Lessons 15-19 Flashcards
Asset
An asset is any device, data, or other component of value to an organization.
Owners-
are responsible for decisions related to classification and access control, as well as oversight of protection mechanisms.
Custodians
are responsible for implementing, managing, and monitoring controls
Network mapping
used to create physical and logical diagrams. Popular network mapping tools include Solarwinds, Spiceworks, ManageEngine, and Nmap.
Network Enumeration
discover and document devices and their characteristics. Tools include DumpSec and Nessus.
End-of-sale
when the product, service, or subscription is no longer for sale.
End-of-life & End-of-support
- when the product, service, or subscription is deemed obsolete. Once obsolete, the product is not sold, improved, or maintained.
- the last date to receive service and support. After this date, updates are no longer available.
Fixed lifecycle-
products with defined dates at the time of release.
Continuous (modern) lifecycle-
products with continuous support and servicing. Generally, customers must take the latest update to remain supported.
ARCHIVING
The process of securely storing original, unmodified files for later potential retrieval
LEGAL HOLD
Is the requirement of an organization to preserve all forms of relevant information when litigation, audit, or government investigation is anticipated.
DATA REMANENCE
Refers to the residual traces of data that remain on a storage medium even after attempts have been made to erase or delete the information.
TRIM
is a command used by the OS to inform solid-state drives which blocks of data are no longer in use. When TRIM is executed, the SSD may immediately erase the associated data, reducing the likelihood of remanence.
DATA SANITIZATION
Aka disk wiping- is a clearing technique that overwrites all addressable storage and indexing locations multiple times.
Shredding (shearing), Pulverizing, Pulping, Burning
- physically breaking media into pieces
- reducing media to dust
- chemically altering media
- incinerating media
CERTIFICATE OF DESTRUCTION
Is issued by the commercial destruction service upon the destruction of media.
Certificates should include at minimum: date of destruction, description of media (including serial number), method of destruction, witnesses, and company name and address with contact information.
Exposure-
a system or software configuration issue, or lack of a control, that could contribute to a successful exploit or compromise.
BUG BOUNTY PROGRAM
Aka a vulnerability rewards program (VRP): an incentive program that compensates individuals for identifying and reporting vulnerabilities or bugs.
Open bug bounty program- offered by hundreds of companies like Google, Microsoft, and Facebook
Closed bug program- invitation only.
CVE PROGRAM
Is an international, community-driven effort to catalog hardware and software vulnerabilities for public access.
A CVE is a standardized identifier for a given vulnerability or exposure.
COMMON VULNERABILITY SCORING SYSTEM
CVSS
CVSS is an open framework for communicating the characteristics and severity of hardware and software vulnerabilities.
There are 5 ratings: none, low, medium, high, and critical.
VULNERABILITY SCANNING
The automated activity that relies on a database of known vulnerabilities such as CVE/NVD, designed to identify vulnerabilities in the target environment
Vulnerability assessment-
identify host attributes and known common vulnerabilities and exposures (CVE). Find, then report.
Penetration testing
evaluate the security of a target by identifying and providing proof of concept of flaws and vulnerabilities, or by performing compromise (exploitation). Find, then exploit, then report.
PATCH MANAGEMENT
The process of identifying, acquiring, installing, and verifying patches (updates)
Dynamic application security testing - DAST
a type of security testing that analyzes a running application to find vulnerabilities by simulating attacks.
AUDIT AND EVENT LOGS
Are a chronological record of events and actions
SYSLOG
System logging protocol is a standard protocol used to send system log or event messages to a Syslog server.
* Syslog is used to collect logs from different devices to store in a central location for monitoring and review
SIEM-
security information and event management is an automation tool for real-time data capture, event correlation, analysis, and reporting.
TIP
threat intelligence platform is an automation tool that combines multiple threat intelligence feeds and integrates with existing SIEM solutions
UEBA
User and Entity Behavior Analytics is an automation tool that models the behavior of humans and machines to identify normal and abnormal behavior
SOAR
security orchestration, automation, and response is an automation tool that responds to alerts, triages the data, and takes remediation steps.
