Chapter 3 - Implementation Flashcards
Domain Name System Security Extensions (DNSSEC)
Validates DNS responses such as origin authentication and data integrity
Prevents attackers from manipulating or poisoning the responses to DNS requests
Secure Shell (SSH)
An encrypted terminal communication that provides secure terminal communication and file transfer features
Secure/ Multipurpose Internet Mail Extensions (S/MIME)
Keep emails confidential
Allows to protect information and provide digital signatures
Secure Real-time Transport Protocol (SRTP)
Take normal conversation across the network and add encryption so nobody can listen to your conversation
Uses AES
HMAC-SHA1
Lightweight Directory Access Protocol Over SSL (LDAPS)
Used for reading and writing directories over an Internet Protocol network
Uses SSL and/ or Simple Authentication and Security Layer (SASL)
File Transfer Protocol, Secure (FTPS)
Transferring files securely between devices
Uses SSL for encryption
SSH File Transfer Protocol (SFTP)
Provides secure file system functionality
Resuming interrupted transfers, directory listings, remote file removal
Uses SSH for encryption
Simple Network Management Protocol, Version 3 (SNMPv3)
Used for security when querying routers and switches
Provides confidentiality, integrity, and authentication
Hypertext Transfer Protocol over SSL/TLS (HTTPS)
Secure version of HTTP
Used for making sure our browser communication is running over an encrypted connection
IPSec
Communicating between two locations across the internet in a secure form - encryption and packet signing (integrity)
IPSec - Authentication Header (AH)/ Encapsulating Security Payloads (ESP)
AH - provides integrity
ESP - provides encryption
IPSec - Tunnel/ Transport
Tunnel mode is used to create virtual private networks for network-to-network communications
Transport mode, only the payload of the IP packet is usually encrypted or authenticated
Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP)
A way to send and receive email securely
Both use SSL for encryption
Protocol Use Cases - Voice and Video
Use SRTP
Keeps conversations private by using AES
Protocol Use Cases - Time Synchronization
Use NTPsec
Secure network time protocol
Protocol Use Cases - Email and Web
Email - Use S/MIME
Web - Use HTTPS over SSL/ TLS
Protocol Use Cases - File Transfer
Use FTPS or SFTP (SSH File Transfer Protocol)
Protocol Use Cases - Directory Services
Use LDAP
Protocol Use Cases - Remote Access
Use SSH
Protocol Use Cases - Domain Name Resolution
Use DNSSec
Protocol Use Cases - Routing and Switching
Use SSH with SNMPv3 and HTTPS
Protocol Use Cases - Network Address Allocation
Use DHCP
Protocol Use Cases - Subscription Services
Use automation subscriptions with constant updates and check for encryption/ integrity checks
Dynamic Host Configuration Protocol (DHCP)
Assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture
Starvation Attacks
The Endpoint
Physical devices that connect to a network system such as mobile devices, desktop computers, virtual machines, embedded devices, and servers
Antivirus
Software designed to detect and destroy computer viruses
Examples: Trojan horses, worms
Anti-malware
Software designed to detect and destroy computer viruses
Examples: Spyware, adware
Endpoint Detection and Response (EDR)
A method of threat protection that detects a threat, investigates the threat, and responds to the threat
Data Loss Prevention (DLP)
The detection of potential data breaches/data ex-filtration transmissions
Data “leakage”
Next-generation Firewall (NGFW)
Combining a traditional firewall with other network device filtering functions and controls
Application features, attacks and malware, encrypted data, and access to URLs
Host-based Intrusion Prevention System (HIPS)
Recognizes and blocks known attacks
Secure OS and application configs and validates incoming service requests
Host-based Intrusion Detection System (HIDS)
Uses log files to identify intrusions
Can reconfigure firewalls to block
Host-based Firewall
A personal software that runs on every endpoint that examines traffic and processes
Boot Integrity
Ensures that the operating system kernel has not been modified by any malware
Rootkits
Boot Security/ Unified Extensible Firmware Interface (UEFI) (BIOS)
A set of routines residing in firmware that boots the operating system and sets up the hardware
Measured Boot
Process of measuring each component, from firmware up through the boot start drivers to provide a way to inform the last software stage if someone tampered with the platform
