Security+ Mod 1 & 2 Flashcards

1
Q

ARP Poisoning

A

a network-based attack where an attacker with access to the target network redirects an IP address to the MAC address of a computer that is not the intended recipient

2
Q

Buffer Overflow-

A

an application attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for that buffer.

3
Q

Clickjacking-

A

a type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements

4
Q

Collision-

A

the act of two different plaintext inputs producing the same exact ciphertext output

5
Q

DDOS-

A

(distributed denial of service attack) a network-based attack where an attacker hijacks or manipulates multiple computers on networks to carry out a DoS attack

6
Q

DDoS (Distributed Denial of Service)

A

is an attack that uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.

7
Q

DLL injection-

A

a software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library in memory, which could cause the victim application to experience instability or leak sensitive information

8
Q

DNS Poisoning-

A

Domain Name System- a network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.

9
Q

Domain hijacking-

A

a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity.

10
Q

DoS- denial of service attack-

A

a network-based attack where the attacker disables systems that provide network services by consuming a network link's available bandwidth, consuming a single system's available resources, or exploiting programming flaws in an application or OS.

11
Q

IV- initialization vector-

A

a technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption

12
Q

IV attack-

A

a wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone except the user or network.

13
Q

Jamming-

A

In networking, the phenomenon by which radio waves from other devices interfere with the 802.11 wireless signals used by computing devices and other network devices.

Attackers may use a radio transceiver to intercept transmissions and inject jamming packets, disrupting the normal flow of traffic across a network.

14
Q

MAC Spoofing-

A

an attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface.

Although the MAC address is hard-coded on a network interface, there are tools that you can use to make an OS believe that the interface has a different MAC address. MAC spoofing attacks use the MAC address of another host to try to force the target switch to forward frames intended for that host to the attacker. Because it operates at the Data Link Layer, MAC address spoofing is limited to the local broadcast domain.

15
Q

Man-in-browser-

A

a type of network attack that combines a man-in-the-middle attack with the use of a Trojan horse to intercept and modify web transactions in real time

16
Q

Man-in-the-middle-

A

a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

17
Q

Memory Leak-

A

a software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability

18
Q

Pass the Hash-

A

a network attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

19
Q

Pen Testing-

A

a method of evaluating security by simulating an attack on a system

20
Q

Pointer Dereference-

A

a software vulnerability that can occur when the code attempts to remove the relationship between a pointer and the thing it points to. If the pointee is not properly established, the dereferencing process may crash the application and corrupt memory.

21
Q

Privilege escalation-

A

exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application

22
Q

Race Condition-

A

a software vulnerability that can occur when the outcome of the execution process is directly dependent on the order and timing of certain events and those events fail to execute in the order and timing intended by the developer.

23
Q

Refactoring-

A

the process of restructuring application code to improve its design without affecting the external behavior of the application or to enable it to handle particular situations.

