Security Plus 601 Objectives

Terms in this set (692)
Eliciting information: Technique used to gather information without targets realizing they are providing it.
Whaling: Phishing aimed at senior employees like CEOs and CFOs, the "big fish".
Prepending: (1) Adding an expression or phrase, such as adding "SAFE" to a set of email headers, to attempt to fool a user into thinking a message has passed an antispam tool; (2) adding information as part of another attack to manipulate the outcome; (3) suggesting topics via a social engineering conversation to lead a target toward the information the social engineer is looking for.
Identity fraud: Use of someone else's identity.
Invoice scams: Sending fake invoices to organizations in the hope of receiving payment.
Credential harvesting: Process of gathering credentials like usernames and passwords.
Reconnaissance: Gathering of information about a target, whether that is an organization, an individual, or something else.
Hoax: Intentional falsehoods.
Impersonation: Acting as if you are someone else; can be a limited form of identity fraud.
Watering hole attack: Uses websites that targets frequent to attack them.
Typosquatting: Uses misspelled or slightly-off URLs that look similar to a legitimate site's.
Pretexting: Process of using a made-up scenario to justify why you are approaching an individual.
Influence campaigns: Turn public opinion in directions of the attacker's choosing; hybrid warfare; social media.
Hybrid warfare: Active measures like cyber warfare as well as propaganda and information warfare.
Principles (of social engineering): Authority; Intimidation; Consensus; Scarcity; Familiarity; Trust; Urgency.
Authority principle: Relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are.
Intimidation principle: Relies on scaring or bullying an individual into taking a desired action.
Consensus principle: Uses the fact that people tend to want to do what others are doing to persuade them to take an action.
Familiarity principle: Relies on you liking the individual, or even the organization the individual claims to represent.
Trust principle: Relies on a connection with the individual being targeted.
Urgency principle: Relies on creating a feeling that the action must be taken quickly for some reason.
Malware: Describes a wide range of software intentionally designed to cause harm to systems, devices, networks, or users: Ransomware; Trojans; Worms; Potentially unwanted programs (PUPs); Fileless virus; Command and control; Bots; Cryptomalware; Logic bombs; Spyware; Keyloggers; Remote access Trojan (RAT); Rootkit; Backdoor.
Keylogger: Programs that capture keystrokes from a keyboard, although they may also capture other input like mouse movement, touchscreen input, or credit card swipes from attached devices.
Logic bomb: Functions or code placed inside other programs that activate when set conditions are met.
Command and control (C&C): Operates in a client-server mode; infected systems contact central control systems, which provide commands and updates and track how many systems are in the botnet.
Fileless virus: Spreads via methods like spam email and malicious websites, exploiting flaws in browser plugins and web browsers themselves; runs in memory rather than being written to disk as a file.
Potentially unwanted program (PUP): Programs that may not be wanted by the user but are not as dangerous as other types of malware.
Backdoor: Methods or tools that provide access bypassing normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications.
Bots: Remotely controlled systems or devices that have a malware infection.
Ransomware: Takes over a computer and then demands a ransom.
Trojan horses: Type of malware typically disguised as legitimate software.
Remote access Trojans (RATs): Provide attackers with remote access to systems.
Worms: Do not require user interaction; often spread via attacks on vulnerable services, although any automated means of spread is possible, including email attachments and network file shares; self-install rather than requiring users to click on them.
Rootkit: Malware specifically designed to allow attackers to access a system through a backdoor while hiding its presence.
Adversarial artificial intelligence (AI): Deals with data poisoning, providing security and analytics AI and ML algorithms with adversarial input that serves the attacker's purposes, or attacks against privacy: tainted training data for machine learning (ML); security of machine learning algorithms.
Online password attack: Against a live system that may have defenses in place.
Offline password attack: Against a compromised or captured password store.
Rainbow table: Easily searchable database of precomputed hashes using the same hashing methodology as the captured password file.
Plain text (unencrypted) password: Without some form of protection, passwords that are just maintained in a list can be easily acquired and reused by even the most casual of attackers.
Brute force attack: Iterates through passwords until it finds one that works.
Password spraying: Form of brute force attack that attempts to use a single password or small set of passwords against many accounts.
Dictionary attacks: Form of brute force attack that uses a list of words for its attempts.
Buffer overflows
Card cloning: Focuses on capturing information from cards like RFID and magnetic stripe cards often used for entry access.
Supply chain attacks: Attempt to compromise devices, systems, or software before it even reaches an organization.
Malicious USB cables: Effectively invisible when one replaces an existing cable; it will not be noticed.
Malicious flash drive: Dropped in locations where it is likely to be picked up and plugged in by unsuspecting victims at the target organization.
Race conditions: Time of check/time of use.