Boot Attestation
Receives the boot report and changes are identified and made if there have been malware infections
Database Security
Protecting stored data and the transmission of data
Application Security
The process of developing, adding, and testing security features within applications to prevent security vulnerabilities
Input Validations
Process of checking to see if all input is correct and making the change if it isn’t
Normalization
Secure Cookies
Information used for tracking, personalization, and session management that is stored on your computer by the browser
Hypertext Transfer Protocol (HTTP) Headers
An additional layer of security that ensures encrypted communication
Prevents XSS attacks
Code Signing
Code digitally signed by the developer to show the code has not been altered
Allow List
Nothing can run unless it’s approved
Block/ Deny List
Nothing on this list can be executed
Secure Coding Practices
A balance between time and quality
Make sure to test - QA
Static Code Analysis
The analysis of computer programs performed without executing them
Manual Code Review
The process of reading the source code line by line to look out for possible vulnerabilities
Dynamic Code Analysis
Designed to test a running application for potentially exploitable vulnerabilities
Fuzzing/ Fuzzers
The injection of invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities
Hardening
Minimizing the attack surface and removing all possible points of exploitation
Open Ports and Services
Possible point of entry
Controlled with firewall
0-65,535
Registry
Primary configuration database used to know when applications are modified
Disk Encryption
The prevention of access to application data files
Operating System (OS) Hardening
Doing regular updates, managing user accounts, limiting network access, and keep anti-malware and antivirus up to date
Patch Management
The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions
Patch Management - Third Party Updates
Process of installing patches to third-party applications, that are installed on your company’s endpoints
Patch Management - Auto-update
Not very good because an update might not be what you want
Test first
Self-encrypting Drive (SED)
A hardware based full disk encryption that does not need an operating system software
Opal
Standard specification of SED
Defines a way of encrypting the stored data so unauthorized person who gains possession of the device cannot see the data
Hardware Root of Trust
The ability to trust that the system is going to be safe and secure
Trusted Platform Module (TPM)
Designed to help with cryptographic functions that are used within the operating system
Sandboxing
Gives users a safe, lightweight environment to execute code and run applications to test
Full-disk Encryption (FDE)
Encrypting everything on the drive
Load Balancing
Process of distributing a set of tasks over multiple servers, with the aim of making their overall processing more efficient
Active/ Active Load Balancing
Having two or more load balancer servers running at the same time
Active/ Passive Load Balancing
Having some servers on standby and when the active server fails, the passive server takes over
Load Balancing Scheduling
Round-robin - each server is selected in turn
Weighted round-robin - prioritizing the server use
Dynamic round-robin - Monitor server load and send to server with the lowest use
Load Balancing Persistence
Directing a client’s requests to the same backend web or application server for the duration of a “session” or the time it takes to complete a task or transaction
Network Segmentation
An architectural approach that divides a network into multiple segments or subnets, each acting as its own small network
Segmentation w/ Virtual Local Area Networks (VLANs)
Creates a collection of isolated networks within the data center
Severely hinders access to system attack surfaces
Screened Subnet
Additional layer of security between the internet and you
East-west Traffic
Traffic between device in the same data center
Extranet
A private network for partners and authorized users
Examples: vendors, suppliers
Intranet
Private network for employees within a company only
Zero Trust
A framework that assumes a complex network’s security is always at risk to external and internal threats
Virtual Private Network (VPN)
Mechanism for creating a secure connection between a computing device and a computer network or internet
Virtual Private Network (VPN) - Always-on