Orchestration
The integration of disparate tools and platforms for an automated response.
SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
Is a widely used network management protocol that allows administrators to monitor and manage network devices.
SNMP agents
software modules installed on managed devices. They collect and store information about the device’s performance and respond to queries from SNMP management systems.
SNMP managers
send SNMP queries to agents to retrieve information and can also issue configuration commands to the device
NETFLOW
A network protocol developed by Cisco Systems that allows the collection and analysis of network traffic data.
IPFIX-
is an industry-standard protocol based on NetFlow v9 that provides a vendor-agnostic format
CVE- Common Vulnerabilities and Exposures
is a database of publicly known cybersecurity vulnerabilities and exposures. Each vulnerability is assigned a unique identifier, making it easier for organizations to share and reference security issues consistently.
CCE (Common Configuration Enumeration)
a standard that provides unique identifiers for system configuration settings to help organizations manage and assess their security configurations.
CPE (Common Platform Enumeration)
is a standardized method of naming and identifying software applications, operating systems, and hardware devices.
CVSS (Common Vulnerability Scoring System)
is a standardized framework for rating the severity of security vulnerabilities. It provides a numerical score from 0 to 10, with higher scores indicating more severe vulnerabilities, helping organizations prioritize their responses to security issues.
OVAL (Open Vulnerability and Assessment Language)
is a standardized language used to describe and share information about the security vulnerabilities and configuration issues of computer systems. It helps automate the assessment, reporting, and remediation of these security issues.
IDS/IPS-
analyze and monitor for suspicious traffic. IPS can deny traffic access
DLP
detect and prevent unauthorized transfer and exfiltration of data.
NAC
enforce endpoint access privileges based on pre-admission and post-admission policies
Web filters
enforce restrictions to websites based on predefined criteria
EDR/XDR
advanced integrated platforms that monitor, report on, and respond to security threats.
Browser extensions (client-side)
plugins or addons used on individual devices to filter internet access. Small-scale use.
INTERNET PROTOCOL IP
A set of rules for routing and addressing packets of data- it is the language of the internet
IP convergence
is the use of the IP as the standard transport for transmitting all information
Extensibility-
is additional functionality or the modification of existing functionality without altering the original structure or data flow.
Open standard
a standard that is publicly available and can be freely adopted and extended.
Address Resolution Protocol ARP
IP address to MAC address mapping. IPv6 uses a neighbor discovery protocol
Internet Control Messaging Protocol ICMP
Error control and troubleshooting (ping, tracert)
Internet Group Management Protocol IGMP
Multicasting. IPv6 uses Multicast Listener Discovery.
Transmission Control Protocol TCP
Connection-oriented delivery (3-way handshake)
User Datagram Protocol UDP
Connectionless delivery
IPv4
deployed in 1981; the first publicly used version (versions 1-3 were experimental). 32-bit address in dotted decimal form; IP address scarcity; limited security options.
IPv6-
deployed in 1999 (adoption phase)
128-bit address in hexadecimal form
2^128 addresses (340 trillion trillion trillion)
Integrated IPsec
Stateful and stateless auto-configuration capabilities
Scans are less effective because of the larger address space
Sniffing is more difficult because of mandated IPsec
QUALITY OF SERVICE QoS
Is a feature of network devices that prioritizes traffic
Controls and manages network resources by setting priorities for specific types of data on the network
APPLICATION LAYER PORTS
*The path of communication from the transport layer to the application layer is through a port
*Port- is an identifier for an application within a computer
*Applications listen for connections on a port dedicated to that service
*A port is associated with either UDP or TCP
65,535 available ports are broken into 3 ranges
*Ports 1-1,203- assigned by the Internet Assigned Numbers Authority (IANA); well-known ports
*Ports 1,024-49,151 can be registered with IANA
*Ports 49,151-65,535- are dynamic or private ports
Some Common Ports
- Port 20/21: FTP (File Transfer Protocol) - Used for transferring files.
- Port 22: SSH (Secure Shell) - Used for secure remote login and command execution.
- Port 23: Telnet - Used for unencrypted text communications.
