Sec+ Book Flashcards
Cross Site Scripting (XSS)
Attacker injects malicious HTML or JavaScript into a web page that other users view, typically to steal session cookies or perform actions as the victim
Cross Site Request Forgery
Attacker tricks an authenticated user's browser into sending a request the user did not intend (for example via a crafted link or form on another site); the site accepts it because the browser attaches the session cookie automatically
Code Signing
Provides a digital signature for code: the publisher hashes the code and signs the hash with its private key; the accompanying certificate lets recipients verify the signature and the publisher's identity, so tampered code fails verification
Static Code Analysis
examines code without running it
Dynamic Code Analysis
examines code while running
Sandboxing
isolated area used for testing or running untrusted code so it cannot affect the rest of the system
Domain Hijacking
attacker changes registration of domain name without permissions from the owner, usually social engineering
Shimming
inserting a small compatibility layer (shim) between an application and the OS or driver API so that older drivers or programs appear compatible; attackers can abuse the same mechanism to load malicious code
Refactoring
rewriting code to improve its structure without changing its behavior
Memory Leak
a bug in the app that consumes more and more memory as it runs without releasing it, eventually degrading or crashing the system
Integer overflow attack
attempts to create numeric value that is too big for an application to handle
Buffer Overflow
when an app receives more input than the buffer was allocated to hold, overwriting adjacent memory; can let an attacker run arbitrary code
Diffie Hellman
key-exchange algorithm that lets two parties agree on a shared secret (used as a symmetric key) over a public channel without ever sending the secret itself
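Added example (not part of the original flashcards): a minimal Diffie-Hellman exchange in Python showing that both sides arrive at the same key while only the public values cross the wire. The group parameters P and G are a toy choice made for this example (2^127-1 is prime but not a safe prime); real deployments use standardised groups such as RFC 3526 / RFC 7919. The function names and the derive_key labelling are also this example's own.

```python
import hashlib
import secrets

# Toy parameters for illustration only (an assumption of this example, not a
# real group): p = 2^127 - 1 is prime but is NOT a safe prime. Real deployments
# use a standardised group such as the RFC 3526 / RFC 7919 2048-bit groups.
P = 2**127 - 1
G = 3


def dh_keypair(p: int = P, g: int = G):
    """Return (private, public): private is random in [2, p-2], public = g^private mod p."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def dh_shared_secret(own_priv: int, peer_pub: int, p: int = P) -> int:
    """Raw shared secret = peer_pub^own_priv mod p; both sides end up with g^(ab) mod p.

    The range check rejects the trivial values (0, 1, p and anything out of range)
    that an active attacker could send to force a predictable secret.
    """
    if not 1 < peer_pub < p:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, own_priv, p)


def derive_key(shared: int, label: bytes = b"sec+ dh demo") -> bytes:
    """Never use the raw secret directly: hash it into a fixed-size symmetric key."""
    shared_bytes = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + shared_bytes).digest()


def run_exchange():
    """Simulate Alice and Bob; only a_pub and b_pub cross the (untrusted) channel."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = derive_key(dh_shared_secret(a_priv, b_pub))
    k_bob = derive_key(dh_shared_secret(b_priv, a_pub))
    # An eavesdropper who sees a_pub and b_pub must solve the discrete log to
    # learn the key. DH alone does not authenticate the peers, which is why TLS
    # signs the exchange with a certificate to stop man-in-the-middle attacks.
    return k_alice, k_bob


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys match:", k1 == k2, k1.hex())
```

The point to take from the caveat in run_exchange: DH gives confidentiality against a passive eavesdropper, but an active attacker can run two separate exchanges unless the public values are authenticated (certificates in TLS, pre-shared keys or signatures in IPsec IKE).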
MD5
Message Digest 5 - produces a 128-bit hash shown as 32 hexadecimal characters; collisions are practical, so it is no longer suitable for security use
SHA
Secure Hash Algorithm family (SHA-1, SHA-2, SHA-3) - verifies integrity; SHA-1 is deprecated, SHA-256 is the usual choice
Diffusion
small changes in the plaintext result in large changes in the ciphertext
Block Cipher
encrypts data in fixed-size blocks (64 bits for DES and Blowfish, 128 bits for AES and Twofish); examples: AES, Twofish, Blowfish, RC5
CFB is not a cipher but a block-cipher mode of operation (Cipher Feedback) that lets a block cipher encrypt data as a stream
Stream Cipher
encrypts data one bit or byte at a time rather than in blocks; generally faster and suited to data of unknown length
examples: RC4 (once common in TLS and WEP, now deprecated). AES is a block cipher, but modes such as CTR and GCM make it operate as a stream cipher, which is how TLS uses it today
Online Certificate Status Protocol (OCSP)
allows the client to query the CA's OCSP responder with the serial number of the certificate and receive a real-time good/revoked/unknown answer
Transport Layer Security (TLS)
encrypts HTTPS traffic; the replacement for SSL; HTTPS runs over TCP port 443
Secure Sockets Layer (SSL)
deprecated predecessor of TLS; provides certificate-based authentication and encrypts data using a combination of asymmetric (key exchange) and symmetric (bulk data) cryptography
Pretty Good Privacy (PGP)
encrypts and signs email: the message is encrypted with a symmetric session key, and the session key is encrypted with the recipient's public key (RSA)
CA
Certificate Authority
CRL
certificate revocation list, a CA-signed list of the serial numbers of certificates the CA has revoked
XSRF
cross site request forgery
a malicious page tricks the user's browser into performing actions on a site where the user is already logged in, e.g., making a purchase
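Added example (not from the original flashcards): the synchronizer-token defence against XSRF, written as a simulated purchase handler in Python. The request dictionaries, the SERVER_SECRET and the function names are this example's own constructions; the handler only imitates what a web framework would pass in.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed for this example: a server-side secret that never reaches the browser.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce || HMAC(secret, session_id:nonce).

    The server embeds this in the form it renders. An attacker's page cannot read it
    (same-origin policy) and cannot forge it without SERVER_SECRET.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))  # constant-time compare


def handle_purchase(request: dict) -> Tuple[int, str]:
    """Simulated POST /purchase handler.

    `request` mimics what the server sees: cookies the browser attached automatically
    plus the submitted form fields. A forged cross-site request still carries the
    session cookie (the browser adds it), but not a valid token for that session.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "not logged in"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"purchased {request['form'].get('item')}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-123")
    legit = {"cookies": {"session": "sess-123"}, "form": {"item": "laptop", "csrf_token": token}}
    forged = {"cookies": {"session": "sess-123"}, "form": {"item": "laptop"}}  # from attacker's page
    print(handle_purchase(legit))
    print(handle_purchase(forged))
```

In practice the token check is combined with the SameSite cookie attribute and an Origin/Referer check; the token alone is what the exam calls "anti-CSRF tokens".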
DAC
Discretionary access control
all objects have owners, and owners modify the permissions on their objects (e.g., NTFS permissions). DAC allows coworkers to share information within a corporate file system
AES
Advanced Encryption Standard. BLOCK CIPHER that encrypts in 128-bit blocks. Can use key sizes of 128, 192, or 256 bits
DES
Data Encryption Standard. Legacy block cipher (56-bit key) used to provide confidentiality; replaced by 3DES and then AES
DLP
Group of technologies that prevent data loss ex. block usb
DSA
Digital Signature Algorithm
signs the hash of a message with the signer's private key; anyone with the public key can verify the signature
LDAP
Lightweight Directory Access Protocol
used to query and modify directory services; identifies objects with distinguished names built from attribute codes such as CN=, OU=, and DC=
IPSEC
Internet protocol security
a suite of protocols used to encrypt data in transit
IMAP
Internet Message Access Protocol. Stores and manages emails on the server (port 143, or 993 with TLS)
HMAC
Hash-based Message Authentication Code. A hash computed over the message together with a shared secret key, verifying both integrity and authenticity
HOTP
HMAC-based one-time password. Combines a shared secret key with a counter; each code stays valid until it is used
FDE
Full disk encryption
RADIUS
Remote Authentication Dial In User Service
provides central authentication for remote access clients (UDP ports 1812/1813)
PKI
Public Key Infrastructure
group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Allows two entities to privately share symmetric keys without any prior communication
PAP
Password Authentication Protocol. Old protocol that sends the password in cleartext
OCSP
Online Certificate Status Protocol
alternative to a CRL. Allows entities to query the CA with the serial number of a certificate instead of downloading the whole revocation list
NTLM
New Technology LAN Manager. Legacy suite of Windows challenge-response authentication protocols (LM, NTLMv1, NTLMv2); NTLMv2 uses an HMAC-MD5 (128-bit) response. Kerberos is preferred in modern domains
NAC
Network Access Control - System inspects client to observe health
MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol, provides mutual authentication
Mandatory Access Control (MAC)
restricts access to resources based on the sensitivity of the information (represented by a security label such as Confidential or Top Secret) and the formal authorization (clearance) of the user; the system, not the owner, assigns the labels and enforces the policy
RAT
Remote Access Trojan
RSA
Rivest, Shamir, Adleman - ASYMMETRIC algorithm used to encrypt data (usually a symmetric key) and digitally sign transmissions
SAML
Security Assertion Markup Language
an XML-based standard used to exchange authentication and authorization data for SSO
the IdP digitally signs an assertion confirming the user's identity, which is then sent to the Service Provider (SP) to grant access
SCADA
Supervisory Control and Data Acquisition - a type of Industrial Control System (ICS) used to monitor and control industrial processes
SOAR
(security orchestration, automation and response) is a stack of compatible software programs that enables an organization to collect data about cybersecurity threats and respond to security events with little or no human assistance.
SIEM
Security Information and Event Management - Security system that attempts to look at security events throughout organization
SNMPv3
Simple Network Management Protocol version 3 - monitor and manage network devices (UDP 161/162); v3 adds authentication and encryption
SSH
Secure Shell - encrypts remote terminal sessions and file transfers (TCP port 22)
SSO
Single Sign on - Authentication method where users can access multiple resources on a network using a single sign on
STP
Spanning Tree Protocol - prevents switching loops
TACACS+
Terminal Access Controller Access Control System Plus
provides central authentication for remote access clients (TCP port 49); encrypts the entire packet, unlike RADIUS
TOTP
time-based one-time password
uses a timestamp as the counter; each code expires after a set interval (typically 30 seconds)
TPM
Trusted Platform Module - chip on the motherboard that stores keys in hardware and supports full disk encryption, remote attestation, and a measured/secure boot process
UTM
Unified Threat Manager - group of security controls combined in a single solution
Technical Control
one that uses technology to reduce vulnerabilities: encryption, antivirus, IDS, firewalls, least privilege
least privilege (PoLP)
user or entity should only have access to the specific data, resources and applications needed to complete a required task.
Administrative Controls
risk and vulnerability assessments, day-to-day operations, security awareness training, policies and procedures
Preventive Controls
Prevent security incidents including hardening, user training, guards, account management
Corrective Controls
attempt to reverse the impact of an incident or problem after it has occurred: IPS, backups, recovery plans
Compensating Control
an alternative control used when the primary control cannot be implemented
Netstat
view stats for TCP/IP Protocols
Virtualization
allows multiple servers to operate on a single physical host
VM Sprawl
when the number of virtual machines (VMs) on a network reaches a point where administrators can no longer manage them effectively
ARP Command
view and manipulate the ARP cache
VM Escape
the attacker runs code on a VM that allows an operating system running within it to break out and interact directly with the hypervisor
Role-BAC
Role Based Access Control - uses roles (often mapped to groups) to manage rights and permissions for users
Rule-BAC
Rule Based Access Control - uses rules, like a firewall ACL, that apply to all users regardless of identity
ABAC
Attribute Based Access Control evaluates attributes of the subject, object, and environment against policies and grants access when a policy matches. You can also use an ABAC policy to enforce more complex behavior, such as "users from the Sales department can only edit CRM records during work hours"
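Added example (not from the original flashcards): a small ABAC policy engine in Python that encodes the card's "Sales can only edit CRM records during work hours" rule alongside an allow and a deny policy, using deny-overrides combining. The attribute names (dept, type, owner_dept, status), the work-hours definition and the policy names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]  # (subject, resource, action, environment)


@dataclass
class Policy:
    name: str
    effect: str          # "allow" or "deny"
    condition: Condition


def during_work_hours(env: Attrs) -> bool:
    """Environment attribute: Monday-Friday, 09:00-16:59 (an assumption of this example)."""
    t: datetime = env["time"]
    return t.weekday() < 5 and 9 <= t.hour < 17


# Constructed policy set; the attribute names are this example's own.
POLICIES: List[Policy] = [
    Policy("sales-edit-crm-in-work-hours", "allow",
           lambda s, r, a, e: s.get("dept") == "Sales" and r.get("type") == "crm_record"
           and a == "edit" and during_work_hours(e)),
    Policy("read-own-department-data", "allow",
           lambda s, r, a, e: a == "read" and r.get("owner_dept") == s.get("dept")),
    Policy("terminated-users-get-nothing", "deny",
           lambda s, r, a, e: s.get("status") == "terminated"),
]


def evaluate(subject: Attrs, resource: Attrs, action: str, env: Attrs,
             policies: List[Policy] = POLICIES) -> bool:
    """Deny-overrides combining: any matching deny wins, else any matching allow, else implicit deny."""
    allowed = False
    for policy in policies:
        if policy.condition(subject, resource, action, env):
            if policy.effect == "deny":
                return False
            allowed = True
    return allowed


def env_at(year: int, month: int, day: int, hour: int) -> Attrs:
    """Build the environment attributes for a given wall-clock time."""
    return {"time": datetime(year, month, day, hour, 0)}


if __name__ == "__main__":
    sales_rep = {"dept": "Sales", "status": "active"}
    crm = {"type": "crm_record", "owner_dept": "Sales"}
    print(evaluate(sales_rep, crm, "edit", env_at(2024, 3, 5, 10)))   # Tuesday 10:00 -> True
    print(evaluate(sales_rep, crm, "edit", env_at(2024, 3, 9, 10)))   # Saturday -> False
```

Contrast with Role-BAC: a role check would stop at "is this user in Sales?"; ABAC lets the decision also depend on the object (record type, owning department) and the environment (time of day), and the implicit-deny default means anything no policy speaks to is refused.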
Crossover Error Rate
the point where the false acceptance rate equals the false rejection rate; a lower CER means a better biometric system
False Rejection Rate
percentage of time false rejections occur
Smart Cards
credit card sized cards that authenticate using PKI. Certificate based
Kerberos
authentication protocol using tickets issued by a Key Distribution Center (KDC), port 88; requires time synchronization between clients and the KDC
Airgap
a metaphor for physical isolation, indicating that a system or network is completely isolated from another system/network
DMZ
Demilitarized Zone - provides a layer of security for servers that are accessible from the internet
WAF
Protects a web server against web application attacks, usually placed in the DMZ
802.1x server
provides strong port security using port-based authentication. Prevents rogue devices from connecting to a network by ensuring that only authorized clients can
SSID
Service Set Identifier is the name of the wireless network. Disabling SSID broadcast hides a wireless network from casual users
Bluejacking
sending unsolicited messages to a Bluetooth device (pushes information to the device)
Bluesnarfing
unauthorized access to a Bluetooth device to take information from it (contacts, messages)
IaaS
Infrastructure as a Service provides hardware resources (compute, storage, network) via the cloud. Limits the size of an org's hardware footprint
PaaS
Platform as a Service - provides a pre-configured OS, runtime, and on-demand computing on which customers deploy their own applications
chmod
changes file and directory permissions on a Linux system
Watering Hole Attack
attackers compromise a site that a targeted group visits and infect visitors with malware
ARP Poisoning
misleads a computer about the actual MAC address of an IP (e.g., the gateway); used for man-in-the-middle attacks
Hash Collision
occurs when the hashing algorithm produces the same hash for two different inputs (e.g., two different passwords)
Birthday Attack
exploits the birthday paradox: finding any two inputs with the same hash takes only about 2^(n/2) attempts for an n-bit hash, far fewer than the 2^n needed to match one specific hash. An attacker can then substitute a different password (or document) that hashes to the same value as the real one
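Added example (not from the original flashcards): a birthday attack against a deliberately truncated hash in Python. SHA-256 cut down to 32 bits stands in for a weak hash; the script finds two different inputs with the same truncated hash in roughly sqrt(pi/2 * 2^32) ~ 82,000 tries instead of the ~4 billion a brute-force match of one specific hash would need. The inputs "msg-N" are constructed for the example.

```python
import hashlib
import math
from typing import Optional, Tuple


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits, standing in for a short or weak hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_attempts(bits: int) -> float:
    """Expected inputs before the first collision: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def brute_force_bound(bits: int) -> int:
    """Matching one *specific* hash needs about 2^bits tries: the much harder problem."""
    return 2 ** bits


def find_collision(bits: int, max_attempts: int = 1 << 22) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday attack: hash distinct constructed inputs until two share a truncated hash.

    Returns (input_a, input_b, attempts_used) or None if max_attempts is exhausted.
    """
    seen = {}
    for i in range(max_attempts):
        msg = f"msg-{i}".encode()      # constructed, pairwise-distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    bits = 32
    a, b, n = find_collision(bits)
    print(f"{bits}-bit hash: collision after {n} attempts "
          f"(expected ~{expected_birthday_attempts(bits):.0f}, brute force ~{brute_force_bound(bits)})")
    print(a, b, hex(truncated_hash(a, bits)))
```

The same arithmetic is why 128-bit MD5 (2^64 birthday work, and far less with its structural weaknesses) is unsuitable for signatures, while 256-bit SHA-256 leaves 2^128 birthday work.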
What attacks does input validation prevent?
buffer overflow, SQL Injection, command injection, cross site scripting, XSRF
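Added example (not from the original flashcards): SQL injection as the concrete case of the card above, in Python with sqlite3. The vulnerable lookup builds SQL by string concatenation; the hardened version validates the input against an allow-list and passes it as a query parameter. The users table, its two rows and the username format rule are constructed for this example.

```python
import re
import sqlite3
from typing import List

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Allow-list validation: only lowercase letters, digits and underscore, 3-32 chars."""
    return USERNAME_RE.fullmatch(value) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("bob", "h2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """String concatenation: attacker-controlled text becomes SQL syntax."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterized query: the driver passes the value as data, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Input validation *and* parameterization: reject bad input early, never build SQL from it."""
    if not is_valid_username(username):
        raise ValueError(f"invalid username: {username!r}")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"          # classic tautology injection
    print("vulnerable:", lookup_vulnerable(db, payload))        # every user leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no match
    print("valid input?", is_valid_username(payload))            # rejected before any query
```

Parameterization alone already stops the injection; the allow-list check is the "input validation" layer the card refers to and is what also blocks the XSS and command-injection payloads that a parameterized query would not.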
race condition
where the system's behavior depends on the sequence or timing of other uncontrollable events, leading to unexpected or inconsistent results
Black Box Testing
pen testing with zero prior knowledge (unknown environment)
White Box Testing
pen testing with full knowledge of the environment
TCPdump
a command line protocol analyzer (packet capture)
Nmap
network scanner run from the command line; discovers hosts, open ports, services, and OS versions
Netcat
opens raw TCP/UDP connections; used to remotely administer servers and for banner grabbing
syslogs
identify when service starts and stops
SIEM
Security Information and Event Management
aggregate and correlate logs from multiple sources in a single location. continous monitoring and automated alerting and triggering
Physical Controls
Tech controls you can touch
Cable Locks
Secure mobile computers and laptops
Airgap
physical sec control that ensures a computer or network is physically isolated from another computer or network
RPO
Recovery Point Objective
refers to the amount of data (measured in time) you can afford to lose
RTO
Recovery Time Objective
maximum amount of time it should take to restore a system after an outage
MTBF
Mean Time Between Failures
average time between failures of a system
MTTR
Mean Time To Repair (or Recover)
average time it takes to restore a failed system
Table Top Exercises
Discussion based only
Symmetric Encryption
uses the same key to encrypt and decrypt data
Asymmetric Encryption
uses a public and private key that form a matched pair; what one key encrypts only the other can decrypt
Non-Repudiation
prevents a party from denying an action
RC4
Commonly used (now deprecated) symmetric stream cipher
These methods secure email with encryption and digital signatures
S/MIME and PGP, both use RSA and certificates
Key Escrow
stores a copy of private keys used in PKI with a trusted third party so they can be recovered
Wildcard Certificates
use a * for child domains to reduce the admin burden of managing certificates
Purging
all sensitive data has been removed from the device
Wiping
completely removing all remnants of data on a disk by using 1s and 0s to overwrite bits
Degaussing
a very powerful electromagnet that renders data on tapes and magnetic disk drives unreadable (does not work on SSDs)
AUP
Acceptable Use Policy
proper system usage for users and spells out rules of behavior when accessing systems and networks
NDA
Non disclosure Agreement
ensure that proprietary data is not shared
Data Owner
Overall responsible for the data
Privacy Officer
Ensure the company complies with relevant laws to protect private data, PII, PHI
SLA
Service Level Agreement
agreement between a company and a vendor that stipulates performance expectations such as minimum uptime and maximum downtime
Privacy Custodian/Steward
handles routine tasks to protect data
Order of Volatility from most to least volatile
CPU cache and registers, RAM, paging/swap file, hard drive data, logs stored remotely, archived media
DNS Blackholing
uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply.
Proximity Cards
commonly used with physical access control systems and relies upon RFID devices embedded into a token
Physical Controls
Any security measures designed to deter or prevent unauthorized physical access to sensitive information or the systems that contain it
Examples: alarm systems, locks, surveillance cameras, identification cards, and security guards
Technical Controls
Safeguards and countermeasures implemented in technology to avoid, detect, counteract, or minimize security risks to systems and information
Examples: smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication
Administrative Controls
Focused on changing the behavior of people instead of removing the actual risk involved
Examples: policies, procedures, security awareness training, contingency planning, and disaster recovery plans. User training is often cited as the most cost-effective security control
White Hat Hacker
Non-malicious hacker who attempts to break into a company's systems at its request
Open-Source Intelligence (OSINT)
Methods of obtaining information about a person or organization through public records, websites, and social media
Kill Chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
Polymorphic
Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid signature detection
Watering Holes
Malware is placed on a website that you know your potential victims will access
(The diontrainings.com vs. diontraining.com example belongs to typosquatting, a look-alike domain, not to watering holes)
Privilege Escalation
Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn't able to access
Logic Bomb
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met
Signature-based Detection
A specific string of bytes triggers an alert
True positive
Malicious activity is identified as an attack
False positive
Legitimate activity is identified as an attack
True negative
Legitimate activity is identified as legitimate traffic
False negative
Malicious activity is identified as legitimate traffic
Basic Input Output System (BIOS)
Firmware that provides the computer instructions for how to accept input and send output
▪ Unified Extensible Firmware Interface (UEFI) is the modern replacement
▪ BIOS and UEFI are used interchangeably in this lesson
SCCM
Microsoft's System Center Configuration Manager (now Microsoft Configuration Manager)
Network Attached Storage (NAS)
Storage devices that connect directly to your organization’s network. NAS systems often implement RAID arrays to ensure high availability
Unified Extensible Firmware Interface (UEFI)
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security
Secure Boot
A UEFI feature that prevents unwanted processes from executing during the boot operation by verifying the digital signature of each boot loader and driver before running it
Hypervisor
Manages the distribution of the physical resources of a host machine (server) to the virtual machines being run (guests)
Defense in Depth
Layering of security controls is more effective and secure than relying on a single control
Directory Traversal
Method of accessing unauthorized directories by moving through the directory structure on a remote server, typically with ../ sequences in a file path parameter
Race Conditions
A software vulnerability where the outcome of execution depends on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended (e.g., time-of-check to time-of-use)
MAC Flooding
Attempt to overwhelm the limited switch memory (CAM table) set aside to store the MAC addresses for each port
Switches can fail-open when flooded and begin to act like a hub, so the attacker sees all traffic
Access Control List
▪ An ordered set of rules that a router uses to decide whether to permit or deny traffic based upon given characteristics
▪ IP spoofing is used to trick a router's ACL
Bastion Hosts
▪ Hardened hosts or servers in the DMZ that run only the services they expose and are not configured with any services that run on the local network
▪ To configure devices in the DMZ, a jumpbox is utilized
Network Address Translation (NAT)
Process of changing an IP address while it transits across a router
▪ Using NAT can help hide our internal network IPs
NAT Filtering
Filters traffic based upon the ports being utilized and type of connection (TCP or UDP)
Web Application Firewall
Firewall installed to protect your server by inspecting traffic being sent to a web application
▪ A WAF can prevent XSS or SQL injection
Proxy Server
A device that acts as a middle man between a device and a remote server
Unified Threat Management
Combination of network security devices and technologies to provide more defense in depth within a single device. UTM may include a firewall, NIDS/NIPS, content filter, anti-malware, DLP, and VPN. UTM overlaps heavily with, and is often marketed as, a Next Generation Firewall (NGFW)
Virtual Desktop Infrastructure (VDI)
Allows a provider (cloud or in-house) to deliver a full desktop operating system to an end user from a centralized server
Software as a Service (SaaS)
Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered (e.g., web mail); the customer manages only their data and settings
Infrastructure as a Service (IaaS)
Provides virtualized hardware (compute, storage, networking); the customer installs and manages the operating system and everything above it
Platform as a Service (PaaS)
Provides the hardware, operating system, and backend software/runtime needed to develop and run your own applications without managing the underlying infrastructure
Domain Controller
A server that acts as a central repository of all the user accounts and their associated password hashes for the network (Active Directory in Windows)
FTP Server
A specialized type of file server used to host files for distribution; plain FTP sends credentials in cleartext, so prefer SFTP or FTPS
Continuous Integration
▪ A software development method where code updates are tested and committed to a development or build server/code repository rapidly
▪ Continuous integration can test and commit updates multiple times per day
▪ Continuous integration detects and resolves development conflicts early and often
Continuous Deployment
Extends continuous delivery: changes that pass automated testing are released to the production environment automatically, so application and platform updates reach production rapidly
Continuous Delivery
A software development method where application and platform changes are frequently tested and validated so that a release is always ready; focuses on automated testing to get code ready for release, with a human still approving the push to production
Ping Flood
An attacker attempts to flood the server by sending too many ICMP echo request packets (known as pings)
Smurf Attack
Attacker sends a ping to a subnet's broadcast address with a spoofed source IP (the victim server); every device on the subnet replies to the victim, using up its bandwidth and processing
SYN Flood
Variant of a Denial of Service (DoS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake, exhausting the server's connection table
Man-in-the-Middle (MITM)
Attack that causes data to flow through the attacker's computer, where they can intercept or manipulate the data (also called an on-path attack)
Watering Hole
Occurs when malware is placed on a website that the attacker knows his potential victims will access
Replay Attack
Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated, or delayed
Service Set Identifier (SSID)
▪ Uniquely identifies the network and is the name of the WAP used by the clients
▪ For the exam, disabling the SSID broadcast is the expected answer for hiding a network from casual users; it is not real security, since the SSID still appears in association frames
Evil Twin
A rogue, counterfeit, and unauthorized WAP with the same SSID as your valid one
Simultaneous Authentication of Equals (SAE)
▪ A secure password-based authentication and password-authenticated key agreement method; replaces the WPA2 pre-shared key handshake in WPA3 and resists offline dictionary attacks
WiFi Protected Access version 2 (WPA2)
802.11i standard to provide better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking
▪ WPA2 was considered the best wireless encryption available until WPA3
!! if you are asked about…
Open == no security or protection provided
WEP == RC4 with a 24-bit IV (broken)
WPA == TKIP and RC4
WPA2 == CCMP and AES
WPA3 == SAE and AES
HVAC
HVAC systems may be connected to ICS and SCADA networks
OpenID
An open standard and decentralized protocol used to authenticate users in a federated identity management system
● User logs into an Identity Provider (IdP) and uses that account at Relying Parties (RPs)
● OpenID is easier to implement than SAML
● SAML is more efficient than OpenID
Security Assertion Markup Language (SAML)
Attestation model built upon XML used to share federated identity
management information between systems
802.1x
IEEE standard that defines Port-based Network Access Control (PNAC); a data link layer authentication technology used to admit devices to a wired or wireless LAN
▪ The authentication server is usually RADIUS (or TACACS+)
▪ 802.1x can prevent rogue devices from connecting
Extensible Authentication Protocol (EAP)
A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure
Lightweight Directory Access Protocol (LDAP)
A protocol for querying and updating a directory service that centralizes information about users and objects on the network
Unencrypted: port 389
Encrypted (LDAPS): port 636
Active Directory is Microsoft's directory service and supports LDAP
Challenge Handshake Authentication Protocol (CHAP)
Provides authentication without sending the password: the server sends a random challenge, the client hashes it together with the password (MD5) and returns the result, which the server verifies
Virtual Private Network (VPN)
Allows end users to create a tunnel over an untrusted network and connect remotely and securely back into the enterprise network (Client-to-Site VPN or Remote Access VPN)
Remote Authentication Dial-In User Service (RADIUS)
Provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and the Extensible Authentication Protocol (EAP)
Discretionary Access Control (DAC)
The access control policy is determined by the owner
- Every object in a system must have an owner
- Each owner determines access rights and permissions for each object
Mandatory Access Control (MAC)
An access control policy where the computer system, not the owner, determines the access control for an object. MAC relies on security labels assigned to every user (called a subject) and every file/folder/device or network connection (called an object); the labels define trust levels for all subjects and objects
Implicit Deny
All access to a resource is denied by default and only allowed when explicitly stated
Separation of Duties
Requires more than one person to conduct a sensitive task or operation
Job Rotation
Cycling users through various jobs to learn the overall operations better, reduce boredom, enhance skill level, and most importantly increase security by making fraud easier to detect
chmod
Program in Linux that changes the permissions (rights) of a file or folder, using either symbolic notation (u+x) or an octal shorthand (e.g., 640 = owner read/write, group read, others none)
Risk Avoidance
A strategy that requires stopping the activity that carries the risk or choosing a less risky alternative
Quantitative analysis
uses numerical and monetary values to calculate risk (e.g., SLE, ARO, ALE)
Dictionary Attack
Method where a program attempts to guess the password by hashing each entry of a list of likely passwords and comparing
Rainbow Table
List of precomputed hash values used to break password hashes quickly, since the hashes don't have to be calculated for each guess; defeated by salting, because the salt makes every stored hash unique
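Added example (not from the original flashcards) covering the dictionary attack and rainbow table cards together: Python showing a precomputed hash-to-password table cracking an unsalted SHA-256 hash instantly, the same table failing against a salted PBKDF2 hash, and the per-user work a dictionary attack must then do. The wordlist, the sample passwords and the iteration count are constructed for the example; production work factors are higher.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "123456", "qwerty", "hunter2", "summer2024"]
ITERATIONS = 20_000   # PBKDF2 work factor for the demo; production values are higher


def unsalted_hash(password: str) -> str:
    """What a naive system stores: plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> password once; reusable against every unsalted database.

    A rainbow table is a space-optimised form of this idea (hash chains); the
    principle is the same: the work is done before the hashes are ever seen.
    """
    return {unsalted_hash(w): w for w in words}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), stored)


def dictionary_attack_salted(salt: bytes, stored: bytes, words) -> Optional[str]:
    """With a salt the table is useless: every guess must be rehashed per user, per work factor."""
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt), stored):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table lookup:", crack_with_table(unsalted_hash("hunter2"), table))
    salt, stored = store_password("hunter2")
    print("salted, table lookup:", crack_with_table(stored.hex(), table))   # None
    print("salted, per-user dictionary attack:", dictionary_attack_salted(salt, stored, WORDLIST))
```

The salt does not stop a dictionary attack on a weak password (hunter2 still falls); it removes the precomputation shortcut, and the iteration count makes each remaining guess expensive.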
Simple Network Management Protocol (SNMP)
A TCP/IP protocol that aids in monitoring network-attached devices and computers (UDP ports 161/162); SNMP is incorporated into network management and monitoring systems. Use SNMPv3, which adds authentication and encryption
Runbook
An automated version of a playbook that leaves clearly defined interaction points for human analysis
dd
A command line utility used to copy disk images using a bit-by-bit copying process
FTK Imager
A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed
Memdump
A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps
SSH
Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections (TCP port 22)
netstat
Utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics
Risk Appetite vs Risk Acceptance
Risk acceptance: a deliberate decision to accept a risk as-is (after any mitigation) rather than spend more to reduce it
Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its objectives