General Flashcards
What are two ways to measure risk?
Quantitative and Qualitative
Which risk response is also included when risk mitigation is performed?
Acceptance
This describes the probability of a threat being realized.
Likelihood
This describes the amount of loss during a one-year timespan.
Annualized Loss Expectancy (ALE)
This phase of the risk management life cycle identifies effective means by which identified risks can be reduced.
Control
A ____________ should include detailed descriptions of the necessary steps required to successfully complete a task.
Process
This function of the NIST CSF defines capabilities needed for the timely discovery of security incidents.
Detect
A formal mechanism designed to measure performance of a program against desired goals.
Key Performance Indicator (KPI)
Which cloud service type represents the lowest amount of responsibility for the customer?
SaaS
This describes when a customer is completely dependent on a vendor for products or services.
Vendor lock-in
This describes when a copy of vendor-developed source code is provided to a trusted third party, in case of disaster.
Source code escrow
This describes all of the suppliers, vendors, and partners needed to deliver a final product.
The Supply Chain
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain.
CMMC
True or False. The use of cloud service providers always reduces risk.
False
Which type of data can be used to identify an individual and includes information about past, present, or future health?
Protected Health Information (PHI)
Which type of data describes intangible products of human thought and ingenuity?
Intellectual Property (IP)
Which data destruction method is focused on the sanitization of the key used to perform decryption of data?
Crypto erase
Which concept identifies that the laws governing the country in which data is stored have control over the data?
Data sovereignty
A non-regulatory agency in the United States that establishes standards and best-practices across the entire science and technology field is known as:
NIST
What regulation enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and/or analyze data on subjects located there?
GDPR
Which U.S. federal law is designed to protect the privacy of children?
COPPA
Which process is designed to provide assurance that information systems are compliant with federal standards?
Certification and Accreditation
This describes the identification of applicable laws depending on the location of the organization, data, or customer/subject.
Jurisdiction
What concept is often linked to the “prudent man rule”?
Due care
This describes when an organization’s legal team receives notification instructing them to preserve electronically stored information.
Legal Hold
What type of agreement is often described as an “umbrella” contract that establishes the agreement between two entities to conduct business?
Master Services Agreement (MSA)
Which agreement governs services that are both measurable and repeatable and also generally include enforcement mechanisms that result in financial penalties for non-compliance?
Service Level Agreement (SLA)
What is the last step in a business continuity plan?
Maintenance
NIST defines this as “An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.”
Business Impact Analysis
This generally defines the amount of data that can be lost without irreparable harm to the operation of the business.
Recovery Point Objective
Which type of assessment seeks to identify specific types of sensitive data so that its use and handling can be properly disclosed?
Privacy Impact Assessment
Using other branch locations to manage a disaster response is referred to as:
Alternate Operating Facilities
Which type of DR site has lowest operating expense and complexity?
Cold Site
This type of site is one that can be activated and used within minutes.
Hot Site
This term describes when cloud service offerings are used for DR capabilities.
DRaaS, DR as a Service
True or False. Incident response should only involve the information technology department.
False
True or False. BCDR is a technical capability and so senior leadership involvement is not required.
False
True or False. BCDR plans should not be tested as doing so may break production systems.
False
Which type of simulation test includes a meeting to review the plans and analyze their effectiveness against various BCDR scenarios?
Walk-through
Which type of simulation test is used to determine whether all parties involved in the response know what to do and how to work together to complete the exercise?
Tabletop Exercise
When performing this type of test, issues and/or mistakes could cause a true DR situation:
Full Interruption
What are the two main components of a VPN?
Creating a tunnel and protecting data via encryption
Identify some ways a VPN might help an adversary avoid detection.
Answers will vary but should include a description of hiding data/activities and geographic location.
Describe a solution designed to validate the health of an endpoint prior to allowing access.
Network Access Control (NAC)
This is a passive technology used to provide visibility into network traffic within a switch.
Test Access Port or TAP
What version of SNMP should be used whenever possible?
Version 3
Which type of environment is characterized by having hosts and networks available for use by visitors, such as the public or vendors?
