SYO-701 Flashcards
Technical controls (category)
implemented using a system
IT security controls
eg: firewall, anti-virus
Managerial Controls (category)
policies and procedures
admin stuff
SOPs
on-boarding policy, demotion, review login reports, separation of duties
Operational controls (category)
implemented by people instead of systems
guard shack, require multiple guard, awareness training
physical controls (category)
door lock, warning sign, power generator
preventive control type
block access to a resource
firewall rules
door locks
on-boarding policy
deterrent control type
discourage attacks
warning banner
posted warning signs
threat of demotion
Detective control type
identify intrusion attempts
audit log monitoring
motion detectors
Corrective control type
Apply a control after an event has been detected to reverse impact of event
Continue operations with minimal downtime
Ransomware recovery using backups
use law enforcement to manage criminal activity
fire extinguishers
compensating control type
control using other means
existing controls aren’t sufficient
may be a temporary control
use a temporary firewall rule to block an application while waiting for a security patch
implement separation of duties
generator used after a power outage
Directive control type
direct a subject towards compliance
this is a weak security control
tell people to store sensitive files in a protected folder
train users on security policy
Create compliance policies and procedures
security policy training
Zero Trust
Authenticate to each device or process on the network, not just a VPN or firewall.
Everything must be verified, nothing inherently trusted
Data plane
zero trust plane of operation
process frames packet and network data
movement of data across network
Switch ports, NAT, processing, forwarding, trunking
Control plane
zero trust plane of operation
manage actions of the data plane
network decision making and traffic management
routing tables, NAT tables, IP address configs
Adaptive Identity
zero trust
Consider the source and the requested resources
Multiple risk indicators with relationship to the organization
If user is in China, considered higher risk
Find out how risky the login is.
(zero trust) Threat Scope reduction
zero trust
decrease number of possible entry points
policy-driven access control (zero trust)
zero trust
Make authentication requirements stronger based on Adaptive Identity.
combine adaptive identity with a predefined set of rules
PEP
zero trust
Policy Enforcement Point
everything must be validated via the PEP
Subjects and systems must be validated through the Policy Enforcement Point
PEP is a gatekeeper for allowing or blocking traffic to resources
Can be multiple devices working together.
Works on the Data plane
PDP
zero trust
Policy Decision Point
gets forwarded requests from the PEP
decides whether traffic should be allowed or not
makes a process for authentication
Works on the control plane
Policy Engine - zero trust
zero trust
Part of the PDP
evaluate each access decision based on policy
grant, deny or revoke access
Policy Administrator - zero trust
Part of the PDP
Generate access tokens
the PA creates or shuts down a communication based on decisions from the Policy Engine
Tells the PEP to allow or disallow access
TPM
trusted platform module
specification for cryptography hardware
cryptography process like random number generator, key generators
unique keys burned in during manufacturing
versatile memory to store keys, hardware config info
securely store bitlocker keys
password protected against dictionary attacks
HSM
hardware security module
used in large environments
- a rack server
securely store thousands of keys
high-end cryptographic hardware used to perform crypto functions
key backup
- secure storage for keys
cryptographic accelerators
- GPU for performing crypto functions
secure enclave
protected area in hardware for secrets
- implemented as a hardware processor
- isolated from main processor
- many different technologies and names
extensive security features
- has its own boot ROM
- has its own boot process
- true random number generator
- real-time memory encryption
- root crypto keys
- AES encryption
block chain
distributed ledger
everyone on the blockchain tracks the ledger
tracks each transaction and sends it to everyone
can be used to track progress of parts on an assembly line
block of transactions
secure hash is calculated from previous blocks of transaction data
hash is added to the new block of verified transactions
chain of hashes
new calculated block is distributed to everyone
if any blocks are altered, all the following hashes in the chain are recalculated
if the altered chain doesn’t match other chains on the network, it will be rejected
OCSP stapling
During the TLS/SSL handshake, the server sends the digitally signed OCSP verification with the certificate message to the client.