Improper input handling
Secure Sockets Layer (SSL) stripping
On-path attack (previously known as man-in-the-middle attack/man-in-the-browser attack)
Password attacks: Spraying; Dictionary; Brute force; Offline; Online; Rainbow table; Plaintext/unencrypted.
Actors and threats: Advanced persistent threat (APT); Insider threats; State actors; Hacktivists; Script kiddies; Criminal syndicates; Hackers (authorized; unauthorized; semi-authorized); Shadow IT; Competitors.
Vectors: Direct access; Wireless; Email; Supply chain; Social media; Removable media; Cloud.
Physical attacks: Malicious Universal Serial Bus (USB) cable; Malicious flash drive; Card cloning; Skimming.
Weak configurations: Open permissions; Unsecure root accounts; Errors; Weak encryption; Unsecure protocols; Default settings; Open ports and services.
Cloud-based vs. on-premises attacks
Cryptographic attacks: Birthday; Collision; Downgrade.
Privilege escalation
Cross-site scripting
Injections: Structured query language (SQL); Dynamic-link library (DLL); Lightweight Directory Access Protocol (LDAP); Extensible Markup Language (XML).
Pointer/object dereference
Directory traversal
Third-party risks: Vendor management; System integration; Lack of vendor support; Supply chain; Outsourced code development; Data storage.
Error handling
Legacy platforms
Response and recovery controls
Replay attack: Session replays.
Integer overflow
Request forgeries: Server-side; Cross-site.
Application programming interface (API) attacks
Resource exhaustion
Cloud models: Infrastructure as a service (IaaS); Platform as a service (PaaS); Software as a service (SaaS); Anything as a service (XaaS); Public; Community; Private; Hybrid.
Memory leak
Managed service provider (MSP)/managed security service provider (MSSP)
Driver manipulation: Shimming; Refactoring.
Pass the hash
Edge computing
Wireless: Evil twin; Rogue access point; Bluesnarfing; Bluejacking; Disassociation; Jamming; Radio frequency identification (RFID); Near-field communication (NFC); Initialization vector (IV).
Containers
Layer 2 attacks: Address Resolution Protocol (ARP) poisoning; Media access control (MAC) flooding; MAC cloning.
Domain name system (DNS): Domain hijacking; DNS poisoning; Uniform Resource Locator (URL) redirection; Domain reputation.
Distributed denial of service (DDoS): Network; Application; Operational technology (OT).
Services integration
Resource policies
Transit gateway
Virtualization: Virtual machine (VM) sprawl avoidance; VM escape protection.
Environment: Development; Test; Staging; Production; Quality assurance (QA).
Malicious code or script execution: PowerShell; Python; Bash; Macros; Visual Basic for Applications (VBA).
Attributes of actors: Internal/external; Level of sophistication/capability; Resources/funding; Intent/motivation.
Secure coding techniques: Normalization; Stored procedures; Obfuscation/camouflage; Code reuse/dead code; Server-side vs. client-side execution and validation; Memory management; Use of third-party libraries and software development kits (SDKs); Data exposure.
Open Web Application Security Project (OWASP)
Software diversity: Compiler; Binary.
Threat intelligence sources: Open-source intelligence (OSINT); Closed/proprietary; Vulnerability databases; Public/private information-sharing centers; Dark web; Indicators of compromise; Automated Indicator Sharing (AIS); Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Intelligence Information (TAXII); Predictive analysis; Threat maps; File/code repositories.
Research sources: Vendor websites; Vulnerability feeds; Conferences; Academic journals; Request for comments (RFC); Local industry groups; Social media; Threat feeds; Adversary tactics, techniques, and procedures (TTP).
Scalability
Cloud-based vs. on-premises vulnerabilities
Zero-day
Biometrics: Fingerprint; Retina; Iris; Facial; Voice; Vein; Gait analysis; Efficacy rates; False acceptance; False rejection; Crossover error rate.
Multifactor authentication (MFA) factors and attributes: Factors (something you know; something you have; something you are); Attributes (somewhere you are; something you can do; something you exhibit; someone you know).
Improper or weak patch management: Firmware; Operating system (OS); Applications.
Passive and active reconnaissance: Drones; War flying; War driving; Footprinting; OSINT.
Impacts: Data loss; Data breaches; Data exfiltration; Identity theft; Financial; Reputation; Availability loss.
Threat hunting: Intelligence fusion; Threat feeds; Advisories and bulletins; Maneuver.
Vulnerability scans: False positives; False negatives; Log reviews; Credentialed vs. non-credentialed; Intrusive vs. non-intrusive; Application; Web application; Network; Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS); Configuration review.
Automation/scripting: Automated courses of action; Continuous monitoring; Continuous validation; Continuous integration; Continuous delivery; Continuous deployment.
Elasticity
Syslog/Security information and event management (SIEM): Review reports; Packet capture; Data inputs; User behavior analysis; Sentiment analysis; Security monitoring; Log aggregation; Log collectors.