Automated service that establishes a connection between the client and the VPN with no user interactions whatsoever
Full VPN Tunnel
Remote user sends everything to the VPN concentrator
Split VPN Tunnel
Remote user sends some information to VPN concentrator and separate website
Remote Access VPN
Enables users to connect to a private network remotely using a VPN
Site-to-site VPN
If you want to connect to location together with two concentrators
Example: corporate network and remote site
Layer 2 Tunneling Protocol
Connecting sites over a layer 3 network as if they were connected at layer 2
SSL/ TLS VPN
Created using the SSL protocol to create a secure and encrypted connection over a less-secure network, such as the Internet
Hypertext Markup Language Version 5 (HTML5) VPNs
Creates a VPN tunnel without a separate VPN application
Network Access Control (NAC)
The process of restricting unauthorized users and devices from gaining access to a corporate or private network
Agent Network Access Control
The process of restricting unauthorized users and devices from gaining access to a corporate or private network
Agentless Network Access Control
Uses the Active Directory to make checks of user device during login and logoffs actions
Out-of-band Management
The management of devices and IT assets remotely without using the corporate LAN
Port Security
Help secure the network by making sure to block foreign devices from forwarding packets
Bridge Protocol Data Unit (BPDU) Guard
Prevent attacks on a network by blocking Bridge Protocol Data Units (BPDUs) that are sent from unauthorized devices
Enabled port shuts down as soon as a BPDU is received
Loop Prevention
The sending of traffic between two switches forever
The use of IEEE standard 802.1D prevents loops
Dynamic Host Configuration Protocol (DHCP) Snooping
Layer 2 security technology incorporated into the operating system of a capable network switch that filters DHCP traffic determined to be unacceptable
Media Access Control (MAC) Filtering
A security access control method whereby the MAC address assigned to each network interface controller is used to determine access to the physical hardware address
Jump Servers
A hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them
Proxy Server
A system that sits between the users and external network to receive and send user requests as well as catching information, access control, URL filtering, and content scanning
Forward Proxy Server
Used to protect and control user access to the internet
“Internal Proxy”
Reverse Proxy Server
Used to protect inbound traffic from the internet to your internal service
Network-based Intrusion Detection System (NIDS)
Detects and reports network security problems by monitoring network or system activities for malicious or anomalous behavior
Network-based Intrusion Prevention System (NIPS)
A network security tool that continuously monitors a network for malicious activity and takes action to prevent it
Signature-based Intrusion Prevention
Monitors inbound network traffic to find sequences and patterns that match a particular attack signature
Anomaly-based Intrusion Prevention
An intrusion detection system for detecting both network and computer intrusions and building a baseline of what’s “normal”
Behavior-based Intrusion Prevention
An intrusion detection system for recording expected patterns concerning the entity being monitored and reporting it
Heuristic Intrusion Prevention
A system that uses artificial intelligence to scan for malicious behavior from a program either within the system, or trying to access the system
Passive Monitoring Intrusion Prevention
The examination of a copy of the network traffic
Cannot block or prevent the traffic
Inline Monitoring Intrusion Prevention
Sits in the middle or inline the network traffic and monitors and control in real-time
Hardware Security Module (HSM)
A device specifically designed to manage and control a large environment
Safeguards and manages cryptographic keys and provides cryptographic processing
Collectors
A console(s) that receives all censored data and provides output of what is going on on the network
Web Application Firewall (WAF)
Filters, monitors, and blocks HTTP/ HTTPS traffic to and from a web service
Stateful Firewall
Keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks
Stateless Firewall
Does not keep track of traffic flows and examines each packet individually regardless of history
Unified Threat Management (UTM)
