Chapter 3 - Implementation Flashcards

1
Q

Domain Name System Security Extensions (DNSSEC)

A

Validates DNS responses, providing origin authentication and data integrity
Prevents attackers from manipulating or poisoning the responses to DNS requests

2
Q

Secure Shell (SSH)

A

An encrypted protocol that provides secure terminal communication and file transfer features

3
Q

Secure/ Multipurpose Internet Mail Extensions (S/MIME)

A

Keeps emails confidential
Protects information and provides digital signatures

4
Q

Secure Real-time Transport Protocol (SRTP)

A

Takes a normal conversation across the network and adds encryption so nobody can listen to your conversation
Uses AES for encryption
Uses HMAC-SHA1 for integrity

5
Q

Lightweight Directory Access Protocol Over SSL (LDAPS)

A

Used for reading and writing directories over an Internet Protocol network
Uses SSL and/ or Simple Authentication and Security Layer (SASL)

6
Q

File Transfer Protocol, Secure (FTPS)

A

Transferring files securely between devices
Uses SSL for encryption

7
Q

SSH File Transfer Protocol (SFTP)

A

Provides secure file system functionality
Supports resuming interrupted transfers, directory listings, and remote file removal
Uses SSH for encryption

8
Q

Simple Network Management Protocol, Version 3 (SNMPv3)

A

Used to query routers and switches securely
Provides confidentiality, integrity, and authentication

9
Q

Hypertext Transfer Protocol over SSL/TLS (HTTPS)

A

Secure version of HTTP
Used for making sure our browser communication is running over an encrypted connection

10
Q

IPSec

A

Communicating between two locations across the internet in a secure form, with encryption and packet signing (integrity)

11
Q

IPSec - Authentication Header (AH)/ Encapsulating Security Payloads (ESP)

A

AH - provides integrity
ESP - provides encryption

12
Q

IPSec - Tunnel/ Transport

A

Tunnel mode is used to create virtual private networks for network-to-network communications
Transport mode usually encrypts or authenticates only the payload of the IP packet

13
Q

Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP)

A

A way to send and receive email securely
Both use SSL for encryption

14
Q

Protocol Use Cases - Voice and Video

A

Use SRTP
Keeps conversations private by using AES

15
Q

Protocol Use Cases - Time Synchronization

A

Use NTPsec
Secure network time protocol

16
Q

Protocol Use Cases - Email and Web

A

Email - Use S/MIME
Web - Use HTTPS over SSL/ TLS

17
Q

Protocol Use Cases - File Transfer

A

Use FTPS or SFTP (SSH File Transfer Protocol)

18
Q

Protocol Use Cases - Directory Services

A

Use LDAP

19
Q

Protocol Use Cases - Remote Access

A

Use SSH

20
Q

Protocol Use Cases - Domain Name Resolution

A

Use DNSSEC

21
Q

Protocol Use Cases - Routing and Switching

A

Use SSH with SNMPv3 and HTTPS

22
Q

Protocol Use Cases - Network Address Allocation

A

Use DHCP

23
Q

Protocol Use Cases - Subscription Services

A

Use automated subscriptions with constant updates, and check for encryption and integrity checks

24
Q

Dynamic Host Configuration Protocol (DHCP)

A

Assigning IP addresses and other communication parameters to devices connected to the network using a client-server architecture
Vulnerable to starvation attacks