Version control
Security orchestration, automation, and response (SOAR)
Penetration testing: Known environment; Unknown environment; Partially known environment; Rules of engagement; Lateral movement; Privilege escalation; Persistence; Cleanup; Bug bounty; Pivoting.
Exercise types: Red team; Blue team; White team; Purple team.
Configuration management: Diagrams; Baseline configuration; Standard naming conventions; Internet protocol (IP) schema.
Data sovereignty
On-premises vs. cloud
Data protection: Data loss prevention (DLP); Masking; Encryption; At rest; In transit/motion; In processing; Tokenization; Rights management.
Non-persistence: Revert to known state; Last known-good configuration; Live boot media.
High availability: Scalability.
Geographical considerations
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
Hashing
Supervisory control and data acquisition (SCADA)/industrial control system (ICS): Facilities; Industrial; Manufacturing; Energy; Logistics.
Internet of Things (IoT): Sensors; Smart devices; Wearables; Facility automation; Weak defaults.
API considerations
Site resiliency: Hot site; Cold site; Warm site.
Deception and disruption: Honeypots; Honeyfiles; Honeynets; Fake telemetry; DNS sinkhole.
Multifunction printer (MFP)
Real-time operating system (RTOS)
Cloud service providers
System on chip (SoC)
On-premises vs. off-premises
Fog computing
Thin client
Access control vestibules
Microservices/API
Alarms
Signage
Infrastructure as code: Software-defined networking (SDN); Software-defined visibility (SDV).
Serverless architecture
Provisioning and deprovisioning
Personnel: Guards; Robot sentries; Reception; Two-person integrity/control.
Locks: Biometrics; Electronic; Physical; Cable locks.
USB data blocker
Lighting
Fencing
Integrity measurement
Perfect forward secrecy
Drones
Faraday cages
Quantum: Communications; Computing.
Authentication methods: Directory services; Federation; Attestation; Technologies (time-based one-time password (TOTP); HMAC-based one-time password (HOTP); short message service (SMS); token key; static codes; authentication applications; push notifications; phone call; smart card authentication).
Post-quantum
Digital signatures
Ephemeral
Authentication, authorization, and accounting (AAA): A group of technologies used in remote access systems.
Cloud vs. on-premises requirements
Elliptic-curve cryptography
Blockchain: Public ledgers.
Cipher suites: Stream; Block.
Symmetric vs. asymmetric
Homomorphic encryption
Limitations: Speed; Size; Weak keys; Time; Longevity; Predictability; Reuse; Entropy; Computational overheads; Resource vs. security constraints.
Protocols: Domain Name System Security Extensions (DNSSEC); SSH; Secure/Multipurpose Internet Mail Extensions (S/MIME); Secure Real-time Transport Protocol (SRTP); Lightweight Directory Access Protocol over SSL (LDAPS); File Transfer Protocol, Secure (FTPS); SSH File Transfer Protocol (SFTP); Simple Network Management Protocol, version 3 (SNMPv3); Hypertext transfer protocol over SSL/TLS (HTTPS); IPSec (Authentication Header (AH)/Encapsulating Security Payload (ESP); tunnel/transport); Post Office Protocol (POP)/Internet Message Access Protocol (IMAP).
Endpoint protection: Antivirus; Anti-malware; Endpoint detection and response (EDR); DLP; Next-generation firewall (NGFW); Host-based intrusion prevention system (HIPS); Host-based intrusion detection system (HIDS); Host-based firewall.
Redundancy: Geographic dispersal; Disk (redundant array of inexpensive disks (RAID) levels; multipath); Network (load balancers; network interface card (NIC) teaming); Power (uninterruptible power supply (UPS); generator; dual supply; managed power distribution units (PDUs)).
Replication: Storage area network; VM.
Database: Tokenization; Salting; Hashing.
Backup types: Full; Incremental; Snapshot; Differential; Tape; Disk; Copy; Network-attached storage (NAS); Storage area network; Cloud; Image; Online vs. offline; Offsite storage (distance considerations).
Hardening: Open ports and services; Registry; Disk encryption; OS; Patch management (third-party updates; auto-update).
Self-encrypting drive (SED)/full-disk encryption (FDE): Opal.
Restoration order
Diversity: Technologies; Vendors; Crypto; Controls.
Embedded systems: Raspberry Pi; Field-programmable gate array (FPGA); Arduino.
Sandboxing
Virtual private network (VPN): Always-on; Split tunnel vs. full tunnel; Remote access vs. site-to-site; IPSec; SSL/TLS; HTML5; Layer 2 tunneling protocol (L2TP).
Specialized: Medical systems; Vehicles; Aircraft; Smart meters.
Voice over IP (VoIP)
Heating, ventilation, air conditioning (HVAC)
Network access control (NAC): Agent and agentless.