When multiple security features or services are combined into a single device within your network
Includes: web security gateway, URL filter, malware inspection, spam filter, CSU/ DSU, Router, switch, firewall, IDS/ IPS, bandwidth shaper, VPN endpoint
Network Address Translation (NAT) Gateway
Used to enable instances present in a private subnet to help connect to the internet or AWS services
Content/ URL Filter
Blocks users from loading questionable websites or hosted files via corporate device or network resources
Open-source Firewall
Provides traditional firewall functionality
Proprietary Firewall
Traditional firewall with features like application control and high-speed hardware
Hardware Firewall
Provides efficient and flexible connectivity options
Software Firewall
Can be installed on own hardware from anywhere
Appliance Firewall
Has the fattest throughput
Host-based Firewall
Application-aware and can view non-encrypted data
Virtual Firewall
Provides valuable East/ West network security
Access Control List (ACL)
Specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources
Quality of Service (QoS)
Describes the process of controlling traffic flows and ensuring the performance of critical applications with limited network capacity
Implications of IPv6
Most recent version of the Internet Protocol
Secures most attacks but new attacks will occur since this is new
Port Mirroring/ Port Spanning
Cross connecting two or more ports on a network switch so that traffic can be simultaneously sent to a network analyzer or monitor connected to another port
Port Taps
A simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis and security
Monitoring Services
Ongoing security checks that identify threats, respond to evets, and maintain compliance
File Integrity Monitors
Identifying when changes to operating system and application files occur
Some should NEVER change
North-south Traffic
Traffic between the data center and the rest of the network
Wi-Fi Protected Access 2 (WPA2)
An encrypted security protocol that protects internet traffic on wireless networks
Uses encryption called CCMP block cipher mode
Wi-Fi Protected Access 3 (WPA3)
Update of the WPA2 security
Uses GCMP cipher mode encryption - stronger encryption
Counter-mode/ CBC-MAC Protocol (CCMP)
A security protocol used by WPA2 for encryption
CCMP uses AES for confidentiality and CBC-MAC for integrity
Galois/ Counter Mode Protocol
A security protocol used by WPA3 for encryption
A strong encryption than WPA2
GCMP uses AES for confidentiality and GMAC for integrity
Simultaneous Authentication of Equals (SAE)
A Diffie-Hellman derived key exchange with an authentication component
Everyone uses different session key, even with same PSK
Fixes WPA2 PSK problem
Extensible Authentication Protocol (EAP)
A authentication framework
Integrates with 802.1X to prevent access to network until the authentication succeeds
Uses RFC standards
Protected Extensible Authentication Protocol (PEAP)
Protected EAP
Uses TLS and uses a digital certificate or a generic token card instead of a PAC
EAP-FAST
EAP Flexible Authentication via Secure Tunneling
Authenticates by means of a protected access credential (PAC)
Negotiates and TLS tunnel and needs a RADIUS server
EAP-TLS
Requires digital certificates on all devices and a TLS tunnel is built for the user authentication process
Need a PKI
EAP-TTLS
EAP Tunneled Transport Layer Security
Support other authentication protocols in a TLS tunnel
Requires digital certificate on the AS
IEEE 802.1X
Port-based Network Access Control (NAC)
You do not get access to the network until you authenticate
Used with RADIUS, LDAP, TACACS+
Remote Authentication Dial-in User Service (RADIUS) Federation
Links a user’s identity across multiple organization’s networks
Uses 802.1X
Wireless Security Mode - Pre-shared Key (PSK)
Everyone uses same key
Unique WPA3 session key is derived from the PSK use SAE
Wireless Security Mode - Enterprise
Uses WPA3/ WPA3 802.1X
Authenticates users individually with an authentication server
Example: RADIUS
Wireless Security Mode - Open System
No password is required to configure the authentication on your wireless access point/ router
Wi-Fi Protected Setup (WPS)
The allowing of “easy” setup of a mobile device
Example: PIN, NFC, Push button
Captive Portals
Web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources
Site Surveys
Inspections of an area where work is proposed, to gather information for a design or an estimate to complete the initial tasks required
Examples: access points, frequencies, etc.
