Study Flashcards

1
Q

a non-persistent operating system on a compact disk or USB

A

live boot media

2
Q

used to indicate relevancy to the case or part of the case or to show confidentiality and help organize evidence according to keywords or labels

A

tags

3
Q

a device that copies signals from the physical layer and the data link layer. Since no network or transport logic is used, every frame is received, allowing reliable packet monitoring.

A

TAP (Test Access Point)

4
Q

a measure of cryptographic unpredictability, higher levels indicating higher security

A

entropy

5
Q

what are two ways to maximize integrity of the analysis process to ensure non-repudiation is possible?

A
  • use a write-blocker to prevent data from being changed
  • create a hash before and after analysis and compare checksums

6
Q

shows the results of risk assessments in a comprehensible document format, including impact, likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.

A

risk register

7
Q

a form of segmentation that routes suspicious traffic that is flooding an IP address into another network for analysis

A

sinkhole

8
Q

helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key

A

(DNSSEC) DNS Security Extensions

9
Q

standard that creates reports that assess the ongoing effectiveness of the security architecture over a period of 6-12 months. Highly detailed and designed to be restricted.

A

Service Organization Control (SOC2) Type II

10
Q

the concept that fire requires heat, oxygen, and fuel to ignite and burn

A

the fire triangle

11
Q

strategy that uses passive discovery techniques so that threat actors do not know they have been discovered

A

defensive maneuver

12
Q

what are 9 symmetric algorithms?

A
  • DES
  • 3DES
  • IDEA
  • AES
  • Blowfish
  • Twofish
  • RC4
  • RC5
  • RC6
13
Q

name 3 asymmetric algorithms

A
  • Diffie-Hellman (DH)
  • RSA
  • ECC
14
Q

encryption type where 2 keys are used, one to encrypt, the other to decrypt

A

asymmetric

15
Q

encryption type where sender and receiver use the same private key

A

symmetric

16
Q

cipher that uses a key stream generator to encrypt data bit by bit, combining each bit with the key stream using the XOR function to create ciphertext

A

stream cipher

17
Q

cipher that breaks input into fixed length blocks of data and performs encryption on each block

A

block cipher

18
Q

which symmetric encryption algorithm is a stream cipher?

A

RC4

19
Q

type of control that includes policies, procedures, legal, and regulatory

A

administrative controls (aka managerial controls)

20
Q

name for a freelance ethical hacker

A

blue hat

21
Q

highly trained hackers, funded with covert and open source intelligence or funded by nations

A

Advanced Persistent Threats (APTs)

22
Q

4 important factors in intelligence/sources

A
  • timeliness
  • relevancy
  • accuracy
  • confidence levels
23
Q

what are the steps of Lockheed Martin’s kill chain?

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives
24
Q

method of obtaining info through public records, websites, and social media

A

OSINT (Open Source Intelligence)

