destroying media in such a way that it cannot be reconstructed.

Storage Area Network (SAN)

Enterprise-level storage network of devices. They are connected by a high speed private network using fiber channel, FCoE, or iSCSI connections

The term used to describe services that must be provided during a disruption of services

Essential

Incident Response (IR) Process - Preparation

Establish incident management capability

Threat Intelligence

Evidence-based knowledge about an emerging threat that can be used to inform control decisions. The true value of threat intelligence is in its application. Changing the security model from reactive to proactive - if you understand your adversaries, you can develop tactics to combat current attacks and plan better for future threats.

This attack uses a rogue access point to spoof an SSID

Evil Twin

Spoofing Attack

Evil Twin - Rogue access point with the same SSID - Enables an attacker to "trick" a user into connecting to an attacker controlled network - May also impersonate a "captive portal" to capture credentials and/or payment information - Can be used as a stepping stone to a MiTM attack

Passive assessment activity with minimal anticipated operational impact

Examination

Supply Chain Risks

Examples: -Loss of control (process, product, service) -Degradation or disruption of service -Single point of failure (SPOF) -Non-compliance -Poor vulnerability management -Limited visibility -Unreported incidents -Business failure

Code

Exploiting weaknesses in server or client side code or applications. Enables an attacker to take control

When a threat agent successfully takes advantage of a vulnerability

Exploit

A system or software configuration issue or lack of a control that could contribute to a successful exploit or compromise

Exposure

This type of certificate verifies a domain and an organization subject to additional vetting (aka "green bar")

Extended Validation

Additional functionality or the modification of existing functionality without significantly altering the original structure or data flow

Extensibility

US federal law that requires consumer report adverse action disclosure

FCRA Fair Credit Reporting Act

This arrangement makes a "portable identity" possible

FIM Federated Identity Management

This US regulation requires federal agencies to undergo periodic assessments

FISMA

The combination of FTP and SSL

FTPS

Authentication Factors

Factor - Description - Implementation
Knowledge - Something a user knows - Password/Passphrase, PIN
Possession - Something a user has - Token, smartcard
Biometric - Something a user is and something a user does - Physiological, behavioral
Location - Somewhere a user is - GeoIP, Facility, Device proximity

This principle implies that in an emergency situation, controls will default to locked

Fail-secure

Biometric Accuracy

False Reject Rate (FRR) - Type 1 Error
False Accept Rate (FAR) - Type 2 Error
Crossover Error Rate (CER)

US regulation that requires educational institutions to protect the privacy of student records

Family Educational Rights and Privacy Act (FERPA)

An enclosure that blocks electromagnetic fields

Faraday cage

Relative computational efficiency of symmetric encryption

Fast

Symmetric vs Asymmetric

Feature / Symmetric / Asymmetric
# of keys / Single shared key / Key pair
Block Sizes / Large / Small
Processing / Computationally efficient / Computationally intensive
Strength / Difficult to break (large keys) / Smaller key sizes
Scalability / Not scalable / Scalable
Key Exchange / Key exchange is inherently insecure / Key exchange distribution system

Regulation that requires federal agencies to secure their systems and data

Federal Information Security Management Act (FISMA)

What an aggregation of resources that dramatically increases efficiency or capability is known as

Force multiplier effect

The process of collecting, preserving, examining, analyzing, and presenting evidence

Forensics

Number of mandatory canons in the (ISC)2 Code of Ethics

Four Canons

Supporting Processes

Four important internal processes support the software development process: - 'Configuration management' is used to support the development of baselines and standards - 'Version control' tracks files, source code, and configurations over time - 'Change control' manages changes to artifacts, such as code changes or documentation changes - 'Provisioning' deploys (makes available) versions to various resources for simultaneous development

Relationship to a subcontractor used by a third party

Fourth party

A logical structure used to document and organize processes

Framework

Disclosure

Full disclosure is when a publisher notifies users as soon as a vulnerability is confirmed (even if a patch is not yet available) - The publisher response to a software flaw that creates a security vulnerability is (should be) to develop and distribute fixes known as updates or security patches

Hardware-based mechanism for automatically encrypting all data written to the drive

Full disk encryption (FDE) / Self encrypting drives (SED)

Validation that a security control exists

Functionality

What a control does

Functionality

Functionality & Effectiveness

Functionality is what a control does. Effectiveness is how well a control works. - Effectiveness is a reflection of the control's consistent, complete, reliable, and timely operation

RTO are tied to this time frame

Future

DR Plan Audit (verification and validation)

Governance - Authorized by the Board of Directors (or equivalent body)
Management - Supported by management inclusive of funding and resourcing
Documentation - Up to date written plan, procedures, and supporting documentation
Compliance - Conformance with regulatory requirements, contractual obligations, and SLAs
Responsibilities - Individual, team, and departmental responsibilities assigned and understood
3rd Parties - 3rd party contracts match plan requirements
Testing - Plan and procedures exercised, results documented, and modifications made
Review - Plan in its entirety subject to a scheduled review

Regulation that requires safeguarding consumer financial data

Gramm-Leach-Bliley Act GLBA

This software monitors and analyzes local behavior as well as network connectivity

HIDS

This type of IDS runs on a local device

HIDS

US regulation that protects the privacy of patient health information

HIPAA Health Insurance Portability and Accountability Act

Vulnerability Notification

Identification of vulnerabilities in protocols, OSs, utilities, applications, and firmware is an on-going process conducted by software publishers, security researchers, and testers - Public notification is based on a number of factors including severity, ease of exploit, availability of a fix, and intent to exploit - In the US, identified flaws can be reported to the CERT Coordination Center (CERT/CC) - CERT/CC serves as a coordinating body that works with affected vendors to resolve vulnerabilities

Define Requirements

Identify and document security requirements early in the development life cycle and make sure that subsequent development artifacts are evaluated for compliance with those requirements. When security requirements are not defined, the security of the resulting system cannot be effectively evaluated

Level of risk before treatment

Inherent Risk

Secure DevOps concept of having an image of a system preconfigured to a desired "known good" state (using automation to replace rather than fix)

Immutable system

This attack tricks an application into sending unintended commands to the interpreter

Injection

This vulnerability allows an attacker to include commands that are sent to an interpreter

Injection

Standards and Best Practice Guidance

International Organization for Standardization (ISO) 2700x National Institute of Standards & Technology (NIST) Special Publication 800 Series Industry (e.g. SANS, WiFi Alliance, CSA, BSA, ISACA, AICPA) Vendors (e.g. Microsoft, Cisco, Apple)

Power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory

Jurisdiction

Secret value used with an algorithm

Key / Cryptovariable

Networking Devices (Conceptual Example)

Layer 1 - Physical - Hubs and Repeaters
Layer 2 - Data Link - Bridges, Wireless Access Points, Switches
Layer 3 - Network - Multilayer Switches, Router, Firewall (IP Filtering)
Layer 4 - Transport - Load Balancer, Firewall (port filtering)
Layer 7 - Application - Firewall (protocol or data filtering)

FCoE OSI Layer

Layer 2

Bridges, wireless access points and switches operate at this OSI layer

Layer 2 Data Link

Encryption occurs at this layer in the OSI model

Layer 6 Presentation

This access control concept requires that only the minimal rights and permissions needed to accomplish a task are assigned

Least Privilege

This principle means to assign only the rights and permissions necessary to accomplish a task

Least Privilege

Retention and Preservation

Logs might need to be preserved to meet legal or regulatory requirements - Log retention is the archiving of logs in accordance with organizational retention (and destruction) policies - Log preservation is keeping logs that normally would be discarded because they contain records of activity of particular interest - Log preservation is typically performed in support of incident handling or investigations - Log data used as evidence must be shown to be tamper proof and follow chain of custody procedures

Availability Ladder

Low to High Availability - Spare Parts - Passive Fault Tolerance - Active Fault Tolerance - Asymmetric High Availability - Symmetric High Availability

These devices emulate a production environment in order to entice attackers

Low-interaction honeypot

In this model, access is based on the relationship between subject clearance and need to know and the object classification

MAC Mandatory Access Control

Scalable protocol-independent transport technique for high performance networks

MPLS

Complete reproduction of a physical network in software

NSX Network Virtualization

This Microsoft suite of authentication protocols is vulnerable to pass-the-hash attacks

NTLM

Types of Filters

Malware - Scanning incoming data and/or headers for indication of malware File Type - Blocking incoming file types (e.g. .exe, .mp3, .zip) Anti-Spam - Identification of incoming SPAM email by comparing to a database of known SPAM, public blacklists, URL blocklists, Bayesian filtering, and/or reputation services Message Content - Outbound message blocking or quarantining of specific content (e.g. SSN) Auto encryption of outbound messages based on content DLP - Outbound blocking of identified files or file types URL - Blocking URLs from being accessed (generally by category, e.g. gambling sites)

Data Acquisition Tools

Memory Imaging - used to acquire (dump) short term volatile data (RAM/Virtual memory) Write Blocker - Tool that intercepts inadvertent drive writes Bit Stream Image - bit by bit copy of the source material that preserves all latent data in addition to files and directory structure. Accessing an image does not modify its data Clone - exact copy of the entire physical hard drive including all active and residual data and unallocated or slack space. A cloned hard drive can be installed into the computer, and the computer will reboot and function as if the original drive were still installed.

This vulnerability is the failure of a program or OS to free up dynamically requested memory

Memory Leak

Hashing Algorithms

Message Digest (MDx) - MD5 has been shown to be subject to collision attacks and is "broken"
Secure Hash Algorithm (SHA) - Created by the NSA - SHA-1 has been shown to be subject to collision attacks - SHA-2 family is widely used and includes SHA-256, SHA-384, and SHA-512
RIPEMD - Based on MD4; it has been replaced by RIPEMD-160

This common type of IDS detects physical disturbance

Motion

Driving force behind an attack

Motivation

Threat Modeling (Simplified)

Motivation - Why and how would an adversary target my organization? Workfactor = How hard would it be for an adversary to achieve their objective? Threat Intelligence Information Sharing - Are we aware of the latest threats, tools, and techniques? Do we share what we know? Threat Detection - Would we know if we were being attacked? Resiliency - Are we prepared to respond to an attack? Can we maintain continuity of operations?

When two or more of the same type of factors are required for authentication

Multilayer

Multilayer Protocols

Multilayer network communication protocols provide standards that allow diverse systems to communicate. Examples include MPLS, DNP3, and FCoE

The process of both the subject and object authenticating to each other

Mutual Authentication

Need-to-Know & Least Privilege

Need-to-know means that the subject has a demonstrated and approved reason for being granted access. Least privilege means assigning subjects only the rights and permissions needed to complete the assignment - Once need-to-know has been established, least privilege should be enforced

Network Access Control (NAC)

Network Access Control (NAC) is an agent or agentless approach to network security that attempts to unify endpoint security technology, user or system authentication, and network security enforcement. - An 'agent' is code that performs a function on behalf of an application

DLP Location

Network based (On premise) -- Network based (hardware or virtual appliance) deals with data in motion and is usually located on the network perimeter.
Storage based -- Storage based (software) operates on long-term storage (archive)
Endpoint based -- Endpoint based (software) operates on a local device and focuses on data-in-use
Cloud based (off premise) -- Cloud based operates in "the cloud" on data in use, in motion, and at rest.

This risk assessment methodology was developed at the Carnegie Mellon SEI

OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation

Virtual environment that shares the kernel of the host operating system but provides user space isolation

OS Container

Connectivity Devices

OSI Layer / Device / Description
1 / Hubs / Hubs retransmit a signal received on one connection point to all ports
1 / Repeaters / Repeaters amplify signals
2 / Bridges, Wireless Access Points / Bridges/WAPs filter traffic based on MAC address, amplify signals, and can connect dissimilar media
2/3 / Switch / Switches are used to create connections between two ports and eliminate collisions
3 / Routers / Routers forward packets using IP addresses and routing protocols

Intelligence data collected from publicly available sources

OSINT Open Source Threat Intelligence

Non-profit that publishes the Top Mobile Application Flaws

OWASP

Open community dedicated to software safety and security

OWASP

The act of making a data set difficult to find or understand

Obfuscation

This type of assessment is generally cooperative and known to all relevant personnel

Overt

Provisioning / Deprovisioning Lifecycle

Onboarding, Account Request, User Agreement, Credential Management Authorization, Assignment of rights and permissions, User training User account auditing, User access auditing, Change requests, User training Termination, Offboarding

How many keys are used in symmetric encryption?

One

A standard that is publicly available and can be freely adopted and extended

Open standard

Identity layer on top of the OAuth 2.0 protocol which facilitates authentication

OpenID Connect

Identify the technologies that support Federated Identity Management. Choose all that apply: OpenID Connect OAuth 2.0 MPLS Active Directory Kerberos SAML

OpenID Connect OAuth 2.0 SAML

Asset criticality generally relates to this characteristic

Operations

This type of attack occurs when an attacker takes advantage of a vulnerable target (not previously known to them)

Opportunistic attack

Value Delivery

Optimize investments in support of business objectives.

BIA report should prioritize this order

Order of restoration

Knowledge - Password/PIN Controls

Password controls include: - Strength (length, complexity, and uniqueness), limited login attempts, and aging - Hashing, hashing with salt, and encryption - User training Even with the above controls, passwords alone provide minimal protection and are considered the 'weakest' form of authentication

Infrastructure-as-a-Service (IaaS)

Provisioned: -"Bare metal" Computing Resources Customer Impact -The customer does not manage or control the underlying cloud infrastructure -The customer can provision processing, storage, networks, and other fundamental computing resources -The customer has control over the operating system, storage, and deployed applications and possibly limited control of select networking components (e.g. host firewalls) Considerations: -Availability -Maintenance -Vulnerability Management -Confidentiality -Privacy

Process of creating user accounts and credentials

Provisioning

This well-known symmetric stream cipher used in WEP is considered deprecated due to multiple vulnerabilities

RC4

This software or OS feature allows a desktop to be accessed remotely on port 3389

RDP

De facto commercial standard asymmetric cipher

RSA

Digital Signature Algorithms

RSA - Widely implemented - De facto commercial standard - Works with both encryption and digital signatures
Digital Signature Algorithm (DSA) - Published by NIST in cooperation with the NSA. - US Government Digital signature standard
NOTE: Digital signatures require two algorithms--a hashing algorithm and a digital signature algorithm

Metric for the amount of time allocated for system recovery

RTO Recovery Time Objective

This software development project model combines prototyping and iterative processes

Rapid Application Development (RAD)

Disaster Recovery Exercises

Read-through (Desk check) - Personnel or departments review their plans and procedures for accuracy and completeness - Accuracy & Familiarity Walk-through (Tabletop) - Scenario-based group workshop focuses on the application of plans and procedures as well as participant readiness. Promotes coordination and communication - Coordination & Communication

Metric related to acceptable data loss

Recovery Point Objective (RPO)

Privilege

Relates to overriding capabilities - Administrative, root, and super user - Privilege trumps rights and permissions Privileged credential theft and privilege escalation are two of the most serious attacks - Pass-the-Hash is a technique in which an attacker captures hashed account credentials on one computer and reuses the credentials to authenticate to another computer

The term used to describe the level of risk after controls have been applied

Residual risk

Buzz word that describes the capability to continue operating even when there has been a fault, incident, or abnormal operating conditions

Resiliency

Capability to continue operating in abnormal conditions

Resiliency

Owners Stewards

Responsible for decisions related to classification, access control, and protection.

Development Security Issues

Retrofitting is expensive and reputation damaging. It is absolutely critical to integrate security into the development lifecycle including: - Considering security during each phase - Conducting code reviews throughout the process - Not allowing development teams to test their own work - Requiring regression testing for new features and fixes

SLE = AV * EF

Revenue from one hour of e-commerce is $20,000 (AV) A DDoS attack could disrupt 85% (EF) of online activity. $20,000 (AV) * .85 (EF) = $17,000 (SLE) The cost of an hour of DDoS disruption is $17,000

This is the process of analyzing and understanding malware characteristics

Reverse Engineering

This type of proxy server appears to the client to be an ordinary web server

Reverse proxy

OS Kernel and device drivers operate at this ring

Ring 0

Protected Rings Illustrated

Ring 3 - Applications
Ring 2 - OS Utilities
Ring 1 - Operating system
Ring 0 - OS Kernel and Device Drivers

Measurement of likelihood and impact of a threat event

Risk

Level of risk an entity will accept in pursuit of its mission and objectives

Risk Appetite

Acceptable variation in outcomes related to specific performance measures

Risk Tolerance

Process used to identify and measure risk

Risk assessment

This risk management option requires that the risk-related activity cease

Risk avoidance

Tool used to document risk and ancillary details such as treatment measures and monitoring tasks

Risk register

Secure DevOps Concepts

Security Automation - Automating attacks against pre-production code and continuous vulnerability testing against production code
Continuous Integration (CI) - A continuous merging of source code updates from all developers on a team into a shared mainline. - If a failure is seen, the development team is expected to refocus and fix the build before making any additional code changes
Baseline - A consistent, agreed upon version of software that serves as the basis for further development
Immutable Systems - Image of a system preconfigured to a desired "known good" state - Uses automation to replace rather than fix
Infrastructure as Code - Using code to manage configurations and automate provisioning of infrastructure (e.g. build testing and staging servers)

Statement on Standards for Attestation Agreements #18 (SSAE18)

Service Organization Control (SOC) Reports are internal control reports on the services provided by a service organization. -Standard designed and maintained by the American Institute of Certified Public Accountants (AICPA)

Acceptable Use Policy (AUP) Agreement

Sets forth proper use of information systems, handling standards, monitoring, and privacy expectations -An AUP should be written in language that can be easily and unequivocally understood -By signing the associated agreement, the user acknowledges, understands, and agrees to the stated rules and obligations

Number of layers in the OSI model

Seven

Technology solutions that are implemented without the knowledge or consent of the IT department

Shadow IT

Order that personnel must stay where they are

Shelter-in-place

This open source FIM compatible software allows a user to control the attributes released to each application

Shibboleth

Securing Code Repositories

Source code needs to be protected from unauthorized access, inadvertent modification, sabotage, and IP theft. Source code protection mechanisms include: - Use of a centralized source code repository - Configuration management program that includes change control procedures, bug tracking, release management and documentation - Multiple levels of access control including encryption, dual control, and separation of duties - Secure communication protocols - Backup, rollback, and restoration procedures

Industry Specific Framework

Specific to an industry. Developed, promoted, and enforced by industry members. Well known Framework: HITRUST Common Security Framework (Voluntary) PCI DSS Payment Card Industry Data Security Standard (Enforced)

802.11 IEEE Standards

Specification / Data Rate / Frequency / Distance
802.11 / 2 Mbps / 2.4 GHz / 100M
802.11b / 11 Mbps / 2.4 GHz / 140M
802.11a / 54 Mbps / 5 GHz / 120M
802.11g / 54 Mbps / 2.4 GHz / 140M
802.11n / 150 Mbps / 2.4/5 GHz / 250M
802.11i - Security for 802.11 technologies
802.11e - Quality of Service (QoS) for priority and time sensitive data

Impersonating an address, system, or purpose

Spoofing

Foundational (lower level) models

State - Conceptual model that ensures no matter what activity is taking place within a system, it is always trustworthy Non-interference (multilevel) - Whatever happens at one security level does not directly or indirectly affect the security environment of other levels Information Flow (multilevel) - Information will flow only in ways that do not violate the security policy of the system NOTE: If any of the lower level (foundational) models are proven false, then the security of the system cannot be relied upon regardless of the implementation of higher level security models

This type of firewall evaluates each datagram individually

Stateless

Sampling Techniques

Statistical Sampling - An objective method for determining sample size and selection criteria - Each item should have an equal probability of selection
Non-statistical Sampling - A subjective method for determining which items are the most material, relevant and/or risky - Included items are based on professional judgement
Block Sampling - All items in a selected time period, numerical sequence, or alphabetical sequence

The practice of concealing a file within another file

Steganography

Testing performance with an abnormal number of users or operations

Stress testing

Log Analysis Processes

Synchronization - The process of synchronizing with an external time source with a time stamp protocol (e.g. NTP)
Normalization - The process of standardizing the log details into a consistent structure
Aggregation - The process of consolidating events from disparate devices and systems
Deduplication - The process of filtering out duplicate entries or excessive noise
Correlation - The process of tying individual log entries together based on related information
Identification - The process of identifying normal and abnormal activity

This replication strategy guarantees zero data loss

Synchronous replication

Recorded actions that emulate activity

Synthetic transactions

Code Security Assessment

Synthetic Transactions Security Code Review Static Code Analysis Dynamic Analysis Fuzzing Use Case

Protection Profile

The Common Criteria evaluates products against protection profiles -A 'protection profile' is a specific set of functional and 'assurance requirements' for a 'category of products'. A protection profile can be written by several different groups including vendors, customers, and accreditation agencies -A 'security target' is written by a product 'vendor' or 'developer' that explains the specifications of the product including 'functionality' and 'assurance' requirements -A 'target of evaluation (TOE)' is the product or system that will be rated.