OCSP stapling improves the client experience by:
* Reducing the time it takes to establish a connection
* Ensuring the browser gets the same response performance for the certificate status as it does for the website content
* Addressing privacy concerns by removing the need for the CA to receive revocation requests directly from the client
UTM
unified threat management
aka all in one security device
aka web security gateway
URL filtering, content inspection
malware inspection
spam filter
CSU/DSU (LAN to WAN connection)
routing and switching
firewall
IDS/IPS
bandwidth shaper for QoS
VPN server
SD-WAN
Software defined networking in a wide area network
WAN built for cloud
cloud-based apps communicate directly to the cloud
dynamic network connects on-site users directly to cloud applications
SASE
Secure Access Service Edge
VPN for cloud services
SASE servers located on the cloud, near the apps
SASE client installed on devices
BYOD
bring your own device
BYOT
bring your own technology
employee owned devices
difficult to secure
COPE
corporate owned personally enabled devices
organization owned device
used for both personal and corporate stuff
CYOD
a subset of COPE device
choose your own device
choose apple or android
MIC
message integrity check
wireless security
make sure data is the same as sent
provides data integrity
GCMP
galois counter mode protocol
wifi protocol
works with WPA3
secure hashes with AES
SAE
Simultaneous Authentication of Equals
wifi security protocol
Variant of Diffie-Hellman key exchange
everyone uses a different session key, even if everyone has the same pre-shared key
handshake and mutual authentication process is changed
create a shared session key without sending key across network
EAP
extensible authentication protocol
many ways to authenticate
integrates with 802.1x
works with WiFi
enumeration
part of asset management
record all parts of an asset
CPU, mem, keyboard, mouse, etc
CVSS
common vulnerability scoring system
uses NVD
NVD
national vulnerability database
nvd.nist.gov
vulns with a score of 10 are most critical
0 score is least critical
scores change with CVSS version
CVE
Common vulnerabilities and exposures
vulnerability database
exposure factor
loss of value or business activity due to vulnerability
if a vuln takes down half of the business, exposure factor is 50%
SPF
sender policy framework
email security
add a TXT record in DNS
SPF - configure a list of all servers authorized to send emails
DKIM
DomainKeys Identified Mail
mail server digitally signs all outgoing mail
public key is in the DKIM TXT record
users can validate that the messages are legit with DKIM public key
DMARC
domain-based message authentication, reporting and conformance
extension of SPF and DKIM
handle emails that aren’t validated using SPF and DKIM
write policy to a DNS TXT record
possible policy action on unvalidated email:
- accept all
- send to spam
- quarantine
- reject email
can send compliance reports to the email admin
MAC
Mandatory Access Control
OS limits operations on an object
every object is labeled
- eg: confidential, secret
admin of the system decides which person can access which labels
eg: SELinux file types and user restrictions
DAC
Discretionary Access Control
similar to unix chmod
owner of data controls who can access it
flexible access control
weak security, because it depends on users to have good security
RBAC
role based access control
each user has a role in the organization
admin provides access based on user’s role
in windows, use AD Groups to provide role-based access control
rule-based access control
system enforced rules
rules created by admin, not users
object ACLs, similar to linux file ACLs
eg: a lab worker can only access a file between 9 AM and 5 PM.
attribute based access control
users can have complex relationships to applications and data
next generation authorization model
evaluate multiple parameters
- resource info, IP addr, time of day, desired action, relationship to the data
JIT permissions
Just in time permissions
short term admin permissions
a breached user account doesn’t have admin access
user requests admin permissions from a clearinghouse
primary credentials are stored in a password vault, and never doled out
each user gets a different short term set of admin credentials to use
when user is finished, short term credentials are deleted.
