Security+ Acronyms Flashcards
PCI DSS
PCI DSS - Payment Card Industry Data Security Standard
Defines how to manage credit/debit card data
There are 12 specific requirements, but the ones usually discussed are:
Company must annually have a security test/audit
All user accounts must be unique
Never store the CVV code of the card
lesson 1
NIST
National Institute of Standards and Technology
USGov agency that makes standards and guidelines
Describes/defines the cybersecurity framework as 5 functions: Identify, Protect, Detect, Respond, Recover
lesson 1
GDPR
GDPR - General Data Protection Regulation
EU law regarding privacy protections in and out of EU
Must have informed consent to be able to use someone's personal data
Exam? - usually has international implications
lesson 1
ISO 31000
ISO - International Organization for Standardization
31000 - Specification which lists enterprise risk management (ERM) best practices
lesson 1
Security Control Functional Types
Type 1:
Preventative - before attack - physical or logical
Detective - during attack - record successful or failed attacks - security guard monitoring camera
Corrective - after attack - responds to and/or fixes an incident - security guard response
Type 2:
Deterrent - psychological - unmonitored camera
Physical - gates, fences, locks, camera, signs
Compensating - substitute for a principal control as recommended by a security standard
lesson 1
NIST CSF
National Institute of Standards and Technology Cybersecurity Framework
A list of activities and objectives undertaken to mitigate risks
lesson 1
ISO 27001
International Organization for Standardization
27001 - information security rules and regulations (compliance/regulations)
lesson 1
ISO 27701
ISO - International Organization for Standardization
27701 - focuses on personal data and privacy rules
lesson 1
ISO 27702
ISO - International Organization for Standardization
27702 - Information Security best practices
lesson 1
ISO 22301
ISO - International Organization for Standardization
22301 - Security & resilience, business continuity management
lesson 1
SSAE SOC2, SOC3
SSAE - Statements on Standards for Attestation Engagements
-audit specifications that assure consumers that service providers (cloud or 3rd party) meet professional standards
SOC - Service Organization Control
SOC2 - evaluates internal controls (relative to the CIA triad) of the service provider, internal report between auditor, regulator, and provider; detailed reports
SOC3 - less detailed report certifying compliance with the SOC2 results; freely distributed
lesson 1
CSA
CSPs
ERA
Cloud Control Matrix
CSA - Cloud Security Alliance
an organization that defines cloud frameworks to assist CSPs in setting up and delivering secure cloud platforms; useful for consumers in selecting CSPs
CSPs - Cloud Service Providers
ERA - Enterprise Reference Architecture, best practices for architecting cloud solutions
Cloud Control Matrix - lists of specific controls and assessment guidelines for CSPs; baseline level of security a CSP should meet
lesson 1
CIS
Center for Information Security
known for the 20 CIS controls
produces benchmarks for different aspects of cybersecurity (PCI DSS, ISO 2700, etc.)
lesson 1
STIGs
STIGs - Security Technical Implementation Guides, DoD Cyber Exchange guidelines for hardening hardware and software
example of OS/Vendor guidelines
lesson 1
OWASP
Open Web Application Security Project
organization that publishes the top 10 most critical app security risks
develops resources (Zed Attack Proxy and Juice Shop) to help investigate and understand pen testing and app security issues
lesson 1
SOX
Sarbanes-Oxley Act
Due diligence - responsible persons have not been negligent in the discharge of their duties
US regulation/legislation mandating implementation of risk assessments, internal controls and audit procedures
lesson 1
Computer Security Act
Requires federal agencies to develop security policies for computer systems which process confidential information
lesson 1
FISMA
Federal Information Security Management Act
governs the security of data processed by federal gov agencies
lesson 1
GLBA
Gramm-Leach-Bliley Act
Financial services legislation
lesson 1
HIPAA
Health Insurance Portability and Accountability Act
Health information protection legislation
lesson 1
Security Control Categories
Managerial
-controls that give oversight of the system
Operational
-controls that depend on a person for implementation
Technical
-controls implemented in operating systems, software, and security appliances
lesson 1
CIA Triad
Secure information has 3 properties:
C - Confidentiality
-certain info should only be known to certain people
I - Integrity
-data is stored and transferred as intended, modifications are authorized
A - Availability
-information is accessible to those authorized to view or modify it
Non-repudiation
-a subject cannot deny doing something, such as creating, modifying, or sending a resource
ACL
Access Control List
a very all-encompassing term; could mean many things
used in firewalls and on file system objects (permissions)
is an example of a preventative security control
lesson 1
Shadow IT
IT systems deployed by people outside the central IT department as a workaround for shortcomings of the implemented IT systems
example: installing an access point in your office
aka Rogue IT, Fake IT, Stealth IT
lesson 2
Vulnerability
Any weakness of a system which could cause a security breach, intentionally or unintentionally
Asset value
Ease of exploit
lesson 2
Threat
Potential for a vulnerability to be exploited
Internal/External
Malicious/Accidental
Threat actor
Threat vector
lesson 2
Risk
likelihood and impact of a threat actor exploiting a vulnerability
Risk = vulnerability + threat
Risk = likelihood * impact
lesson 2
Hats - white, black, grey
white hat - attacks performed for good; authorized/planned attacks
black hat - attacks performed with malicious intent, unauthorized
grey hat - mix of white and black hat; similar to breaking in through a faulty lock, then fixing the lock and leaving a note that it was fixed
lesson 2
Script kiddies
untrained attackers, usually just using a script found on internet, etc.