25
The Endpoint
Physical devices that connect to a network system such as mobile devices, desktop computers, virtual machines, embedded devices, and servers
26
Antivirus
Software designed to detect and destroy computer viruses. Examples: Trojan horses, worms
27
Anti-malware
Software designed to detect and destroy computer viruses. Examples: spyware, adware
28
Endpoint Detection and Response (EDR)
A method of threat protection that detects a threat, investigates the threat, and responds to the threat
29
Data Loss Prevention (DLP)
The detection of potential data breaches or data exfiltration transmissions (data "leakage")
30
Next-generation Firewall (NGFW)
Combining a traditional firewall with other network device filtering functions and controls. Covers application features, attacks and malware, encrypted data, and access to URLs
31
Host-based Intrusion Prevention System (HIPS)
Recognizes and blocks known attacks. Secures OS and application configs and validates incoming service requests
32
Host-based Intrusion Detection System (HIDS)
Uses log files to identify intrusions. Can reconfigure firewalls to block
33
Host-based Firewall
Personal firewall software that runs on every endpoint and examines traffic and processes
34
Boot Integrity
Ensures that the operating system kernel has not been modified by any malware, such as rootkits
35
Boot Security/ Unified Extensible Firmware Interface (UEFI) (BIOS)
A set of routines residing in firmware that boots the operating system and sets up the hardware
36
Measured Boot
Process of measuring each component, from firmware up through the boot start drivers, to provide a way to inform the last software stage if someone tampered with the platform
37
Boot Attestation
Receives the boot report; changes are identified and made if there have been malware infections
38
Database Security
Protecting stored data and the transmission of data
39
Application Security
The process of developing, adding, and testing security features within applications to prevent security vulnerabilities
40
Input Validations
Process of checking whether all input is correct and correcting it if it isn't (normalization)
41
Secure Cookies
Information used for tracking, personalization, and session management that is stored on your computer by the browser
42
Hypertext Transfer Protocol (HTTP) Headers
An additional layer of security that ensures encrypted communication. Prevents XSS attacks
43
Code Signing
Code digitally signed by the developer to show the code has not been altered
44
Allow List
Nothing can run unless it's approved
45
Block/ Deny List
Nothing on this list can be executed
46
Secure Coding Practices
A balance between time and quality. Make sure to test (QA)
47
Static Code Analysis
The analysis of computer programs performed without executing them
48
Manual Code Review
The process of reading the source code line by line to look out for possible vulnerabilities
49
Dynamic Code Analysis
Designed to test a running application for potentially exploitable vulnerabilities
50
Fuzzing/ Fuzzers
The injection of invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
51
Hardening
Minimizing the attack surface and removing all possible points of exploitation
52
Open Ports and Services
Possible point of entry. Controlled with a firewall. Port range 0-65,535
53
Registry
Primary configuration database; used to know when applications are modified
54
Disk Encryption
The prevention of access to application data files
55
Operating System (OS) Hardening
Doing regular updates, managing user accounts, limiting network access, and keeping anti-malware and antivirus up to date
56
Patch Management
The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions
57
Patch Management - Third Party Updates
Process of installing patches to third-party applications that are installed on your company's endpoints
58
Patch Management - Auto-update
Not very good, because an update might not be what you want. Test first
59
Self-encrypting Drive (SED)
Hardware-based full disk encryption that does not need operating system software
60
Opal
Standard specification for SEDs. Defines a way of encrypting the stored data so that an unauthorized person who gains possession of the device cannot see the data
61
Hardware Root of Trust
The ability to trust that the system is going to be safe and secure
62
Trusted Platform Module (TPM)
Designed to help with cryptographic functions that are used within the operating system
63
Sandboxing
Gives users a safe, lightweight environment to execute code and run applications to test
64
Full-disk Encryption (FDE)
Encrypting everything on the drive
65
Load Balancing
Process of distributing a set of tasks over multiple servers, with the aim of making their overall processing more efficient
66
Active/ Active Load Balancing
Having two or more load balancer servers running at the same time
67
Active/ Passive Load Balancing
Having some servers on standby and when the active server fails, the passive server takes over
68
Load Balancing Scheduling
Round-robin - each server is selected in turn; Weighted round-robin - prioritizes server use; Dynamic round-robin - monitors server load and sends to the server with the lowest use
69
Load Balancing Persistence
Directing a client's requests to the same backend web or application server for the duration of a “session” or the time it takes to complete a task or transaction