Heat Maps
Identification of wireless signal strengths
Wi-Fi Analyzers
Provides information about wireless networks, including their signal strength, coverage, names, and security configuration
Channel Overlaps
The overlapping of channels that cause frequency conflicts
Wireless Access Point (WAP) Placement
Placing routers strategically to avoid overlap, interference, and excessive signal distance while maximizing coverage and minimizing access points
Examples of interference: microwaves, building materials
Controller and Access Point Security
Controllers - Strong encryption with HTTPS, automatic logout after no activity
Access Points - Strong passwords and firmware updates
Wireless Controllers
Centralized management of wireless access points that manage system configuration and performance
Cellular Network
Mobile devices - “Cell phones”
Separates land into “cells” - antenna coverages a cell with certain frequencies
Wi-Fi
An internet connection that’s shared with multiple devices in a home or business via a wireless router
Bluetooth
High speed communication over short distances
Connects our mobile devices to other electronics
Near Field Communication (NFC)
Two-way wireless communication
Helps with Bluetooth pairing
Examples: payment systems
Infrared (IR)
A wireless mobile technology used for device communication over short ranges
Requires light-of-sight - control entertainment system
Universal Serial Bus (USB)
Physical connectivity to device that is used to store and extract files or other documents
Point-to-Point Communication
One-to-one connection - conversation between two devices
Point-to Multipoint Communication
802.11 wireless
One-to-many connection
Global Positioning System (GPS)
Precise navigation that determines location based on timing differences - latitude, longitude, altitude
4 satellites at a time
Radio Frequency Identification (RFID)
Radar technology that uses electromagnetic fields to automatically identify and track tags attached to objects
Mobile Device Management (MDM)
The managing of company-owned and mobile-owned devices by setting policies and access control
Mobile Device - Application Management
Managed through allow lists that only approve apps that can be installed and that are not malicious
Mobile Device - Content Management
Mobile Content Management (MCM)
Secure access to data and protect data from outsiders by securing file sharing and viewing
Mobile Device - Remote Wipe
Removing all data from a mobile device
Mobile Device - Geofencing
Restricting or allowing features when the device is in a particular area
Examples: cameras, logins, etc.
Mobile Device - Geolocation
The precise tracking details that can track within feet to either find your phone or you
Mobile Device - Screen Locks
Used to lock your phone to secure you data so nobody can get in without the use of a password
Mobile Device - Push Notifications
Information that appears on the mobile device screen
Mobile Device - Passwords and PINs
Used to protect against unauthorized access
Recovery of a password or PIN can be initiated with the MDM
Mobile Device - Biometrics
You are the authentication factor
Mobile Device - Context-aware Authentication
Combination of multiple contexts
Where you normally login (IP address)
Where you normally frequently are (GPS location)
Other devices that may be paired (Bluetooth)
Mobile Device - Containerization
A way to separate personal data from corporate data by creating a logical container to enhance corporate data security
Mobile Device - Storage Segmentation
Keeps data separate
Isolate the device’s OS and preinstalled apps from user-installed apps and user data
Mobile Device - Full Device Encryption
Encrypting all of the data on the mobile device
Mobile Device - MicroSD Hardware Security Module (HSM)
Provides security services such as encryption, key generation, digital signatures, authentication
Now in MicroSD card form
Mobile Device - MDM/ Unified Endpoint Management (UEM)
Class of software tools that provide a single management interface for mobile, PC and other devices
Mobile Device - Mobile Application Management (MAM)
Monitor, provision, update and remove apps
Create an enterprise app catalog so users can pick what to install
Mobile Device - SEAndroid
Security enhancements for Android
A security solution for Android that identifies and addresses critical gaps
Third-party Application Stores
App Store/ Google Play
Not all apps are secure of appropriate for business
Rooting/ Jailbreaking
Rooting - Android
Jailbreaking - Apple
Able to gain complete control of the operating system and remove some restrictions present in the software
Sideloading
Installing unapproved software/ app from a third-party source or transferring files between two devices
Custom Firmware
Unofficial new or modified version of firmware created by third parties
Carrier Unlocking
Allowing consumers to move their cell phone from one carrier to another
Firmware Over-the-air (OTA) Updates
Operating system updates that can be significant that can be installed without using a cable
Monitoring of Camera Use
Could be used for espionage or inappropriate use
MDM can disable or enable in certain locations
Monitoring of SMS/ Multimedia Messaging Service (MMS)
Text messages, video, audio that can be exposed to data leaks and phishing attempts