Guest
This describes a specially configured, highly hardened, and closely monitored system used to perform administrative tasks.
Jump Box
This type of network segmentation differs from a traditional network segmentation approach as it provides much higher levels of security, granularity, and flexibility.
Microsegmentation
What type of architecture adopts the approach of “never trust, always verify”?
Zero Trust Architecture
This implementation creates a software-defined network by utilizing existing physical network equipment.
SDN Overlay
This describes improving performance by adding additional resources to an individual system, such as adding processors, memory, and storage to an existing server.
Scaling Vertically
A ______________________________________ leverages the global footprint of cloud platforms by distributing and replicating the components of a service to improve performance to all the key service areas needing access to the content.
Content Delivery Network (CDN)
What design strategy often conflicts with information technology management approaches that look to consolidate platforms and reduce product portfolios?
Heterogeneity/Diversity
Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?
Application Virtualization
This non-profit organization provides guidance and best practices on the development and protection of web applications.
OWASP
What are some of the functions that can be performed via a Container API?
Some examples include list logs generated by an instance; issue commands to the running container; create, update, and delete containers; and list capabilities.
What environment is used to merge code from multiple developers to a single master copy and subject it to unit and functional tests?
Test or Integration Environment
Which type of application testing is frequently performed using scanning tools such as OWASP’s Zed Attack Proxy (ZAP)?
Dynamic Application Security Testing (DAST)
This describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise.
Enterprise Service Bus (ESB)
True or False. Traditional software development models incorporate security requirements throughout all phases.
False
Which type of software testing ensures that a particular block of code performs the exact action intended and provides the exact output expected?
Unit Testing
Which type of testing verifies that individual components of a system are tested together to ensure that they interact as expected?
Integration Testing
What development model includes phases that cascade with each phase starting only when all tasks identified in the previous phase are complete?
Waterfall
What development model incorporates Security as Code (SaC) and Infrastructure as Code (IaC)?
SecDevOps
Storing passwords using this method should be disabled as it provides marginal improvements in protection compared to simply storing passwords in plaintext.
Reversible Encryption
What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?
Federation
Which access control model is a modern, fine-grained type of access control that uses a type of markup language called XACML?
Attribute-Based Access Control (ABAC)
What authentication protocol is comparable to RADIUS and associated with Cisco devices?
TACACS+
What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server’s local timestamps?
Time-Based One Time Password (TOTP)
In which stage of the data life cycle is data shared using various mechanisms, such as email, network folders, websites, or cloud storage?
Use
Describe some of the critical elements included in data management.
Answers will vary but should include descriptions of data inventory, data mapping, backups, quality assurance, and integrity controls.
Identify some practical DLP example use-cases.
Blocking use of external media, print blocking, Remote Desktop Protocol (RDP) blocking, clipboard privacy controls, restricted virtual desktop infrastructure (VDI) implementation, data classification blocking.
What is the name of the data obfuscation method that replaces sensitive data with an irreversible value?
Tokenization
What data obfuscation method is designed to protect personally identifiable information so that data can be shared?
Anonymization
Which type of virtualization platform supports microservices and server-less architecture?
Containerization
_____________________________ is assigned to cloud resources through the use of tags and is frequently exploited to expose configuration parameters which may reveal misconfigured settings.
Metadata
Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs and provide the highest level of flexibility?
Multi-tenant
After powering up a virtual machine following maintenance, the virtual machine is no longer accessible by applications previously configured to connect to it. What is a possible cause of this issue?
The IP address was reassigned to another instance.
Which type of storage model supports large amounts of unstructured data and is commonly used to store archives and backup sets?
Blob Storage
Which technology uses a ledger distributed across a peer-to-peer (P2P) network?
Blockchain
___________________ reality emulates a real-life environment through computer-generated sights and sounds.
Augmented/Virtual
This term describes computer-generated images or video of a person that appear to be real but are instead completely synthetic and artificially generated.
Deep Fake
______________ computers use information represented by spin properties, momentum, or even location of matter as opposed to the bits of a traditional computer.
Quantum
Which technology allows the crafting of components on-demand, and potentially eliminates the need to share designs or plans that may lead to intellectual property theft?
