Assets, Threats, and Vulnerabilities Flashcards
Asset classification
The practice of labeling assets based on sensitivity and importance to an organization. This helps prioritize security measures.
Asset inventory
A catalog of assets that need to be protected.
It is essential for effective asset management.
Asset management
The process of tracking assets and the risks that affect them.
It ensures that assets are secure and effectively utilized.
Data
Information that is translated, processed, or stored by a computer.
Data can be structured or unstructured.
Data at rest
Data not currently being accessed.
Examples include files stored on a hard drive.
Data in transit
Data traveling from one point to another.
This includes data sent over the internet or a network.
Data in use
Data being accessed by one or more users.
Data in use has to be decrypted in memory so that it can be processed, which makes it the hardest state to protect.
Information security (InfoSec)
The practice of keeping data in all states away from unauthorized users.
It encompasses various security measures and policies.
Policy
A set of rules that reduce risk and protect information.
Policies guide the organization’s security posture.
Procedures
Step-by-step instructions to perform a specific security task.
They ensure consistent execution of security measures.
Regulations
Rules set by a government or other authority to control the way something is done.
Regulations can dictate compliance requirements.
Standards
References that inform how to set policies.
They provide a baseline for compliance and best practices.
Likelihood x Impact = Risk
One way to interpret risk is to consider the potential effects that negative events can have on a business. A way to present this idea is with a specific calculation.
Restricted, confidential, internal-only, and public
The four most common classification levels, from most to least sensitive.
Restricted
The highest classification level. Reserved for highly sensitive assets that are shared strictly on a need-to-know basis.
Confidential
The second highest classification level. Assets whose disclosure may lead to a significant negative impact on the organization.
Internal-only
The third highest classification level. Assets that are available to employees and business partners but not to the public.
Public
The lowest classification level. Assets that cause no negative consequences to the organization if released.
Risk register
A central record of potential risks to an organization’s assets, information systems, and data.
Access controls
Security controls that manage access, authorization, and accountability of information.
Access controls are essential for protecting sensitive data from unauthorized access.
Algorithm
A set of rules used to solve a problem.
Algorithms are fundamental to programming and data processing.
Application programming interface (API) token
A small block of data, usually signed or encrypted by the issuing service, that identifies a user or application.
API tokens are commonly used to authenticate requests to web services and must be protected like passwords.
Asymmetric encryption
The use of a public and private key pair for encryption and decryption of data.
Anyone can encrypt with the public key, but only the holder of the private key can decrypt; the same key pair also underlies digital signatures.
Basic auth
A simple authentication scheme built into HTTP in which the client sends the username and password, base64-encoded, in the Authorization header of each request.
Base64 is an encoding, not encryption, so Basic auth only protects credentials when used over TLS (HTTPS).
Bit
The smallest unit of data measurement on a computer.
A bit can be either 0 or 1.
Brute force attack
Discovering a password, key, or other secret by systematically trying possible values until one works.
Brute force attacks are often used to crack passwords.
Cipher
An algorithm that encrypts information.
Ciphers can be symmetric or asymmetric.
Cryptographic key
A value used by a cipher to encrypt plaintext and decrypt ciphertext; the algorithm can be public, but the key must stay secret.
Protecting the key, not the algorithm, is what keeps encrypted data secure.
Cryptography
The process of transforming information into a form that unintended readers can’t understand.
Cryptography ensures the confidentiality and integrity of data.
Data custodian
Anyone or anything that’s responsible for the safe handling, transport, and storage of information.
Data custodians play a vital role in data governance.
Data owner
The person that decides who can access, edit, use, or destroy their information.
Data owners have the ultimate responsibility for data security.
Digital certificate
A file, signed by a certificate authority, that binds a public key to the identity of its holder.
Digital certificates let a client verify that the key it is about to trust really belongs to the server it is connecting to.
Encryption
The process of converting data from a readable format to an encoded format.
Encryption is critical for protecting sensitive information.
Hash collision
An instance when different inputs produce the same hash value.
Hash collisions can lead to security vulnerabilities.
Hash function
A one-way algorithm that maps input of any size to a fixed-size digest; the digest cannot be reversed to recover the input, and any change to the input changes the digest.
Hash functions are used in data integrity verification, password storage, and digital signatures.
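Added example (not part of the original flashcard set): a birthday search that finds a hash collision on a deliberately truncated SHA-256 output. The truncation to 24 bits, the `msg-N` inputs, and the function names are assumptions made for the demonstration; full SHA-256 has no known collisions. The point is that the cost of finding a collision scales with 2^(bits/2), not 2^bits, which is why digest length matters.

```python
import hashlib
from typing import Optional, Tuple


def truncated_digest(data: bytes, bits: int = 24) -> int:
    """Return the top `bits` bits of SHA-256(data) as an integer.

    The truncation is what makes collisions cheap to find below; the full
    256-bit SHA-256 output has no known collisions.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int = 24, limit: int = 2_000_000) -> Optional[Tuple[bytes, bytes, int, int]]:
    """Birthday search for two distinct inputs with the same truncated digest.

    Every digest seen is remembered; the first repeat is a collision. Because
    any pair among the n inputs tried may collide, the expected cost is about
    2**(bits/2) hashes rather than the 2**bits a preimage search would need.
    Returns (input_a, input_b, digest, hashes_computed) or None if `limit`
    is reached first.
    """
    seen = {}
    for i in range(limit):
        msg = f"msg-{i}".encode()   # constructed inputs; any distinct byte strings work
        h = truncated_digest(msg, bits)
        if h in seen:               # inputs are distinct, so a repeat digest is a collision
            return seen[h], msg, h, i + 1
        seen[h] = msg
    return None


def full_digests_differ(a: bytes, b: bytes) -> bool:
    """The colliding inputs still have different full SHA-256 digests."""
    return hashlib.sha256(a).digest() != hashlib.sha256(b).digest()


if __name__ == "__main__":
    a, b, h, n = find_collision(24)
    print(f"collision on {h:#08x} after {n} hashes: {a!r} and {b!r}")
    print("full SHA-256 digests differ:", full_digests_differ(a, b))
```

Run it a few times with different `bits` values to see the number of hashes needed grow roughly as the square root of the output space.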
Hash table
A data structure that stores values under keys, using a hash of each key to decide where the value is kept.
Hash tables allow for efficient data retrieval.
Identity and access management (IAM)
A collection of processes and technologies that helps organizations manage digital identities in their environment.
IAM is essential for maintaining security and compliance.
Information privacy
Protection of data from unauthorized access and distribution.
Information privacy concerns are increasingly important in the digital age.
Non-repudiation
The concept that the authenticity of information can’t be denied.
Non-repudiation ensures that a sender cannot deny sending a message.
OAuth
An open-standard authorization protocol that shares designated access between applications.
OAuth is widely used for securing APIs.
Payment Card Industry Data Security Standard
What does PCI DSS stand for?
PCI DSS is a set of security standards designed to protect cardholder data.
Principle of least privilege
The concept of granting only the minimal access and authorization required to complete a task or function.
This principle helps minimize potential damage from security breaches.
Public key infrastructure (PKI)
A framework of certificate authorities, digital certificates, and key-management processes that lets parties verify who owns a public key.
PKI is what makes TLS and other secure communication on the internet trustworthy.
Rainbow table
A file of pre-generated hash values and their associated plaintext.
Rainbow tables are used to crack password hashes.
Salting
Adding a random, per-password value (the salt) to a password before hashing it, so that identical passwords produce different hashes.
Salting defeats rainbow tables because a precomputed table would have to be built separately for every possible salt.
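Added example (not part of the original flashcard set) covering the Rainbow table and Salting cards together: a tiny precomputed table reverses an unsalted SHA-256 password hash with one lookup, but fails against a salted, iterated PBKDF2 hash. The password list, the `pbkdf2_sha256$...` storage format, and the function names are assumptions for the demonstration; PBKDF2-HMAC-SHA256 is the standard-library call used here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny precomputed table of unsalted SHA-256 digests of
# common passwords, standing in for a real rainbow table (which holds billions).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hunter2"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digest_hex: str) -> Optional[str]:
    """Attacker's view: an unsalted hash is reversed by a single table lookup."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated password hash using PBKDF2-HMAC-SHA256.

    The salt is 16 random bytes chosen per password and stored next to the
    hash; it does not have to be secret, only unique. The iteration count
    slows each guess so that even a targeted brute-force attack is expensive.
    Storage format (assumed for this example): algo$iterations$salt$hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str) -> Optional[str]:
    """Attacker's view against a salted hash: the precomputed table is useless
    because it was built without this salt; only a per-hash guess loop remains."""
    return PRECOMPUTED.get(stored.split("$")[-1])


if __name__ == "__main__":
    print("unsalted lookup:", crack_unsalted(hash_unsalted("password")))
    stored = hash_password("password")
    print("salted lookup:  ", crack_salted(stored))
    print("verify correct: ", verify_password("password", stored))
    print("verify wrong:   ", verify_password("Password", stored))
```

Hashing the same password twice yields two different stored strings, which is exactly what makes a precomputed table useless. In production use a dedicated password-hashing library (argon2, bcrypt, scrypt); the standard-library PBKDF2 is used here only to keep the example self-contained.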
Security assessment
A check to determine how resilient current security implementations are against threats.
Security assessments help identify vulnerabilities.
Security audit
A review of an organization’s security controls, policies, and procedures against a set of expectations.
Security audits ensure compliance with regulations and standards.
Security controls
Safeguards designed to reduce specific security risks.
Security controls can be technical, administrative, or physical.
Separation of duties
The principle that no single person should hold all the permissions needed to complete a sensitive process alone, for example both requesting and approving a payment.
This principle helps prevent fraud and errors.
Session
A sequence of HTTP requests and responses associated with the same user.
Sessions help maintain stateful interactions with users.
Session cookie
A token that websites use to validate a session and determine how long that session should last.
Session cookies are essential for user experience in web applications.
Session hijacking
An attack in which a threat actor obtains a legitimate user's session ID (for example by sniffing unencrypted traffic or through XSS) and uses it to act as that user without knowing their credentials.
Session hijacking bypasses authentication entirely, which is why session IDs must be unguessable, sent only over TLS, and set to expire.
Session ID
A unique token that identifies a user and their device while accessing a system.
Session IDs are crucial for tracking user sessions.
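Added example (not part of the original flashcard set) covering the Basic auth card above and the Session, Session cookie, Session hijacking and Session ID cards: a client builds an HTTP Basic `Authorization` header, the server decodes it, checks the credential, and then issues an unguessable session ID with an expiry, so the password is not resent on every request. The `USERS` store, the 15-minute TTL, the in-memory `SESSIONS` dictionary and all function names are assumptions for the demonstration.

```python
import base64
import binascii
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed credential store for the example. A real store holds salted
# password hashes, never plaintext passwords.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}

SESSION_TTL = 15 * 60            # idle seconds before a session ID stops working (assumed)
SESSIONS: Dict[str, dict] = {}   # session_id -> {"user": ..., "expires": ...}


def basic_auth_header(user: str, password: str) -> str:
    """Client side: Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (user, password) from the header value.

    base64 is an encoding, not encryption: anyone who observes the header
    recovers the password, so Basic auth is only acceptable over TLS.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_credentials(user: str, password: str) -> bool:
    expected = USERS.get(user)
    if expected is None:
        return False
    # constant-time comparison: timing does not reveal how many bytes matched
    return hmac.compare_digest(expected.encode(), password.encode())


def create_session(user: str, now: Optional[float] = None) -> str:
    """Mint a session ID from a CSPRNG with 256 bits of entropy.

    Unpredictability is the whole defence: an ID an attacker can guess,
    enumerate, or derive from the clock is a hijacked session waiting to happen.
    """
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def session_user(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Look up the user for a presented session ID, enforcing expiry."""
    now = time.time() if now is None else now
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if now > record["expires"]:
        SESSIONS.pop(sid, None)   # expired: delete it so a stolen ID cannot be replayed later
        return None
    return record["user"]


def login(authorization: str, now: Optional[float] = None) -> Optional[str]:
    """Authenticate once with Basic auth and return a session ID, or None."""
    creds = parse_basic_auth(authorization)
    if creds is None or not check_credentials(*creds):
        return None
    return create_session(creds[0], now)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that limit what a stolen or injected script can do with
    the ID: Secure (TLS only), HttpOnly (not readable from JavaScript),
    SameSite (not sent on cross-site requests)."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    sid = login(basic_auth_header("alice", "correct horse battery staple"))
    print(set_cookie_header(sid))
    print("session user:", session_user(sid))
    logout(sid)
    print("after logout:", session_user(sid))
```

The `now` parameter exists so expiry can be exercised deterministically; a real server would also rotate the session ID after login to block session fixation.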
Symmetric encryption
The use of a single shared secret key for both encryption and decryption.
Symmetric encryption is far faster than asymmetric encryption; its difficulty is distributing the shared key securely, which is why the two are usually combined (asymmetric to exchange a key, symmetric to encrypt the data).
User provisioning
The process of creating and maintaining a user’s digital identity.
User provisioning is critical for effective identity management.
Payment Card Industry Data Security Standard (PCI DSS)
A set of security standards, maintained by the PCI Security Standards Council founded by the major payment card brands, for any organization that stores, processes, or transmits cardholder data.
Application programming interface
What does API stand for?
Identity and access management
What does IAM stand for?
Public key infrastructure
What does PKI stand for?
Single Sign-On
What does SSO stand for?
Data steward
The person or group that maintains and implements data governance policies set by an organization.
Knowledge, ownership, and characteristic
What are three factors that can be used to authenticate a user?
Knowledge
A factor used to authenticate a user:
something the user knows.
Ownership
A factor used to authenticate a user:
something the user possesses.
Characteristic
A factor used to authenticate a user:
something the user is.
Single sign-on (SSO)
A technology that combines several different logins into one.
Guest accounts, user accounts, service accounts, and privileged accounts.
What are the most common types of user accounts?
Guest account
A type of account provided to external users who need to access an internal network, like customers, clients, contractors, or business partners.
User account
A type of account assigned to staff based on their job duties.
Service account
A type of account granted to applications or software that needs to interact with other software on the network.
Privileged account
A type of account that elevates permissions or administrative access.
Advanced persistent threat (APT)
An instance when a threat actor maintains unauthorized access to a system for an extended period of time.
Attack surface
All the potential vulnerabilities that a threat actor could exploit.
Attack tree
A diagram that maps threats to assets.
Attack vector
The pathways attackers use to penetrate security defenses.
Common Vulnerabilities and Exposures (CVE®) list
An openly accessible dictionary of known vulnerabilities and exposures.
Bug bounty
Programs that reward independent security researchers for finding and reporting vulnerabilities.
Common Vulnerability Scoring System (CVSS)
A measurement system that scores the severity of a vulnerability.
CVE Numbering Authority (CNA)
An organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its scope.
Defense in depth
A layered approach to vulnerability management that reduces risk.
Exploit
A way of taking advantage of a vulnerability.
Exposure
A mistake that can be exploited by a threat.
MITRE
A collection of non-profit research and development centers.
Security hardening
The process of strengthening a system to reduce its vulnerability and attack surface.
Vulnerability assessment
The internal review process of a company’s security systems.
Vulnerability management
The process of finding and patching vulnerabilities.
Vulnerability scanner
Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network.
Zero-day
A vulnerability unknown to the vendor, so that no patch exists, or an exploit for such a vulnerability; defenders have had "zero days" to prepare.
Perimeter layer, Network layer, Endpoint layer, Application layer, and Data layer
Name five attack surfaces
Perimeter layer
An attack surface like authentication systems that validate user access.
Network layer
An attack surface which is made up of technologies like network firewalls and others.
Endpoint layer
An attack surface which describes devices on a network, like laptops, desktops, or servers.
Application layer
An attack surface which involves the software that users interact with.
Data layer
An attack surface which includes any information that’s stored, in transit, or in use.
External scan
A scan that tests the perimeter layer outside of the internal network.
Internal scan
A scan that starts from the opposite end by examining an organization’s internal systems.
Authenticated scan
A scan that tests a system by logging in with a real user account or even with an admin account.
Unauthenticated scan
A scan that simulates external threat actors that do not have access to your business resources.
Limited scan
A scan that analyzes particular devices on a network, like searching for misconfigurations on a firewall.
Comprehensive scan
A scan that analyzes all devices connected to a network.
Patch update
A software and operating system update that addresses security vulnerabilities within a program or product.
Open-box testing, Closed-box testing, Partial knowledge testing
Name three common penetration testing strategies
Open-box testing
A type of pen test when the tester has the same privileged access that an internal developer would have—information like system architecture, data flow, and network diagrams. This strategy goes by several different names, including internal, full knowledge, white-box, and clear-box penetration testing.
Closed-box testing
A type of pen test when the tester has little to no access to internal systems—similar to a malicious hacker. This strategy is sometimes referred to as external, black-box, or zero knowledge penetration testing.
Partial knowledge testing
A type of pen test when the tester has limited access and knowledge of an internal system—for example, a customer service representative. This strategy is also known as gray-box testing.
Proactive simulations
A simulation where one assumes the role of an attacker by exploiting vulnerabilities and breaking through defenses. This is sometimes called a red team exercise.
Reactive simulations
A simulation where one assumes the role of a defender responding to an attack. This is sometimes called a blue team exercise.
Identification, Vulnerability analysis, Risk assessment, and Remediation
Name the common steps of a vulnerability assessment.
Identification
A step in a vulnerability assessment. A vulnerable server is flagged because it’s running an outdated operating system (OS).
Vulnerability analysis
A step in a vulnerability assessment. Research is done on the outdated OS and its vulnerabilities.
Risk assessment
A step in a vulnerability assessment. After doing your due diligence, the severity of each vulnerability is scored and the impact of not fixing it is evaluated.
Remediation
A step in a vulnerability assessment. Finally, the information that you’ve gathered can be used to address the issue.
Competitors, State actors, Criminal syndicates, Insider threats, and Shadow IT
What are five typical categories of threat actors.
Competitors
A category of a threat actor. This refers to rival companies who pose a threat because they might benefit from leaked information.
State actors
A category of a threat actor. This refers to government intelligence agencies.
Criminal syndicates
A category of a threat actor. This refers to organized groups of people who make money from criminal activity.
Insider threats
A category of a threat actor. This can be any individual who has or had authorized access to an organization’s resources. This includes employees who accidentally compromise assets or individuals who purposefully put them at risk for their own benefit.
Shadow IT
A category of a threat actor. This refers to individuals who use technologies that lack IT governance. A common example is when an employee uses their personal email to send work-related communications.
Common Vulnerabilities and Exposures
What does CVE stand for?
Common Vulnerability Scoring System
What does CVSS stand for?
CVE Numbering Authority
What does CNA stand for?
Angler phishing
A technique where attackers impersonate customer service representatives on social media.
Adware
A type of legitimate software that is sometimes used to display digital advertisements in applications.
Baiting
A social engineering tactic that tempts people into compromising their security.
Cross-site scripting (XSS)
An injection attack that inserts code into a vulnerable website or web application.
Cryptojacking
A form of malware that installs software to illegally mine cryptocurrencies.
DOM-based XSS attack
An instance when client-side JavaScript writes attacker-controlled data (for example from the URL fragment) into the page's DOM, so the malicious script runs without ever being sent to the server.
Dropper
A type of malware that comes packed with malicious code which is delivered and installed onto a target system.
Fileless malware
Malware that runs in memory using legitimate tools already on the system (such as scripting engines) rather than writing its own executable to disk, which defeats file-based scanning.
Injection attack
Malicious code inserted into a vulnerable application.
Input validation
Programming that validates inputs from users and other programs.
Loader
A type of malware that downloads strains of malicious code from an external source and installs them onto a target system.
Process of Attack Simulation and Threat Analysis (PASTA)
A popular threat modeling framework that’s used across many industries.
Phishing kit
A collection of software tools needed to launch a phishing campaign.
Prepared statement
A coding technique in which the SQL statement, with placeholders for values, is sent to the database before the user-supplied values are bound to it, so input can never change the structure of the query.
Potentially unwanted application (PUA)
A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software.
Quid pro quo
A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money.
Reflected XSS attack
An instance when malicious script supplied in a request (for example in a URL parameter) is echoed back by the server in its response and runs in the victim's browser.
Rootkit
Malware that provides remote, administrative access to a computer.
Scareware
Malware that employs tactics to frighten users into infecting their device.
SQL injection
An attack that executes unexpected queries on a database.
Stored XSS attack
An instance when malicious script is saved on the server (for example in a comment or profile field) and served to every user who views the affected page.
Tailgating
A social engineering tactic in which unauthorized people follow an authorized person into a restricted area.
Threat modeling
The process of identifying assets, their vulnerabilities, and how each is exposed to threats.
Trojan horse
Malware that looks like a legitimate file or program.
Watering hole attack
A type of attack when a threat actor compromises a website frequently visited by a specific group of users.
Web-based exploits
Malicious code or behavior that’s used to take advantage of coding flaws in a web application.
Prepared statements, Input sanitization, and Input validation
What are three ways to escape user inputs?
Prepared statements
A coding technique in which the SQL statement, with placeholders for values, is sent to the database before the user-supplied values are bound to it, so input can never change the structure of the query.
Input sanitization
Programming that removes or encodes characters in user input that could be interpreted as code, such as HTML tags or SQL quotes.
Input validation
Programming that ensures user input meets a system’s expectations.
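Added example (not part of the original flashcard set) showing the three defences above against the SQL injection and Stored XSS cards: a deliberately vulnerable string-built query beside its prepared-statement form, an allowlist validator for usernames, and HTML output encoding for a stored comment. The in-memory SQLite database, the sample users, the username rule and the function names are assumptions for the demonstration.

```python
import html
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", 1), ("bob", "hash-b", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately vulnerable: the input is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_prepared(conn: sqlite3.Connection, username: str) -> List[str]:
    """Prepared statement: the SQL with a ? placeholder is parsed first, then the
    value is bound to it. Whatever the input contains, it is only ever a value."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")   # assumed username policy


def validate_username(username: str) -> bool:
    """Input validation: accept only what the system expects (an allowlist of
    characters and a length range); everything else is rejected up front."""
    return USERNAME_RE.fullmatch(username) is not None


def render_comment(comment: str) -> str:
    """Input sanitization for the HTML context (output encoding): characters that
    carry meaning in HTML are replaced by entities, so a stored <script> payload
    is displayed as text instead of being executed by the browser."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"          # classic tautology payload
    print("vulnerable:", find_user_vulnerable(conn, payload))
    print("prepared:  ", find_user_prepared(conn, payload))
    print("validated: ", validate_username(payload))
    print(render_comment("<script>alert(document.cookie)</script>"))
```

Validation and sanitization are not substitutes for prepared statements: validation limits what reaches the query, sanitization makes output safe for one specific context (here HTML), and only parameter binding guarantees that input can never alter the SQL itself.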
Cross-site scripting
What does XSS stand for?
Process of Attack Simulation and Threat Analysis
What does PASTA stand for?
Potentially unwanted application
What does PUA stand for?