MDM can allow only during certain time frames or locations
Rich Communication Services (RCS)
A communication protocol between mobile telephone carriers and between phone and carrier, aiming at replacing SMS messages with a text-message system that is richer
External Media
Data that is stored/ transferred onto external or removable devices
USB or flash drives
USB On-the-go (USB OTG)
Connect devices directly together by being both the host and a device
No computer or cable required
Usually mobile device and USB/flash drive
Monitoring of Recording Microphone
Useful for meetings and note taking
Can be a legal liability depending on states
MDM can disable or geo-fence
Geo-tagging/ GPS Tagging
Phone knows your exact location especially when you document to social media which can cause security concerns
WiFi Direct/ ad hoc
Ad Hoc - Connecting wireless devices directly without an access point
Wireless Direct - enables mobile phones, cameras, printers, PCs, and gaming devices to create their own Wi-Fi networks without an internet connection
Tethering
Turns your phone into a mobile WiFi hotspot, so your devices can use your phone’s data to establish an internet connection
Hotspot
A way to connect to the internet wirelessly when you are away from your home or office network
Monitoring of Payment Methods
Monitoring of Payment Methods
Apple Pay, Android Pay, Samsung Pay
Once primary authentication is bypassed, payment is allowed
Bring Your Own Device (BYOD)
Employee owns device but needs to meet the company’s requirements
Both a home device and a work device
Corporate-owned Personally Enabled (COPE)
Company buys the device but its used as both personal and corporate
Organization keep full control and is protected using corporate policies
Choose Your Own Device (CYOD)
Employee buys the device but its used as both personal and corporate
Organization keep full control and is protected using corporate policies
Corporate-owned
Company buys and owns the device and controls the content on the device
Not for personal use - no mixing business with home use
Virtual Desktop Infrastructure (VDI)/ Virtual Mobile Infrastructure (VMI)
Apps and data are separated from the mobile device and data is stored securely
High Availability (HA) Across Zones
Isolated locations with a cloud region that commonly spans across multiple regions
Can use load balancers
Cloud Resource Policies
Providing access to cloud resources to users who get access
Identity and Access Management (IAM)
Cloud Secrets Management
Cloud-based methods and tools that organizations use to secure and manage their digital credentials like signatures and keys
Cloud Security Integration and Auditing
Integrate security across multiple platforms and audit these security controls by validating them
Cloud Storage Permissions
One permission mistake can cause a breach
Public access should not be default
Identity and Access Management (IAM)
Cloud Storage Encryption
Data is more accessible that non-cloud data
Server-side - encrypt data in cloud and when stored on disk
Client-side - already encrypted when sent to cloud
Cloud Storage Replication
Copy data from one place to another
Can be real-time data duplication
Cloud Storage High Availability (HA)
Maintain up time if an outage or disaster occurs by having backups with constant duplication of data
Cloud Virtual Networks
The building of the network from the cloud console
Servers, databases, storage devices
Public Cloud Subnet
All external IP addresses
Connect to the cloud from anywhere
Private Cloud Subnet
All internal IP addresses
Connect to the private cloud over VPN
No access from internet
Network Segmentation
Data is separated from the application and adds security systems between application components
WAF, NGFW
API Inspection and Integration
Viewing specific API queries and monitoring incoming and outgoing data
Cloud Storage
Data stored on a public cloud
Cloud Network
Connecting cloud components within and outside the cloud
Cloud devices communicating with each other
Hybrid Cloud Subnet
Combine internal cloud resources with external
Combine public and private subnets
Cloud Access Security Broker (CASB)
On-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies
Next-Generation Secure Web Gateway (SWG)
A way to try and protect users and devices regardless of location and activity
Firewall Cost
Relatively inexpensive compared to appliances
Firewall Need for Segmentation
Deploying of a firewall at a desired network boundary so that all traffic crossing the boundary is routed through that firewall
Firewall Open Systems Interconnection (OSI) Layers
Layer 4 (TCP/ UDP), Layer 7 (application)
Cloud Native Controls
Security controls integrated and supported by the cloud provider that has many configuration options
Third-party Solutions
Compute Cloud Instances
Components performing calculations of instances
Amazon Elastic Compute Cloud (EC2)
Google Compute Engine (GCE)
Microsoft Azure
Dynamic Resource Allocation
Provisioning resources when needed - use of application
Scale up and down
Instance Awareness
Manage and identify data flows and make decisions based off of the data
Define and set policies of instances
Virtual Private Cloud (VPC) Endpoint
Allow private cloud subnets to communicate to other cloud services
