D1 Ch1 Flashcards

Domain 1

1
Q

GAPP stands for

A

Generally Accepted Privacy Principles

2
Q

Difference between security and privacy

A

Security - how the org protects its own data

Privacy - how the org is allowed to collect, process, and share the data of individuals

3
Q

The 10 principles of GAPP and what they mean

A

Management
The org must have a privacy policy and other docs to govern the use of data

Notice
The org must notify individuals about what info is collected and how it is collected

Choice and consent
Individuals must consent to the storage, use, and sharing of their PII

Collection
Info may only be collected for the purposes identified in the notice and consent

Use, retention, and disposal
The org may not use the info for undisclosed purposes

Access
The individual can request access to their PII at any time

Disclosure
The org may disclose the PII only when consistent with the notice and consent

Security
The org must protect the data from unauthorized access

Quality
The org must maintain accurate and complete info

Monitoring and enforcement
The org must maintain compliance with their security policy

4
Q

A weakness in a device, system, app, or process that may allow an attack to take place

This is under the CS professionals’ control

A

Vulnerability

5
Q

An outside force that may exploit a vulnerability

This is NOT under the CS professionals’ control

A

Threat

6
Q

A combination of threat and corresponding vulnerability

A

Risk

7
Q

True/False:

Both vulnerability and threat must be present for there to be any risk

A

True

For example, if a datacenter is vulnerable to earthquakes, but the building is not in an area that is prone to earthquakes, there is no threat - therefore no risk.

8
Q

Risk equation

A

Risk = Vulnerability x Threat

9
Q

What type of threat?:

An individual, group, or org deliberately undermining the security of an org

A

Adversarial

10
Q

What type of threat?:

An individual performing routine work who makes a mistake that undermines the security of the org

A

Accidental

11
Q

What type of threat?:

The failure of equipment, software, or environmental controls

A

Structural

12
Q

What type of threat?:

Natural or human-made disasters outside of the control of the org (ex. flooding, power outage)

A

Environmental

13
Q

What type of graph is used to create a qualitative analysis of risk?

A

Risk matrix

14
Q

What 2 measurements are used to create a qualitative analysis of risk?

A

Likelihood and impact

15
Q

What type of control?:

Systems, devices, software, and settings that enforce CIA requirements

A

Technical

16
Q

What type of control?:

Practices and procedures (ex. pen testing, reverse engineering software for analysis)

A

Operational

17
Q

NAC stands for

A

Network Access Control

18
Q

A security solution that limits network access to authorized individuals

A

NAC

19
Q

What are the 3 elements that comprise an 802.1X comm?

A

Supplicant (client computer), authenticator, RADIUS server

20
Q

What is the difference between agent-based and agentless NAC solutions?

A

Agent-based
Involves software that is installed on the client computers that communicates with the NAC service

Agentless
Authentication happens via web browser, and no installed software is needed

21
Q

What is the difference between in-band and out-of-band NAC solutions?

A

In-band
Dedicated NAC appliances sit between devices and resources. These appliances deny/limit network access. (ex. A captive portal)

Out-of-band
Existing network devices are used to communicate with authentication servers. The devices then reconfigure the network to grant/deny access accordingly. (ex. 802.1X)

22
Q

NAC may deny access to a computer because that computer does not have the adequate updates or security measures.

How does the NAC authenticator tell that this is the case?

A

Agents installed on the computer

23
Q

What does it mean when a firewall is called “triple-homed”?

A

The firewall connects to 3 networks

24
Q

ACL stands for

A

Access Control List

25
Q

A firewall rule base is called

A

ACL

26
Q

A principle common to firewalls where, if a packet does not match any of the predetermined rules, it is automatically dropped

A

Default deny

27
Q

A type of firewall that checks packets against the ACL, and does not have any further intelligence. Very rudimentary.

A

Packet filtering

28
Q

A type of firewall that maintains information about the state of each connection passing through the firewall. The most basic firewall sold as a stand-alone product.

It keeps track of which internal requests use which port numbers; any packets that don’t match what the firewall was expecting get dropped. This all but eliminates IP spoofing.

A

Stateful inspection

29
Q

NGFW stands for

A

Next Generation Firewall

30
Q

A type of firewall that uses contextual information about users, apps, and business processes. Currently, it is the state-of-the-art firewall.

A

NGFW

31
Q

WAF stands for

A

Web Application Firewall

32
Q

A type of firewall that is specialized for web app attacks (ex. SQL injection, XSS)

A

WAF

33
Q

A security solution that separates networks of different security levels from each other

A

Network segmentation

34
Q

An intermediary system used to safely access a secure network segment or device from an insecure network segment or device. This way, the insecure side never directly accesses the secure side.

