Various Concepts x2 Flashcards
A solution that provides real time or near real time analysis of security alerts generated by network hardware and applications.
SIEM
A class of security tools that help facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. AKA next generation SIEM.
SOAR
commonly used to gather information about routers, switches, and other network devices including status indicators, and CPU and memory utilization.
SNMP
Inactive data that is archived
Data at Rest
Data that is crossing the network or that resides in the computer’s memory.
Data in Transit
Data that is undergoing change.
Data in Use
an algorithm that performs the encryption or decryption.
Cipher
A single key encrypts and decrypts the data.
Symmetric Encryption
One key encrypts and a second key decrypts the data.
Asymmetric Encryption
encrypts data bit by bit using a mathematical XOR function to create the cipher text. (Symmetric).
Stream cipher
breaks the input into fixed-length blocks of data and performs encryption on the blocks of data.
Block Cipher
breaks the input into 64-bit blocks and uses transposition and substitution to create the cipher text and a key strength of only 56-bits. Considered insecure.
DES - Symmetric cipher
uses 3 separate symmetric keys to encrypt, decrypt, and then encrypt the cipher text to increase the strength of its predecessor.
3DES - Symmetric cipher
block cipher which uses 64-bit blocks to encrypt plaintext to cipher text.
IDEA symmetric
block cipher that uses 128, 192, or 256-bit blocks and a matching key size to encrypt plain text to cipher text. The standard for U.S. government.
AES Symmetric
block cipher uses 64-bit blocks and a variable length key to encrypt plain text to cipher text.
Blowfish symmetric
block cipher that replaced Blowfish and uses 128-bit blocks and 128, 192, or 256-bit keys to encrypt plain text to cipher text.
Twofish symmetric
stream cipher using a variable key size from 40 to 2048-bits that is used in SSL and WEP.
RC4 Symmetric
block cipher using key sizes up to 2048-bits.
RC5 symmetric
block cipher introduced as a replacement for DES, but AES was chosen instead.
RC6 symmetric
State the symmetric algorithms (9):
DES, 3DES, AES, Twofish, Blowfish, IDEA, RC4, RC5, and RC6
Asymmetric algorithms are also known as this:
Public Key Cryptography.
a hash digest of a message encrypted with the sender’s private key to let the recipient know that the document was created and sent by the person claiming to have sent it.
Digital Signature
Used to conduct key exchanges and secure key distribution over an unsecure network. Used to establish a VPN tunnel with IPSEC.
Diffie-Hellman Asymmetric Algorithm
relies on the mathematical difficulty of factoring large prime numbers. Supports key sizes from 1024 to 4096-bits.
RSA (Rivest, Shamir, and Adleman) Asymmetric Algorithm
based upon the algebraic structure of elliptic curves over finite fields to define the keys. More efficient than RSA. Commonly used in mobile devices and low-power computing devices.
ECC (Elliptic Curve Cryptography) Asymmetric
State the 3 Asymmetric algorithms
ECC, RSA, Diffie-Hellman
An encryption program used for signing, encrypting, and decrypting emails. Uses IDEA and hybrid encryption.
PGP (pretty good privacy)
Newer version of PGP that uses AES for its symmetric encryption functions. Also is cross platform (Linux, Windows, etc.).
GNU Privacy Guard (GPG)
stream cipher using XOR that encrypts plaintext information with a secret random key that is the same length as the plaintext input.
One-Time Pad
PRNG
Pseudo Random Number Generator.
A shared, immutable ledger for recording transactions, tracking assets, and building trust.
Blockchain
a cryptographic key is generated for each execution of the key process. The keys last a “short” time.
Ephemeral
allows calculations to be performed on data without it being decrypted. Used for privacy preserving data in cloud storage and outsourced computations.
Homomorphic encryption
a one-way cryptographic function which takes an input and produces a unique message digest.
Hashing
occurs when 2 files create the same hash digest
Collision
fixed-length 128-bit hash value unique to the input file.
MD5
fixed-length 160-bit hash value unique to the input file. Replaced MD5 to reduce collisions.
SHA-1
family of algorithms with longer hash digests that include SHA-224, SHA-256, SHA-348, and SHA-512
SHA-2
hash digests between 224 and 512-bits.
SHA-3
open-source algorithm that creates unique 160, 256, or 320-bit hash message digests for each input file.
RIPEMD
hashing algorithm used to create a level of assurance as to the integrity and authenticity of a given message or file.