Surveillance systems
Acquisition: Order of volatility; Disk; Random-access memory (RAM); Swap/pagefile; OS; Device; Firmware; Snapshot; Cache; Network; Artifacts.
Communication considerations: 5G; Narrow-band; Baseband radio; Subscriber identity module (SIM) cards; Zigbee.
Constraints: Power; Compute; Network; Crypto; Inability to patch; Authentication; Range; Cost; Implied trust.
Bollards/barricades
Integrity: Hashing; Checksums; Provenance.
Badges
Network appliances: Jump servers; Proxy servers (forward; reverse); Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) (signature-based; heuristic/behavior; anomaly; inline vs. passive); HSM; Sensors; Collectors; Aggregators; Firewalls (web application firewall (WAF); NGFW; stateful; stateless; unified threat management (UTM); network address translation (NAT) gateway; content/URL filter; open-source vs. proprietary; hardware vs. software; appliance vs. host-based vs. virtual).
Access control list (ACL): Lists of rules used by routers and stateless firewalls. These devices use the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols.
Cameras: Motion recognition; Object detection.
Closed-circuit television (CCTV)
Industrial camouflage
Route security
Preservation
Implications of IPv6
Data recovery
Fire suppression
Sensors: Motion detection; Noise detection; Proximity reader; Moisture detection; Cards; Temperature.
Monitoring services
Visitor logs
File integrity monitors
Air gap
Screened subnet (previously known as demilitarized zone)
Protected cable distribution
Secure areas: Air gap; Vault; Safe; Hot aisle; Cold aisle.
Secure data destruction: Burning; Shredding; Pulping; Pulverizing; Degaussing; Third-party solutions.
Strategic intelligence/counterintelligence
Key length
Key stretching
Salting
Authentication protocols: Extensible Authentication Protocol (EAP); Protected Extensible Authentication Protocol (PEAP); EAP-FAST; EAP-TLS; EAP-TTLS; IEEE 802.1X; Remote Authentication Dial-in User Service (RADIUS) Federation.
Key exchange
Methods: Pre-shared key (PSK) vs. Enterprise vs. Open; WiFi Protected Setup (WPS); Captive portals.
Installation considerations: Site surveys; Heat maps; WiFi analyzers; Channel overlaps; Wireless access point (WAP) placement; Controller and access point security.
Control type: Preventive; Detective; Corrective; Deterrent; Compensating; Physical.
Regulations, standards, and legislation: General Data Protection Regulation (GDPR); National, territory, or state laws; Payment Card Industry Data Security Standard (PCI DSS).
Mobile devices: MicroSD hardware security module (HSM); MDM/Unified Endpoint Management (UEM); Mobile application management (MAM); SEAndroid.
Modes of operation: Authenticated; Unauthenticated; Counter.
Benchmarks/secure configuration guides: Platform/vendor-specific guides (web server; OS; application server; network infrastructure devices).
Third-party risk management: Vendors; Supply chain; Business partners; Service level agreement (SLA); Memorandum of understanding (MOU); Measurement systems analysis (MSA); Business partnership agreement (BPA); End of life (EOL); End of service life (EOSL); NDA.
Cloud security controls: High availability across zones; Resource policies; Secrets management; Integration and auditing; Storage (permissions; encryption; replication; high availability); Network (virtual networks; public and private subnets; segmentation; API inspection and integration); Compute (security groups; dynamic resource allocation; instance awareness; virtual private cloud (VPC) endpoint; container security).
Lightweight cryptography
Steganography: Audio; Video; Image.
Data (5.3): Classification; Governance; Retention.
Common use cases: Low power devices; Low latency; High resiliency; Supporting confidentiality; Supporting integrity; Supporting obfuscation; Supporting authentication; Supporting non-repudiation.
Cloud native controls vs. third-party solutions
Credential policies: Personnel; Third-party; Devices; Service accounts; Administrator/root accounts.
Use cases: Voice and video; Time synchronization; Email and web; File transfer; Directory services; Remote access; Domain name resolution; Routing and switching; Network address allocation; Subscription services.
Account types (3.7): User account; Shared and generic accounts/credentials; Guest accounts; Service accounts.
Boot integrity: Boot security/Unified Extensible Firmware Interface (UEFI); Measured boot; Boot attestation.
Account policies (3.7): Password complexity; Password history; Password reuse; Network location; Geofencing; Geotagging; Geolocation; Time-based logins; Access policies; Account permissions; Account audits; Impossible travel time/risky login; Lockout; Disablement.
Application security: Input validations; Secure cookies; Hypertext Transfer Protocol (HTTP) headers; Code signing; Allow list; Block list/deny list; Secure coding practices; Static code analysis (manual code review); Dynamic code analysis; Fuzzing.