25
framework for analyzing incidents and intrusions by exploring relationships between adversary, capability, infrastructure, and victim
Diamond Model of Intrusion Analysis
26
knowledge base for adversary tactics
MITRE ATT&CK Framework
27
a malware infection that sets off a malicious function when logical conditions are met
logic bomb
28
5 steps for securing the BIOS
  1. Flash the BIOS (update software)
  2. Use a BIOS password
  3. Configure boot order
  4. Disable external ports and devices
  5. Enable secure boot
29
3 tips for securing NAS (Network Attached Storage)
  1. use data encryption
  2. use proper authentication
  3. log NAS access
30
technology that provides automated identification of suspicious activity using AI and machine learning
UEBA (User and Entity Behavior Analytics)
31
attack where unsolicited messages are sent to bluetooth devices
bluejacking
32
attack involving the unauthorized access of info from wireless device over bluetooth
bluesnarfing
33
an encryption method that provides a small footprint and/or low computational complexity for resource-constrained systems such as an Internet of Things (IoT) device.
lightweight cryptography
34
the manual review of code to identify oversights, mistaken assumptions, or a lack of knowledge or experience. This may ensure security or improve the code depending on who is peer-reviewing it.
static code analysis
35
a tool that is placed between an organization’s resources and a cloud service provider that enforces defined security-based policies while monitoring traffic
CASB (Cloud Access Security Broker)
36
a database of information about vulnerabilities that are codified as signatures.
CVE (Common Vulnerabilities and Exposures)
37
used to monitor social media for incidents, such as disgruntled consumers posting negative content. In terms of security, this can be used to gather threat intelligence.
sentiment analysis
38
an appliance designed to perform centralized public key infrastructure (PKI) management, key generation, or key escrow for devices
HSM (Hardware Security Module)
39
a phishing attack conducted through a voice channel (telephone or VoIP, for instance)
Vishing
40
an encryption method that allows computation to be performed directly on encrypted data without requiring access to a secret key. Analysis can apply functions on encrypted data without needing to reveal the values of the data
Homomorphic encryption
41
lists every person who has worked with or who has touched the evidence that is a part of an investigation
chain of custody
42
collecting information that is widely and openly available from publicly available sources
passive reconnaissance
43
Put the following in the order evidence should be collected based on volatility: swap file, processor cache, hard drive or USB drive, random access memory
  1. Processor cache
  2. Random Access Memory
  3. Swap File
  4. Hard Drive or USB Drive
44
information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation
SPI (Sensitive Personal Information)
45
a pattern matching technique that uses a structured database of string values to detect matches; may use format or sequence
EDM (Exact Data Match)
46
used to enable access to a directory of resources and uses a client-server model for mutual authentication
LDAPS
47
access control type that requires all access to be predefined based on system classification, configuration, and authentication
MAC (Mandatory Access Control)
48
nslookup command that requests DNS records for only the name servers
set type=ns
49
most common vulnerability found on Windows and Linux systems
missing patches
50
fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire
FM-200
51
a popular vulnerability scanner that can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities, and perform compliance auditing
Nessus
52
a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development
Metasploit
53
United States federal law that requires financial institutions to explain how they share and protect their customers’ private information
The Gramm-Leach-Bliley Act (GLBA)
54
a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms
Sarbanes-Oxley (SOX)
55
United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments
Family Educational Rights and Privacy Act (FERPA)
56
creates perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including copying the slack, unallocated, and free space on a given drive
FTK Imager
57
data sanitization technique that involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings
Clearing
58
a system on a network used to access and manage devices in a separate security zone
jumpbox
59
a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks
Aircrack-ng
60
creates a reverse shell from a victimized machine back to an attacker.
Netcat
61
a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain
wildcard certificate
62
a centralized solution that allows administrators to create and enforce policies for mobile devices, such as pushing updates, preventing certain apps, and turning functions on/off
MDM (Mobile Device Management)
63
a means of separating personal and work data
storage segmentation
64
The four steps of patch management
  1. Planning
  2. Testing
  3. Implementing
  4. Auditing
65
a method of creating a policy to deploy across a large number of devices
GPO (Group Policy Object)
66
cryptographic module embedded in a computer to enforce trusted execution and attest to boot settings and metrics
Root of Trust (ROT)
67
UEFI feature that gathers secure metrics to validate the boot process in an attestation report
measured boot
68
type of attack where the attacker breaks out of a normally isolated VM by interacting directly with the hypervisor
VM escape
69
contents of a virtual machine that exist as deleted files on a cloud based server after the deprovisioning of a virtual machine