- Port 25: SMTP (Simple Mail Transfer Protocol) - Used for sending emails.
- Port 53: DNS (Domain Name System) - Used for resolving domain names to IP addresses.
- Port 80: HTTP (HyperText Transfer Protocol) - Used for web traffic.
- Port 110: POP3 (Post Office Protocol 3) - Used for retrieving emails.
- Port 143: IMAP (Internet Message Access Protocol) - Used for retrieving emails with more features than POP3.
- Port 443: HTTPS (HTTP Secure) - Used for secure web traffic.
- Port 3389: RDP (Remote Desktop Protocol) - Used for remote desktop access.
Secure protocol
The purpose of a secure protocol is to ensure confidentiality, integrity, authentication, nonrepudiation, or any combination thereof.
SECURE COMMUNICATIONS AND MANAGEMENT PROTOCOLS
HTTPS (80)- HTTP + TLS
FTPS (989,990)- FTP + TLS
Secure SHell (22)- secure channel between a local and remote device. Telnet replacement
SFTP (22)- Secure file transport packaged with SSH
SRTP (5601)- Used for securely sending audio and video messages over IP networks
S/MIME- Used to send digitally signed and encrypted email messages
DNSSEC (53)- an extension to the DNS protocol that enables origin authentication, authenticated denial of existence, and data integrity.
SECURE EMAIL COMMUNICATIONS
Refers to the use of various measures and protocols to protect the confidentiality, integrity, and authenticity of email messages exchanged between parties.
SPF- sender policy framework-
email authentication method designed to prevent email spoofing and protect against forged or unauthorized use of domain names in email messages.
DKIM- DomainKeys Identified Mail-
an email authentication method designed to verify the authenticity and integrity of email messages.
DMARC- Domain-based message authentication, reporting, and conformance
an email authentication protocol that helps protect against email spoofing and phishing attacks.
SPF Record-
The domain owner creates an SPF record and publishes it in the DNS settings of their domain. The SPF record contains information about the authorized email servers that are allowed to send emails on behalf of the domain.
Server-to-server encryption
establishes an encrypted connection to protect the email data in transit between the sender's and recipient's servers.
End-to-end encryption-
ensures that the email message is encrypted on the sender’s device and can only be decrypted by the intended recipient. This means that not even the email service provider has access to the decrypted content.
TLS-
transport layer security is a cryptographic protocol used to encrypt communication between email servers during transmission.
S/MIME-
Secure/Multipurpose Internet Mail Extensions is a standard for secure email messaging that provides encryption and digital signatures.
WINDOWS GROUP POLICY
Provides centralized management and configuration of OS, application, and user settings in a Microsoft Windows Active Directory environment.
Group policy object GPO
a group of settings. They can be associated with one or many Active Directory containers, including sites, domains, or organizational units (OUs).
Group policy management console GPMC
snap-in provides a single administrative tool for managing group policy across the enterprise
SECURITY-ENHANCED LINUX (SELinux )
Is the Linux kernel access control security module
Created by the US National Security Agency (NSA) and Red Hat. This security module is available for most Linux distributions but is mainly used on RHEL and Fedora.
SELinux operates on the principle of least privilege. By default, everything is denied, and a policy is written that gives each element of the system only the permissions it needs to function.
Targeted policy
the most common type of policy, where only selected processes are protected.
Strict policy
the more stringent policy where all processes are protected.
Enforcing-
the default and most secure SELinux mode, SELinux enforces the access control policies and does not allow users to override them.
Permissive
SELinux does not enforce the policies but logs events when a user or process attempts to access a resource blocked off by the policies. This enables monitoring for potential issues
IDENTITY AND ACCESS MANAGEMENT
IAM is a business process of enabling the right individuals to access the right resources at the right times and for the right reasons.
Provisioning & Deprovisioning
- the process of creating and managing digital identities
- the process of removing and deleting digital identities
onboarding
Account creation requests are submitted, user agreements are signed (NDA/AUP), user accounts are created, and group/role memberships are established.