3D Printing
Identify two types of certificates commonly used to implement access controls for mobile devices.
Trust (device) and user certificates
Which standard is associated with the Simultaneous Authentication of Equals (SAE)?
WPA3 (Wi-Fi 6)
Which type of device attack allows complete control of a device without the target device being paired with the attacker?
BlueBorne
Identify some reasons why DoH poses a security threat in an enterprise setting.
Answers may vary. DoH, if approved, must be configured to use a trusted provider. DoH encapsulates DNS traffic within HTTPS traffic, making it harder to identify. DoH can bypass external DNS query restrictions configured on firewalls.
Identify how Bluetooth can be used for physical reconnaissance.
Answers may vary. Bluetooth devices are discoverable using freely available tools, meaning an attacker can locate out-of-sight devices and also collect information about the hardware and vendor.
Identify some reasons why EOL software and hardware are concerning.
Responses will vary but should include a description regarding the lack of vendor support and vendor-supplied security patches.
True or False. Operating System instances running in the cloud are patched automatically by the cloud provider.
False
Which types of attacks on the Android OS can bypass the protections of mandatory access control?
Inter-app communication attacks
Which control is designed to prevent a computer from being hijacked by a malicious OS?
Answers may vary but secure boot, measured boot, or attestation services all apply.
Which type of host protection should provide capabilities that directly align to the NIST Cybersecurity Framework Core?
Endpoint Protection and Response
True or False. Operating in a public cloud removes the need for BCDR plans due to the fact that cloud platforms are so reliable.
False
What name is given to the practice of splitting encrypted data outputs into multiple parts which are subsequently stored in disparate storage locations?
Bit Splitting or Cryptographic Splitting
Which cloud computing practice eliminates the use of traditional virtual machines to deliver cloud services?
Serverless Computing
What is a critical component dictating the implementation of logging capabilities in the cloud?
Legal and regulatory compliance
What is the primary source of data breach in the cloud?
Misconfiguration
Which component integrates practically all the components of a traditional chipset including GPU?
System on a Chip, or SoC
Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder language?
Programmable Logic Controller, or PLC
Which type of availability attack are industrial computers most sensitive to?
Denial of Service, or DoS
An ________ ________ describes the method by which ICS are isolated from other networked systems.
Air Gap
What makes attacks against ICS uniquely concerning?
Answers will vary, but essentially because ICS control systems that interact with the real world and can cause humanitarian and/or environmental disasters when breached or attacked.
What is the name of the algorithm used by SHA-3?
Keccak
Which MAC method is commonly paired with Salsa20 on hardware that does not have integrated AES support?
Poly1305
Describe the key distribution problem.
Answers will vary. Should identify that it is associated with symmetric encryption and that sharing the key between two parties can be risky if not performed carefully.
Is Salsa20 a stream or block cipher?
Stream
How are modes of operation related to symmetric encryption?
Answers will vary. Modes of operation are like “techniques” used to make symmetric block ciphers operate in a way that is comparable to stream ciphers.
What symmetric encryption problem is asymmetric encryption uniquely equipped to solve?
Key distribution
What is the bulk encryption method used in the following cipher suite? ECDHE-RSA-AES128-GCM-SHA256
AES
What encryption scheme is generally associated with protecting email?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
What issue related to the use of authentication header (AH) makes it difficult/problematic to implement?
It does not work across NAT gateways.
Which implementation of Elliptic Curve Cryptography (ECC) is no longer recommended for use by the NSA?
P256
True or False. Private keys are contained within digital certificates.
False. Public keys are contained within digital certificates.
Which of the following would be best suited to protecting data stored on a removable disk: IPSec, TLS or AES?
AES is a symmetric block cipher and best suited to this. IPSec and TLS are associated with transport encryption.
Which device used to provide strong authentication stores a user’s digital certificate, private key associated with the certificate, and a personal identification number (PIN)?
Smart card
How do device certificates help security operations?
Answers will vary. A description of using device certificates to identify authorized endpoints is appropriate.
What is the purpose of a bridge CA?