70
Network Segmentation
An architectural approach that divides a network into multiple segments or subnets, each acting as its own small network
71
Segmentation w/ Virtual Local Area Networks (VLANs)
Creates a collection of isolated networks within the data center. Severely hinders access to system attack surfaces
72
Screened Subnet
Additional layer of security between the internet and you
73
East-west Traffic
Traffic between devices in the same data center
74
Extranet
A private network for partners and authorized users. Examples: vendors, suppliers
75
Intranet
Private network for employees within a company only
76
Zero Trust
A framework that assumes a complex network's security is always at risk to external and internal threats
77
Virtual Private Network (VPN)
Mechanism for creating a secure connection between a computing device and a computer network or internet
78
Virtual Private Network (VPN) - Always-on
Automated service that establishes a connection between the client and the VPN with no user interactions whatsoever
79
Full VPN Tunnel
Remote user sends everything to the VPN concentrator
80
Split VPN Tunnel
Remote user sends some information to VPN concentrator and separate website
81
Remote Access VPN
Enables users to connect to a private network remotely using a VPN
82
Site-to-site VPN
Connects two locations together using two concentrators. Example: corporate network and remote site
83
Layer 2 Tunneling Protocol
Connecting sites over a layer 3 network as if they were connected at layer 2
84
SSL/ TLS VPN
Created using the SSL protocol to create a secure and encrypted connection over a less-secure network, such as the Internet
85
Hypertext Markup Language Version 5 (HTML5) VPNs
Creates a VPN tunnel without a separate VPN application
86
Network Access Control (NAC)
The process of restricting unauthorized users and devices from gaining access to a corporate or private network
87
Agent Network Access Control
The process of restricting unauthorized users and devices from gaining access to a corporate or private network
88
Agentless Network Access Control
Uses Active Directory to check the user's device during login and logoff actions
89
Out-of-band Management
The management of devices and IT assets remotely without using the corporate LAN
90
Port Security
Helps secure the network by blocking foreign devices from forwarding packets
91
Bridge Protocol Data Unit (BPDU) Guard
Prevents attacks on a network by blocking Bridge Protocol Data Units (BPDUs) that are sent from unauthorized devices. An enabled port shuts down as soon as a BPDU is received
92
Loop Prevention
Traffic being sent between two switches forever. The use of IEEE standard 802.1D prevents loops
93
Dynamic Host Configuration Protocol (DHCP) Snooping
Layer 2 security technology incorporated into the operating system of a capable network switch that filters DHCP traffic determined to be unacceptable
94
Media Access Control (MAC) Filtering
A security access control method whereby the MAC address assigned to each network interface controller is used to determine access
95
Jump Servers
A hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them
96
Proxy Server
A system that sits between the users and the external network to receive and send user requests, as well as caching information, access control, URL filtering, and content scanning
97
Forward Proxy Server
Used to protect and control user access to the internet ("internal proxy")
98
Reverse Proxy Server
Used to protect inbound traffic from the internet to your internal service
99
Network-based Intrusion Detection System (NIDS)
Detects and reports network security problems by monitoring network or system activities for malicious or anomalous behavior
100
Network-based Intrusion Prevention System (NIPS)
A network security tool that continuously monitors a network for malicious activity and takes action to prevent it
101
Signature-based Intrusion Prevention
Monitors inbound network traffic to find sequences and patterns that match a particular attack signature
102
Anomaly-based Intrusion Prevention
An intrusion detection system for detecting both network and computer intrusions by building a baseline of what's "normal"
103
Behavior-based Intrusion Prevention
An intrusion detection system that records expected patterns concerning the entity being monitored and reports deviations from them
104
Heuristic Intrusion Prevention
A system that uses artificial intelligence to scan for malicious behavior from a program either within the system, or trying to access the system
105
Passive Monitoring Intrusion Prevention
The examination of a copy of the network traffic. Cannot block or prevent the traffic
106
Inline Monitoring Intrusion Prevention
Sits inline with the network traffic and monitors and controls it in real time
107
Hardware Security Module (HSM)
A device specifically designed to manage and control a large environment. Safeguards and manages cryptographic keys and provides cryptographic processing
108
Collectors
A console (or consoles) that receives all sensor data and provides output of what is going on on the network
109
Web Application Firewall (WAF)
Filters, monitors, and blocks HTTP/ HTTPS traffic to and from a web service
110
Stateful Firewall
Keeps track of and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks
