Essential Knowledge Flashcards
OSI Layers
Application, Presentation, Session, Transport, Network, Data Link, Physical
Which OSI Layer? FTP,HTTP,SMTP
Application Layer
Which OSI Layer? AFP, NCP, MIME
Presentation Layer
Which OSI Layer? X.225, SCP, ZIP (AppleTalk Zone Information Protocol)
Session Layer
Which OSI Layer? TCP, UDP
Transport Layer
Which OSI Layer? IP
Network Layer
Which OSI Layer? ARP, CDP, PPP
Data Link Layer
Which OSI Layer? USB Standards, Bluetooth
Physical Layer
PDU at the Application, Presentation, Session Layers?
Data
PDU at the Transport Layer?
Segment
PDU at the Network Layer?
Packet
PDU at the Physical Layer?
Bit
OSI Application, Presentation and Session layers map to which layer of the TCP/IP model?
Application Layer
OSI Transport layer maps to which layer of the TCP/IP model?
Transport Layer
OSI Network layer maps to which layer of the TCP/IP model?
Internet Layer
OSI Data Link and Physical layers map to which layer of the TCP/IP model?
Network Access Layer
TCP three-way handshake consists of?
SYN, SYN-ACK, and ACK segments
The PDU of UDP (a connectionless transport protocol) is called a?
Datagram
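An added example (not from the flashcards) tying the PDU cards and the handshake card together: it builds an Ethernet frame carrying an IPv4 packet carrying a TCP segment, dissects it back into the fields that belong to each layer, and checks that three constructed segments form a valid SYN, SYN-ACK, ACK exchange (sequence and acknowledgment numbers included). The MAC addresses, IP addresses, ports and sequence numbers are assumptions made for the example.

```python
import socket
import struct

# Added example (not part of the flashcards): build one Ethernet frame that
# carries an IPv4 packet that carries a TCP segment, then peel the PDUs off
# again. MAC addresses, IPs, ports and sequence numbers are constructed.

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
ETH_P_IP, IPPROTO_TCP = 0x0800, 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Encapsulate: data -> segment (TCP) -> packet (IPv4) -> frame (Ethernet)."""
    segment = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4,  # data offset = 5 words, no TCP options
                          flags, 65535, 0, 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    frame_hdr = struct.pack("!6s6sH", bytes.fromhex("66778899aabb"),
                            bytes.fromhex("001122334455"), ETH_P_IP)
    return frame_hdr + header + segment


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def dissect(frame: bytes) -> dict:
    """Return the header fields that belong to each layer, named by its PDU."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        raise ValueError("only IPv4 is handled here")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:  # a valid header sums to zero with its checksum
        raise ValueError("bad IPv4 header checksum")
    (_, _, total_len, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != IPPROTO_TCP:
        raise ValueError("only TCP is handled here")
    tcp_start = 14 + ihl
    (sport, dport, seq, ack, doff, flags,
     _, _, _) = struct.unpack("!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    payload = frame[tcp_start + (doff >> 4) * 4:14 + total_len]
    return {
        "data_link": {"pdu": "frame", "src": _mac(src_mac), "dst": _mac(dst_mac)},
        "network": {"pdu": "packet", "src": socket.inet_ntoa(src),
                    "dst": socket.inet_ntoa(dst), "ttl": ttl, "protocol": proto},
        "transport": {"pdu": "segment", "sport": sport, "dport": dport,
                      "seq": seq, "ack": ack,
                      "flags": [n for n, bit in TCP_FLAGS if flags & bit]},
        "application": {"pdu": "data", "payload": payload},
    }


def handshake_steps(frames) -> list:
    """Name each segment's role in the three-way handshake from its flag set."""
    names = {frozenset({"SYN"}): "SYN", frozenset({"SYN", "ACK"}): "SYN-ACK",
             frozenset({"ACK"}): "ACK"}
    return [names.get(frozenset(dissect(f)["transport"]["flags"]), "other")
            for f in frames]


def is_valid_handshake(frames) -> bool:
    """SYN, SYN-ACK, ACK in order, each acknowledging the peer's ISN + 1."""
    if handshake_steps(frames) != ["SYN", "SYN-ACK", "ACK"]:
        return False
    syn, synack, ack = (dissect(f)["transport"] for f in frames)
    return (synack["ack"] == syn["seq"] + 1
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)


# Constructed handshake: client 10.0.0.5:40000 -> server 10.0.0.80:80
HANDSHAKE = [
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, seq=1000, ack=0, flags=0x02),
    build_frame("10.0.0.80", "10.0.0.5", 80, 40000, seq=5000, ack=1001, flags=0x12),
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, seq=1001, ack=5001, flags=0x10),
]
```

Feed `dissect` a frame and each key of the result is one OSI layer with its PDU name; `is_valid_handshake` is the same check an IDS performs when it distinguishes a completed connection from a half-open SYN scan.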
A demilitarized zone or DMZ is also called a?
Screened Subnet
A restricted zone that strictly controls direct access from uncontrolled zones such as the Internet.
Production Network Zone
A controlled zone with few or no heavy restrictions.
Intranet Zone
A highly secure zone with very strict policies, used to manage the infrastructure.
Management Zone
A published standard used by organizations worldwide that captures the principal characteristics of a vulnerability and produces a numerical score (0.0 to 10.0) reflecting its severity. In CVSS v3.x the score maps to a qualitative rating: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) or Critical (9.0-10.0).
Common Vulnerability Scoring System (CVSS)
A method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance.
Security Content Automation Protocol (SCAP)
Categories of vulnerabilities.
Misconfiguration, Default Installations, Buffer Overflows, Missing Patches, Design Flaws, Operating System Flaws, Application Flaws, Open Services, Default Passwords
Example vulnerability management tools
Nessus, Qualys, GFI LanGuard, Nikto, OpenVAS, Retina CS
Triangle model whereby an increase in one angle decreases the other two angles.
Security, Functionality and Usability Triangle.
Hack Value
Notion used by hackers to express that something is worth doing or is interesting. This is something that hackers often feel intuitively about a problem or solution. An aspect of hack value is performing feats for the sake of showing that they can be done, even if others think it is difficult.
Zero-day attack
An attack that exploits a vulnerability before it is publicly known and before the vendor has released a patch for it, so defenders have had zero days to react.
Vulnerability
The existence of a weakness, design flaw or implementation error that can lead to an unexpected and undesirable event compromising the security of a system.
Payload
Malicious content that is acted upon and executed by a system.
Daisy-Chaining
Process where a hacker gains entry into a computer or network and then uses it to gain access to another.
Doxing
The process of searching for and publishing private information about a target (usually an individual) on the Internet, typically with malicious intent.
Threat Modeling
Consists of: Identify Security Objectives, Application Overview, Decompose Application, Identify Threats and Identify Vulnerabilities
Enterprise Information Security Architecture (EISA)
Collection of requirements and processes that help determine how an organization’s information systems are built and how they work.
Risk Management Approach
Mitigate (reduce likelihood or impact), Eliminate (avoid the activity that carries the risk), Transfer (e.g., through insurance) or Accept
Risk Management Phases
Risk Identification, Risk Assessment, Risk Treatment, Risk Tracking and Risk Review
Security Control categories
Physical, Technical and Administrative
Security Control types
Preventive, detective, and corrective.
Business Impact Analysis (BIA)
An organized process to gauge the potential effects of an interruption to critical business operations as a result of disaster, accident or emergency.
A Business Impact Analysis should measure what?
Maximum tolerable downtime (MTD) for each asset or process, which helps to prioritize the recovery of assets.
Disaster Recovery Plan
Addresses exactly what to do to recover any lost data or services.
Annualized Loss Expectancy (ALE)
Measurement of the monetary loss that can be expected for an asset due to a risk over a one-year period. ALE is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as ALE = ARO × SLE.
Annual Rate of Occurrence (ARO)
An estimate of how many times per year a particular threat is expected to occur against an asset (a loss or downtime event).
Single Loss Expectancy (SLE)
The monetary loss expected from a single occurrence of a risk against an asset. Mathematically expressed as SLE = asset value (AV) × exposure factor (EF).
Exposure Factor (EF)
The fraction of the asset's value lost in a single incident. If an asset's value (AV) is reduced by two thirds, the exposure factor is about 0.67; if the asset is completely lost, the EF is 1.0.
User Behavior Analytics (UBA)
The process of tracking user behavior, building a baseline of what is normal for each user and flagging deviations that may indicate malicious activity, attacks or fraud. Behavior-based intrusion detection systems apply the same idea at the network or host level.
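An added example (not from the flashcards) of the idea behind UBA: a per-user baseline (hosts, source subnets and hours of day of successful logins) is learned from one batch of constructed authentication events, and a later batch is checked against it, also flagging a success that follows a burst of failures. The log format, user names, hosts and addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Added example (not from the flashcards): a minimal behaviour baseline learned
# from constructed authentication events, then applied to a later batch.
# The log format, user names, hosts and addresses are all assumptions.

FAILURE_THRESHOLD = 3

BASELINE_LOG = """\
2024-03-04T08:55:12 alice LOGIN host=ws-12 src=10.1.4.20 ok
2024-03-05T09:02:44 alice LOGIN host=ws-12 src=10.1.4.20 ok
2024-03-06T08:49:30 alice LOGIN host=ws-12 src=10.1.4.21 ok
2024-03-07T09:10:03 alice LOGIN host=jump-01 src=10.1.4.20 ok
2024-03-04T10:05:51 bob LOGIN host=ws-07 src=10.1.4.33 ok
2024-03-06T09:48:17 bob LOGIN host=ws-07 src=10.1.4.33 ok
"""

NEW_LOG = """\
2024-03-11T09:05:10 alice LOGIN host=ws-12 src=10.1.4.20 ok
2024-03-11T03:12:41 alice LOGIN host=db-prod-01 src=203.0.113.9 ok
2024-03-11T10:00:01 bob LOGIN host=ws-07 src=10.1.4.33 fail
2024-03-11T10:00:05 bob LOGIN host=ws-07 src=10.1.4.33 fail
2024-03-11T10:00:09 bob LOGIN host=ws-07 src=10.1.4.33 fail
2024-03-11T10:00:14 bob LOGIN host=ws-07 src=10.1.4.33 ok
2024-03-11T11:30:00 carol LOGIN host=ws-03 src=10.1.4.50 ok
"""


def parse_event(line: str) -> dict:
    ts, user, action, host, src, result = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "action": action,
            "host": host.split("=", 1)[1], "src": src.split("=", 1)[1],
            "result": result}


def subnet24(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(log: str) -> dict:
    """Per user: hosts, source /24s and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"hosts": set(), "subnets": set(), "hours": set()})
    for ev in map(parse_event, log.splitlines()):
        if ev["action"] == "LOGIN" and ev["result"] == "ok":
            profile = baseline[ev["user"]]
            profile["hosts"].add(ev["host"])
            profile["subnets"].add(subnet24(ev["src"]))
            profile["hours"].add(ev["time"].hour)
    return dict(baseline)


def analyse(baseline: dict, log: str) -> list:
    """Return the successful logins that deviate from the baseline, with reasons."""
    flagged, failures = [], defaultdict(int)
    for ev in map(parse_event, log.splitlines()):
        if ev["action"] != "LOGIN":
            continue
        if ev["result"] != "ok":
            failures[ev["user"]] += 1  # count the run of failures per user
            continue
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append("new host")
            if subnet24(ev["src"]) not in profile["subnets"]:
                reasons.append("new source subnet")
            if ev["time"].hour not in profile["hours"]:
                reasons.append("unusual hour")
        if failures[ev["user"]] >= FAILURE_THRESHOLD:
            reasons.append("success after %d failed attempts" % failures[ev["user"]])
        failures[ev["user"]] = 0  # a success ends the run
        if reasons:
            flagged.append({"user": ev["user"], "time": ev["time"].isoformat(),
                            "reasons": reasons})
    return flagged
```

A real UBA product scores these deviations and weighs them against peer groups rather than reporting every new host; the structure (learn a profile, compare new events to it) is the same.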
Security Trinity
CIA - Confidentiality, Integrity and Availability
Confidentiality
Measures taken to prevent disclosure of information or data to unauthorized individuals or systems and to ensure the proper disclosure of information to those who are authorized to receive it.
Integrity
Methods and actions taken to protect information from unauthorized alteration or revision, whether the data is at rest or in transit. Often verified with a hashing algorithm; where an attacker could also replace the hash, a keyed MAC or a digital signature is needed.
Bit-flipping
Cryptographic attack in which bits of the ciphertext are manipulated so that, once it is decrypted, the plaintext changes in a predictable way. It works against malleable constructions (stream ciphers, CBC mode) when no integrity check such as a MAC protects the ciphertext.
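An added example (not from the flashcards) of the attack just described, and of why integrity needs more than encryption: the ciphertext of a CBC-encrypted record is modified to turn "admin=0" into "admin=1" without knowing the key, and the same tampering is then rejected by an HMAC. To keep the example free of third-party packages the block cipher is a 4-round Feistel network with a SHA-256 round function, which is an assumption made here; in real systems use AES, ideally in an authenticated mode such as AES-GCM. The keys and the plaintext record are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example (not from the flashcards): CBC bit-flipping against a record
# with no integrity check, then the same tampering caught by an HMAC.
# Block cipher: 4-round Feistel network with a SHA-256 round function (an
# assumption made so the example runs stand-alone; use AES in practice).

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be whole blocks (no padding here)")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


def flip_byte_in_next_block(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change plaintext byte `offset` (in block n) by XORing ciphertext block n-1.

    CBC decryption computes P[n] = D(C[n]) XOR C[n-1], so XORing one byte of
    C[n-1] with (old XOR new) changes the same byte of P[n] from old to new.
    Block n-1 itself decrypts to garbage. Block 0 would need the IV instead."""
    if offset < BLOCK:
        raise ValueError("block 0 is controlled by the IV, not a ciphertext block")
    tampered = bytearray(ciphertext)
    tampered[offset - BLOCK] ^= old[0] ^ new[0]
    return bytes(tampered)


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over IV and ciphertext."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(mac_key, iv, ciphertext), tag)


def demo() -> dict:
    enc_key, mac_key = b"K" * 16, b"M" * 16  # constructed sample keys
    iv = os.urandom(BLOCK)
    plaintext = b"user=bob;cart=42" + b";admin=0;ttl=600"
    ciphertext = cbc_encrypt(enc_key, iv, plaintext)
    tag = seal(mac_key, iv, ciphertext)
    # plaintext byte 23 is the '0' of "admin=0" (block 1, offset 7)
    tampered = flip_byte_in_next_block(ciphertext, 23, b"0", b"1")
    return {
        "original": cbc_decrypt(enc_key, iv, ciphertext),
        "tampered": cbc_decrypt(enc_key, iv, tampered),
        "tampered_accepted_by_mac": verify(mac_key, iv, tampered, tag),
    }
```

The attacker never learns the key; the flip works because CBC XORs the previous ciphertext block into the next plaintext block. A parser that ignores the garbled first block (or a format where it holds nothing the application checks) is exactly the condition that made this class of attack practical.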
Availability
Communication systems and data being ready for use when legitimate users need them.
Authenticity
Genuine. For example, a digital signature can be used to guarantee the authenticity of the person sending a message.
Rainbow Series
Series of U.S. Department of Defense computer security publications named for the colors of their covers. Included the Orange Book, which contained the Trusted Computer System Evaluation Criteria (TCSEC).
TCSEC
Old DOD security standard for computers which set basic requirements for testing the effectiveness of computer security controls built into a computer system.
Common Criteria for Information Technology Security Evaluation
International standard (ISO/IEC 15408) that replaced TCSEC. It provides a way for vendors to make claims about the security of a product by following a set standard of controls and testing methods, with independent evaluation resulting in an Evaluation Assurance Level (EAL 1 to 7). It is designed to reduce or remove vulnerabilities from a product before it is released.
Target of Evaluation (TOE)
Common Criteria term for the product or system being evaluated.
Security Target (ST)
Common Criteria document describing the Target of Evaluation (TOE) and the security requirements it claims to meet.
Protection Profile (PP)
Common Criteria document that describes an implementation-independent set of security requirements for a type of product (e.g., firewalls).
Access Control
Restricting access to a resource in some selective manner.
Mandatory Access Control (MAC)
A method of access control where security policy is controlled by a security administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. It is not possible under MAC enforcement for users to change the access control of a resource.
Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc) and a category (which is essentially an indication of the management level, department or project to which the object is available).
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) allows each user to control access to the data they own. DAC is the default access control mechanism for most desktop operating systems. Instead of a security label, as in MAC, each resource object on a DAC-based system has an Access Control List (ACL) associated with it. An ACL lists the users and groups to which the owner has granted access, together with the level of access for each user or group.
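An added example (not from the flashcards) that puts the two models side by side as a toy reference monitor: the MAC check compares a subject label to an object label (classification level plus category set, as described above, with the Bell-LaPadula "no read up / no write down" rules) and offers no operation by which a user could change a label; the DAC check consults an ACL that only the object's owner may edit. The levels, users, groups and objects are constructed for the example.

```python
# Added example (not from the flashcards): a toy reference monitor contrasting
# a MAC decision (administrator-fixed labels) with a DAC decision (owner-edited
# ACL). Levels, users, groups and objects are constructed for the example.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """Security label: a classification level and a set of categories."""

    def __init__(self, classification: str, categories=()):
        self.level = LEVELS[classification]
        self.categories = frozenset(categories)

    def dominates(self, other: "Label") -> bool:
        """Level at least as high and every category of `other` present."""
        return self.level >= other.level and self.categories >= other.categories


def mac_allowed(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula rules: read needs subject >= object (no read up), write
    needs object >= subject (no write down). There is deliberately no way for
    a subject to relabel anything; labels are set by the administrator."""
    if access == "read":
        return subject.dominates(obj)
    if access == "write":
        return obj.dominates(subject)
    raise ValueError("unknown access type: %s" % access)


class DacObject:
    """An object whose ACL is managed by its owner (users or '@group' entries)."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, by: str, principal: str, perms):
        """Only the owner may edit the ACL; that is what makes it discretionary."""
        if by != self.owner:
            raise PermissionError("%s does not own this object" % by)
        self.acl.setdefault(principal, set()).update(perms)


def dac_allowed(obj: DacObject, user: str, groups, access: str) -> bool:
    principals = [user] + ["@" + g for g in groups]
    return any(access in obj.acl.get(p, ()) for p in principals)


def demo() -> dict:
    analyst = Label("secret", {"projectX"})
    memo = Label("confidential", {"projectX"})
    report = DacObject("bob")
    report.grant("bob", "@finance", {"read"})
    return {
        "mac_read_down": mac_allowed(analyst, memo, "read"),
        "mac_write_down": mac_allowed(analyst, memo, "write"),
        "mac_read_other_category": mac_allowed(analyst, Label("secret", {"projectY"}), "read"),
        "dac_group_read": dac_allowed(report, "alice", ["finance"], "read"),
        "dac_group_write": dac_allowed(report, "alice", ["finance"], "write"),
    }
```

Note the asymmetry: under DAC the owner can hand out access to anyone, which is why a compromised account can leak what it owns; under MAC the analyst can read the confidential memo but cannot write to it, so secret data cannot flow down to a lower classification.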
Security Policy
Document describing the security controls implemented in a business to accomplish a goal.
Access Control Policy
Identifies the resources that need protection and the rules in place to control access to those resources.
Information Security Policy
Identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules.
Information Protection Policy
Defines information sensitivity levels and who has access to those levels. Also addresses how data is stored, transmitted and destroyed.
Password Policy
Defines length, complexity, maximum and minimum age and reuse.
E-mail Policy
Addresses the proper use of the company email systems.
Information Audit Policy
Defines the framework for auditing security within the organization.
Promiscuous Policy
A wide open policy.
Permissive Policy
Blocks only things that are known to be dangerous.
Prudent Policy
Provides maximum security while still allowing some potentially dangerous services because of business needs; everything is blocked by default and only the required services are opened.
Paranoid Policy
Locks everything down.
Standards
Mandatory rules used to achieve consistency.
Baselines
Minimum security level necessary.
Guidelines
Flexible recommended actions in the event there is no standard to follow.
Procedures
Detailed step by step instructions for accomplishing a task or a goal.
Script Kiddie
A person uneducated in hacking techniques who simply makes use of freely available tools and techniques on the Internet.
Phreaker
Someone who manipulates telecommunications systems in order to make free calls.
White Hat Hacker
The good guys. Ethical hackers. Hired by a customer for the specific goal of testing and improving security or for other defensive purposes. Don’t use their knowledge without prior consent. Also known as security analysts.
Black Hat Hacker
The bad guys. Crackers. Illegally using their skills for either personal gain or malicious intent. Seek to steal or destroy data and to deny access to resources and systems. Do not ask for permission or consent.
Gray Hat Hacker
Neither good nor bad. Often curious about hacking and feel it is their duty, with or without the owner's permission, to demonstrate security flaws in systems.
Hacktivism
The use of hacking to promote a political agenda or social change. The activities involved are generally illegal.
Suicide Hackers
A hacker who is willing to risk everything to pull off a hack.
Cyberterrorist
Motivated by religious or political beliefs to create fear and large-scale systems disruption.
State Sponsored Hacker
Employed by a government.
Operating System Attack
Target the common mistakes made when installing operating systems - accepting and leaving all the defaults.
Application Level Attack
Attacks on programming code and software logic of an application that has vulnerabilities.
Shrink-wrap Code Attack
Takes advantage of the built-in code and scripts most off-the-shelf applications come with.
Misconfiguration Attack
Takes advantage of systems that are on purpose or by accident, not configured appropriately for security.
Infowar
The use of offensive and defensive techniques to create advantage over your adversary.
Phases of Ethical Hacking
- Reconnaissance
- Scanning and Enumeration
- Gaining Access
- Maintaining Access
- Covering Tracks
Reconnaissance Phase
Steps taken to gather evidence and information on the targets you want to attack. Information gathering can be passive or active in nature.
Passive Reconnaissance
Gathering information about a target without directly interacting with its systems, so the activity goes unnoticed. Examples include social engineering, dumpster diving and network sniffing.
Active Reconnaissance
Directly interacting with the target (e.g., probing hosts and ports) using tools and techniques that may or may not be detected by the target.
Scanning and Enumeration Phase
Taking the information gathered in recon and actively applying tools and techniques to gather more in-depth information on the targets (live hosts, open ports, services, accounts and shares).
Gaining Access Phase
True attack against a target in order to gain a foothold.
Maintaining Access Phase
Ensure there is continued access to a compromised system, usually by creating a back door.
Zombie
Compromised computer systems that can be used to launch further attacks or for further information gathering.
Covering Tracks Phase
Hackers attempt to conceal their success and avoid detection by security professionals. This could include removing or altering log files, hiding files with hidden attributes or directories, using tunneling protocols, etc.
Security Information and Event Management (SIEM)
Collects and correlates logs and events to support Security Operations Center (SOC) functions such as identifying, monitoring, recording, auditing and analyzing security incidents. Example: Splunk.
Ethical Hacker
Someone who employs the same tools and techniques as a criminal may use with the customer’s full support and approval to help secure a network or a system. They work within the confines of an agreement made between themselves and a customer before any action is taken.
Cracker
Malicious hacker motivated by personal gain or destructive purposes outside the interests of the system owner.
Get Out Of Jail Free Card
The contract that defines the permission and authorization given to a security professional conducting a Pen Test and defines the confidentiality and the scope.
Tiger Team
A group of people working to address a specific problem or goal. Ethical hackers are sometimes part of a Tiger Team. In IT, a tiger team is usually composed of skilled hackers who will seek to penetrate a network or other tech environment for the purposes of improving security and closing security loopholes.
Penetration Test
A clearly defined, full-scale test of the security controls of a system or network in order to identify security risks and vulnerabilities. Has three phases, preparation, assessment and conclusion.
PENTEST Preparation Phase
Defines the time period during which the Pentest contract is hammered out. The scope of the test, the types of attacks allowed and the individuals assigned to perform the activity are agreed upon.
PENTEST Assessment Phase
Also known as the security evaluation phase or the conduct phase - the actual assaults on the security controls.
PENTEST Conclusion Phase
Also known as post-assessment phase - defines the time when final reports are prepared for the customer detailing the findings of the tests and providing recommendations to improve security.
Black Box Testing
The ethical hacker has no knowledge of the Target of Evaluation (TOE) so as to simulate an outside, unknown attacker. Takes the most time to complete and is the most expensive. It emphasizes outside attack and does not take into account any trusted users on the inside.
White Box Testing
The ethical hacker has full knowledge of the network, system and infrastructure they are targeting. This facilitates quicker testing and less expensive. Designed to simulate a knowledgeable internal threat such as a disgruntled network admin or other trusted user.
Gray Box Testing
The ethical hacker has partial knowledge of the target, simulating an insider with limited access (e.g., a normal user account) who attempts to escalate privileges.
Health Insurance Portability and Accountability Act (HIPAA)
Addresses privacy standards with regard to medical information. Has five subsections: Electronic Transaction and Code Sets, Privacy Rule, Security Rule, National Identifier Requirements, Enforcement.
Sarbanes-Oxley Act
Created to make corporate disclosures more accurate and reliable in order to protect the public and investors from shady behavior. Has 11 titles that handle everything from what financials should be reported to protecting against auditor conflicts of interest and enforcement for accountability.
Open Source Security Testing Methodology Manual (OSSTMM)
Peer-reviewed, formalized methodology of security testing and analysis that provides actionable information to measurably improve operational security. Defines three types of compliance:
- Legislative
- Contractual
- Standards based
Payment Card Industry Data Security Standard (PCI-DSS)
A security standard for organizations handling credit cards, debit cards and other payment cards; it applies to all entities involved in the payment process. Consists of 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Control Objectives for Information and Related Technologies (COBIT)
Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). Is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development, good practice, and emphasizes regulatory compliance and helps security architects figure out and plan minimum security requirements for their organizations. Categorizes control objectives into the following domains:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
ISO/IEC 27001:2013
Provides requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
Criminal Law
Body of rules and statutes that define conduct prohibited by the government because it threatens and harms public safety and welfare and that establishes punishment to be imposed for the commission of such acts.
Civil Law
A body of rules that delineates private rights and remedies as well as governs disputes between individuals in such areas as contracts, property, and family law, distinct from criminal law.
Common Law
Law based on societal customs and recognized and enforced by the judgments and decrees of the court.
PDU at the Data Link Layer
Frame