Keep conversations private
Cloud Security Groups
Manage access to compute engines
Container Security
Use an OS specifically built for containerization
Or group container types together on the same host
Application Security
Designing, coding and configuring your application to prevent and defend against cyber threats
Cloud Third-party Solutions
Support across multiple cloud providers that has more extensive reporting
Identity Provider (IdP)
A list of entities for users and devices that can provide authentication
Identity Attributes
An identifier or property of an entity that provides identification
Personal - name, email address
Other - job title, mail stop
Identity Certificates
Assigned to a person or device
Identity Token
Contains information about what happened when a user authenticated
Identity SSH Keys
Using a key instead of username and password
Identity Smart Cards
Integrates with devices that may require PIN
User Account
Account on a computer associated with a specific person
Data and files can be private to that user
Shared Account/ Guest Credentials
Used by more than one person that uses a guest login
Guest Account
Access to a computer for guests that do not have any controls of settings, but just the userspace
Service Account
Used exclusively by services running on a computer
Access can be defined for a specific service
Privileged Accounts
Elevated or complete access to a systems
Account Policies
Controlling access to an account
Password Complexity
Making your password stronger to prevent guessing or brute force attacks by increasing password entropy (predictability)
Password History
Passwords that a user has used previously in a system that the attacker may already have
Password Reuse
Links to password history - user cannot reuse a password that a user has already used
Network Location
Using location to set policies on whether a user has access to a system by using IP subnet or Geolocation and use Geofencing or Geotagging to restrict access to a user in certain areas
Time-Based Logins
Something trying to be accessed outside of normal working hours therefore preventing access to the user
Access Policies
Criteria for granting access to various servers, applications, and other resources on your network
Account Permissions
Authorization given to users that enables them to access specific resources on the network, such as data files, applications, printers and scanners
Account Audits
Should be performed routinely to make sure everyone has the correct permissions and are using the resources granted correctly
Impossible Travel Time/ Risk Login
A calculation made by comparing a user’s last known location to their current location, then assessing whether the trip is likely or even possible in the time that elapsed between the two measurements
Lockout
Too many unsuccessful login attempts will cause a lockout which in turn prevents brute force attacks
Disablement
When someone leaves organization or moves to a different part of the company
Makes account inaccessible but will still save the files and data that was on that account
Password Keys
A physical device that accounts as hardware based authentication
Password Vaults
Location where all passwords are stored in an encrypted format
Trusted Platform Module (TPM)
Hardware for cryptographic functions that help with encryption
Hardware Security Module (HSM)
A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing
Knowledge-based Authentication (KBA)
Using personal knowledge as an authentication factor
Static KBA - Pre-configured shared secrets - model of first car
Dynamic KBA - Identity verification service - street number in Florida
Challenge-Handshake Authentication Protocol (CHAP)
An authentication protocol originally used by Point-to-Point Protocol to validate users
Three-way handshake
Password Authentication Protocol (PAP)
Basic authentication method used in legacy systems
Sent in the clear and has a non-encrypted password exchange
802.1X
It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN and prevents access to network until the authentication succeeds
Remote Authentication Dial-in User Service (RADIUS)
More common AAA protocol
Client-server protocol enables remote access servers to communicate with a central server
Single Sign-on (SSO)
A session and user authentication service that permits a user to use one set of login credentials
Security Assertion Markup Language (SAML)
Primary role in online security and enables users to authenticate through a third-party to gain access to multiple applications
Terminal Access Controller Access Control System Plus (TACACS+)
A Cisco designed extension to TACACS that encrypts the full content of each packet
OAuth
Authorization framework that provides authorization between applications and determines what resources a user will be able to access
OpenID
A decentralized authentication protocol that allows users to authenticate with multiple websites using a single set of credentials
Kerberos
A network authentication protocol that only need to authenticate once and then it will be trusted by the system
Attribute-based Access Control (ABAC)
An authorization model that evaluates attributes (or characteristics), rather than roles, to determine access
Examples: IP address, time of day, desired action, etc.