111
Stateless Firewall
Does not keep track of traffic flows and examines each packet individually regardless of history
112
Unified Threat Management (UTM)
When multiple security features or services are combined into a single device within your network. Includes: web security gateway, URL filter, malware inspection, spam filter, CSU/ DSU, router, switch, firewall, IDS/ IPS, bandwidth shaper, VPN endpoint
113
Network Address Translation (NAT) Gateway
Used to enable instances present in a private subnet to help connect to the internet or AWS services
114
Content/ URL Filter
Blocks users from loading questionable websites or hosted files via corporate device or network resources
115
Open-source Firewall
Provides traditional firewall functionality
116
Proprietary Firewall
Traditional firewall with features like application control and high-speed hardware
117
Hardware Firewall
Provides efficient and flexible connectivity options
118
Software Firewall
Can be installed on own hardware from anywhere
119
Appliance Firewall
Has the fastest throughput
120
Host-based Firewall
Application-aware and can view non-encrypted data
121
Virtual Firewall
Provides valuable East/ West network security
122
Access Control List (ACL)
Specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources
123
Quality of Service (QoS)
Describes the process of controlling traffic flows and ensuring the performance of critical applications with limited network capacity
124
Implications of IPv6
Most recent version of the Internet Protocol. Protects against many existing attacks, but new attacks will occur since it is new
125
Port Mirroring/ Port Spanning
Cross connecting two or more ports on a network switch so that traffic can be simultaneously sent to a network analyzer or monitor connected to another port
126
Port Taps
A simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis and security
127
Monitoring Services
Ongoing security checks that identify threats, respond to events, and maintain compliance
128
File Integrity Monitors
Identifying when changes to operating system and application files occur. Some should NEVER change
129
North-south Traffic
Traffic between the data center and the rest of the network
130
Wi-Fi Protected Access 2 (WPA2)
An encrypted security protocol that protects internet traffic on wireless networks. Uses CCMP block cipher mode for encryption
131
Wi-Fi Protected Access 3 (WPA3)
Update of WPA2 security. Uses GCMP cipher mode, a stronger encryption
132
Counter-mode/ CBC-MAC Protocol (CCMP)
A security protocol used by WPA2 for encryption. CCMP uses AES for confidentiality and CBC-MAC for integrity
133
Galois/ Counter Mode Protocol
A security protocol used by WPA3 for encryption. Stronger encryption than WPA2. GCMP uses AES for confidentiality and GMAC for integrity
134
Simultaneous Authentication of Equals (SAE)
A Diffie-Hellman derived key exchange with an authentication component. Everyone uses a different session key, even with the same PSK. Fixes the WPA2 PSK problem
135
Extensible Authentication Protocol (EAP)
An authentication framework. Integrates with 802.1X to prevent access to the network until the authentication succeeds. Uses RFC standards
136
Protected Extensible Authentication Protocol (PEAP)
Protected EAP. Uses TLS and uses a digital certificate or a generic token card instead of a PAC
137
EAP-FAST
EAP Flexible Authentication via Secure Tunneling. Authenticates by means of a protected access credential (PAC). Negotiates a TLS tunnel and needs a RADIUS server
138
EAP-TLS
Requires digital certificates on all devices, and a TLS tunnel is built for the user authentication process. Needs a PKI
139
EAP-TTLS
EAP Tunneled Transport Layer Security. Supports other authentication protocols in a TLS tunnel. Requires a digital certificate on the AS
140
IEEE 802.1X
Port-based Network Access Control (NAC). You do not get access to the network until you authenticate. Used with RADIUS, LDAP, TACACS+
141
Remote Authentication Dial-in User Service (RADIUS) Federation
Links a user's identity across multiple organizations' networks. Uses 802.1X
142
Wireless Security Mode - Pre-shared Key (PSK)
Everyone uses the same key. A unique WPA3 session key is derived from the PSK using SAE
143
Wireless Security Mode - Enterprise
Uses WPA2/ WPA3 802.1X. Authenticates users individually with an authentication server. Example: RADIUS
144
Wireless Security Mode - Open System
No password is required to configure the authentication on your wireless access point/ router
145
Wi-Fi Protected Setup (WPS)
Allows "easy" setup of a mobile device. Examples: PIN, NFC, push button
146
Captive Portals
Web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources
147
Site Surveys
Inspections of an area where work is proposed, to gather information for a design or an estimate to complete the initial tasks required. Examples: access points, frequencies, etc.
148
Heat Maps
Identification of wireless signal strengths
149
Wi-Fi Analyzers
Provides information about wireless networks, including their signal strength, coverage, names, and security configuration
150
Channel Overlaps
The overlapping of channels that cause frequency conflicts
151
Wireless Access Point (WAP) Placement
Placing routers strategically to avoid overlap, interference, and excessive signal distance while maximizing coverage and minimizing access points. Examples of interference: microwaves, building materials