lesson 2
hacktivists
hacking to prove a point, not necessarily with malicious intent or for monetary gain
lesson 2
APT
Advanced Persistent Threat
refers to the ongoing ability of an adversary to compromise network security to obtain and maintain access using a variety of tools and techniques
used by State Actors who have nation backing, high amount of resources
lesson 2
State Actor
state or nation backed attackers, usually military/secret services
highly sophisticated
use APT
purpose of espionage and strategic advantage
deniability
false flag operations
lesson 2
Insider threat actor
- malicious - has access (employees, contractors, partners)
- wanting to sabotage, or for financial gain, business advantage
- unintentional due to
- weak policies/procedures and/or weak adherence to policy;
- lack of training
- Shadow IT
lesson 2
Attack surface
points where attacker can discover/exploit vulnerabilities in a network or application
lesson 2
Attack Vectors
how an attacker accesses a system:
direct access
removable media
email
remote and wireless
supply chain
web and social media
cloud
lesson 2
TTP
Tactics, techniques, and procedures
a threat research source
attempts to tell you how you are being attacked and identifies the attackers
describes what and how an attacker acts
lesson 2
Honeypot
Honeynet
honeypot - a distraction system to trick attackers to attack
honeynet - a network of honey pots
intention is to learn about attackers and how they operate on a given system
A form of threat research
lesson 2
ISACs
Intelligence Sharing and Analysis Centers
share threat intelligence and promote best practices
lesson 2
OSINT
Open source intelligence threat data sources
a threat resource
lesson 2
Threat Research Sources
a counterintelligence-gathering effort to discover the tactics, techniques, and procedures (TTP) of attackers
sources:
security solution providers - companies to assist in this effort
dark net
dark web
honeypot/nets
IOC
Indicator of Compromise
a residual sign that an asset or network has been successfully attacked or is continuing to be attacked
or
evidence of a TTP
describes how to recognize what attack actions might look like
examples:
unauthorized software and files
suspicious emails
suspicious registry and file system changes
unknown port and protocol usage
excessive bandwidth
rogue hardware
service disruption and defacement
suspicious or unauthorized account usage
lesson 2
STIX
Structured Threat Information eXpression
threat data feed framework, syntax for describing Cyber Threat Intel (CTI)
lesson 2
TAXII
Trusted Automated eXchange of Indicator Information
a protocol for transmitting Cyber Threat Intel (CTI) data between servers and clients
lesson 2
AIS
Automated Indicator Sharing
A service offered by Dept of Homeland Security (DHS) for companies to participate in threat intelligence sharing
lesson 2
Threat Map
animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform
lesson 2
CVSS
Common Vulnerability Scoring System
lesson 3
CVE
Common Vulnerabilities and Exposures
a threat feed; a database of these items maintained by MITRE
Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software
lesson 2
SIEM
Security Information and Event Management
threat intel provider platform
utilizes AI to correlate CTI data with observed data from customer networks
lesson 2
SOAR
Security Orchestration, Automation and Response
designed as a solution to the problem of the volume of alerts overwhelming analysts' ability to respond
Can be combined with SIEM
scans the organization's store of security and threat intelligence, analyzes it using machine/deep learning techniques, and then uses that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting
lesson 2