Domain 1 : Security Concepts Flashcards
Confidentiality
Confidentiality ensures that sensitive information remains shielded from prying eyes and that access is granted solely to those with the appropriate authorization.
Integrity
Integrity ensures that your data remains unaltered and trustworthy. It prevents unauthorized changes or manipulations to your information, maintaining its accuracy and reliability.
Availability
This principle guarantees that your digital assets and services are accessible when needed. Availability ensures that your systems are up and running, that your data can be accessed promptly, and that your online services remain accessible.
What is the CIA triad
Confidentiality
Integrity
Availability
Non-Repudiation
Non-repudiation prevents a party from denying an action they performed, ensuring accountability and reliability in electronic transactions and communications. It is typically provided by digital signatures backed by a PKI.
AAA server
An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization and accounting (AAA) services.
Authentication systems use …
At the forefront of modern authentication strategies stand the AAA framework and the 802.1X protocol.
AAA protocols (list)
RADIUS
Diameter
TACACS+
RADIUS
RADIUS is a cornerstone in network security, particularly in remote access scenarios. RADIUS clients encompass a variety of devices, including wireless access points, routers, switches, and VPN concentrators. It runs over UDP (1812 for authentication, 1813 for accounting), combines authentication and authorization in a single exchange, and encrypts only the password attribute with the shared secret, not the whole packet.
Diameter
Diameter has stepped in as RADIUS's evolved successor, extending its capabilities to modern network technologies and running over reliable transports (TCP or SCTP). In this realm, network elements such as 4G and 5G infrastructure devices, including LTE and WiMAX access points, serve as Diameter clients.
TACACS+
TACACS+, created by Cisco, is used to grant or deny access to network devices. TACACS+ clients often include routers, switches, and firewalls. It runs over TCP port 49, separates authentication, authorization, and accounting into distinct exchanges, and encrypts the entire packet body. Just as with RADIUS and Diameter, the shared secret's role remains pivotal, as it forms the bedrock of secure interactions between TACACS+ clients and servers.
What is Gap Analysis?
Gap analysis is a strategic process that evaluates an organization’s security practices against established security standards, regulations, and industry best practices.
Gap analysis requires
Assessment: A thorough assessment is conducted to understand the organization’s current security measures, policies, procedures, and technologies.
Benchmarking: This involves comparing the existing security practices against established industry standards, frameworks, and compliance regulations.
Identification: Gaps are pinpointed by identifying areas where security measures fall short of the desired or required level.
Prioritization: Not all gaps are equal in terms of risk. Prioritization involves ranking the identified gaps based on their potential impact and likelihood of exploitation.
Remediation strategy: With prioritized gaps in mind, a comprehensive remediation strategy is developed. This strategy outlines actionable steps to close the identified gaps and enhance the organization’s security posture.
Infrared sensor
These detect heat signature changes, effectively identifying human or animal presence. They find applications in perimeter protection and indoor security.
Pressure sensor
Sensing changes in pressure from touch or step, these provide reliable indicators of movement, both indoors and outdoors.
Microwave sensors
Emitting microwave pulses and detecting frequency alterations caused by moving objects, these sensors excel in diverse security scenarios.
Ultrasonic Sensors
Operating with sound waves, ultrasonic sensors “see” around corners or within concealed areas, proving valuable in challenging environments.
Physical Security
Physical security encompasses a range of measures designed to deter, detect, and respond to potential risks. From robust barriers to cutting-edge surveillance, each element contributes to the creation of a security framework that safeguards people, assets, and critical information.
Deception and Disruption
These technologies are intended to deceive attackers so that we can learn more about their tools and methods, and to disrupt their attacks by wasting their time on decoys.
Honeypot
When security teams want to learn the attack methods that hackers are using, they set up a decoy system (for example a website or server that looks like a legitimate one but has deliberately weaker security), known as a honeypot. Because it has no legitimate users, any interaction with it is suspicious by definition.
Honeynets
Honeynets are a group of honeypots that together give the appearance of a network.
Honeyfile
In the world of deception, even individual files can become artful lures. The honeyfile stands as an elegant ruse; it may well be a file titled password that is saved onto a desktop.
Honeytoken
Honeytokens play a vigilant role in the realm of cybersecurity, designed to ensnare digital intruders in their tracks. Crafted with precision, these tokens house deceptive markers—dummy data that presents itself as a prized possession to potential thieves.
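Honeytokens only pay off if someone is watching for them. The following added example (not part of the original flashcards) shows the detection side: a small set of constructed decoy credentials and a scanner that runs over constructed log lines and raises an alert whenever one of them is used. The token values, log format, and `src=` field are assumptions for this example; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID from AWS documentation, not a live key.

```python
import re

# Decoy credentials planted where an intruder would find them (config files,
# a wiki page, a repository). All values are constructed for this example.
HONEYTOKENS = {
    "AKIAIOSFODNN7EXAMPLE": "AWS access key planted in finance wiki",
    "svc_backup_readonly": "dormant service account from the CMDB export",
    "ghp_h0neyt0ken0000000000000000000000000": "fake GitHub PAT in a legacy repo",
}

# Constructed key=value log format; only the src= field and the token value matter.
SRC_RE = re.compile(r"\bsrc=(?P<src>\S+)")


def scan_for_honeytokens(log_lines, tokens=HONEYTOKENS):
    """Return one alert per log line that contains any honeytoken value.

    A honeytoken has no legitimate use, so any hit is a high-confidence signal
    that the planting location was read and the value is now being tried.
    """
    alerts = []
    for lineno, line in enumerate(log_lines, start=1):
        for value, label in tokens.items():
            if value in line:
                m = SRC_RE.search(line)
                alerts.append({
                    "line": lineno,
                    "token": label,
                    "src": m.group("src") if m else None,
                })
    return alerts


def attacker_sources(alerts):
    """Distinct source addresses that touched any honeytoken (for blocking/hunting)."""
    return sorted({a["src"] for a in alerts if a["src"]})


# Constructed sample log: two honeytoken uses from the same external address.
SAMPLE_LOG = [
    "2024-03-01T10:02:11Z auth user=alice src=10.1.4.22 result=success",
    "2024-03-01T10:05:47Z auth user=svc_backup_readonly src=203.0.113.9 result=failure",
    "2024-03-01T10:06:03Z api key=AKIAIOSFODNN7EXAMPLE src=203.0.113.9 action=ListBuckets",
    "2024-03-01T10:07:30Z auth user=bob src=10.1.4.31 result=success",
]

if __name__ == "__main__":
    found = scan_for_honeytokens(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("sources to block:", attacker_sources(found))
```

Because the decoy values never appear in legitimate traffic, the scanner needs no threshold or baseline: a single match is enough to open an incident.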
DNS sinkhole (fake information)
A DNS sinkhole, often playfully dubbed the "black hole of the internet," is a tactic where DNS queries for known-malicious domains are deliberately answered with a false IP address under the defender's control, so infected hosts that try to reach a command-and-control server are routed to a sinkhole server instead, where their attempts can be logged and blocked.
Zero Trust
Never trust, always verify: every request is authenticated and authorized against policy, regardless of whether it originates inside or outside the network perimeter.
Control Plane
The control plane serves as an instrumental command center for cybersecurity. It uses the subject/identity with company policies and threat intelligence data to decide which users or devices can access the network. By centralizing control this way, organizations can regulate access, monitor activity, and swiftly respond to emerging threats.
Policy driven access control
The translation of security policies and guidelines into concrete action is a challenge faced by many organizations. Policy-driven access control offers a solution by automating the enforcement of these directives. Through a systematic approach, organizations can define access rights, permissions, and responses to specific scenarios. This not only ensures consistency but also eliminates the risk of human error in the execution of security protocols.
Control Plane features
Policy engine - The policy engine decides, per request, whether a subject may access a resource. It evaluates policies written by the organization's security team against context such as SIEM data, threat intelligence, user attributes, and device posture, then passes its decision (grant, deny, or revoke) to the policy administrator.
Policy administrator - The policy administrator carries out the policy engine's decisions: it establishes or tears down the session, issues the access token or credential the subject will present, and instructs the policy enforcement point accordingly.
Policy enforcement point - The policy enforcement point is the gatekeeper on the data path (in NIST SP 800-207 it sits in the data plane, taking instructions from the control plane). It does not make the access decision itself; it enables, monitors, and terminates connections exactly as the policy administrator directs, so that nothing reaches the resource without a current decision from the policy engine.
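To make the split between the three components concrete, here is an added example (not from the original flashcards or from NIST) of a minimal policy-driven access control flow. The resource catalogue, role names, the 0-100 risk score and the token format are all assumptions for illustration; a real policy administrator would issue a signed, short-lived token rather than a string.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed resource catalogue: which roles may reach each resource and how sensitive it is.
RESOURCES = {
    "payroll-db": {"roles": {"finance", "hr"}, "sensitivity": "high"},
    "wiki":       {"roles": {"finance", "hr", "eng"}, "sensitivity": "low"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa: bool               # did the session complete a second factor
    device_compliant: bool  # posture reported by the endpoint agent (patched, encrypted, ...)
    risk_score: int         # hypothetical 0-100 score fed from SIEM / threat intelligence


def policy_engine(req: AccessRequest) -> Tuple[str, str]:
    """Evaluate policy against context. Returns (decision, reason)."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return "deny", "unknown resource"
    if not req.device_compliant:
        return "deny", "device failed posture check"
    if req.risk_score >= 80:
        return "deny", f"risk score {req.risk_score} above threshold"
    if req.role not in res["roles"]:
        return "deny", f"role '{req.role}' not permitted for {req.resource}"
    if res["sensitivity"] == "high" and not req.mfa:
        return "step-up", "high-sensitivity resource requires MFA"
    return "allow", "all policy checks passed"


def policy_administrator(req: AccessRequest) -> Tuple[str, str, Optional[str]]:
    """Execute the engine's decision; only an 'allow' turns into a session token."""
    decision, reason = policy_engine(req)
    token = None
    if decision == "allow":
        token = f"session:{req.user}:{req.resource}"   # placeholder for a signed token
    return decision, reason, token


def policy_enforcement_point(req: AccessRequest) -> bool:
    """Forward traffic only when the PA handed over a token. The PEP never decides itself."""
    _, _, token = policy_administrator(req)
    return token is not None


if __name__ == "__main__":
    for req in [
        AccessRequest("alice", "finance", "payroll-db", mfa=True, device_compliant=True, risk_score=10),
        AccessRequest("alice", "finance", "payroll-db", mfa=False, device_compliant=True, risk_score=10),
        AccessRequest("dave", "eng", "payroll-db", mfa=True, device_compliant=True, risk_score=10),
        AccessRequest("alice", "finance", "payroll-db", mfa=True, device_compliant=True, risk_score=95),
    ]:
        print(req.user, req.resource, policy_administrator(req))
```

Note that the PEP's only question is "did the administrator give me a token?"; all of the context evaluation lives in the engine, which is what lets the organization change policy centrally without touching every enforcement point.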
Data Plane
The data plane in cybersecurity is the operational core responsible for the actual movement and forwarding of data packets within a network
Subjects (within the data plane)
Subjects in the data plane are the entities that initiate data communication
Systems (data plane)
systems represent the collective infrastructure, resources, and devices that are responsible for processing and forwarding data packets as they traverse the network.
DMZ
The DMZ is an area that is neither fully trusted nor fully untrusted. It’s an intermediate zone that allows controlled access to certain services from the external network. Communication between the DMZ and the internal network might be subject to more stringent controls. This is also commonly known as a screened subnet, where resources that are accessed by untrusted and trusted networks reside.
Adaptive identity
The conventional approach to user identity is undergoing a transformation with the emergence of adaptive identity. No longer confined to static roles and permissions, adaptive identity tailors user privileges based on context. By analyzing user behavior, location, and device characteristics, this approach dynamically adjusts access rights (for example by demanding step-up authentication for an unusual login), reducing the risk of unauthorized activity while keeping the experience seamless for normal use.
Process of Change Management
Approval process: The approval process looks at the proposed change and the reasons behind it (for example, due to new technology or more stringent regulations). This change is sent to any affected stakeholders for input. This way, the approval process ensures that the project’s direction aligns with the organization’s goals. Following approval, those changes are thoroughly documented so that they can be tracked once completed. In simple terms, the approval process is how we ensure that important decisions and changes get the green light from the right people. These decisions could be big, such as upgrading the entire computer system of a company, or small, such as giving someone access to a restricted part of a network.
Ownership: Ownership in change management refers to a person within a department who has asked for a change and will be responsible for ensuring that it is carried out effectively. This could be a company director or a project manager. In terms of security, clear ownership is crucial; this change might be handled by the Chief Information Security Officer (CISO). The CISO ensures that security tasks are carried out effectively and that there is accountability. An example could be ensuring that the proper level of encryption has been implemented and security tasks have been monitored effectively.
Stakeholders: Stakeholders are individuals, groups, or entities that have a vested interest (or stake) in a company’s operations, activities, or outcomes. They can significantly influence or be influenced by the company’s decisions, actions, and performance. However, the concept of stakeholders is not limited to shareholders and investors. It encompasses a broader spectrum of parties that can impact or be impacted by how the company functions. Table 3.1 shows the primary categories of stakeholders in a company:
Impact Analysis
Before making changes, it’s important to analyze how they could impact the organization. In security, this means considering how a change could affect the overall safety of systems and data. This analysis helps in foreseeing potential security risks and finding ways to address them before they become real problems.
Test results
Whenever a new security measure or change is introduced, it’s smart to test it first. Just like a seatbelt is tested before a car hits the road, security measures need to be tested to ensure they work as intended. Test results give confidence that the security actions will protect the organization as expected.
Backout plan
A backout plan is like having a safety net when conducting a risky activity. In security operations, it’s a plan to undo a change if things go wrong. If a new security update crashes a system, the backout plan helps return everything to the way it was, keeping an organization safe from prolonged security vulnerabilities.
Maintenance window
Think of a maintenance window as a scheduled time for fixing things. This would be carried out during silent hours so that it affects fewer people. In terms of security, this is a planned time to implement changes or updates that could impact the organization’s systems. By doing these during a maintenance window, disruptions are minimized, and security measures can be applied smoothly.
Standard Operating Procedure
A standard operating procedure (SOP) is like a rulebook that guides how things should be done. Imagine you’re a pilot preparing for takeoff. Before the engines roar to life, you follow a checklist that outlines every critical step. This is the essence of SOPs. They are meticulously crafted guidelines, akin to your preflight checklist, designed to ensure that complex tasks are executed consistently and accurately.
Restricted activities
Restricted activities prevent actions that could potentially lead to vulnerabilities or disruptions. These activities include unauthorized software installations, unauthorized system modifications, direct access to critical servers, and access to sensitive data or unauthorized data transfers.
Application restart
Application restart vulnerabilities encompass potential security weaknesses that can emerge when an application is restarted. Improper restart procedures can cause data inconsistencies or corruption, potentially affecting the integrity of the application and its security measures.
SNMP agents
SNMP agents are software modules or processes running on network devices, such as routers, switches, servers, and even IoT devices; they expose the device's management data (the MIB) to an SNMP manager.
SNMP Traps
SNMP traps are asynchronous notifications sent by SNMP agents to SNMP managers without a prior request.
SCP protocol
SCP (Secure Copy Protocol) transfers files securely between hosts, typically in Linux/Unix environments. It runs over SSH, so it uses TCP port 22 and inherits SSH's authentication and encryption.
DNSSEC
DNSSEC protects DNS responses against tampering. Each DNS record set is digitally signed by the zone owner and the signature is published as an RRSIG record; validating resolvers check the signature through a chain of trust anchored at the DNS root. This guarantees the origin and integrity of the records (it does not encrypt them or restrict who can read them) and so defeats DNS cache poisoning.
DNS poisoning
DNS poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply and sending users to the wrong website.
site to site vpn
A site-to-site VPN, also known as a router-to-router VPN, connects two whole networks (for example a branch office and headquarters) through VPN gateways at each site, so individual hosts need no VPN client. It is commonly employed by large companies.
SSL VPN
SSL VPN (Secure Sockets Layer Virtual Private Network) uses SSL/TLS (in practice TLS today) to secure the connection between the user and the VPN server. It allows remote users to access a private network securely by establishing an encrypted tunnel between the user's device and the VPN server, often through a standard web browser on TCP port 443.
WPA2-Enterprise
WPA2-Enterprise has a number of advantages that make it a good choice for large company or enterprise networks: it eliminates the risks of a shared pre-shared key, gives each user individual credentials and per-session encryption keys, supports strong authentication methods and controls, allows VLANs to be assigned dynamically per user, and supports Network Access Protection (NAP).
It uses 802.1X with an EAP method and a RADIUS authentication server.
WPA3-SAE
WPA3 uses Simultaneous Authentication of Equals (SAE) to provide stronger defenses against password guessing. SAE is a secure key establishment protocol
PEAP
PEAP (Protected Extensible Authentication Protocol) transports authentication data, including legacy password-based protocols, securely over 802.11 Wi-Fi networks by building a TLS tunnel between the PEAP client and the authentication server; only the server needs a certificate. The most common inner method is MS-CHAPv2 (PEAPv0/EAP-MSCHAPv2).
EAP-FAST
EAP-FAST (Flexible Authentication via Secure Tunneling) uses a Protected Access Credential (PAC) instead of a server certificate to establish the TLS tunnel in which client credentials are verified. EAP-FAST is Cisco's replacement for LEAP.
EAP-TTLS (tunneled TLS)
The server's certificate authenticates the server and sets up a TLS tunnel; the client is then authenticated inside the tunnel with an inner method, which may be EAP-TLS (client certificate), MS-CHAPv2, or even PAP. Only the server needs a certificate unless the inner method is EAP-TLS.
EAP-TLS
Client and server certificates are used for mutual authentication.
Requires a PKI to issue and manage the client certificates.
COPE
Corporate-Owned, Personally Enabled (COPE): in this model, organizations provide employees with corporate-owned devices that can be used for both business and personal use but must comply with company policies.
SSID
The service set identifier (SSID) is the name (up to 32 bytes) that identifies a Wi-Fi network. It is broadcast in beacon frames unless broadcasting is disabled; hiding it is not a security control, because clients still transmit it in probe requests.
CYOD:Choose Your Own Device (CYOD)
CYOD is a policy in which the company provides employees with a selection of approved devices to choose from. These devices are owned and managed by the organization. This model allows for increased flexibility with company devices but still maintains security control
WPS
WPS (Wi-Fi Protected Setup) lets a device join a wireless network by pushing a button or entering an eight-digit PIN, negating the need to type the passphrase. The PIN is validated in two halves, which reduces a brute-force attack to roughly 11,000 attempts, so WPS should be disabled on any network that matters.
Low-level formatting
Low-level formatting (i.e., closest to the hardware) marks the surfaces of the disks with markers indicating the start of a recording block (typically today called sector markers) and other information like block CRC to be used later
SWG (Secure Web Gateway)
A secure web gateway is a security product that sits between company employees and the Internet, inspects web traffic, protects company data, and enforces security policies (URL filtering, malware scanning, data loss prevention).
Initialisation vector
An initialization vector (IV) is a random or pseudo-random value used in cryptography to ensure that identical plaintexts encrypt to different ciphertexts
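Why the IV has to be fresh for every message is easiest to see by breaking a cipher that reuses one. The following added example (not from the original flashcards) builds a toy counter-mode stream cipher from HMAC-SHA256 so it runs with the Python standard library alone; it stands in for AES-CTR, and the failure mode is identical. With a constant IV the keystream repeats, so the XOR of two ciphertexts equals the XOR of the two plaintexts and knowing one message reveals the other; with a random IV per message that relationship disappears. The key, messages and the 16-byte IV length are constructed for the example.

```python
import hashlib
import hmac
import os

IV_LEN = 16


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR).
    Not a real cipher; used only so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Encrypt with a fresh random IV unless the caller (wrongly) pins one. Output is IV || ciphertext."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    return iv + xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return xor_bytes(ct, keystream(key, iv, len(ct)))


def xor_of_ciphertexts(blob1: bytes, blob2: bytes) -> bytes:
    """What an eavesdropper can compute without the key: C1 xor C2."""
    return xor_bytes(blob1[IV_LEN:], blob2[IV_LEN:])


def recover_second_plaintext(blob1: bytes, blob2: bytes, known_p1: bytes) -> bytes:
    """Under IV reuse, C1 xor C2 == P1 xor P2, so a known P1 reveals P2 directly."""
    return xor_bytes(xor_of_ciphertexts(blob1, blob2), known_p1)


if __name__ == "__main__":
    key = os.urandom(32)
    p1, p2 = b"ATTACK AT DAWN!", b"RETREAT AT DUSK"      # constructed, equal length
    fixed_iv = b"\x00" * IV_LEN                          # the mistake: a constant IV
    c1, c2 = encrypt(key, p1, fixed_iv), encrypt(key, p2, fixed_iv)
    print("reused IV :", recover_second_plaintext(c1, c2, p1))   # second message, no key needed
    r1, r2 = encrypt(key, p1), encrypt(key, p2)          # random IV per message
    print("random IV :", recover_second_plaintext(r1, r2, p1) == p2)
```

The same reasoning applies to any stream cipher or counter mode, including AES-GCM, where a repeated nonce additionally leaks the authentication key. The IV does not need to be secret, only unique under a given key.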
XDR
XDR is a technology that centralizes various security points, including EDR, network firewalls, identity and access management (IAM), cloud access security brokers (CASB), etc.
Deprovisioning
the process of deleting an employee’s access to your company’s systems, apps and internal data resources
PEAP
Protected Extensible Authentication Protocol (PEAP): PEAP is a version of Extensible Authentication Protocol (EAP) that encapsulates and encrypts the EAP data using a certificate stored on the server, making it more secure for Wireless Local Area Networks (WLANs).
802.1x
802.1X is a port-based network access control standard. A supplicant (the client) authenticates through an authenticator (a managed switch port or wireless access point) to an authentication server (usually RADIUS) using EAP; the port only passes normal traffic once authentication succeeds, so only authenticated users or devices get onto the network.
EAP-TLS
EAP-TLS is a specific, secure version of wireless authentication that requires a certificate stored on the endpoint (client or device) to verify identity and authorization.
EAP-TTLS
EAP-TTLS: EAP-TTLS uses two phases. The first is to set up a secure session with the server by creating a tunnel using certificates that are stored on the server, and seen by the client. The second is to authenticate the client’s credentials.
Threat Scope Reduction
Preventing threats before they manifest is a paramount goal in cybersecurity. This is where the concept of threat scope reduction enters the picture. By intentionally narrowing the potential attack surface, organizations can preemptively thwart possible avenues of exploitation. This involves strategies such as minimizing exposed services, reducing the attackable code base, and employing rigorous patch management. Through such proactive measures, the potential for breaches is significantly diminished.
Implicit Trust Zone
This refers to areas within a network or system where certain levels of trust are assumed without explicit verification. These zones are designed to simplify and expedite communication and interactions between components within those zones
Risk of shared tenancy
When utilizing public cloud services, "shared tenancy" comes into play. This concept refers to multiple customers sharing the same physical infrastructure, where each customer operates within their own isolated virtual environment. Isolation is enforced by the hypervisor and the provider's controls, so the residual risk is a flaw in that isolation, or a side-channel attack through shared hardware such as CPU caches, that lets another tenant infer or access a customer's data. Encrypting data with customer-managed keys limits what such a breach exposes.
RAID 6
RAID 6 stripes data across the set of hard disks or SSDs like RAID 5, but writes two independent parity blocks per stripe. It therefore needs at least four disks and tolerates two disk failures within the RAID set before any data is lost.
RAID 5
RAID 5 is one of the most widely used RAID levels. It requires at least three drives. Data blocks are striped across the drives and, for each stripe, one parity block (the XOR of that stripe's data blocks) is written; the parity rotates across all drives rather than living on a dedicated disk (a dedicated parity disk is RAID 4). The array survives one drive failure, because the missing block of every stripe can be recomputed by XORing the surviving blocks; a second failure before the rebuild finishes loses data.
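The parity arithmetic behind RAID 5 is simpler than it sounds, and an added example (not from the original flashcards) makes the rebuild visible. The code below lays out fixed-size blocks over N simulated disks with rotating parity, discards one disk entirely, rebuilds it from the survivors, and reads the data back. The block size, four-disk array and rotation scheme are assumptions chosen for the example; real controllers also handle partial writes, write holes and ordering, which are out of scope here.

```python
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the whole parity computation."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def raid5_layout(data_blocks, n_disks):
    """Place data blocks on n_disks with one parity block per stripe, parity rotating
    across disks. Returns disks[d][stripe] -> block."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    block_len = len(data_blocks[0])
    per_stripe = n_disks - 1
    stripes = []
    for i in range(0, len(data_blocks), per_stripe):
        chunk = list(data_blocks[i:i + per_stripe])
        chunk += [bytes(block_len)] * (per_stripe - len(chunk))   # zero-pad last stripe
        parity = xor_blocks(chunk)
        parity_disk = (i // per_stripe) % n_disks
        stripes.append(chunk[:parity_disk] + [parity] + chunk[parity_disk:])
    return [[stripe[d] for stripe in stripes] for d in range(n_disks)]


def raid5_rebuild(disks, failed):
    """Reconstruct every block of the failed disk from the survivors. XOR is its own
    inverse, so the same code rebuilds a lost data block or a lost parity block."""
    n_stripes = len(next(d for d in disks if d is not None))
    rebuilt = []
    for s in range(n_stripes):
        survivors = [disks[d][s] for d in range(len(disks)) if d != failed]
        rebuilt.append(xor_blocks(survivors))
    return rebuilt


def raid5_read(disks, n_data_blocks):
    """Return the original data blocks in order, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = []
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        out += [disks[d][s] for d in range(n_disks) if d != parity_disk]
    return out[:n_data_blocks]


def survives_single_failure(data_blocks, n_disks, failed):
    """Lose one disk, rebuild it, and check the data comes back intact."""
    disks = raid5_layout(data_blocks, n_disks)
    disks[failed] = None                    # the disk is gone
    disks[failed] = raid5_rebuild(disks, failed)
    return raid5_read(disks, len(data_blocks)) == list(data_blocks)


if __name__ == "__main__":
    data = [f"blk{i}".encode() for i in range(7)]       # constructed 4-byte blocks
    for d in range(4):
        print(f"disk {d} failed -> data intact:", survives_single_failure(data, 4, d))
```

Losing a second disk leaves each stripe with two unknowns and one equation, which is exactly why RAID 5 cannot recover from a double failure and RAID 6 adds a second, independent parity.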
Tabletop
A tabletop exercise is a valuable tool for testing your disaster recovery plan in a controlled setting. During this exercise, key stakeholders gather around a table to discuss and strategize how they would respond to a hypothetical disaster scenario. This exercise allows participants to identify gaps in their plan, refine communication channels, and assess decision-making processes. This exercise is the easiest to set up as it takes the least administrator effort as it is a paper-based exercise.
Controller Level (Level 1):
This level is responsible for the real-time control of the physical processes. It includes devices such as Programmable Logic Controllers (PLCs) that receive input from sensors on the plant floor, process the data, and send commands to actuators and other devices to control the industrial processes. Level 1 controllers ensure that the plant operates efficiently and safely.
SCADA level 0
Plant Level (Level 0): This is the lowest level in the SCADA system hierarchy. It includes the physical equipment and processes on the factory floor, such as sensors, actuators, motors, pumps, and other industrial devices. These devices gather data and perform actions as directed by the higher-level controllers.
SCADA level 2
Coordinating Computer Level (Level 2): At this level, there are supervisory computers or Human-Machine Interface (HMI) systems that provide a centralized view of the plant’s operations. They collect data from Level 1 controllers, display it to operators, and often include control functions for higher-level coordination. Operators can monitor the plant’s status, make adjustments, and respond to alarms and events.
SCADA level 3
Production Operations Level (Level 3): This level is responsible for managing and controlling the overall production process (PLCs themselves belong to Level 1). It often involves more advanced software systems that can coordinate multiple production lines or areas within the plant. Level 3 systems may also include functions such as recipe management, production scheduling, and data logging for analysis and reporting.
SCADA
Supervisory Control and Data Acquisition (SCADA) systems are sophisticated automated industrial control systems (ICS) that encompass various stages of production
WPA2
Wi-Fi Protected Access version 2 (WPA2): WPA2 is currently the most commonly used Wi-Fi security protocol. It uses AES in CCMP (Counter Mode with CBC-MAC Protocol) with 128-bit keys, providing both confidentiality and integrity for wireless frames and offering strong protection for wireless networks.
Data at rest
Data at rest is data that is not being used and is stored either on a hard drive, storage devices, files, or database servers. While it remains static until accessed, it is still susceptible to breaches if not adequately protected.
Data in transit
Data in transit is data on the move, traveling across networks or communication channels, for example the data transmitted during a purchase from a website. Such sessions are protected with Transport Layer Security (TLS); HTTPS is HTTP carried over TLS, and Secure Sockets Layer (SSL) is the deprecated predecessor of TLS.
Obfuscation methods
Obfuscation hides data without truly protecting it, and can involve various methods, including XOR (combining each byte with a key byte) and ROT13 (rotating each letter 13 places) for data masking. Neither is encryption: ROT13 has no key at all, and a repeating XOR key is recovered from a few bytes of known plaintext.
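To show why these count as obfuscation rather than encryption, here is an added example (not from the original flashcards) implementing both methods and then undoing them without any secret: ROT13 is its own inverse, and a repeating XOR key falls out of a known-plaintext comparison. The key, the message and the key length are constructed for the example.

```python
import string

_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase


def rot13(text: str) -> str:
    """Shift letters 13 places; applying it twice returns the original, so there is no key."""
    out = []
    for ch in text:
        if ch in _LOWER:
            out.append(_LOWER[(_LOWER.index(ch) + 13) % 26])
        elif ch in _UPPER:
            out.append(_UPPER[(_UPPER.index(ch) + 13) % 26])
        else:
            out.append(ch)                      # digits and punctuation pass through
    return "".join(out)


def xor_mask(data: bytes, key: bytes) -> bytes:
    """XOR each byte with a repeating key; the identical call unmasks."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(masked: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: key[i] = masked[i] xor plaintext[i] for each key position."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(masked[i] ^ known_plaintext[i] for i in range(key_len))


if __name__ == "__main__":
    print(rot13("Hello, World!"), "->", rot13(rot13("Hello, World!")))
    secret = b"password: hunter2"                       # constructed
    masked = xor_mask(secret, b"k3y")                    # constructed 3-byte key
    # An attacker who guesses the file starts with "password" gets the key back:
    key = recover_xor_key(masked, b"password", 3)
    print(key, xor_mask(masked, key))
```

Malware frequently uses exactly these tricks to hide strings and configuration from static analysis; the same known-plaintext approach (guessing a common header or keyword) is how analysts strip them.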
Operational control
Operational controls revolve around the execution of day-to-day activities and processes necessary for delivering goods and services.
Service restart
Shutting down or rebooting systems can disrupt legitimate user access to computing resources and hinder incident response and recovery efforts. Attackers might time their actions to coincide with an application restart, aiming to exploit potential lapses in security during the restart process.
Public key format
Public keys are normally distributed inside an X.509 certificate rather than on their own. Common file formats: .cer/.crt holds a single certificate (DER binary or PEM Base64 text); PKCS#7 (.p7b) is a bundle of one or more certificates, typically a chain, with no private key; PKCS#12 (.pfx/.p12) packages a certificate together with its private key and is password-protected. The certificate serves as a form of digital identity proof, much like a physical certificate (such as an award or diploma).
Record level encryption
Record-level encryption: Record-level encryption serves as a potent data-safeguarding technique by encrypting discrete records within databases or other data repositories. In this approach, each individual record is enveloped with its distinct encryption key, heightening the complexity of unauthorized attempts to breach the record’s sensitive contents
Volume level
BitLocker’s integration with the TPM introduces a robust layer of security, enhancing the process of volume-level encryption. By utilizing the TPM chip, BitLocker ensures the integrity of a system’s boot process and authentication mechanisms. This synergy establishes a twofold security approach: the TPM securely stores critical encryption keys, safeguarding them from tampering or extraction, while BitLocker encrypts the entire volume, thwarting unauthorized access to data.
TLS handshake
Handshake: The sender and receiver initiate a handshake, during which they agree on encryption parameters, exchange cryptographic keys, and authenticate each other’s identity.
Encryption: Once the handshake is complete, the actual data transmission begins. The data is encrypted using symmetric encryption keys, ensuring that only the authorized recipient possesses the means to decipher it.
Transmission: The encrypted data traverses the internet’s various networks and routers, shielding it from prying eyes and potential eavesdroppers.
Decryption: Upon reaching the intended recipient, the data is decrypted using the same symmetric key. This process ensures that only the recipient can access the original, meaningful information.
Symmetric algorithms
Examples of symmetric algorithms are the Data Encryption Standard (DES, 56-bit key, now broken), Triple DES (3DES, 168-bit key with 112 bits of effective strength, deprecated by NIST), and the more widely used Advanced Encryption Standard (AES, with 128-, 192- or 256-bit keys). AES operates on 128-bit blocks, twice the 64-bit block size of DES and 3DES. AES was selected as the new encryption standard by the US National Institute of Standards and Technology (NIST) in 2001.
Key stretching
Key stretching is a cryptographic technique that turns a password into a longer, more uniform key by running it through a deliberately slow, salted function many thousands of times (PBKDF2, bcrypt, scrypt, Argon2). The cost is negligible for one legitimate login but multiplies the work of every guess an attacker makes against a stolen hash.
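An added example (not from the original flashcards) of key stretching with PBKDF2-HMAC-SHA256 from the Python standard library: it stores a self-describing record with the salt and iteration count, verifies with a constant-time comparison, and measures what one guess costs. The record format, the 600,000 default (OWASP's published figure for PBKDF2-SHA256) and the 16-byte salt length are assumptions for this example; in production prefer Argon2id where a library is available.

```python
import hashlib
import hmac
import os
import time

ALGO = "sha256"
DEFAULT_ITERATIONS = 600_000     # assumed default; raise it as hardware gets faster
SALT_LEN = 16


def stretch(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS, dklen: int = 32) -> bytes:
    """Derive a dklen-byte key from a password. Same password+salt+iterations -> same key."""
    return hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations, dklen)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt$derived-key (salt and key in hex).
    A fresh random salt means two users with the same password get different records."""
    salt = os.urandom(SALT_LEN)
    dk = stretch(password, salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != f"pbkdf2_{ALGO}":
        return False
    candidate = stretch(password, bytes.fromhex(salt_hex), int(iterations), len(dk_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def cost_seconds(iterations: int) -> float:
    """Wall-clock cost of a single derivation, i.e. of one attacker guess, on this machine."""
    t0 = time.perf_counter()
    stretch("benchmark", b"\x00" * SALT_LEN, iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("valid:", verify_password("correct horse battery staple", record))
    print("wrong:", verify_password("Tr0ub4dor&3", record))
    print(f"one guess at {DEFAULT_ITERATIONS} iterations: {cost_seconds(DEFAULT_ITERATIONS):.3f}s")
```

Storing the iteration count in the record is what lets you raise the work factor later and transparently re-hash a user's password the next time they log in.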
Online/ offline CAs
An online CA is connected to the network and issues, renews, and revokes certificates on demand, matching the pace of day-to-day operations. An offline CA, typically the root of the hierarchy, is kept disconnected and powered down except when it signs a subordinate CA's certificate or a new CRL, so that the key everything else trusts is beyond the reach of online attackers.
Third party certification
Third-party certificates are like online IDs. They are issued by CAs, who verify that a website or service is genuine. Unlike self-signed certificates, which only the issuer itself trusts, these certificates chain to roots that browsers and operating systems already trust, so they are recognized globally. If you trade on the internet, you need trusted third-party certificates on your website. Some examples of third parties that sell certificates are DigiCert, GlobalSign, GeoTrust, and Thawte.
Threat actors
Threat actors are typically classed as internal or external. An internal attacker launches their attack from inside the company, while an external attacker launches their attack from outside of the company.
Resources/funding
The extent of resources and funding at the disposal of threat actors is a pivotal determinant of their capability. Well-financed threat actors such as state-sponsored groups or organized cybercrime syndicates command a formidable array of tools and expertise, enabling intricate, multi-stage attacks that can exploit even minor vulnerabilities.
reflected
Reflected: In a reflected (often amplified) DDoS attack, the attacker spoofs the victim's IP address as the source of requests sent to third-party servers such as open DNS or NTP resolvers. Those servers send their replies, frequently many times larger than the requests, to the victim, and the combined flood consumes the victim's entire bandwidth.
Pass the hash attack
A pass-the-hash attack abuses NTLM authentication. NTLM proves possession of the NT hash (the MD4 digest of the UTF-16LE password) rather than the password itself, so an attacker who dumps that hash from a compromised host (for example from LSASS memory or the SAM database) can authenticate to other systems as that user without ever cracking it. Rainbow tables and tools such as hashcat recover passwords from hashes; pass-the-hash needs neither. The technique is not confined to Windows NT 4.0: it works anywhere NTLM is still accepted, and defenses include disabling NTLM in favour of Kerberos, Credential Guard, unique local administrator passwords (LAPS), and limiting where privileged accounts log on.
Network Access Control
Network Access Control (NAC)
NAC ensures that every remote device is fully patched so that they are not vulnerable to attacks
Secure Cookie
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol.
Fuzzing
Fuzzing, or fuzz testing, involves inputting massive amounts of random data, or “fuzz,” into a software program to uncover security vulnerabilities and bugs.
SASE
Secure Access Service Edge (SASE) is a cloud-native security architecture that combines network security functions with WAN capabilities to provide improved performance and flexibility for remote users and branch offices, making it an ideal solution for the organization.
Technical debt
In the rush to automate security operations, organizations may resort to quick fixes, such as easy-to-implement automation, that accumulate technical debt over time. Technical debt refers to the extra time it will take to compensate for issues that arise when shortcuts are taken or when automation is implemented without considering long-term maintainability
TCP/IP handshake
SYN: The sender sends a synchronize (SYN) packet conveying the sequence number of the next packet.
SYN-ACK: The receiver responds with an acknowledgement (SYN-ACK).
ACK: The sender sends an ACK packet to confirm receipt.
SAE
Simultaneous Authentication of Equals (SAE): SAE is a password-based authentication and key establishment protocol that provides stronger security compared to previous methods used in WPA2.
Simple Network Management Protocol port number
162
MITRE ATT&CK framework
Adversarial: This looks at the behavior of potential attackers according to the group to which they are sorted. An example of an adversarial would be APT28, which was a Russian government-funded cyber group that allegedly interfered with the US election in 2016 and carried out a six-month campaign against the German parliament in 2014.
Tactics: This is the medium by which the attack will be carried out. For instance, if your network is the target of some form of phishing attack, you could review phishing attack tactics in the framework, which will explain how they are launched.
Techniques: These are a breakdown of the actual processes of how an attack will be launched. For a drive-by compromise, for example, the framework provides an article describing the different processes and techniques that go into the targeting of the user’s web browser.
SCADA
Plant Level (Level 0): This is the lowest level in the SCADA system hierarchy. It includes the physical equipment and processes on the factory floor, such as sensors, actuators, motors, pumps, and other industrial devices. These devices gather data and perform actions as directed by the higher-level controllers.
Controller Level (Level 1): This level is responsible for the real-time control of the physical processes. It includes devices such as Programmable Logic Controllers (PLCs) that receive input from sensors on the plant floor, process the data, and send commands to actuators and other devices to control the industrial processes. Level 1 controllers ensure that the plant operates efficiently and safely.
Coordinating Computer Level (Level 2): At this level, there are supervisory computers or Human-Machine Interface (HMI) systems that provide a centralized view of the plant’s operations. They collect data from Level 1 controllers, display it to operators, and often include control functions for higher-level coordination. Operators can monitor the plant’s status, make adjustments, and respond to alarms and events.
Program Logic Controller Level (Level 3): This level is responsible for managing and controlling the overall production process. It often involves more advanced software systems that can coordinate multiple production lines or areas within the plant. Level 3 systems may also include functions such as recipe management, production scheduling, and data logging for analysis and reporting.
Address Resolution Protocol (ARP):
When connections are made to a switch, each port is allocated to a MAC address. The ARP protocol is used to map an IP address to a MAC address.
What is Nessus
A remote scanning tool that can identify vulnerabilities that hackers can exploit
Forgery
Forgery attacks manipulate data (often through the creation of falsified tokens or requests) with the goal of impersonating legitimate users or applications.
Password Spraying
Instead of checking every single combination, sprayers focus on a few common usernames (such as admin, root, or user) and try a list of common passwords (such as 123456, password, password123, letmein, and changeme). You can prevent password spraying by implementing strong password policies, MFA, and monitoring systems for unusual login patterns.
WEP
Wired equivalent privacy (WEP): WEP’s key management is an outdated protocol that was problematic due to insufficient security. The encryption keys used only a 64-bit encryption key with the RC4 stream cipher to protect data, leaving them vulnerable to attacks. WEP used a 24-bit initialization vector (IV) to help encrypt data packets. However, the IVs were reused, which made it relatively easy for attackers to predict and crack the encryption keys.
Stateless Firewalls
A stateless firewall is one that doesn’t store information about the current state of a network connection. Instead, it evaluates each packet individually and attempts to determine whether it is authorized or unauthorized based on the data that it contains.
PEAP
Protected Extensible Authentication Protocol (PEAP): PEAP is a version of Extensible Authentication Protocol (EAP) that encapsulates and encrypts the EAP data using a certificate stored on the server, making it more secure for Wireless Local Area Networks (WLANs).
DNS sinkhole
A DNS sinkhole identifies known malicious domains and ingeniously sends back false information to potential attackers, preventing them from launching an attack.
DNSSEC
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records
MAC filtering
MAC filtering secures the network by ensuring that only an approved user’s MAC address is added to the wireless access point.
Typosquatting
Typosquatting: Typosquatting exploits typing errors. Cyber attackers register domains that bear great similarity to legitimate domain names with minor changes such as spelling errors or missing symbols
Watering hole
Compromising websites for targeted attacks
Certificate authority (CA) compromise
The digital world relies on CAs to issue digital certificates. If a CA is compromised, attackers can generate fraudulent certificates, leading to the interception of encrypted communications and the potential for widespread
IMAP
The Internet Message Access Protocol, also known as IMAP, is a protocol for receiving emails from a server. Since IMAP allows access to emails from multiple locations simultaneously, it keeps the email on the server after it has been delivered. Also, it doesn’t download the entire email until the recipient opens it.
Currently, the 4th version of the IMAP protocol is in use, and it is one of the most used protocols for email receiving
POP3
Post Office Protocol is a more user-friendly method of accessing mailboxes. Version 3 is the most widely used version of this standard, and it is popular among users due to its low reliance on Internet connections. POP3 transfers emails from the server to the client, allowing you to read them even if you are not connected to the internet
SMTP
Port number: 587. SMTP (Simple Mail Transfer Protocol) is a widely used TCP protocol for email sending. The SMTP protocol is mainly used by clients to send emails to servers or for email communications between servers.
There are 2 types of SMTP servers: Relays and Receivers. Relays accept emails from users and route them to recipients, while Receivers deliver them to the mailbox after accepting the email from the Relay servers
L2TP/IPsec
L2TP is a virtual private network (VPN) protocol that creates a connection between your device and a VPN server without encrypting your content. Due to its lack of encryption and authentication, L2TP is usually paired with the Internet Protocol Security (IPsec) protocol.
IPsec tunnel mode
This is the mode in which a user creates a VPN session from a remote location. During tunnel mode, the AH and ESP are both encrypted. Authentication methods include certificates, Kerberos authentication, and pre-shared keys.
IPsec always-on mode
This mode is applied during the creation of a site-to-site VPN, the purpose of which is to build a point-to-point connection between two sites in possession of their own VPNs. The session is set to always on to ensure the connection is available all the time. While a site-to-site VPN is active, both the AH and the ESP are encrypted.
IPsec transport mode
This mode is used during the creation of an IPSec tunnel with an internal network using client/server-to-server communication. During transport mode, only the ESP is encrypted.
POP
E-mail protocol that allows e-mail clients to communicate with e-mail servers. POP provides only one-way communication
imap
E-mail protocol used by e-mail clients to communicate with e-mail servers. Provides two way communication unlike POP.
Generators’ purpose
Generators are backup power sources during prolonged outages and are not designed for the continuous, fine-grained power control needed in data center environments.
active/active load balancer
In an active/active load balancer configuration, load balancers function together as a dynamic array, actively managing incoming traffic. The configuration can include multiple load balancers, and there must be at least two. They not only distribute traffic but also cache requests for enhanced efficiency.
quorum disk
The quorum disk is a shared storage resource that members of the cluster share. It acts as a neutral arbiter, storing critical configuration and state information that both the active and passive nodes access
Geographic dispersion
Geographic dispersion involves the strategic distribution of data centers, servers, and critical infrastructure across different geographical locations, often separated by significant distances.
On-site backup
On-site backups involve storing copies of your essential data within your physical premises, providing swift access when needed.
Witness server
Witness Server: Adding an additional layer of reliability, the witness server is an impartial entity that assists in determining the state of the cluster. The witness server helps prevent split-brain scenarios and ensures that the cluster operates smoothly.
Uninterruptible Power Supply
Uninterruptible Power Supply (UPS): A UPS is an electrical device used to provide backup power to connected equipment or devices during power outages or fluctuations in the electrical supply. It is designed to keep the system going only for a few minutes to allow the server team to close the servers down gracefully.
Power Distribution Units (PDUs)
PDUs serve as a frontline defense, effectively mitigating power spikes, blackouts, and brownouts to safeguard your critical equipment and data. Their primary function is to maintain a balanced distribution of power, guard against the perils of overload and overheating, and thereby enhance the safety and longevity of connected equipment
SNMP
SNMP is a widely used protocol for network management. It operates with a key component known as the Management Information Base (MIB), which is essentially a database of network information. The TRAP agent is the component in SNMP responsible for sending messages.
161/162 port
TCP/UDP
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are both Transport Layer protocols. TCP is a connection-oriented protocol, whereas UDP is a part of the Internet Protocol suite, referred to as the UDP/IP suite. Unlike TCP, it is an unreliable and connectionless protocol.
Elliptic Curve Cryptography (ECC)
• ECC is based on the algebraic structure of elliptic curves over finite fields.
• It provides the same level of security as traditional algorithms like RSA but with much smaller key sizes, which results in faster computations and reduced storage requirements.
ECDHE
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a key exchange algorithm that allows two parties to establish a shared secret over an insecure communication channel
ECDHE
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
• Purpose: Used for key exchange.
• Function: Establishes a secure, shared secret between two parties over an insecure channel without pre-shared keys. The “ephemeral” aspect means that it generates a temporary key for each session, enhancing security.
• Performance: Provides perfect forward secrecy (PFS), meaning even if the server’s private key is compromised, past sessions remain secure.
• Usage: Often used in SSL/TLS to securely exchange keys for establishing an encrypted session.
ECDSA vs ECDHE
Purpose: ECDSA is used to verify the authenticity of data or messages.
Purpose: ECDHE is used to securely exchange encryption keys between two parties.
SNMP trap
SNMP TRAP agents play a crucial role in network surveillance, helping maintain the security and integrity of network devices
Attestation and acknowledgment
Confirming compliance and recognizing it
RAID 0
RAID 0 (disk striping) is the process of dividing a body of data into blocks and spreading the data blocks across multiple storage devices, such as hard disks or solid-state drives (SSDs), in a redundant array of independent disks group.
RAID 6
RAID 6 is a storage configuration that provides redundancy and fault tolerance using a dual parity method. It is also known as disk striping with double parity.
requires 4 disks
Disk Striping
Disk striping is the process of dividing a body of data into blocks and spreading the data blocks across multiple storage devices.
RAID 5
a redundant array of independent disks configuration that uses disk striping with parity
requires 3 disks
RAID levels
RAID 0 (striping), RAID 1 (mirroring) and its variants, RAID 5 (distributed parity), and RAID 6 (dual parity).
Business impact analysis
BIA is carried out by an auditor with the objective of identifying a single point of failure. The
Pulping
This means turning the paper waste into pulp and is like making papier-mâché.
Packet monitoring
A package typically refers to a software component or module that is used within an application
Information-sharing organizations
Information-Sharing Organizations (ISOs) are collaborative platforms on which cybersecurity practitioners, experts, government agencies, and private-sector entities conver
System monitors
Systems refers to the servers, workstations, and endpoints that make up an organization’s network. Monitoring systems involves keeping a vigilant eye on their performance metrics, such as CPU usage, memory utilization, and network traffic. By establishing baselines and thresholds, security teams can detect anomalies that might indicate a security breach or system failure.
SNMP agents
SNMP agents are software modules or processes running on network devices, such as routers, switches, servers, and even IoT devices.
SNMP managers
SNMP managers are centralized systems responsible for monitoring and managing network devices. They initiate SNMP requests to gather information from SNMP agents and can also configure and control devices. Managers use SNMP protocol operations such as GET, SET, and GETNEXT to retrieve or modify information stored in the Management Information Base (MIB), which stores information about devices on the network.
SNMP Traps
SNMP traps are asynchronous notifications sent by SNMP agents to SNMP managers without a prior request. They are used to inform managers of specific events or conditions
Secure copy protocol
Port 22. Secure Copy Protocol (SCP) is a network protocol that supports the transfer of files between hosts on a network. It is built on the Secure Shell (SSH) protocol, providing encryption and authentication to ensure the confidentiality and integrity of data during transmission.
policy admin
Policy administrator: The policy administrator executes the decisions made by the policy engine to control access to the network. They issue access tokens and can communicate with the data plane.
Active devices
Active devices are a proactive force within your network security arsenal. They actively intervene and act when potential threats are detected. These devices can block or mitigate threats in real time, helping to maintain the integrity and security of your network.
Passive Devices
Passive devices are observers. They monitor network traffic, analyze patterns, and provide insights into potential threats and vulnerabilities.
White Team
A white team is a group of IT specialists tasked with overseeing red vs blue exercises
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of extensions to DNS (Domain Name System) that adds a layer of security to the domain name resolution process
DNS port
53
POP3 port
995
IMAP
993
SMTP SSL port
465
AD HOC
Ad hoc assessments are sporadic and arise in response to specific events or perceived threats. This type of assessment is tailored to focus on the immediate dangers and is characterized by its flexibility and swift implementation.
One Time
One-time assessments are conducted for specific scenarios or projects, often at the inception of a new venture, system implementation, or organizational change. This approach provides a detailed one-time view of the risks associated with a particular endeavor.
Global
Global: Worldwide data protection regulations
PEM
Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates
DMARC
DMARC is a robust email security protocol that empowers domain owners to precisely dictate the actions taken when their emails fail authentication tes
DKIM
DKIM is an email authentication method that enables a sender to digitally sign their email messages. These signatures are then validated by the recipient’s email server to confirm the message’s authenticity. This way, DKIM pr
SPF
Sender Policy Framework (SPF): SPF is another email authentication mechanism. It checks whether the sender’s IP address is authorized to send mail on behalf of a particular domain. Each sender needs to create a DNS text (TXT) record for their domain.
SWG
A Secure Web Gateway (SWG) protects an organization from online security threats and infections by enforcing company policy and filtering Internet-bound traffic.
IMAP
143/993
POP
Post Office Protocol (POP) is used for retrieving emails from a remote email server.
Port 110
995
Email ports
1. SMTP (Simple Mail Transfer Protocol)
• Port 587: Used for SMTP with STARTTLS encryption (modern standard for email submission).
• Port 465: Used for SMTP over SSL (SMTPS).
2. POP3 (Post Office Protocol 3)
• Port 110: Standard port for POP3 without encryption.
• Port 995: Used for POP3 over SSL/TLS (encrypted POP3).
3. IMAP (Internet Message Access Protocol)
• Port 143: Standard port for IMAP without encryption.
• Port 993: Used for IMAP over SSL/TLS (encrypted IMAP).
POP
993
IMAP
995
Email ports
POP: 993
IMAP: 995
SMTP: 587