SY0-701: 4.0 (Security Operations) Flashcards
DLP (4.4)
Data Loss Prevention- Monitors data while it is in use, in transit, or at rest in order to detect and block attempts to exfiltrate it; implemented as hardware, software, or a cloud service
Endpoint DLP Systems (4.4)
A piece of software installed on a workstation or laptop that monitors the data in use on that computer (e.g., copying to removable media, the clipboard, or a printer)
Network DLP System (4.4)
A piece of software or hardware placed at the perimeter of the network to detect data in transit
Storage DLP System (4.4)
Software installed on a server which inspects the data while it’s at rest
Cloud-Based DLP System (4.4)
Usually offered as Software as a Service (SaaS) and it’s part of the cloud service and storage system
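The DLP cards above describe where the inspection happens but not what "detecting" data looks like. The following is an added example, not part of the original flashcards or any vendor's product: a content-inspection step in the style an endpoint or network DLP engine runs over a file, an email body, or a web upload. It pairs a pattern match with a Luhn checksum so that an order number made of 13 digits is not mistaken for a card number, and shows the block/redact decision. The patterns, the sample text, and the card number 4111 1111 1111 1111 (a standard test number) are all constructed for the example.

```python
import re

# Candidate patterns (constructed for this example): 13-19 digit runs that may be
# separated by spaces or dashes, and the US SSN layout. Real DLP engines ship
# tuned patterns per data type, but the flow is the same: match, then validate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalized card numbers that match the shape AND pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a DLP redaction action would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace validated card numbers and SSN-shaped values; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    text = PAN_CANDIDATE.sub(_sub, text)
    return SSN_PATTERN.sub("***-**-****", text)


def inspect(text: str) -> dict:
    """Policy decision for one piece of content (a file, an email body, a web form)."""
    pans = find_pans(text)
    ssns = SSN_PATTERN.findall(text)
    return {
        "pans": pans,
        "ssns": ssns,
        "verdict": "block" if pans or ssns else "allow",
        "redacted": redact(text),
    }


# Constructed sample content: one Luhn-valid test card number, one Luhn-invalid digit
# run (an order number that must NOT be flagged) and one SSN-shaped value.
SAMPLE = (
    "Order 1234567890123 paid with card 4111 1111 1111 1111 exp 12/29. "
    "Employee SSN 123-45-6789 on file."
)

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

The Luhn step is what keeps the false-positive rate tolerable on an endpoint; a shape-only regex blocks invoices and tracking numbers and users quickly learn to work around the agent.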
Acquisition / Procurement (4.2)
Acquisition- Process of obtaining goods or services
Procurement- Encompasses the full process of acquiring goods and services, including all preceding steps
BYOD (4.1)
Bring Your Own Device- Permits employees to use personal devices for work
-Employees, not the organization, control device security, which limits how much policy the organization can enforce
COPE (4.1)
Corporate-Owned, Personally Enabled- Involves the company providing a mobile device to employees for both work and personal use
CYOD (4.1)
Choose Your Own Device- Offers a middle ground between BYOD and COPE by allowing employees to choose devices from a company-approved list
Asset Management (4.2)
Refers to the systematic approach to governing and maximizing the value of items an entity is responsible for throughout their lifecycle
Assignment / Allocation of Assets (4.2)
Every organization should designate individuals or groups as owners of the assets
Asset Classification (4.2)
Involves categorizing assets based on criteria like function, value, or other relevant parameters as determined by the organization
Asset Monitoring (4.2)
Maintaining an inventory/record of every asset including specifications, location, assigned users, and other relevant details
Asset Tracking (4.2)
Takes asset monitoring a bit further; Involves maintaining a comprehensive inventory with asset specifications, locations, and assigned users, along with its condition and status using specialized software
Asset Enumeration (4.2)
Involves identifying and counting assets, especially in large organizations or during times of asset procurement or retirement
MDM (4.2)
Mobile Device Management- Lets organizations securely oversee employee devices, ensuring policy enforcement, software consistency, and data protection
Special Publication 800-88 (4.2)
Guidelines for Media Sanitization- NIST guidance on the clear, purge, and destroy methods of sanitizing media and on certifying that sanitization was done
Media Sanitization (4.2)
Thorough process of making data on a storage medium inaccessible and irretrievable, even with forensic recovery methods
-Overwriting data
-Degaussing
-Cryptographic erase (destroying the key that encrypts the data)
CE (Media Sanitization) (4.2)
Cryptographic Erase- Sanitizes encrypted (e.g., self-encrypting) media by destroying the encryption key; far faster than overwriting the whole medium because only the key is erased, and the stored data is left behind as unrecoverable ciphertext. Only valid if all data was encrypted from the start and the key was never exposed
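An added example (not from the original flashcards or from any drive vendor) to make the cryptographic-erase card concrete: a toy model of a self-encrypting drive in which every block is encrypted under a media encryption key that never leaves the device. Assumption: HMAC-SHA256 in counter mode stands in for the AES-XTS a real drive uses, because the point is the sanitization logic, not the cipher. It shows that destroying the one key takes a single operation regardless of capacity, that the controller can no longer return plaintext afterward, and that the raw flash still holds ciphertext (which is exactly why the key must never have leaked).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class SelfEncryptingStore:
    """Toy self-encrypting drive: all blocks encrypted under a media encryption key (MEK)."""

    def __init__(self) -> None:
        self._mek: bytes | None = secrets.token_bytes(32)
        self._blocks: dict[int, bytes] = {}

    def _keystream(self, lba: int, length: int) -> bytes:
        # Assumption: HMAC-SHA256(MEK, lba || counter) stands in for AES-XTS/AES-CTR.
        if self._mek is None:
            raise RuntimeError("media encryption key destroyed: data unrecoverable")
        out = bytearray()
        counter = 0
        while len(out) < length:
            msg = lba.to_bytes(8, "big") + counter.to_bytes(8, "big")
            out += hmac.new(self._mek, msg, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def write(self, lba: int, data: bytes) -> None:
        ks = self._keystream(lba, len(data))
        self._blocks[lba] = bytes(p ^ k for p, k in zip(data, ks))

    def read(self, lba: int) -> bytes:
        ct = self._blocks[lba]
        ks = self._keystream(lba, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))

    def raw_block(self, lba: int) -> bytes:
        """What an attacker sees by reading the flash directly, bypassing the controller."""
        return self._blocks[lba]

    def overwrite_erase(self) -> int:
        """Traditional sanitization: rewrite every block. Cost grows with capacity."""
        for lba in list(self._blocks):
            self.write(lba, b"\x00" * len(self._blocks[lba]))
        return len(self._blocks)

    def crypto_erase(self) -> int:
        """NIST SP 800-88 purge via cryptographic erase: destroy only the MEK.
        Constant cost regardless of how much data is stored."""
        self._mek = None   # a real drive zeroizes the key register / regenerates the MEK
        return 1


def recoverable(store: SelfEncryptingStore, lba: int, expected: bytes) -> bool:
    """True if the original plaintext can still be read back through the controller."""
    try:
        return store.read(lba) == expected
    except RuntimeError:
        return False


def demo() -> dict:
    """Constructed scenario: 1000 blocks on two drives, one crypto-erased, one overwritten."""
    secret = b"patient record: Jane Doe, DOB 1980-01-01"
    sed, legacy = SelfEncryptingStore(), SelfEncryptingStore()
    for lba in range(1000):
        sed.write(lba, secret)
        legacy.write(lba, secret)
    readable_before = recoverable(sed, 0, secret)
    crypto_ops = sed.crypto_erase()
    overwrite_ops = legacy.overwrite_erase()
    return {
        "readable_before": readable_before,
        "readable_after": recoverable(sed, 0, secret),
        "ciphertext_still_present": len(sed.raw_block(0)) == len(secret) and sed.raw_block(0) != secret,
        "crypto_erase_ops": crypto_ops,
        "overwrite_erase_ops": overwrite_ops,
        "legacy_readable_after": recoverable(legacy, 0, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The practical caveat is in the raw_block method: cryptographic erase leaves the ciphertext in place, so it is only an acceptable purge when the drive encrypted everything from first use and the key was generated and held on-device.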
Media Destruction (4.2)
Ensures the physical device itself is beyond recovery or reuse
-Shredding
-Pulverizing
-Melting
-Incinerating
Certification (Media Sanitization) (4.2)
An act of proof that the data or hardware has been securely disposed of
Port (4.5)
Logical communication endpoint that exists on a computer or server
Inbound Port (4.5)
Logical communication opening on a server that is listening for a connection from a client
Outbound Port (4.5)
Logical communication opening created on a client in order to call out to a server that is listening for a connection
Well-Known Ports (4.5)
Ports 0 to 1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)
Registered Ports (4.5)
Ports 1024 to 49,151 are considered registered and can be registered with IANA by vendors and developers for their specific applications and protocols
Dynamic and Private Ports (4.5)
Port 49,152 to 65,535 can be used by any application without being registered with IANA
Protocol (4.5)
Rules governing device communication and data exchange
Port 21 (4.5)
Over TCP
FTP: File Transfer Protocol
Used to transfer files from host to host
Port 22 (4.5)
Over TCP
SSH: Secure Shell
SCP: Secure Copy Protocol
SFTP: Secure File Transfer Protocol
Provides secure remote terminal access as well as file transfer capabilities (SSH)
Provides secure copy functions (SCP)
Provides secure file transfers (SFTP)
Port 23 (4.5)
Over TCP
Telnet
Provides remote control of another machine using a text-based environment; the predecessor of SSH, it sends credentials and sessions unencrypted and is therefore insecure
Port 25 (4.5)
Over TCP
SMTP: Simple Mail Transfer Protocol
Provides the ability to send emails over the network
Port 53 (4.5)
Over TCP and UDP
DNS: Domain Name System
Translates domain names into IP addresses
Port 69 (4.5)
Over UDP
TFTP: Trivial File Transfer Protocol
Used as a lightweight file transfer method for sending configuration files or network booting of an operating system
Port 80 (4.5)
Over TCP
HTTP: Hyper-Text Transfer Protocol
Used for unsecured web browsing
Port 88 (4.5)
Over TCP and UDP
Kerberos
Network authentication protocol that uses tickets issued by a Key Distribution Center (KDC); the default authentication protocol in Active Directory
Port 110 (4.5)
Over TCP
POP3: Post Office Protocol version 3
Responsible for retrieving email from a server
Port 119 (4.5)
Over TCP
NNTP: Network News Transfer Protocol
Used for accessing newsgroups
Port 135 (4.5)
Over TCP and UDP
RPC: Remote Procedure Call
Facilitates communication between different system processes
Ports 137, 138, and 139 (4.5)
Over TCP and UDP
NetBIOS
Networking protocol suite for legacy Windows networking: 137 name service and 138 datagram service over UDP, 139 session service over TCP
Port 143 (4.5)
Over TCP
IMAP: Internet Message Access Protocol
Allows access to email messages on a server
Port 161 (4.5)
Over UDP
SNMP: Simple Network Management Protocol
Manages network devices
Port 162 (4.5)
Over UDP
SNMP Trap
Responsible for sending SNMP trap messages
Port 389 (4.5)
Over TCP
LDAP: Lightweight Directory Access Protocol
Facilitates directory services
Port 443 (4.5)
Over TCP
HTTPS: Hyper-Text Transfer Protocol Secure
Provides secure web communication
Port 445 (4.5)
Over TCP
SMB: Server Message Block
Used for file and printer sharing over a network
Ports 465 and 587 (4.5)
Over TCP
SMTPS: Simple Mail Transfer Protocol Secure
Provides secure SMTP communication: 465 is SMTP over implicit TLS, and 587 is the mail submission port, secured with STARTTLS
Port 514 (4.5)
Over UDP
Syslog
Used for sending log messages
Port 636 (4.5)
Over TCP
LDAPS: Lightweight Directory Access Protocol Secure
LDAP communication over SSL/TLS
Port 993 (4.5)
Over TCP
IMAPS: Internet Message Access Protocol Secure
Used for secure email retrieval over SSL/TLS
Port 995 (4.5)
Over TCP
POP3S: Post Office Protocol Secure
Used for secure email retrieval over SSL/TLS
Port 1433 (4.5)
Over TCP
Microsoft SQL
Used to facilitate communication with Microsoft SQL Server
Ports 1645 and 1646 (4.5)
Over UDP
RADIUS (legacy ports)
Used for remote authentication, authorization, and accounting; the original, unofficial RADIUS ports, superseded by 1812 and 1813
Ports 1812 and 1813 (4.5)
Over UDP
RADIUS UDP
Used for authentication and accounting as defined by the Internet Engineering Task Force (IETF)
Port 3389 (4.5)
Over TCP
RDP: Remote Desktop Protocol
Enables remote desktop access
Port 6514 (4.5)
Over TCP
Syslog TLS
Secure syslog over TLS; the log stream is encrypted and the collector is authenticated with a certificate before messages cross the network, unlike plaintext syslog on UDP 514
ACL (4.5)
Access Control List- A rule set placed on firewalls, routers, and other network infrastructure devices that permits or denies traffic through a particular interface
IAM (4.6)
Identity and Access Management- Systems and processes used to manage access to information in an organization to ensure that the right individuals have access to the right resources at the right times for the right reasons
Identification (4.6)
Process where a user claims an identity to a system, typically using a unique identifier like a username or an email address
Authentication (4.6)
Process of verifying the identity of a user, device, or system by validating the credentials provided against a database of authorized users
Authorization (4.6)
Process that determines what permissions or levels of access the user has
Accounting (4.6)
Process of tracking and recording user activities
IAM 4 Steps (4.6)
Identification
Authentication
Authorization
Accounting
Provisioning (4.6)
Process of creating new user accounts, assigning them appropriate permissions, and providing users with access to systems
Identity Proofing (4.6)
Process of verifying the identity of a user before the account is created
Interoperability (4.6)
The ability of different systems, devices, and applications to work together and share information
Attestation (4.6)
Process of validating that user accounts and access rights are correct and up-to-date
MFA (4.6)
Multi-Factor Authentication- Security system that requires more than one method of authentication from independent categories of credentials (something you know, have, or are) to verify the user's identity
Passkeys (4.6)
Users can create and access online accounts without needing to input a password; the public key is stored on the server and the private key on the user's device, so if the server is compromised the attacker only gets the public key, and there is no shared secret to phish
Password Security (4.6)
Measures a password's ability to resist guessing and brute-force attacks
Password Policy Characteristics (4.6)
Length- should be 12-16 characters
Complexity- mix case, numbers and symbols
Reuse- using the same password for different accounts increases risk
Expiration- mandates regular password changes (no longer recommended, per NIST SP 800-63B, because users are more likely to choose weaker or reused passwords; change passwords when compromise is suspected instead)
Age- length of time password has been in use
Password Managers (4.6)
Tools that store, generate, share, and autofill passwords to enhance security
Passwordless Authentication (4.6)
Authenticates users without a memorized password, removing a phishable and reusable secret while improving the user experience
-Biometrics
-Hardware tokens
-One-time passwords (OTP- e.g. code sent to phone or email)
-Magic links (email link automatically logs user into website)
-Passkeys (integrate with the browser or operating system)
SSO (4.6)
Single Sign-On- Authentication process that allows a user to access multiple applications or websites by logging in only once with a single set of credentials
IdP (4.6)
Identity Provider- System that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network
Protocols used with single sign-on (SSO) (4.6)
LDAP/LDAPS- Lightweight Directory Access Protocol
OAuth- Open Authorization
SAML- Security Assertion Markup Language
OAuth (4.6)
Open standard for token-based delegated authorization that lets a third-party service use an individual's account data or APIs without ever receiving the user's password; "sign in with Google" builds authentication on top of it through OpenID Connect
SAML (4.6)
Security Assertion Markup Language- XML-based standard for logging users into applications based on their session with an identity provider; the service provider trusts the IdP's signed assertion instead of authenticating the user directly, which decouples services from identity providers
Federation (4.6)
Process that allows for the linking of electronic identities and attributes to store information across multiple distinct identity management systems
Federation Login Process (4.6)
Login Initiation
Redirection to an identity provider
Authenticating the user
Generation of an assertion
Returning to a service provider
Verification and access
PAM (4.6)
Privileged Access Management- Solutions that help organizations restrict and monitor privileged access within an IT environment
PAM key components (4.6)
Just-In-Time Permissions (JIT Permissions)
Password Vaulting
Temporal Accounts
JIT Permissions (4.6)
Security model where administrative access is granted only when needed for a specific period
Password Vaulting (4.6)
Technique used to store and manage passwords in a secure environment, such as in a digital vault
Temporal Accounts (4.6)
Used to provide time-limited access to resources, and they are automatically disabled or deleted after a certain period of time
MAC (reference access) (4.6)
Mandatory Access Control- Uses security labels (classifications) on subjects and objects to authorize access; used in high-security environments, where users cannot modify their own permissions
DAC (4.6)
Discretionary Access Control- The resource's owner determines which users can access each resource
RBAC (Role) (4.6)
Role-Based Access Control- Assigns users to roles and uses these roles to grant permissions to resources
RBAC (Rule) (4.6)
Rule-Based Access Control- Administrators define rules (e.g., time of day, source address) that apply to all users regardless of role
ABAC (4.6)
Attribute-Based Access Control- Uses object characteristics for access control decisions
Resource Attributes (4.6)
File creation date, resource owner, file owner, and data sensitivity
Time-of-day Restrictions (4.6)
Controls restrict resource access based on request times (e.g. don’t allow user logins during midnight hours)
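The access-control cards above (MAC, DAC, role-based, rule-based, ABAC, time-of-day) read as separate models, but in practice a policy decision point stacks them and denies by default. The following is an added example written for this page, not code from any product: a small evaluator in which a request must pass a role check, a time-of-day rule, a clearance-versus-sensitivity label check, and an attribute rule (owner or same department) before it is allowed, and which returns the first reason for a denial. The roles, users, resources and timestamps are constructed; the permission table is an assumption for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset[str]
    department: str
    clearance: int          # MAC-style label: 0 public .. 3 restricted


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    department: str
    sensitivity: int        # label the subject's clearance must dominate


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str             # read / write / delete
    at: datetime


# Role-based layer: roles map to the actions they may perform (constructed example roles).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))


def rbac_allows(req: Request) -> bool:
    return any(req.action in ROLE_PERMISSIONS.get(role, set()) for role in req.subject.roles)


def time_allows(at: datetime) -> bool:
    """Time-of-day restriction: weekdays within business hours only."""
    start, end = BUSINESS_HOURS
    return at.weekday() < 5 and start <= at.time() < end


def label_allows(req: Request) -> bool:
    """MAC-style check: the subject's clearance must be at least the resource's sensitivity."""
    return req.subject.clearance >= req.resource.sensitivity


def attribute_allows(req: Request) -> bool:
    """ABAC rule: the owner may always act on their own resource (the DAC idea);
    everyone else must belong to the resource's department."""
    s, r = req.subject, req.resource
    return r.owner == s.user or s.department == r.department


def decide(req: Request) -> tuple[bool, str]:
    """Deny by default: every layer must agree before access is granted."""
    checks = [
        (rbac_allows(req), f"role lacks '{req.action}' permission"),
        (time_allows(req.at), "outside permitted time window"),
        (label_allows(req), "clearance below resource sensitivity"),
        (attribute_allows(req), "department/ownership attributes do not match"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "allowed"


# Constructed subjects, resources and timestamps for the demonstration.
ALICE = Subject("alice", frozenset({"analyst"}), "finance", clearance=2)
BOB = Subject("bob", frozenset({"editor"}), "hr", clearance=1)
Q3_REPORT = Resource("q3-forecast.xlsx", owner="carol", department="finance", sensitivity=2)
BOB_NOTES = Resource("bob-notes.txt", owner="bob", department="hr", sensitivity=1)

TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
TUESDAY_2AM = datetime(2024, 3, 5, 2, 0)
SATURDAY_10AM = datetime(2024, 3, 9, 10, 0)

if __name__ == "__main__":
    for req in (
        Request(ALICE, Q3_REPORT, "read", TUESDAY_10AM),
        Request(ALICE, Q3_REPORT, "delete", TUESDAY_10AM),
        Request(ALICE, Q3_REPORT, "read", TUESDAY_2AM),
        Request(BOB, Q3_REPORT, "read", TUESDAY_10AM),
        Request(BOB, BOB_NOTES, "write", SATURDAY_10AM),
    ):
        print(req.subject.user, req.action, req.resource.name, "->", decide(req))
```

Returning the failing layer's reason matters for operations: it is what lets an analyst tell a permission-creep problem (role check passed when it should not have) from a mislabelled resource.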
Principle of Least Privilege (4.6)
A user should only have the minimum access rights needed to perform their job functions and tasks, and nothing additional or extra
Permission/Authorization Creep (4.6)
Occurs when a user gains excessive rights during their career progression in the company
UAC (4.6)
User Account Control (Windows)- A mechanism that runs processes with standard-user rights and ensures that actions requiring administrative rights are explicitly authorized by the user
DAC (Linux default) (4.5)
Discretionary Access Control- Standard Linux permissions: each object has an owner-controlled list of entities allowed to access it; SELinux layers mandatory access control on top of this
Context-Based Permission (4.5)
Permission schemes that are defined by various properties for a given file or process
Baselining (4.5)
Process of measuring changes in the network, hardware, or software environment
Security Template (4.5)
A group of policies that can be loaded through one procedure
Group Policy Editors (4.5)
gpedit (Windows)
Group Policy (4.5)
Set of rules or policies that can be applied to a set of users or computer accounts within an operating system
SELinux (4.5)
Security-Enhanced Linux- Mandatory access control (MAC) built into the Linux kernel and enabled by default on distributions such as CentOS, Red Hat Enterprise Linux, and Fedora; its context-based permissions are checked after the normal DAC permissions
defines four context fields for each file and process (user:role:type:level)
1. User- SELinux user the object or process belongs to (_u)
2. Role- Defines what roles can access a given object (_r)
3. Type- Groups objects together that have similar security requirements or characteristics; the field most policy rules are written against (_t)
4. Level- MLS/MCS sensitivity level and optional categories of a given file, directory, or process (e.g. s0 or s0:c0.c1023)
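To make the context fields concrete, here is an added example (not from the original flashcards or from the SELinux project) that parses the user:role:type:level string as printed by ls -Z or ps -Z, checks the _u/_r/_t naming conventions, and shows why type enforcement denies Apache a file that DAC would allow: the decision is made on the file's type, not its mode bits. The ls -Z lines and the set of httpd-readable types are constructed for the example and only a subset of the real targeted policy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# user:role:type[:level]; level is an MLS/MCS sensitivity (s0), optionally a range
# (s0-s0) with categories (c0.c1023).
CONTEXT_RE = re.compile(
    r"^(?P<user>[\w.-]+):(?P<role>[\w.-]+):(?P<type>[\w.-]+)"
    r"(?::(?P<level>s\d+(?:-s\d+)?(?::[\w.,]+)?))?$"
)


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    level: str | None

    @property
    def warnings(self) -> list[str]:
        """Flag identifiers that break the conventional _u/_r/_t suffixes."""
        w = []
        if not self.user.endswith("_u") and self.user != "root":
            w.append(f"user '{self.user}' does not end in _u")
        if not self.role.endswith("_r"):
            w.append(f"role '{self.role}' does not end in _r")
        if not self.type.endswith("_t"):
            w.append(f"type '{self.type}' does not end in _t")
        return w


def parse_context(text: str) -> SELinuxContext:
    m = CONTEXT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid SELinux context: {text!r}")
    return SELinuxContext(m["user"], m["role"], m["type"], m["level"])


def parse_ls_z(line: str) -> tuple[SELinuxContext, str]:
    """Split an 'ls -Z' style line (context first, then the path) into its parts."""
    ctx, _, path = line.strip().partition(" ")
    return parse_context(ctx), path.strip()


# Assumption: a small subset of the types the targeted policy lets httpd_t read.
HTTPD_READABLE_TYPES = {"httpd_sys_content_t", "httpd_sys_rw_content_t", "httpd_sys_script_exec_t"}


def httpd_can_read(file_ctx: SELinuxContext) -> bool:
    """Type enforcement in one line: the answer depends on the file's type label, not on
    the DAC mode bits, which is why a world-readable file labelled user_home_t still fails."""
    return file_ctx.type in HTTPD_READABLE_TYPES


# Constructed 'ls -Z' output.
LS_Z_OUTPUT = [
    "system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html",
    "unconfined_u:object_r:user_home_t:s0 /home/alice/site/index.html",
    "system_u:object_r:etc_t:s0 /etc/hosts",
]

if __name__ == "__main__":
    for line in LS_Z_OUTPUT:
        ctx, path = parse_ls_z(line)
        verdict = "httpd readable" if httpd_can_read(ctx) else "denied by type enforcement"
        print(path, ctx.type, verdict)
```

The second sample line is the classic support ticket: a site copied from a home directory keeps the user_home_t label, and the fix is relabelling (restorecon or chcon), not chmod.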
SELinux User Types (4.5)
unconfined_u (unconfined users; the default mapping for logins under the targeted policy)
user_u (unprivileged users)
sysadm_u (system administrators)
root (the root user)
SELinux Modes (4.5)
Disabled- SELinux is essentially turned off, and so MAC is not going to be implemented
Enforcing- All the SELinux security policies are being enforced
Permissive- SELinux is enabled but the security policies are not enforced
SELinux Policy Types (4.5)
Targeted- Policies are enforced only for specified objects
Strict- Policies are enforced for every object
Secure Baseline (4.1)
Standard security configuration applied to guarantee minimum security for a system, network, or application
Secure Baseline Steps (4.1)
Establish- Set up a system including security and applications and then create image
Deploy- Apply baseline image to assets
Maintain- Ensure systems are locked down and continually install patches/updates etc.
ESS (4.1)
Extended Service Set Configuration- Involves multiple wireless access points working together to create a unified and extended coverage area for users in a large building or facility
Optimal Wireless Channels for 2.4GHz Range (4.1)
Channels 1, 6, and 11 (When selected the listed channels won’t interfere with each other)
Site Survey (4.1)
Process of planning and designing a wireless network to provide a solution
Heat Map (4.1)
Graphical representation of the wireless coverage, the signal strength, and frequency utilization data at different locations on a map
WEP (4.1)
Wired Equivalent Privacy- Outdated 1999 wireless security standard, built on RC4, meant to give wireless networks security equivalent to a wired LAN; broken and must not be used
64-bit- 40 bits of key data with 24-bits of initialization vector
128-bit- 104 bits of key data with 24-bits of initialization vector
WPA (4.1)
Wi-Fi Protected Access- Introduced in 2003 as a temporary improvement over WEP while the more robust IEEE 802.11i standard was in development
WPA2 (4.1)
Wi-Fi Protected Access 2- Improved data protection and network access control by addressing weaknesses in WPA; replaced TKIP/RC4 with AES (Advanced Encryption Standard) and adopted CCMP for stronger encryption and integrity
TKIP (4.1)
Temporal Key Integrity Protocol- Mixes a 128-bit temporal key with the packet sequence counter so every packet is encrypted with a different RC4 key, eliminating WEP's key-reuse vulnerability; now deprecated itself
WPA3 (4.1)
Wi-Fi Protected Access 3- Latest version using AES (Advanced Encryption Standard) encryption and introducing new features like SAE (Simultaneous Authentication of Equals), OWE (Enhanced Open/Opportunistic Wireless Encryption), updated cryptographic protocols, and Protected Management Frames
CCMP (4.1)
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol- AES-based encryption and integrity protocol that replaced TKIP in WPA2
AES (4.1)
Advanced Encryption Standard
MIC (4.1)
Message Integrity Code
SAE (4.1)
Simultaneous Authentication of Equals- Replaces the WPA2 pre-shared-key handshake with a password-authenticated key exchange (Dragonfly), so a captured handshake cannot be used for offline dictionary attacks against the passphrase
OWE (4.1)
Enhanced Open/Opportunistic Wireless Encryption- Major advancement for networks using open authentication: each client gets its own encrypted session via an unauthenticated Diffie-Hellman exchange, so traffic on a password-less network cannot be casually sniffed
Cryptographic Protocol (4.1)
Uses a newer variant of AES (Advanced Encryption Standard) known as the AES GCMP (Galois Counter Mode Protocol)
GCMP (4.1)
Galois Counter Mode Protocol- AES-GCM based protocol; WPA3-Personal keeps 128-bit AES, while the WPA3-Enterprise 192-bit security mode uses GCMP-256
Protected Management Frames (PMF) (4.1)
Mandatory in WPA3 (optional in WPA2 via 802.11w); protects management frames such as deauthentication and disassociation from eavesdropping, forging, and tampering, which defeats the spoofed-deauth attacks used to knock clients off the network
AAA Protocol (4.1)
Authentication, Authorization, and Accounting Protocol- Plays a vital role in network security by centralizing user authentication so that only authorized users can access network resources
RADIUS (4.1)
Remote Authentication Dial-In User Service- Client/server protocol offering AAA (Authentication, Authorization, Accounting) services for network users
TACACS+ (4.1)
Terminal Access Controller Access-Control System Plus- Cisco-developed protocol that separates the functions of AAA (Authentication, Authorization, Accounting) to allow for more granular control; uses TCP port 49 and encrypts the entire packet body, whereas RADIUS only obscures the password
Authentication Protocols (4.1)
Confirm user identity for network security and authorized access
- EAP- Extensible Authentication Protocol
- PEAP- Protected Extensible Authentication Protocol
- EAP-TTLS- Extensible Authentication Protocol-Tunneled Transport Layer Security
- EAP-FAST- Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling
EAP (4.1)
Extensible Authentication Protocol- Authentication framework that supports multiple authentication methods
PEAP (4.1)
Protected Extensible Authentication Protocol- Authentication protocol that secures EAP within an encrypted and authenticated TLS (Transport Layer Security) tunnel
EAP-TTLS (4.1)
Extensible Authentication Protocol-Tunneled Transport Layer Security- Authentication protocol that extends TLS (Transport Layer Security) support across multiple platforms
EAP-FAST (4.1)
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling- Developed by Cisco, it enables secure re-authentication while roaming within a network without performing a full authentication each time
Application Security (4.1)
Critical aspect of software development that focuses on building applications that are secure by design
Application Security Areas (6) (4.1)
Input Validation
Secure Cookies
Static Code Analysis
Dynamic Code Analysis
Code Signing
Sandboxing
Input Validation (4.1)
Acts as a gatekeeper to ensure that applications only act on well-defined and uncontaminated data
Validation Rules (4.1)
Rules that delineate acceptable and unacceptable inputs
SAST (4.1)
Static Application Security Testing (aka Static Code Analysis)- Analyzes an application's source code for vulnerabilities and defects before the program is ever run
Manual Code Review (4.1)
Performing the code review using a human instead of a static analysis tool
Dynamic Code Analysis (4.1)
Testing method that analyzes an application while it’s running
Fuzzing (4.1)
aka Fuzz Testing- Finds software flaws by bombarding it with random data to trigger crashes and security vulnerabilities
Stress Testing (4.1)
Type of software testing that evaluates the stability and reliability of a system under extreme conditions
Code Signing (4.1)
Technique used to confirm the identity of the software author and guarantee that the code has not been altered or corrupted since it was signed
Sandboxing (4.1)
Security mechanism that is used to isolate running programs by limiting the resources and the changes they can make to a system
Persistent Agent (4.5)
Network access is granted using software installed on a device requesting network access
NAC (4.5)
Network Access Control- Scans devices for their security status before granting network access, safeguarding against both known and unknown devices
Non-Persistent Agent (4.5)
Network access is granted when users connect to Wi-Fi, are redirected to a captive web portal, and authenticate there; nothing is permanently installed on the device
Time-Based Network Access Control (4.5)
Users can only log onto network during specific times of the day
Location-Based Network Access Control (4.5)
Users can only log on from specified areas/locations
Web Filtering (4.5)
Technique used to restrict or control the content a user can access on the Internet
Agent-Based Web Filtering (4.5)
Installing a small piece of software known as an agent on each device that will require web filtering
Centralized Proxy (4.5)
Server that acts as an intermediary between an organization's end users and the Internet
URL Scanning (4.5)
Used to analyze a website's URL to determine whether it is safe to access
Content Categorization (4.5)
Websites are categorized based on content, like social media, adult content, or gambling, which are frequently restricted in the workplace
Block rules (4.5)
Specific guidelines set by an organization to prevent access to certain websites or categories of websites
Reputation-Based Filtering (4.5)
Blocking or allowing websites based on their reputation score, which is usually determined by a third-party service
DNS Filtering (4.5)
Technique used to block access to certain websites by preventing the translation of specific domain names to their corresponding IP addresses
DKIM (4.5)
DomainKeys Identified Mail- The sending server signs selected headers and the body with a private key, and the receiver verifies the signature against the public key published in the sender's DNS, proving the mail was authorized by the domain it claims and that the signed content was not tampered with in transit
SPF (4.5)
Sender Policy Framework- Email authentication method in which a domain publishes a DNS TXT record listing the hosts authorized to send mail for it, so receivers can detect forged sender addresses during email delivery
DMARC (4.5)
Domain-based Message Authentication, Reporting, and Conformance- Builds on SPF and DKIM: requires the authenticated domain to align with the visible From: domain, tells receivers what to do on failure (none, quarantine, or reject) and where to send aggregate reports; designed to detect and prevent email spoofing
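The SPF and DMARC cards describe what the records mean; the following added example (written for this page, not taken from any mail server) walks through the evaluation a receiving gateway performs. It parses v=spf1 records (ip4/ip6/include/all; the a, mx and exists mechanisms are left out because they need live DNS), then applies DMARC alignment and policy, including the case the exam cares about: an attacker whose own domain passes SPF but is not aligned with the spoofed From: domain. The DNS answers are constructed stand-ins using RFC 5737 documentation addresses, the organizational-domain helper is a simplification of the Public Suffix List, and DKIM verification itself is assumed to have happened already.

```python
from __future__ import annotations

import ipaddress

# Constructed DNS TXT answers standing in for live lookups (example data only).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "bounce.example.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "attacker.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str) -> list[str]:
    return DNS_TXT.get(name.lower(), [])


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's v=spf1 record for the connecting IP (RFC 7208 subset)."""
    if depth > 10:                       # recursion guard, mirrors the RFC's 10-lookup limit
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if spf_check(arg, sender_ip, depth + 1) == "pass":
                return result
    return "neutral"                     # nothing matched and no 'all' term


def parse_dmarc(domain: str) -> dict | None:
    records = [r for r in lookup_txt("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if not records:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels; real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, mail_from_domain: str, sender_ip: str,
                   dkim_domain: str | None = None, dkim_pass: bool = False) -> dict:
    """Combine SPF and an already-verified DKIM result with alignment and the publisher's policy."""
    policy = parse_dmarc(from_domain)
    spf = spf_check(mail_from_domain, sender_ip)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and aligned(dkim_domain, from_domain, policy.get("adkim", "s" if "adkim" in policy else "r")))
    passed = spf_aligned or dkim_aligned
    return {
        "spf": spf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
    }


if __name__ == "__main__":
    print(dmarc_evaluate("example.com", "bounce.example.com", "203.0.113.7"))
    print(dmarc_evaluate("example.com", "attacker.example", "192.0.2.1"))
```

The second printed case is the point of DMARC: SPF alone returns pass for attacker.example, and only the alignment requirement ties the authenticated identity back to the From: header the user actually sees.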
Email Gateway (4.5)
Server or system that serves as the entry and exit point for emails
On-Premise Email Gateway (4.5)
Physical server located within an organization's own data center or premises that gives the organization full control over its email system
Cloud-Based Email Gateway (4.5)
Email gateway that is hosted by third-party cloud service providers to provide greater scalability and ease of maintenance
Hybrid Email Gateway (4.5)
Used to combine the benefits of both on-premise and cloud-based gateways into a single offering
Spam Filtering (4.5)
Process of detecting unwanted and unsolicited emails and preventing them from reaching a user's inbox
EDR (4.5)
Endpoint Detection and Response- Category of security tools that monitor endpoint and network events and record the information in a central database; not as comprehensive as XDR (Extended Detection and Response)
FIM (4.5)
File Integrity Monitoring- Used to validate the integrity of operating system and application software files using a verification method between the current file state and a known, good baseline
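The FIM card names the technique; this added example (not from the flashcards or from any FIM product) shows the mechanics: build a baseline of SHA-256 digests for a directory tree, re-scan, and classify every difference as added, removed, or modified. It also covers the failure mode a practitioner cares about: an attacker who edits the stored baseline to hide a change. The baseline is therefore HMAC-signed with a key that is assumed to live off the monitored host. The directory contents, the "compromise", and the signing key are all constructed in a temporary directory for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference; 'modified' means same path, different digest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def sign_baseline(baseline: dict[str, str], key: bytes) -> str:
    """HMAC over canonical JSON so tampering with the stored baseline is detectable.
    Assumption: the key is held where the monitored host cannot write (e.g., on the SIEM)."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def demo() -> dict:
    """Constructed scenario: snapshot a directory, tamper with it, re-scan, then try to forge the baseline."""
    key = b"fim-baseline-signing-key"        # assumption: example key only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")

        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Simulated compromise: config weakened, binary trojaned, cron job dropped, one file removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder-with-backdoor")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "passwd").unlink()

        diff = compare(baseline, build_baseline(root))

        # Attacker rewrites the stored baseline to hide the sshd_config change: the HMAC no longer verifies.
        forged = dict(baseline)
        forged["etc/sshd_config"] = sha256_file(root / "etc" / "sshd_config")
        return {
            "diff": diff,
            "baseline_intact": verify_baseline(baseline, key, tag),
            "forged_baseline_detected": not verify_baseline(forged, key, tag),
        }


if __name__ == "__main__":
    print(demo())
```

Real deployments add a scheduler and an exclusion list for files that legitimately churn (logs, spool directories); without that, the alerting card's "tuning" problem shows up on day one.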
XDR (4.5)
Extended Detection and Response- Security strategy that integrates multiple technologies into a single platform to improve detection accuracy and simplify the incident response process; more comprehensive than EDR (Endpoint Detection and Response)
UBA (4.5)
User Behavior Analytics- Deploys big data and machine learning to analyze user behaviors for detecting security threats
UEBA (4.5)
User and Entity Behavior Analytics- Built upon the foundation of UBA (User Behavior Analytics), with monitoring of entities such as hosts, applications, and service accounts as an additional function
Protocol (4.5)
Set of rules or procedures for transmitting data between electronic devices
Secure Protocol (4.5)
HTTPS instead of HTTP
FTPS instead of FTP
SSH instead of Telnet
IMAPS instead of IMAP
POP3S instead of POP3
SMTPS instead of SMTP
SNMPv3 instead of SNMPv1/v2c
Port (4.5)
Logical construct that identifies specific processes or services in a given system
Well Known = 0 - 1,023 (system processes and services)
Registered Ports = 1,024 - 49,151 (software applications)
Dynamic/Private Ports = 49152 - 65,535 (client-side connections)
Transport Method (4.5)
Refers to the way data is moved from one place to another, usually using either TCP (connection-oriented, with acknowledgements and retransmission to guarantee delivery) or UDP (connectionless, with no delivery assurance) to transmit the data
Vulnerability Management (4.3)
Systematic and ongoing process of identifying, evaluating, prioritizing, and mitigating vulnerabilities
Package Monitoring (4.3)
Ensures that the libraries and components that the application depends on are secure and up-to-date
Penetration Testing (4.3)
Used to simulate a real-world attack on a system to evaluate its security posture
Threat Intelligence (4.3)
Continual process used to understand the threats faced by an organization
System and Process Audits (4.3)
Process that involves conducting a comprehensive review of the information system, security policies, and procedures
Threat Intelligence Feed (4.3)
Continuous stream of data related to potential or current threats to an organization's security
OSINT (4.3)
Open Source Intelligence- Intelligence that is collected from publicly available sources including reports, forums, news articles, blogs, and social media posts
Proprietary Third-Party Feeds (4.3)
Threat intelligence feeds that are provided by commercial vendors, usually under a subscription service type of business model
Dark Web (4.3)
Part of the Internet that is intentionally hidden and inaccessible through standard web browsers
Responsible Disclosure (4.3)
Term used to describe the ethical practice where a security researcher discloses information about vulnerabilities in a software, hardware, or online service
CVE (4.3)
Common Vulnerabilities and Exposures- System that provides a standardized identifier (CVE-YYYY-NNNNN) to uniquely reference known vulnerabilities in software and hardware
EF (4.3)
Exposure Factor- Quantifiable metric that estimates the percentage of an asset's value that would be lost if a particular vulnerability is exploited or a threat is realized
Risk Tolerance (4.3)
Refers to the level of risk that an organization is willing to accept in pursuit of its objectives and before action is deemed necessary to mitigate the risk
Vulnerability Response and Remediation (4.3)
Strategies that identify, assess, and address vulnerabilities in a system or network to strengthen an organization's security posture
Cybersecurity Strategies (4.3)
Patching
Purchasing cybersecurity insurance policies
Network segmentation
Implementing compensating controls
Granting exceptions and exemptions
Validating Vulnerability Remediation (4.3)
Rescans
Audits
Verification
Vulnerability Reporting (4.3)
Process of documenting and communicating details about security weaknesses identified in software or systems to the individuals or organizations responsible for addressing the issue
Internal Reporting (4.3)
Involves the identification, documentation, and communication of the organization's vulnerabilities within the organizational structure
External Reporting (4.3)
Involves discussions with the vendors, partners, customers, or the public at large, depending on the specific vulnerability involved
Responsible Disclosure Reporting (4.3)
Practice of disclosing vulnerabilities ethically and judiciously to the affected stakeholders before announcing them to the public at large
System Monitoring (4.4)
Observation of computer system, including the utilization and consumption of its resources
Baseline (4.4)
Established performance metrics and data points for standard behavior of a system, network, or application
Application Monitoring (4.4)
Emphasizes the management and monitoring of software application performance and availability
Infrastructure Monitoring (4.4)
Observation of the performance and availability of an organization's physical and virtual infrastructure
Log Aggregation (4.4)
Process of collecting and consolidating log data from various sources into a centralized location
Alerting (4.4)
Involves setting up notifications to inform relevant stakeholders when specific events or conditions occur
Scanning (4.4)
Involves examining systems, networks, or applications to identify vulnerabilities, configuration issues, or other potential problems
Vulnerability Scan (4.4)
Checks for vulnerabilities in systems, networks, or applications by comparing the system's state against databases of known vulnerabilities
Configuration Scan (4.4)
Checks for misconfiguration that could impact system performance or security
Code Scan (4.4)
Checks the source code of an application for potential issues, such as security vulnerabilities or coding errors
Reporting (4.4)
Involves generating summaries or detailed reports based on the collected and analyzed data
Archiving (4.4)
Involves storing data for long-term retention and future reference, including an organization's log data, performance data, and incident data
Alert Response and Remediation or Validation (4.4)
Involves taking appropriate actions in response to alerts and ensuring that the identified issues have been effectively addressed
Remediation (4.4)
Steps used to resolve the identified issues or vulnerabilities
Validation (4.4)
Involves verifying that the remediation implemented was actually successful and has effectively addressed the given issue or vulnerability
Quarantining (4.4)
Isolating a system, network, or application to prevent the spread of a threat and limit its potential impact
Alert Tuning (4.4)
Adjusting alert parameters (thresholds, time windows, allowlists) to reduce errors and false positives and to improve the overall relevance of the alerts generated by a given system
SNMP (4.4)
Simple Network Management Protocol- Internet protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior
SNMP Trap Message (4.4)
Simple Network Management Protocol Trap Message- A message that’s sent from a network device to an SNMP management system without being solicited by the system
Granular Trap Message (4.4)
Each trap carries a unique object identifier (OID) so the receiver can distinguish exactly which event or variable the message refers to
OID (4.4)
Object Identifier (used with SNMP- Simple Network Management Protocol- trap messages)
MIB (4.4)
Management Information Base- Used to describe the structure of the management data of a device subsystem using a hierarchical namespace containing object identifiers
Verbose Trap (4.4)
Simple Network Management Protocol Trap- May be configured to contain all the information about a given alert or event as a payload
SNMPv3 (4.4)
SNMPv1 and v2c both transmit in plaintext with a community string as the only credential. v3 offers:
Confidentiality using encryption (DES for earlier implementations and 3DES or AES for newer implementations)
Integrity using hashes
Authentication by validating source of messages
SIEM (4.4)
Security Information and Event Management- Solution that provides real-time or near-real-time analysis of security alerts that are generated by network hardware and applications
Agent (SIEM) (4.4)
Software agent installed on each system, such as a server or workstation, from which the SIEM (Security Information and Event Management) needs to collect log data
Agentless (SIEM) (4.4)
Under this approach, the SIEM (Security Information and Event Management) system directly collects log data from each system using standard protocols such as syslog, SNMP (Simple Network Management Protocol), or WMI (Windows Management Instrumentation)
SIEM Software examples (4.4)
Security Information and Event Management- Splunk, ELK or Elastic Stack, ArcSight, QRadar
CVSS (4.4)
Common Vulnerability Scoring System- Used to provide a numerical score to reflect the severity of a given vulnerability
0.0 = None
0.1 - 3.9 = Low
4.0 - 6.9 = Medium
7.0 - 8.9 = High
9.0 - 10.0 = Critical
Antivirus Software (4.4)
Fundamental security tool that protects systems against malware, including viruses, worms, trojans, ransomware, and spyware
DLP Systems (4.4)
Data Loss Prevention Systems- Used to monitor and control data on endpoints, network traffic, and data stored in the cloud to prevent potential data breaches from occurring
NIDS (4.4)
Network Intrusion Detection System- Passively identify potential threats
NIPS (4.4)
Network Intrusion Prevention System- Actively identify and block or prevent potential threats
Firewalls (4.4)
Serve as a barrier between a trusted internal network and an untrusted external network
Vulnerability Scanner (4.4)
Tools that identify security weaknesses in a system, including missing patches, incorrect configurations, and other types of known vulnerabilities
SCAP (4.4)
Security Content Automation Protocol- Open standards that automate vulnerability management, measurement, and policy compliance for systems in an organization
3 Main languages used within SCAP (4.4)
OVAL- Open Vulnerability and Assessment Language
XCCDF- Extensible Configuration Checklist Description Format
ARF- Asset Reporting Format
OVAL (4.4)
Open Vulnerability and Assessment Language- XML (Extensible Markup Language) schema for describing system security states and querying vulnerability reports and information
XCCDF (4.4)
Extensible Configuration Checklist Description Format- XML (Extensible Markup Language) schema for developing and auditing best-practice configuration checklists and rules
ARF (4.4)
Asset Reporting Format- XML (Extensible Markup Language) schema for expressing information about assets and the relationships between assets and reports
CCE (4.4)
Common Configuration Enumeration- Scheme for provisioning secure configuration checks across multiple sources
CPE (4.4)
Common Platform Enumeration- Scheme for identifying hardware devices, operating systems, and applications
CVE (4.4)
Common Vulnerabilities and Exposures- List of records where each item contains a unique identifier used to describe a publicly known vulnerability
Benchmark (4.4)
Set of security configuration rules for some specific set of products to provide a detailed checklist that can be used to secure systems to a specific baseline
FPC (4.4)
Full Packet Capture- Captures the entire packet, including the header and the payload, for all traffic entering and leaving a network
Flow Analysis (4.4)
Relies on a flow collector, which records metadata and statistics rather than recording each frame that passes through the network
NetFlow (4.4)
A Cisco developed means of reporting network flow information to a structured database
IPFIX (4.4)
Internet Protocol Flow Information Export- Defines traffic flows based on shared packet characteristics
Zeek (4.4)
Software that passively monitors a network like a sniffer, but only logs full packet capture of potential interest
MRTG (4.4)
Multi Router Traffic Grapher- Creates graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using SNMP (Simple Network Management Protocol)
Single Pane of Glass (4.4)
A central point of access for all the information, tools, and systems
Implementing Single Pane of Glass (4.4)
Define requirements
Identify and integrate data sources
Customize the interface
Develop SOPs and documentation
Continuously monitor and maintain the solution
Incident Response Cycle (7 phases) (4.8)
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Post-Incident activity/lessons learned
Threat Hunting (4.8)
Cybersecurity methods for finding hidden threats not caught by regular security monitoring
Intelligence Fusion and Threat Data (4.8)
Use SIEM (Security Information and Event Manager) and analysis platforms to spot concerns in the logs and real-world security threats
Root Cause Analysis (4.8)
A systematic process to identify the initial source of the incident and how to prevent it from occurring again
Root Cause Analysis Process (4.8)
Define the scope of the incident
Determine the causal relationships
Identify an effective solution
Implement and track the solution
TTX (4.8)
Tabletop Exercise- Exercises that simulate an incident within a controlled framework
Digital Forensics (4.8)
Process of investigating and analysing digital devices and data to uncover evidence for legal purposes
Digital Forensics Procedures (4.8)
Identification
Collection
Analysis
Reporting
Identification (Digital Forensics) (4.8)
Ensures the safety of the scene, secures it to prevent any evidence contamination, and determines the scope of the evidence to be collected
Collection (Digital Forensics) (4.8)
Refers to the process of gathering, preserving, and documenting physical or digital evidence in various fields
Analysis (Digital Forensics) (4.8)
Involves systematically scrutinizing the data to uncover relevant information, such as potential signs of criminal activity, hidden files, timestamps, and user interactions
Reporting (Digital Forensics) (4.8)
Involves documenting the findings, processes, and methodologies used during a digital forensic investigation
Order of Volatility (4.8)
Dictates the sequence in which data sources should be collected and preserved based on their susceptibility to modification or loss
- Collect data from system memory
- Capture data from the system state
- Collect data from the storage devices
- Capture network traffic and logs
- Collect remotely stored or archived data
Chain of Custody (4.8)
Documented and verifiable record that tracks the handling, transfer, and preservation of digital evidence from the moment it is collected until it is presented in a court of law
Disk Imaging (4.8)
Involves creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space
File Carving (4.8)
Focuses on extracting files and data fragments from storage media without relying on the file system
Legal Hold (4.8)
Formal notification that instructs employees to preserve all potentially relevant electronic data, documents, and records
Electronic Discovery (4.8)
Process of identifying, collecting, and producing electronically stored information during legal proceedings
Data Acquisition (4.8)
The methods and tools used to create a forensically sound copy of the data from a source device, such as system memory or a hard disk
Log File (4.9)
A file that records either events that occur in an operating system or other running software, or messages exchanged between different users of communication software
journalctl (4.9)
Linux command line utility used for querying and displaying logs from the journal, which is responsible for managing and storing log data on a Linux machine
NXLog (4.9)
A multi-platform log management tool that helps to identify security risks and policy breaches, or to analyze operational problems
Metadata (4.9)
Data that describes other data by providing an underlying definition or description; summarizing basic information about data makes finding and working with particular instances of it easier
SOAR (4.7)
Security Orchestration, Automation, and Response
Playbook (4.7)
Checklist of actions for specific incident responses
Runbook (4.7)
Automated versions of playbooks with human interaction points
REST (4.7)
REpresentational State Transfer- Architectural style that uses standard HTTP methods and status codes, uniform resource identifiers, and MIME (Multipurpose Internet Mail Extensions) types
SOAP (4.7)
Simple Object Access Protocol- Protocol that defines a strict standard with a set structure for the message, usually in XML (eXtensible Markup Language) format
cURL (4.7)
Tool to transfer data to or from a server using one of the supported protocols
Runbook (4.7)
Automated version of a Playbook and includes clearly defined interaction points for human intervention and analysis
Orchestration (4.7)
Coordinated and sequenced execution of multiple automated tasks, ensuring they work harmoniously within a larger, complex process
Continuous Delivery (4.7)
Software development practice where new code changes are automatically tested and prepared for a release that allows for reliable, manual deployments to a production environment at any chosen time