DevOps

The DevOps development methodology is built on the premise that collaboration between 'developers' and the 'operations' team is essential -The initial push for DevOps stemmed from the need to integrate operation to make software development more efficient and of higher quality -'Integrated DevOps' mandates that the operations team remains involved throughout the software development lifecycle to ensure a smooth, efficient process through transition and deployment

The Ethics Working Group provides an ethics framework for adoption by information security organizations including (ISC)2, ISSA, and GIAC

The Unified Framework for Information Security Ethics clearly states expectations of ethical and professional conduct that pertain to information security work while also addressing the interests of those who rely on information security specialists and the public at large.

Business Continuity

The ability for a business to operate in adverse conditions. It may be a contractual obligation and may be a regulatory requirement.

Dev

The development environment (DEV) is used for code development, proof of concept, experimentation, and customization - The environment can be a developer's desktop, dedicated server, or a server shared by several developers working on the same project - If software is being acquired rather than developed, the DEV environment is used to preview, configure, and customize the application - The development environment MUST be segregated from the production environment

Secure Protocols

The function of a secure protocol is to ensure confidentiality, integrity, authentication, nonrepudiation, or any combination thereof - Secure protocols are commonly used in network management and communications; often replacing older insecure protocols

Risk Monitoring

The objective is to track known risks, evaluate treatment effectiveness, identify new risks, and schedule ongoing assessments

Architecture-centric

The threat models focus on system design and potential attacks against each component

Workfactor

The time, effort, and resources needed for an attacker to successfully achieve their objective. The intensity of the workfactor should match the criticality and/or sensitivity of the asset you are protecting. Workfactor is a powerful offensive weapon and can be used to dissuade all but the most motivated of adversaries. Due to attack tools and techniques constantly evolving, assessing workfactor should be an iterative process.

Sequential Project Models

The traditional software development models are structurally linear (sequential). - The 'Waterfall' model requires that each phase must be completed before moving on to the next phase. - The 'V-model' emphasizes 'verification and validation' at each phase and testing to take place throughout the project

Evidence-based knowledge about a threat

Threat Intelligence

This process is used to anticipate threats

Threat modeling

Business Impact Analysis Objective

To identify the impact of a disruption on mission-Essential services, systems, and infrastructure. Essential means that the absence of or disruption of services would result in significant, irrecoverable, or irreparable harm to the organization, employees, business partners, constituents, community, or country.

This protection approach replaces sensitive data with non sensitive substitutes

Tokenization

Decision States

True Positive - Normal activity is correctly identified
False Positive - Normal activity is incorrectly identified as abnormal
True Negative - Abnormal activity is correctly identified
False Negative - Abnormal activity is incorrectly identified as normal

Cyber Attack Impact

Unauthorized access to or theft of data, which is a violation of 'confidentiality' Modification of data, which is a violation of 'integrity' Inaccessibility of data or disruption of service which is a violation of 'availability'

Wiretap Act

Unauthorized interception of digital communications.

Audit opinion rendered when the auditor does not have any significant reservations

Unqualified opinion

Quality & Performance Testing

Use Case (Positive) - Determine if the application works as expected under normal operating conditions
Misuse Case (Negative) - Determine if the application can gracefully (and securely) handle invalid input or unexpected behavior
Load Testing - Performance in normal and peak conditions
Volume Testing - Impact of incremental volume of records (not users)
Stress Testing - Performance with an abnormal number of users or simultaneous operations
Synthetic Transactions - Recorded actions that emulate a specific interaction which are used to measure availability and response time

Malware Use Cases

Use Cases include using malware to: - Facilitate extortion schemes (ransomware) - Weaponize computers and devices - Collect authentication credentials - Exfiltrate data and intellectual property (IP) - Distribute SPAM, porn, and other illegal materials - Carry out information warfare or sabotage

Direct Attached Storage (DAS)

Use of one or more locally attached (internal or external) disks

Facilitated Risk Analysis Process (FRAP)

Used to analyze one system at a time. Stresses prescreening activities

Privacy Violations

Violation of privacy principles and regulations

Mechanism to pool storage resources so they appear to be one unit

Virtual Storage

Term applied to a situation where a virtual machine and the host operating system interact

Virtual machine escape

Technology that creates multiple environments from a single physical host

Virtualization

OWASP 2017 #2 Broken Authentication

Vulnerability - Broken Authentication Description - The attacker uses flaws in the authentication or session management functions to impersonate users. Privileged accounts are frequently targeted Flaw - Weak authentication and session management controls Impact - Can result in user session hijacking, redirection to malware distribution site, or bypassing access controls Mitigation: -Do not use default credentials -Do not expose session IDs -Store password using a hash function -Implement weak password checks -Harden credential recovery and API pathways -Implement multi-factor authentication -Log authentication failure / configure alerts

Automated tools used to look for vulnerabilities and exposures

Vulnerability scanner

Data Deletion

When a file is deleted, the corresponding entry in the Master File Table (MFT) is removed and the MFT entry is marked as ready to be re-used. The data for the file is separate from the MFT entry. -The original file remains intact until the space is used and the original file is overwritten. Potentially, all or part of the deleted file and/or MFT entry can be recovered. -'Data remanence' is the residual representation of digital data that remains even after attempts have been made to delete or erase the data.

Whitelist / Blacklist

Whitelisting enforces the zero trust principle of 'deny all' and allow only what's necessary. - Enforcement via a list of "allowed" entities (e.g. applications, IP addresses, URLs, email senders) Blacklisting enforces the convenience principle of 'allow all' and restrict only what is harmful - Enforcement via a list of "restricted or denied" entities (e.g. applications, IP addresses, URLs, email senders)

Wireless Network Configurations

Wireless Personal Area Network (WPAN) (aka Bluetooth) - 802.15 standard. Interconnects devices within a limited range (e.g. keyboard) Wireless Local Area Network (WLAN) - 802.11 standard Wireless Metropolitan Area Network (WMAN) - 802.16 standard Wireless Wide Area Network (WWAN) - Point-to-point microwave links

OSI Model

HOST LAYERS
Application - Network process to application
Presentation - Data Representation and Encryption
Session - Interhost Communication
Transport - End-to-End Connections and Reliability
MEDIA LAYERS
Network - Path Determination and IP (Logical Addressing)
Data Link - MAC and LLC (Physical Addressing)
Physical - Media, Signal, and Binary Transmissions

The AES algorithm requires this number of keys to encrypt and decrypt a message block 1: 1 2: 3 3: 4 4: 2

1: 1

ISCM Process

1: Define 2: Establish 3: Implement 4: Analyze/report 5: Respond 6: Review/Update

The objective of which type of forensic investigation is to provide a 'preponderance of evidence' 1: Customary 2: Compliance 3: Civil 4: Criminal

3: Civil

The firewall rule "DENY ANY ANY ANY ANY" should be where in the rule set sequence? 1: After all ALLOW statements 2: At the beginning 3: Doesn't matter where 4: At the end

4: At the end

Supporting Activities (Five A's)

Accountability, Authentication, Authorization, Accounting, Assurance

Assurance

Assurance is the processes we use to develop confidence that our security measures are working as intended.

Framework for designing, establishing, implementing, maintaining, and monitoring an information security program

ISMS Information Security Management System

Board of Directors Duties

Promoting effective governance Determining organizational risk tolerance Contributing to and authorizing strategic plans Allocating funds Approving policies and significant projects Ensuring appropriate monitoring Ensuring compliance with laws, regulations and contracts Reviewing audit and examination results Honoring the legal constructs of due diligence and due care.

Internal Audit

Responsible for ensuring that management has established a framework of specific internal controls commensurate with risk, regulation, and Board directives

Compliance Officer

Responsible for identification of and ensuring compliance with applicable statutory, regulatory, and contractual requirements.

Custodians

Responsible for implementing, managing, and monitoring controls.

Custodians

Responsible for implementing, managing, and monitoring the protection mechanisms based on what the Owners have told them.

Users

Responsible for treating data and interacting with information systems in accordance with organizational policy and standards.

The term used to describe the responsibility of leadership to determine, articulate, authorize, and fund the desired state of security.

Security Governance

Confidence that the system will act in a correct and predictable manner in every situation

Trustworthy Computing

The outcome when investments in support of business objectives are optimized

Value Delivery

The final step of an exercise or test

After action Report

NIST SP 800-30

Federal government standard. Used extensively in the private sector

This examination is an independent review of functionality and effectiveness

Application audit

Media hash

Fingerprint

Number of possible key combinations

Key space

Organization that defined SCAP requirements

NIST

IDS that measures magnetic field

Proximity IDS

The process of verifying an identity (e.g. passport)

Registration

Mobile Scope

-Variety of endpoints including tablets, smartphones, laptops, and emerging technologies such as wearables -Variety of platforms such as Windows, Apple iOS, and Android and associated security models -Variety of applications including rich content websites using Flash and JavaScript -Variety of transmission methods including wired, wireless, cellular, Bluetooth, RFID, and NFC -Variety of locations -- wherever the user is

Process used to develop confidence that security measures are working as intended.

Assurance

What can not happen if the only Kerberos server in a network fails

Authentication

Aggregate of standards for a specific grouping

Baseline

When two different hash inputs produce the same hash output

Collision

Information assets are generally classified by this attribute

Content

The desired result or purpose to be achieved by implementing the control

Control Objective

A network segment within a trusted segment

Enclave

Voluntary cybersecurity framework designed specifically for the healthcare sector

HITRUST

Unique fixed length representation of data

Hash/Fingerprint/Message Digest

Objective of the Clark-Wilson model

Integrity

Notice to preserve all forms of relevant information

Legal hold

The acronym for open source intelligence

OSINT

Sniffing Attacks

Replay - Capturing and reusing packets - Reusing authentication data/credentials - Replaying the packet over and over causing a denial of service IV Attack - Capturing weak initialization vector (IV) - Knowledge of the IV can be used to decrypt data packets RFID Eavesdropping - Intercepting communication between RFID Tags and Readers - Interception, manipulation, and reuse of data

Permanent withdrawal of trust by issuing authority before scheduled expiration date

Revocation

Document that details the parameters of an assessment

Rules of Engagement (ROE)

Automation tool that offers real time data capture and analysis

SIEM

Digital Forensics Investigation Process

1: Evidence Collection 2: Data Acquisition 3: File Recovery 4: Examination 5: Analysis and Reporting 6: Testifying (if necessary) 7: Archiving

Which metric represents a high point in user frustration? 1: False Reject Rate (FRR) Type 1 Errors 2: False Accept Rate (FAR) Type 2 Errors 3: Crossover Error Rate (CER)

1: False Reject Rate (FRR) Type 1 Errors

The process of analyzing data with tools that look for trends and correlations. 1: Data warehousing 2: Data mining 3: Inference 4: Aggregation

2: Data mining

Mathematical expression used for exposure factor (EF)

% Percentage

ANT

'ANT' is a proprietary (but open access) multicast wireless sensor network technology designed for Internet of Things (IoT) -ANT is primarily incorporated into sports and fitness sensors (wearables) -The transceivers/receivers are embedded in equipment such as heart rate monitors, watches, cycling power meters, cadence meters, and distance and speed monitors monitoring a user's performance (e.g. Fitbit) -Range is approximately 30 meters -Security concerns: eavesdropping, interception, impersonation and location identification

Auditing Controls

'Assurance' is the process we use to develop confidence that our security measures are working as intended. Audit methodologies include: - COBIT - SSAE 18 - Commercial/proprietary 'Audit fieldwork' generally includes proof that the control is working as intended. 'Audit reports' generally include findings and recommendations

Availability and Resiliency

'Availability' is a measure of a system's uptime -- the percentage of time that a system is actually operational and providing its intended service - For example, "five nines" means the device should be up 99.999% of the time and experience no more than 5.26 minutes of downtime per year 'Resiliency' is the capability to continue operating even when there has been a disruption or abnormal operating conditions

Denial of Service Attacks to Know

'DoS' --Transmitting malformed packets or unusual requests - Shutting down a specific service or resource 'DDoS' --Massive volume of service requests from multiple sources, often "bots" configured in a botnet - Shutting down a resource and/or denying service to legitimate users - Causing downstream degradation and/or malfunction of compromised "bots"

Hijacking - Web Specific Attacks to Know

'Domain Hijacking' --Unauthorized modification of a domain name registration - Using a legitimate website for malicious purposes 'URL Squatting' --Registering or using an Internet domain name with bad faith. Intent to profit from the goodwill or a trademark belonging to someone else - Directing users to fraudulent sites 'Typo Squatting' --Taking advantage of common typos to create fraudulent websites - e.g. gooogle.com - Redirecting users to malicious sites often to steal credentials or obtain personal information 'Clickjacking' --Tricking a user into clicking on a button, picture, or link - Redirecting users to a malicious site to download malicious code

Assessment Methodologies

'Examination (E)' is the process of interviewing, reviewing, inspecting, studying, and observing to facilitate understanding, comparing to standards or baselines, or to obtain evidence 'Testing (T)' is the process of exercising objects under specified conditions to compare actual and expected behaviors

Hardware Encryption

'Full disk encryption (FDE) / self-encrypting drives (SED)' is a hardware-based mechanism for automatically encrypting all data written to the magnetic media. -Factory set encryption (circuit built into the disk drive controller chip) -Drive powers up locked -Key is never present in memory -Transparent to the user with the exception of required boot-up password -Does not affect performance -Use case: Securing data at rest

Incident Management Governance

'Policy' - Definition of security incident and related terms, Roles and responsibilities, Prioritization or severity rating, Performance measurements, Reporting structure. 'Plan' - Strategies, Organizational approach, Assigned roles and responsibilities, Reporting mechanisms, Incident handling and escalation roadmap, Contracts, Contact information 'Procedures' - Technical process, Techniques, Checklists, Forms

SETA Maturity Model (Developing Security and Awareness Programs)

-Non-Existent -Compliance Focused -Promoting Awareness & Behavior Change -Long Term Sustainment & Culture Change -Metrics Framework

Framework components generally include:

-Policies that assign risk management roles, responsibilities, authorities, parameters, reporting structure, and monitoring criteria. -Standards that address assessment methodology, inclusion criteria, and frequency -Project plan that includes scope, schedule, and resource allocation

Business Continuity Planning Phases

-Project Initiation and Assessments -Business Impact Analysis -Threat Analysis -Strategy Development -Plan Development -Execution / Procurement -Training -Testing -Auditing -Monitoring -Maintenance Review & Update

Confidentiality / Non-disclosure Agreement (NDA)

-Protects data from unauthorized disclosure -Establish data ownership -Protect information from disclosure -Prevent forfeiture of patent rights -Define handling standards including disposal

Configuration Management Process

-Research/Plan -Approve Baseline Configuration -Assign CM Version and Update Library -Implement -Control Changes -Monitor -Report -Repeat

The objective of which software development process is to minimize probability of failure, cost, and risk? 1: Statement Coverage 2: DevOps 3: CMM 4: Agile

2: DevOps

Injection Illustrated (SQL)

1: Application presents a form to the attacker 2: Attacker sends an attack string (SQL query) in the form data 3: Application forwards the attack string to the DB in a SQL query 4: DB runs the query and sends the results back to the application 5: Application sends results to the attacker

This data protection control can be used to enforce "copy and paste" restrictions 1: DLP 2: FDE 3: DEP 4: ACL

1: DLP

Place the ISCM iterative process in the right order 1: Review/Update 2: Analyse/Report 3: Establish 4: Repeat 5: Define 6: Respond 7: Implement

1: Define 2: Establish 3: Implement 4: Analyse/Report 5: Respond 6: Review/Update 7: Repeat

Quantitative Risk Assessment Process

1: Determine Asset Value (AV) 2: Determine Exposure Factor (EF) 3: Calculate Single Loss Expectancy (SLE) 4: Determine Annual Rate of Occurrence (ARO) 5: Calculate Annualized Loss Expectancy (ALE) 6: Identify Mitigation Controls 7: Calculate the ALE with Mitigating Controls (ALE2) 8: Cost/Benefit Analysis (CBA)

Risk Assessment Workflow

1: Determine the risk assessment approach (quantitative, qualitative, hybrid) 2: Identify the inherent risk based on relevant threats and related vulnerabilities 3: Assess the impact if the threat source was successful 4: Identify applicable controls and their effectiveness 5: Assess the likelihood of occurrence, taking into consideration the control environment 6: Determine the level of residual risk

This situation is described as a person taking an action that they would not normally do due to a threat of harm 1: Duress 2: Collusion 3: Social engineering 4: Fraud

1: Duress

This data access control is often cited in regulations and may provide "safe harbor" 1: Encryption 2: Logging 3: Capabilities tables 4: ACL

1: Encryption

Match the regulation and its constituents Regulations: 1: GLBA 2: HIPAA 3: COPPA 4: FISMA 5: GDPR Constituents: 1: Minors 2: Patients 3: Federal Agencies 4: Financial services customers 5: EU citizens

1: GLBA - Financial services customers 2: HIPAA - Patients 3: COPPA - Minors 4: FISMA - Federal agencies 5: GDPR - EU citizens

Arrange the following Incident Response phases in the correct order Resumption Containment Recovery Identification Eradication

1: Identification 2: Containment 3: Eradication 4: Recovery 5: Resumption

Audit Workflow (Auditor Perspective)

1: Identify the Audit Objective (purpose) 2: Establish work paper documentation 3: Determine audit procedures including data collection and testing 4: Collect and evaluate evidence 5: Analyze evidence and prepare report 6: Discuss with Management. Gain agreement whenever possible 7: Present Audit report to the Audit Committee or equivalent

Which of the following is a true statement? 1: If a lower level security model fails, the security of the system cannot be relied upon 2: The non-interference and the information flow models only support single level security 3: State machine model incorporates both secure and insecure states 4: Foundational security models are irrelevant as long as relationship level security models are working

1: If a lower level security model fails, the security of the system cannot be relied upon

Kerberos Process

1: Initial CHAP-based authentication between the user and the Kerberos Server 2: The Kerberos Ticket Granting Service (TGS) generates a Ticket Granting Ticket (TGT) Access Token 3: The TGT Access Token is provided to the user. The TGT is protected using symmetric key cryptography 4: When the user attempts to access a trusted resource, the user sends a copy of the TGT back to the KDC with details of the request 5: The KDC validates the TGT and generates a limited lifetime Session Ticket. The KDC sends the Session Ticket back to the user 6: The Session Ticket has 2 encrypted halves (one for the user and one for the resource) containing authentication details and symmetric session key 7: The user decrypts his half of the session ticket, writes (again) the details of resource request, encrypts it with the session key, and sends the session ticket to the resource server 8: The resource server decrypts its half of the ticket, verifies the details of the request, and uses the decrypted session key to decrypt the user request. If matching, the user is authenticated to the resource server 9: Using the session key, the resource server encrypts a portion of the user's authentication data and sends the encrypted data back to the user 10: If the user can successfully decrypt the message, then the mutual authentication is successful

Which statement best relates to the mobile application flaw "insecure communications"? 1: Insufficient handshaking 2: Session management weakness 3: Misuse of a platform feature 4: Unintended distribution of data

1: Insufficient handshaking

Vulnerability Management Process

1: Inventory 2: CVE Intake 3: Assessment 4: Prioritize 5: Change Control 6: Deploy 7: Verify 8: Monitor

This principle states that systems and devices should be configured to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and services. 1: Least functionality 2: Hardening 3: Least privilege 4: Default deny

1: Least functionality

Which one of these authentication factors is considered "emerging"? 1: Location 2: Biometric 3: Knowledge 4: Possession

1: Location

Which one of the following is not a supply chain security risk? 1: Lower pricing 2: Limited visibility 3: Business failure 4: Non-compliance

1: Lower pricing

Which statement best describes MPLS? 1: MPLS is a protocol-independent transport mechanism 2: MPLS is designed specifically for small networks 3: MPLS is an IP-based protocol 4: MPLS uses labels for both internal and IP routing

1: MPLS is a protocol-independent transport mechanism

Which protocol verifies the status of an extended validation certificate? 1: OCSP 2: CRL 3: OSPF 4: CRC

1: OCSP

Incident Response (IR) Process

1: Preparation 2: Identification 3: Containment 4: Eradication 5: Recovery 6: Lessons Learned *NIST SP 800-61r2 - Computer Security Incident Handling Guide

Why should media evidence hash fingerprints be created? 1: Prove integrity 2: Establish non-repudiation 3: Identify the examination technique 4: Maintain confidentiality

1: Prove integrity

Which type of metadata includes comments, track changes, formulas, and embedded files? 1: Pseudo 2: File system 3: Application 4: Stenographic