Answers will vary. A bridge CA allows the interoperability and shared trust between multiple, otherwise independent, PKIs. Bridge CAs enable cross-certification.
_________________ ___________________ is the entity responsible for issuing and guaranteeing certificates.
Certificate Authority
True or False. A website protected with a valid digital certificate is guaranteed to be safe.
False. The digital certificate provides assurance that the site is genuine, but it could still be rogue in nature.
What is another term to describe the requirement for both client and server devices to use certificates to verify identity?
Mutual authentication
What is the name of the response header configured on a web server to notify a browser to connect to the requested website using HTTPS only?
HTTP Strict Transport Security (HSTS)
The error message “your connection is not private” is displayed when accessing a known website. What is a possible cause of this error?
The website is configured to use a weak signing algorithm.
Which threat assessment approach is described as emulating known TTPs to mimic the actions of a threat in a realistic way, without emulating a specific threat actor?
Threat emulation
Which defensive approach describes a team of specialists working with the viewpoint of “assume breach”?
Threat Hunting
Which threat actor group includes adversaries such as Anonymous, WikiLeaks, or LulzSec?
Hacktivists
Developed by Lockheed Martin, this describes the steps/actions an adversary must complete in order to achieve their goals.
Cyber Kill Chain
True or False. CPE is a list of records where each item contains a unique identifier used to describe publicly known vulnerabilities.
False. The description is for CVE. CPE uses a syntax similar to Uniform Resource Identifiers (URI); it is a standardized naming format used to identify systems and software.
What vulnerability assessment analysis approach requires the evaluation of a system or software while it is running?
Dynamic assessment
What testing method uses specialty software tools designed to identify problems and issues with an application by purposely inputting/injecting malformed data to it?
Fuzzing or fuzz testing
This describes the actions of an attacker using one exploited system to access another within the same organization.
Pivoting
What document describes the manner in which a pen-test may be performed?
Rules of Engagement (RoE)
Which category of tool describes the Metasploit tool?
An exploit framework
Which type of deceptive technology is generally less complicated to deploy than other deceptive technologies but can serve a similar purpose?
Simulator
Honeytoken and canary files are types of _______________ files.
Decoy
An ___________________________ system is one that is “unchangeable.”
Immutable
______________________________ describes the set of configuration changes made to improve the security of an endpoint from what the default configuration provides.
Hardening
In Linux, ________________ describe self-contained software applications which include all the necessary components and libraries they need to be able to operate on an immutable system.
Flatpaks
Which type of vulnerability is caused by processes operating under the assumption that a critical parameter or piece of information has not changed?
TOCTOU
When reviewing the operation of a web application, the following is observed: https://www.foo.com/products/jsessionid=8858PNRX949WM26378/?item=bigscreen-tv.
What is problematic with this?
The session ID is included in the URL, meaning that anyone with access to the jsessionid information could perform an authentication bypass attack for the identified user.
Which approach describes how software can be analyzed for open-source components?
Software Composition Analysis
True or False. JSON is not dependent upon web technologies.
False. JSON is designed to leverage common web technologies as part of its operation.
What type of attack is most closely associated with the use of characters such as ' OR 'x' = 'x' -- ?
Authentication Bypass, a type of SQL injection attack.
True or False. By default, switches provide packet capture utilities full visibility into all traffic flows for connected devices.
False. A switch must be configured to mirror traffic or utilize a tap in order to provide full visibility for packet capture. Switches natively isolate traffic.
Two alerts are generated by an IDS, one with a priority value of 1 and the other with a priority value of 10. Which should be investigated first?
The one with a priority value of 1, which represents a more concerning event type.
Which security product is most likely to support the use of YARA rules?
Antivirus
In what ways does the support of security incidents differ from traditional tickets/requests in IT?
Answers will vary. The answer should describe how security incidents must be handled based on severity rather than order received.
What is most concerning regarding false negatives?
They represent legitimate security incidents that do not generate an alert.
What term describes evidence handling from collection through presentation in court?