data remnants
70
authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner
Kerberos
71
authentication protocol in which users supply authentication information to authentication client devices, which are then passed to an AAA server that processes the request
RADIUS
72
regulation that applies to companies of any size that accept credit card payments
PCI-DSS (Payment Card Industry Data Security Standard)
73
password-based authentication protocol that is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs and can be used with EAP
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2)
74
a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure
EAP (Extensible Authentication Protocol)
75
positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy.
reverse proxy
76
what is Cain and Abel used for?
password cracking
77
attack that uses a single ping with a spoofed source address sent to the broadcast address of a network, causing every host on that network to reply to the spoofed address and overwhelm the victim with responses to the initial ping
smurf
78
the team assigned the role of judge, enforcing rules and handling requests and issues in a cybersecurity training exercise
white team
79
encryption algorithms that break input into 64 bit blocks
DES, IDEA, Blowfish
80
encryption algorithm that uses 128 bit, 192 bit, 256 bit blocks
AES
81
encryption algorithm that uses 128 bit blocks
Twofish
82
encryption algorithm that uses a variable key size of 40 bits to 2048 bits
RC4
83
type of attacker that usually quietly gathers information from compromised systems
APT
84
involves removing sensitive data from a hard drive using the device's internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Data cannot be recovered even in a lab environment
purging
85
use of a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media; may be performed with a 1x, 7x, or 35x overwrite, with a higher number of passes being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Some tools may allow data recovery
data wiping/clearing
86
a cloud deployment model where the cloud consumer uses multiple public cloud services
multi-cloud
87
describes the overall accuracy of a biometric system, and the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal
crossover error rate
88
a hardware-based cryptographic processing component that is a part of the motherboard
TPM (Trusted Platform Module)
89
shared authentication protocol designed to facilitate the sharing of information (resources) within a user profile between sites
OAuth
90
an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields
Open ID Connect (OIDC)
91
utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies
Hping
92
most secure protocol for use with VPNs
IPsec
93
a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network
Heuristic analysis
94
open-source intelligence provider that allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community
VirusTotal
95
a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices
secure erase
96
method of sanitization in which storage media is encrypted by default, and the encryption key itself is destroyed during the erasing operation. Often used with solid-state drives
cryptographic erase (CE)
97
conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service being run
banner grabbing
98
how do you calculate Single Loss Expectancy (SLE)?
Asset Value (AV) x Risk Factor (RF)
99
how do you calculate Annual Loss Expectancy (ALE)?
Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)
100
techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key
key stretching
101
XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes; a solution for providing single sign-on (SSO) and federated identity management
SAML (Security Assertions Markup Language)
102
What does a User-Agent request a resource from when conducting a SAML transaction?
Service Provider (SP)
103
used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
SOAR (Security Orchestration Automation and Response)
104
Port number that is encrypted by default for LDAP
Port 636
105
netcat command that signifies listening and a listening port
-l -p
106
which type of attack may insert an always-true statement (e.g. 7 == 7)?
SQL injection
107
if port 443 is in use, which protocols would you expect to see used?
HTTPS, SSL, or TLS
108
an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks
fuzzing
109
type of scan that is generally unable to detect many vulnerabilities on a device
uncredentialed scan
110
role that is primarily responsible for data quality. This involves ensuring data are labeled and identified with appropriate metadata, and that data are collected and stored in a format and with values that comply with applicable laws and regulations
data steward
111
role that handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures
data custodian
112
role that is responsible for oversight of any PII/SPI/PHI assets managed by the company.
privacy officer
113
authentication system that uses a username and password
PAP (Password Authentication Protocol)
114
why is SMS insecure?
it may be accessible to attackers via VoIP or other systems, and is unable to be encrypted
115
when should you schedule vulnerability scans of an organization's data center?
during periods of low activity
116
During which incident response phase is the preservation of evidence performed?
containment, eradication, and recovery
117
biometric authentication factor that relies on matching patterns on the eye's surface using near-infrared imaging; most accurate and least intrusive of the eye scans
iris scan
118
an attack combining the dictionary and brute force methods into a single tool
hybrid attack
119
hashing algorithm that creates a 160-bit fixed output
RIPEMD
120
hashing algorithm that creates a 256-bit fixed output
SHA-2
121
two hashing algorithms that create a 128-bit fixed output