1: Pseudo

During the BIA process, a business unit stated that they could not afford to lose more than 30 minutes of data. Which statement best expresses this requirement? 1: RPO=30 2: RTO<30 3: MTO>30 4: MTD=30

1: RPO=30

Which statement below is not true as related to traveling with mobile devices? 1: Report lost or stolen devices upon return 2: Upon return, have the device inspected 3: Do not leave devices unattended 4: Encrypt mobile devices

1: Report lost or stolen devices upon return

Configuration Management Workflow

1: Research | Plan | Update 2: Approve Baseline Config 3: Assign CM Version and Update Library 4: Implement 5: Control Changes | Update Baseline if applicable 6: Monitor

Operating system Kernel and device drivers conceptually execute in this protection ring. 1: Ring 0 2: Ring 2 3: Ring 1 4: Ring 3

1: Ring 0

Risk Management Flowchart

1: Risk Appetite 2: Risk Assessment 3: Risk Treatment 4: Risk Monitoring 5: Repeat the process

Level of risk that an organization is comfortable with in pursuit of its mission. 1: Risk appetite 2: Risk mitigation 3: Risk tolerance 4: Risk variance

1: Risk appetite

This environment should mirror the go-live environment 1: STAGE 2: POST-PROD 3: DEV 4: TEST

1: STAGE

Looking for known malicious instruction sequences is an example of which type of detection? 1: Signature 2: Pattern 3: Behavioral 4: Anomaly

1: Signature

Change Management Process (Normal Changes)

1: Submit Request 2: Evaluate Request 3: Test (if applicable) 4: Identify Rollback Options 5: Approve Requests 6: Document Changes 7: Determine Change Window 8: Implement (Consider separation of duties) 9: Verify 10: Update CM Version (if applicable) 11: Close and Archive Request

Order the data recovery options beginning from the slowest (bottom) to the fastest (top) 1: Incremental tape backup 2: Synchronous replication 3: Electronic vaulting 4: Full tape backup 5: Asynchronous replication

1: Synchronous replication 2: Asynchronous replication 3: Electronic vaulting 4: Full tape backup 5: Incremental tape backup

OAuth 2.0 Process

1: The Application requests authorization to access service resources from the User 2: If the User authorizes the request, the Application receives an authorization grant 3: The Application requests an access token from the Authorization Server (API) by presenting its credentials and the user authorization grant 4: If the Application identity is accepted and the authorization grant is valid, the Authorization Server issues an Access Token to the Application 5: The Application presents the Access Token to the resource from the Resource Server and requests access. If valid, the Resource Server serves the resource to the Application

Which statement is not true about a Hash Message Authentication Code (HMAC)? 1: The input for a HMAC is a concatenated message and asymmetric key 2: Key distribution and knowledge of concatenation is a challenge 3: An HMAC cannot be reproduced without knowing the key 4: An HMAC provides integrity and origin authentication

1: The input for a HMAC is a concatenated message and asymmetric key

The distinguishing feature of this type of intellectual property is that it remains undisclosed. 1: Trade secret 2: Trademark 3: Copyright 4: EULA

1: Trade secret

MS Secure Development Lifecycle

1: Training 2: Security and Privacy Requirements 3: Define Quality Gates / Bug Bars 4: Security and Privacy Risk Assessment 5: Establish Design Requirements 6: Attack Surface Analysis 7: Threat Modeling 8: Development 9: Static Analysis 10: Dynamic Analysis 11: Attack Surface Review 12: Create Incident Response Plan 13: Conduct Final Security Review 14: Certify Release and Archive 15: Response

SAML Process

1: User (Principal) uses a web browser to access a web application and attempts to authenticate 2: The web application Service Provider (SP) requests an assertion from the Identity Provider about the User 3: The Identity Provider (IdP) prompts the User for credentials (single or multifactor) 4: User provides credentials 5: If the User credentials are accepted, the Identity Provider (IdP) submits an assertion (secure token) to the Service Provider (SP) 6: The Service Provider (SP) identifies the authorization level of the user and provides the appropriate level of access

SEI CERT Top 10 Secure Coding Practices

1: Validate input 2: Heed compiler warnings (use the highest warning level available) 3: Architect and design for security policies 4: Keep it simple 5: Default deny 6: Adhere to the principle of least privilege 7: Sanitize data sent to other systems 8: Practice defense in depth 9: Use effective quality assurance techniques 10: Adopt a secure coding standard for your language and platform

Which one of the following project models is linear? 1: Waterfall 2: RAD 3: Spiral 4: Agile

1: Waterfall

Business Intelligence Questions

1: What happened? 2: What is happening? 3: Why did it happen? 4: What will happen? 5: What do we want to happen?

This is the time, effort and resources needed for an attacker to successfully achieve their objective. 1: Workfactor 2: Investment 3: Resiliency 4: Motivation

1: Workfactor

Adherence to the (ISC)2 Code of Ethics is a condition of certification. This group makes the final decision on ethics violations and decertification 1: (ISC)2 CEO 2: (ISC)2 Board of Directors 3: (ISC)2 Certification Board 4: (ISC)2 Ethics Committee

2: (ISC)2 Board of Directors

This wireless network specification details security mechanisms 1: WPA2 2: 802.11i 3: 802.15 4: 802.11e

2: 802.11i

This type of embedded system attack makes use of a voltage glitch on the power supply to cause a program malfunction. 1: Memory and bus 2: Active side channel 3: Brownout 4: Injection

2: Active side channel

A computer or network that does not connect to the Internet or any computer or network that connects to the Internet. 1: Enclave 2: Air-gap 3: Clean room 4: Physically isolated

2: Air-gap

Which statement best describes authorization? 1: Authorization is when accountability is maintained 2: Authorization is granting permission to perform a specific action 3: Authorization is when activity is accounted for 4: Authorization is when both subject and object identify themselves

2: Authorization is granting permission to perform a specific action

Which authority issues and revokes digital certificates? 1: Validation Authority (VA) 2: Certification Authority (CA) 3: Issuing Authority (IA) 4: Registration Authority (RA)

2: Certification Authority (CA)

Handling standards are generally organized by ______? 1: Ownership 2: Classification level 3: Location 4: Retention Schedule

2: Classification level

This security evaluation program evaluates products against a protection profile 1: ISO 27001 2: Common Criteria 3: ITSEC 4: TCSEC

2: Common Criteria

Which of the following is not a consideration when evaluating large scale parallel systems such as cloud computing? 1: Distributed management and ownership 2: Common use of outdated operating systems 3: Force multiplier effect 4: Big data aggregation

2: Common use of outdated operating systems

Which statement describes the cryptographic objectives of substitution and transposition? 1: Padding and randomization 2: Confusion and diffusion 3: Secrecy and block chaining 4: Initialization and workfactor

2: Confusion and diffusion

Which of the following most directly influences the choice of data protection controls? 1: Encryption options 2: Data classification 3: Privacy principles 4: Cost

2: Data classification

Which statement about self encrypting drives is true? 1: Performance is degraded 2: Use case is securing data-in-process 3: The key is stored in memory 4: Transparent to user with the exception of boot-up password

4: Transparent to user with the exception of boot-up password

This security component includes support for Secure Boot, network authentication, and universal graphics drivers. 1: BIOS 2: TPM 3: HSM 4: UEFI

4: UEFI

This OECD Privacy Principle states that "personal data should not be disclosed, made available, or otherwise used for purposes other than those specified". 1: Collection limitation 2: Individual participation 3: Data quality 4: Use limitation

4: Use limitation

Workstations being configured to only allow applications that are explicitly given permission to execute is an implementation of this practice 1: Least functionality 2: Default allow 3: Blacklisting 4: Whitelisting

4: Whitelisting

Trusted System

A 'Trusted System' has undergone sufficient benchmark testing, verification, and validation (by an independent third party) to ensure that the product meets the user requirements -'Functionality' is verification that a security control exists and that it works correctly at least once. -'Assurance' is a degree of confidence that the system will act in a correct and predictable manner in every computing situation (trustworthy computing)

Isolated Networks and Clean Room

A 'physically isolated' network is completely disconnected from any other network, period. "Clean room" network/computer is located in a secure room or facility.

Disabling Services

A 'service' is a utility that runs in the background. Disabling unnecessary services minimizes exposure and enhances performance - A service can be configured to start Automatic, Manual, Disabled, or Automatic (Delayed Start) - A service is independent of the logged in user and will continue to run even if there are no logged in users.

Advanced Persistent Threat (APT)

A 'sophisticated' attack in which an attacker gains access to a network and stays there undetected for a long period of time.

Trust Models (Chain of Trust)

A Trust Model defines how users trust other users, organizations, CAs and RAs within the PKI Web of Trust - No central authority. Each user creates and signs their own certificate. Users sign each other's public keys indicating "trust" Third party (Single Authority) Trust - A central third-party Certificate Authority (CA) signs a key and authenticates the owner Hierarchical Model - Extension of third party in which root CAs issue certificates to lower level "intermediate" CAs who can then issue certificates. Trust is inherited. - Offline root CA is one that is isolated from a network and is often kept powered down to prevent compromise. - A Registration Authority (RA) offloads some of the work from the CA. The RA can accept and process registration requests and distribute certificates. - A Local Registration Authority (LRA) requires physical identification

Disk Wiping

A clearing technique that overwrites all addressable storage and indexing locations multiple times. -US DoD 5220.22-M method requires overwriting all addressable storage and indexing locations on the drive three times: with zeros (0x00), complement (0xFF), and random characters; and then verifies all writing procedures. Exception: Solid state drives may require a manufacturer-specific utility

Asset Management

A complete set of activities that focus on the protection, accounting and integrity of infrastructure and physical assets Asset management = classification + inventory + configuration management

Copyrights

A copyright covers the expression of an idea rather than the idea itself (which is protected by a patent). The intent is to protect artistic property such as a writing, recording, or a computer program. The protections are intended to allow the creator to benefit from being credited for the work and to control the distribution, duplication, and use of the work. The copyright protection is weaker than patent protection, but the duration of protection is considerably longer. Copyrights are good for the entire life of the creator +50 to 100 years

Cloud Computing [NIST SP800-145]

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction -Service models (SaaS, PaaS, and IaaS) -Deployment models (private cloud, community cloud, and public cloud) -Security model (CASB, SecaaS)

Network-based IDS/IPS

A network-based IDS (NIDS) analyzes and reports on network traffic. A network-based IPS (NIPS) can take responsive action. A network IDS/NIPS can be situated out-of-band or in-band - Out-of-band placement utilizes a passive tap that receives a copy of the network traffic and can process samples. Generally, NIDS will be out-of-band - In-band (inline) placement is directly in the flow of traffic and must process (inspect) every packet. Generally, NIPS will be in-band

Remote Authentication Dial-in User Service (RADIUS)

A networking protocol that provides centralized AAA management services. - RADIUS became an IETF Internet Standard in 1997. - RADIUS does not separate authentication and authorization transactions - RADIUS is used mainly for network access (e.g. ISP, wireless 802.1x, remote) - RADIUS reporting includes who joined the network, how they authenticated, how long they were on, and what types of endpoints are on the network

Terminal Access Controller Access Control System (TACACS+)

A networking protocol that provides centralized AAA management services. - TACACS+ was developed by Cisco and is proprietary - TACACS+ does separate authentication and authorization transactions - TACACS+ uses TCP for transport and encrypts the entire packet - TACACS+ is used mainly for device administration (e.g. router, switch)

Key Escrow

A proactive arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

Project Management

A project management framework establishes the scope and boundaries of managing projects and the consistent method to be applied. - The project management approach defines guidelines for processes and deliverables - The project manager provides day to day facilitation and coordination

Retention

A protocol (set of rules) within an organization that dictates types of unaltered data that must be kept and for how long. Data retention strategies must be aligned with business and legal requirements

Proxy Server

A proxy server is an intermediary machine, between a client and a server, which is used to filter or cache requests made by the client. - A proxy server can be single purpose -- supporting one protocol, (e.g. http) or multipurpose -- supporting multiple protocols

Recovery Point Objective (RPO)

Acceptable Data loss. The point in time prior to a disruption or system outage that data can be recovered.

Reverse Proxy

A reverse proxy appears to the client just like an ordinary web server. - The proxy caches all the static answers from the web server and replies to the clients from its cache to reduce the load on the web server - This type of setup is also known as 'Web Server Acceleration'

Security Evaluation Objectives

A security evaluation process assesses products against defined security requirements in a consistent and repeatable manner. Third party labs rely on standard evaluation criteria.

Configuration Management (CM)

A set of activities focused on establishing and maintaining the integrity of systems through control of the processes for initializing, changing, and monitoring the configurations including: -Establishing baselines -Monitoring for anomalies -Controlling configuration changes

Handling standards should be associated with this user facing agreement

Acceptable Use Policy (AUP) Agreement

Control Objective

A statement of desired result or purpose to be achieved by implementing the control. Control objectives may relate to: - Security (confidentiality, integrity, availability) - Privacy - Compliance - Effectiveness - Efficiency

NT Lan Manager (NTLM)

A suite of Microsoft protocols used for authentication. - NTLM uses challenge-response (similar to CHAP) for authentication - Hashed password values are stored on the server 'not salted' and are vulnerable to brute force attacks - NTLM is vulnerable to "Pass-the-Hash" attacks where captured credentials from one machine can be successfully used to gain control of another machine - Microsoft recommends not using NTLM. Kerberos is the preferred authentication method.

Open Source Threat Intelligence (OSINT)

A term used to refer to the data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available resources (as opposed to covert or clandestine sources) www.osintframework.com

Acknowledging the level of risk and not requiring any further treatment

Acceptance

Zero Day

A vulnerability that is previously unknown and does not yet have a fix - The time from when an exploit first becomes active to when the number of vulnerable systems shrink to an insignificant number is known as the 'window of vulnerability (WoV)'

Wireless Access Point

A wireless access point (WAP or AP) bridges wireless and wired IP traffic - An AP acts as a central transmitter and receiver of wireless signals - An AP can either be a stand-alone device or integrated with a router. - Fat (thick) access points have 802.11 security, management, and performance 'standalone' functionality built-in - Thin access points minimize device intelligence and offload configuration features and management to an associated 'controller'.

In this model, complex Boolean rules can be used to evaluate subject and object attributes, operations and environment

ABAC Attribute-based Access Control

Malware Eradication Techniques

AV and Anti-malware software - Disinfection, quarantine, and deletion capabilities
Regedit command - Windows registry editor
Bootrec / fixmbr - Windows boot sector repair utility
Specialized bootable software - E.g. Microsoft Sysinternals Rootkit Revealer, chkrootkit for Linux / OS X
Restoration - Reimage and/or rebuild impacted system
Disposal - Remove, sanitize, and securely dispose of infected device

Malware Detection & Analysis Techniques

AV and anti-malware software - Signatures (DAT files), known characteristics, and behaviors
Post-infection Scanner - Second generation AV (e.g. Malwarebytes)
Log analysis - Use of a SIEM or equivalent
Malware Intelligence - Knowledge of infection characteristics, C&C IP address, or distribution URLs
Malware Verification - Analysis of suspicious files and URLs (e.g. Virustotal)
Reverse Engineering - Process of analyzing and understanding characteristics - Behavioral analysis - Code analysis

Wireless Attack Categories

Access - Authentication exploit - Enables unauthorized or unsolicited access to an end-user device
Spoofing - Impersonating a wireless device - Enables an attacker to act as the trusted source and redirect/manipulate actions
Sniffing - Capturing wireless data packets - Enables an attacker to eavesdrop, manipulate, and/or reuse data packets
Denial of Service - Overwhelming system resources - Enables an attacker to make services unavailable for their intended use

Logging of access and use of information resources

Accounting

Authentication Protocol Overview

Acronym - Protocol name - Service
PAP - Password Authentication Protocol - Authentication
CHAP / MS-CHAP - Challenge Handshake Authentication Protocol / Microsoft Challenge Handshake Authentication Protocol - Authentication
EAP - Extensible Authentication Protocol - Authentication
NTLM - NT Lan Manager - Authentication
RADIUS - Remote Authentication Dial-in User Service - A-A-A
TACACS - Terminal Access Controller Access Control System - A-A-A
Kerberos - Authentication System - Mutual Authentication

The load balancing technique of associating a user's IP address with a single server

Affinity

Inventory Management

Also referred to as inventory control, is a set of policies, standards, and procedures used to maintain optimum inventory levels, track assets, and schedule replacements. Inventory management benefits include: -Tracking (including termination and loss) -Providing context for vulnerability and patch management -Facilitating recovery or replacement

Non-employee Relationships

Also referred to as third parties, include vendors, service providers, business partners, consultants, and contractors. Third-party oversight activities include (but are not limited to): - Conducting a due diligence investigation related to service provider selection and subsequent business activities - Requiring acceptable use and nondisclosure agreements and codifying service relationships - Monitoring the service provider through appropriate audits and tests - Reviewing, on a scheduled basis, adherence to contractual obligations

Alternate Business Process Strategies

Alternate business process strategies assume that normal dependencies (technology, facilities, personnel) may not be available - Alternate locations should be established and appropriate contracts entered into - Cross-trained or outsourced personnel should be identified - Manual processes should be documented - "Notification of delay" communication channel should be documented. Alternate business process strategies must be aligned with the BIA, disaster tolerance, and budget allocation.

Recovery Time Objective (RTO)

Amount of time allocated for System Recovery. Must be less than the maximum amount of time a system resource can be unavailable before there is an unacceptable impact on other system resources or business products.

Incident Mgmt. Plan and Playbook

An 'incident management plan' includes roles and responsibilities, strategies, and procedures for preparing for, responding to, and managing incidents. - An 'incident playbook' is a set of instructions for planning for and responding to specific types of events, attacks, or scenarios. Generally, playbooks are developed for high-risk events (measured in terms of likelihood and impact). For example, malware, DDoS attacks, ransomware, and payment card compromise

Authorization & Access Control

An Access Control Model is a framework that dictates how subjects access objects or how objects access objects. Access control models are built in to operating systems and some applications

Configuration Item (CI)

An aggregation of information system components treated as a single entity throughout the CM process. A configuration item may be: - A specific information system component (e.g. server) - A group of information system components (e.g. all switches) - A noncomponent object (e.g. documentation) - An information system as a whole (network)

OpenID Connect

An identity layer on top of the OAuth 2.0 protocol which facilitates authentication. - OpenID connect verifies the identity of the end user. - The id-token (secure token) includes information about the user. - Can be used by both mobile and static applications

High Availability (HA)

Applies mainly to software failover capability which reduces or eliminates the need to activate redundant hardware. - 'Asymmetric HA' (active/passive) requires primary and standby systems. When a failure occurs, the standby device takes over - 'Symmetric HA' (active/active) requires two primary systems. Each machine monitors the other (heartbeat) and takes over when a failure occurs

Asymmetric Encryption - Two Keys

Asymmetric means two 'different but related keys' are used. - Known as a key pair (M1, M2) - One key is used to encrypt; the other is used to decrypt - The key pairs are commonly referred to as a 'private key' and a 'public key' -Asymmetric encryption is computationally intensive

The three states of data

At rest, in process, and in transit

Three states of data

At rest, in use, and in transit

All of the points where an attacker can try to enter or extract data from

Attack Surface

Targeted Attack

Attacker chooses a target for a specific objective.