152
Controller and Access Point Security
Controllers - strong encryption with HTTPS, automatic logout after no activity. Access points - strong passwords and firmware updates
153
Wireless Controllers
Centralized management of wireless access points that manage system configuration and performance
154
Cellular Network
Mobile devices ("cell phones"). Separates land into "cells"; an antenna covers a cell with certain frequencies
155
Wi-Fi
An internet connection that's shared with multiple devices in a home or business via a wireless router
156
Bluetooth
High speed communication over short distances. Connects our mobile devices to other electronics
157
Near Field Communication (NFC)
Two-way wireless communication. Helps with Bluetooth pairing. Examples: payment systems
158
Infrared (IR)
A wireless mobile technology used for device communication over short ranges. Requires line-of-sight. Example: controlling an entertainment system
159
Universal Serial Bus (USB)
Physical connectivity to a device that is used to store and extract files or other documents
160
Point-to-Point Communication
One-to-one connection; a conversation between two devices
161
Point-to Multipoint Communication
802.11 wireless. One-to-many connection
162
Global Positioning System (GPS)
Precise navigation that determines location based on timing differences (latitude, longitude, altitude). Uses 4 satellites at a time
163
Radio Frequency Identification (RFID)
Radar technology that uses electromagnetic fields to automatically identify and track tags attached to objects
164
Mobile Device Management (MDM)
The managing of company-owned and mobile-owned devices by setting policies and access control
165
Mobile Device - Application Management
Managed through allow lists that approve only apps that can be installed and that are not malicious
166
Mobile Device - Content Management
Mobile Content Management (MCM). Secure access to data and protect data from outsiders by securing file sharing and viewing
167
Mobile Device - Remote Wipe
Removing all data from a mobile device
168
Mobile Device - Geofencing
Restricting or allowing features when the device is in a particular area. Examples: cameras, logins, etc.
169
Mobile Device - Geolocation
Precise tracking details, accurate to within feet, used to find either your phone or you
170
Mobile Device - Screen Locks
Used to lock your phone to secure your data so nobody can get in without the password
171
Mobile Device - Push Notifications
Information that appears on the mobile device screen
172
Mobile Device - Passwords and PINs
Used to protect against unauthorized access. Recovery of a password or PIN can be initiated with the MDM
173
Mobile Device - Biometrics
You are the authentication factor
174
Mobile Device - Context-aware Authentication
Combination of multiple contexts: where you normally log in (IP address), where you normally are (GPS location), other devices that may be paired (Bluetooth)
175
Mobile Device - Containerization
A way to separate personal data from corporate data by creating a logical container to enhance corporate data security
176
Mobile Device - Storage Segmentation
Keeps data separate. Isolates the device's OS and preinstalled apps from user-installed apps and user data
177
Mobile Device - Full Device Encryption
Encrypting all of the data on the mobile device
178
Mobile Device - MicroSD Hardware Security Module (HSM)
Provides security services such as encryption, key generation, digital signatures, and authentication. Now available in MicroSD card form
179
Mobile Device - MDM/ Unified Endpoint Management (UEM)
Class of software tools that provide a single management interface for mobile, PC and other devices
180
Mobile Device - Mobile Application Management (MAM)
Monitor, provision, update and remove apps. Create an enterprise app catalog so users can pick what to install
181
Mobile Device - SEAndroid
Security Enhancements for Android. A security solution for Android that identifies and addresses critical gaps
182
Third-party Application Stores
App Store/ Google Play. Not all apps are secure or appropriate for business
183
Rooting/ Jailbreaking
Rooting - Android; Jailbreaking - Apple. Able to gain complete control of the operating system and remove some restrictions present in the software
184
Sideloading
Installing unapproved software/ apps from a third-party source, or transferring files between two devices
185
Custom Firmware
Unofficial new or modified version of firmware created by third parties
186
Carrier Unlocking
Allowing consumers to move their cell phone from one carrier to another
187
Firmware Over-the-air (OTA) Updates
Operating system updates, which can be significant, that can be installed without using a cable
188
Monitoring of Camera Use
Could be used for espionage or inappropriate use. MDM can disable or enable in certain locations
189
Monitoring of SMS/ Multimedia Messaging Service (MMS)
Text messages, video, and audio that can be exposed to data leaks and phishing attempts. MDM can allow only during certain time frames or locations
190
Rich Communication Services (RCS)
A communication protocol between mobile telephone carriers and between phone and carrier, aiming to replace SMS messages with a richer text-message system