24
Q

Shimming-

A

the process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

25
URL Hijacking-
an attack in which an attacker registers a domain name with a common misspelling of an existing domain so that a user who misspells a URL they enter into a browser is taken to the attacker's website
26
WPS-
Wi-Fi protected setup- an insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN
27
SSID-
An SSID or service set identifier is used to help users identify the correct WAP they are connecting to. An extended SSID or ESSID is used when multiple SSIDs are grouped into one.
28
MAC Filtering-
MAC (media access control) filtering specifies a list of valid MAC addresses of devices that will be allowed to connect to the WAP (wireless access point).
29
ACL-
access control list- On a router, a list that is used to filter network traffic and implement anti-spoofing measures. In a DAC access control scheme, a list that is associated with each object, specifying the subjects that can access the object and their levels of access.
30
Active-Active-
a redundancy mode used by load balancers to route traffic equally through two load balancers. An active/active cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
31
Active-Passive-
a redundancy mode used by load balancers to route traffic through a primary (active) load balancer while the other (passive) load balancer is on standby in case of failure of the active device. An active/passive cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
32
ANT-
a proprietary wireless network technology that is similar to Bluetooth implementations that consume a smaller amount of energy.
33
Banner Grabbing-
the act of collecting information about network hosts by examining text-based welcome screens that are displayed by some hosts. Involves opening random connections to common ports or network protocols and gathering information from banner or error responses.
34
OUI (Organizationally Unique Identifier) grabbing
is like banner grabbing or OS fingerprinting. The OUI can identify the manufacturer of the network adapter and therefore allows other assumptions to be made related to system type and/or purpose.
35
Ping -t
The -t switch pings the specified server name or IP (Internet Protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.
36
Ping -n
The -n switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.
37
Ping -S
The -S switch, which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.
38
Ping -r
The -r switch records the route for count hops. This is used for IPv4 addresses.
39
Netstat-
The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). He or she may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet Protocol) addresses.
40
Tracert-
The trace route (tracert) command can help discover where a network route ends when a ping fails. However, the server is responding to pings.
41
Ipconfig-
only provides network adapter information such as the IP address of the server.
42
OS (operating system) fingerprinting
is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).
43
Zenmap-
GUI for Nmap. Uses the traceroute command to map out the network.
44
Netcat- (or nc for short)
is remote access software that is available for both Windows and Linux. It can be used as a backdoor to other servers.
45
Data exfiltration –
the process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
46
DLP-
data loss/leak prevention- a software solution that detects and prevents sensitive info in a system or network from being stolen or otherwise falling into the wrong hands.
47
DNSSEC-
Domain Name System Security Extensions- a security protocol that provides authentication of DNS data and upholds DNS data integrity
48
File Integrity monitoring-
is a feature available in most antivirus software or HIPS (Host-based Intrusion Prevention System). HIPS can capture a baseline of the image; any radical change to it, detected using hashing algorithms, will flag the incident and quarantine the files.
49
Hardware Security module-
HSM- a physical device that provides root of trust capabilities
50
IPSEC- Internet Protocol Security-
a set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the internet.
51
Load Balancer-
a network device that distributes the network traffic or computing workload among multiple devices in a network.
52
An active/active
cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
53
An active/passive
cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
54
A URL filter
allows you to control access to websites by permitting or denying access to specific websites based on information contained in a URL list.
55
NAC-
Network Access Control- the collection of protocols, policies and hardware that govern access of devices connecting to a network. Essentially a health policy that verifies each requesting node conforms to a health policy (patch level, antivirus/firewall configuration, and so on).
56
NIDS-
Network Intrusion detection system- a system that uses passive hardware sensors to monitor traffic on a specific segment of the network. Uses Signature-based (or pattern-matching) detection.
57
NIPS-
an active, inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it. (Network Intrusion Prevention System) is an appliance placed on the network to provide an active response to any network threats that match its policies or signatures.
58
Out-of-Band link-
offers better security than in-band. You may use separate cabling or the same cabling and physical switches, but a separate VLAN for management.
59
in-band
link is less secure, since the management channel is shared by the network being monitored. This will make alerts more detectable by an adversary and can also be blocked.
60
Secure Post Office Protocol v3 (POP3)
is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at their convenience.
61
Secure Internet Message Access Protocol v4 (IMAP4)