Risk types: External; Internal; Legacy systems; Multiparty; IP theft; Software compliance/licensing.
Hardware root of trust
Trusted Platform Module (TPM)
Business impact analysis: Recovery time objective (RTO); Recovery point objective (RPO); Mean time to repair (MTTR); Mean time between failures (MTBF); Functional recovery plans; Single point of failure; Disaster recovery plan (DRP); Mission essential functions; Identification of critical systems; Site risk assessment.
Load balancing: Active/active; Active/passive; Scheduling; Virtual IP; Persistence.
Network segmentation: Virtual local area network (VLAN); Screened subnet (previously known as demilitarized zone); East-west traffic; Extranet; Intranet; Zero Trust.
DER: Distinguished Encoding Rules
Notifications of breaches: Escalation; Public notifications and disclosures.
Access control schemes: Attribute-based access control (ABAC); Role-based access control; Rule-based access control; MAC; Discretionary access control (DAC); Conditional access; Privileged access management; Filesystem permissions.
Out-of-band management
Port security: Broadcast storm prevention; Bridge Protocol Data Unit (BPDU) guard; Loop prevention; Dynamic Host Configuration Protocol (DHCP) snooping; Media access control (MAC) filtering.
Public key infrastructure (PKI): Key management; Certificate authority (CA); Intermediate CA; Registration authority (RA); Certificate revocation list (CRL); Certificate attributes; Online Certificate Status Protocol (OCSP); Certificate signing request (CSR); CN; Subject alternative name; Expiration.
DES: Data Encryption Standard
Certificate formats: Distinguished encoding rules (DER); Privacy enhanced mail (PEM); Personal information exchange (PFX); .cer; P12; P7B.
Quality of service (QoS)
Concepts: Online vs. offline CA; Stapling; Pinning; Trust model; Key escrow; Certificate chaining.
Port spanning/port mirroring: Port taps.
Network reconnaissance and discovery: tracert/traceroute; nslookup/dig; ipconfig/ifconfig; nmap; ping/pathping; hping; netstat; netcat; IP scanners; arp; route; curl; theHarvester; sn1per; scanless; dnsenum; Nessus; Cuckoo.
File manipulation: head; tail; cat; grep; chmod; logger.
Cryptographic protocols: WiFi Protected Access 2 (WPA2); WiFi Protected Access 3 (WPA3); Counter-mode/CBC-MAC Protocol (CCMP); Simultaneous Authentication of Equals (SAE).
DKIM: DomainKeys Identified Mail
Packet capture and replay: Tcpreplay; Tcpdump; Wireshark.
Roles and responsibilities (5.5): Data owners; Data controller; Data processor; Data custodian/steward; Data protection officer (DPO).
Connection methods and receivers: Cellular; WiFi; Bluetooth; NFC; Infrared; USB; Point-to-point; Point-to-multipoint; Global Positioning System (GPS); RFID.
Mobile device management (MDM): Application management; Content management; Remote wipe; Geofencing; Geolocation; Screen locks; Push notifications; Passwords and PINs; Biometrics; Context-aware authentication; Containerization; Storage segmentation; Full device encryption.
Exploitation frameworks
Enforcement and monitoring of: Third-party application stores; Rooting/jailbreaking; Sideloading; Custom firmware; Carrier unlocking; Firmware over-the-air (OTA) updates; Camera use; SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS); External media; USB On-The-Go (USB OTG); Recording microphone; GPS tagging; WiFi direct/ad hoc; Tethering; Hotspot; Payment methods.
Deployment models: Bring your own device (BYOD); Corporate-owned personally enabled (COPE); Choose your own device (CYOD); Corporate-owned; Virtual desktop infrastructure (VDI).
Password crackers
Solutions: CASB; Application security; Next-generation secure web gateway (SWG); Firewall considerations in a cloud environment (cost; need for segmentation; Open Systems Interconnection (OSI) layers).
Information life cycle
Identity (3.7): Identity provider (IdP); Attributes; Certificates; Tokens; SSH keys; Smart cards.
Impact assessment
Incident response process: Preparation; Identification; Containment; Eradication; Recovery; Lessons learned.
DLP: Data Loss Prevention
Authentication management: Password keys; Password vaults; TPM; HSM; Knowledge-based authentication.
Authentication/authorization: EAP; Challenge-Handshake Authentication Protocol (CHAP); Password Authentication Protocol (PAP); 802.1X; RADIUS; Single sign-on (SSO); Security Assertion Markup Language (SAML); Terminal Access Controller Access Control System Plus (TACACS+); OAuth; OpenID; Kerberos.
Attack frameworks: MITRE ATT&CK; The Diamond Model of Intrusion Analysis; Cyber Kill Chain.
Stakeholder management
Types of certificates: Wildcard; Subject alternative name; Code signing; Self-signed; Machine/computer; Email; User; Root; Domain validation; Extended validation.