HMAC
original version of password hashing used by Windows that uses DES and is limited to 14 characters.
LANMAN Hash (LM hash)
replacement to LM Hash that uses RC4 and released with Windows 3.1 in 1993.
NT LAN Manager Hash (NTLM Hash)
replaced NTLM and uses HMAC-MD5 and is considered difficult to crack.
NTLMv2 Hash
A technique that allows an attacker to authenticate to a server or service by using the underlying NTLM or LM hash instead of requiring the plaintext password.
Pass the Hash
a technique used to mitigate a weaker key by increasing the time needed to crack it.
Key Stretching
adding random data into a one-way hash to help protect against password cracking techniques.
Salting
An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption.
PKI
digitally signed electronic documents that bind a public key with a user’s identity.
Certificates
digital certificate standard used in PKI that contains owner, user, and certificate authority information.
X.509
allow all the subdomains of a website to use the same public key certificate and have it displayed as valid.
Wildcard certificates
Allows a certificate owner to specify additional domains and IP addresses to be supported.
SAN Subject Alternate Name
only require the server to be validated
Single-sided certificates
require both the server and the user to be validated.
Dual-sided certificates
standard that contains encoding methods that include BER, CER, and DER.
X.690
original ruleset covering the encoding of data structures for certificates where several different encoding types can be used.
BER (Basic Encoding Rules)
A restricted version of BER that only allows one encoding type.
CER (Canonical Encoding Rules)
restricted version of BER that has one encoding type and stricter rules for length, character strings, and how elements of a digital certificate are stored in X.509.
DER (Distinguished Encoding Rules)
used to verify information about a user prior to requesting that a CA issue the certificate.
Registration Authority (RA)
the entity that issues certificates to a user
CA Certificate Authority
online list of digital certificates that the CA has revoked.
CRL Certificate Revocation List
a protocol that allows you to determine the revocation status of a digital certificate using its serial number.
OCSP Online Certificate Status Protocol
allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake.
OCSP Stapling
allows an https website to resist impersonation attacks by presenting a set of trusted public keys to the user’s browser as part of the HTTP header.
Public Key Pinning
occurs when a secure copy of a user’s private key is held in case the user accidentally loses their key. Usually require 2 persons (separation of duties) to retrieve the key.
Key Escrow
a specialized type of software that allows the restoration of a lost or corrupt key.
Key Recovery Agent
a decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system and is a concept used in PGP and GnuPG.
Web of Trust
is a web of trust. Peer-to-peer self-signed certificate where the more people know you, the more people will trust you. Examples include the eBay seller rating system.
PGP (Pretty Good Privacy)
a standard that provides cryptographic security for electronic messaging, email.
S/MIME secure multipurpose internet mail extensions
a protocol that encrypts PPP packets and sends data as encrypted traffic. It also can use CHAP-based authentication which is considered insecure.
PPTP port 1723
is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs.
L2TP port 1701
A TCP/IP protocol that authenticates and encrypts IP packets and effectively secures communications between devices using this protocol. It also provides CIA, confidentiality through encryption, integrity through hashing, and authentication through a key exchange.
IPSec
method used by IPSec to create the VPN tunnel by encrypting the connection between authenticated peers.
IKE Internet Key Exchange
this is a set of IPSec specifications that are negotiated between devices that are establishing an IPSec relationship
SA Security Association
protocol in IPSec that provides integrity and authentication.
Authentication Header AH
provides confidentiality through encryption, hashing of the AH, and integrity by encapsulation in the IPSec protocol.
ESP
Two IPSec VPN modes
Transport and Tunnel.
only encrypts the payload and not the header. Semi-truck comparison: only the trailer is encrypted and not the cab.
Transport Mode
encrypts both the payload and headers. Semi-truck comparison: both the cab and trailer are encrypted.
Tunnel mode
an unexpected increase in the amount of voltage provided
Surge
a short transient in voltage that can be due to a short circuit, tripped breaker, power outage, or lightning strike.
Spike
An unexpected decrease in a power supply.
Sag
occurs when the voltage drops low enough that it typically causes the lights to dim and can cause a computer to shut off.
Brownout
total loss of power for a prolonged amount of time.
Blackout
Allows the combination of multiple hard disks into a logical single disk drive that is recognized by the system.
RAID Redundant Array of Inexpensive Disks
provides data striping across multiple disks to increase performance. Requires at least 2 drives.