35
Q

A system made attractive to attackers (apparent vulnerabilities, running services, or sensitive info) that secretly monitors the attacker after they have compromised it. This may be used to feed network blacklists.

36
Q

An IP address that is configured to be returned to a compromised device that is trying to connect to its C2 server. The device attached to this IP address is configured to detect and remediate the botnet-infected system.

A

DNS sinkhole

37
Q

Software that centrally manages and monitors system patch levels throughout the enterprise

A

Patch management software

38
Q

True/False

You should IMMEDIATELY apply patches as soon as the vendor releases them

A

False; you should always test patches before deployment

39
Q

A security solution that allows an administrator to apply security settings to groups of devices based on their roles

A

Group policies

40
Q

GPO stands for

A

Microsoft Group Policy Object

41
Q

A type of control that is used when an organization is unable to implement all desired security controls due to technical, operational, or financial constraints.

A

Compensating

42
Q

MAC stands for (no, the other one)

A

Mandatory Access Control

43
Q

An access control method where administrators set all permissions, and individual users CANNOT change those permissions.

Used in highly secure areas, such as government or military networks.

A

MAC

44
Q

An access control method where owners of files may choose who can access those files; the administrators do not set permissions for every single thing.

A

DAC

45
Q

DAC stands for

A

Discretionary Access Control

46
Q

What Linux distribution is an example of MAC?

47
Q

NIST 4 stages of penetration testing

A

Planning > Discovery > Attack > Reporting

48
Q

3 things that must be discussed when Planning a penetration test

A

Timing, scope, authorization

49
Q

What happens during the Discovery phase of pen testing?

A

Reconnaissance

50
Q

NIST 4 phases of the attack phase of pen testing

A

Gain access
Discovery phase should have provided enough info to gain access

Escalate privileges
Reach admin-level privileges

System browsing
Gather more info on the mechanisms in order to gain more access

Install more tools
More pen testing tools gain more info/access

Then repeat the process

51
Q

What happens during the Reporting phase of pen testing?

A

Communicate access that was achieved, and vulnerabilities that were exploited

52
Q

What is the White team?

A

Referees and monitors of the wargame; they maintain the technical environment

53
Q

What is reverse engineering as it applies to CS?

A

Working backwards from a finished product to figure out how it works

54
Q

What method does reverse engineering use?

A

Decomposition - breaking down something into its smaller components

55
Q

For what reason would a CS professional use reverse engineering? (2)

A

Make sure proprietary software is secure
Verify whether suspicious software is malicious

56
Q

A method of detecting malware based on behavior, rather than based on signatures

Involves executing code in a controlled environment and watching how the code behaves

A

Sandboxing

57
Q

Another term for sandboxing is

A

Code detonation

58
Q

2 methods that computers use to process code

A

Interpreted language
Compiled language

59
Q

Difference between interpreted language and compiled language

A

With interpreted language, the computer works directly from the source code. This code is human-readable. (ex. Ruby, Python)

With compiled code, the source code is converted to binary. This is NOT human-readable. (ex. C/C++, Java)

60
Q

2 methods that can be used to reverse engineer compiled code

A

Use a decompiler to convert binary into the source code (this is not very reliable)

Use a specialized environment to monitor how the software responds to input, and attempt to discover its inner workings

61
Q

What 2 things are done to make sure a piece of hardware is safe, without having to reverse engineer it?

A

Verify there has been no tampering
Verify source authenticity

62
Q

Companies that were certified by the DoD and NSA to be secure manufacturers of systems. These systems are used for the US govt.

A

Trusted foundries

63
Q

OEM stands for

A

Original Equipment Manufacturer

64
Q

2 desired outcomes of creating standardized processes

A

Reduces time and effort required to react to a task

Ensures different team members respond consistently to similar situations

65
Q

SOAR stands for

A

Security Orchestration, Automation, and Response

66
Q

A security solution that allows the automation of tasks throughout multiple different platforms, tools, and apps

A

SOAR

67
Q

A method of writing code to automate work

68
Q

A method of using vendor-provided interfaces to tie different products together

A

Integration

69
Q

API stands for

A

Application Programming Interface

70
Q

An interface that allows you to interact with a service without using web-based interfaces. It also allows you to write code to automate actions.

A

API

71
Q

The primary means of integrating sec tools

72
Q

A method for one application to automatically send real-time data via web request to another application when a specific event occurs

ex. Configuring the threat intelligence platform to send a request to the vulnerability scanner’s API each time a new vulnerability is reported

73
Q

Small programs that run inside of browsers

A

Plugins

74
Q

What use do plugins have in a CS context?

A

Data enrichment

ex. Each time you hover over a link, a plugin can pull up Whois and a reputation check for that website

75
Q

What technology will be increasingly used as CS develops? This will help identify patterns and extract knowledge from large volumes of data.

A

Machine learning