Domain 1 : General Security Concepts Flashcards
What is a firewall?
Firewalls are a common technical control used to protect computer networks from unauthorized access. They monitor incoming and outgoing network traffic, filter and block potential threats, and reduce the risk of unauthorized intrusion.
Security Controls
A security control is a safeguard designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation.
Technical Controls
The control is implemented as a system (hardware, software, or firmware). Technical controls mitigate risk and are typically implemented and operated by the security team.
Data Encryption
Data encryption is a technical control that converts sensitive information into ciphertext, making it unreadable to unauthorized individuals. It reduces the impact of a data breach by ensuring that even if data is intercepted or stolen, it remains inaccessible without the decryption key.
Managerial controls
The control gives oversight of the information system. Examples include risk identification or a tool allowing the evaluation and selection of other security controls.
Performance Reviews
Performance reviews are a managerial control that involves regular assessments of employee performance. By providing feedback, setting goals, and identifying areas for improvement, performance reviews help align employee activities with organizational objectives and ensure that employees are performing effectively.
Risk Assessment
Risk assessments are a managerial control that involves the systematic identification, evaluation, and mitigation of potential risks within an organization. They help with identifying vulnerabilities, assessing the likelihood and impact of risks, and developing strategies to minimize or mitigate them. By conducting regular risk assessments, management can proactively identify and address potential threats, reducing the organization’s overall risk exposure.
Code of Conduct
A code of conduct is a set of guidelines and ethical standards established by management to govern employee behavior. It serves as a managerial control by defining acceptable behavior, promoting ethical conduct, and reducing the risk of misconduct within the organization.
Operational Controls
The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls.
Incident response procedures
Incident response procedures are operational controls that outline the steps to be followed in the event of a security incident or breach. These procedures provide a structured approach to detecting, responding to, and recovering from security incidents. By having well-defined incident response procedures in place, organizations can minimize the impact of security breaches, mitigate further risks, and restore normal operations more effectively.
Security Awareness Training
Security awareness training is an operational control that educates employees about security threats, best practices, and organizational policies.
User Access Management
User access management is an operational control that involves the management and control of user access privileges to systems, applications, and data. It includes processes for user provisioning, access requests, access revocation, and periodic access reviews.
Physical Controls
Controls such as alarms, gateways, locks, lighting, and security cameras that deter and detect access to premises and hardware are often placed in a separate category from technical controls.
Access control vestibule
An access control vestibule is a small, enclosed area with two doors that creates a buffer zone between the outside environment and the secured area. It typically requires individuals to pass through multiple authentication steps (such as presenting an access card or undergoing biometric verification) before they can proceed into the secured area.
Mantraps
Mantraps are enclosed areas that allow only one person at a time to pass through. They typically consist of two interlocking doors or gates. The first door must close and lock before the second door opens, ensuring that only authorized individuals can proceed through the controlled area.
Tamper-evident seals
Tamper-evident seals are used to secure containers, equipment, or sensitive areas. These seals are designed to show visible signs of tampering or unauthorized access, such as a broken seal or a change in color, indicating that someone has attempted to open or tamper with the secured item.
What are the security control types?
Preventive
Deterrent
Detective
Corrective
Compensating
Directive
Preventive control
These controls are designed to prevent problems or risks from occurring in the first place. They focus on eliminating or minimizing potential threats before they can cause harm. Examples of preventative controls include firewall installations to prevent unauthorized access to computer networks by using access control lists, employee training programs to educate staff about safety procedures and prevent workplace accidents, and quality control checks in the manufacturing process to prevent defects.
Deterrent Controls
Deterrent controls aim to discourage individuals from engaging in undesirable behaviors or activities. They create a perception of risk or negative consequences to deter potential offenders. Examples of deterrent controls include surveillance cameras in public areas to deter criminal activity and warning signs indicating the presence of a security system to discourage burglars. Strong passwords and multi-factor authentication are sometimes listed here because they discourage casual attempts, but since they actually block unauthorized access they are more correctly classed as preventive controls.
Detective control
Detective controls are implemented to identify and detect problems or risks that have already occurred. They help uncover issues and anomalies promptly to initiate corrective actions. Examples of detective controls include regular financial audits to identify accounting irregularities or fraud and Security Information and Event Management (SIEM) systems that aggregate and correlate log data from multiple sources, providing a comprehensive view of network activities and enabling the detection of suspicious patterns or behaviors.
Corrective controls
Corrective controls are put in place to address problems or risks after they have been identified. They aim to rectify the situation, mitigate the impact, and restore normalcy. Examples of corrective controls include implementing a backup and recovery system to restore data after a system failure and implementing fixes or patches to address software vulnerabilities
Compensating Controls
Compensating controls are alternative measures implemented when primary controls are not feasible or sufficient. They help offset the limitations or deficiencies of other controls.
Directive Controls
Directive controls involve providing specific instructions or guidelines to ensure compliance with policies, procedures, or regulations. They establish a clear framework for employees to follow
Authentication Header(IPSEC Packet)
The Authentication Header (AH) provides data-origin authentication, integrity, and anti-replay protection for an IPsec packet by attaching a keyed hash (an HMAC, historically HMAC-MD5 or HMAC-SHA-1, today HMAC-SHA-256 or stronger) computed over the payload and the immutable fields of the IP header, so tampering in transit is detected. AH provides no confidentiality: the payload travels in the clear. Because its integrity check covers the IP header, AH breaks when a NAT device rewrites addresses, which is one reason most deployments use ESP instead.
Encapsulated Security Payload (ESP)
Encapsulating Security Payload (ESP): ESP is the IPsec protocol that carries the protected data, encrypted with the symmetric cipher negotiated for the security association. DES and 3DES appear in older material but are deprecated; AES (commonly AES-GCM, which also provides integrity) is the current choice. An ESP packet comprises:
Header: the ESP header, placed after the IP header, carries the Security Parameters Index (SPI), which identifies the security association, and a sequence number used for anti-replay checks.
Payload data: the protected data, which can be any type of network traffic, such as email, web browsing, or file transfers, plus the original IP header when tunnel mode is used.
ESP trailer: padding, pad-length, and next-header fields that are encrypted together with the payload. When an integrity algorithm is configured, an Integrity Check Value (ICV) follows the trailer; unlike AH, ESP integrity does not cover the outer IP header, so ESP works through NAT.
Always-on VPN
An always-on VPN is a remote-access (client) VPN configuration in which the device establishes the tunnel automatically whenever it has network connectivity, without the user choosing to connect, so that traffic is never sent outside the tunnel. Site-to-site VPNs, which build a point-to-point tunnel between the VPN gateways of two sites, are likewise normally kept permanently established.
How does MIB work?
Management Information Base, also known as MIB, is a hierarchical database that contains configuration and other vital management information of SNMP devices in the form of data objects. An SNMP management system uses these database files to interpret the messages sent by the managed devices.
DKIM
DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.
Virtualization
Virtualization allows multiple virtual machines (VMs) to run on a single physical server,
Tunnel mode
Tunnel mode protects the entire original IP packet: the original header and payload are encrypted (ESP) or authenticated (AH) and encapsulated inside a new outer IP header addressed to the peer gateway. It is the mode used for site-to-site VPNs, where the two gateways keep the tunnel always on on behalf of the hosts behind them. Note that AH is never encrypted; it only authenticates.
Transport mode
Transport mode keeps the original IP header in the clear and protects only the payload (the transport-layer segment and above). It is used for end-to-end communication, such as host-to-host or client-to-server, where the endpoints themselves terminate IPsec.
Regression Testing
a type of testing in the software development cycle that runs after every change to ensure that the change introduces no unintended breaks.
MAC access control
Mandatory access control (MAC) is a stringent model in which a central authority assigns classification labels to objects and clearance levels to subjects; access is decided by comparing the two, and neither owners nor users can override the policy. The classification levels (Top Secret, Secret, Confidential, and Restricted) reflect the degree of damage unauthorized disclosure would do to national interests, but the same labelling approach applies to any organization for which data sensitivity and confidentiality are paramount.
RBAC
Role-based access control (RBAC) grants permissions to roles rather than to individual users, and users gain access by being assigned roles. It is often employed within departments where specific job functions need specific resources, minimizing the risk of unauthorized access to sensitive information. For example, only the two people holding the check-signer role in the finance department may sign checks; similarly, only the two people with the mail-administrator role in IT may administer the email server, as others may not have the skills.
DAC access control
Discretionary access control (DAC) is a model in which the owner of an object (typically a file or directory) decides who may access it, usually by setting permissions in an access control list (ACL). Because owners grant access at their own discretion, DAC is flexible but harder to govern centrally than MAC.
ABAC
Attribute-based access control (ABAC) evaluates a policy over attributes of the subject (department, clearance), the resource (owner, classification), and the environment (time of day, device state, location), allowing organizations to grant permissions at a granular level.
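The four models above side by side, as an added example that is not part of the original flashcards: a minimal policy decision function for each, with every subject, object, role, attribute, and policy rule constructed for illustration (the MAC rules are the Bell-LaPadula "no read up" and "no write down" properties, assumed here as the mandatory policy).

```python
# Added example (not from the original flashcards): a minimal policy decision
# function for each of the four access control models. Every subject, object,
# role, and attribute below is constructed for illustration.

# --- MAC: labels are ordered; the system, not the owner, enforces the comparison.
LEVELS = {"Restricted": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_allows(clearance, classification, action):
    """Bell-LaPadula rules (assumed as the MAC policy): a subject may read
    objects at or below its clearance ("no read up") and write only to objects
    at or above it ("no write down"), so secrets cannot flow to lower levels."""
    subject, obj = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")

# --- DAC: the object's owner decides, recording grants in an ACL.
def dac_allows(owner, acl, subject, permission):
    """The owner always has full control; anyone else gets exactly what the
    owner wrote into the ACL (a mapping of subject -> set of permissions)."""
    if subject == owner:
        return True
    return permission in acl.get(subject, set())

# --- RBAC: permissions hang off roles; users are given roles, never raw permissions.
ROLE_PERMISSIONS = {
    "finance-check-signer": {"sign_check"},
    "mail-admin": {"administer_mail_server"},
    "staff": {"read_intranet"},
}

def rbac_allows(user_roles, permission):
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in user_roles)

# --- ABAC: a predicate over subject, resource and environment attributes.
def abac_allows(subject, resource, environment):
    """Assumed policy: the subject must be in the resource's department, and a
    resource marked sensitive may only be opened from a managed device during
    business hours (08:00-18:00 local)."""
    if subject["department"] != resource["department"]:
        return False
    if resource.get("sensitive", False):
        return environment["managed_device"] and 8 <= environment["hour"] < 18
    return True

if __name__ == "__main__":
    print(mac_allows("Secret", "Top Secret", "read"))               # False: no read up
    print(dac_allows("alice", {"bob": {"read"}}, "bob", "write"))   # False: never granted
    print(rbac_allows({"staff"}, "sign_check"))                     # False: wrong role
    print(abac_allows({"department": "finance"},
                      {"department": "finance", "sensitive": True},
                      {"managed_device": True, "hour": 10}))        # True
```

The contrast to notice is who can change the answer: in MAC only the labelling authority, in DAC the owner, in RBAC whoever assigns roles, and in ABAC whoever edits the policy predicate.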
OTP (one-time password)
An OTP is a short-lived password, valid for a single login, that is delivered to the user's phone or generated by an authenticator app and used as an additional factor of authentication.
Knowledge based authentication
KBA is based on knowledge factors such as security questions, which are considered soft because they rely on information only the user should know. For example, when being authenticated by your bank, you may be asked to list the last three transactions on your account.
Password Complexity
Often referred to as “strong passwords,” complex passwords contain elements from at least three out of four groups: lowercase letters, uppercase letters, numbers, and special characters not commonly used in programming.
Password Expiry
Password expiry is a security measure that requires users to change their passwords after a set period to limit how long a compromised password remains usable.
Password Vaulting
Password vaulting is the process by which the credentials of administrative and privileged accounts are removed from day-to-day use (for example, from individual administrators in an Active Directory environment) and held in a password vault, normally a privileged access management (PAM) software solution. When a PAM request has been authorized, the credential is checked out for the approved period and then returned to the vault.
IAM
Identity and Access Management (IAM) is the set of policies, processes, and tools used to establish identities and control what they can access. Related topics include password managers, which generate and securely store complex passwords, and passwordless access using SSH keys in Linux environments, which enhances security by eliminating traditional passwords.
Cyber Kill Chain
Stages of the Cyber Kill Chain
Reconnaissance
Calling employees, sending emails, social engineering, dumpster diving
Weaponization
Create malware payload
Delivery
Delivery medium, such as USB, email, web page
Exploitation
Executing code via a vulnerability
Installation
Installing malware on the asset
Command and Control
Infected system sends back information to the attacker
Action on Objectives
Hands-on keyboard—attack complete
Diamond Model
Adversary: This is the threat actor group. The MITRE ATT&CK framework can be used to identify who they are and what attacks they use.
Capabilities: This refers to the exploit an adversary develops to carry out their attack. These are also laid out in the MITRE ATT&CK model.
Infrastructure: This is the path or means by which the attacker can get to the victim. This could be via USB, email, IP address, or remote access.
Victim: This is the person or organization targeted by the adversary.
Legal Hold
To implement a legal hold, organizations identify the pertinent data and notify relevant personnel, legally obligating them to safeguard and retain the specified information. This preservation effort extends throughout the legal proceedings or until the hold is lifted upon resolution of the matter.
Record time offset
When gathering evidence from computers, capture the regional time setting or time zone (the essence of time offset). This becomes important in investigations as it enables the seamless determination of the sequence of events.
Time normalization
Time normalization is the process where evidence that is collected across multiple time zones can be placed into a common time zone (such as GMT) in order to place the series of events in a meaningful chronological sequence.
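The two cards above (record time offset, then time normalization) as a worked procedure; this is an added example, not part of the original flashcards. The three evidence lines and their recorded offsets are constructed; the point is that sorting on timestamps as written gives the wrong sequence of events once the offsets differ.

```python
# Added example (not from the original flashcards): normalizing timestamps that
# were collected with different recorded time offsets into UTC before ordering
# them. The three evidence lines below are constructed.
from datetime import datetime, timedelta, timezone

# (source, timestamp exactly as written in that source's local time,
#  UTC offset in hours captured from that machine's regional settings)
EVIDENCE = [
    ("web-01 access log (EDT)",  "2024-05-06 09:02:11", -4),
    ("db-01 audit log (UTC)",    "2024-05-06 12:58:40",  0),
    ("laptop event log (CEST)",  "2024-05-06 14:59:05", +2),
]

def to_utc(local_ts, offset_hours):
    """Attach the recorded offset to the naive timestamp, then convert to UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)

def naive_timeline(evidence):
    """Sources ordered by the timestamps as written: misleading when offsets differ."""
    return [src for src, ts, _ in sorted(evidence, key=lambda e: e[1])]

def normalized_timeline(evidence):
    """Sources in true chronological order, each with its UTC timestamp."""
    rows = [(src, to_utc(ts, off)) for src, ts, off in evidence]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    print("as written :", naive_timeline(EVIDENCE))
    print("normalized :")
    for src, ts in normalized_timeline(EVIDENCE):
        print("  ", ts.strftime("%Y-%m-%d %H:%M:%SZ"), src)
```

Without the offsets the web server looks like the first thing to happen; after normalization it is the last, which is exactly the kind of reversal that changes which host was the initial point of compromise.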
Layer 4 firewall
A Layer 4 firewall is a packet-filtering firewall: it permits or denies packets according to predefined rules over transport-layer fields, namely source and destination IP addresses, protocol, source and destination ports, and TCP flags. In its stateless form each packet is judged on its own, so it cannot confirm that a TCP three-way handshake actually took place; a stateful Layer 4 firewall keeps a connection table and can therefore tell a legitimate reply from a spoofed packet that merely has the ACK flag set. Neither performs deep packet inspection of the application payload.
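The stateless-versus-stateful distinction above in code, as an added example that is not part of the original flashcards. The rule base, hosts, and packets are constructed; the interesting case is the attacker's bare ACK packet to port 22, which a stateless filter that approximates "established" by the ACK flag lets through and a stateful filter rejects because no handshake opened that flow.

```python
# Added example (not from the original flashcards): the same rule base applied
# by a stateless Layer 4 packet filter and by a stateful one. The packets and
# addresses below are constructed; "A" in flags means the TCP ACK bit is set.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

WEB_SERVER = "10.0.0.10"   # assumed: the only exposed service is HTTPS on this host

def stateless_allows(pkt):
    """Stateless filter: every packet is judged on its own header fields.
    Rule 1: new connections to the web server on 443.
    Rule 2: 'established' traffic, which a stateless device can only guess
            from the ACK flag because it keeps no record of any handshake."""
    if pkt.dst == WEB_SERVER and pkt.dport == 443:
        return True
    if "A" in pkt.flags:
        return True
    return False

class StatefulFilter:
    """Stateful filter: only a SYN to an allowed service creates an entry in
    the connection table; every other packet must belong to a tracked flow."""
    def __init__(self):
        self.flows = set()

    def allows(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":                      # connection attempt
            if pkt.dst == WEB_SERVER and pkt.dport == 443:
                self.flows.add(forward)
                return True
            return False
        return forward in self.flows or reverse in self.flows

def run_scenario():
    """Replay a handshake and two probes; returns {description: (stateless, stateful)}."""
    client, attacker = "203.0.113.5", "198.51.100.9"
    stateful = StatefulFilter()
    packets = [
        ("client SYN to web 443",          Packet(client, 40001, WEB_SERVER, 443, "S")),
        ("web SYN-ACK back to client",     Packet(WEB_SERVER, 443, client, 40001, "SA")),
        ("client ACK completes handshake", Packet(client, 40001, WEB_SERVER, 443, "A")),
        ("attacker bare ACK to SSH 22",    Packet(attacker, 5555, WEB_SERVER, 22, "A")),
        ("attacker SYN to SSH 22",         Packet(attacker, 5556, WEB_SERVER, 22, "S")),
    ]
    return {desc: (stateless_allows(p), stateful.allows(p)) for desc, p in packets}

if __name__ == "__main__":
    for desc, (stateless, stateful) in run_scenario().items():
        print(f"{desc:34} stateless={stateless!s:5} stateful={stateful}")
```

The bare-ACK probe is the classic ACK-scan technique for mapping which ports a stateless ACL leaves reachable; the stateful table closes that gap at the cost of memory per tracked flow.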
Least utilised host
The load balancer monitors the health of all web servers within the server farms and identifies the least utilized host (that is, the host with the lightest current workload) using a smart scheduling algorithm. This method is effective for applications where server load varies, and the goal is to optimize resource utilization.
Microwave sensor
Emitting microwave pulses and detecting frequency alterations caused by moving objects, these sensors excel in diverse security scenarios.
Infrared Sensor
These detect heat signature changes, effectively identifying human or animal presence. They find applications in perimeter protection and indoor security.
Quorum Disk
a shared storage resource that members of the cluster share. It acts as a neutral arbiter, storing critical configuration and state information that both the active and passive nodes access.
Witness server
Adding an additional layer of reliability, the witness server is an impartial entity that assists in determining the state of the cluster. The witness server helps prevent split-brain scenarios and ensures that the cluster operates smoothly.
Heartbeat Communication
Communication between the active and passive nodes is facilitated through a heartbeat mechanism: regular exchanges of status updates, or a "node heartbeat," usually over a dedicated link. The passive node continuously monitors the active node's heartbeat. If it detects an absence or irregularity in the heartbeat, it concludes that the active node has failed and takes over its workload.
Zone-Redundant Storage (ZRS)
ZRS takes redundancy a step further by replicating data between three separate availability zones within your primary cloud region. It provides enhanced availability within the region, making it a suitable choice for primary storage. However, ZRS does not protect against a regional catastrophe that affects all availability zones simultaneously and would leave data inaccessible.
GEO redundant Storage
Geo-Redundant Storage (GRS): Similarly to locally redundant storage (LRS), GRS keeps three copies of your data within a single physical location in the primary region. GRS then goes a step further by also replicating the data to a secondary region, often at a considerable geographical distance. This approach provides protection against regional disasters while maintaining high availability within the primary region.
TACACS+ port number
49 (TCP)
Remote Desktop protocol
3389
DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy that a domain owner publishes as a DNS TXT record at _dmarc.<domain>. It builds on SPF and DKIM: a message passes DMARC only if SPF or DKIM passes and the authenticated domain aligns with the domain in the visible From: header. The record tells email receivers (such as ISPs and email providers) what to do with messages that fail, using a policy of none (monitor only), quarantine, or reject, and where to send aggregate (rua) and forensic (ruf) reports.
DKIM
DKIM is an email authentication method that enables a sender to digitally sign selected headers and the body of each message with a private key whose public key is published in DNS under a selector for the signing domain. The recipient's email server validates the signature to confirm that the message came from that domain and was not altered in transit; DKIM therefore lets receivers detect tampering rather than prevent it.
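The receiving-side evaluation described in the DMARC and DKIM cards above (policy lookup, SPF and DKIM alignment against the From: domain, and the separate subdomain policy), as an added example that is not part of the original flashcards. The record, domains, and authentication results are constructed; the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List), and the pct= sampling tag is ignored.

```python
# Added example (not from the original flashcards): how a receiving mail server
# combines SPF and DKIM results with a DMARC record. The record, domains and
# results are constructed; the organizational domain is approximated as the last
# two labels, whereas real implementations consult the Public Suffix List.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])   # assumption: 2-label org domain

def aligned(from_domain, auth_domain, mode):
    """Strict alignment ('s') needs an exact match with the From: domain;
    relaxed ('r', the default) accepts any domain in the same organization."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record_txt, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject').
    spf_domain is the envelope-from (MAIL FROM) domain that SPF checked;
    dkim_domain is the d= tag of a DKIM signature that verified."""
    rec = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain in From: falls under sp= when present, otherwise under p=.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    if is_subdomain and "sp" in rec:
        return rec["sp"]
    return rec.get("p", "none")

# Constructed record for the page's example domain.
RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
          "rua=mailto:dmarc@securityplus.training")

if __name__ == "__main__":
    # Spoofed From: with the attacker's own SPF and DKIM both passing: rejected,
    # because neither authenticated domain aligns with securityplus.training.
    print(dmarc_disposition(RECORD, "securityplus.training",
                            "pass", "evil.example", "pass", "evil.example"))
```

The last case is the one DMARC exists for: SPF and DKIM on their own only say that some domain vouched for the message, and it is the alignment check that ties that domain to what the recipient actually sees in From:.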
File Integrity Monitoring (FIM)
safeguards systems by establishing a baseline of normal file and system configurations. It continuously monitors these parameters in real time, promptly alerting the security team or IT administrators when unauthorized changes occur. FIM helps mitigate threats early, ensures compliance with regulations, detects insider threats, protects critical assets, and provides valuable forensic assistance after security incidents.
Data Loss Prevention (DLP
DLP prevents unauthorized or inadvertent leakage of PII and sensitive information, whether it’s through email or a USB drive. DLP operates on a foundation of pattern recognition and regular expressions.
Health authority
Following user authentication, the Health Authority (HAuth) inspects the client device's registry to determine whether it is fully patched. A device that is up to date with all the necessary patches is labeled "compliant" and granted access to the LAN. If a device has missing patches, it is categorized as "non-compliant" and redirected to what is often called a boundary network or quarantine network, where a remediation server supplies the missing updates before access is re-evaluated.
User Behavior Analytics (UBA)
UBA baselines how users normally interact with an organization's systems (logon times, locations, data volumes, resources touched) and flags deviations from that baseline, since compromised accounts and insider threats often hide inside what looks like routine daily activity. Any abnormality is reported to the security operations center for investigation.
POP3S
Post Office Protocol 3 Secure (POP3S), TCP port 995: the secure version of POP3 that wraps the session in TLS.
Exposure Factor
EF is a measure of the magnitude of loss or damage that can be expected if a risk event occurs. It is represented as a percentage, reflecting the portion of an asset’s value likely to be affected. By determining the EF, organizations can assess the extent of damage a specific risk can inflict to produce more accurate risk valuations.
PCI-DSS
PCI-DSS is a robust security standard designed to safeguard payment card data during transactions. It sets stringent requirements for organizations to protect sensitive financial information, ensuring secure commerce in an evolving digital landscape.
Chemical decomposition
This involves using chemicals to break down the asset’s components.
Crushing
This means applying great force to render the asset unusable.
Volume Encryption
BitLocker’s integration with the TPM introduces a robust layer of security, enhancing the process of volume-level encryption. By utilizing the TPM chip, BitLocker ensures the integrity of a system’s boot process and authentication mechanisms
Password-Based Key Derivation Function 2 (PBKDF2)
This widely used method iterates through a hash function multiple times, effectively slowing down the key derivation process
Bcrypt
Specifically designed for password hashing, bcrypt incorporates a salt and a configurable cost factor (number of rounds), so the time required for each hash can be raised as hardware gets faster.
Public Ledger
open public ledger is a foundational element of blockchain systems. It’s essentially a digital record of all transactions that have ever occurred within the blockchain network
CA types
CAs come in two types: online and offline. Online (issuing) CAs are network-connected so they can issue certificates and publish revocation information in real time. Offline CAs, typically the root CA at the top of the trust chain, are kept disconnected and powered off except when signing a subordinate CA certificate, so that the most valuable key is isolated from online threats.
Wildcard Certificate
A wildcard certificate for the domain securityplus.training would have the subject *.securityplus.training and can be installed on multiple public-facing web servers (www.securityplus.training, mail.securityplus.training, and so on). The wildcard matches exactly one label: it does not cover the bare domain securityplus.training or deeper names such as a.b.securityplus.training, and because every server shares the same private key, compromising one exposes them all.
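The one-label matching rule above, as an added example that is not part of the original flashcards: the check a TLS client applies when deciding whether a certificate name covers the hostname it connected to. Hostnames are constructed; the refusal of wildcards directly under a top-level domain is an assumed conservative rule.

```python
# Added example (not from the original flashcards): the name-matching rule a
# TLS client applies to a wildcard certificate. Hostnames are constructed.

def cert_name_matches(cert_name, hostname):
    """True if `hostname` is covered by the certificate name `cert_name`.
    A leading '*.' matches exactly one DNS label (RFC 6125 style): the bare
    domain and deeper subdomains are not covered. Any other name is literal."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if len(cert_labels) < 3:          # assumed rule: refuse '*.com'-style wildcards
        return False
    if len(cert_labels) != len(host_labels) or not host_labels[0]:
        return False
    return cert_labels[1:] == host_labels[1:]

def uncovered_hosts(cert_name, hostnames):
    """Which of a deployment's hostnames would still fail validation."""
    return [h for h in hostnames if not cert_name_matches(cert_name, h)]

if __name__ == "__main__":
    print(uncovered_hosts("*.securityplus.training", [
        "www.securityplus.training",
        "MAIL.SecurityPlus.Training",
        "securityplus.training",
        "dev.api.securityplus.training",
    ]))
```

Running this against the full list of a site's hostnames before buying a wildcard is the cheap way to discover that the apex and the second-level API names will each need their own certificate or a SAN entry.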
Asymmetric Algorithms
Examples of asymmetric algorithms include RSA, Diffie–Hellman, and Elliptic Curve Cryptography (ECC).
Asymmetric Encryption
Asymmetric encryption uses a key pair, a private key and a public key, each with a unique role. The private key, as its name suggests, remains confidential and closely guarded by the entity it belongs to; the public key is distributed freely.
Suppliers
Suppliers, often referred to as third-party contributors who provide goods or services, are an integral part of the process but can also introduce risks. Therefore, it’s important to scrutinize suppliers’ security practices as part of a comprehensive supply chain risk management strategy.
Vendors
The relationships between organizations and their vendors often involve the sharing of sensitive information. Yet, vendors can unwittingly serve as vectors for cyber threats.
Spear Phishing
Spear phishing is a more targeted variant of phishing, directed at specific individuals or groups (when the targets are senior executives such as a company's board of directors, it is often called whaling). These emails are tailored to create a sense of authenticity and urgency, enticing the victim to click a link embedded in the email, which typically leads to a malicious website or triggers a malware download.
/var/www/html
These are web application directories where source code, configuration files, and potentially sensitive data could be stored.
SSL/TLS downgrade
An SSL/TLS downgrade attack is one in which an attacker positioned between a client (such as a web browser) and a server manipulates the handshake so that the two parties settle on an older, weaker protocol version or cipher suite than the strongest one both support. The server is thus tricked into using less secure protocols or algorithms, making it easier for the attacker to intercept and decrypt the transmitted data and compromising the confidentiality of the connection. Disabling legacy protocol versions and supporting TLS_FALLBACK_SCSV (RFC 7507), which lets a client flag that it is retrying with a lower version, are the standard mitigations.
SSL stripping
SSL stripping is an attack in which a malicious actor intercepts a user's connection before it is upgraded to HTTPS and keeps the user on unencrypted HTTP while maintaining the HTTPS connection to the website itself, allowing the attacker to eavesdrop on sensitive information without the user noticing. HTTP Strict Transport Security (HSTS) defends against it by instructing the browser to connect only over HTTPS.
Collision Attacks
Cryptography relies on hash functions producing a unique digest for each input so that signatures and integrity checks are meaningful. A collision attack finds two different inputs that produce the same hash, breaking that uniqueness; an attacker can then substitute a malicious document for a benign one whose hash or signature was already trusted. Practical collisions are why MD5 and SHA-1 are no longer acceptable for digital signatures.
Reason for hashing
The two main reasons to use hashing are as follows:
Data integrity: Hashing lets you confirm that data has not been altered. After downloading a file, hash it and compare the result with the hash the publisher lists; if the values match, integrity has been maintained, and if they differ, the file was corrupted or tampered with.
Password security: Hashing is a one-way function, so a system can store a hash of each password and verify a login by hashing the supplied password and comparing the result, without ever storing the password itself. Hashing is not encryption and cannot be reversed; an attacker who steals the hashes can only guess candidate passwords and hash them, which is why slow, salted password hashes (PBKDF2, bcrypt) are used to make that guessing expensive.
Salting
A salt is a random value generated for each password and stored alongside its hash. It is combined with the password before hashing, so that two users with the same password get different hashes and precomputed (rainbow) tables are useless against the stored values.
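The PBKDF2, salting, and data-integrity cards above in one working example, added here and not part of the original flashcards. It uses only the Python standard library; the iteration count, the storage format, the sample "download," and its published digest are assumptions constructed for the example.

```python
# Added example (not from the original flashcards): salted PBKDF2 password
# storage and a file-integrity check, both using only the standard library.
# The iteration count and storage format are assumptions chosen for this example.
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16

def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. A fresh random
    salt per password means equal passwords never share a stored hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format {algorithm!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def file_integrity_ok(data, published_sha256_hex):
    """Integrity check for a downloaded file: hash the bytes you received and
    compare with the digest the publisher lists."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, published_sha256_hex.lower())

# Constructed 'download' and the digest its publisher would list for it.
SAMPLE_FILE = b"hello"
SAMPLE_DIGEST = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print(first != second)                                         # different salts
    print(verify_password("correct horse battery staple", first))  # True
    print(verify_password("Tr0ub4dor&3", first))                   # False
    print(file_integrity_ok(SAMPLE_FILE, SAMPLE_DIGEST))           # True
    print(file_integrity_ok(b"hellp", SAMPLE_DIGEST))              # False: one byte changed
```

Storing the iteration count inside the hash string is what lets you raise the work factor later and transparently re-hash old entries on the user's next successful login.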
VLSM
A VLSM (short for “variable length subnet mask”) is a computer networking technique to divide an IP network into subnets with different subnet masks.
SSL Decryption
SSL/TLS decryption (TLS inspection) allows the firewall to decrypt and inspect encrypted traffic. The firewall terminates the client's TLS session using a certificate issued by a CA that the organization's devices have been configured to trust, opens a second TLS session to the real server, and inspects the plaintext in between; without that trusted CA the clients would see certificate errors.
Air-gapped network
An air-gapped network means that no devices within that network have cable or wireless connections from which data might be stolen. Therefore, the only way to place or remove data from the computer is by removable media such as a USB drive.
VLAN
A VLAN is established through the software on a network switch. It allows you to group multiple network ports together, effectively creating a distinct and separate network within the larger network. This method of network division aids in controlling traffic flow and segregating communications for distinct functions or device groups
ECC
Elliptic-curve cryptography (ECC) is a type of public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC needs much smaller keys than non-EC cryptography such as RSA for equivalent security (a 256-bit curve is comparable to 3072-bit RSA), so it is preferred where efficiency matters or where stronger security via larger keys is required.
Public Key
As its very name suggests, the public key is designed for widespread dissemination and can be freely shared without compromising security. The role of the public key is to encrypt data and verify digital signatures. For example, suppose George wants to send sensitive data to Mary. He obtains a copy of Mary's public key and uses it to encrypt the data, converting plaintext into unreadable ciphertext. If a malicious entity intercepts the encrypted data in transit, it cannot read the original message without Mary's private key, the only key that can decrypt it. Public keys are normally distributed inside an X.509 certificate (PEM or DER encoded); the .p7b extension denotes a PKCS#7 bundle that carries certificates or a certificate chain but never a private key.
non credentialed scan
A non-credentialed scan runs without any logon credentials for the target, so it can only identify vulnerabilities that are visible from the network, such as open ports, service banners, and externally detectable misconfigurations.
credentialed scan
credentialed scan, by comparison, is a much more powerful version of the vulnerability scanner. It has elevated privileges, thereby providing more accurate information.
Wireless devices
Wireless devices normally join a wireless network via a connection made through a WAP. In a home environment, it is called a wireless router. Infrastructure in a wireless network refers to a WAP setup
CYOD
CYOD is a policy in which the company provides employees with a selection of approved devices to choose from. These devices are owned and managed by the organization
COPE
In this model, organizations provide employees with corporate-owned devices that can be used for both business and personal purposes but must comply with company policies.
RFID
Radio-frequency identification (RFID): This uses radio-frequency electromagnetic fields to read data from a tag attached to an asset, allowing the asset to be identified and tracked.
Jailbreaking
Jailbreaking applies specifically to Apple iOS devices (the Android equivalent is rooting) and bypasses manufacturer or operating system restrictions, giving users more control over the device. It also removes the platform's security protections, which is why mobile device management policies typically block jailbroken devices.
Programmable Logic Controller level (Level 3)
Programmable Logic Controller (PLC) level (Level 3): This level is responsible for managing and controlling the overall production process.
LDAP Secure
636
LDAP insecure
389
VM escape
Virtualization is designed to isolate VMs from one another, but the hypervisor (the software managing the VMs) is shared by all of them. A VM escape is an attack in which code running inside a guest exploits a flaw in the hypervisor to break out of its isolation and execute on the host or in other guests on the same hypervisor. Because those guests often sit in the same trust zone, a successful escape enables lateral (east-west) movement from one compromised VM across the rest of the virtualized environment.
IMAP
143 insecure
993 secure
Port mirroring
Port mirroring, also known as SPAN (Switched Port Analyzer), is a method used on network switches to send a copy of the packets seen on one port (or an entire VLAN) to another port, where a sensor such as an IDS or packet capture tool can analyze the traffic without being in the forwarding path.