Domain 7 Flash Cards
Allowed/Blocked listing
register of entities that are allowed (or blocked) for a particular privilege, service, mobility, access or recognition, including web, IP, geo, hardware address, and files/programs; entities on the allowed list will be accepted, approved and/or recognized; formerly known as whitelist/blacklist (deprecated terms); systems can also alert IT security personnel when an access attempt involves a resource not on a pre-approved list; can also incorporate anti-malware
Alternate site
contingency or Continuity of Operations (COOP) site used to assume system or org operations, if the primary site is not available
Backup
copies of files or programs to facilitate recovery
Baseline
total inventory of all of a system’s components (e.g. hardware, software, data, admin controls, documentation, user instruction); types of baselines include enumerated (which are inventory lists, generated by system cataloging, discovery or enumeration), build security (minimal set of security controls for each CI, see below), modification/update/patch baselines (subsets of total system baseline), or configuration baseline (which should include a revision/version identifier associated with each CI)
Bastion host
a special-purpose computer on a network specifically designed and configured to withstand attacks; it is typically placed in a demilitarized zone (DMZ) or exposed network segment, and its primary function is to act as a gateway between an internal network and external, potentially untrusted networks (like the internet); key characteristics of a Bastion host include:
Hardened security: minimizing the number of running services and apps, which reduces the potential attack surface; Publicly accessible: exposed to the internet or untrusted network, acting as the first point of contact for external users; Logging and monitoring: includes extensive logging and monitoring to detect suspicious activity; Limited network access: typically has limited access to the internal network
Change management
A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.
Clipping
one of two main methods of choosing records from a large pool for further analysis; clipping uses threshold values to select those records exceeding a predefined threshold (also see sampling)
Configuration management (CM)
A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).
Configuration Item (CI)
aggregation of information system components designated for configuration management and treated as a single entity in the config management process
Cyber forensics
gathering, retaining, analyzing data for investigative purposes, while maintaining the integrity of that data
Disruption
unplanned event that causes a system to be inoperable for a length of time
DPI (Deep Packet Inspection)
a method used by firewalls and other network security devices to examine the data portion (or payload) of packets as they pass through the firewall; DPI goes beyond traditional packet filtering by not only inspecting the header information (such as source/destination IP addresses and port numbers) but also analyzing the content within the packet to identify and respond to security threats
Egress monitoring
monitoring the flow of info out of an org’s boundaries
Entitlement
refers to the privilege granted to users when an account is first provisioned
Entity
any form of a user including hardware device, software daemon, task, processing thread or human, which is attempting to use or access system resources; e.g. endpoint devices are entities that human (or non-human) users use to access a system; should be subject to access control and accounting
Event
observable occurrence in a network or system
Hackback
actions taken by a victim of hacking to compromise the systems of the alleged attacker
Heuristics
method of machine learning which identifies patterns of acceptable activity, so that deviations from the patterns will be identified
Honeypots/honeynets
Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets.
Incident
an event which potentially or actually jeopardizes the CIA of an information system or the info the system processes, stores, transmits
Indicator
technical artifact or observable occurrence suggesting that an attack is imminent, currently underway, or has already occurred
Indicators of Compromise (IoC)
a signal that an intrusion, malware, or other predefined hostile or hazardous set of events has occurred or is occurring
Information Security Continuous Monitoring (ISCM)
maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions; ongoing monitoring sufficient to ensure and assure effectiveness of security controls
Information Sharing and Analysis Center (ISAC)
entity or collab created for the purposes of analyzing critical cyber and related info to better understand security problems and interdependencies to ensure CIA
Intrusion detection system (IDS)
A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.
Intrusion Prevention System (IPS)
A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.
Job rotation
The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.
Least privilege
The practice of only granting a user the minimal permissions necessary to perform their explicit job function.
Log
record of actions/events that have taken place on a system
Media
Any object that contains data; bounded media includes Ethernet, fibre, and coax; unbounded media is wireless.