is primarily designed for dial-up access and the client contacts the server to download its messages, then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. Messages can be stored and organized on the server.
62
Protocol Analyzer-
this type of diagnostic software can examine and display data packets that are being transmitted over a network. EX: Wireshark
63
POP-
a protocol used to retrieve email from a mailbox on the mail server
64
Proxy-
a device that acts on behalf of one end of a network connection when communicating with the other end of the connection; a device that acts on behalf of another service. A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused. A proxy server places information retrieved from the internet into a temporary storage area so that if the information is requested again by another client, the proxy already has it. This reduces the number of calls to the internet and speeds up performance.
65
Router-
a device that connects multiple networks that use the same protocol.
66
S/MIME-
Secure/Multipurpose Internet Mail Extensions- an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications. The user is issued a digital certificate containing a public key that is signed by a CA (Certificate Authority) to establish its validity.
67
SIEM-
Security Information and Event Management- a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
68
Aggregation switches –
a network device that combines multiple ports into a single link in order to enhance redundancy and increase bandwidth; can connect multiple subnets to reduce the number of active ports. When aggregating subnets, the subnets are connected to the switch versus the router.
69
SNMP
SNMP- Simple Network Management Protocol- an application layer service used to exchange information between network devices.
70
SNMPv1
SNMPv1 uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted. This protocol does not support encryption.
71
SNMPv2c
SNMPv2c also uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support encryption.
72
correlation engine
A correlation engine is part of a security information and event manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.
73
MIB
Management Information Base (MIB) is the database that the agent within SNMP utilizes. The agent is a process that runs on a switch, router, server or other SNMP compatible network device.
74
SSL decryptor / SSL inspector / SSL interceptor-
a type of proxy used to examine encrypted traffic before it enters or leaves the network. This ensures that traffic complies with data policies and strong cipher suites are used.
75
Switch
Switch- a device that has multiple network ports and combines multiple physical network segments into a single logical network.
76
TLS
TLS- Transport Layer Security- a security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection
77
Tunnel mode
Tunnel mode- is when the whole IP packet (header and payload) is encrypted and a new IP header added.
78
UTM
UTM- Unified Threat Management- the practice of centralizing various security techniques into a single appliance. UTM (Unified Threat Management) systems include an application firewall to provide more complex network security. An SSL interceptor is not found in a UTM. The UTM is an all-in-one security appliance. Its ability to block specific URLs or websites comes from its content filtering feature. Even unknown websites that fit the description of having inappropriate images can be set to block. Many UTM appliances include a malware scanner that scans the web traffic and compares the packet or heuristic behavior to determine if a network connection is malicious. A UTM is like an intrusion prevention system (IPS) that can block network connections or prevent a file from being downloaded.
79
VDI-
VDI- virtual desktop infrastructure- a virtualization implementation that separates the personal computing environment from a user's physical computer.
80
Virtual IP-
VIP- A virtual IP address is an IP address that doesn't correspond to an actual physical network interface. Each server node has its own IP address, but externally a load-balanced service advertises a Virtual IP (VIP) address. Uses for VIPs include network address translation, fault tolerance, and mobility.
81
VPN Concentrator-
A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels. This is ideal for telecommuters. If used with TLS or SSL VPN, port 443 will be used.
82
VPN-
Virtual private network- a method of extending a private network by tunneling through a public network, such as the internet
83
A site-to-site VPN
connects two or more local networks, each site running a VPN gateway. The gateway does all the work.
84
A remote access virtual private network (VPN)
involves VPN client agents connecting to a VPN-enabled router concentrator at the company's main network. This is ideal for telecommuters. If used with TLS or SSL VPN, port 443 will be used. Like TLS VPN, SSL (Secure Sockets Layer) VPN will also pass through traffic over port 443. However, TLS is more secure than SSL.
85
TLS (Transport Layer Security) VPN
will require a remote server listening on port 443 (so no changes to firewalls) and optionally, a set of client certificates for authenticating the device (transparent for users after simple set up). Like TLS VPN, SSL (Secure Sockets Layer) VPN will also pass through traffic over port 443. However, TLS is more secure than SSL.
86
Tunneling-
a data-transport technique in which a data packet is encrypted and encapsulated in another data packet in order to conceal the information of the packet inside.
87
Vulnerability assessment-
a security assessment that evaluates a system's security and its ability to meet compliance requirements based on the configuration state of the system.
88
FQDN (fully qualified domain name)
can have multiple IP addresses using DNS records, and name resolution can route the sessions accordingly between the servers in the cluster. However, only the first record will be active until it is unavailable.
89
GLBP-
