Chapter 1 - Getting Started: Essential Knowledge

Question 1

hack value

Answer 1

The idea a hacker holds about the perceived worth or interest in attacking a target.

Question 2

vulnerability

Answer 2

Weakness in an information system, system security procedure, internal controls, or implementation that could be exploited or triggered by a thread source.

Question 3

zero day attack

Answer 3

An attack carried out on a system or application before the vendor becomes aware and before a patch or fix action is available or correct underlying vulnerability.

Question 4

payload

Answer 4

the contents of a packet. A system attack requires the attacker to deliver a malicious payload that is acted upon and executed by the system.

Question 5

exploit

Answer 5

Software code, a portion of data, or a sequence of commands intended to take advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software or hardware.

Question 6

Daisy-chaining

Answer 6

A method of external testing where by several systems or resources are used together to make an attack.

Question 7

Security Controls

Answer 7

Safeguards or counter measures to avoid, counteract, or minimize security risks.

Question 8

Security Controls Types

Answer 8

Physical (Guards, lights, camera)
Technical (Encryption, Smart Cards, ACLs)
Administrative (Training, Awareness, Policy)
Preventative (Authentication)
Detective (Audits, Alarm Bells, Alerts)
Corrective (Backups)

Question 9

Business impact analysis (BIA)

Answer 9

An organized process to gauge the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency.

Question 10

maximum tolerable downtime

Answer 10

A measurement of potential cost due to a particular asset being unavailable, used as a means to prioritize the recovery of assets should the worst occur.

Question 11

business continuity plan

Answer 11

A set of plans and procedures to follow in the event of a failure or a disaster security related or not to get business services back up and running. BCPs include a disaster recovery plan (DRP) that addresses exactly what to do to recover any lost data or services.

Question 12

disaster recovery plan

Answer 12

A documented set of procedures to recover business infrastructures in the event of a disaster.

Question 13

CIAA

Answer 13

securities holy trinity triad; confidentiality, integrity, availability. Also, authenticity (guarantee someone is who they say they are i.e. digital signature)

Question 14

National Computer Security Center (NCSC)

Answer 14

In 1983, some guys from DoD and NSA worked to create security manuals and steps known as “Rainbow Series”. “Orange Book” held “Trusted Computer System Evaluations Criteria”.

Question 15

Trusted Computer System Evaluation Criteria (TCSEC)

Answer 15

Old DoD standard with a goal to set security controls built into a computer system. Lasted until 2005.

Question 16

Common Criteria for Information Technology Security Evaluation (CC)

Answer 16

Been around since 1999, but started in 2005. Provides a way for vendors to follow a set of standard of controls and testing methods resulting in (Evaluation Assurance Level (EAL))

Question 17

Target of Evaluation (TOE)

Answer 17

Term associated with Common Criteria (CC) .What is being tested.

Question 18

Security target (ST)

Answer 18

Term associated with Common Criteria (CC). The documentation describing the TOE and security requirements.

Question 19

Protection profile (PP)

Answer 19

Term associated with Common Criteria (CC). A set of security requirements specifically for the type of product being tested.

Question 20

Access Control

Answer 20

Restricting access to a resource in some selective manner.

Question 21

Mandatory access control (MAC)

Answer 21

A method of access control where security policy is controlled by a security administrator. (i.e. users can’t set the access controls.)

Question 22

Discretionary access control (DAC)

Answer 22

A method that allows users to set access controls on the resources they own or control. (e.g. Linux users, groups,other read/write/execute permissions)

Question 23

Access Control Policy

Answer 23

This identifies the resources that need protection and the rules in place to control access to those resources.

Question 24

Information Security Policy

Answer 24

This identifies to employees what company systems may be used for, what they cannot be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Version of this policy are also known as an Acceptable Use Policy.

Question 25

Information Protection Policy

Answer 25

This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.

Question 26

Password Policy

Answer 26

This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.

Question 27

E-mail Policy

Answer 27

Sometimes also called the E-mail Security Policy, this addresses the proper use of the company e-mail system.

Question 28

Information Audit Policy

Answer 28

This defines the framework for auditing security within the organization. When, where, how, how often, and sometimes even who conducts information security audits are described here.