RAID 0
provides redundancy by mirroring the data identically on two hard disks. Requires at least 2 drives.
RAID 1
provides redundancy by striping data and parity data across the disk drives. Requires at least 3 different drives.
RAID 5
provides redundancy and double parity data across the disk drives. Requires at least 4 different drives.
RAID 6
creates a striped RAID of two mirrored RAIDs.
RAID 10. It is a combination of RAID 1 and RAID 0, equaling a RAID 10.
two or more servers working together to perform a particular job function.
Cluster
the second server can take over if the active server fails.
Failover Cluster
servers are clustered in order to share resources.
Load-balancing cluster
near duplicate of working site and can be up and running in minutes.
Hot site
A site partially equipped but will require some configuration prior to being active.
Warm site
A minimally equipped site with no configuration.
Cold Site
All of the contents of the data storage are copied.
Full Backup
Only backs up the changes to the data storage since the last full backup or this type of backup
Incremental Backup. Quicker backup times, longer restoral in the event of a failure.
Only backs up the changes to the data storage since the last full backup
Differential Backup. Quicker restoral time in the event of a failure, longer backup times.
each data storage tape is used once a day for 2 weeks, and then the entire set is reused.
10 Tape Rotation
Three sets of backup tapes are used: son = daily, father=weekly, and grandfather=monthly.
Grandfather-father-son
three sets of backup tapes used to store data. Tape one = every other day, tape two = every four days, and tape three = every eight days.
Towers of Hanoi backup system
type of backup primarily used to capture the entire operating system image including all applications and data.
Snapshot backup
A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
Business Impact Analysis
MTD
Maximum Tolerable Downtime
WRT
Work Recovery Time
The longest time an organization can sustain lost access to data
RPO Recovery Point Objective.
When a thief attempts to take responsibility for a shipment by diverting the delivery to a nearby location.
Diversion theft
this provides a comprehensive security management framework.
Governance
this defines the role of security in an organization and establishes the desired end state of the security program.
Policies
this is used to implement a policy in an organization.
Standards
this is used to recommend actions.
Guidelines
These are detailed step-by-step instructions that are created to ensure that personnel can perform a given action.
Procedures
the attacker sends a TCP SYN request using the same IP address and port as both the source and destination IP address and port. The system replies to itself, exhausting resources and leading to a system crash.
Land attack
this is any information that can result in a loss of security or the advantage a company has if it is accessed by unauthorized persons.
Sensitive Data
Data that would have no impact to the organization if it were leaked.
Public Data
Data that will have minimal impact to the organization if it were leaked.
Sensitive Data
Data that should only be used inside of the organization.
Private Data
The highest level of data classification, such as trade secrets, intellectual property, etc., that would seriously affect the organization if disclosed.
Confidential Data
Government data that can be released to the public.
Unclassified Data
Government data that would not impact national security but would affect those the data represents.
Sensitive, but Unclassified
Government data that could seriously affect the government if unauthorized disclosure occurs.
Confidential Data
Government data that would damage national security if disclosed.
Secret Data
Government data that could gravely damage national security if released to unauthorized persons.
Top Secret Data
A senior executive role with responsibility for maintaining the CIA of information assets.
Data Owner
A role that focuses on maintaining the quality of the data and associated metadata.
Data Steward
A role that focuses on handling the management of the systems on which the data is stored.
Data Custodian
A role responsible for the oversight of any PII/SPI/PHI assets managed by the company.
Privacy officer
Affects US government computer systems that store, collect, or use PII.
Privacy Act of 1974
Affects publicly traded US companies and requires certain accounting methods and financial reporting requirements.
Sarbanes-Oxley SOX
Affects banks, mortgage, loan, insurance, and credit card companies that prohibits the sharing of PII or financial information with third parties.
Gramm-Leach-Bliley GLBA
Requires each government agency to develop, document, and implement an agency wide systems security program to protect their data.
Federal Information Security Act of 2002 FISMA
provides regulations that govern the security, confidentiality, and integrity of the PII collected, stored, and processed during the election and voting process.
Help America Vote Act HAVA of 2002
Requires any California business that stores PII to disclose a breach.
SB1386
methods and technologies that remove identifying information from data before it is distributed.
Deidentification
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure of the original data.
Data Masking
A deidentification method where a unique token is substituted for real data.
Tokenization
a deidentification method where data is generalized to protect the individuals involved.