cases for automation
user onboarding and offboarding
guard rails
- automated validation on configs
- limit admin mistakes
security groups
- assign or remove users from AD groups
ticket creation
- automate turning user emails into helpdesk tickets
escalation
- correct helpdesk issues before involving a human
- if helpdesk cannot fix it, automatically escalate to security
enable and disable services as needed
CI/CD Continuous integration and continuous deployment
use APIs with automation
incident lifecycle (in order)
PDACERL
preparation
detection
analysis
containment
eradication
recovery
lessons learned
chain of custody
used in digital forensics
control evidence
- maintain integrity of data
log who access data
have hashes and digital signatures of data to maintain data integrity
label and catalog everything
- digitally tag all items for ongoing documentation
- seal and store data
Data owner
accountable for a specific data
VP of sales owns the customer relationship data
treasurer owns financial information
data controller
manage the purposes and means by which personal data is processed
eg: payroll department defines payroll amounts and pay time
data processor
processes data on behalf of the data controller
often a third-party or different group
eg: payroll company sends the paychecks
data custodian/steward
responsible for data accuracy, privacy and security
attach sensitivity labels to data
make sure data complies with laws
implement security controls
grant users access to data
Qualitative risk assessment
Risk assessment
identify significant risk factors
ask opinions about the significance
display visually with traffic light grid or similar method
ARO
annualized rate of occurrence
AV
asset value
value of an asset to the organization
includes cost of the asset, effect on company sales
EF
exposure factor
percentage of the value lost due to an incident
SLE
single loss expectancy
monetary loss if a single event occurs.
SLE = AV * EF
eg: 1 laptop stolen
- SLE = 1000 * 1 = 1000
ALE
annualized loss expectancy
annualized loss per year
ALE = ARO * SLE
eg: seven laptops stolen per year
- ALE = 7 * 1000
risk likelihood
qualitative measurement of risk
eg: rare, possible, almost certain
eg: high, medium, low
risk probability
quantitative measurement of risk
eg: statistical measurement
based on historical performance
numbers
risk appetite posture
qualitative description for readiness to take risk
eg: conservative, neutral, expansionary
risk tolerance
an acceptable variance from the risk appetite
usually larger than risk appetite
eg: you can drive 5 mph over speed limit before you get a ticket
risk register
every project has a plan, but also a risk
- identify and document risk associated with each step of a project
- document solutions to the risk
risk reporting
formal document
- identify risk
- detailed information for each risk
created for senior management
- make decisions regarding resources, budgeting, additional security tasks
includes critical and emerging risks
- the most important considerations
SLA
service level agreement
minimum terms for services provided
uptime, down response time, etc
commonly used between customers and providers
MOU
memorandum of understanding
informal contract between two organizations
confidentiality agreements
very broad, not detailed
MOA
memorandum of agreement
one step above an MOU
more detailed than an MOU, but still fairly broad
not a contract
may not contain legally enforceable promises
MSA
master service agreement
legal contract and agreement of terms
broad framework to cover future transactions
covers many detailed negotiations
foundation for future services
WO
work order
aka SOW - statement of work
extends an MSA
specific list of items to be completed
Details the scope of the job, location and deliverables
NDA
non-disclosure agreement
confidentiality agreement between parties
protect data, so companies can discuss trade secrets
unilateral - one way NDA
bilateral - two way NDA
multilateral - many way NDA, for multiple companies
BPA
business partners agreement
two people going into business together make an agreement
has owner’s stake
has financial contract
who makes the decisions?
prepare for contingencies
GLBA
gramm-leach-bliley act of 1999
requires disclosure of privacy info from banks
SOX
sarbanes-oxley act
public accounting reform and investor protection act of 2002
due diligence
monitor compliance
make sure that the company is acting in good faith to do compliance
implies a third party is doing due diligence
due care
monitor compliance
make sure that the company is acting in good faith to do compliance
implies the company itself is doing due care
attestation (compliance monitoring)
someone must sign off on formal compliance docs
ultimately responsible if the docs are incorrect
EDR
Endpoint Detection and Response
host endpoint security client
more advanced than signature detection
behavioral analysis, machine learning and process monitoring
lightweight agent on the endpoint
detects threats
investigate the threat
root cause analysis
respond to threats
XDR
eXtended Detection and Response
enhanced version of EDR
improves on missed detections, false positives and long investigation times
analyses data from many different endpoints to make conclusions
adds network-based detection
correlate endpoint, network and cloud data to find threats
XDR behavior analytics
user behavior analytics
watch users, hosts, network traffic, data repositories, etc
make a baseline of normal activity
watch for any unusual activity