191
External Media
Data that is stored on or transferred onto external or removable devices. Examples: USB or flash drives
192
USB On-the-go (USB OTG)
Connect devices directly together by being both the host and a device. No computer or cable required. Usually a mobile device and a USB/flash drive
193
Monitoring of Recording Microphone
Useful for meetings and note taking. Can be a legal liability depending on the state. MDM can disable or geo-fence
194
Geo-tagging/ GPS Tagging
The phone knows your exact location, especially when you document it to social media, which can cause security concerns
195
WiFi Direct/ ad hoc
Ad Hoc - connecting wireless devices directly without an access point. Wi-Fi Direct - enables mobile phones, cameras, printers, PCs, and gaming devices to create their own Wi-Fi networks without an internet connection
196
Tethering
Turns your phone into a mobile WiFi hotspot, so your devices can use your phone's data to establish an internet connection
197
Hotspot
A way to connect to the internet wirelessly when you are away from your home or office network
198
Monitoring of Payment Methods
Apple Pay, Android Pay, Samsung Pay. Once primary authentication is bypassed, payment is allowed
200
Bring Your Own Device (BYOD)
Employee owns the device but needs to meet the company's requirements. Both a home device and a work device
201
Corporate-owned Personally Enabled (COPE)
Company buys the device, but it's used as both personal and corporate. The organization keeps full control, and the device is protected using corporate policies
202
Choose Your Own Device (CYOD)
Employee buys the device, but it's used as both personal and corporate. The organization keeps full control, and the device is protected using corporate policies
203
Corporate-owned
Company buys and owns the device and controls the content on the device. Not for personal use; no mixing business with home use
204
Virtual Desktop Infrastructure (VDI)/ Virtual Mobile Infrastructure (VMI)
Apps and data are separated from the mobile device and data is stored securely
205
High Availability (HA) Across Zones
Isolated locations within a cloud region; a deployment commonly spans multiple regions. Can use load balancers
206
Cloud Resource Policies
Providing access to cloud resources to the users who are granted it. Identity and Access Management (IAM)
207
Cloud Secrets Management
Cloud-based methods and tools that organizations use to secure and manage their digital credentials like signatures and keys
208
Cloud Security Integration and Auditing
Integrate security across multiple platforms and audit these security controls by validating them
209
Cloud Storage Permissions
One permission mistake can cause a breach. Public access should not be the default. Identity and Access Management (IAM)
210
Cloud Storage Encryption
Data is more accessible than non-cloud data. Server-side - encrypt data in the cloud and when stored on disk. Client-side - already encrypted when sent to the cloud
211
Cloud Storage Replication
Copy data from one place to another. Can be real-time data duplication
212
Cloud Storage High Availability (HA)
Maintain uptime if an outage or disaster occurs by having backups with constant duplication of data
213
Cloud Virtual Networks
The building of the network from the cloud console. Servers, databases, storage devices
214
Public Cloud Subnet
All external IP addresses. Connect to the cloud from anywhere
215
Private Cloud Subnet
All internal IP addresses. Connect to the private cloud over VPN. No access from the internet
216
Network Segmentation
Data is separated from the application, and security systems are added between application components. Examples: WAF, NGFW
217
API Inspection and Integration
Viewing specific API queries and monitoring incoming and outgoing data
218
Cloud Storage
Data stored on a public cloud
219
Cloud Network
Connecting cloud components within and outside the cloud. Cloud devices communicating with each other
220
Hybrid Cloud Subnet
Combine internal cloud resources with external. Combine public and private subnets
221
Cloud Access Security Broker (CASB)
On-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies
222
Next-Generation Secure Web Gateway (SWG)
A way to try and protect users and devices regardless of location and activity
223
Firewall Cost
Relatively inexpensive compared to appliances
224
Firewall Need for Segmentation
Deploying of a firewall at a desired network boundary so that all traffic crossing the boundary is routed through that firewall
225
Firewall Open Systems Interconnection (OSI) Layers
Layer 4 (TCP/ UDP), Layer 7 (application)
226
Cloud Native Controls
Security controls integrated and supported by the cloud provider that have many configuration options
227
Third-party Solutions
228
Compute Cloud Instances
Components performing calculations of instances. Examples: Amazon Elastic Compute Cloud (EC2), Google Compute Engine (GCE), Microsoft Azure
229
Dynamic Resource Allocation
Provisioning resources when needed, based on application use. Scale up and down
230
Instance Awareness
Manage and identify data flows and make decisions based off of the data. Define and set policies for instances
231
Virtual Private Cloud (VPC) Endpoint
Allows private cloud subnets to communicate with other cloud services. Keeps conversations private
232