Aggregation and Banding
An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method is.
Reidentification
agreement between two parties that identifies what data is confidential and cannot be shared outside of the relationship.
Non-disclosure Agreement NDA
A non-binding agreement between two or more parties to detail a common line of action.
MOU Memorandum of Understanding
an agreement concerned with the ability to support and respond to problems within a given timeframe and continuing to provide the agreed upon level of service to the user.
Service-level Agreement SLA
an agreement for the owners and operators of IT systems to document what technical requirements each must meet.
Interconnection Security Agreement ISA
Conducted between two business partners that establish the conditions of their relationship.
Business Partnership Agreement BPA
Exposes the hard drive to a powerful magnetic field which causes the data written on the drive to be erased.
Degaussing
the act of removing data in a manner that it cannot be reconstructed using any known forensic techniques.
Purging (Sanitizing)
the act of removing data with a certain amount of assurance that it cannot be reconstructed.
Clearing
this is a risk-driven architecture that considers the who, what, when, where, and why.
SABSA Sherwood Applied Business Security Architecture
A security framework that divides IT into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
COBIT Control Objectives for Information and Related Technology
this is a security control framework developed by the Department of Commerce.
NIST 800-53
considered to be the de facto standard for IT security practices.
ITIL Information Technology Infrastructure Library
a framework with consensus-developed secure configuration guidelines for hardening and prioritized sets of best practices for IT security.
Center for Internet Security CIS
a framework developed by NIST and used in government applications that integrates security and management activities into the system development life cycle.
Risk Management Framework RMF
a set of industry standards and best practices developed by NIST to help organizations manage cyber related risks.
Cybersecurity Framework CSF
State the five categories of CSF
Identify, Protect, Detect, Respond, and Recover
an international standard that identifies requirements for implementing, maintaining, and improving information security management systems ISMS.
ISO 27001
an international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems ISMS.
ISO 27002
Punycode format for representing ASCII characters in legacy or international DNS systems
xn--
an attack where a malicious DNS server is used to tunnel other protocols.
DNS tunneling
an attack where the browser is redirected to the malicious web page that delivers the exploit to the victim’s machine through a series of redirections.
HTTP 302 cushioning
Zero Trust model protects these 3 areas
Workforce, workload, and workplace.
acts as a privacy extension to ISO 27001 with additional requirements for establishing and maintaining PIMS (privacy information management systems).
ISO 27701
an international standard for enterprise risk management that replaces a myriad of other standards and methodologies.
ISO 3100
a suite of reports produced during an audit which is used by service organizations to issue validated reports on internal controls over those information systems and their users.
System and Organizational Controls SOC
provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the risks with cloud solutions.
Cloud Security Alliance’s Cloud Control Matrix
a set of procedures that an investigator follows when examining a security event.
Incident Response
What are the six incident response steps, in order:
Preparation, identification, containment, eradication, recovery, and lessons learned.
A Linux command-line utility used for querying and displaying logs from journald, the systemd logging service in Linux.
Journalctl
a multiplatform, open source log management tool that helps easily identify security risks, policy breaches, or analyze various operational logging systems.
Nxlog
a proprietary network protocol developed by Cisco that collects active IP traffic as it flows in or out of an interface, including its point of origin, destination, and paths on the network.
NetFlow
an open source version of NetFlow
sFlow
A universal standard of export for IP flow information from routers, probes, etc., used by various information systems, that defines how that information should be formatted and transferred to a collector.
Internet Protocol Flow Information Export IPFIX
Two methods that combat shellcode attacks:
ASLR and DEP
This is an indicator that shellcode is traversing the network.
Detecting patterns that contain NOP (no-operation) instructions.
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
Legal Hold
Name two popular digital forensic tools:
FTK (Forensics ToolKit) and EnCase
What can be used to investigate Windows security, system, and application logs?
Event Viewer
exchanging/swapping out multiple IP addresses that are associated with a malicious FQDN
Fast Fluxing
an early IPS evasion technique that split malicious traffic that bypassed IPS sensors.
Fragmentation
Open Source software and an open network that enables anonymous communications so that users can browse the web anonymously.
TOR The Onion Router
a very popular P2P file sharing application that is still in use.
BitTorrent
malware that downloads a file over the network and then executes that file.
Dropper
7 steps in Lockheed Martin’s cyber kill chain
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, and Actions on Objectives