Security+ Flashcards

1
Q

A server that acts as a central repository of all the user accounts and their associated passwords for the network

A

Domain Controller

2
Q

Occurs when an attacker modifies the hosts file on the client so that name lookups bypass the DNS server and the user is redirected to an incorrect or malicious website

A

Altered Hosts File

3
Q

Certain operations that must be performed exactly once or not at all, as a single indivisible unit that cannot be interrupted or interleaved, such as initializing a memory location

A

Atomic Execution

4
Q

A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operating system logs and application logs

A

nxlog - nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng

5
Q

Process where each user’s rights and permissions are revalidated to ensure they are correct

A

User Access Recertification

6
Q

Conducted between two business partners that establishes the conditions of their relationship

A

Business Partnership Agreement (BPA)

7
Q

Fire suppression system that relies upon gas (HALON, FM-200, or CO2) instead of water to extinguish a fire

A

Clean Agent System - If you hear a loud alarm in the server room… GET OUT!

8
Q

A one-way cryptographic function which takes an input of any length and produces a fixed-length message digest; a secure hash makes it infeasible to recover the input from the digest or to find two inputs with the same digest

A

Hash - Instantly match integrity and hashing on the exam

9
Q

A tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, FILE)

A

curl

10
Q

The access control policy is determined by the owner

A

Discretionary Access Control (DAC)
1. Every object in a system must have an owner
2. Each owner determines access rights and permissions for each
object

11
Q

Malware is placed on a website that you know your potential victims will access

A

Watering Holes

12
Q

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset

A

Data Owner - The data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls

13
Q

Cloud Threats - Insecure Application Programming Interface (API)

A

An API must only be used over an encrypted channel (HTTPS). Data received by an API must pass server-side validation routines (never trust validation done in the client). Implement throttling/rate-limiting mechanisms to protect from a DoS

14
Q

Occurs when an attacker is able to execute or run commands on a remote computer

A

Remote Code Execution (RCE)

15
Q

A communications network designed to implement an industrial control system rather than data networking

A

Operational Technology (OT)

16
Q

A security component in Windows that keeps every user in standard user mode instead of acting like an administrative user

A

User Account Control (UAC)
1. Eliminates unnecessary admin-level requests for Windows resources
2. Reduces risk of malware using admin-level privileges to cause system
issues

17
Q

Provides redundancy by striping data and parity data across the disk drives

A

RAID 5

18
Q

Storage device that performs whole disk encryption by using embedded hardware

A

Self-Encrypting Drive (SED)

19
Q

Program in Linux that is used to change the permissions or rights of a file or directory using a shorthand octal number system

A

chmod
R (Read) = 4
W (Write) = 2
X (Execute) = 1
Each octal digit is the sum of the bits for one class, in the order owner, group, others:
# chmod 760 filename
7 = Owner can RWX (4+2+1)
6 = Group can RW (4+2)
0 = Others (everyone else) get no access
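As an added example (not part of the original flashcards), the octal arithmetic on this card implemented in Python: convert between the nine-character `ls -l` permission string and the octal mode, apply the mode with `os.chmod`, and read back what the kernel actually stored with `os.stat`. The scratch file and its world-writable starting mode of 0o666 are constructed for the demonstration.

```python
import os
import stat
import tempfile

# One octal digit per class, in the order chmod uses: owner, group, others.
# Inside a digit r=4, w=2, x=1, so "rwx" = 7, "rw-" = 6, "---" = 0.
_BITS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(symbolic: str) -> int:
    """'rwxrw----' (the nine permission characters of ls -l) -> 0o760."""
    if len(symbolic) != 9:
        raise ValueError("expected nine characters such as rwxrw----")
    mode = 0
    for pos, ch in enumerate(symbolic):
        if ch == "-":
            continue
        if ch != "rwx"[pos % 3]:
            raise ValueError(f"unexpected {ch!r} at position {pos}")
        shift = 3 * (2 - pos // 3)          # owner digit is the most significant
        mode |= _BITS[ch] << shift
    return mode


def octal_to_symbolic(mode: int) -> str:
    """0o760 -> 'rwxrw----' (setuid/setgid/sticky bits are not rendered here)."""
    out = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 0o7
        out.append("r" if digit & 4 else "-")
        out.append("w" if digit & 2 else "-")
        out.append("x" if digit & 1 else "-")
    return "".join(out)


def is_world_writable(mode: int) -> bool:
    """The check a hardening audit cares about most: can 'others' write?"""
    return bool(mode & stat.S_IWOTH)


def apply_and_verify(path: str, mode: int) -> int:
    """chmod the file and return the permission bits the kernel actually recorded."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Start from a world-writable scratch file and lock it down to 760."""
    fd, path = tempfile.mkstemp()       # constructed scratch file
    os.close(fd)
    try:
        before = apply_and_verify(path, 0o666)
        after = apply_and_verify(path, symbolic_to_octal("rwxrw----"))
    finally:
        os.unlink(path)
    return {
        "before": oct(before), "before_world_writable": is_world_writable(before),
        "after": oct(after), "after_world_writable": is_world_writable(after),
    }


if __name__ == "__main__":
    print(demo())
```

Note that chmod is not affected by the umask (which only applies when a file is created), so the value read back equals the value set.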

20
Q

Contents of a virtual machine that exist as deleted files on a cloud-based server after deprovisioning of a virtual machine

A

Data Remnants

21
Q

Resources and costs are shared among several different organizations who have common service needs

A

Community Cloud

22
Q

Encryption algorithm where different keys are used to encrypt and decrypt the data

A

Asymmetric Encryption (Public Key) - RSA and ECC; Diffie-Hellman is the related asymmetric key-agreement algorithm used to establish a shared secret

23
Q

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

A

Security Information and Event Management (SIEM)

24
Q

A technique that is used to mitigate a weaker key by increasing the time needed to crack it

A

Key Stretching - WPA, WPA2, PGP, bcrypt, and other algorithms utilize key stretching

25
Enterprise management software designed to mediate access to cloud services by users across all types of devices
Cloud Access Security Broker (CASB)
26
An appliance positioned at the cloud network edge that directs traffic to cloud services only if the contents of that traffic comply with policy
Reverse Proxy
27
Insecure Components, Insufficient Logging and Monitoring, Weak or Default Configurations
Design Vulnerabilities - Utilize scripted installations and baseline configuration templates to secure applications during installation
28
Cloud Threats - Unprotected Storage
Access control to storage is administered through container policies, IAM authorizations, and object ACLs. Incorrect permissions may occur due to default read/write permissions leftover from creation. Incorrect origin settings may occur when using content delivery networks.
29
A digital serial data communications network used within vehicles
Controller Area Network (CAN) - The primary external interface is the Onboard Diagnostics (OBD-II) module
30
A checklist of actions to perform to detect and respond to a specific type of incident
Playbook
31
A refinement of machine learning that uses multi-layer neural networks to discover the relevant features itself, enabling a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions
Deep Learning
32
Collection of free and open-source SIEM tools that provides storage, search, and analysis functions
ELK/Elastic Stack
33
A computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing
Metasploit (MSF) - Exploitation
34
Complete platform designed to replace an entire physical computer and includes a full desktop/server operating system
System Virtual Machine
35
Cross-platform remote desktop system (built on the RFB protocol) that fills the same role as Microsoft's Remote Desktop Protocol for remote GUI access
Virtual Network Computing (VNC) - VNC requires a client, server, and protocol be configured; the base protocol does not encrypt the session, so tunnel it over SSH or a VPN
36
Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server
arp - Networking Security Tools
37
A restricted version of the Basic Encoding Rules (BER) that allows only one way to encode each value
Canonical Encoding Rules (CER)
38
Safeguards and countermeasures implemented through hardware or software (such as firewalls, encryption, or access control lists) that are used to avoid, detect, counteract, or minimize security risks to our systems and information
Technical Controls
39
Symmetric stream cipher using a variable key size from 40 bits to 2048 bits that was used in SSL and WEP
Rivest Cipher 4 (RC4) - Now considered broken: keystream biases and key/IV reuse make it unsafe, and it is prohibited in TLS
40
Process to check the user's or system's attributes or characteristics prior to allowing it to connect
Context-aware Authentication - Restrict authentication based on the time of day or location
41
Encryption algorithm in which both the sender and the receiver must know the same secret using a privately-held key
Symmetric Algorithm (Private Key) - Confidentiality can be assured with symmetric encryption, but key distribution can be challenging. Symmetric is 100-1000x faster than asymmetric. DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6
42
A TCP/IP protocol that aids in monitoring network-attached devices and computers
Simple Network Management Protocol (SNMP) - SNMP is incorporated into a network management and monitoring system
43
A technique used to gain information about servers and inventory the systems or services
Banner Grabbing
44
A library of programming utilities used to enable software developers to access functions of another application
Application Programming Interface (API) - APIs allow for the automated administration, management, and monitoring of a cloud service
45
A protocol used to query and update a directory service that centralizes information about users, clients and other objects on the network
Lightweight Directory Access Protocol (LDAP) - Active Directory is Microsoft's LDAP-based directory service; LDAP uses TCP port 389 and LDAPS (LDAP over TLS) uses port 636
46
A single identity is created for a user and shared with all of the organizations in a federation
Federated Identity Management (FIdM)
47
A password is computed from a shared secret and a counter that is kept synchronized between the client and the server
HMAC-based One Time Password (HOTP)
48
Provides data striping across multiple disks to increase performance
RAID 0
49
Software that is loaded on a managed device to redirect information to the network management system
Agents
50
The process of ensuring that hardware is procured tamper-free from trustworthy suppliers
Hardware Source Authenticity
51
Focused on providing controlled access to publicly available servers that are hosted within your organizational network
De-Militarized Zone (DMZ)
52
Input and output controls on a PLC to allow a user to configure and monitor the system
Human-Machine Interface (HMI)
53
Dereferencing a pointer means following it to access the object it points to; the software vulnerability occurs when code dereferences a pointer that does not point to a valid object (for example a null pointer), which typically crashes the program (DoS) and can sometimes be exploited further
Dereferencing (Null Pointer Dereference)
54
Class K Fire Suppression
Black K Hexagon - fire in cooking appliances including vegetable and animal fat
55
A specialized network scan that sets the FIN, PSH, and URG flags on a packet, which can cause a device to crash or reboot
XMAS Attack
56
A microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function).
Trusted Foundry - Trusted Foundry Program is operated by the Department of Defense (DoD)
57
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
Security Orchestration, Automation, and Response (SOAR)
58
An attack that embeds an entity definition in XML input so that the parser fetches a local file or URL and returns its contents to the attacker
XML External Entity (XXE) - To prevent XML vulnerabilities from being exploited, use proper input validation and disable DTD and external entity processing in the parser
59
Expected cost of a realized threat over a given year
Annualized Loss Expectancy (ALE)
60
Only conducts a backup of the contents of a drive that has changed since the last full backup
Differential Backup - Differential backups take more time to create than incremental backups but less time to restore (only the last full backup and the last differential are needed)
61
An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level
Role-Based Access Control (RBAC) - Power Users is a role-based permission
62
Adding random data into a one-way cryptographic hash to help protect against password cracking techniques
Salting - A nonce (number used once) is a related concept: a unique, never-repeated value included in a protocol exchange so that a captured message cannot be replayed
63
An attack that sends an oversized and malformed packet to another computer or server
Ping of Death
64
Software running on one or more servers to control the monitoring of network-attached devices and computers
Network Management System (NMS) - Management should be conducted on an out-of-band network to increase security
65
A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux
journalctl
66
A computer system that is designed to perform a specific, dedicated function
Embedded Systems - Embedded systems are considered static environments where frequent changes are not made or allowed. Embedded systems have very little support for identifying and correcting security issues
67
Utility that displays the network configuration of the currently connected network interfaces; ipconfig can also release/renew DHCP leases and flush the DNS resolver cache, while ifconfig can configure interface addresses directly
ipconfig/ifconfig - Networking Security Tools
68
Automated encryption setup for wireless networks at a push of a button, but is severely flawed and vulnerable
WiFi Protected Setup (WPS) - Always disable WPS
69
An open source password security auditing and password recovery tool available for many operating systems
John the Ripper - Exploitation
70
Each tape is used once per day for two weeks and then the entire set is reused
10 Tape Rotation
71
Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected
Identification - Forensic Procedures
72
Specialized type of DMZ that is created for your partner organizations to access over a wide area network
Extranet
73
Protects against the loss of the array’s data if a single disk fails (RAID 1 or RAID 5)
Fault-resistant RAID
74
Secured system of cable management to ensure that the wired network remains free from eavesdropping, tapping, data emanations, and other threats
Protected Distribution System (PDS)
75
Signals that are sent between two parties or two devices via a path or method different from that of the primary communication between them
Out-of-band communication
76
Digital serial data communications used in operational technology networks to link PLCs
Fieldbus
77
Router keeps track of requests from internal hosts by assigning them random high number ports for each request
Port Address Translation (PAT)
78
Original 802.11 wireless security standard that claims to be as secure as a wired network
Wired Equivalent Privacy (WEP) - WEP's weakness is its 24-bit IV (Initialization Vector), which is prepended to the static key and repeats after a few thousand frames, causing RC4 keystream reuse
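As an added example that is not part of the original flashcards, covering both the RC4 card (card 39) and the WEP card above: a standard-library Python implementation of RC4 (KSA plus PRGA), WEP's per-packet key construction (24-bit IV prepended to the static key), and the consequence of the IV repeating. When two frames are encrypted under the same IV they share a keystream, so XORing the two ciphertexts cancels the keystream and a known first plaintext reveals the second without ever recovering the key. The shared key, IV and frame contents are constructed demonstration values.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling algorithm (KSA) followed by the output generator (PRGA)."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP's per-packet RC4 key is the 24-bit IV prepended to the static key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    return iv + shared_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so c1 ^ c2 == p1 ^ p2; a known
    p1 (e.g. a predictable protocol header) therefore reveals p2 with no key."""
    return xor_bytes(xor_bytes(c1, c2), p1)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs repeat."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def demo() -> bytes:
    # Constructed demonstration values; WEP-40 keys are 5 bytes.
    shared_key = b"\x01\x02\x03\x04\x05"
    iv = b"\x2a\x2a\x2a"                 # an IV the access point happened to reuse
    p1 = b"ARP request to gw "           # frame whose content the attacker knows
    p2 = b"secret payload!!! "           # frame the attacker wants to read
    c1 = rc4(wep_packet_key(iv, shared_key), p1)
    c2 = rc4(wep_packet_key(iv, shared_key), p2)
    return recover_with_known_plaintext(c1, p1, c2)


if __name__ == "__main__":
    print(demo(), round(iv_collision_probability(5000), 3))
```

The RC4 core is checked against the published test vectors (key "Key" with plaintext "Plaintext" gives BBF316E8D940AF0AD3). With only 2^24 IVs, a busy access point has better than even odds of repeating one within about 5,000 frames, which is why WEP fails regardless of key length.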
79
Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated, or delayed
Replay Attack - Multi-factor authentication can help prevent successful replay attacks
80
A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities
Nessus - Networking Security Tools
81
Occurs when permissions are passed to a subfolder from the parent through inheritance
Propagation - Use groups for roles and do not assign users directly to a folder's permissions
1. If you copy a folder, then permissions are inherited from the parent folder it is copied into
2. If you move a folder (within the same volume), then it retains its original permissions
82
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
MITRE ATT&CK Framework
83
Provides flexible authentication via secure tunneling (FAST) by using a protected access credential instead of a certificate for mutual authentication
EAP-FAST
84
Software development is performed in time-boxed or small increments to allow more adaptivity to change
Agile Software Development
85
Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port
MAC Flooding - Switches can fail-open when flooded and begin to act like a hub
86
A universal standard for exporting Internet Protocol flow information from routers, probes and other devices to mediation systems, accounting/billing systems and network management systems; it defines how IP flow records are formatted and transferred from an exporter to a collector to support measurement, accounting and billing
Internet Protocol Flow Information Export (IPFIX)
87
A communications protocol used in operational technology networks
Modbus - Modbus gives control servers and SCADA hosts the ability to query and change the configuration of each PLC
88
Class A Fire Suppression
Green A Triangle - ordinary combustibles: wood, paper, rubber, fabrics
89
A feature of key agreement protocols (like SAE) that provides assurance that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised
Perfect Forward Secrecy or Forward Secrecy
1. The AP and the client use a public key system to generate a pair of long-term keys
2. The AP and the client exchange a one-time use session key using a secure algorithm like Diffie-Hellman
3. The AP sends the client messages and encrypts them using the session key created in step 2
4. The client decrypts the messages received using the same one-time use session key
90
A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions
Machine Learning (ML) - Machine learning is only as good as the datasets used to train it
91
Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of polymorphic virus)
Metamorphic
92
The process of identifying the person responsible for the confidentiality, integrity availability and privacy of information assets
Data Ownership
93
Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake
OCSP Stapling
94
Symmetric key encryption that supports 128-bit, 192-bit, and 256-bit keys
Advanced Encryption Standard (AES)
95
Provides control over what the application should do when faced with a runtime or syntax error
Structured Exception Handling (SEH)
96
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats
Endpoint Detection and Response (EDR)
97
Utilizes complex mathematics to create sets of objects and subjects to define how they interact
Lattice-based Access Control - Only in high security systems due to its complex configuration
98
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
XML Bomb (Billion Laughs Attack) - To prevent XML vulnerabilities from being exploited, use proper input validation
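Both this card and the XXE card (card 58) end with "use proper input validation"; as an added example that is not part of the original flashcards, here is what that validation looks like in Python for XML arriving from outside the trust boundary. The two payloads and the benign order document are constructed for the demonstration. The approach follows the OWASP guidance of refusing any DTD rather than trying to process it safely: with no DOCTYPE there is nowhere to declare an external entity or an expanding one.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed payloads for the demonstration (not taken from the page).
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>"""

BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

BENIGN = """<order id="1001"><item sku="A-1" qty="2"/></order>"""

_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Captures the entity name and, if present, the SYSTEM/PUBLIC keyword that
# marks it as external (the XXE case).
_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s+)?(\S+)\s+(SYSTEM|PUBLIC)?", re.IGNORECASE)


def inspect_xml(data: str) -> List[str]:
    """Describe why a document is suspicious; an empty list means no DTD at all."""
    findings = []
    if _DOCTYPE.search(data):
        findings.append("DOCTYPE declaration present (DTD processing requested)")
    declared = _ENTITY.findall(data)
    external = [name for name, kind in declared if kind]
    internal = [name for name, kind in declared if not kind]
    for name in external:
        findings.append(f"external entity {name!r} (XXE: parser would read a file or URL)")
    if internal:
        refs = len(re.findall(r"&[A-Za-z0-9_]+;", data))
        findings.append(f"{len(internal)} internal entities, {refs} references "
                        "(possible entity expansion bomb)")
    return findings


def parse_untrusted_xml(data: str, max_bytes: int = 1_000_000) -> ET.Element:
    """Input validation for XML from outside the trust boundary: cap the size,
    refuse any DTD (which removes both XXE and entity expansion), then parse."""
    if len(data.encode("utf-8")) > max_bytes:
        raise ValueError("document too large")
    findings = inspect_xml(data)
    if findings:
        raise ValueError("rejected: " + "; ".join(findings))
    return ET.fromstring(data)


if __name__ == "__main__":
    for doc in (BENIGN, XXE_PAYLOAD, BILLION_LAUGHS):
        try:
            print("parsed root:", parse_untrusted_xml(doc).tag)
        except ValueError as exc:
            print(exc)
```

The size cap matters on its own: an expansion bomb is small on the wire, but a simple oversized document is the cheaper denial of service and should be refused before any parsing starts.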
99
The length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event
Work Recovery Time (WRT)
100
A tunneling protocol used to carry traffic between two or more computers or devices that are not on the same private network
Layer 2 Tunneling Protocol (L2TP) - L2TP is usually paired with IPSec to provide security
101
A suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services
System and Organization Controls (SOC)
102
An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS)
ISO 27002
103
An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses
nmap - Networking Security Tools
104
A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint
Host-based IDS/IPS (HIDS/HIPS)
105
Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit
Network DLP System
106
Organizations are able to place their trust in a single third-party (also called the bridge model)
Trusted Third-Party - Trusted third-party model is more efficient than a cross certification or web of trust model
107
A password is computed from a shared secret and current time
Time-based One Time Password (TOTP)
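As an added example that is not part of the original flashcards, covering both this card and the HOTP card (card 47): RFC 4226 HOTP and RFC 6238 TOTP implemented with the Python standard library, together with the server-side checks that the cards imply but do not show. HOTP's counter can drift ahead when the user generates codes without logging in, so the server searches a bounded look-ahead window and then stores the next counter, which is also what rejects a replayed code; TOTP instead tolerates clock skew by accepting a small window of time steps. The 20-byte secret is the one published with the RFC test vectors, so the outputs can be checked against the standards.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# The 20-byte ASCII secret used for the test vectors in RFC 4226 and RFC 6238.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    moving_factor = struct.pack(">Q", counter)
    mac = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since
    the Unix epoch, so client and server only need loosely synchronised clocks."""
    t = time.time() if for_time is None else for_time
    return hotp(secret, int(t // step), digits)


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                look_ahead: int = 10) -> Optional[int]:
    """Server-side HOTP check. Returns the counter the server must store next on
    success (so this code and all earlier ones are rejected from now on), or None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the current period plus `window` periods either side for clock drift."""
    t = time.time() if for_time is None else for_time
    current = int(t // step)
    candidates = [current + d for d in range(-window, window + 1) if current + d >= 0]
    return any(hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode())
               for c in candidates)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))          # 755224 per RFC 4226
    print("TOTP at t=59 :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("current TOTP :", totp(RFC_TEST_SECRET))
```

A production verifier would additionally persist the accepted TOTP step so the same code cannot be submitted twice inside one window, and rate-limit attempts, since six digits leave only a million possibilities.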
108
An open standard and decentralized protocol that is used to authenticate users in a federated identity management system
OpenID - User logs into an Identity Provider (IP) and uses their account at Relying Parties (RP).
109
Components and protocols that facilitate the centralized configuration and monitoring of security mechanisms within offices and data centers
Physical Access Control System (PACS) - PACS can either be implemented as part of a building automation system or a separate system.
110
Virus that combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer
Multipartite
111
Logs the events for the operating system and third-party applications
Application Logs
112
Standard used by PKI for digital certificates; a certificate contains the owner/user's information and the certificate authority's information
X.509
113
A test that uses active tools and security utilities to evaluate security by simulating an attack on a system to verify that a threat exists, actively test it, bypass security controls, and then finally exploit vulnerabilities on a given system
Penetration Test
114
The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
Weaponization
115
List of precomputed values used to more quickly break a password since values don't have to be calculated for each password being guessed
Rainbow Table
116
A stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input
One-Time Pad - not commonly used
117
Measures the average time between failures of a device
Mean Time Between Failures (MTBF)
118
Data is encrypted by an application prior to being placed on the data bus
Bus Encryption - Ensures that the device at the end of the bus is trusted to decrypt the data
119
Attempts to have a non-persistent effect activated by a victim clicking a link on the site
Reflected XSS
120
Method used by an attacker to gain access to a victim’s machine in order to infect it with malware
Attack Vector
121
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information
Trusted Platform Module (TPM) - A TPM can be managed in Windows via the tpm.msc console or through group policy
122
Short for “sampled flow”, it provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring
sflow
123
A form of XSS in which the malicious payload is handled entirely by client-side script that modifies the page's DOM; the payload never reaches the server, so server-side filtering cannot catch it
DOM-based XSS
124
A processor that integrates the platform functionality of multiple logical controllers onto a single chip
System-on-Chip (SoC) - System-on-Chip are power efficient and used with embedded systems
125
Activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system
Behavior-based Monitoring
126
Translates the information into a format that the sender and receiver both understand
Presentation Layer - Layer 6
127
A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network
netflow
128
Four key controls for mitigating vulnerabilities in Operational Technology/Industrial Control Systems
1. Establish administrative control over Operational Technology networks by recruiting staff with relevant expertise
2. Implement the minimum network links by disabling unnecessary links and services
3. Develop and test a patch management program for the Operational Technology network
4. Perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions
129
Act of configuring an operating system securely by updating it, creating rules and policies to govern it, and removing unnecessary applications and services
Hardening
130
Insertion of additional information or code through data input from a client to an application
Injection Attack
131
A remote worker’s machine diverts internal traffic over the VPN but external traffic over their own internet connection
Split Tunneling
132
Number of times per year that a threat is realized
Annualized Rate of Occurrence (ARO)
133
Deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data
Data Masking
134
Replacement for WEP which uses TKIP, Message Integrity Check (MIC), and RC4 encryption
WiFi Protected Access (WPA) - WPA was flawed, so it was replaced by WPA2
135
A suite of free open source utilities for editing and replaying previously captured network traffic
tcpreplay - Packet Capture
136
A deidentification method where a unique token is substituted for real data
Tokenization
137
Attack that creates a large number of processes to use up the available processing power of a computer
Fork Bomb
138
Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them
Active Interception
139
Only conducts a backup of the contents of a drive that have changed since the last full or incremental backup
Incremental Backup
140
A system that can provide automated identification of suspicious activity by user accounts and computer hosts
User and Entity Behavior Analytics (UEBA). UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning
141
Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected
Collection - Forensic Procedures
142
Symmetric block cipher with a fixed 128-bit block size that uses a 128-bit, 192-bit, or 256-bit key to encrypt plaintext into ciphertext
Advanced Encryption Standard (AES)
143
Represents the actual network cables and radio waves used to carry data over a network
Physical Layer - Layer 1 - Bits
144
Security technique in which devices are scanned to determine its current state prior to being allowed access onto a given network
Network Access Control (NAC) - If a device fails the inspection, it is placed into digital quarantine. IEEE 802.1x standard is used in port-based NAC
145
Technique used by an attacker to find two different messages that have the same identical hash digest
Birthday Attack
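The card above names the attack; as an added worked derivation that is not part of the original flashcards, here is why an \(n\)-bit digest gives only about \(n/2\) bits of collision resistance.

For a digest of \(n\) bits there are \(N = 2^{n}\) possible outputs. Hashing \(k\) distinct random messages, the probability that at least two of them share a digest is

$$P(k) = 1 - \prod_{i=1}^{k-1}\left(1 - \frac{i}{N}\right) \approx 1 - e^{-k(k-1)/(2N)}$$

Setting \(P(k) = 1/2\) and solving for \(k\) gives

$$k \approx \sqrt{2N\ln 2} \approx 1.177\,\sqrt{N} = 1.177 \cdot 2^{n/2}$$

so the attacker expects a collision after roughly \(2^{n/2}\) hash computations, rather than the \(2^{n}\) needed to hit one specific digest (a preimage). For MD5 (\(n = 128\)) that is about \(2^{64}\) work, for SHA-1 (\(n = 160\)) about \(2^{80}\), and for SHA-256 about \(2^{128}\). This is why a digest must be twice as long as the security level required, and why the birthday attack is the generic lower bound on collision resistance even for an otherwise flawless hash.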
146
Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
Cloud Security Alliance’s Cloud Control Matrix
147
An ordered set of rules that a router uses to decide whether to permit or deny traffic based upon given characteristics
Access Control List
148
Utility that performs port scans through third-party online scanning websites so that the scan appears to originate from those sites rather than from the user's own IP address
scanless - Networking Security Tools
149
Attacker adds an additional VLAN tag to create an outer and inner tag
Double Tagging - Prevent double tagging by moving all ports out of the default VLAN group
150
Creates network segment for each client when it connects to prevent them from communicating with other clients on the network
AP Isolation
151
A security framework that divides IT into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
Control Objectives for Information and Related Technology (COBIT)
152
A task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language
PowerShell - Shell and Scripts
153
An open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps
Graylog
154
Process of configuring workstation or server to only provide essential applications and services
Least Functionality
155
A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks
Real-Time Operating System (RTOS) - Embedded systems typically cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances
156
Provides your organization with the hardware and software needed for a specific service to operate
Platform as a Service (PaaS)
157
A tool that can hook one or more browsers and can use them as a beachhead of launching various direct commands and further attacks against the system from within the browser context
Browser Exploitation Framework (BeEF) - Exploitation
158
Variant on a Denial of Service (DOS) attack where attacker initiates multiple TCP sessions but never completes the 3-way handshake
SYN Flood - Flood guards, time outs, and an IPS can prevent SYN Floods
159
Removal of data with a certain amount of assurance that it cannot be reconstructed
Clearing
160
An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level. A shim is placed between two components to intercept calls and redirect them
Driver Manipulation
161
Utility that is used to view and manipulate the IP routing table on a host or server
route - Networking Security Tools
162
A password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols
Cain and Abel - Exploitation
163
Provides two independent zones with full access to the data (RAID 10)
Disaster-tolerant RAID
164
Occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device
MAC Spoofing - MAC Spoofing is often combined with an ARP spoofing attack. Limit static MAC addresses accepted. Limit duration of time for ARP entry on hosts.
165
Securing the BIOS
1. Flash the BIOS
2. Use a BIOS password
3. Configure the BIOS boot order
4. Disable the external ports and devices
5. Enable the secure boot option
166
Used during the event to find out whether something bad might be happening
Detective Controls
167
Provides redundancy by mirroring the data identically on two hard disks
RAID 1
168
A specific string of bytes triggers an alert
Signature-based Detection (IDS)
169
A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps
Memdump - Forensics
170
Setting when the network adapter is able to capture all of the packets on the network, regardless of the destination MAC address of the frames carrying them
Promiscuous Mode - Protocol Analyzers
171
A piece of software that is installed on the device requesting access to the network
Persistent Agents
172
For data collection procedures, analysts should always follow the order of volatility
1. CPU registers and cache memory
2. Contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files
3. Data on persistent mass storage (HDD/SSD/flash drive)
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media
173
A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools
Autopsy - Forensics
174
Attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN
Switch Spoofing
175
Ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols
Registered Ports
176
Built to address a specific security issue, such as email privacy, employee termination procedures, or other specific issues
Issue-Specific Policies
177
The science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention
Artificial Intelligence (AI)
178
Technology like a DVD-R that allows data to be written only once but read unlimited times
Write Once Read Many (WORM)
179
A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them
SYSLOG - Used to consolidate all the logs into a single repository. Syslog can refer to the protocol, the server, or the log entries themselves. Plain syslog (UDP 514) is unauthenticated and unencrypted; use syslog over TLS (RFC 5425, TCP 6514) for transport security and signed syslog (RFC 5848) for message authentication and integrity
180
Software that isn’t benign nor malicious and tends to behave improperly without serious consequences
Grayware
181
Describes how a connection is established, maintained, and transferred over the physical layer and uses physical addressing (MAC addresses)
Data Link Layer - Layer 2 - Frames
182
Security controls that are installed before an event happens and are designed to prevent something from occurring
Preventative Controls
183
Provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and the Extensible Authentication Protocol (EAP)
Remote Authentication Dial-In User Service (RADIUS) - operates at the application layer
184
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
Kill Chain
185
An encryption program used for signing, encrypting, and decrypting emails
Pretty Good Privacy (PGP) - The original PGP used the IDEA symmetric cipher; modern OpenPGP implementations default to AES. Symmetric keys are 128 bits or larger; asymmetric (RSA) keys historically ranged from 512 to 2048 bits, and anything under 2048 bits is now considered weak
186
An estimation of the amount of damage that a negative risk might achieve
Magnitude of Impact
187
A hardened server that provides access to other hosts within the DMZ
Jumpbox - An administrator connects to the jumpbox and the jumpbox connects to hosts in the DMZ. The jumpbox and management workstation should only have the minimum required software to perform their job and be well hardened
188
Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn’t able to access
Privilege Escalation
189
An access model that is dynamic and context-aware using IF-THEN statements
Attribute-Based Access Control (ABAC)
190
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics
Hardware Root of Trust (ROT) - A hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, which we can then use to sign a digital report
191
Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509
Distinguished Encoding Rules (DER)
192
Allow all of the subdomains to use the same public key certificate and have it displayed as valid
Wildcard Certificates
193
Virus embedded into a document and is executed when the document is opened by the user
Macro Virus
194
Security controls that are focused on decision-making and the management of risk
NIST - Management Controls
195
The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
Actions on Objectives
196
Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into ciphertext
International Data Encryption Algorithm (IDEA)
197
Allows a certificate owner to specify additional domains and IP addresses to be supported
Subject Alternative Name (SAN)
198
Used to provide authentication but is not considered secure since it transmits the login credentials unencrypted (in the clear)
Password Authentication Protocol (PAP)
199
Provides redundancy by striping and double parity data across the disk drives
RAID 6
200
Used to provide authentication by hashing a random challenge string together with the user's password (MD5) so that the password itself is never sent over the link
Challenge Handshake Authentication Protocol (CHAP)
201
Ports 49,152 to 65,535 can be used by any application without being registered with IANA
Dynamic or Private Ports
202
Attacker sends a ping to subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing
Smurf Attack
203
The CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running
Trusted Execution
204
An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network
sn1per - Networking Security Tools
205
Process of changing an IP address while it transits across a router
Network Address Translation (NAT) - Using NAT can help us hide our network IPs
206
Act of creating subnetworks logically through the manipulation of IP addresses
Subnetting
207
Allows the combination of multiple physical hard disks into a single logical hard disk drive that is recognized by the operating system
Redundant Array of Independent Disks (RAID)
208
Supports mutual authentication by using a server certificate to build a TLS tunnel and then authenticating the client's password inside that tunnel (typically MS-CHAPv2 against Microsoft's Active Directory)
Protected EAP (PEAP) - LEAP is proprietary to Cisco-based networks
209
Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware
Permanent Denial of Service
210
Create a copy of evidence for analysis and use repeatable methods and tools during analysis
Analysis - Forensic Procedures
211
Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine
Teardrop Attack
212
A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
OpenSSL - Shell and Scripts
213
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks
Cybersecurity Framework (CSF)
214
Phishing attempt to trick a user to access a different or fake website (usually by modifying hosts file)
Pharming
215
Requires each agency to develop, document, and implement an agencywide information systems security program to protect their data
Federal Information Security Management (FISMA) Act of 2002
216
An attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings)
Ping Flood
217
An architecture of input, hidden, and output layers that can perform algorithmic analysis of a dataset to achieve outcome objectives
Artificial Neural Network (ANN) - A machine learning system adjusts its neural network to reduce errors and optimize objectives
218
An attack that combines a deidentified dataset with other data sources to test how secure the deidentification method used really is
Reidentification
219
Provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process
Help America Vote Act (HAVA) of 2002
220
A baseline is established and any network traffic that is outside of the baseline is evaluated
Anomaly-based Monitoring
221
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis
Reporting - Forensic Procedures
222
Occurs when an attacker takes over a TCP session between two computers without the need of a cookie or other host access
TCP/IP Hijacking
223
A default user profile for each user is created and linked with all of the resources needed
Single Sign-On (SSO)
224
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application
SQL Injection - If you see ' OR 1=1; on the exam, it's an SQL injection (the leading quote closes the string literal and OR 1=1 makes the WHERE clause always true). Prevent it with parameterized queries (prepared statements) and input validation
225
The hostile or attacking team in a penetration test or incident response exercise
Red Team
226
The automation of multiple steps in a deployment process
Orchestration
227
The attacker determines what methods to use to complete the phases of the attack
Reconnaissance
228
Three sets of backup tapes (like the grandfather-father-son) that are rotated in a more complex system
Towers of Hanoi
229
An open source software for automating analysis of suspicious files
Cuckoo - File Manipulation
230
Occurs when a secure copy of a user's private key is held by a trusted third party in case the user accidentally loses their key
Key Escrow
231
Allows two phones to utilize the same service and allows an attacker to gain access to the phone’s data
SIM Cloning
232
The extensions allow a trusted process to create an encrypted container for sensitive data
Secure Enclave
233
Also known as Flash cookies, they are stored in your Windows user profile under the Flash folder inside of your AppData folder
Locally Shared Object (LSO)
234
Address the security needs of a specific technology, application, network, or computer system
System-Specific Policies
235
A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper
Downloader
236
A mechanism for ensuring the confidentiality, integrity, and availability of software code and data as it is executed in volatile memory
Secure Processing
237
Encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create ciphertext using an effective key strength of only 56-bits
Data Encryption Standard (DES) - DES used to be the standard for encryption
238
Staff administering, evaluating, and supervising a penetration test or incident response exercise
White Team
239
Breaks the input into fixed-length blocks of data and performs the encryption on each block
Block Cipher
240
Ports 0 to 1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)
Well-Known Ports
241
A hash digest of a message encrypted with the sender’s private key to let the recipient know the document was created and sent by the person claiming to have sent it
Digital Signature
242
Attacker sends spoofed UDP packets (with the victim's source address) to a network's broadcast address on port 7 (ECHO) and port 19 (CHARGEN) so that every host replies and floods the victim with UDP traffic
Fraggle Attack
243
Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection
Polymorphic
244
The process of finding and investigating other computers on the network by analyzing the network traffic or capturing the packets being sent
Network Sniffing
245
An encryption method that allows calculations to be performed on data without decrypting it first
Homomorphic Encryption - Homomorphic encryption can be used for privacy-preserving outsourced storage and computation
246
A command line utility that allows you to capture and analyze network traffic going through your system
tcpdump - Packet Capture
247
An international standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS)
ISO 27001
248
A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)
curl - Networking Security Tools
249
Occurs when an attacker embeds malicious scripting commands on a trusted website
Cross-Site Scripting (XSS) - Prevent XSS with output encoding and proper input validation
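Output encoding is context dependent, which the card's one-line advice does not show. The following is an added example (not from the deck): a comment renderer with and without HTML encoding, plus a link renderer showing that encoding alone does not stop a `javascript:` URL in an `href`, so the URL scheme is allowlisted as well. The render functions and the sample payloads are constructed for the example.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author, text):
    """Reflects user input straight into the page: stored/reflected XSS."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author, text):
    """HTML-encodes both values for the element-content context."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def safe_href(url):
    """URL context: allowlist the scheme first, then attribute-encode."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"  # javascript:, data:, etc. are dropped, not encoded
    return html.escape(url, quote=True)


def render_link_safe(url, label):
    """Attribute context for the URL, element context for the label."""
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed attacker input
    print(render_comment_vulnerable("eve", payload))
    print(render_comment_safe("eve", payload))
    print(render_link_safe("javascript:alert(1)", "click me"))
```

`html.escape` neutralises `<script>` in element content, but `javascript:alert(1)` contains no character it would encode, so the `href` case needs validation of the value itself; that is why the card pairs output encoding with input validation.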
250
Access control where a predefined set of rules (such as a firewall ACL or a time-of-day restriction) decides whether a request to an object is granted or denied, independent of the subject's identity
Rule-based Access Control
251
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations
Risk Management Framework (RMF)
252
Software that aggregates and catalogs data from multiple sources within an industrial control system
Data Historian
253
Was introduced in 2018 to strengthen WPA2. Has an equivalent cryptographic strength of 192-bits.
WPA3 - Largest improvement in WPA3 is replacing the Pre-Shared Key (PSK) four-way handshake with Simultaneous Authentication of Equals (SAE), which resists offline dictionary attacks on a captured handshake; the 192-bit strength applies to WPA3-Enterprise mode
254
A specialized type of file server that is used to host files for distribution across the web
FTP Server - FTP sends credentials and data in the clear, so servers should require TLS (FTPS) or be replaced with SFTP
255
A command line utility used to copy disk images using a bit by bit copying process
dd - Forensics
256
Occurs when the name resolution information is modified in the DNS server’s cache
DNS Poisoning
257
Methods and technologies that remove identifying information from data before it is distributed
Deidentification
258
Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization
dnsenum - Networking Security Tools
259
Penetration Testing Process
o Get permission and document info o Conduct reconnaissance o Enumerate the targets o Exploit the targets o Document the results
260
A cryptographic key that is generated for each execution of a key establishment process
Ephemeral - Ephemeral keys are short-lived and discarded after the session; using them in the key exchange (DHE/ECDHE in TLS, SAE in WPA3) provides perfect forward secrecy, so a later compromise of the long-term key does not expose past sessions
261
A technical method used in social engineering to trick users into entering their username and passwords by adding an invisible string before the weblink they click
Prepending
262
A network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol network
tracert/traceroute - Networking Security Tools
263
The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
Command & Control (C2)
264
Designed to only run a single process or application like a virtualized web browser or a simple web server
Process Virtual Machine - runs a single process or application, unlike a system virtual machine that runs a whole operating system
265
Provides virtualized hardware (processing, storage, and networking) on which the customer installs and manages its own operating system, middleware, and applications
Infrastructure as a Service (IaaS)
266
Exploit techniques that use standard system tools and packages to perform intrusions. Detection of an adversary is more difficult when they are executing malware code within standard tools and processes
Living Off the Land
267
A software development method where application and platform updates are committed to production rapidly.
Continuous Deployment - Continuous deployment focuses on automated testing and release of code in order to get it into the production environment more quickly
268
Occurs when an attacker redirects one website’s traffic to another website that is bogus or malicious
Pharming
269
Malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime
DLL Injection
270
An XML-based language (part of SCAP) for describing machine-checkable tests of a system's configuration, patch, and vulnerability state so that results are consistent across different security tools
Open Vulnerability and Assessment Language (OVAL)
271
Digitally-signed electronic documents that bind a public key with a user’s identity
Certificates
272
Cloud Threats - Insufficient Logging and Monitoring
Software as a service may not supply access to log files or monitoring tools. Logs must be copied to non-elastic storage for long-term retention.
273
Software tool that allows for the capture, reassembly, and analysis of packets from the network
Protocol Analyzer
274
Layer from which the message is created, formed, and originated
Application Layer - Layer 7 - Consists of high-level protocols like HTTP, SMTP, and FTP
275
A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis
Wireshark - Packet Capture
276
Class B Fire Suppression
Red B Square - flammable liquids and gases: gasoline, oils, paint
277
A logical communication opening created on a client in order to call out to a server that is listening for a connection
Outbound Port
278
Chip residing on the motherboard that securely generates and stores cryptographic keys (such as the endorsement and storage root keys) and records boot measurements
Trusted Platform Module (TPM)
279
Occurs when virtual machines are created, used, and deployed without proper management or oversight by the system admins
Virtualization Sprawl
280
A newer and updated version of the PGP encryption suite that uses AES for its symmetric encryption functions
GNU Privacy Guard (GPG)
281
Uses logical address to route or switch information between hosts, the network, and the internetworks
Network Layer - Layer 3 - Packets, Routers
282
An interpreted, high-level and general-purpose programming language
Python - Shell and Scripts
283
A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on
Splunk
284
Uses digital signatures to provide an assurance that the software code has not been modified after it was submitted by the developer
Code Signing
285
An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks
hping - Networking Security Tools
286
Used whenever you can’t meet the requirement for a normal control
Compensating Control
287
Utility for reading from and writing to network connections using TCP or UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts
netcat - Networking Security Tools
288
Used after an event occurs
Corrective Controls
289
Analysis and testing of a program occurs while it is being executed or run
Dynamic Analysis
290
A property of IaC that an automation or orchestration action always produces the same result, regardless of the component's previous state
Idempotence
291
A python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database
theHarvester - Networking Security Tools
292
A single operating system kernel is shared across multiple containers, but each container receives its own isolated user space for programs and data
Application Containerization - Containerization allows for rapid and efficient deployment of distributed applications
293
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource
Time of Check to Time of Use (TOCTTOU) - Avoid separate check-then-act steps where possible: open the resource once and validate the handle you actually use (for example fstat on an open file descriptor rather than stat on a path). Where a check must be separate, use a locking mechanism that gives the application exclusive access for the whole window
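A worked file-system race to make the card concrete. This is an added example, not from the deck: a "writer" authorises a target path and then writes to it, while a constructed attacker callback runs in the gap and swaps the target for a symlink to a victim file. The vulnerable version resolves the path twice; the hardened version opens once (with `O_NOFOLLOW`, assumed available as on Linux and macOS), validates the descriptor it holds, and writes through that descriptor.

```python
import os
import stat
import tempfile


def write_check_then_use(path, data, race=None):
    """Vulnerable: authorise by path, then re-resolve the path to act on it."""
    st = os.lstat(path)                          # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing: not a regular file")
    if race:
        race()                                   # attacker wins the race here
    with open(path, "w") as f:                   # time of use: a second lookup
        f.write(data)


def write_via_fd(path, data, race=None):
    """Hardened: open once without following symlinks, check the fd, use the fd."""
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # check the object we hold
            raise PermissionError("refusing: not a regular file")
        if race:
            race()                               # too late: fd is pinned to the inode
        os.ftruncate(fd, 0)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def simulate(writer):
    """Run writer against target.txt while an 'attacker' (constructed for the
    example) replaces it with a symlink to victim.txt; return victim's contents."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")
        victim = os.path.join(d, "victim.txt")
        with open(target, "w") as f:
            f.write("benign")
        with open(victim, "w") as f:
            f.write("original")

        def attacker_swaps_target():
            os.remove(target)
            os.symlink(victim, target)

        writer(target, "pwned", race=attacker_swaps_target)
        with open(victim) as f:
            return f.read()


if __name__ == "__main__":
    print("check-then-use:", simulate(write_check_then_use))  # victim overwritten
    print("open-then-fstat:", simulate(write_via_fd))         # victim intact
```

The race callback stands in for a real attacker winning a scheduler race; in practice the window is small but exploitable on a shared host. The hardened write still lands in the original (now unlinked) file because the descriptor, not the name, is what the kernel acts on.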
294
Cisco-developed AAA protocol that fills the same role as RADIUS but uses TCP port 49, encrypts the entire packet body, and separates authentication, authorization, and accounting
TACACS+
295
A specialized type of software that allows the restoration of a lost or corrupted key to be performed
Key Recovery Agent
296
Provides integrity, confidentiality, and authenticity of packets by encapsulating and encrypting them
Encapsulating Security Payload (ESP)
297
A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy
Forward Proxy
298
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
Shellcode
299
Occurs when an attacker exploits the reuse or predictability of a cipher's initialization vector (for example WEP's 24-bit IV) to recover keystream or key material and decrypt traffic
IV Attack
300
A logical communication opening on a server that is listening for a connection from a client
Inbound Port
301
Network adapter can only capture the packets directly addressed to itself
Non-promiscuous Mode - Protocol Analyzers
302
Attestation model built upon XML used to share federated identity management information between systems
Security Assertion Markup Language (SAML)
303
A means for software or firmware to permanently alter the state of a transistor on a computer chip
eFUSE
304
Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network
ARP Poisoning - Allows an attacker to essentially take over any sessions within the LAN. ARP poisoning is mitigated with VLAN segmentation, DHCP snooping, and Dynamic ARP Inspection (DAI), which validates ARP replies against the DHCP snooping binding table
305
Cryptographic protocols that provide secure Internet communications for web browsing, instant messaging, email, VoIP, and many other services
Secure Socket Layer (SSL) and Transport Layer Security (TLS)
306
Attempts to remove, detain, or redirect malicious traffic
Network Intrusion Prevention Systems - NIPS should be installed in-line of the network traffic flow. NIPS can also perform functions as a protocol analyzer.
307
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met
Logic Bomb
308
Methods that make it difficult for an attacker to alter the authorized execution of software
Anti-Tamper - Anti-tamper mechanisms include a field programmable gate array (FPGA) and a physically unclonable function (PUF)
309
A claim that the data presented in the report is valid by digitally signing it using the TPM’s private key
Attestation
310
A simulated random number stream generated by a computer that is used in cryptography, video games, and more
Pseudo-Random Number Generator (PRNG) - A PRNG is deterministic given its seed, so general-purpose PRNGs (like rand() or Python's random module) must never be used for keys, tokens, or nonces; use the operating system's cryptographically secure RNG, which is seeded from hardware entropy sources
311
Method used to randomize the memory locations of a program's stack, heap, and libraries so that an attacker exploiting a memory-corruption bug (such as a buffer overflow) cannot predict the addresses needed to hijack execution
Address Space Layout Randomization
312
Exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server
Hijacking
313
The attacker identifies a vector by which to transmit the weaponized code to the target environment
Delivery
314
Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections
SSH - Shell and Scripts
315
Utility used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information
nslookup/dig - Networking Security Tools
316
Cloud Threats - Improper Key Management
APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data. Do not hardcode or embed a key into the source code. Do not create one key with full control to access an application’s functions. Delete unnecessary keys and regenerate keys when moving into a production environment.
317
A SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS
ArcSight
318
An operating system that meets the requirements set forth by government and has multilevel security
Trusted Operating System (TOS)
319
An international standard that acts as a privacy extension to the ISO 27001 to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS)
ISO 27701
320
An attack that allows an attacker to break out of a normally isolated VM by interacting directly with the hypervisor
VM Escape
321
Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated
Cross-Site Request Forgery (XSRF/CSRF) - Prevent CSRF with unpredictable per-session anti-CSRF tokens validated on every state-changing request, SameSite cookie attributes, and Origin/Referer header checks
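The anti-CSRF token check as it would run in a handler, added here as an example that is not part of the deck. The token is bound to the session with an HMAC so a token minted for one session does not verify for another; `handle_transfer` is a hypothetical state-changing endpoint, and the request dictionaries, session IDs and server secret are constructed for the example.

```python
import hashlib
import hmac
import secrets


def issue_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Mint a token bound to this session: nonce + HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_secret, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(server_secret: bytes, session_id: str, token: str) -> bool:
    """Reject tokens from another session or tampered tokens; constant-time compare."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(server_secret, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(server_secret: bytes, request: dict) -> int:
    """Hypothetical POST /transfer handler: the browser sends the session cookie
    automatically, but a forged cross-site form cannot read or supply the token."""
    session_id = request.get("cookie_session")
    token = request.get("form_csrf_token", "")
    if not session_id or not verify_csrf_token(server_secret, session_id, token):
        return 403
    return 200


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    tok = issue_csrf_token(secret, "sess-A")
    # Legitimate form submission from the victim's own page
    print(handle_transfer(secret, {"cookie_session": "sess-A", "form_csrf_token": tok}))
    # Forged request: cookie rides along, token is missing
    print(handle_transfer(secret, {"cookie_session": "sess-A"}))
```

The forged request in the second call is exactly the CSRF case from the card: the victim is authenticated (cookie present) but the attacker's page cannot read the token out of the legitimate form, so the handler refuses it.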
322
Focused on changing the behavior of people instead of removing the actual risk involved
Administrative Controls
323
Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive
Degaussing
324
A physical device that allows you to intercept the traffic between two points on the network
Network Tap
325
Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence
Due Care
326
Focused on the things done by people
NIST - Operational Controls
327
Hosts or servers in the DMZ which are not configured with any services that run on the local network
Bastion Hosts
328
A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed
FTK Imager - Forensics
329
Uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan
Non-Persistent Agents
330
Cracking hashed passwords by comparing each captured hash against a precomputed lookup table (a rainbow table) instead of hashing every guess; defeated by per-user salts
Cryptanalysis Attack
331
Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers
Building Automation System (BAS)
332
Source code of an application is reviewed manually or with automatic tools without running the code
Static Analysis
333
Malware designed to install or run other types of malware embedded in a payload on an infected host
Dropper - Droppers are likely to implement anti-forensics techniques to prevent detection and analysis
334
Utility used to determine if a host is reachable on an Internet Protocol network
ping/pathping - Networking Security Tools
335
A protocol that encapsulates PPP packets and ultimately sends data as encrypted traffic
Point-to-Point Tunneling Protocol (PPTP) - PPTP relies on MS-CHAP-based authentication and RC4 (MPPE) encryption, both of which are broken, so it should be replaced with L2TP/IPSec or a modern TLS-based VPN
336
Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques
Purging (Sanitizing)
337
A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographic region
Supervisory Control and Data Acquisition (SCADA) - SCADA typically run as software on ordinary computers to gather data from and manage plant devices and equipment with embedded PLCs
338
Used to verify information about a user prior to requesting that a certificate authority issue the certificate
Registration Authority
339
Microsoft’s proprietary protocol that allows administrators and users to remotely connect to another computer via a GUI
Remote Desktop Protocol (RDP) - RDP should require Network Level Authentication (NLA) so the user authenticates before a session is created, and it should never be exposed directly to the Internet
340
U.S. Government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility
TEMPEST
341
This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
Installation
342
Analyzes the current traffic against an established baseline and triggers an alert if outside the statistical average
Anomaly-based Detection (IDS)
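The two detection approaches on these cards (signature-based, and anomaly-based monitoring against a baseline), run side by side over constructed data. This is an added example, not from the deck: the four web-server log lines, the three signatures, and the per-minute request counts are all made up for the demonstration; the anomaly rule is the usual mean plus k standard deviations of the training window.

```python
import re
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed sample log lines (not from the deck): "ip method path status".
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /search?q=%27%20OR%201%3D1%20-- 500
10.0.0.7 GET /../../etc/passwd 404
10.0.0.5 GET /about 200
"""

# Signature-based: a known string/regex in the request triggers an alert.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
}


def signature_alerts(log_text):
    """Return (source_ip, signature_name) for every line that matches a signature."""
    alerts = []
    for line in log_text.splitlines():
        ip, _method, path, _status = line.split()
        decoded = unquote(path)  # normalise URL encoding so %27 becomes a quote
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((ip, name))
    return alerts


# Anomaly-based: learn what "normal" requests-per-minute looks like, then flag outliers.
BASELINE_PER_MINUTE = [12, 15, 11, 14, 13, 12, 16, 14]   # constructed training window
OBSERVED_PER_MINUTE = [14, 17, 95, 12]                    # constructed live window


def anomaly_threshold(baseline, k=3.0):
    """Upper bound of normal: mean + k standard deviations of the baseline."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_alerts(baseline, observed, k=3.0):
    """Return (minute_index, count) for every window above the threshold."""
    limit = anomaly_threshold(baseline, k)
    return [(i, n) for i, n in enumerate(observed) if n > limit]


if __name__ == "__main__":
    print(signature_alerts(SAMPLE_LOG))
    print(round(anomaly_threshold(BASELINE_PER_MINUTE), 2))
    print(anomaly_alerts(BASELINE_PER_MINUTE, OBSERVED_PER_MINUTE))
```

The signature pass catches only what it has a pattern for (a new encoding or a different tautology slips past), while the anomaly pass catches the 95-request burst without knowing what it is but would also fire on a legitimate traffic spike; real deployments run both.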
343
A container for an emulated computer that runs an entire operating system
Virtual Machine
344
The default file system format for Windows and is more secure than FAT32 because it supports journaling, access control lists (file permissions), encryption (EFS), larger partition sizes, and larger file sizes
New Technology File System (NTFS)
345
The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized
Basic Encoding Rules (BER)
346
Sending of unsolicited messages to Bluetooth-enabled devices
Bluejacking
347
A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system
Web of Trust
348
Method used by an attacker to access a victim’s machine
Threat Vector
349
The longest period of time a business can be inoperable without causing irrevocable business failure
Maximum Tolerable Downtime (MTD)
350
A role responsible for handling the management of the system on which the data assets are stored
Data Custodian
351
An access control policy where the computer system determines the access control for an object
Mandatory Access Control (MAC) - MAC relies on security labels being assigned to every user (called a subject) and every file/folder/device or network connection (called an object). Data labels create trust levels for all subjects and objects
352
Attack that targets an individual client connected to a network, forces it offline by deauthenticating it, and then captures the handshake when it reconnects. Used as part of an attack on WPA/WPA2
WiFi Disassociation Attack
353
A specialized type of DoS which attempts to send more packets to a single server or host than they can handle
Flood Attack
354
Any system that is different in its configuration compared to a standard template within an infrastructure as code architecture
Snowflake Systems - Lack of consistency leads to security issues and inefficiencies in support
355
A deidentification technique where data is generalized to protect the individuals involved
Aggregation/Banding
356
Protocol used by IPSec to authenticate the peers and negotiate the security associations and session keys that protect the tunnel
Internet Key Exchange (IKE)
357
Utilizes a web of trust between organizations where each one certifies others in the federation
Cross-Certification
358
Logs the events such as successful and unsuccessful user logins to the system
Security Logs
359
Attempts to get data provided by the attacker to be saved on the web server by the victim
Stored/Persistent XSS
360
Algorithm that creates a fixed-length 128-bit hash value unique to the input file
Message Digest 5 (MD5) - MD5 is cryptographically broken (collisions are practical); use SHA-256 or stronger for integrity checks and signatures
361
A TCP/IP protocol that authenticates and encrypts IP packets and effectively securing communications between computers and devices using this protocol
IPSec
362
A role focused on the quality of the data and associated metadata
Data Steward
363
Attack that causes data to flow through the attacker’s computer where they can intercept or manipulate the data
Man-in-the-Middle (MITM)
364
Unauthorized access of information from a wireless device over a Bluetooth connection
Bluesnarfing
365
A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems
Programmable Logic Controller (PLC)
366
Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files
logger - File Manipulation
367
A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances
Serverless - Serverless depends on orchestration
368
Firmware that provides the computer instructions for how to accept input and send output
Basic Input Output System (BIOS) OR Unified Extensible Firmware Interface (UEFI)
369
Class D Fire Suppression
Yellow D Star - combustible metals and metal alloys
370
A logical communication endpoint that exists on a computer or server
Port
371
The collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent
Influence Operations or Influence Campaign
372
Seeks to identify any issues in a network, application, database, or other systems prior to it being used that might compromise the system
Vulnerability Assessment
373
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation
Fuzzing
374
Wireless B, G, and N
Use a 2.4 GHz signal (802.11n can also operate in the 5 GHz band)
375
An automated version of a playbook that leaves clearly defined interaction points for human analysis
Runbook
376
Measures the average time it takes to repair a network device when it breaks
Mean Time To Repair (MTTR)
377
A UEFI feature that gathers secure metrics to validate the boot process in an attestation report
Measured Boot
378
Low-level CPU changes and instructions that enable secure processing
Processor Security Extensions
379
Cost associated with the realization of each individualized threat that occurs
Single Loss Expectancy (SLE)
380
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it
Physical Controls
381
A technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password
Pass the Hash - difficult to defend against
382
Utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics
netstat - Networking Security Tools
383
A group of policies that can be loaded through one procedure
Security Template
384
Attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server
DNS Amplification
385
An authentication protocol used by Windows to provide for two-way (mutual) authentication using a system of tickets
Kerberos - A domain controller can be a single point of failure for Kerberos
386
Attack that exploits a loophole in the domain name registration process that keeps the domain name in limbo so it cannot be registered by an authenticated buyer
Domain Name Kiting
387
Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)
Center for Internet Security (CIS)
388
Protocol used in IPSec that provides integrity and authentication
Authentication Header (AH)
389
Combination of network security devices and technologies to provide more defense in depth within a single device
Unified Threat Management - UTM may include a firewall, NIDS/NIPS, content filter, anti-malware, DLP, and VPN. Also known as NGFW.
390
Provide general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms
Organizational Policies
391
Occurs when an attacker blindly injects data into the communication stream without being able to see if it is successful or not
Blind Hijacking
392
A single computer (or file, group of files, or IP range) that might be attractive to an attacker
Honeypot
393
A software development method where code updates are tested and committed to a development or build server/code repository rapidly.
Continuous Integration - Continuous integration can test and commit updates multiple times per day. Continuous integration detects and resolves development conflicts early and often.
394
Occurs when an attacker is able to execute or run commands on a victim computer
Arbitrary Code Execution
395
Allows two devices to transmit information when they are within close range through automated pairing and transmission
Near Field Communication (NFC)
396
One or more switch ports are configured to forward all of their packets to another port on the switch
Port Mirroring
397
Manages the distribution of the physical resources of a host machine (server) to the virtual machines being run (guests)
Hypervisor
398
An agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet
Interconnection Security Agreement (ISA)
399
A standard that provides cryptographic security for electronic messaging
Secure/Multipurpose Internet Mail Extensions (S/MIME)
400
Operates at the session layer and only inspects the traffic during the establishment of the initial session over TCP or UDP
Circuit-Level Gateway
401
An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption
Public Key Infrastructure (PKI) - PKI and public key encryption are related but they are not the same thing
402
A UEFI feature that prevents unwanted processes from executing during the boot operation
Secure Boot
403
Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered
Software as a Service (SaaS)
404
Type of backup primarily used to capture the entire operating system image including all applications and data
Snapshot Backup
405
Process of measuring changes in the network, hardware, and software environment
Baselining
406
Physical devices that act as a secure cryptoprocessor during the encryption process
Hardware Security Module (HSM)
407
The longest period of time that an organization can tolerate lost data being unrecoverable
Recovery Point Objective (RPO) - Recovery Point Objective (RPO) is focused on how long you can be without your data. MTD and RPO help to determine which business functions are critical and to specify appropriate risk countermeasures
408
Logical controls that are put into a system to help secure it
NIST - Logical Controls
409
Occurs when a Trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser
Man-in-the-Browser (MITB)
410
Methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it
Access Control
411
Network traffic is analyzed for predetermined attack patterns
Signature-based Monitoring
412
An XML schema used to define and describe the information being created by OVAL to be shared among the various programs and tools
OVAL Language
413
Utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR function to create the ciphertext
Stream Cipher
414
A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure
Extensible Authentication Protocol (EAP)
415
A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics
WinHex - Forensics
416
An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions
ISO 31000
417
A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration
Infrastructure as Code (IaC) - IaC allows for the use of scripted approaches to provisioning infrastructure in the cloud
418
Uniquely identifies the network and is the name of the WAP used by the clients
Service Set Identifier (SSID) - Disable the SSID broadcast in the exam
419
Logs the events such as a system shutdown and driver failures
System Logs
420
A protocol that allows you to determine the revocation status of a digital certificate using its serial number
Online Certificate Status Protocol (OCSP)
421
A SIEM log management, analytics, and compliance reporting platform created by IBM
QRadar
422
A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language
Function as a Service (FAAS)
423
A protocol that can create a secure channel between two computers or network devices to enable one device to control the other device
Secure Shell (SSH)
424
Computers and other network-attached devices monitored through the use of agents by a network management system
Managed Devices
425
A firmware update that is digitally signed by the vendor and trusted by the system before installation
Trusted Firmware Updates
426
Manages the establishment, termination, and synchronization of a session over the network
Session Layer - Layer 5
427
Attempts to detect, log, and alert on malicious network activities
Network Intrusion Detection Systems - NIDS use promiscuous mode to see all network traffic on a segment
428
An online list of digital certificates that the certificate authority has revoked
Certificate Revocation List (CRL)
429
A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption
Endpoint Protection Platform (EPP)
430
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security
Unified Extensible Firmware Interface (UEFI)
431
Firewall installed to protect your server by inspecting traffic being sent to a web application
Web Application Firewall - A WAF can prevent a XSS or SQL injection
432
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture
Field Programmable Gate Array (FPGA) - End customer can configure the programming logic to run a specific application instead of using an ASIC (application-specific integrated circuit)
433
IEEE standard that defines Port-based Network Access Control (PNAC) and is a data link layer authentication technology used to connect devices to a wired or wireless LAN
802.1x
434
Attacker guesses the session ID for a web session, enabling them to take over the already authorized session of the client
Session Theft
435
Shielding installed around an entire room that prevents electromagnetic energy and radio frequencies from entering or leaving the room
Faraday Cage
436
Manages and ensures transmission of the packets occurs from a host to a destination using either TCP or UDP
Transport Layer - Layer 4 - Segments (TCP) or Datagrams (UDP)
437
A content delivery network policy that instructs the browser to treat requests from nominated domains as safe. Weak CORS policies expose the site to vulnerabilities like XSS.
Cloud Threats - Cross Origin Resource Sharing (CORS) Policy
438
A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer
Race Conditions - A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location
439
Wireless A, N, and AC
Use a 5.0 GHz signal
440
Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user’s web browser as part of the HTTP header
Public Key Pinning
441
A secure password-based authentication and password-authenticated key agreement method
Simultaneous Authentication of Equals (SAE) - (SAE) provides forward secrecy
442
Creates a striped RAID of two mirrored RAIDs (combines RAID 1 & RAID 0)
RAID 10
443
Three sets of backup tapes are defined as the son (daily), the father (weekly), and the grandfather (monthly)
Grandfather-Father-Son Tape Rotations
444
Protects against the loss of the array’s data if a single component fails (RAID 1, RAID 5, RAID 6)
Fault-tolerant RAID
445
802.11i standard to provide better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking
WiFi Protected Access version 2 (WPA2) - WPA2 is considered the best wireless encryption available
446
The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk
Data Acquisition
447
Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks
Unauthorized Zone Transfer
448
Occurs when a process stores data outside the memory range allocated by the developer
Buffer Overflow - Over 85% of data breaches were caused by a buffer overflow
449
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
Diamond Model of Intrusion Analysis
450
A network that manages embedded devices
Industrial Control Systems (ICS) - ICS is used for electrical power stations, water suppliers, health services, telecommunications, manufacturing, and defense needs. ICS manages the process automation by linking together PLCs using a fieldbus to make changes in the physical world (valves, motors, etc)
451
A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business
Cloud Security Alliance’s Reference Architecture
452
The length of time it takes after an event to resume normal business operations and activities
Recovery Time Objective (RTO)
453
Class C Fire Suppression
Blue C Circle - live electrical equipment
454
An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage
Hardware Security Module (HSM)
455
Encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES
Triple DES (3DES)
456
Attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page
Clickjacking
457
A software development method where application and platform requirements are frequently tested and validated for immediate availability
Continuous Delivery - Continuous delivery focuses on automated testing of code in order to get it ready for release
458
Occurs when an attacker fills up the buffer with NOPs so that the return address may hit a NOP and continue on until it finds the attacker’s code to run
Smash the Stack
459
Specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers
VPN Concentrator
460
The weaponized code is executed on the target system by this mechanism
Exploitation