Privacy notice
Disaster recovery plan
3DES: Triple Data Encryption Standard
Continuity of operations planning (COOP)
Shell and script environments: SSH; PowerShell; Python; OpenSSL.
Incident response team
Forensics: dd; Memdump; WinHex; FTK imager; Autopsy.
Retention policies
DNS: Domain Name System
Data sanitization
Incident response plans
ABAC: Attribute-based Access Control
Exercises: Tabletop; Walkthroughs; Simulations.
Log files: Network; System; Application; Security; Web; DNS; Authentication; Dump files; VoIP and call managers; Session Initiation Protocol (SIP) traffic.
syslog/rsyslog/syslog-ng
Communication plan
DNSSEC: Domain Name System Security Extensions
Business continuity plan
NXLog
AD: Active Directory
AES: Advanced Encryption Standard. A strong symmetric block cipher that encrypts data in 128-bit blocks. AES can use key sizes of 128, 192, or 256 bits.
Vulnerability scan output
SIEM dashboards: Sensor; Sensitivity; Trends; Alerts; Correlation.
Netflow/sFlow: Netflow; sFlow; IPFIX.
Protocol analyzer output
journalctl
AES256: Advanced Encryption Standard with a 256-bit key
Bandwidth monitors
Metadata: Email; Mobile; Web; File.
AH: Authentication Header
Isolation
Reconfigure endpoint security solutions: Application approved list; Application blocklist/deny list; Quarantine.
Configuration changes: Firewall rules; MDM; DLP; Content filter/URL filter; Update or revoke certificates.
Containment
Segmentation
DoS: Denial-of-Service
SOAR: Runbooks; Playbooks.
Documentation/evidence: Legal hold; Video; Admissibility; Chain of custody; Timelines of sequence of events (time stamps; time offset); Tags; Reports; Event logs; Interviews.
AIS: Automated Indicator Sharing
On-premises vs. cloud (4.5): Right-to-audit clauses; Regulatory/jurisdiction; Data breach notification laws.
ALE: Annualized Loss Expectancy
AP: Access Point
E-discovery
DRP: Disaster Recovery Plan
Non-repudiation
APT: Advanced Persistent Threat
Category: Managerial; Operational; Technical.
ARO: Annualized Rate of Occurrence
DSA: Digital Signature Algorithm
Key frameworks: Center for Internet Security (CIS); National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF); International Organization for Standardization (ISO) 27001/27002/27701/31000; SSAE SOC 2 Type I/II; Cloud Security Alliance; Cloud Controls Matrix; Reference architecture.
DSL: Digital Subscriber Line
Personnel (5.3): Acceptable use policy; Job rotation; Mandatory vacation; Separation of duties; Least privilege; Clean desk space; Background checks; Non-disclosure agreement (NDA); Social media analysis; Onboarding; Offboarding; User training (gamification; capture the flag; phishing campaigns/phishing simulations; computer-based training (CBT); role-based training).
Diversity of training techniques
ASP: Active Server Pages
EAP: Extensible Authentication Protocol
AUP: Acceptable Use Policy. A policy defining proper system usage and the rules of behavior for employees. It often describes the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.
Organizational policies: Change management; Change control; Asset management.
ECC: Elliptic-curve Cryptography
Risk management strategies: Acceptance; Avoidance; Transference (cybersecurity insurance); Mitigation.
Risk analysis: Risk register; Risk matrix/heat map; Risk control assessment; Risk control self-assessment; Risk awareness; Inherent risk; Residual risk; Control risk; Risk appetite; Regulations that affect risk posture; Risk assessment types (qualitative; quantitative); Likelihood of occurrence; Impact; Asset value; Single-loss expectancy (SLE); Annualized loss expectancy (ALE); Annualized rate of occurrence (ARO).
Disasters: Environmental; Person-made; Internal vs. external.
ECDSA: Elliptic-curve Digital Signature Algorithm
Organizational consequences of privacy and data breaches: Reputation damage; Identity theft; Fines; IP theft.
BCP: Business Continuity Planning
Data types: Classifications (public; private; sensitive; confidential; critical; proprietary); Personally identifiable information (PII); Health information; Financial information; Government data; Customer data.
Privacy enhancing technologies: Data minimization; Data masking; Tokenization; Anonymization; Pseudo-anonymization.