Motion detector types
wave pattern motion detectors transmit ultrasonic or microwave signals into the monitored area, watching for changes in the returned signals bouncing off objects; infrared heat-based detectors watch for unusual heat patterns; capacitance detectors work based on electromagnetic fields
Mean time between failures (MTBF)
an estimation of the time between the first and any subsequent failures
Mean time to failure (MTTF)
the expected typical functional lifetime of the device given a specific operating environment
Mean time to repair (MTTR)
the average length of time required to perform a repair on the device
Need to know
Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.
Netflow
data that contains info on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity
Parity bits
RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives
Patch
An update or fix for an IT asset, used to remediate a vulnerability.
Precursor
signal from events suggesting a possible change of conditions, that may alter the current threat landscape
Regression testing
testing of a system to ascertain whether recently approved modifications have changed its performance, or if other approved functions have introduced unauthorized behaviors
Request For Change (RFC)
documentation of a proposed change in support of change management activities
Root Cause Analysis
principle-based systems approach for the identification of underlying causes associated with a particular risk set or incidents
RTBH (Remote Triggered Black Hole)
a network security technique used in conjunction with firewalls and routers to mitigate Distributed Denial of Service (DDoS) attacks or unwanted traffic by dropping malicious or unwanted traffic before it reaches the target network; RTBH works by creating a “black hole route”, where packets destined for a specific IP address are discarded or “dropped” by the network equipment, effectively isolating malicious traffic
Sandboxing
An isolated test environment that simulates the production environment but will not affect production components/data.
Separation of duties
The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.
Striping
RAID technique; writing a data set across multiple drives.
Sampling
one of two main methods of choosing records from a large pool for further analysis; sampling uses statistical techniques to choose a sample that is representative of the entire pool (also see clipping)
System Center Configuration Manager (SCCM)
is a Microsoft systems management software product that provides the capability to manage large groups of computers providing remote control, patch management, software distribution, operating system deployment, and hardware and software inventory
Security Incident
Any attempt to undermine the security of an org or violation of a security policy is a security incident
Secure Web Gateway (SWG)
a security solution that filters and monitors internet traffic for orgs, ensuring that users can securely access the web while blocking malicious sites, preventing data leaks, and enforcing web browsing policies; while it is not a traditional firewall, it complements firewall functionality by focusing specifically on web traffic security
TCP Wrappers
a host-based network access control system used in Unix-like operating systems to filter incoming connections to network services; allows administrators to define which IP addresses or hostnames are allowed or denied access to certain network services, such as SSH, FTP, or SMTP, by controlling access based on incoming TCP connections; TCP Wrappers relies on two config files: /etc/hosts.allow, and /etc/hosts.deny
Trusted Computing Base (TCB)
the collection of all hardware, software, and firmware components within an architecture that is specifically responsible for security and the isolation of objects that forms a trusted base
TCB is a term that is usually associated with security kernels and the reference monitor; a trusted base enforces the security policy; a security perimeter is the imaginary boundary that separates the TCB from the rest of the system; TCB components communicate with non-TCB components using trusted paths; the reference monitor is the logical part of the TCB that confirms whether a subject has the right to use a resource prior to granting access; the security kernel is the collection of the TCB components that implement the functionality of the reference monitor
Tuple
tuple usually refers to a collection of values that represent specific attributes of a network connection or packet; these values are used to uniquely identify and manage network flows, as part of a state table or rule set in a firewall; as an example, a 5-tuple is a bundle of five values that identify a specific connection or network session, which might include the source IP address, source port number, destination IP address, destination port number, and the specific protocol in use (e.g. TCP or UDP)
Uninterruptible power supplies (UPS)
Batteries that provide temporary, immediate power during times when utility service is interrupted.
ActiveX Data Objects (ADO)
Capability
View-Based access controls
access control that allows the database to be logically divided into components like records, fields, or groups allowing sensitive data to be hidden from non-authorized users; admins can set up views by user type, allowing only access to assigned views