Audit Conclusion

Auditing standards require that sufficient, relevant, and reliable evidence is obtained to support audit conclusions and opinions - An audit examination report can also include a disclaimer that the auditor was not able to render an opinion due to named circumstances

Disabling Default Accounts

Are accounts that are created by the operating system or application. Well known default accounts are vulnerable to exploitation. - Review default accounts (e.g. admin, guest, SA, service accounts). - If the account is required, create an account with equivalent privileges and disable the original account. If it is not possible to create an equivalent account, then rename the original and change the default password - If the account is not required, disable (delete if possible) the account

Key Performance Indicators (KPIs)

Are business metrics used by management. - Effective KPIs focus on the business processes and functions that management sees as most important for measuring progress toward meeting strategic goals and performance targets

Audit and Event Logs

Are chronological records of events and actions - Critical log sources include firewalls, IDS/IPS devices, proxy servers, authentication servers and devices, OSs, and key applications

Audit and Event Log Control Objective

Audit logs are both a near-time and historical detective control - Routine log analysis is beneficial for monitoring access, identifying security incidents, policy violations, fraudulent activity, and operational issues. - Logs are critical components of internal investigations and forensic analysis

High level description of audit work to be performed

Audit plan

Cloud Access Security Brokers (CASBs)

Are security policy points (software or appliance) placed between "the cloud" and enterprise users. -Security policies are interjected as cloud-based resources are accessed. For example, authentication, encryption, visibility, and DLP -Provides control over 'shadow IT' applications -Shadow IT is used to describe the use of IT solutions that are managed outside of and without the knowledge of the IT department -CASBs proxy traffic and use auto discovery to identify cloud applications

Functional Roles

Are tactical and relate to specific datasets, information systems, assets or processes. - Owners - Custodians - Users

SETA program objective for end users

Awareness

Containers

Are the products of operating system virtualization without a hypervisor. - Containers provide a lightweight virtual environment (instances) - OS containers are virtual environments that share the kernel of the host operating system but provide user space isolation - Application containers are virtual environments that share the kernel of the host operating system designed to package and run a single service

Asset Ownership Responsibilities

Asset (system, data, resource) ownership responsibilities include: -Defining the asset -Assigning value (AV) -Classifying the asset -Confirming the level of protection required -Authorizing access rights and permissions -Authorizing disclosure -Ongoing governance

This is the term used to describe the objective of developing confidence that security measures are working as intended. 1: Accounting 2: Trustworthy Computing 3: Assurance 4: Integrity

Assurance

API Security

Application programming interfaces (APIs) are connectors that allow applications and devices to work together. - Use strong API authentication options (e.g. OAuth 2.0 w/TLS) - Use encryption whenever possible - Use a framework or existing vetted library to implement security solutions

Regression Testing

Application testing that ensures that a change (e.g. patch, update, configuration modification) does not introduce a fault or vulnerability that would impact performance, functionality, security, or interaction. - A 'fault' is a failure, incorrect process, defect, or error

This software controlled failover requires primary and standby systems. When a failure occurs, the standby device takes over

Asymmetric High Availability (Active/Passive)

TCP/IP Model

Application - (Protocol Suite) HTTP, FTP, SMTP, DNS, RIP, SNMP
Transport - (Protocol Suite) TCP, UDP
Internet - (Protocol Suite) ARP, IP, IGMP, ICMP
Link - (Protocol Suite) Ethernet, Token Ring, Frame Relay, ATM

Application & Content Management

Application Mgt - Control application installation (APP Catalogue) - Enforce user permission required to install and/or update APPs - Automate transparent downloads and uploads
Content Mgt - Control access to business content - Enforce user permissions required to access / annotate content - Automatically push files to device
Push Notification - Control push notifications - Push notifications are pop-up alerts or customized messages
Remote Wipe - Clean the device - Command sent to a remote device to delete selected content - Reset to factory setting

Audit Evidence

Auditing standards require that sufficient, relevant and reliable evidence is obtained to support audit conclusions and opinions. - "Audit evidence is all the information, whether obtained from audit procedures or other sources, that is used by the auditor in arriving at the conclusions on which the auditor's opinion is based" - The amount of evidence collected is directly related to the purpose, objective, and scope of an audit

Auditor Professionals

Audits should be conducted by qualified audit professionals. It is the responsibility of the auditor to: - Adhere to professional standards - Be fair, competent, and accurate - Understand the audit target environment - Report any conflict of interest or independence

Authentication

Authentication is the positive identification of a person or system who is seeking access to information or to a system.

Provisioning Lifecycle Phase 2

Authorization, Assignment of rights and permissions, User training - Authorization is granted by data/resource owner - Rights and permissions are assigned by the data/resource custodian - User receives initial and ongoing training (SETA)

Match the MDM control category and control type
Categories: Auto wipe, Geofencing, Containerization, Push notification
Controls: - Data protection - Application and content management - Device tracking - Authentication

Auto wipe - Authentication
Geofencing - Device tracking
Containerization - Data protection
Push notification - Application and content management

Vulnerability Scanning

Automated tools that scan devices, OSs, applications, databases, and so on to look for known vulnerabilities and exposures. - Commercial and open source tools are available - Two modes: 'Unauthenticated' and 'authenticated' - CVE knowledgebase must be maintained

Sending unsolicited messages via Bluetooth

Bluejacking

The term used to describe mobile devices used in the workplace that are personally owned

BYOD Bring Your Own Device

Investigative report that may include employment and educational history, credit check, workers compensation claims, and criminal record

Background check

Backup Media Storage

Backup media should be secured in accordance with its classification and handling standards. The following should be considered: - Location (on-site/off-site) - Distance - Accessibility - Environmental controls - Physical security - Logical security

Sampling Rules of Thumb

Based on professional judgement - Low risk targets generally require a small sample - High risk targets generally require a large sample or complete check - Strong controls generally require a small sample. - Weak controls generally expand sample size

Set of specifications for a configuration item

Baseline

A set of agreed upon specifications for a configuration item

Baseline Configuration (BC)

This configuration management element should be updated if the change applies to all current and future systems

Baseline Configuration (BC)

Aggregate of standards for a specific category or grouping

Baselines

Model that states no read up and no write down

Bell-LaPadula

This type of metric is intended to help an organization compare themselves to peers

Benchmark

Access Attack

Bluejacking - Bluetooth Discovery - Enables an attacker to send an unsolicited/unwanted message to a Bluetooth device
Bluesnarfing - Bluetooth Authentication - Discovering and connecting to a Bluetooth device with weak or non-existent authentication requirements
Blueborne - Device takeover - Exploits protocol weakness
NFC (Near Field Communication) Bump - Enables an NFC-enabled attacker to connect to an NFC device by being in close enough range

Unauthorized device access by exploiting a Bluetooth pairing option

Bluesnarfing

This model is designed to defend against conflict of interest

Brewer-Nash

A wireless access point is this type of connectivity device

Bridge

Bridge

Bridges are OSI Layer 2 two port (input and output) devices that connect LANs using the same protocol. - Bridges filter traffic based on MAC address, amplify signals, and can be used to connect dissimilar media - Wireless access points are bridges for wireless and wired IP traffic

Key Attacks

Brute Force - Every possible key is tested (online/offline)
Dictionary - List of known keys tested
Frequency - Looking for patterns to reveal the key
Replay - Attacker tries to reuse a cryptographic transmission

This vulnerability allows an attacker to write to non-allocated system memory

Buffer Overflow

Writing excess data into system memory

Buffer Overflow

Memory / Buffer Vulnerabilities

Buffer Overflow - Overrunning the memory allocated (buffer) for data input and writing the excess data into non-allocated system memory - Impact - The excess data can contain instructions that the processor will execute
Memory Leak - Failure of an OS or program to free up dynamically requested memory - Impact - Slow response time (sluggishness). Denial of Service
Memory or Code Reuse - Repurpose existing executable code toward malicious purposes - Impact - Elevated privileges

This attack can occur if two NFC devices are in close enough range

Bumping

This type of plan describes the overall strategy for sustaining the business

Business Continuity Plan (BCP)

This process precedes the development of a Business Continuity Plan

Business Impact Analysis (BIA)

Used to support decision making through data-driven insight

Business Intelligence (BI)

Business Alignment

Business alignment mandates that secure design principles are supported throughout the entire organization and incorporates various viewpoints. Business alignment frameworks include: -Zachman Framework -Sherwood Applied Business Security Architecture

This wireless security protocol has been broken and is considered insecure

WEP

This wireless network configuration is based on the 802.11 standard

WLAN

This block cipher mode includes an initialization vector and a component of the previous block ciphertext

CBC Cipher Block Chaining

In this model, content is served using both dedicated and peer computers

CDN Hybrid Mode Content Distribution Network

The term used to describe company issued mobile devices to be used only for business purposes

COBO Company-owned Business Only

The term used to describe a company-owned mobile device that can be used for both professional and personal use

COPE Company-owned Personal Enabled

US regulation that governs the online collection and data use for minors under 13

COPPA Children's Online Privacy Protection Act

The premise of this philosophy is that the proper design and effective use of the physical environment can lead to a reduction in the incidence and fear of crime

CPTED

CPTED Constructs

CPTED relies on psychological and sociological responses - People protect territory they feel is their own, and people have a certain respect for the territory of others. - Intruders do not want to be seen - Limiting access discourages intruders and/or marks them as intruders

This vulnerability is used to execute malicious code on a site by exploiting the trust relationship between a browser and the site

CSRF/XSRF

Well-known database of vulnerabilities and exposures

CVE

The term used to describe giving users a choice of company owned devices for professional use only

CYOD Choose Your Own Device

In this architecture, the processing is distributed between servers and endpoints

Client/Server

Removable Media

Can pose a significant threat to confidentiality and has been the source of numerous data breaches. Best practices include: - Removable media should always be encrypted - Users should be trained in the proper use of removable media including incident reporting for lost, stolen, or misplaced devices. - Removable media used for backup or archival purposes should be catalogued and movement logged - Controls should be implemented to prohibit use of unauthorized media including restricting USB and other external ports

This methodology is used to assess, develop, and refine a process

Capabilities Maturity Model (CMM)

Certificate Expiration and Renewal

Certificate expiration dates are determined at time of issuance. - Renewal is the responsibility of the owner. If renewal doesn't happen, the certificate becomes invalid. - Renewal options include maintaining the same key pair or generating new keys - The longer keys are in service, the more vulnerable they become.

The process of ensuring that a system meets specific standards

Certification

CHAP and MS-CHAP

Challenge Handshake Authentication Protocol (CHAP) relies on challenge text and a hashing algorithm. - Authentication is initialized by the server and can be performed repeatedly throughout the session - Server sends a random string of characters (challenge text). The user appends the string to their password, hashes the result, and sends it to the server. The server applies the same function. If the results match, the user is authenticated. - MS-CHAP is Microsoft's version of CHAP that extends functionality for Microsoft networks.

Classification Schemas

Classification schemas vary by sector. Government and military classification schemes include: -US Federal government classification system (FIPS 199) -Military and national security classification (systems and information). Classification schemes are discretionary for the private sector

Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel

Clean desk

Structured development approach used for applications that are subject to strict certifications requirements

Cleanroom

Bootable exact copy of a drive

Clone

File Recovery

Cluster - Fixed length blocks of disk space. Documented in a File Allocation Table or equivalent
Slack space - Spaces between the end of a file and the end of the cluster. Slack space can contain data from RAM or segments of deleted files
Unallocated space - Clusters that are not allocated to a file. Clusters can contain deleted file fragments. 'Carving' is the process by which deleted files or fragments are recovered
Metadata - Data about data - file system, application, pseudo

Alternate Locations & Processing Sites

Cold Site - Has basic HVAC and power infrastructure; no server-related or communications equipment
Mobile Site - Is a transportable modular unit. The delivery site must provide access roads, water, waste disposal, power, and connectivity
Warm Site - Has an HVAC, server, and communications infrastructure and equipment. Systems might need to be configured. Data needs to be restored.
Hot Site - Has an HVAC, servers, and communications infrastructure and equipment. Systems are preconfigured. Data is generally near-time
Mirrored Site - Is fully redundant with real-time replication from production site. Can assume processing with virtually no interruption
Reciprocal Site - Is based on an agreement to have access to/use of another organization's facilities

Frequency

Collection, assessment, and monitoring frequency are influenced by a number of static and dynamic factors and events including: - Security control volatility - System categorization and classification - Security controls with identified weaknesses - Organizational risk tolerance - Threat information - Vulnerability information - Results of testing and examinations - Change triggers

Hash Attacks

Collision - Using a mathematical technique to force two inputs into producing the same hash value. - The hash method used cannot be relied on anymore to identify different data.
Birthday - Exploits the mathematics behind the birthday problem in probability theory to cause a collision
Pass-the-Hash - Using captured hashed credentials from one machine to successfully gain control of another machine.

Primary objective of data labeling

Communicate classification level

Alternate control designed to accomplish the intent of the original control

Compensating

This type of audit compares the control environment to established policies, standards, or rules

Compliance Audit

IPsec Components

Component - Function
Authentication Header (AH) - Integrity, Origin Authentication, Replay Attack Protection (HMAC)
Encapsulating Security Payload (ESP) - Integrity, Origin Authentication, Replay Attack Protection, and Confidentiality (HMAC & Symmetric Encryption)
Internet Key Exchange (IKE) - Device authentication and establishing Security Association
Security Association (SA) - A negotiation that includes the algorithms that will be used (hashing and encryption), key length, and key information
Security Parameter Index (SPI) - Security Association Identifier

Term used to describe commonly used suite of development tools

Computer-aided Software Engineering (CASE)

Personnel Agreements

Confidentiality / Non-disclosure Agreement (NDA) Acceptable Use Policy (AUP) Agreement

An aggregation of elements treated as a single configuration management entity

Configuration Item (CI)

Data Protection

Containerization - Use of a secure virtual container. - Used to segregate "high risk" applications (e.g. email, browser) and confidential data
Storage Segmentation - Segmenting personal and corporate data - Enforcing different access and encryption policies based on folder and storage location (internal v. removable)
Full Device Encryption - Requiring the entire device to be encrypted including removable media
DLP - Enforces DLP policies - Control what applications can be used to open ("open-in") files - Copy and paste restrictions

This wireless security protocol uses AES for encryption

WPA2

Logging and Monitoring

Continuous logging, analysis, and monitoring can uncover security weaknesses that may not have been apparent or may have gone unreported - In addition, configuration changes are recorded and can be checked to ensure that they were authorized and that they do not introduce security issues

In an SSAE18 SOC2 audit, the target organization chooses the TSP categories but cannot specify these

Controls

Layered Security

Controls are typically applied in multiple layers because no one control can protect an asset from every type of threat. - This architecture is referred to as defense-in-depth or layered security

Technical (Logical)

Controls provided through the use of technology and/or a digital device. Example: Encryption, ACLs, firewall rules, anti-virus software, biometric authentication

Administrative (Managerial)

Controls relating to oversight, laws, rules, regulations, and policies. Example: Policies, procedures, training, audits, compliance reporting

Physical

Controls that can have a material structure (seen, heard, touched). Example: Gate, alarm, guard, barricade, door, lock, CCTV, ID card

This type of lock has a key controlled cylinder

Conventional

EU regulation that requires website inform and consent actions

Cookie Law

The anticipated relationship between the testing team and target personnel in a white box penetration test

Cooperative

This intellectual property mechanism is designed to protect the expression of an idea

Copyright

Type of Investigations

Criminal / Civil / Internal
Basis - Law must be broken / Contract violation or dispute / Incident
Intent - Intent required / Intentional or accidental / Intentional or accidental
Burden of Proof - Beyond a reasonable doubt / Preponderance of evidence / N/A
Litigation - Government / Individuals or companies / Administrative
Investigation - Assist law enforcement to obtain evidence / Provide evidence of wrongdoing or damage / Prove/disprove event and/or impact

One of the objectives of this plan is to minimize rumors and misinformation

Crisis Communication Plan

This category of patch fixes significant non-security related bugs that can impact performance or cause a malfunction

Critical Update

This type of plan includes procedures for mitigating a cyber attack

Cyber Incident Response Plan (CIRP)

Patents

Designed to protect an invention. The invention must be novel, not obvious, and provide some utility. A patentable invention must be something that can be produced. For all participating members of the World Trade Organization (WTO), a patent is good for 20 years.

In a firewall ACL, this refers to where the traffic is going to

Destination

Data Warehousing

Data warehousing combines data from multiple sources into a large database with the purpose of extensive retrieval and trend analysis.

The function of this type of control is identification

Detective

This type of control identifies and reports a threat agent, action, or incident

Detective

DLP Endpoint Port Blocking

DLP solutions can be used to identify and control end-point ports as well as block access to removable media. -Identify removable devices / media connected to your network by type (e.g., USB thumb drive, CD burner, smart phone), manufacturer model number, and MAC address -Control and manage removable devices through endpoint ports, including USB, FireWire, Wi-Fi, Modem / Network NIC, and Bluetooth -Require encryption, limit file types, limit file size -Provide detailed forensics on device usage and data transfer by person, time, file type, and amount

The US law that makes it illegal to create products that circumvent copyright protections

DMCA Digital Millennium Copyright Act

Open standards protocol used in process automation environments

DNP3 Distributed Network Protocol

Algorithm that is the US government standard for digital signatures

DSA Digital Signature Algorithm

"At a glance" data visualization tool

Dashboard

Data Center Considerations

Data centers (and equivalent) should be strategically located and whenever possible: - Located in the center of a facility with no external windows or doors - Located on floors other than the basement, first floor, and top floor - Full walls extended from floor to ceiling - Nonpartitioned ceiling

Data Protection -- Obfuscation

Data obfuscation is the act of making a data set difficult to find or understand. 'Data Abstraction' is the concept of separating interface and implementation. 'Data hiding' is when known data is not accessible to certain processes or users. 'Steganography' is the practice of concealing a file within another file.

Data Protection Directive / GDPR (EU)

Data protection for all individuals within the European Union. The EU Data Protection Directive (EU DPD) and its successor, the GDPR (General Data Protection Regulations), are based upon the Organization for Economic Cooperation and Development (OECD) Privacy Principles. GDPR also addresses the export of data from the EU. www.oecd.org

Data Control Decisions

Data security control decisions are generally related to: -Data classification (e.g. protected, confidential, and public) --owner Data state (point in time - rest, use, or transit) -Data at rest (persistent storage, e.g. disk, tape) -Data in use (CPU processing or in RAM) -Data in transit (transmission) Common data protection controls include access management, cryptography, and obfuscation

Private Sector

Deciding upon classification schemes, definitions, and number of levels is a management function. Classification schemes should be codified in policy and communicated throughout the organization. Handling and protection standards should be developed for each classification and communicated throughout the organization.

Authentication Decisioning

Decisions regarding the type and number of factors should always be commensurate with the business value of what is being protected, regulatory requirements, and contractual obligations. - Authentication controls should be subject to periodic risk assessments

Match the log analysis techniques Terms: Deduplication Correlation Aggregation Normalization Definitions: - Consolidating log entries - Relating log entries - Standardizing log details - Removing duplicate entries

Deduplication - Removing duplicate entries Correlation - Relating log entries Aggregation - Consolidating log entries Normalization - Standardizing log details

The principle requires explicit allows

Default Deny

Any action that isn't explicitly denied is allowed

Default allow

Default Allow and Default Deny

Default allow means any access or action not explicitly forbidden is allowed Default deny means any access or action not explicitly allowed is forbidden

Star and Simple Properties

Describe what a subject can do to an object Star [*] implies "write" Simple implies "read"

Social Engineering (SE)

Describes a class of techniques used to manipulate people by deception, into divulging information or performing an action (e.g. unwitting malware distribution) -The information or action may in itself be useful or be a stepping stone -A significant number of security incidents and data breaches have included a social engineering component -Attack vectors include email, phone, text, and physical presence

Single Sign-on (SSO)

Describes a unified login experience in which the user provides a set of credentials one time and is allowed to access multiple systems without needing to authenticate - SSO systems intercept requests for identification and authentication - SSO can be a bottleneck or single point of failure (SPOF) - Legacy SSO rarely is a true enterprise solution

Identity Management Systems (IdM)

Describes the technical management of user identities (including authentication and authorization) within and/or across enterprise boundaries. Technologies include: - Directory services (LDAP, AD) - on/off premise - Single sign-on (SSO) - on/off premise - Identity-as-a-Service (IDaaS) - cloud - Federated identity management (FIM) - distributed

Trusted Computing System Evaluation Criteria (TCSEC)

Description: -Developed in 1983, TCSEC was used to evaluate, classify, and select systems for the DoD based upon confidentiality requirements. Superseded by the Common Criteria Function: -Original publication as the 'orange book'. Expanded to 20+ books known as the 'rainbow series'

IT Security Evaluation Criteria (ITSEC)

Description: -Developed in 1991 by a consortium of European nations, ITSEC is used to evaluate the functionality and assurance of a computer system based upon a vendor-defined set of requirements Function: -Functionality and assurance evaluated independently and separately.

Common Criteria

Description: -Developed in 1993 by the ISO, the 'Common Criteria' provides a universal structure and language for expressing product and system requirements Function: -The Common Criteria evaluates products against a protection profile and results are published

Information | Cybersecurity governance is the responsibility of leadership to:

Determine and articulate the organization's desired state of security Provide the strategic direction, resources, funding, and support to ensure that the desired state of security can be achieved and sustained. Maintain responsibility and accountability through oversight.

