Chapter 1 - Getting Started: Essential Knowledge Flashcards
hack value
The idea a hacker holds about the perceived worth or interest in attacking a target.
vulnerability
Weakness in an information system, system security procedure, internal controls, or implementation that could be exploited or triggered by a threat source.
zero day attack
An attack that exploits a vulnerability in a system or application before the vendor is aware of it, and therefore before any patch or fix is available to correct the underlying flaw.
payload
The contents of a packet, as opposed to its headers. In a system attack the payload is the malicious content the attacker delivers so that the target acts upon and executes it.
exploit
Software code, a portion of data, or a sequence of commands intended to take advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software or hardware.
Daisy-chaining
A method of attack whereby several systems or resources are used together in sequence: access gained on one system (or information taken from it) is used to pivot into the next.
Security Controls
Safeguards or countermeasures to avoid, counteract, or minimize security risks.
Security Controls Types
Physical (Guards, lights, camera)
Technical (Encryption, Smart Cards, ACLs)
Administrative (Training, Awareness, Policy)
Preventative (Authentication)
Detective (Audits, Alarm Bells, Alerts)
Corrective (Backups)
Business impact analysis (BIA)
An organized process to gauge the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency.
maximum tolerable downtime
The maximum period a particular asset or business function can be unavailable before the cost of the outage becomes unacceptable; used as a means to prioritize the recovery of assets should the worst occur.
business continuity plan
A set of plans and procedures to follow in the event of a failure or disaster, security related or not, to get business services back up and running. A BCP includes a disaster recovery plan (DRP) that addresses exactly what to do to recover any lost data or services.
disaster recovery plan
A documented set of procedures to recover business infrastructures in the event of a disaster.
CIAA
Security's "holy trinity" triad of confidentiality, integrity, and availability, plus authenticity (a guarantee that someone is who they claim to be, e.g. via a digital signature).
National Computer Security Center (NCSC)
Starting in 1983, the DoD and NSA produced a set of security manuals and evaluation steps known as the "Rainbow Series". The "Orange Book" held the "Trusted Computer System Evaluation Criteria".
Trusted Computer System Evaluation Criteria (TCSEC)
Old DoD standard whose goal was to define the security controls built into a computer system, graded from D (minimal) up to A1 (verified design). Lasted until 2005, when it was superseded by the Common Criteria.
Common Criteria for Information Technology Security Evaluation (CC)
Has been around since 1999 (ISO/IEC 15408), but replaced TCSEC in 2005. Provides a way for vendors to follow a standard set of controls and testing methods, resulting in an Evaluation Assurance Level (EAL) rating from EAL1 to EAL7.
Target of Evaluation (TOE)
Term associated with Common Criteria (CC). The product or system that is being tested.
Security target (ST)
Term associated with Common Criteria (CC). The documentation describing the TOE and security requirements.
Protection profile (PP)
Term associated with Common Criteria (CC). A set of security requirements specifically for the type of product being tested.
Access Control
Restricting access to a resource in some selective manner.
Mandatory access control (MAC)
A method of access control in which the security policy is set by a security administrator (i.e. users can't set the access controls on resources, even ones they own).
Discretionary access control (DAC)
A method that allows users to set access controls on the resources they own or control (e.g. Linux user/group/other read/write/execute permissions).
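The difference between the two models is easiest to see in code. The following is an added example, not part of the original flashcards: a toy DAC file object where only the owner may edit the access list, beside a Bell-LaPadula style MAC check where labels are set only by a security administrator and users can neither read above nor write below their clearance. The level names, user names and the `LEVELS` ordering are constructed for this example.

```python
"""Toy DAC vs MAC model (added example; names and levels are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Set

# MAC sensitivity labels, lowest to highest. Constructed for this example.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
SECURITY_ADMINS = {"root"}  # the only principals allowed to change labels


@dataclass
class DacFile:
    """DAC: the owner decides who else may read or write the object."""
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, actor: str, user: str, perms: Set[str]) -> None:
        # Only the owner may change the access list (the discretionary part).
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this file")
        self.acl[user] = set(perms)

    def can(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


@dataclass
class MacObject:
    """MAC: the object carries a label that ordinary users cannot alter."""
    level: str


def relabel(actor: str, obj: MacObject, new_level: str) -> None:
    # Labels are policy, so only a security administrator may set them.
    if actor not in SECURITY_ADMINS:
        raise PermissionError(f"{actor} may not change security labels")
    if new_level not in LEVELS:
        raise ValueError(f"unknown level {new_level!r}")
    obj.level = new_level


def mac_can_read(clearance: str, obj: MacObject) -> bool:
    # Simple security property: no read up.
    return LEVELS[clearance] >= LEVELS[obj.level]


def mac_can_write(clearance: str, obj: MacObject) -> bool:
    # *-property: no write down, so Secret data cannot flow to a lower label.
    return LEVELS[clearance] <= LEVELS[obj.level]


def access_control_demo() -> dict:
    """Exercise both models and return the access decisions for inspection."""
    out = {}
    report = DacFile(owner="alice")
    report.grant("alice", "bob", {"r"})           # owner grants bob read-only
    out["dac_bob_read"] = report.can("bob", "r")
    out["dac_bob_write"] = report.can("bob", "w")
    try:
        report.grant("bob", "bob", {"w"})         # non-owner cannot grant
        out["dac_bob_self_grant"] = True
    except PermissionError:
        out["dac_bob_self_grant"] = False

    doc = MacObject(level="Secret")
    out["mac_conf_reads_secret"] = mac_can_read("Confidential", doc)
    out["mac_ts_reads_secret"] = mac_can_read("Top Secret", doc)
    out["mac_ts_writes_secret"] = mac_can_write("Top Secret", doc)
    try:
        relabel("bob", doc, "Unclassified")       # a user cannot lower a label
        out["mac_user_relabel"] = True
    except PermissionError:
        out["mac_user_relabel"] = False
    relabel("root", doc, "Confidential")          # the administrator can
    out["mac_conf_reads_after_relabel"] = mac_can_read("Confidential", doc)
    return out


if __name__ == "__main__":
    for name, decision in access_control_demo().items():
        print(f"{name}: {decision}")
```

Note the asymmetry: under DAC, bob's access depends entirely on what alice chose to grant; under MAC, bob's clearance and the object's label decide, and bob cannot change either. The "no write down" rule is what stops a Top Secret user from copying data into a Secret document, which a DAC system would happily allow.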
Access Control Policy
This identifies the resources that need protection and the rules in place to control access to those resources.
Information Security Policy
This identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Versions of this policy are also known as an Acceptable Use Policy.
Information Protection Policy
This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.
Password Policy
This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.
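An added example (not from the original flashcards) of how such a policy is actually enforced when a user changes a password: length, character classes, minimum and maximum age, and reuse checked against a history of salted hashes rather than stored passwords. The policy values, the dates and the sample passwords are constructed for the example; PBKDF2 stands in for whatever slow hash the organization's password store uses.

```python
"""Password policy enforcement (added example; policy values are constructed)."""
import hashlib
import hmac
import os
import re
from datetime import date
from typing import List, Optional, Tuple

# Policy parameters. Constructed example values, not taken from any standard.
POLICY = {
    "min_length": 12,
    "min_classes": 3,     # of: lowercase, uppercase, digit, symbol
    "min_age_days": 1,    # may not be changed again sooner than this
    "max_age_days": 90,   # must be changed by this age
    "history": 5,         # most recent passwords that may not be reused
}

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest); the password itself is never kept


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256. Real stores should use bcrypt/scrypt/argon2."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def count_classes(password: str) -> int:
    """Number of distinct character classes present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def reused(password: str, history: List[HistoryEntry]) -> bool:
    """Rehash the candidate with each stored salt and compare in constant time."""
    for salt, digest in history[-POLICY["history"]:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_change(new_password: str, history: List[HistoryEntry],
                 last_changed: Optional[date], today: date) -> List[str]:
    """Return the list of policy violations; an empty list means the change is allowed."""
    violations = []
    if len(new_password) < POLICY["min_length"]:
        violations.append("too short")
    if count_classes(new_password) < POLICY["min_classes"]:
        violations.append("not enough character classes")
    if last_changed is not None and (today - last_changed).days < POLICY["min_age_days"]:
        violations.append("changed too recently (minimum age)")
    if reused(new_password, history):
        violations.append("reuses a recent password")
    return violations


def is_expired(last_changed: date, today: date) -> bool:
    """Maximum age: the user must be forced to change once this is True."""
    return (today - last_changed).days > POLICY["max_age_days"]


def password_policy_demo() -> dict:
    """Run the checks on constructed inputs and return the outcomes."""
    today = date(2024, 6, 1)
    history = [hash_password(p) for p in ("Winter2023!!", "Spring2024!!")]
    return {
        "reuse": check_change("Spring2024!!", history, date(2024, 3, 1), today),
        "weak": check_change("password", history, date(2024, 3, 1), today),
        "too_soon": check_change("Summer2024!!Ok", history, today, today),
        "good": check_change("Summer2024!!Ok", history, date(2024, 3, 1), today),
        "expired": is_expired(date(2024, 1, 1), today),
    }


if __name__ == "__main__":
    for name, result in password_policy_demo().items():
        print(f"{name}: {result}")
```

The history holds only (salt, digest) pairs, so the reuse check has to rehash the candidate with each stored salt; this is why a long history on a slow hash has a visible cost at password-change time, and why the check is bounded to the last `history` entries.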
E-mail Policy
Sometimes also called the E-mail Security Policy, this addresses the proper use of the company e-mail system.
Information Audit Policy
This defines the framework for auditing security within the organization. When, where, how, how often, and sometimes even who conducts information security audits are described here.
promiscuous policy
Wide open; nothing is blocked.
permissive policy
Blocks only things that are known to be dangerous.
prudent policy
Maximum security, but allows some potentially dangerous services because of business needs.
paranoid policy
Locks everything down, not even allowing a web browser to be opened.
Standards
Mandatory rules used to achieve consistency.
Baselines
Provide the minimum security level necessary.
Guidelines
Flexible, recommended actions users are to take in the event there is no standard.
Procedures
Step-by-step instructions for accomplishing a task or goal.
Infowar (information warfare)
The use of offensive and defensive techniques to create an advantage over your adversary.
Tiger Team
A group of people gathered together by a business entity working to address a specific problem or goal.
HIPAA
Health Insurance Portability and Accountability Act
Information Assurance
(IA) refers to ensuring that the integrity, availability, confidentiality, and authenticity of information and information systems are protected during the use, processing, storage, and transmission of information.
Processes that help achieve IA
- Developing local policy, processes, and guidance.
- Designing network and user authentication strategies.
- Identifying network vulnerabilities and threats.
- Identifying problems and resource requirements.
- Creating a plan for identified resource requirements.
- Applying appropriate IA controls.
- Performing certification and accreditation.
- Providing Information Assurance training.
Advanced Persistent Threats (APT)
A prolonged, targeted, and stealthy intrusion, typically focused on stealing information from the target without the user or organization being aware of it.
Internet of Things (IoT)
Internet for all the small smart devices out there (e.g. toilets, phones, thermostats, etc.)
Internet
Outside the boundary and uncontrolled. You don't apply security policies on the Internet.
Internet DMZ
Demilitarized Zone: a controlled buffer network between you and the uncontrolled chaos of the Internet.
Production Network Zone
A very restricted zone that strictly controls direct access from uncontrolled zones. PNZ does not hold users.
Intranet Zone
A controlled zone that has little to no heavy restrictions. This is not to say everything is wide open on the Intranet Zone, but communications internally require fewer strict controls.
Management Network Zone
Usually an area you’d find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.
Misconfiguration Vulnerabilities
A misconfiguration of the service or application settings.
Default Installation Vulnerabilities
Sometimes the installation of an application or service using default locations and settings opens a vulnerability (sometimes discovered well after the release of the application or service).
Buffer Overflows
Covered later in this book, buffer overflows are flaws in execution allowing an attacker to take advantage of bad coding.
Missing Patches (Unpatched Servers) Vulnerabilities
Despite a patch for a known security flaw being available, many systems are not patched for a variety of reasons, leaving them vulnerable to attack.
Design Flaws Vulnerabilities
Flaws universal to all operating systems: things like encryption, data validation, logic flaws, and so on.
OS Flaws
Flaws in a specific OS.
Application Flaws
Flaws inherent in the application's own coding and function.
Open Services
Services that are not actively used on the system but remain open anyway (usually due to negligence or ignorance) can be targets.
Default Passwords
Leaving a default password in place on a system is asking for trouble.
Risk Identification
Identifies the sources, causes, consequences, etc. of internal and external risks affecting the security of the organization.
Risk Assessment
Assesses the organization's risks and determines the likelihood and impact of each risk.
Risk treatment
Selects and implements appropriate controls for the identified risks.
Risk Tracking
Ensures the selected controls are actually implemented.
Risk Review
Evaluates the performance of the implemented risk management controls and strategies.