Credentials then assigned
Orientation and training
Authorization
Authorization is granted by data/resource owners or a “need to know” is established
Rights and permissions are assigned by the custodian
User training
Change Requests
User accounts are audited
User access is audited
Change requests submitted based on personnel requirements
Change requests are audited
Security education, training and awareness (SETA)
Termination/ offboarding
Termination tasks include reclaiming physical assets and access control assets, and removing/disabling accounts and access.
Reassigning file and folder permissions and ownership
Users should be reminded of any agreements that extend beyond employment.
Authorization creep
the accumulation of unnecessary rights and permissions over time
SINGLE SIGN-ON SSO
Users can access multiple applications within the same organization or domain using a single set of credentials.
Federated identity
It enables users to access applications or platforms across multiple enterprise domains (that are part of a federated configuration) using a single set of credentials (portable identity).
FEDERATED IDENTITY MANAGEMENT
FIM refers to the process and technologies involved in managing user identities, access rights, and permissions across federated systems.
SAML - security assertion markup language
An XML-based open standard for exchanging authentication and authorization data between a service provider (SP) and an identity provider (IdP).
Authorization server API/ resource
the server that authenticated the user and issued an access token to the resource server.
OAUTH 2.0
An open standard protocol and framework designed to provide secure, delegated access to resources without sharing credentials
BIOMETRICS
Physical or behavioral human characteristics that can be used to digitally identify a person
PHYSIOLOGICAL MARKERS AND BEHAVIORAL TRAITS
- Fingerprint- a unique pattern of finger ridges.
- Retinal- unique structure of capillaries that supply the retina with blood
- Iris- unique color and iris patterns
- Vein- unique vein pattern in palm and fingers
- Facial- based on facial features
- Voiceprint- unique vocal attributes
- Handwriting- analysis of speed, shape, and stroke of the pen
- Gait- walking traits such as step length, width, speed, and angle
ACCESS CONTROL
Is a security process that enables organizations to manage who is authorized to access data and resources and what they are allowed to do
Physical access control
focuses on facilities, equipment, devices, and paper
Logical access control
focuses on systems, applications, and data
Rights
are entitlements granted to users that determine their level of control and access within a system: change system time, create a user, install software.
Permissions
specific authorizations that define what a user can do with specific files or system resources: read, write, delete, modify.
Dual control
requires more than one subject or key to complete a specific task.
Separation of duties
implies breaking a task into separate processes, so no one subject is in complete control or has overriding decision-making power.
Subjects
are active entities, generally in the form of a person, process, or device, that cause information to flow among objects or change the system state.
Objects
passive entities (resources) that contain or receive information or instructions.
Authorization can be static(hard-coded) or dynamic (influenced by situational factors)
Role-based (RBAC)-
access is based on the subject’s assigned roles.
Mandatory (MAC)
MAC access is based on the relationship between the subject's clearance (and need to know) and the object's classification level.
Attribute- based (ABAC)
access is determined by a combination of attributes.
* Is a logical access control model that controls access to objects by evaluating rules against the attributes of the subject and object, the operations, and the environment.
Discretionary (DAC)
determined by the data owner
PRIVILEGED ACCOUNTS
Is any account that provides rights and permissions above and beyond those of non-privileged (standard) accounts.
Standing privileged
is defined as accounts that have persistent privileged access 24x7x365
ZERO-STANDING PRIVILEGE (ZSP)
Aims to minimize the standing privileges granted to users or accounts within a system
In practice, ZSP means continuous reauthentication (explicit validation), and granting to authorized users the privileged access they need for the minimum time and only the minimum rights that they need (least privilege)
Administrator-
generally have the highest level of access and control over an OS, device, application, database, or network
Root/sudo
have complete control over UNIX/Linux systems.
PRIVILEGED ACCESS MANAGEMENT (PAM)
A set of practices, technologies, and policies designed to manage and secure privileged accounts and access to critical systems and sensitive data within an organization
Just-in-time privileged access-
is provided only for a limited duration and specific tasks
Privileged elevation and delegation
mechanisms for granting temporary or restricted privileges to non-privileged users when needed, reducing the dependency on persistent privileged accounts