Chain of custody
Which utility can be used to extract data from binary files and can display the contents in hexadecimal, decimal, octal, or ASCII formats?
hexdump
Which tool can be used to identify interactions between processes and the Linux kernel?
strace
________________________ is a popular command line utility used to analyze memory dumps.
volatility
Which command line utility is designed to display real-time information about system memory, running processes, interrupts, paging, and I/O statistics?
vmstat
Risk management
The cyclical process of identifying, assessing, analyzing, and responding to risks.
enterprise risk management (ERM)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
Risk Management Framework (RMF) or ISO 31000
A comprehensive set of standards for enterprise risk management.
Risk
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Likelihood
In risk calculation, the chance of a threat being realized, expressed as a percentage.
Impact
The severity of the risk if realized, determined by factors such as the scope, the value of the asset, or the financial impacts of the event.
Single Loss Expectancy (SLE)
The amount that would be lost in a single occurrence of a particular risk factor.
Annual Loss Expectancy (ALE)
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
Annual Rate of Occurrence (ARO)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
Asset Value (AV)
The value of an asset, such as a server or even an entire building.
Exposure Factor (EF)
In risk calculation, the percentage of an asset’s value that would be lost during a security incident or disaster scenario.
Total Cost of Ownership (TCO)
Associated costs of an asset including acquisition costs and costs to maintain and safely operate the asset over its entire lifespan.
Return on Investment (ROI)
A metric to calculate whether an asset is worth the cost of deploying and maintaining it.
Mean Time To Recovery (MTTR)
Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
Mean Time Between Failures (MTBF)
Metric for a device or component that predicts the expected time between failures.
Gap Analysis
An analysis that measures the difference between current state and desired state in order to help assess the scope of work included in a project.
Risk avoidance
In risk mitigation, the practice of ceasing activity that presents risk.
Risk acceptance
The response of determining that a risk is within the organization's appetite and that no countermeasures other than ongoing monitoring are needed.
Risk mitigation
The response of reducing risk to fit within an organization’s risk appetite.
Risk transference
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
attack vectors
A specific path by which a threat actor gains unauthorized access to a system.
residual risk
Risk that remains even after controls are put into place.
Risk appetite
A strategic assessment of what level of residual risk is tolerable for an organization.
Key Performance Indicators (KPI)
A formal mechanism designed to measure performance of a program against desired goals.
Key Risk Indicators (KRI)
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring.
Scalability
Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
Reliability
The fundamental security goal of ensuring that an information processing system is trustworthy.
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Risk tolerance
Determines the thresholds that separate different levels of risk.
Tradeoff analysis
Comparing potential benefits to potential risks and determining a course of action based on adjusting factors that contribute to each area.
Separation of duties
Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
Job rotation
The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person’s duties.
Mandatory vacation
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
Least privilege
Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Cloud Service Provider (CSP)
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.
Shared responsibility model
Identifies that responsibility for the implementation of security, as applications, data, and workloads are transitioned into a cloud platform, is shared between the customer and the cloud service provider (CSP).
Software as a Service (SaaS)
Cloud service model that provisions fully developed application services to users.
Platform as a Service (PaaS)
Cloud service model that provisions application and database services as a platform for development of apps.
Infrastructure as a Service (IaaS)
Cloud service model that provisions virtual machines and network infrastructure.
Vendor Lock-in
A customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.
Vendor Lockout
A vendor's product is developed in a way that makes it inoperable with other products; the ability to integrate it with other vendor products is not a feasible option or does not exist.
Vendor Viability
A vendor that has a viable and in-demand product and the financial means to remain in business on an ongoing basis.
Source Code Escrow
A copy of vendor-developed source code provided to a trusted third party in the event the vendor ceases business.
Support Availability
Verifying the type and level of support to be provided by the vendor in support of their product or service.
Meeting Client Requirements
Formally defining what functionality is required of a product or service, and taking steps to verify that a vendor’s service or product provides at least this level of functionality.
supply chain
The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.
Supply Chain Visibility (SCV)
The capacity to understand how all vendor hardware, software, and services are produced and delivered as well as how they impact an organization’s operations or finished products.
Cloud Security Alliance (CSA)
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
Security Trust and Risk (STAR)
A framework of security best practices for Cloud service providers that is developed and maintained by the Cloud Security Alliance (CSA).