Role-based Access Control
Access to resources based on your role in an organization
Examples: Manager, director, team leader, etc.
Rule-based Access Control
Manages access to areas, devices, or databases according to a predetermined set of rules or access permissions regardless of their role or position in an organization
Mandatory Access Control (MAC)
Each object is labeled with a confidential, secret, top secret, etc. label and the administrator decides what user gets access of what object
Discretionary Access Control (DAC)
An identity-based access control model that provides users with a certain amount of control over their data
Conditional Access
‘Just-in-time’ evaluation to ensure the person who is seeking access to content is authorized to access the content
Privileged Access Management (PAM)
A subset of IAM that allows you to control and monitor the activity of privileged users (who have access above and beyond standard users) once they are logged into the system
Filesystem Permissions
Control the ability of users to read, change, navigate, and execute the contents of the file system
Public Key Infrastructure (PKI)
Set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption
Key Management
Deal with key generation, certificate generation, distribution, storage, revocation, and expiration of keys
Certificate Authority (CA)
An entity that stores, signs, and issues digital certificates
Intermediate CA
A certificate that was issued as a dividing layer between the Certificate Authority and the end user’s certificate
Registration Authority (RA)
An authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it
Certificate Revocation List (CRL)
List of digital certificates that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date
Certificate Attributes
The common name, subject alternative name, and the expiration
Online Certificate Status Protocol (OCSR)
A way for a browser to check certificate revocation
Common Name (CN)
The Fully Qualified Domain Name (FQDN) for the certificate
Subject Alternative Name
Additional host name of the cert that is common on web servers
Examples: professormesser.com and www.professormesser.com
Expiration
The legally mandated date by which a certified proposed decision is due to be acted upon
Limit exposure to compromise
Wildcard Domain
Certificates are based on the name of the server and this will apply to all server names in a domain
Subject Alternative Name
Additional host name for the certificate
Code Signing Certificate
A signature from the developer who created the code for the application and validates the software hasn’t been modified
Self-signed Certificate
Public key certificates that are not issued by a certificate authority that do not provide any trust value
Machine/ Computer Certificate
Provides authenticity on the devices that you physically manage/ see
Email Certificate
Proves to customers that the email is not a forged phishing attempt and their transactions will be safe
User Certificate
Used to associate a certificate with a user that can act as a powerful electronic “id card”
Root Certificate
The public key certificate that identifies the root CA and can issue other certificates such a intermediate
Domain Validation (DV) Certificate
Owner of the certificate has some control over a DNS domain
Extended Validation (EV) Certificate
Additional checks have verified the certificate owner’s identity
Distinguished Encoding Rules (DER)
A binary format designed to transfer syntax for data structures
Privacy Enhanced Mail (PEM)
A de facto file format for storing and sending cryptographic keys, certificates, and other data and used to provide secure electronic mail communication over the internet
Personal Information Exchange (PFX)
A password protected file certificate commonly used for code signing your application
.cer
Primarily a Windows X.509 file extension
Responsible for storing some information about the owner certificate and the specific public key
P12 (PKCS #12)
Used to transfer a private and publics key pair that can be password protected
Container format for many certificates that store many X.509 certificates in a single .p12 file
P7B (PKCS #7)
Contains certificates and chain certificates that private keys are not included in a .p7b file
Online CA
Web browsers use them to authenticate content sent from web servers, ensuring trust in content delivered online
Offline CA
A certificate authority which has been isolated from network access, and is often kept in a powered-down state which in turn protects the CA
Stapling
OCSP stapling makes verifying the revocation status of an SSL/TLS certificate faster and easier for a client than ever before
Pinning
Putting the certificate inside of the application you are using and if the expected key does not match, the application can decide whether or not to shut down
Trust Model
Single CA, Hierarchal, mesh, web-of-trust, and Mutual authentication
Key Escrow
Someone else (3rd party) holding your decryption keys
Certificate Chaining
Listing all of the certs between the server and the root CA (intermediate certs) to ensure that only trusted software and hardware can be used while still retaining flexibility