Control Cross-Over Examples Firewall (Technical Control)

Deterrent - "Hardened" appearance discourages opportunistic attacks Preventative - Rule-set blocks certain ingress and egress traffic Detective - Activity is logged and alerts can be configured Corrective - N/A

Control Cross-Over Examples Security Awareness Training (Administrative Control)

Deterrent - Advises participants of penalties and consequences Preventative - Teaches participants what NOT to do Detective - Trains participants on what suspicious activity to be "on the lookout for" and how to report it Corrective - Instructs participants on how to respond to a threat

Methodology that promotes collaboration between developers and operations personnel

DevOps

Policy Lifecycle Responsibilities for Board of Directors or Executive Management

Develop - Communicate guiding principles. Review and authorize policy. Publish - Champion the policy Adopt - Lead by example Review - Reauthorize or approve retirement

Policy Lifecycle Responsibilities for Operational Management

Develop - Plan, research, write, vet, review and approve. Publish - Communicate, disseminate, and educate Adopt - Implement, evaluate, monitor and enforce Review - Provide feedback and make recommendations

Policy Lifecycle

Develop: Plan, Write, Approve Publish: Communicate, Disseminate, Educate Adopt: Implement, Monitor, Enforce Review: Solicit Feedback, Reauthorize or Retire

Integrated Product and Process Development (IPPD)

Developed by the DoD and is described as a multidisciplinary management technique that uses design tools such as modeling and simulation, teams and best commercial practices to develop products and their related processes concurrently - The core of the IPPD process is integrated product teams - Integrated product teams (IPTs) are composed of representatives from all appropriate functional disciplines working together to build successful programs and enabling decision-makers to make the right decisions at the right time

SSL

Developed in 1995, Secure Socket Layer (SSL) is used to establish a secure communication channel between two TCP sessions by negotiation. Default SSL port is 443. Steps: 1 - Client sends connection request. 2 - Server responds saying secure connection is needed. 3 - Client requests security capabilities. 4 - Encrypted session established. **In 2015, SSL 3.0 was deprecated. New vulnerabilities continue to be discovered. SSL 2.0 and 3.0 should be disabled.

This backup strategy backs up all files created or modified since the last full backup

Differential

This cipher outcome sends bits through multiple rounds of transposition

Diffusion

Primary Attack Vectors

Digital Infrastructure Human Physical Infrastructure

Digital Infrastructure

Disruption, manipulation, or compromise of network or host hardware, services, application, data, or transmission. Subset is cryptographic, which is disruption, manipulation, or compromise of cryptographic algorithms, protocols, services, applications, or data

In this penetration test approach, neither the testing team nor the target have been given any information

Double blind

Potential liability incurred by a company whose computer systems are compromised

Downstream Liability

Current US government standard asymmetric algorithm

ECC Elliptic Curve Cryptosystem

Automated testing technique that inputs data in a program and monitors the response

Fuzzing

Secure Coding Incentive

Eliminating vulnerabilities during development can result in a two to three orders-of-magnitude reduction in the total cost of repairing the code vs making the repairs afterwards

Contains a microprocessor and software designed to perform a specific task

Embedded System

Mobile Device Management (MDM)

Encompasses deploying, securing, monitoring, integrating, and managing mobile devices in the workplace - The intent of MDM is to optimize the functionality and security of mobile devices, while simultaneously protecting the corporate network - MDM solutions can be local or cloud based

Control that transforms plaintext to ciphertext

Encryption

Cryptographic technique used to protect confidentiality

Encryption

Data protection control recommended for all mobile devices

Encryption

The process of making data "unreadable" without the key

Encryption

Endpoint Firewalls

An endpoint firewall (known as a 'local, host-based, or software' firewall) is a protective boundary for the local device that monitors and restricts ingress and egress access. - Endpoint firewalls generally employ stateful packet filtering that examines source and destination addresses, source and destination ports, and protocol number and compares them to predefined rules

Endpoint Security

Endpoint security is the process of securing various endpoints on a network including: - Mobile devices - Desktop devices - Data center devices Endpoint security management is a standards-based approach that requires devices to comply with specific criteria

Session Management

Ensures that any instance of identification and authentication to a resource is managed properly - 'Broken Authentication' attacks use leaks or flaws in the authentication or session management functions (e.g. exposed accounts, passwords, session IDs) to impersonate users and gain system access

This automated code testing technique is used to discover coding errors and security loopholes by inputting invalid or unexpected data

Fuzzing

These tools are used to discover and document information such as running services, users, and groups

Enumeration Tools

EMI and RFI

Equipment and copper cable are sensitive to electromagnetic interference (EMI) and radio frequency interference (RFI). - EMI is due to electromagnetic conduction or radiation. Almost any type of electrical device can cause EMI - RFI is due to AM/FM and cellular tower transmissions - Equipment should have limited exposure to magnets, fluorescent lights, electrical motors, space heaters, and wireless access points. - Copper cable should be shielded

Chain of Custody

Establishes the proof that the items of evidence collected at the crime scene are the same evidence that is being presented in a court of law (integrity). The chain of custody log would contain: - Identifying information - Handlers - Time and date (including time zones) of each occurrence of evidence handling - Locations where the evidence was stored

Establishing an ISCM Program

Establishing an ISCM program requires the organization to define criteria and processes including (but not limited to): - Metrics - Frequency of data collection, assessment, and reporting - ISCM implementation tools and methodologies

Examination & Testing Comparison

Examination Strengths - May gain insight not otherwise available - Broad scope of coverage with limited resources Examination Weaknesses - May not provide assurance that the security controls are working as intended Testing Strengths - Can provide a real-world picture of an organization's security posture - Can evolve over time and mimic current attacker techniques Testing Weaknesses - May not provide a comprehensive evaluation due to limitations of time, resources, or tester - May be intrusive

Approach

Examinations and tests may be conducted by internal or external personnel. Examinations and testing may be covert or overt - Overt assessments are generally cooperative and are known to all relevant personnel - Covert assessments can be adversarial and are known to a limited subset of personnel. Often, personnel associated with the target are not read in. Visibility and accessibility is often determined by who is conducting the assessment

Examination Objectives

Examinations are used to determine if the assessment object is properly documented and to gain operational insight regarding effectiveness, suitability, and survivability - Examinations generally focus on policies, standards, baselines, procedures, plans, programs, configuration settings, output, and reports - Examinations are considered a passive activity with minimal (if any) anticipated operational impact

The audience for simulation exercise topics of extortion, intellectual property theft, and exposure of customer information

Executives

Federal Information Security Management Act (FISMA)

FISMA requires federal agencies to implement a program to provide security for their information and information systems including those provided by or managed by another agency.

US Federal Agency responsible for responding to and coordinating the response to a disaster that has occurred in the United States

Federal Emergency Management Agency (FEMA)

FTPS

File Transfer Protocol (FTP) is used for file access, file transfer, and file management. Authentication data and payload are transmitted in clear text and subject to eavesdropping, replay, and MiTM attacks - FTPS (File Transfer Protocol Secure) is an extension to FTP that adds support for SSL and TLS in order to encrypt the file transfer channel (TCP port 990 or 21) - Don't confuse FTPS with SFTP. SFTP uses SSH and runs on port 22 - Use case: Secure file transfer

Fire

Fire protection is comprised of three elements: - Fire prevention is the first line of defense - Fire detection is realizing there is a fire while it is still small and controllable - Fire suppression and containment is actually dealing with the fire

This device reports on ingress and egress traffic

Firewall

Detective and Preventative Solutions

Firewall - Ingress and egress traffic Filters - Data access IDS/IPS - Intrusion attempts NAC - Connections to the network DLP - Data exfiltration Honeypot - Knowledge and investigation Sandbox - Isolation Anti-malware - Malicious code *Honeypot is not a Preventative solution

Sampling Approaches

Fixed Sample Plan - % of occurrence in a defined population (how many) Stop and go Sampling - Sampling model that allows the auditor to stop once a reasonable conclusion can be drawn or hypothesis supported Discovery / Exploratory Sampling - Used when evidence of a single error or instance would be material (e.g. fraud, illegal activity)

Examination

Forensic examination should be conducted by trained personnel. It is easy to contaminate or destroy evidence The examiner should document all activity including action taken, tools or procedures used, and results - There are a number of open source and commercial forensic products available - Whenever possible, examinations should be conducted on exact images or replicas and not on the original data source

Categories of Software Licensing

Freeware, Shareware, Commercial (Academic being a subset of commercial) Within each of these categories are specific types of agreements that are legally enforceable including master agreements and end-user license agreements (EULAs)

Traditional Backup Strategies

Full Backup - Backs up all files - Full backup media Differential - Backs up all files created or modified since last full backup. Does not reset archive bit - Full backup + most recent differential Incremental - Backs up all changed files. Does reset archive bit. - Full backup + all subsequent incremental

This traditional backup strategy has the fastest recovery

Full backup

This category of patch corrects non-security related operational issues

Functional Update

Permissions

Functions that a subject can perform on an object, a file or a folder; for example, read, write, modify, and delete - Access control lists are generally used to assign permissions - Permissions can be assigned to user accounts, group accounts, or resources depending upon the system or device - Permissions are generally cumulative - Permissions can be explicit or inherited - Permissions should be audited on a regular basis

Invalid, unexpected, or semi random data used by automated testing

Fuzz

Match the quality and performance testing type and condition Type: Fuzzing Stress Testing Synthetic transactions Use Case Conditions - Availability and response time emulation - Injection of invalid data - Abnormal condition response - Normal operating condition response

Fuzzing - Injection of invalid data Stress Testing - Abnormal condition response Synthetic transactions - Availability and response time emulation Use Case - Normal operating condition response

US regulation that protects the privacy of consumer financial information

GLBA Gramm-Leach-Bliley Act

Executive Continuing Education

General Constraints -Time is limited -Technical expertise may be minimal -Patience for not understanding is limited Objective is insight and understanding for the long-term -Know your audience presentation preferences -Provide a discussion framework and pre-reading materials -Be specific to institutional goals (including regulatory requirements) -Use business language -Cover a limited number of topics - stay focused

Configuration Guidance Examples

Government (Public Sector): NIST SP 800 Publications NIST Checklist Program Repository Vendor (Private Sector): Microsoft Security Compliance Manager Cisco Guide to Harden Cisco IOS Devices

This procedure format works well in global contexts

Graphic

Fire suppression gas that was banned by the Montreal Protocol of 1987

Halon

These inform users how to protect and interact with data and systems

Handling standards

Rules associated with making a connection

Handshake

Match the alternate locations with their descriptions Locations: Hot site Mirrored site Warm site Cold site Mobile site Descriptions: - Self contained unit - Basic HVAC and power infrastructure - Fully redundant site - Systems are preconfigured, data is neartime - HVAC, communications infrastructure and equipment

Hot site - Systems are preconfigured, data is neartime Mirrored site - Fully redundant site Warm site - HVAC, communications infrastructure and equipment Cold site - Basic HVAC and power infrastructure Mobile site - Self contained unit

The number one workplace safety priority

Human life and safety

Trusted, sector-specific entities established by PDD63

ISACs

Internationally recognized Information Security Framework

ISO 27000

ISO Quality Management Certification

ISO 9001

Incident Response (IR) Process - Identification

Identify and analyze indicators of attack (IOA) and indicators of compromise (IOC) - Examples include IDS, SIEM, AV, File integrity checking, logs, network flows, threat intelligence, people

Identity and Access Services

Identity and access services is a term used to describe authentication, authorization, and accounting functions. - An authentication protocol is used solely for user validation (authentication) - AAA architecture protocols are used for validating the user (authentication), controlling access to server data (authorization), and monitoring network resources use (accounting)

Identity and Authentication

Identity is a distinguishing characteristic (e.g. user name) Registration is the process of verifying an identity (e.g. drivers license) Authentication is the process of proving an identity to an authentication system - The proof is referred to as a 'factor' - The combination of a user name and factor is referred to as 'credentials'

SE Physical Presence Techniques

Impersonation - Impersonating a "trusted" source in order to gain access Shoulder Surfing - Covert observation Piggybacking/Tailgating - When an unauthorized person enters a checkpoint close behind, or in concert with authorized personnel Dumpster Diving - Rummaging through trash and recycling in search of information

OWASP Top 5 2016 Application Flaws

Improper Platform Usage - Misuse of a platform feature or failure to use platform security controls Insecure Data Storage - Insecure data storage and unintended distribution of data (data leakage) Insecure Communication - Poor handshaking (rules to establish a connection), incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc Insecure Authentication - Failure to identify the user, weakness in session management or bad session management Insufficient Cryptography - The code applies cryptography to a sensitive information asset; however, the cryptography is insufficient in some ways

Centralized

In a 'centralized computing environment', processing occurs within mainframe or terminal host and clients (terminals, thin clients) are limited to simple interaction and emulation -Security advantage is controls can be implemented and tightly controlled -Security disadvantage is that configuration errors and unaddressed vulnerabilities can impact all client systems.

Distributed Systems

In a 'distributed systems environment', there is no central authority. Security considerations: -Each node is responsible for its own security -Distributed ownership and management -Local data stores -Peer-to-Peer (P2P) access -Malware distribution

Disaster Recovery Planning

In a business context, disasters are disruptive events that significantly impact an organization's capability to operate. The cause can be environmental, operational, accidental, or willful - The goal of disaster recovery planning is to minimize the impact of a disaster and restore normal operating conditions as soon as possible - Disaster recovery planning includes response, recovery, and resumption plans - A business continuity plan takes a broader approach and addresses how to operate in abnormal operating conditions

Trial Witness

In a court trial, witnesses can be called to testify by either the defense or prosecution - Factual witness is an individual who is knowledgeable about the facts of the case through direct participation or observations - Expert witness is a person who has knowledge beyond that of an ordinary lay person enabling them to give testimony regarding an issue that requires expertise to understand. Experts are allowed to give an opinion

Client | Server

In a heterogeneous client/server environment, processing is distributed and there is inherent trust, which makes every endpoint a potential target and every connection a potential conduit. Security considerations: -Privileged use -Outdated operating systems and applications -Malware distribution -Unauthorized remote access

Hash Function Characteristics

In order to be considered secure, cryptographic hash functions must meet three criteria: -Output must not be reversible (one-way representation) -Variable length input must produce fixed length output -Output must be unique to the input. If a hash function produces the same value for two different inputs, the result is known as a 'collision'

Location term when an intrusion prevention device is placed directly in the flow of traffic

In-band / In-line

This phase of incident management focuses on monitoring

Incident detection

Data Breach Disclosure & Notification

Incidents classified as a confirmed or high probability breach may trigger disclosure and notification requirements.

Incident Management

Includes incident prevention, preparation, detection, and response. - 'Incident prevention' includes threat modeling, risk assessment, controls implementation, monitoring, and assurance activities - 'Incident preparation' includes planning, documenting, assigning responsibilities, training, and practicing response capabilities - 'Incident detection' includes monitoring, incident reporting, analysis, and participation in threat intelligence and information sharing activities - 'Incident response' includes containment, eradication, and recovery

Firewall Configuration Planning

Ingress/Egress Filtering - Default allow - if not explicitly denied, then access is allowed - Default deny - if not explicitly allowed, the access is denied NAT - private to public IP address mapping Business Rules - By IP address, protocols, ports, users or groups, and time or day Approvals and Administration - Process for approving a new rule. Process for approving an exception Monitoring / Logging - Configuration of logs, log review, and log archive Review / Testing - Review of configuration and rule-set, identifying vulnerabilities, testing access, and exploits

What the process of restricting input and output based on specific parameters is known as

Input/output validation

Web Security

Insecure code is 'more often than not' the result of a flawed process, competing priorities, or rush to market: -Web security is the result of a deliberate process that prioritizes security from the initiation of the project through the end of the lifecycle

The motivation for this adversary may include grievance, morality, coercion, and/or financial pressure

Insider

Instant Messaging and Chat

Instant messaging and chat services were initially designed for real-time text communication but have expanded to include voice, video, screen sharing, and file exchange. - Threats include packet sniffing, eavesdropping, unauthorized participation, data leakage, malware distribution, and social engineering - Corresponding mitigating controls include firewall restrictions, encryption, authentication and password security, and user awareness training

Secure DevOps

Instead of security operating as an isolated discipline, 'Secure DevOps' aims to integrate security into the development processes from inception. -The Secure DevOps approach enables developers to learn more about how what they are developing can be exploited. -Secure DevOps proactively focuses on survivability by providing reliable software with a reduced attack surface

Procedures

Instructions for how a policy, standard, baseline, or guideline is carried out in a given situation. Procedures focus on discrete actions or steps, with a specific starting and ending point. Four commonly used formats: Simple step - 1, 2, 3, 4 Hierarchy - High level then sublevels Graphic - Using pictures Flowchart - Decisions

Framework Focus

International National Regulatory Industry specific

Publisher of 22301:2012 Business Continuity Management Systems Requirements

International Organization for Standardization (ISO)

Internet and Transport Layer Protocols

Internet - IP - Addressing and routing Internet - ARP - MAC to IP translation Internet - ICMP - Error control and troubleshooting Internet - Internet Group Management Protocol (IGMP) - Multicasting Transport - TCP - Connection oriented delivery Transport - UDP - Connectionless delivery

Privacy Impact Assessment (PIA)

Is a decision-making tool used to identify and mitigate privacy risks at the 'beginning of and throughout the development life cycle' of a program or system. PIAs generally include the following information: -Description of the system -What PII, if any, is collected or used -Why it is being collected -From whom is the PII collected -Privacy requirements (regulatory, contractual, ethical) -How it will be used, accessed, secured, shared and stored.

Capability Maturity Model (CMM)

Is a methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes 1: Initial - Process is unpredictable, poorly controlled, and reactive 2: Managed - Project-oriented management but still reactive 3: Defined - Project-oriented, basic standardization, proactive 4: Quantitatively Managed - Processes are measured and controlled 5: Optimized - Focused on process improvement

Hardware Security Module (HSM)

Is a physical device whose function is secure cryptoprocessing. -HSMs take the form of adapter cards, USBs, or appliances -HSMs can be clustered for high availability -Fast, scalable, and expensive -Use case: Used for encryption during secure login/authentication processes, during digital signings of data (e.g. certification authority), and for payment security systems (e.g. ATMs)

Trusted Platform Module (TPM)

Is a special hardware chip installed on a computer's motherboard that is responsible for protecting passwords, symmetric and asymmetric keys, hashes, and digital certificates that are specific to that system hardware -The chip contains an RSA key used for encryption and authentication -TPMs are compatible with most operating systems -Use case: encrypting hard drives independent of the drive itself

Security Content Automation Protocol (SCAP)

Is a suite of specifications to enable automated vulnerability management, measurement, and policy compliance - Protocol specifications are published and maintained by NIST - NIST SP 800-126 is the Technical Specification for the Security Content Automation Protocol (SCAP)

Exposure

Is a system or software configuration issue or lack of a control that could contribute to a successful exploit or compromise Common examples of exposure include: - Default settings - Running unnecessary services that are common attack points (e.g. HTTP, FTP, or SMTP) - Weak passwords - End of life applications and devices - System sprawl

Information Sharing and Analysis Center (ISAC)

Is a trusted, sector-specific entity that provides sector-specific information sharing about vulnerabilities, threats, and incidents - ISACs are a concept that was introduced in Presidential Decision Directive 63 to promote critical infrastructure information sharing - ISACs range from the Aviation ISAC to the Water ISAC

Certification and Accreditation (C&A)

Is a two-step process that relates to the trustworthiness and acceptance of a product, system, or process. -'Certification' is the process of evaluating, testing, and examining security controls. The evaluation compares the current systems' security posture with specific standards. -'Accreditation' is the process of an authority (management) granting approval to operate a system for a specified period of time with the understanding of the residual risks identified during the certification process.

Federated Identity Management (FIM)

Is an arrangement made among multiple enterprises that allows users (and sometimes objects) to use the same identification data to obtain access to disparate resources (aka "portable identity") - Technologies used for federated identity include Security Assertion Markup Language (SAML), OAuth, OpenID Connect, and Shibboleth

Security Incident

Is an event or action that endangers the confidentiality, integrity, or availability of information or information systems - A 'data breach' is when data is exfiltrated or extracted or there is a loss of internal control. A data breach may trigger reporting and notification requirements

Unified Extensible Firmware Interface (UEFI)

Is an open standard interface layer between the firmware and the operating system that requires firmware updates to be digitally signed -Designed as a replacement for traditional PC BIOS -Additional functionality includes support for Secure Boot, network authentication, and universal graphics drivers -Protects against BIOS malware attacks including rootkits

Distributed Network Protocol (DNP3)

Is an open standards-based communications protocol used between components in process automation systems. - Operates at Layers 2, 4 and 7 - Used primarily in the electric, water, waste water, transportation, oil, and gas industries - DNP3 was developed to meet the need for a standard protocol that would allow SCADA system components developed by differing vendors to talk - DNP3 ensures the reliability of communications within the harsh environment of utilities (error checking - no security)

Malware Distribution Channel

Is designed to entice users to unwittingly install the malicious code by employing enticing tactics including: - Phishing emails with embedded web links or attachments - Social media web links - Web drive-by downloads - Embedded in pictures, movies, or advertising - Embedded in portable media (USB)

Basic Input Output System (BIOS)

Is non-volatile firmware used to perform hardware initialization during the booting process, and to provide runtime services for operating systems and programs. A password is generally required to access the BIOS and perform the following functions: -Authorize boot up sequence -Make changes to the BIOS configuration

Security-as-a-Service (SecaaS)

Is the delivery of managed security services for public, private, and hybrid cloud environments -SecaaS relieves the burden of relying on the SaaS, PaaS, or IaaS vendor for security protection and enforcement. -Services include encryption, activity monitoring, DLP, malware detection, filtering, firewall, policy enforcement, email security, intrusion detection, authentication, and more. -The cloud security market is expected to reach $8.71 billion by 2019.