BGP: Border Gateway Protocol
BIA: Business Impact Analysis
EIP: Extended Instruction Pointer
Terms of agreement
EOS: End of Service
BPDU: Bridge Protocol Data Unit
AAA: Authentication, Authorization, and Accounting
BSSID: Basic Service Set Identifier
ACL: Access Control List
BYOD: Bring Your Own Device
ESN: Electronic Serial Number
CAPTCHA: Completely Automated Public Turing Test to Tell Computers and Humans Apart
CAR: Corrective Action Report
AI: Artificial Intelligence
CASB: Cloud Access Security Broker
CBC: Cipher Block Chaining
ESP: Encapsulating Security Payload
API: Application Programming Interface
CCMP: Counter-Mode/CBC-MAC Protocol
MOA: Memorandum of Agreement
ARP: Address Resolution Protocol
ASLR: Address Space Layout Randomization
CERT: Computer Emergency Response Team
ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
CFB: Cipher Feedback
AV: Antivirus
BASH: Bourne Again Shell
CHAP: Challenge-Handshake Authentication Protocol
MPLS: Multiprotocol Label Switching
CIRT: Computer Incident Response Team
BIOS: Basic Input/Output System
BPA: Business Partnership Agreement
FDE: Full Disk Encryption
CMS: Content Management System
CN: Common Name
CA: Certificate Authority
MSP: Managed Service Provider
FPGA: Field Programmable Gate Array
NTLM: New Technology LAN Manager
CRC: Cyclic Redundancy Check
CBT: Computer-based Training
OSI: Open Systems Interconnection
CCTV: Closed-Circuit Television
PaaS: Platform as a Service
CSIRT: Computer Security Incident Response Team
GCM: Galois/Counter Mode
CIO: Chief Information Officer
GDPR: General Data Protection Regulation
CIS: Center for Internet Security
CSR: Certificate Signing Request
PAP: Password Authentication Protocol
COOP: Continuity of Operations Planning
COPE: Corporate-owned Personally Enabled
CP: Contingency Planning
CTM: Counter-Mode
CRL: Certificate Revocation List
CSA: Cloud Security Alliance
PBX: Private Branch Exchange
CSO: Chief Security Officer
CSP: Cloud Service Provider
CVE: Common Vulnerabilities and Exposures
CSU: Channel Service Unit
CVSS: Common Vulnerability Scoring System
CTO: Chief Technology Officer
CYOD: Choose Your Own Device
PPP: Point-to-Point Protocol
DBA: Database Administrator
DAC: Discretionary Access Control
DDoS: Distributed Denial-of-Service
GPU: Graphics Processing Unit
DEP: Data Execution Prevention
GRE: Generic Routing Encapsulation
PTZ: Pan-Tilt-Zoom
DHCP: Dynamic Host Configuration Protocol
DHE: Diffie-Hellman Ephemeral
HDD: Hard Disk Drive
DLL: Dynamic-link Library
RADIUS: Remote Authentication Dial-in User Service
DMARC: Domain-based Message Authentication, Reporting, and Conformance
DNAT: Destination Network Address Translation
HIPS: Host-based Intrusion Prevention System
HMAC: Hash-based Message Authentication Code
RC4: Rivest Cipher version 4
DPO: Data Protection Officer
HSM: Hardware Security Module
RIPEMD: RACE Integrity Primitives Evaluation Message Digest
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
ECB: Electronic Code Book
HTTPS: Hypertext Transfer Protocol Secure
ECDHE: Elliptic-curve Diffie-Hellman Ephemeral
HVAC: Heating, Ventilation, Air Conditioning
EDR: Endpoint Detection and Response
EFS: Encrypted File System
IaaS: Infrastructure as a Service
EOL: End of Life
ROI: Return on Investment
ERP: Enterprise Resource Planning
ICMP: Internet Control Message Protocol
ICS: Industrial Control Systems
ESSID: Extended Service Set Identifier
FACL: File System Access Control List
IDEA: International Data Encryption Algorithm
FIM: File Integrity Monitoring
RTOS: Real-time Operating System
FRR: False Rejection Rate
FTP: File Transfer Protocol
FTPS: File Transfer Protocol Secure
SAE: Simultaneous Authentication of Equals
IDS: Intrusion Detection System
GPG: GNU Privacy Guard
GPO: Group Policy Object
GPS: Global Positioning System
SCEP: Simple Certificate Enrollment Protocol
IKE: Internet Key Exchange
HA: High Availability
SDK: Software Development Kit
HIDS: Host-based Intrusion Detection System
SDLC: Software Development Life Cycle
IoC: Indicators of Compromise
HOTP: HMAC-based One-time Password
SDLM: Software Development Life-cycle Methodology
HSMaaS: Hardware Security Module as a Service
IP: Internet Protocol
SDN: Software-defined Networking
SDP: Service Delivery Platform
IR: Incident Response
IRC: Internet Relay Chat
IAM: Identity and Access Management
IRP: Incident Response Plan
SDV: Software-defined Visibility