System and Organization Controls (SOC)
Use of standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the policies, processes, and procedures in place and designed to protect technology and financial operations.
International Organization for Standardization (ISO)
Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).
Cybersecurity Maturity Model Certification (CMMC)
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain by requiring suppliers to demonstrate that they have mature cybersecurity capabilities.
virtual local area networks (VLAN)
A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
Protected Health Information (PHI)
Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.
Personal Identifiable Financial Information (PIFI)
Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.
Intellectual property (IP)
Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.
data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
Data classification
The process of applying confidentiality and privacy labels to information.
Data retention
The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
Data sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
data subject
An individual that is identified by privacy data.
attestation of compliance (AOC)
A set of policies, contracts and standards identified as essential in the agreement between two parties.
Certification and accreditation (C&A)
A process executed in four distinct phases: initiation and planning, certification, accreditation, and continuous monitoring.
Information System Security Officer (ISSO)
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
Certifying Authority
The entity responsible for reviewing the results of a certification and accreditation package, including audit reports, and making the final decision regarding accreditation status.
Authority to Operate (ATO)
A formal letter of accreditation provided to the system owner granting them permission to operate a system.
Common Criteria (CC)
A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system (TOS).
Due care
Organizational security policies are (to some extent) driven by legislation introduced as a response to the growing appreciation of the threat posed by computer crime. Legislation can cover many aspects of security policy but the key concepts are due diligence (demonstrating awareness of security issues) and due care (demonstrating responses to identified threats). Security policy is also driven by adherence to industry codes of practice and standards.
due diligence
A legal principle that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
legal hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
e-Discovery
Procedures and tools to collect, preserve, and analyze digital evidence.
Cold Site
Predetermined alternate location where a network can be rebuilt after a disaster.
warm site
Alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
hot site
Fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.
after action report (AAR)
An analysis of events that can provide insight into how to improve response processes in the future.
Firewalls
Software or hardware device that protects a system or network by blocking unwanted network traffic.
Routers
An intermediate system working at the Network layer capable of forwarding packets around logical networks of different layer 1 and layer 2 types.
Load Balancer
Type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.
Virtual Private Cloud (VPC)
A private network segment made available to a single cloud consumer on a public cloud.
elastic IP address
A public IPv4 address that can be assigned to any instance or network interface in a VPC within an AWS account.
social engineering
Activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.
virtual appliance
A preconfigured, self-contained virtual machine image ready to be deployed and run on a hypervisor.
MX records
A special type of DNS record used to identify the email servers used by a domain.
Distributed Denial of Service
Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
Rate Limiting
An approach that prevents an attack from consuming all available bandwidth and impacting other servers and services on the network. It reduces the amount of throughput available to the server or service being attacked.
Web Application Firewall (WAF)
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
Blackhole Routing
Redirects all the traffic intended for an endpoint and drops both legitimate and malicious traffic.
Cloud Service Providers
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an “as a service” subscription-based, cloud-centric offering.
DDoS Mitigation Software/Appliance
Reflects the methods used to reduce the impact of a distributed denial of service (DDoS) attack. DDoS mitigation can be implemented through the use of special software or by deploying a virtual appliance designed to provide DDoS protection.
unified threat management (UTM)
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
Content Filtering
A security measure performed on email and internet traffic to identify suspicious, malicious and/or inappropriate content in accordance with an organization’s policies.
MIME (Multipurpose Internet Mail Extensions)
A protocol specifying Internet mail message formats and attachments.
Data Loss Prevention (DLP)
Software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
SPAM
Junk messages sent over email (or instant messaging, which is called spim). It can also be utilized within social networking sites.
SPAM Block Lists (SBL)
Identifies known bad senders. Security companies typically provide this as a service to organizations to reduce SPAM messages.
Antivirus
Inspecting traffic to locate and block viruses.
caching engines
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
non-transparent proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
transparent proxy
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
SQL injection
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
cross-site scripting (XSS)
A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.
cross-site request forgery (XSRF)
A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.
file inclusion
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
directory traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.