Unified Threat Management (UTM)

Is the evolution of the traditional firewall into an all-inclusive device performing multiple security functions such as firewall, IDS/IPS, gateway anti-virus and anti-spam content filtering, data loss prevention, and user activity audit reporting - Advantages include reduced operational complexity and overhead cost - Disadvantages include single point of failure and vendor dependency

Data Transmission

Is the physical transfer of data over a communication channel. - Network data transmission components include transmission media, connectivity devices, and circuits

Secure Coding

Is the practice of following secure coding standards coupled with the use of testing tools to detect code vulnerabilities - In order for applications to be designated and implemented with proper security requirements, secure coding practices and focus on security risks must be integrated into day-to-day operations and the development processes - Three precursors to secure coding are application security training, defining requirements, and threat modeling

Input Validation

Is used to detect unauthorized input before it is processed by the application. - Input validation should be applied to all input data - Syntactic validation enforces correct syntax of structured fields (e.g. SSN, date, currency symbol) - Semantic validation enforces correctness of values (e.g. start date is before end date, price is within expected range)

Sampling

Is used to infer characteristics about a population based upon the characteristics of a sample. - Evidence sampling is applying a procedure to less than 100% of the population - Sampling risk is risk where the assessor's conclusion is based on a sample that might be different if they examined or tested the entire population

Desktop Virtualization (VDI)

Is virtualization technology that hosts a desktop operating system on a centralized server in a data center. - Persistent VDI provides each user with his or her own desktop image, which can be customized and saved for future use, much like a traditional physical desktop - Nonpersistent VDI provides a pool of uniform desktops that users can access when needed. Nonpersistent desktops revert to their original state each time the user logs out.

Certificate of Destruction

Issued by commercial services upon destruction of media (for example, paper, CD/DVD, tape, and drives). The certificate should at a minimum include: -Date of destruction -Description of media (including serial number, if appropriate) -Method of destruction -Witnesses -Company Name

User Security Controls

Job Rotation - Rotating assignments (fraud deterrent and detection) Mandatory Vacation - Requiring employees to take a set amount of vacation time (fraud deterrent and detection) Separation of Duties - Breaking a process into tasks so that no one subject is in complete control (fraud prevention/deterrent - would require collusion) Dual Control - Requiring more than one subject or key to complete a specific task (fraud prevention/deterrent - would require collusion) Clean Desk - Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel

Business process metrics used by management

KPIs Key Performance Indicators

Administrative Forensic Procedures

Keep a log - Record all investigative activity - date, time, details Record Time Offset - Record any differential between true and evidence time stamp Talk to Witnesses - Record witness statements as soon as possible (recollections change with time) Take pictures (screenshots) and videos - Capture information without chance of contamination Track Resources - Track man-hours, expenses and equipment costs Retention Policy - Determine how long evidence must be retained for and under whose control

Kerberos Components

Kerberos Server - Key Distribution Center (KDC) - Authentication Server (AS) - Ticket Granting Service (TGS) Resource - Trust Principal

Cryptographic Terminology - Key

Key / Cryptovariable - Secret value used with an algorithm - The key dictates what parts of the algorithm will be used, in what order, and with what values Key Space - Number of possible key combinations - e.g. 256-bit = 2^256 = 1.1578 * 10^77 possible keys Key Stretching - The initial key is fed into an algorithm that outputs an 'enhanced' (stronger) key Symmetric - Using a single key Asymmetric - Using two mathematically related keys (public / private)

In this cryptanalysis approach, a sample of the ciphertext is available without the plaintext associated with it

Known Ciphertext

High-risk targets generally require this sample size

Large

In this architecture, multiple systems work in concert

Large-scale Parallel System

An expression of how much time it takes for a packet of data to get from one designated point to another

Latency

Layers

Layers reference specific functions. - Layers provide 'encapsulation' - Higher levels envelop lower levels Layers provide abstraction - Layers provide a stream of data. The underlying implementation is irrelevant Layers provide decoupling - Technologies can be substituted as long as they communicate with upper and lower levels the same way (e.g. substitute IPv6 for IPv4)

This principle states that information systems should have only essential services, ports, and accounts enabled

Least functionality

The minimum set of permissions needed to perform a task

Least privilege

An order that suspends the modification, deletion, and/or destruction of records and media

Legal Hold

Legal Considerations

Legal considerations include authorization, liability, indemnification, nondisclosure, and privacy - Authorization is often required from third parties that host assessment objects; not doing so is a violation of a contract - Contracts with external assessors may include SLAs, limitation of liability, and indemnification clauses that should be reviewed by legal counsel - Potential privacy violations should be identified - Nondisclosure contracts or agreements should protect disclosure of data collection and findings

RAID Configurations

Level 0 - Data written (striped) across multiple disks - Performance only Level 1 - Data mirrored on two identical drives - Fault Tolerance Level 5 - Data is written (striped) across three or more drives with one parity stripe. Can auto-recover one drive - Fault Tolerance and Performance Level 6 - Data is written (striped) across three or more drives with two parity stripes. Can auto-recover two drives - Fault Tolerance Level 10 (1+0) - Data is simultaneously mirrored and striped across several drives (min 4 drives) - Fault Tolerance and Performance

Residual Risk

Level of risk after treatment

Examples of this inventory attribute include subscription, contract, perpetual

License

Site Security Controls

Lighting - can be continuous, motion triggered, random, timed, or standby - Lighting should be tamper proof and have a backup power supply Signs - Signs for personnel safety and intruder deterrence Physical Barrier - Fences, walls, gates, barricades, and bollards define the perimeter Security Guards - Security personnel may be stationed at checkpoints, patrol the area, manage surveillance, and respond to breaches and/or suspicious activity

Windows Service Accounts (example)

Local System - Very high privileged built in account Local Service - Built in account that has the same level of access to resources and objects as members of the Users group Network Service - Built in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account

Intrusion Detection Response

Logging - Recording information about the event - Passive Notification - Communicating event-related information - Passive Shunning - Ignoring the event as it is not applicable - Passive Terminating - Ending the impacted process or session (e.g. forced RST) - Active/Inline Instructing - Making a configuration change (e.g. shut down port 80) - Active/Inline Deception - Allowing the attacker to think the attack was successful in order to gather information about the intrusion (e.g. honeypot) - Active/Inline

Log Security

Logs might contain confidential information including: - Device and architecture identification - User and group information and membership - Application and patch data - Evidence of wrongdoing - PII or payment card data if transaction data is captured Logs should always be securely transmitted and stored

Developer

Maintenance Hook (Backdoor) - A hidden mechanism that bypasses access control measures. Used by programmers during the development stage to gain access to the program in case the access control malfunctions - Impact - Unauthorized access & Elevated privileges

This is a hidden mechanism used by a programmer to gain system access

Maintenance hook (Backdoor)

Managed Switches

Managed switches provide the ability to configure, manage, and monitor the device via: - Serial console command-line interface - Remote Telnet, SSH, HTTP, or HTTPS interface - Embedded simple network management protocol (SNMP)

Subject Based Access

Mandatory access control (MAC) - Access is based on relationship between subject clearance and need to know and the object classification label - Security Labels Discretionary access control (DAC) - Data owners decide subject access - Access Control Lists, Capabilities, Tables Role-based access control (RBAC) - Access is based on the subject's assigned roles. Many-many relationships allowed - Access Control Lists, Capabilities, Tables, Security Policy

Poisoning

Manipulating a trusted source of data (e.g. DNS) Enables an attacker to act as the trusted source and redirect/manipulate actions

Two-tier barrier with an entry door on one side and an exit door on the opposite side

Mantrap

These tools are used to create physical and logical diagrams

Mapping Tools

Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO)

Maximum time a process/service can be unavailable without causing significant harm to the Business.

Compliance Examinations

May be conducted by regulatory agencies or on behalf of certification bodies to gauge statutory or contractual compliance - Examination reports may include an opinion, detailed findings, related recommendations, and as applicable, required next steps - Examiners will expect to have direct access to executive management and the Board of Directors - Failure can result in decertification, fines, or other penalties

Synthetic Transactions

Measurement of availability and response times using recorded actions that emulate a specific interaction

Data Encryption

Media containing legally protected, sensitive, or confidential data should always be encrypted. Numerous regulations and contractual obligations require encryption including: - PCI DSS requires encryption of payment card data - MA 201 CMR 17 requires encryption of all personal information stored on laptops or other portable devices - HIPAA/HITECH offers safe harbor for notification for incidents in which the ePHI is encrypted

Owners

Members of management responsible for the protection of a subset of information.

Incident Mgmt. Team Membership

Membership of the 'incident management team (IMT)' is generally composed of internal personnel and adjunct (as needed) external resources. - Internal personnel should represent a cross-section of the organization including operations, information security, information technology, risk management, marketing, legal and compliance, and executive management - External resources include forensic experts, legal counsel, insurance representatives, public relations, and law enforcement

External Relationships

Might include (but are not limited to) moving assistance, equipment procurement, personnel augmentation, physical security, and public relations. - Contracts should clearly state the type of service, expenses, activation and notification requirements, response protocols, length of service, and compliance requirements

MDM Control Categories

Mobile device management software is used to control deployment, manage settings (policies), and report on activity and usage. MDM control categories include: - Device tracking - Data protection - Authentication - Application and content management

Mobile Controls

Mobile workplaces should be considered a logical and physical extension of the internal network and secured accordingly. -Administrative controls such as remote computing policy, standards and agreements, and training -Technical controls that mimic internal design and ensure secure connections -Physical controls such as locks and cases

Corresponding key to a "public key"

Private key

In a broken authentication attack, this type of account is frequently targeted

Privileged

NAC Policies

NAC 'pre-admission policies' determine if a device is allowed on the network and if so, what segment based on 'host health' (e.g. AV, patch level, firewall and IDS status, configuration settings). - Depending upon the result, the device is allowed network access or is quarantined - NAC 'post-admission policies' regulate and restrict access once the connection is allowed

The process of mapping private internal IP addresses to public IP addresses

NAT

This program is the US government repository of publicly available security guidance

NCP National Checklist Program

Agreement to protect the confidentiality of information

NDA Non-disclosure Agreement

Short range wireless technology used in commerce

NFC Near field communication

Publisher of the SP800 series

NIST National Institute of Standards and Technology

This controls framework is designed for public and private use to enhance and measure cyber resilience

NIST Cybersecurity Framework

This NIST publication describes the US federal government risk assessment methodology

NIST SP 800-30

At what layer in the OSI model do switches that can filter traffic by IP addresses operate? Application Presentation Session Transport Network Data Link Physical

Network

Embedded System Attacks

Network Attack - Exploit the protocol or implementation (e.g. open ports) -Injection (e.g. persistent malware) -Privilege escalation -Packet capture Active Side Channel - Using a voltage glitch on the power supply to cause a program malfunction Memory and Bus - Physically connect to the hardware and read the contents of the memory Weak Authentication - Using the known default administrator password to gain access. Botnet - Weaponization of devices (bots) for use in DDoS attacks Stepping Stone - Embedded devices such as HVAC systems, printers/MFDs, and camera systems are often connected to a network "unmanaged"

Set of CPU instructions and assigned resources

Process

Network Performance Metrics

Network latency is an expression of how much time it takes for a packet of data to get from one designated point to another - Throughput is the quality of work made by the system per unit of time - Transmission throughput = # bytes/sec

Authentication framework that enables application to obtain limited access to user accounts on an HTTP service

OAuth 2.0

This process queries the status of certificates in real-time

OCSP Online Certificate Status Protocol

Internationally recognized privacy framework

OECD Privacy Principles

Civil Case

Objective of the civil investigation is to provide evidence of wrongdoing or damage. - Civil litigation includes (but is not limited to) intellectual property theft, contract violations, and patent infringements - In a civil case, the standard for burden of proof is a "preponderance of evidence"

This type of plan includes procedures for minimizing loss of life and property

Occupancy Emergency Plan (OEP)

Remote location in the same geographic area as a contracting organization

Off-site

Process of transitioning an employee out of an organization

Offboarding

Acquisition of evidence before it disappears, is overwritten, or is no longer useful

Order of volatility

Personnel Privacy

Organizations have an obligation to collect only what is required and to protect personnel records (e.g. personnel files, PII, medical records) in accordance with all applicable laws and regulations - However, privacy does not extend to use of corporate assets or company related activities - Organizations can (and frequently do) monitor personnel activity. Included in the AUP agreement should be a "no expectation of privacy" statement

Supply Chain Agreements

Organizations should exercise due care for supply chain vendors which include the following: -Contractual obligations specific to responsibilities, compliance, controls, coordination of incident response and business continuity, reporting and 'audit access' -Nondisclosure / confidentiality agreements -Service level agreements (SLA) committing to a required level of service and support - May include incentives, penalty provisions, and enforcement actions

The primary motive for this adversary is financial gain

Organized Crime

Use of more than one communication channel for authentication

Out-of-Band

This type of challenge question is derived from subscription databases

Out-of-wallet

Term used to describe when services are to be performed by third parties

Outsourcing

VPN Protocols

PPTP - Microsoft's implementation of secure communication over a VPN - Designed to secure Point-to-Point protocol (PPP) - No longer considered secure L2TP - Cisco's implementation of secure communication over a VPN - Combines Layer 2 Forwarding and PPTP - Can be used on IP and non IP networks SSL - Uses SSL or its successor TLS for single or multiple connections using a browser - User connects to an SSL Gateway or endpoint - SSL VPN Portal is a single connection to multiple services IPsec - De facto standard for IP-based VPNs

Geofencing

Process of defining a virtual boundary ("geofence") around a specific physical area - Define where devices can be used - Identify when a device enters a secure area - Multifactor authentication

Firewall Security Features

Packet Filtering (all) - Analyzes network packet addressing for malformed packets, attacks, and spoofed IP addresses Access Control Lists (all) - Restrict access including IP address, port, protocol, time/day, and custom rules State - 'Stateless' firewalls treat datagrams individually. 'Stateful' firewalls are able to associate packets with previous and future packets Application Layer Filtering - Apply rules that are specific to applications and services Network Address Translation (NAT) - Map internal private IP addresses to public IP addresses

Packet Loss

Packet loss is disruptive to voice and video and will degrade the communication channel - VoIP uses 'Real-time Transmission Protocol (RTP)' which does not guarantee delivery but is designed to request redelivery of a packet - 'Secure Real-time Transport Protocol (SRTP)' is an extension of RTP that incorporates enhanced security features. - SRTP uses encryption and authentication to minimize risk of denial of service and replay attacks

In this configuration, redundant components are inactive until a failure occurs

Passive (standby) fault tolerance

Match the physical security IDS characteristics and system Systems: Passive infrared Proximity Motion Photometric Contact Characteristics - Detects changes in light - Detects break in electrical circuit - Detects physical disturbance - Measures magnetic field - Detects changes in heat

Passive infrared - Detects changes in heat Proximity - Measures magnetic field Motion - Detects physical disturbance Photometric - Detects changes in light Contact - Detects break in electrical circuit

Authentication

Passwords & PINs - Enforce password policies and lockout functionality Biometrics - Enforce biometric policies - Enable biometric authentication - Control enrollment Context-aware - Authentication requirement based on activity (e.g. access to a specific resource or application) Auto Wipe - Wipes a mobile device after a pre-specified number of failed logins or moves outside of a defined physical boundary. Screen Locks - Requirement that the screen lock after "x" minutes of inactivity - Forced Deauthentication

Reporting

Penetration test reports should include vulnerability findings, exploit activities, and recommendations for mitigation. - Vulnerability findings should be categorized and referenced appropriately with CVE notation - Exploit activities should be documented with enough detail so that they are reproducible - Mitigation recommendations should be prioritized and as applicable, include risk reduction and security enhancement recommendations

Configuration Assessment

Performs checks against guidance, best practices, and applicable standards. - Reviewed components including (but not limited to) improper configuration, authentication and session tracking strength, encryption implementation and strength, input and output validation, error messaging, traversal paths, and sensitive content

Peripheral Security

Peripherals are ancillary devices that are either plugged in or attached via network connection, Bluetooth or 802.11. Best practices for securing peripherals include: - Rejecting "unknown" devices (disallow using policies) - Change the default password - Using secure communications protocols (e.g. SSH instead of Telnet) - Disabling unnecessary services (e.g. remote management) - Configure access controls - Use secure wireless protocols - Dispose of securely

The load balancing technique of associating application layer information with a single server

Persistence

Type of VDI that provides each user with his or her own desktop image, which can be customized and saved for future use

Persistent

NAC Agents

Persistent or Permanent - Installed on a device and runs continuously Dissolvable - Downloads and runs when required (one time authentication) and then disappears Agentless - Integrates with a directory service (e.g. Active Directory)

Types of Digital Certificates (Use)

Personal - verifies a user identity (generally used for email) Server (Machine/Computer) - verifies a device identity Domain Validation - verifies a domain - Wildcard certificate can be used with multiple subdomains of a domain (e.g. *.example.com) Organization - verifies a domain and an organization Extended Validation - Verifies a domain and an organization subject to additional vetting (aka "green bar") Code / Object signing - verifies organization/ownership as well as object integrity Trusted/Intermediate - identifies root and intermediate Certificate Authorities

Examples include Social Security, passport and driver's license numbers

Personal Information (PI, PII, NPPI)

Defining Personal Information

Personal information (PI, PII, NPPI) may include discrete information such as a Social Security number, financial account number, password and PIN, driver's license number, passport number, medical record, educational records and biometric data. Personal information can also include, but is not limited to, shopping habits, search engine queries, browsing history, email, pictures, location, commerce, and GPS travel.

Information Security Management (ISM)

Personnel generally having the authority to interpret strategic direction and are held accountable for the success or failure of their area.

Travel

Personnel often travel with mobile devices and/or connect back to network resources. Personnel should be provided with travel requirements and guidelines including but not limited to: - Encrypt all mobile storage - Have no expectation of privacy - Do not connect to unknown wireless networks - Never leave devices unattended - Do not hand your device to strangers - Report a lost or stolen device immediately - Upon return, have the device inspected

SE Technical Techniques

Phishing - Pretexting using email Spear Phishing - Targeted version of phishing (mass vs group/individual) Whale - High profile phishing target Vishing - Pretexting using voice (phone) Hoax - Warning of a non-existent threat or offer - designed to defraud Watering Hole - Compromising a website or social media application frequented by the target

Fences, mantraps, bollards, and locks are examples of this control implementation

Physical

This access control category focuses on facilities, equipment and devices

Physical

Cyber and Physical Convergence

Physical and cyber security are no longer separate disciplines. There is a significant overlap in controls. For example, using a picture ID badge to identify myself to physical security, then using the card to "swipe" into the building, then using the same card to log into my computer with proximity technology that automatically locks down the computer when I walk away from my desk and produces an audit trail of my whereabouts and activities

Physical Security Controls

Physical security principles of deter, detect, and delay supported by a response plan are designed to frustrate and disrupt an adversary's attack timeline Deter - Stop or displace an attack Detect - Verify an attack, initiate a response Delay - Prevent the attack from reaching the asset (including measures to minimize the consequence of an attack)

The act of using a weakness on one system to access a more secure system

Pivoting

This is a detailed proposal for doing or achieving something

Plan

Switch Port Security

Port security is a dynamic feature that can be used to limit and identify the MAC addresses of the stations that allow access to the same physical port. - Limiting the number of allowable MAC addresses on a switch port using port security effectively shuts down a MAC address-flooding DDoS attack

Key Properties of Virtual Machines

Partitioning - Run multiple operating systems on one physical machine. Divide system resources between virtual machines (automatic resource allocation) Isolation - Provide fault and security isolation at the hardware level. Preserve performance with advanced resource controls Encapsulation Recovery - Save the entire state of a virtual machine to files. Move and copy virtual machines as easily as moving and copying files. Hardware Independence - Provision or migrate any virtual machine to any physical server High Availability - Support application high availability (failover clustering) and ensure that services are always available when running inside VMs

Use Case

Positive testing determines if the application works as expected [use case]. Negative testing ensures that the application can gracefully (and securely) handle invalid input or unexpected behavior [misuse case]

Match the control classification and description Classification: Preventative Compensating Corrective Detective Deterrent Description: - Discourages a threat agent from acting - Alternate control - Minimizes the impact of the threat agent - Identifies and reports a threat agent - Stops a threat agent from being successful

Preventative - Stops a threat agent from being successful Compensating - Alternate control Corrective - Minimizes the impact of the threat agent Detective - Identifies and reports a threat agent Deterrent - Discourages a threat agent from acting

Malware Prevention and Disruption

Prevention controls and techniques include: - Ingress and egress filtering and restrictions - Forbidding the receipt or execution of certain file types - Restricting the use of removable media - Restricting cookies, pop-ups, mobile code execution, access to webmail and social media sites - Employing least privilege at the local level - Internet access sandboxes - Educating users

Data Protection -- Cryptographic

Primary cryptographic data use cases and corresponding techniques include: -Confidentiality (encryption) -Integrity (hashing) -Non-repudiation (digital signature) -Authentication (digital certificate)

Cryptography

Primary cryptographic use cases and corresponding techniques include: -Confidentiality (encryption) -Integrity (hashing) -Non-repudiation (digital signature) -Authentication (digital certificate)

National Information Infrastructure Protection Act of 1996

Primary federal antihacking statute.