Gateway Load Balancing Protocol is Cisco's proprietary service for providing a load-balanced service with a VIP. The infrastructure is Cisco-based, so this service will most likely be implemented.
90
Common Address Redundancy Protocol
(CARP) is another commonly used network protocol that works in the same way as GLBP.
91
multipurpose proxy server
can be configured with filters for multiple protocol types, such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), and SMTP (Simple Mail Transfer Protocol).
92
application-specific proxy,
like a web proxy, will only filter out content from the web. A proxy server is required for FTP services as well.
93
non-transparent class of proxies
requires a client to be configured with the proxy server address and port settings.
94
transparent class of proxies
requires no extra configuration of client computers. This proxy intercepts client traffic through a switch, router or other inline network appliance.
95
web application firewall (WAF)
is mainly designed to protect software running on web servers by preventing denial of service (DoS) attacks, where thousands of connections are attempted to overwhelm the server. A WAF may also prevent backend databases from being compromised using SQL injections, where a hacker issues SQL query commands into text fields of forms on the web server.
96
Border firewalls
filter traffic between the trusted local network and untrusted external networks, such as the Internet. DMZ (Demilitarized Zone) configurations are established by border firewalls.
97
network-based firewall
analyzes packets at the layer 2 or data link layer of the OSI (Open Systems Interconnection) model.
98
Internal firewalls
can be placed anywhere within the network, either inline or as host firewalls, to filter traffic flows between different security zones.
99
Whole network firewalls
are put into place to protect the whole network. They are placed inline in the network and inspect all traffic that passes through.
100
Single host firewalls
are installed on the host and only inspect traffic destined for the host.
101
application firewall
analyzes packets at layer 7 or the application layer. It can be called by different names, such as application layer gateway firewall, stateful multilayer inspection firewall, or deep packet inspection firewall. It is mostly installed on a server as an application (e.g., Windows Firewall). However, it can also run on physical network appliances, like a UTM device.
102
Layer 3 Firewall
The most basic is layer 3 where the firewall blocks traffic from specific IP ranges. In access control list (ACL), the final default rule is typically to block any traffic that has not matched a rule (implicit deny).
103
Stateless firewall-
a firewall that does not track the active state of a connection as it reaches the firewall
104
Stateful Firewall-
A firewall that tracks the active state of a connection and can make decisions based on the contents of a network packet as it relates to the state of the connection.
105
Layer 2 Firewall
or transparent firewall looks at bridged packets that run through a pair of locally-switched Ethernet ports. It can be placed into a network without having to re-subnet it.
106
A state table
contains information about sessions between network hosts. This type of data is gathered by a stateful firewall.
107
Signature-based (or pattern-matching)
detection uses a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. Used by a NIDS.
108
Anomaly-based
detection uses an engine that looks for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert, if they deviate from strict RFC compliance.
109
Heuristic-based
detection learns from experience to detect differences from the baseline. This type of detection is the same as behavioral-based detection.
110
Behavioral-based
(statistical or profile-based) detection uses an engine to recognize baseline "normal" traffic or events. Any deviation from the baseline (outside a defined level of tolerance) generates an incident.
111
Rulesets
are a configuration setting for the intrusion detection system (IDS). Content filtering, such as blocking URLs and applying keyword-sensitive blacklists or whitelists, are examples of a ruleset.
112
STP (Spanning Tree Protocol)
is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming. A switch loop on the network will cause network connections to drop, since the packet cannot make the appropriate hop to the next switch to its final destination. Switching loops also generate broadcast storms.
113
Port security
is an advanced security feature that allows a certain amount of MAC addresses to access a physical port. After a certain number, new connections will be blocked.
114
flood guard
is a feature of a circuit-level firewall that prevents maliciously open connections from forming. This is not applicable to switching loops. A switch loop on the network will cause network connections to drop, since the packet cannot make the appropriate hop to the next switch to its final destination. Switching loops also generate broadcast storms.
115
DHCP-
Dynamic Host Configuration Protocol- a protocol used to automatically assign IP addressing information to IP network computers. provides an automatic method for network address allocation. As well, an IP address and subnet mask can include optional parameters.
116
MAC
(Media Access Control) filters can block data coming from specific MAC addresses to drop. However, "dummy" client switches were deployed, which normally means no advanced configurations have been made.
117
Meterpreter
is an exploit module that uses in-memory DLL injection stagers. Stagers create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.
118
Nexpose
is a vulnerability scanner. When integrated with Metasploit Pro, Metasploit can then read the scan report and confirm vulnerabilities to rule out false positives.
119
Kali or Kali Linux
is a Debian-derived Linux distribution designed for system forensics and penetration testing. Simply loading onto a laptop does nothing.