NTLM and MD-5
122
the least secure wireless security and encryption protocol
WEP
123
tool that could be used to detect unexpected output from an application being managed or monitored
behavior-based analysis tool
124
world's most popular open-source port scanning utility
nmap
125
conducted by walking around a building while locating wireless networks and devices
war walking
126
process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system
Pass the Hash (PtH)
127
a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks
Insecure direct object references (IDOR)
128
the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes
Attribute-based access control (ABAC)
129
analysis framework that makes no allowance for an adversary retreat in its analysis
The Lockheed Martin cyber kill chain
130
most secure access control method
MAC (Mandatory Access Control)
131
inspects the code for possible errors and issues without actually running the code
static code analyzer
132
security policy that could help detect fraudulent cases that occur even when other security controls are already in place
mandatory vacation
133
software that detects potential data breaches/ data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest
Data Loss Prevention (DLP) Software
134
command used to display information about the current wired network connection on a Linux system, including its IP address, subnet mask, and MAC address
ip
135
a type of virus that uses various techniques to protect itself from being reverse engineered. This includes changing its code during execution and encrypting its payloads
armored virus
136
protects against web application vulnerabilities like SQL injections
WAF (Web Application Firewall)
137
an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible
runbook
138
what encryption algorithm is NOT PKI x.509 compliant and cannot be used in various secure functions
Blowfish
139
Cisco's replacement for LEAP. It addresses LEAP vulnerabilities using TLS (Transport Layer Security) with PAC (Protected Access Credential) instead of certificates
EAP-FAST (Flexible Authentication via Secure Tunneling)
140
uses a server-side public key certificate to create an encrypted tunnel between the supplicant and authentication server; industry standard.
PEAP (Protected Extensible Authentication Protocol)
141
a secure hash of a password sent to the authenticating server. By itself, this does not provide mutual authentication from the client to the supplicant.
EAP-MD5
142
multiple organizations allow access to each other's users by joining their RADIUS servers into a RADIUS hierarchy
RADIUS federation
143
the attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re-enable the connection
replay attack
144
a type of brute force attack aimed at exploiting collisions in hash functions. The purpose of this type of attack is to forge a digital signature.
birthday attack
145
an attack that can facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths
downgrade attack
146
the process of extracting data from a computer when that data has no associated file system metadata
carving
147
occurs when a software product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.
EOL (End of Life)
148
occurs when a product will no longer be supported by a vendor. Updates and patches will no longer be produced
EOS (End of Service life)
149
outdated computing software or hardware that is still in use, but generally will receive no support or maintenance
legacy system
150
the five functions referenced by the NIST
Identify, Protect, Detect, Respond, Recover
151
devices that perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks
edge gateways
152
the process in which a product is continually tested throughout the development lifecycle to ensure it is meeting the functional and security goals of a customer
continuous validation
153
the process of delivering software to a production environment using automation, reducing the software development lifecycle
continuous deployment
154
provides encryption and authentication for RTP (Real-Time Protocol) data in unicast and multicast data flows. It encrypts all data sent and received by each SIP endpoint for the entire journey; can be used to encrypt VoIP calls
SRTP (Secure Real-time Transport Protocol)
155
protocol that uses digital certificates to authenticate the endpoints and establish a TLS tunnel
SIP (Session Initiation Protocol) (or SIPS, the secure version)
156
what software development security feature is commonly known as stack protection and does not execute the source code?
compiler
157
which generation of antivirus software is characterized by signature-based detection and prevention of known viruses?
first generation antivirus software
158
which generation of antivirus software can detect other malicious software such as Trojans, spyware, and crypto jackers?
anti-malware software
159
what piece of technology features application aware filtering?
firewalls
160
penetration technique that uses remote access and tunneling protocols to bypass a network boundary and compromise servers on an internal network
pivot
161
an asymmetric cryptographic key that is generated for each execution of a key establishment process.
ephemeral key
163
secure areas that protect resources against unauthorized users and spillage of information, utilizing a host that is not physically connected to any network
air gap
164
which data state will require the encryption keys stay safe for the longest period of time?
data at rest
165
an attack where an attacker, with access to the network, redirects an IP address to the MAC address of an unintended computer, allowing them to sniff all traffic on a switched network
ARP poisoning
166
two terms that refer to a document that guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories
Incident Response Plan or Runbook