Cloud Security Groups
Manage access to compute engines
233
Container Security
Use an OS specifically built for containerization, or group container types together on the same host
234
Application Security
Designing, coding and configuring your application to prevent and defend against cyber threats
235
Cloud Third-party Solutions
Support across multiple cloud providers, with more extensive reporting
236
Identity Provider (IdP)
A list of entities (users and devices) that can provide authentication
237
Identity Attributes
An identifier or property of an entity that provides identification
Personal - name, email address
Other - job title, mail stop
238
Identity Certificates
Assigned to a person or device
239
Identity Token
Contains information about what happened when a user authenticated
240
Identity SSH Keys
Using a key instead of a username and password
241
Identity Smart Cards
Integrates with devices; may require a PIN
242
User Account
Account on a computer associated with a specific person
Data and files can be private to that user
243
Shared Account/ Guest Credentials
Used by more than one person, for example a guest login
244
Guest Account
Access to a computer for guests, with no control over settings, only the user space
245
Service Account
Used exclusively by services running on a computer
Access can be defined for a specific service
246
Privileged Accounts
Elevated or complete access to a system
247
Account Policies
Controlling access to an account
248
Password Complexity
Making your password stronger to prevent guessing or brute force attacks by increasing password entropy (unpredictability)
249
Password History
Passwords that a user has used previously in a system, which an attacker may already have
250
Password Reuse
Linked to password history: a user cannot reuse a password they have already used
251
Network Location
Using location (IP subnet or geolocation) to set policies on whether a user has access to a system; geofencing or geotagging can restrict access to users in certain areas
252
Time-Based Logins
Access attempted outside of normal working hours is denied to the user
253
Access Policies
Criteria for granting access to various servers, applications, and other resources on your network
254
Account Permissions
Authorization given to users that enables them to access specific resources on the network, such as data files, applications, printers and scanners
255
Account Audits
Should be performed routinely to make sure everyone has the correct permissions and is using the granted resources correctly
256
Impossible Travel Time/ Risk Login
A calculation made by comparing a user's last known location to their current location, then assessing whether the trip is likely or even possible in the time that elapsed between the two measurements
257
Lockout
Too many unsuccessful login attempts cause a lockout, which in turn prevents brute force attacks
258
Disablement
When someone leaves the organization or moves to a different part of the company
Makes the account inaccessible but preserves the files and data on that account
259
Password Keys
A physical device that acts as hardware-based authentication
260
Password Vaults
Location where all passwords are stored in an encrypted format
261
Trusted Platform Module (TPM)
Hardware for cryptographic functions that help with encryption
262
Hardware Security Module (HSM)
A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing
263
Knowledge-based Authentication (KBA)
Using personal knowledge as an authentication factor
Static KBA - pre-configured shared secrets - model of first car
Dynamic KBA - identity verification service - street number in Florida
264
Challenge-Handshake Authentication Protocol (CHAP)
An authentication protocol originally used by Point-to-Point Protocol to validate users
Three-way handshake
265
Password Authentication Protocol (PAP)
Basic authentication method used in legacy systems
Sent in the clear, with an unencrypted password exchange
266
802.1X
Provides an authentication mechanism for devices wishing to attach to a LAN or WLAN and prevents access to the network until authentication succeeds
267
Remote Authentication Dial-in User Service (RADIUS)
The more common AAA protocol
Client-server protocol that enables remote access servers to communicate with a central server
268
Single Sign-on (SSO)
A session and user authentication service that permits a user to use one set of login credentials
269
Security Assertion Markup Language (SAML)
Plays a primary role in online security; enables users to authenticate through a third party to gain access to multiple applications
270
Terminal Access Controller Access Control System Plus (TACACS+)
A Cisco-designed extension to TACACS that encrypts the full content of each packet
271
OAuth
Authorization framework that provides authorization between applications and determines what resources a user will be able to access
272
OpenID
A decentralized authentication protocol that allows users to authenticate with multiple websites using a single set of credentials
273
Kerberos
A network authentication protocol in which a user only needs to authenticate once and is then trusted by the system
274
Attribute-based Access Control (ABAC)
An authorization model that evaluates attributes (or characteristics), rather than roles, to determine access