120
Nessus
is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack. It is not a NIPS (Network Intrusion Prevention System). It does not perform any changes to the application or computer operating system. Commonly deployed solution for application vulnerability assessments.
121
Metasploit
is an exploitation framework with tools for exploiting vulnerabilities.
122
Sysinternals-
suite of tools designed to assist with troubleshooting issues with Windows. Process Explorer (a tool in Sysinternals) can reveal all the processes and their details on the system. It can filter out the legitimate activity generated by normal operation of the computer, which is what the admin used to find the rogue service. These tools are not useful for a networking issue. Unknown processes are easily seen in the Process Explorer view. These unknown processes may have an unrecognized name or no icon. The Autoruns tool, which is part of Windows Sysinternals, can help with hunting down malware on a computer. Autoruns' ability to identify the startup services and their locations can lead to researching ways to remove the malware and its rogue services.
123
Process Explorer
(a tool in Sysinternals) can reveal all the processes and their details on the system. It can filter out the legitimate activity generated by normal operation of the computer, which is what the admin used to find the rogue service. These tools are not useful for a networking issue. Unknown processes are easily seen in the Process Explorer view. These unknown processes may have an unrecognized name or no icon.
124
The Autoruns tool,
which is part of Windows Sysinternals, can help with hunting down malware on a computer. Autoruns' ability to identify the startup services and their locations can lead to researching ways to remove the malware and its rogue services.
125
Cain and Abel
is used to recover Windows passwords and includes a password sniffing utility.
126
John the Ripper
is compatible with multiple platforms such as Windows, Mac OS X, Solaris, and Android, and is primarily used as a password hash cracker.
127
THC Hydra
is often used against remote authentication using protocols such as Telnet, FTP (file transfer protocol), HTTPS (hypertext transfer protocol secure), SMB (server message protocol), etc.
128
Aircrack
is used to sniff and decrypt WEP (wired equivalent privacy) and WPA (wireless protected access) wireless traffic.
129
Microsoft Security Compliance Toolkit (SCT)
compares scanned hosts with a template of controls and configuration settings to determine system compliance. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle. The toolkit does not patch systems. It includes the Policy Analyzer Tool and the Local Group Policy Object (LGPO) Tool.
130
WSUS- (Windows Server Update Service)
server is a central repository for updates related to OS and applications like Microsoft Office. Once downloaded locally, WSUS distributes the updates to the client computers.
131
The local group policy object (LGPO) Tool,
on its own, automates the process of changing local GPOs on a computer. This tool is helpful in managing systems that are not part of the domain. This tool is best used in conjunction with the Policy Analyzer tool.
132
Microsoft System Center Configuration Manager (SCCM)
is a software management suite to manage a large amount of systems on multiple platforms. It does not include a policy analyzer tool and a LGPO tool.
133
CVEs
(Common Vulnerabilities and Exposures) can be used by the Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.
134
inSSIDer
is software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.
135
Aircrack-ng
is a suite of utilities designed for wireless network security testing. The principal tools include airmon-ng (monitor mode), airodump-ng (frame capture), aireplay-ng (frame injection), and aircrack-ng (decode authentication key). The specific tool, which is also called aircrack-ng, can decode the authentication pre-shared key or password for WEP, WPA, and WPA2 using a dictionary word or a relatively short key.
136
AirPcap-
Wireless adapter driver that supports monitor mode. Designed specifically for packet capture. Sniffs non-unicast wireless traffic.
137
BitLocker keys
are stored along with the associated computer account object in Active Directory. It is viewable in the object's properties view. This is a different location than the NTDS.DIT file.
138
BitLocker
is a full drive encryption technology. It does not have a process for encrypting passwords, nor the sending and receiving of passwords from node to node.
139
%SystemRoot%\NTDS\NTDS.DIT file
stores domain user passwords and credentials. Employees commonly use their domain credentials to log in to do work and gain access to corporate information.
140
Wireshark-
A protocol analyzer tool. Packets that are analyzed or decoded will provide information such as the protocol used and on what port. If a port is open, it will be listed in the analyzed information.
141
Order of restoration –
In general, the first step in restoring services involves enabling and testing power delivery systems, such as a power grid, generators, and even UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run. In general, the second step in restoring services involves enabling and testing switch infrastructure, then routing appliances and systems. Other important network servers include domain controllers so that users may log in to their computers and reach Enterprise services. In general, the sixth step in restoring services involves enabling and testing front-end applications like a web server. Workstations
142
Key performance indicators (KPI)
can be used to determine the reliability of each asset.
143
Business impact analysis (BIA)
is the process of assessing what losses might occur for each threat scenario.
144
Single Loss Expectancy (SLE)
is the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF).
145
Exposure Factor (EF)