Question 29

promiscuous policy

Answer 29

Wide Open

Question 30

permissive policy

Answer 30

blocks only things that are dangerous.

Question 31

prudent policy

Answer 31

maximum security, but allows some potentially dangerous services because of business needs.

Question 32

paranoid policy

Answer 32

locks everything down, not even allowing to open the browser.

Question 33

Standards

Answer 33

mandatory rules used to achieve consistency.

Question 34

Baselines

Answer 34

provide minimum security level necessary.

Question 35

Guidelines

Answer 35

flexible recommended actions users are to take in event there is no standard.

Question 36

Procedures

Answer 36

step by step instructions for accomplishing a task or goal.

Question 37

Infowars

Answer 37

use of offensive and defensive techniques to create an advantage over your adversary.

Question 38

Tiger Team

Answer 38

A group of people gathered together by a business entity working to address a specific problem or goal.

Question 39

HIPAA

Answer 39

Health Insurance Portability and Accountability Act

Question 40

Information Assurance

Answer 40

(IA) refers to the integrity, availability, confidentiality, and authenticity of information and information systems is protected during usage, processing, storage, and transmission of information.

Question 41

Processes that help achieve IA

Answer 41

1. Developing local policy, processes, and guidance
   2 Designing network and user authentication strategies.
2. Identify network vulnerabilities and threats.
3. Identifying problems and resource requirements.
4. Creating a plan for identified resource requirements.
5. applying appropriate IA controls
6. Performing cert and accreditation.
   8 provide Information Assurance training.

Question 42

Advanced Persistent Threats (APT)

Answer 42

Focuses on stealing user information without the user being aware.

Question 43

Internet of Things (IoT)

Answer 43

Internet for all the small smart devices out there (e.g. toilets, phones, thermostats, etc.)

Question 44

Internet

Answer 44

Outside the boundary and uncontrolled. You don’t apply security polices on the Internet.

Question 45

Internet DMZ.

Answer 45

Demilitarized Zone controlled buffer network between you and the uncontrolled chaos of the internet.

Question 46

Production Network Zone

Answer 46

A very restricted zone that strictly controls direct access from uncontrolled zones. PNZ does not hold users.

Question 47

Intranet Zone

Answer 47

A controlled zone that has little-to-no heavy restrictions. This is not to say everything is wide open on the Intranet Zone, but communcations requires fewer strict controls internally.

Question 48

Management Network Zone

Answer 48

Usually an area you’d find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.

Question 49

Misconfiguration Vulnerabilities

Answer 49

A misconfiguration of the service or application settings.

Question 50

Default Installation Vulnerabilities

Answer 50

Sometimes the installation of an application or service using default locations and settings opens a vulnerability (sometimes discovered well after the release of the application or service).

Question 51

Buffer Overflows

Answer 51

Covered later in this book, buffer overflows are flaws in execution allowing an attacker to take advantage of bad coding.

Question 52

Missing Patches (Unpatched Servers) Vulnerabilities

Answer 52

Despite patching for a known security flaw being available, many systems are not patched for a variety of reasons, leaving them vulnerable to attack.

Question 53

Design Flaws Vulnerabilities

Answer 53

These are flaws universal to all operating systems things like encryption, data validation, logic flaws, and so on.

Question 54

OS Flaws

Answer 54

These are flaws in a specific OS

Question 55

Application Flaws

Answer 55

Flaws inherit to the application coding and function itself.

Question 56

Open Services

Answer 56

Services that are not actively used on the system but remain open anyway (usually due to negligence or ignorance) can be targets.

Question 57

Default Passwords

Answer 57

Leaving a default password in place on a system is asking for trouble.

Question 58

Risk Identification

Answer 58

Identifies the sources, causes, consequences, etc. of internal and external risks affecting security of organization

Question 59

Risk Assessment

Answer 59

Assesses organizations risks and determines likelihood and impact of a risk

Question 60

Risk treatment

Answer 60

Selects and implements appropriate controls on identified risks

Question 61

Risk Tracking

Answer 61

Ensures appropriate controls are implemented.

Question 62

Risk Review

Answer 62

Evaluates the performance of implemented risk management and strategies