Law Enforcement

Primary focus is to identify, catch and prosecute criminals. They have no obligation to recover stolen funds or property. - Consult with legal counsel before calling law enforcement. - Once contacted, the institution is a crime scene and they are allowed to confiscate evidence. - They may ask you to allow the attack to continue while they investigate. Unless court ordered, you do not have to comply with this request. - They have no obligation to keep you updated and probably won't.

Availability

Principle that information, systems and supporting infrastructure are operating and accessible when needed.

Confidentiality

Principle that only authorized people, processes, or systems have access to information and that information must be protected from unauthorized disclosure.

Log Management Workflow

Prioritize Configure Collect Secure Analyze Respond Archive Destroy

The right of an individual to control their personal information

Privacy

Decision making tool used to identify privacy related issues at the beginning of a project

Privacy Impact Assessment

Privacy Concerns

Privacy Violation Data Compilation Data Warehousing Data Mining Aggregation Inference

Defining Privacy

Privacy is the right of an individual to control the use of their personal information. In contrast, information security is the process by which we safeguard information and systems and ensure confidentiality, integrity, and availability.

This cloud deployment model is provisioned for exclusive use

Private Cloud

Match the following items: Terms Private cloud Community cloud IaaS SaaS Public cloud PaaS Definitions -Customer deploys onto the cloud infrastructure -Customer provisions "bare metal" resources -Provisioned for a well-defined group -Provisioned for public use -Customers use the provider's application -Provisioned for single organization exclusive use

Private cloud - Provisioned for single organization exclusive use Community cloud -Provisioned for a well-defined group IaaS - Customer provisions "bare metal" resources SaaS - Customers use the provider's application Public cloud - Provisioned for public use PaaS - Customer deploys onto the cloud infrastructure

International Framework

Promoted globally. Developed by representatives from participating areas. Well known Framework: ISO 27000 Family

Private Sector Classification Examples

Protected - Protection required by regulation or contractual obligation (e.g. PI, PHI) Proprietary - Intellectual property or process; significant impact if disclosed Confidential/Sensitive/Internal Use Only - Internal use only - limited use; negative impact if disclosed Public - Available for distribution

A specific set of functional and assurance requirements for a category of products (used by the Common Criteria)

Protection Profile

Secure Communications Protocols

Protocol - Description - Objective SSL/TLS - Securing web based protocols and transmissions - Confidentiality, Authentication, Integrity HTTP - Layer SSL/TLS on top of HTTP - Confidentiality, Authentication, Integrity FTPS - Layer SSL/TLS on top of HTTP - Confidentiality SSH - Secure channel between a local and remote device - Confidentiality, Integrity SFTP - File transfer component of SSH - Confidentiality S/MIME - Securing web based protocols and transmissions - Confidentiality, Integrity, Nonrepudiation Secure POP3 - Secure Post Office Protocol 3 (SSL-POP, POP3) - Authentication Secure IMAP - Secure Internet Message Access Protocol (IMAP4-SSL) - Authentication

Sherwood Applied Business Security Architecture (SABSA)

Provides a context for understanding a complex environment by intersecting views and lifecycle layers -Views: What, why, how, where, who, and when -Lifecycle layers: Contextual, conceptual, logical, physical, component, and operational

Zachman Framework

Provides a context for understanding a complex environment by intersecting views and viewpoints -Views: What, why, how, where, who, and when -Viewpoints: developer, systems engineer, security officer, application administrator, and end user

Platform-as-a-Service (PaaS)

Provisioned: -Computing Resources + Operating System + (optionally, database) Customer Impact: -The customer does not manage or control the underlying cloud infrastructure, operating system, and platform -The customer deploys onto the cloud infrastructure created or acquired applications -The customer has control over deployed applications and possibly configuration settings for the application-hosting environment Considerations -Availability -Maintenance -Vulnerability Management -Confidentiality -Privacy -Data Ownership

Process in which electronic data is located and searched for use in litigation

eDiscovery

Software-as-a-Service

Provisioned: -Computing Resources + Operating System + Application Customer Impact: -The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities -The customer uses the provider's applications running on a cloud infrastructure -The customer has control over limited user-specific application configuration Considerations: -Availability -Maintenance -Vulnerability Management -Confidentiality -Privacy -Data Ownership -Multitenancy -Testing

Cloud Deployment Models

Public Cloud - Provisioned for 'public' use. Considerations are Location, Multitenancy Community Cloud - Provisioned for the exclusive use by a 'well-defined group'. Considerations are Multitenancy Private Cloud - Provisioned for the exclusive use of a 'single organization'. Considerations are Scalability Hybrid Cloud - The public and private cloud infrastructures communicate over an encrypted connection, using technology that allows for the portability of data and applications. Considerations are the Security of the connection

Public Key Infrastructure

Public Key Infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working together in a comprehensive manner to enable secure communication. - Public Key Infrastructure X.509 (PKIX) is the working group formed by the IETF to develop standards and models (known as X.509) - Public Key Cryptography Standards (PKCS) is a set of voluntary standards created by RSA and other industry leaders.

Match the anti-remanence technique Terms: 1: Pulverizing 2: Pulping 3: Wiping 4: Shredding 5: Degaussing Definitions: 1: Using an electromagnetic field to destroy data 2: Reducing media to dust 3: Overwriting all addressable storage and indexing locations 4: Physically breaking the media into pieces 5: Chemically altering the media

Pulverizing - Reducing media to dust Pulping - Chemically altering the media Wiping - Overwriting all addressable storage and indexing locations Shredding - Physically breaking the media into pieces Degaussing - Using an electromagnetic field to destroy data

Risk Assessment Approaches

Qualitative, Quantitative, Semi-qualitative (hybrid) *Key elements are 'likelihood of occurrence' and 'impact'

This protocol provides centralized AAA services and is used primarily for network access authentication

RADIUS

Asymmetric Ciphers

RSA - Widely implemented - De facto commercial standard - Works with both encryption and digital signatures Elliptic Curve Cryptosystem (ECC) - Similar function to RSA but with smaller key sizes (requires less computing power) - Current US government standard Diffie-Hellman - Primarily used for key agreement (key exchange) - Allows two parties (in the same DH group) that have no prior knowledge of each other to jointly establish a shared secret key - DHE uses modular arithmetic to compute the shared secret - ECDH uses algebraic curves to generate keys ElGamal - Primarily used for transmitting digital signatures and key exchange

Timing and Communication

Race Condition - A flaw that produces an unexpected result when the timing of actions impacts other actions. An example may be seen in a multithreaded application where actions are being performed on the same data - Impact - Unauthorized access Covert Channel - The use of a malicious script to transfer information objects between processes that are not supposed to be allowed to communicate - Impact - Unauthorized access

This vulnerability is related to timing issues (Time of Use / Time of Check)

Race condition

Team exercise that simulates an attack in order to exercise and evaluate preparedness and response capabilities

Red team / Blue team

Primary strength of DNP3

Reliability (error checking)

Remote Meeting Technology

Remote (sometimes referred to as virtual) meetings are designed to connect participants in real-time and support audio and video conferencing, file and desktop sharing, and remote control - Threats include eavesdropping, spying, unauthorized participation, data leakage, unintentional access and bandwidth utilization (unavailability) - Corresponding mitigating controls include firewall restrictions, encryption, authentication and password security, equipment management controls, user awareness training, and adequate bandwidth

This command is sent to the device to delete all or selected content or reset to factory configuration

Remote Wipe

This process copies transaction logs and periodically transmits them to a backup location

Remote journaling

Physical Security Officer

Responsible for ensuring that appropriate physical security procedures have been established and physical security devices installed, commensurate with the identified risk exposure.

Incident Response (IR) Process - Recovery and Lessons Learned

Restore systems to normal operations and document lessons learned - Identify root causes, lessons learned, and update playbook

Statutory Requirements

Retention requirements may apply to various types of electronic files. This includes but is not limited to email, documents, databases, and application-generated records: -Financial, accounting, and tax records -Corporate and legal records -Human resources, including payroll records -Insurance records -Policies and regulatory-related files (e.g. IRS, SEC, HIPAA, GLBA)

Role-based Awareness Training

Role: Executive User Focus: Strategy, policy, and organizational impact (risk) SETA: Education Role: System Owner Focus: Business process and impact SETA: Education Role: Data Owner Focus: Data protection and privacy SETA: Education Role: System Admin Focus: Implementing, managing and monitoring controls SETA: Training Role: Privileged User Focus: "Privileged" functions SETA: Training Role: User Focus: Responsible use (AUP) and best practices SETA: Awareness

In this model, access is based on situational if-then statements

Rule-based Access Control

Protocol for sending digitally signed and encrypted emails

S/MIME

Email Security -- S/MIME

S/MIME is a protocol for sending digitally signed and encrypted emails - Use case: encryption (confidentiality), and digital signature (integrity and nonrepudiation)

The negotiation between two IPsec endpoints

SA Security Association

Framework that provides context for understanding a complex environment by focusing on different lifecycle layers

SABSA Sherwood Applied Business Security Architecture

The practice of managing the lifecycle of software assets

SAM Software Asset Management

Open standard that provides user authentication and authorization services -- components include IdP and SP

SAML

This enterprise level storage uses fiber channel, FCoE, or iSCSI connections

SANS

A significant vulnerability for this architecture is the use of outdated operating systems due to long life expectancy

SCADA

These ICS systems are used to monitor and control entire sites and/or complex environments

SCADA

Suite of specifications to enable automated vulnerability management, measurement, and policy compliance

SCAP Security Content Automation Protocol

Leading multimedia open protocol

SIP Session Initiation Protocol

This contract specifies performance and response parameters

SLA

Quantitative Formulas

SLE ($) = AV ($) x EF (%)
Single Loss Expectancy = Asset Value x Exposure Factor
ALE ($) = SLE ($) x ARO (#)
Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence

When the failure of one device impacts the operation of the entire system

SPOF Single Point of Failure

SSL Decryptors

SSL decryptors are controversial perimeter devices (either built into the firewall or standalone appliance) used to decrypt SSL/TLS packets, inspect the contents, re-encrypt, and forward the packet

SSL/TLS Accelerators

SSL/TLS encryption/decryption is a processor-intensive operation. - SSL/TLS Application Specific Integrated Circuits (ASIC) are processors that are specifically designed to perform SSL/TLS operations - SSL/TLS Accelerator is an ASIC appliance that sits between a user and a server, accepting SSL/TLS connections from the client and sending them via private network to the server unencrypted

In this cloud service model, the computing resources, operating system and application are all managed by the provider

SaaS Software-as-a-Service

Workplace Access

Safety and security dictate that access to workplaces must be controlled - Access controls include but are not limited to entry/exit systems, guards, employee badges, and visitor management systems - Employees need to understand that they should never circumvent access control systems, which includes sharing badges or key codes

Inferring characteristics about a population based on a subset

Sampling

Type of risk where the assessor's conclusion might be different if the entire population was examined

Sampling risk

Sandbox

Sandboxing is a mechanism used for safely executing untrusted code, files, or programs. - The sandbox environment is isolated from all other running processes - URL sandboxes can be used to inspect URL connections before allowing user access - Email sandboxing can be used to inspect attachments before allowing the user access - Sandboxes can be used by developers to examine and test code

Scoping and Tailoring

Scoping instructs an organization how to apply and implement security controls (baselines) Tailoring allows an organization to align common security controls with specific objectives

SecCM Activities

SecCM activities complement traditional CM activities and include: - Identification and recording of configurations that impact the security posture of the information system and the organization - The consideration of security risk in approving the initial configuration - The analysis of security implications of changes to the information system configuration - Documentation of the approved/implemented changes

Managed security services in the cloud environment

SecaaS Security-as-a-Service

Secure Boot Attestation

Secure Boot requires that all boot loader components (e.g. OS kernel, drivers) attest to their identity (digital signature) and the attestation is compared to the trusted list. -When a computer is manufactured, a list of keys that identify trusted hardware, firmware, and operating system loader code (and in some instances, known malware) is embedded in the UEFI -Ensures the integrity and security of the firmware -Prevents malicious files from being loaded -Can be disabled for backward compatibility

Methodology that promotes integrating security into the development process from inception

Secure DevOps

The methodology of integrating development, operations, and security

Secure DevOps

This methodology is a marriage of security and DevOps

Secure DevOps

Patch Categories (can vary by vendor)

Security Update - An update which fixes a security vulnerability. Security updates generally have a defined security level. (e.g. Microsoft categories include critical, important, moderate, low, unspecified) Critical Update - An update which fixes specific, non-security related, critical bugs. Such a bug can cause, for example, serious performance degradation, interoperability malfunctions, or disturb application compatibility. Functionality Patch - Corrects a non-security related functional issue Feature Patch - Introduces new features

Assessor Challenges

Security assessors often face technical, operational, and political challenges - Resistance from business owners, system and network admins, and end users - Pre-assessment fixes - In-the-moment mitigation - Restrict time windows - Evolving technology - Risk of operational impact

Activity and Error Reporting

Security devices generate reports applicable to their function - Understanding context is important for identifying indicators of attack/compromise (IOA/IOC), performance and resource utilization, and post-incident forensics - An 'indicator of attack' (IOA) is a proactive early warning sign that an attack may be imminent or already underway - An 'indicator of compromise' (IOC) is reactive based on substantive or corroborating evidence that a system or network has been exploited

Investigation Triggers

Security related scenarios that may trigger a legal or internal investigation include (but are not limited to): - Harm - Disruption - Theft - Unusual or suspicious activity - Situation at a connected 3rd party - Threat intelligence (FS-ISAC) - External notification (FBI, Secret Service, customer)

A system utility that runs in the background

Service

Incident Mgmt. Training

Should be included in organization-wide security education, training and awareness (SETA) programs. - All personnel should be aware of potential incident scenarios and reporting procedures. - First responders and Computer Incident Response Team (CIRT) members should receive training related to their assigned tasks - Executives should be educated on incident-related organizational risks.

Cloud Storage

Should be subject to the same controls as local storage. - The cloud storage physical location may span multiple servers and locations (fault-tolerant distributed resources) - 'Virtual storage' is a mechanism to pool resources so that they appear as one unit - Due diligence and oversight of cloud storage is critical

The objective of this social engineering technique is covert observation

Shoulder surfing

This detection pattern matching approach is based on known information

Signature-based

IDS Detection Approach

Signature-based - Pattern matching decisions are based on established known signatures - Signatures must be updated frequently Rule-based - Analyzes behavior for violation of preconfigured rules Behavior-based - Behavior based anomaly detections rely on predicted norms and deviations - Can be learned over time and/or start with a set of assumptions and adapt to local conditions - Requires fine tuning Heuristic - Continually trains on network behavior and can continually alter detection capabilities based on learned knowledge

Disaster Recovery Testing

Simulation (Parallel, Functional, Preparedness) - Localized scenario that simulates an actual event and limits material and equipment to what would be possible if the situation were an actual event. - Generally parallel tests are component-, device-, or system-level - Primary systems may remain active - Objective - Evidence of localized readiness Full scale (Interruption) - Tests all components of the designated plan simultaneously - Primary environment is not operational - Objective - Evidence of enterprise readiness

This scenario test simulates an actual event and is generally component- or system-focused

Simulation (Parallel, Functional, Preparedness)

ALE = SLE * ARO

Single Loss Expectancy (for an hour of DDoS disruption) is $17,000 Based on the current threat and controls environment it is expected that there will be 5 hours (ARO) of DDoS disruption per year $17,000 (SLE) * 5 (ARO) = $85,000 (ALE)

Factor Requirements

Single-factor - Only one factor is required for authentication Multi-layer - Two or more of the 'same type' of factor is required for authentication Multi-factor - Two or more 'different types' of factors are required for authentication Out-of-Band - Use of more than one communication channel required for authentication

The outcome when security decision making is tied to organizational objectives

Strategic Alignment

Governance Outcomes

Strategic Alignment Risk Management Value Delivery Resource Management Performance Measurement Process Integration

This type of attack occurs in the time period between when an exploit is developed and when a patch has been released or a compensating control identified

Zero-day

This governance objective is that cybersecurity programs support and complement organizational goals. 1: Risk management 2: Strategic alignment 3: Performance measurement 4: Value delivery

Strategic alignment

Executive Management Duties

Strategic alignment Risk management Value delivery Performance measurement Resource management Process assurance

Symmetric Ciphers

Stream Cipher - Works with one bit at a time. - Algorithms: RC4 Block Cipher - Works with blocks of data. - Algorithms: DES, 3DES, AES, Blowfish, Twofish, IDEA

Strength & Workfactor

Strength of a cryptosystem is a combination of the 'algorithm', the 'algorithmic process', the 'length' of the key, and the 'secrecy' of the key. If one element is weak, the cryptosystem can potentially be compromised. - The 'work factor' is the amount of time and effort it would take to penetrate (break) a cryptosystem. - 'Deprecated' means that the use of the algorithm and key length is allowed, but the user must accept some risk (weakness). - 'Broken' means that the algorithm and/or key length is exploitable

System Hardening

The objective of system or device hardening is to reduce the attack surface and make it more resilient to attack - Hardening is the process of configuring security settings, rules, and policies and removing unnecessary applications and services in order to minimize vulnerabilities and exposure to threats

Wireless Attacks

The objective of wireless attacks is the disruption, manipulation, or compromise of wireless transmission or devices - War Driving is the physical scanning for unprotected wireless networks - War chalking is marking a physical area to indicate a free, open, and/or insecure wireless network or access point

Perimeter

The perimeter includes: - The line demarcating the extent of a site/building/asset - Access point within the demarcation line providing a means of entering and exiting - Sterile zones consisting of two perimeter lines (attack side and defended side)

Framework that provides context for understanding a complex environment by focusing on different viewpoints

Zachman Framework

Active entities and passive entities

Subjects and objects

Term used to describe reliance on a source to provide a product or service

Supply chain dependency

Term used to describe the disruption of the normal flow of goods, materials, and services

Supply chain disruption

Surveillance

Surveillance technologies such as closed circuit TV (CCTV) and camera systems can be used to monitor and detect suspicious, abnormal, or unwanted behavior A surveillance system can: - Identify the presence of an intruder - Trigger an alarm or an alert - Provide enough detail to determine the type of incident response - Provide evidence

Certificate Revocation

Suspension - Temporary revocation of a certificate until a certificate problem can be resolved. Revocation - Permanent withdrawal of trust by issuing authority before scheduled expiration date. Certificate Revocation List (CRL) - CA maintained list of certificates that have been revoked. - Pull model - CRL is downloaded by the user or organization - Push model - CRL is automatically sent out by the CA at regular intervals Online Certificate Status Protocol (OCSP) - Process designed to query the status of certificate in real time. - OCSP stapling is a time stamped (cached) OCSP response

This multiport forwarding device can operate at Layer 2 and/or 3 depending upon the configuration

Switch

Switches

Switches are multiport forwarding devices that enable high-speed passing of data and error checking. - Layer 2 switches filter traffic by MAC addresses - Layer 3 switches filter traffic by IP address and have routing capabilities - Aggregation Layer 2 switch provides connectivity for other switches

An HMAC is a hashed value that includes this

Symmetric key

Provisioning Lifecycle Phase 4

Termination, Offboarding - Termination tasks include reclaiming assets, disabling/removing account and access, archiving documents and email - Offboarding tasks include reassigning file and folder permissions and ownership

Infrastructure Assessments

System Configuration Examination - Identify weakness in security configurations, baseline variations, and nonconformance with industry standards and recommendations Log Review - Ensure adherence to log monitoring and management policies, standards and procedures Vulnerability Assessment - Identify host attributes, known Common Vulnerabilities and Exposures (CVEs), outdated software versions, missing patches, misconfigurations and security policy, or standards deviations Penetration Testing - Evaluate the security of a target by identifying and attempting to exploit (or provide proof of concept) vulnerabilities, improper configurations, and hidden points of entry Red Team / Blue Team Exercise - Simulated attack designed to exercise preparedness and response capabilities

NIST SP 800-160

System Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems -SP 800-160 addresses the engineering-driven actions necessary to develop more defensible and 'survivable' systems--including components that compose and the services that depend on those systems. -Aligned with the international standard ISO/IEC/IEEE 15288

The focus of NIST SP 800-160

Systems Security Engineering

This Cisco protocol provides centralized AAA services and is used primarily for device administration

TACACS+

Combination of all security mechanisms within a computer system

TCB Trusted Computing Base

This protocol provides for connection oriented delivery

TCP

Non-IP Networking

TCP/IP is the communications protocol of the Internet. To traverse the Internet, non-IP network protocols must either be encapsulated, translatable, or used for non-Internet niche purposes

Protocol used to establish a secure communication channel between two TCP sessions using a cryptographic key exchange on port 443

TLS

Termination

Tasks include recovering physical and access control assets, deleting or disabling local and remote access, deleting or disabling user accounts and access permission, archiving documents and email, and reassigning file folder permissions. Termination related tasks should be documented (checklist/procedure)

The intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying evidence

Spoliation

An account that is no longer being used

Stale

This term describes changes that are required in the normal course of business and have established policies and procedures

Standard Changes

Specifications for the implementation of policy and dictate 'mandatory' requirements

Standards

Conceptual model that ensures that the system is always trustworthy

State

Firewalls that are able to associate packets with previous and future packets

Stateful

Code Testing and Analysis

Static Code Analysis - Examination of non-running code (static) for vulnerabilities Dynamic Analysis - Examination of running code for vulnerabilities (automated) Fuzzing - Automated testing technique used to discover coding errors and security loopholes by inputting invalid, unexpected, or semi-random data, called 'fuzz', and monitoring the application response Quality and Performance Testing - Evaluates application response to use and misuse as well as performance under various conditions Regression Testing - Evaluates functionality and security post-change

An objective method for determining sample size and selection criteria - each item should have an equal probability of selection

Statistical sampling

The process of concealing data within a file

Steganography

A perimeter area consisting of two lines dividing an attack side and a defended side

Sterile zone

In this sampling approach, the assessment stops once a reasonable conclusion can be reached

Stop and Go sampling

Possession - Something You Have

Something you have requires physical possession of a device. - A secure token is a handheld device with an LED that displays a number and the number is synchronized with an authentication server - A smart card is a credit card-sized card that has an integrated circuit and a certificate used to identify the holder

Momentary high voltage

Spike

Key Management

The activities involving the handling of cryptographic keys and other related security parameters (e.g. passwords) during their entire lifecycle. -A key should only be used for one purpose (e.g. encryption) -Keys should be frequently changed to increase workfactor -Private keys must be securely stored - A 'hardware security module' (HSM) can be used to store cryptographic keys in tamper-resistant hardware providing logical and physical protection

Asset

The asset includes: - Any item of value to the organization which does not rely on protective perimeter or building security measures.