is the percentage of the asset value that would be lost.
146
Annual Loss Expectancy (ALE)—
the amount that would be lost over the course of a year.
147
input validation attack
passes invalid data to the application, and since the input handling on the routine is inadequate, it causes the application (or even the OS) to behave in an unexpected way.
148
SEP
(Symantec Endpoint Protection) – Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention, and firewall features for server and desktop computers. It has the largest market share of any product for endpoint security. The proactive threat protection feature of SEP provides a behavioral approach to protecting the system against unknown threats. For example, a process using high levels of CPU for a long time is treated as a possible threat and will eventually be stopped by the software. The virus and spyware protection feature of SEP is the commonly known anti-virus software that should be on every client image. The network and host exploit mitigation feature of SEP protects the system against web and network exploits and zero-day attacks.
149
Remote access
refers to the user's device connecting over or through an intermediate network, usually a public Wide Area Network (WAN). It does not make a direct cabled or wireless connection to the network.
150
The Domain Name System
(DNS) is a system for resolving host names and domain labels to IP addresses. It uses a distributed database system that contains information on domains and hosts within those domains.
151
DNS server cache poisoning
is a redirection attack that, instead of trying to subvert the name service used by the client, aims to corrupt the records held by the DNS server itself.
152
DNS spoofing
is an attack that compromises the name resolution process. The attacker may compromise the process of DNS resolution by replacing the valid IP address for a trusted website.
153
Secure File Transfer Protocol (SFTP)
is a secure version of File Transfer Protocol (FTP), which facilitates data access and data transfer over a Secure Shell (SSH) data stream. It is part of the SSH Protocol.
154
Implicit Transport Layer Security (FTPS)
negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before the exchange of any File Transfer Protocol (FTP) commands.
155
Explicit TLS (FTPES)
uses the AUTH TLS command to upgrade an unsecure connection.
156
Secure Shell (SSH) FTP (SFTP)
encrypts the authentication and data transfer between the client and server; a secure link is created between the client and server using SSH.
157
Trivial File Transfer Protocol (TFTP)
is a connectionless protocol that provides file transfer services. It does not provide the guaranteed delivery offered by FTP.
158
Directory services
are network services that store identity information for a particular network, including users, groups, servers, client computers, and printers.
159
Unified Communications-
These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include voice, messaging, interactive whiteboards, data sharing, email and social media.
160
Secure Post Office Protocol v3 (POP3)
is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at their convenience.
161
Simple Mail Transfer Protocol (SMTP)
specifies how mail is delivered from one system to another.
162
Session control
is used to establish, manage, and disestablish communications sessions. Session control protocols handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.
163
Session Initiation Protocol
(SIP) is one of the most widely used session control protocols. SIP endpoints are the end-user devices (also known as user agents).
164
Quality of Service (QoS)
provides information about the connection to a QoS system, which in turn, ensures that voice or video communications are free from problems such as dropped packets, delay, or jitter.
165
Top level Network Time Protocol
(NTP) servers (stratum 1) obtain Coordinated Universal Time (UTC) from a highly accurate clock source, such as an atomic clock. A stratum 1 time server is a network appliance that receives precise time from a hardware reference clock and provides a time resource to client computers. NTP implements a hierarchical system of time references.
166
Route injection
means that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS.
167
Vulnerability scanner
Assesses systems, networks, and applications for weaknesses. Also considered in the context of credentialed vs. non-credentialed scanning: a credentialed scan uses specific permissions set by security personnel when it scans a system, while a non-credentialed scan only assesses what a normal user sees. The advantage of a non-credentialed scan is that it focuses on the most glaring weaknesses that any user can see, regardless of their privileges. Non-credentialed scans are also less intrusive and tend to consume fewer resources than credentialed scans.
168
Port Scanner
Assesses the current state of all ports on a network and detects open ports that may pose a risk to the organization.
169
Protocol/packet Analyzer
Assess traffic on a network and what it reveals about its contents and the protocols being used.
170
Fingerprinting tools
Identify a target's operating system information and running services, also called banner grabbing.
171
Network enumerator
Map the logical structure of the network and identify rogue systems on the network.
172
Password Cracker
Recover secret password from data stored or transmitted by a computer.
173
Backup utilities
Create copies of scanned data
174
Command-Line Tools: ping, tracert/traceroute, netstat, arp, nslookup/dig, ipconfig, nmap, netcat
ping- See if a host is responding to basic network requests.
tracert/traceroute- See the route and delays of packets across a network.
netstat- See current network connection info on a host.
arp- See ARP entries on a host.
nslookup/dig- Query DNS servers.
ipconfig- See network interface info on a host.
nmap- Scan ports and fingerprint systems.
netcat- Monitor and modify network traffic.