167
occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test
white-box testing
168
Occurs when a tester is not provided with any information about the system or program prior to conducting the test
black-box testing
169
Linux command that allows for viewing the entire contents of one or more files
cat
170
Linux command that outputs the first 10 lines of a provided file by default. This can be adjusted to output more or fewer lines using the -n switch
head
171
Linux command that outputs the last 10 lines of a provided file by default. This can be adjusted to output more or fewer lines using the -n switch
tail
172
method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
pinning
173
Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake
OCSP Stapling
174
A protocol that allows you to determine the revocation status of a digital certificate using its serial number
OCSP (Online Certificate Status Protocol)
175
a command-line tool to transfer data to or from a server using supported protocols, such as HTTP, FTP, or IMAP. It is commonly used in web scrapers or for downloading files from the web to local storage
curl
176
a device that converts mechanical energy into electrical energy for use in a peripheral circuit; an expensive option for power failover that does not immediately provide power
generator
177
convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced
honeyfile
178
two things to note about any time offset when performing analysis on a breached system
daylight savings time and UTC
179
an asymmetric public and private key-based cryptographic technique for encrypting data. Generates keys through the properties of a special equation, providing smaller and more efficient cryptographic key processes.
Elliptic curve cryptography (ECC)
180
three places where one might find operating system files during acquisition
cache, pagefile, RAM
181
what two integrity concepts utilize the TPM?
  • boot attestation
  • measured boot
182
a header option that forces the browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping
HTTP Strict Transport Security (HSTS)
183
a header option that mitigates clickjacking, script injection, and other client-side attacks
Content Security Policy (CSP)
184
provides a vector for a popular social engineering technique that drops infected USB media around college campuses. Also used for war flying.
UAV (Unmanned Aerial Vehicle) aka drone
185
four core features of the Diamond Model of Intrusion Analysis
adversary, capability, infrastructure, and victim
186
two configurations to increase router security
  1. block source routed packets
  2. message authentication
187
category of control that gives oversight of an information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
managerial control
188
category of control that is implemented primarily by people rather than systems. For example, a security guard
operational control
189
nmap command that is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state
-sS
190
nmap command that scans UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
-sU
191
nmap command to specify a port range.
-p
192
how many commonly used ports does an nmap scan check by default?
1000
193
nmap scan to find open ports
-o
194
type of data that is too valuable to allow any risk of capture; may be top secret. Escalate any breaches immediately
critical data
195
an electronic device that records information and communicates the information to the consumer remotely.
smart meter
196
a combination of hardware and software that contains a dedicated function and uses a computer component to complete the function
embedded system
197
mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at their convenience
POP3
198
a digital file accurately representing the contents and configuration of a disk volume or a whole data storage unit, including a bootloader and operating system (OS)
disk image
199
a point-in-time copy of data maintained by the file system; commonly a live acquisition. Has less validity than a disk image
snapshot
200
what are some reasons you might choose to use a stateless firewall?
ease of setup with basic rules, block certain ports, set rules for protocol ID or type
201
a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console.
transit gateway
202
a set of specifications that defines a management interface for a host application to activate, provision, and manage encryption of user data on self-encrypting drives (SED)
Opal security subsystem class
203
control type that serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection
compensating control
204
control type that acts to eliminate or reduce the likelihood that an attack can succeed. It operates before an attack can take place. An example of this control type is a lock
preventative control
205
control type that acts to eliminate or reduce the impact of an intrusion event. It is used after an attack
corrective control
206
three common constraints of embedded systems
  • cryptographic capability
  • network range
  • compute power
207
publications from the Internet Engineering Task Force (IETF) and other related bodies or organizations that detail how certain technologies are used and their best practices
Request for Comments (RFC)
208
a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services
SWG (Secure Web Gateway)
209
the principle that developers should commit and test updates often, such as every day or sometimes even more frequently.
Continuous integration
210
the level of risk before any type of mitigation has been attempted
inherent risk
211
the likelihood and impact of risk after specific mitigation, transference, or acceptance measures have been applied
residual risk
212
allows compatible scanners to determine whether a computer meets a configuration baseline
SCAP (Security Content Automation Protocol)