Integrity Measurement

The best case scenario is for developers to identify bugs and issues during the development state. Early identification is more efficient and less expensive. - 'Integrity measurement' is a measure of the quality of the source code before it moves to the test environment - 'Unit testing' evaluates a module for specification compliance (including security baseline) - 'Interface testing' evaluates the connection between two or more components

Resiliency

The capability to continue operating even when there has been a fault, incident, or abnormal operating conditions. Preventative and detective controls reduce the likelihood of disruption. Corrective controls mitigate the consequences.

Ethernet

The de facto physical layer networking technology. - Ethernet is a Carrier Sense Multiple Access / Collision Detection (CSMA/CD) Protocol - Current versions include Fast Ethernet (100 Mbps), Gigabit Ethernet (up to 100 Gbit/s), and Terabit Ethernet (above 100 Gbit/s)

After action Report

The final step of an exercise/test is an After action Report which documents the success or failure of the exercise/test and details followup tasks and if required, modifications

Business Continuity Planning

The objective is to prepare for continued operation of Essential functions and services during disruption of normal operating conditions. To support this objective: - Threat scenarios are evaluated - Essential services and processes are identified - Response, recovery, and contingency plans are developed - Strategies, plans, and procedures are tested

Criminal Case

The objective of a criminal investigation is to assist law enforcement to obtain evidence. - In a criminal case, a law must be broken - Only the government can prosecute a criminal case - In a criminal case, the standard for burden of proof is "beyond a reasonable doubt." - Compliance with the Fourth Amendment regarding search and seizure of evidence is required

Crisis Communication Plan

The objective of a crisis communication plan is to prepare for and coordinate internal and external communication - Identify those parties that should be informed about the situation and when - Communicate facts - Minimize rumors and misinformation - Restore order and/or confidence

DRP Exercise and Testing Objectives

The objective of a disaster recovery exercise and testing should be to evaluate strategies, plans, and procedures; not institutional knowledge - The outcome of disaster recovery exercises and testing should be strategy, plan, and procedure modifications (if necessary), and an enhanced participant familiarity with the facets of the plan

Access Control

The objective of access control is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), and disruption (availability) - Physical access focuses on facility equipment and devices - Logical access focuses on software and data

Audit

The objective of an audit is to provide 'independent' assurance based on evidence (examination and testing) Internal Controls - Evaluation of the design of the controls to address control objectives, verification that the controls are in place, and assessment of the operational effectiveness and efficiency of the controls Compliance - Comparison of the control environment to established policies, standards, or rules Forensic - Identifying fraudulent and criminal activity

Internal Case

The objective of an internal investigation is to respond to questions, concerns, disputes, or findings. - Internal investigations can lead to an administrative hearing. - An administrative hearing is a trial-like process before an administrative agency (quasi-judicial) - Internal investigations can morph into civil or criminal investigations

Business Intelligence

The objective of business intelligence (BI) is to support decision making through data-driven insight and predictive analytics - Business intelligence (BI) is the intersection of what happened and why - Predictive analytics is when data is mined to predict the likelihood of future outcomes

Destruction

The physical act of destroying media in such a way that it cannot be reconstructed. Shredding - physically breaking media to pieces Pulverizing - reducing media to dust Pulping - chemically altering media Burning - incinerating media

Steganography

The practice of concealing a file within another file - Watermarking is a hidden message that is used to prove or claim ownership - Hidden binary files are most often found embedded in image and audio files - Steganalysis is the detection of steganography by a third party

Software Asset Management (SAM)

The practice of managing the lifecycle of software assets within an organization. The two significant benefits of a SAM program are cost control and risk reduction. Processes include: -Developing policies and procedures -Documenting software usage -Determining authorization status -Remediating (if necessary) -Establishing a routine audit process

Layered Defense (Defense-in-Depth)

The premise of a layered defense model is that if the intruder can bypass one layer of controls, the next layer of controls should provide additional deterrence or detection capabilities. Layered defense is both physical and psychological

Firewalls

The primary objective of a firewall is to isolate network segments by controlling ingress and egress access. - Ingress means incoming and egress means outgoing - Firewalls are preventive controls because they can be configured to restrict ingress and egress network traffic, repel known attacks, manage nonroutable IP addresses, and anonymize internal addresses - Firewalls can be detective controls because they can be configured to log events and send alerts

Least Functionality

The principle of 'least functionality' is that systems and devices should be configured to provide only 'essential capabilities' and specifically 'prohibit' or 'restrict' the use of functions, ports, protocols, and services In practice this means: - Removing unused programs - Disabling services - Disabling (removing, if possible) default accounts - Setting security policies (if available) - Pay attention to peripherals

Physical Security Zones

The principles of deter, detect, and delay extend to the following security zones: -Beyond the perimeter -Perimeter -Within site -Building -Asset

Offboarding

The process for transitioning employees out of an organization. Tasks include: -Documenting separation details - Tasks and responsibilities prior to departure - Knowledge transfer - Exit interview

Forensics

The process of collecting, preserving, examining, analyzing, and presenting evidence. - Invariably there is tension between response (find and fix) teams and forensic investigators

Threat Detection

The process of identifying artifacts (e.g. virus signatures, IP address, malicious URL, command and control connection, file changes, unexpected activity, behavioral anomalies) that are indicative of an attack ('IOA') or active exploit ('IOC')

Patch Management

The process of identifying, acquiring, installing, and verifying patches. - 'Security patches' are designed to correct security issues and functionality problems in software and firmware. - Timely deployment of security patches reduces the likelihood of exploitation

Onboarding

The process of integrating a new employee with a company and culture as well as getting the tools and information they need to be successful. User orientation is the initial task of completing paperwork (including Confidentiality and Acceptable Use Policy agreements), introductions, and initial training. User provisioning is the process of creating user accounts and credentials, assigning access rights and permissions, and providing assets.

PROD

The production environment (PROD) is the "live" environment that hosts the application. It is the endpoint in the release management process. - PROD planning should include deployment, maintenance, backup, and disaster recovery strategies - Developers should never have rights to a PROD environment (segregation of duties) - New functionality and bug fixes should go through the release management cycle before being deployed to PROD - Emergency changes should be subject to change management procedures

Occupant Emergency Plan (OEP)

The purpose of the Occupant Emergency Plan (OEP) is to create a safe environment for building occupants. The OEP functions include: - Provide a coordinated response to incidents occurring in the facility - Provide particulars regarding what steps should be taken in the event of an emergency - Identify specific routes of entry into and exit from the facility in response to emergencies - Clearly designate assembly areas and shelter facilities where building occupants can gather to be accounted for

Indicator of Compromise (IOC)

The reactive substantive or corroborating evidence that a system or network has been exploited.

Legal Hold

The requirement for an organization to preserve all forms of relevant information when litigation, audit, or government investigation is reasonably anticipated. The objective is to avoid evidence spoliation. -A legal hold supersedes organizational retention policies.

Transparent Proxy

The same as a forward proxy except that the client (browser) does not need to be configured. The proxy server resides on the gateway and intercepts requests

Due Care

The standard of care that a prudent person would have exercised under the same or similar conditions. From a cybersecurity perspective, action taken by an organization to protect its stakeholders, investors, employees, and customers from harm.

Hardware Inventory

Useful Attributes:
Identifier - Name, model, serial number
Supplier - Warranty, SLA (if applicable), support contract (if applicable)
Location - On premise, remote, cloud
Assignments - User, custodian, department, asset owner
Connections - Ingress, Egress
OS/Firmware - Manufacturer, version

TEST

The testing environment (TEST) is used to merge code, ensure quality, isolate bugs, and measure performance and functionality. Testing and development are iterative processes - The testing environment should match the production environment as closely as possible - User acceptance testing (UAT) can be multi-stage (e.g. alpha, beta) - 'Alpha' versions are early versions submitted for feature and functionality testing and feedback - 'Beta' versions are late stage versions submitted to a limited set of users for testing and feedback

Software Licensing

The use of software generally requires a license that contains provisions relating to the use terms and conditions

Logging Challenges

There are five primary challenges to working with log data: volume, noise, variety of formats, interpretation, and privacy - A single device can easily generate hundreds of events per minute - Logs can contain significant amounts of useless data that needs to be parsed before processing - Logs must be converted to a standard format and their data normalized to ensure consistency - Logs are cryptic and require interpretive processes - Logs might contain sensitive data

Patch Management Challenges

There are several challenges inherent in the patch management process including: - Prioritization, timing, and testing - Patch management approach (automated, manual, hybrid) - Access to unmanaged, mobile, or remote devices - Firmware impacts - Side effects. Patch management delays should be evaluated in light of organizational risk tolerance and, if applicable, brought to management's attention

Client-side vs Server-side Validation

There are two types of validation: server-side and client-side - Server-side validation takes place on the server, during a postback (roundtrip to a server) - Client-side validation takes place in the browser and does not require a postback - Where client-side and server-side validation types are used together, the validation on the server acts as a second barrier that stops malicious bypass of client-side validation

Risk Management Concepts terminology

Threat - Potential danger
Threat agent - Individual or group that can manifest a threat
Threat event - Specific instance of a threat
Vulnerability - Weakness
Exploit - When a threat agent successfully takes advantage of a vulnerability
Impact - Magnitude of harm caused by a threat source
Likelihood (of occurrence) - A weighted factor that a given threat agent is capable of exploiting a given vulnerability

Evidence-based information about threats, vulnerabilities, and exploits

Threat Intelligence

Plan Components

Threat Modeling - Anticipated threats and associated controls
Incident types and Categorization - Based on severity and used to determine response times, resource assignments, and preparation requirements
Roles and responsibilities - Assignments including first responders, incident handlers, and designated spokespersons
Reporting requirements - How incidents are internally reported, documented, and reviewed as well as when notification requirements are triggered
Escalation requirements - Definitions for escalation thresholds
Incident Team - Membership, preparation, skill requirements, external resources
Exercise Requirement - Training and exercise requirements and reporting

Information Sharing

Threat intelligence is the 'receiving' of information. Information sharing is the 'giving' of information: sharing information about cybersecurity incidents, threats, vulnerabilities, best practices, mitigations, and other topics.

Decision Factors

Three factors should inform information security decisions: - Strategic alignment with the organization's objectives - Legal, regulatory, or contractual requirements - Level of risk

Supporting Processes

Three supporting processes are critical to the success of a Configuration Management program: - 'Asset and Inventory Management' to ensure configuration item visibility - 'Change control' to manage configuration item changes - 'Version control' to track and document baseline configurations over time

The quality of useful work made by the system per unit of time

Throughput

This term describes the quality of useful work per unit of time

Throughput

Host Security Technologies

Tools - Purpose - Output
HIDS/HIPS - Host intrusion detection and prevention - Local suspicious activity. Response taken (if HIPS)
Antivirus - Blocks malicious code. Scans for signatures - Malicious files identified. Blocked, quarantined, deleted files
File Integrity Checker - Identifies changes in files or file structure - File changes including time, date and file size
Firewall - Controls ingress and egress traffic - Allowed and denied traffic (including attacks)
Data Execution Prevention (DEP) - Monitors program memory use - Denied/blocked executables

Border Security Technologies

Tools - Purpose - Output
Unified Threat Management (UTM) - Multiple (network firewalling, network intrusion detection/prevention (IDS/IPS), gateway antivirus (AV), etc.) - Depends upon what the device is being used for
Data Loss Prevention (DLP) - Prevents malicious and accidental data exfiltration - Allowed and denied activity, quarantined activity (queued)
Web Application Firewall (WAF) - Filters, monitors, inspects, and blocks HTTP traffic to and from a web application - Suspicious traffic requests including SQL injections and XSS

Proprietary business and technical information that can be legally protected

Trade Secret

Transmission Medium

Transmission medium can be wired (cabling) or wireless (radio waves or microwave). Transmission characteristics include: - Throughput - Signal strength - Environmental sensitivity - EMI and RFI - Temperature fluctuations - Interception capability (emanation)

TLS

Transport Layer Security (TLS) is used to establish a secure communication channel between two TCP sessions using a cryptographic key exchange. Default TLS port is 443.
Steps (Client / Server):
<-- Session Establishment
<- Cryptographic Key Exchange ->
<- Encrypted Session Established ->
Note: TLS is the successor and recommended replacement for SSL. TLS 1.1 or higher should be used. TLS 1.0 has been broken.

This cipher technique moves characters or bits to another place within the block

Transposition

Testing to determine if the application works as expected under normal operating conditions

Use case

Software Inventory

Useful Attributes:
Identifier - Name, publisher, version and serial number
Supplier - SLA (if applicable), support contract (if applicable)
Location - Local, server, cloud
Assignments - User, custodian, department, owner
License Info - Subscription, contract, perpetual
Code - Activation keys or code

Provisioning Lifecycle Phase 3

User account auditing, User access auditing, Change requests, User training - User account is audited (validity, group membership, roles, access permissions) - User access is audited - Change request based on personnel requirements - Ongoing training

Defensive Controls

User education, including general awareness and understanding of the importance of following security procedures and reporting suspicious activity. Supported by: - Published policies and procedures including caller/visitor identification, document disposal, and incident reporting - Technical controls, including SPAM and content filtering, browser security settings, and sandboxing - Physical controls including surveillance, mantraps, anti-skimming and anti-shimming devices

Social Engineering Psychology

Using perception, persuasion, and influence, Social Engineers take advantage of basic human instincts and responses including: -The instinct to respond to authority -The tendency to trust people -The desire to be responsive -The fear of getting into trouble -The threat of harm -The promise of a reward

Virtualization technology that hosts a desktop operating system on a centralized server

VDI Virtual Desktop Infrastructure

Software configuration that allows endpoints to be logically grouped together even if they are not attached to the same network switch

VLAN

Virtual Local Area Network (VLAN)

VLAN management allows for the software configuration of endpoints to be logically grouped together even if they are not attached to the same network switch - This allows the grouping of hosts with a common set of requirements to communicate as if they were attached to the same broadcast domain

Malware Families

Virus - Code that requires a host to execute and replicate - Macro, boot sector, stealth, script
Worm - Self-contained program that can replicate on its own. Takes advantage of network transport to spread - Bot/zombie, crypto, APT, generic
Trojan - Self-contained program that appears legitimate. Spreads through user interaction - Embedded in music, video, game, greeting cards, and utilities
Rootkit - Self-contained program that has privileged system access - Firmware, kernel, boot record, legitimate (anti-theft)
Spyware - Self-contained program that collects user information and can manipulate configuration settings - Monitors, adware, tracking cookies, geolocator, click fraud

VoIP Security

VoIP is subject to eavesdropping, interception, spoofing and DDoS. VoIP security controls include: - Enclave VoIP servers - Implement VoIP IDS/IPS - Disable unnecessary services on VoIP devices - Include servers in vulnerability and patch management program - Include VoIP in threat intelligence program - Vendor SLA

VoIP Protocols

VoIP is used to transmit audio and video over IP networks: - VoIP systems employ session controls and signaling protocols for the notification, setup, and tear-down of calls - Codec software is used to convert audio and video into digital frames - There are a variety of proprietary and open VoIP protocols - H.323 was the first widely adopted protocol - Session Initiation Protocol (SIP) is the leading multimedia open protocol

OWASP 2017 #3 Sensitive Data Exposure

Vulnerability - Sensitive data exposure
Description - Unauthorized access to personal, sensitive or proprietary data
Flaw - Weak data protection controls
Impact - Exposure of data (may have regulatory, contractual and/or reputational impact)
Mitigation:
- Classify data and apply appropriate handling standards
- Don't store data that isn't needed
- Encrypt sensitive data at rest and in transit
- Use strong cryptographic components including management
- Hash passwords
- Disable caching for responses that contain sensitive data

The objective of this assessment is to identify known weaknesses and exposures

Vulnerability assessment

This type of exercise is organized as a scenario based workshop

Walk through (Tabletop)

This alternate site has servers and communications infrastructure. Servers might need to be updated. Data will need to be restored

Warm Site

This swap process requires the system to be in a suspended state

Warm Swap

Fire Suppression

Water-based - Sprinkler system effective on Class A (ordinary combustible) fires
Dry-pipe - Sprinkler system effective on Class A (ordinary combustible) fires - Pipes do not have water in them until system is activated - Automatic shut-off
Halon - Pressurized Halon gas that removes oxygen from the air with no residue - Banned by the Montreal Protocol of 1987
FM-200 - Colorless, odorless gaseous halocarbon with no residue - Safe for human beings
Argonite - Mixture of argon and nitrogen gas - Although non-toxic, it can be dangerous to humans
CO2 - Pressurized gas, manual discharge required - Extremely dangerous to humans

This software development project model requires that each phase must be completed before moving to the next

Waterfall

An embedded label in a document

Watermark

Sourcing

Ways organizations obtain services to support the business.
Insourcing - when functions are performed by internal personnel
Outsourcing - when functions are performed by third parties
Sourcing can be provided on-site, off-site and off-shore.
Off-site (nearshore) - remote location in the same geographic area as the organization's physical location
Off-shore - remote location in a different geographic location (generally refers to other countries)

This type of firewall identifies attacks such as SQL injection and XSS

Web Application Firewall (WAF)

Preservation

Whenever possible, potential evidence should be kept as 'pristine as possible'. Contaminants include: - Installing or running any diagnostic tools or scanning software - Deleting files - Making any changes to the system including logging the user out - Turning off the device (memory forensics is possible if a device has not been turned off)

InfoSec Audit Standards

Widely used information security audit control standards and frameworks for internal and operational auditing include: - ISACA COBIT 5 IT Controls and Assurance Objectives - ISACA IT Assurance Framework (ITAF) - AICPA Statement on Standards for Attestation Engagements No. 18 (SSAE 18) - Formerly known as SSAE 16 and, before then, SAS 70 - SSAE 18 SOC 2 report is the de facto assessment standard for technology-oriented service organizations

Wireless Architecture

Wireless networking is connectivity through radio frequency transmissions. Wireless modes include: - Ad Hoc mode is a wireless peer-to-peer relationship - Infrastructure mode topology includes wireless devices, access points, and wired routers connected to the Internet