Examples: IP address, time of day, desired action, etc.
275
Role-based Access Control
Access to resources based on your role in an organization
Examples: Manager, director, team leader, etc.
276
Rule-based Access Control
Manages access to areas, devices, or databases according to a predetermined set of rules or access permissions, regardless of a user's role or position in an organization
277
Mandatory Access Control (MAC)
Each object is labeled (confidential, secret, top secret, etc.) and the administrator decides which user gets access to which object
278
Discretionary Access Control (DAC)
An identity-based access control model that provides users with a certain amount of control over their data
279
Conditional Access
‘Just-in-time’ evaluation to ensure the person who is seeking access to content is authorized to access the content
280
Privileged Access Management (PAM)
A subset of IAM that allows you to control and monitor the activity of privileged users (who have access above and beyond standard users) once they are logged into the system
281
Filesystem Permissions
Control the ability of users to read, change, navigate, and execute the contents of the file system
282
Public Key Infrastructure (PKI)
Set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption
283
Key Management
Deals with key generation, certificate generation, distribution, storage, revocation, and expiration of keys
284
Certificate Authority (CA)
An entity that stores, signs, and issues digital certificates
285
Intermediate CA
A certificate that was issued as a dividing layer between the Certificate Authority and the end user's certificate
286
Registration Authority (RA)
An authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it
287
Certificate Revocation List (CRL)
List of digital certificates that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date
288
Certificate Attributes
The common name, subject alternative name, and the expiration
289
Online Certificate Status Protocol (OCSP)
A way for a browser to check certificate revocation
290
Common Name (CN)
The Fully Qualified Domain Name (FQDN) for the certificate
291
Subject Alternative Name
Additional host names for the certificate, common on web servers
Examples: professormesser.com and www.professormesser.com
292
Expiration
The legally mandated date by which a certified proposed decision is due to be acted upon
Limit exposure to compromise
293
Wildcard Domain
Certificates are based on the name of the server; a wildcard certificate applies to all server names in a domain
294
Subject Alternative Name
Additional host name for the certificate
295
Code Signing Certificate
A signature from the developer who created the application's code; validates that the software hasn't been modified
296
Self-signed Certificate
Public key certificates that are not issued by a certificate authority and therefore do not provide any trust value
297
Machine/ Computer Certificate
Provides authenticity for the devices that you physically manage or see
298
Email Certificate
Proves to customers that the email is not a forged phishing attempt and their transactions will be safe
299
User Certificate
Used to associate a certificate with a user; can act as a powerful electronic "ID card"
300
Root Certificate
The public key certificate that identifies the root CA and can issue other certificates, such as intermediate CA certificates
301
Domain Validation (DV) Certificate
Owner of the certificate has some control over a DNS domain
302
Extended Validation (EV) Certificate
Additional checks have verified the certificate owner's identity
303
Distinguished Encoding Rules (DER)
A binary encoding (transfer syntax) for data structures
304
Privacy Enhanced Mail (PEM)
A de facto file format for storing and sending cryptographic keys, certificates, and other data, originally used to provide secure electronic mail communication over the internet
305
Personal Information Exchange (PFX)
A password-protected certificate file, commonly used for code signing an application
306
.cer
Primarily a Windows X.509 file extension
Stores information about the certificate owner and the specific public key
307
P12 (PKCS #12)
Used to transfer a private and public key pair; can be password protected
Container format that stores many X.509 certificates in a single .p12 file
308
P7B (PKCS #7)
Contains certificates and chain certificates; private keys are not included in a .p7b file
309
Online CA
Web browsers use them to authenticate content sent from web servers, ensuring trust in content delivered online
310
Offline CA
A certificate authority that has been isolated from network access and is often kept in a powered-down state, which protects the CA
311
Stapling
OCSP stapling makes verifying the revocation status of an SSL/TLS certificate faster and easier for the client
312
Pinning
Embedding the expected certificate inside the application you are using; if the presented key does not match, the application can decide whether or not to shut down
313
Trust Model
Single CA, hierarchical, mesh, web-of-trust, and mutual authentication
314
Key Escrow
Someone else (a third party) holding your decryption keys
315
Certificate Chaining
Listing all of the certificates between the server and the root CA (intermediate certificates) to ensure that only trusted software and hardware can be used while still retaining flexibility