ISFW: Internal Segmentation Firewall
IDF: Intermediate Distribution Frame
IdP: Identity Provider
ISO: International Organization for Standardization
IEEE: Institute of Electrical and Electronics Engineers
SED: Self-Encrypting Drives
IM: Instant Messaging
IMAP4: Internet Message Access Protocol v4
ISSO: Information Systems Security Officer
IoT: Internet of Things
SEH: Structured Exception Handling
IPS: Intrusion Prevention System
IPSec: Internet
Protocol SecurityIV Initialization VectorKDC Key Distribution CenterKEK Key Encryption KeyISA Interconnection Security AgreementL2TP Layer 2 Tunneling ProtocolSFTP SSH File Transfer ProtocolISP Internet Service ProviderLDAP Lightweight Directory Access ProtocolITCP IT Contingency PlanLEAP Lightweight Extensible Authentication ProtocolMaaS Monitoring as a ServiceMAC Media Access ControlSHA Secure Hashing AlgorithmLAN Local Area NetworkSIEM Security Information and Event ManagementSIM Subscriber Identity ModuleMD5 Message Digest 5MDF Main Distribution FrameMAM Mobile Application ManagementMAN Metropolitan Area NetworkMBR Master Boot RecordSIP Session Initiation ProtocolMFA Multifactor AuthenticationMDM Mobile Device ManagementSLA Service-level AgreementMFD Multifunction DeviceMFP Multifunction PrinterML Machine LearningMMS Multimedia Message ServiceSLE Single Loss ExpectancyMOU Memorandum of UnderstandingSMB Server Message BlockMSA Measurement Systems AnalysisMS-CHAP Microsoft Challenge-Handshake Authentication ProtocolS/MIME (Secure/Multipurpose Internet Mail Extensions) definitionMSSP Managed Security Service ProviderMTBF Mean Time Between FailuresMTTF Mean Time to FailureMTTR Mean Time to RepairMTU Maximum Transmission UnitNAC Network Access ControlNAS Network-attached StorageNAT Network Address TranslationNDA Non-disclosure AgreementNFC Near-field CommunicationNFV Network Function VirtualizationNGFW Next-generation FirewallNG-SWG (Next-generation Secure Web Gateway)NIC Network Interface CardNIDS Network-based Intrusion Detection SystemNIPS Network-based Intrusion Prevention SystemNIST National Institute of Standards & TechnologyNOC Network Operations CenterNTFS New Technology File SystemSMS Short Message ServiceNTP Network Time ProtocolOCSP Online Certificate Status ProtocolOID Object IdentifierOS Operating SystemSMTP Simple Mail Transfer ProtocolOSINT Open-source IntelligenceOSPF Open Shortest Path FirstOT Operational TechnologyOTA Over-The-AirOTG On-The-GoOVAL 
Open Vulnerability and Assessment LanguageOWASP Open Web Application Security ProjectP12 PKCS #12P2P Peer-to-PeerSMTPS Simple Mail Transfer Protocol SecurePAC Proxy Auto ConfigurationPAM Privileged Access ManagementPAM Pluggable Authentication ModulesSNMP Simple Network Management ProtocolPAT Port Address TranslationPBKDF2 Password-based Key Derivation Function 2SOAP (Simple Object Access Protocol)PCAP Packet CapturePCI DSS Payment Card Industry Data Security StandardPDU Power Distribution UnitPE Portable ExecutablePEAP Protected Extensible Authentication ProtocolPED Portable Electronic DevicePEM Privacy Enhanced MailPFS Perfect Forward SecrecyPGP Pretty Good PrivacyPHI Personal Health InformationPII Personally Identifiable InformationPIN Personal Identification NumberPIV Personal Identity VerificationPKCS Public Key Cryptography StandardsPKI Public Key InfrastructurePoC Proof of ConceptPOP Post Office ProtocolPOTS Plain Old Telephone ServiceSOAR (security orchestration, automation, and response)PPTP Point-to-Point Tunneling ProtocolPSK Preshared KeySoC (System on a Chip)PUP Potentially Unwanted ProgramQA Quality AssuranceQoS Quality of ServiceRA Registration AuthorityRAD Rapid Application DevelopmentSOC (Security Operations Center)RAID Redundant Array of Inexpensive DisksRAM Random Access MemoryRAS Remote Access ServerRAT (Remote Access Trojan)SPF Sender Policy FrameworkRCS Rich Communication ServicesRFC Request for CommentsRFID Radio Frequency IdentificationSPIM Spam over Instant MessagingSQL Structured Query LanguageRPO Recovery Point ObjectiveRSA Rivest, Shamir, & AdlemanRTBH Remotely Triggered Black HoleRTO Recovery Time ObjectiveSQLi SQL InjectionRTP Real-time Transport ProtocolS/MIME Secure/Multipurpose Internet Mail ExtensionsSaaS Software as a ServiceSRTP Secure Real-time Transport ProtocolSAML Security Assertions Markup LanguageSCADA Supervisory Control and Data AcquisitionSCAP (Security Content Automation Protocol)SSD Solid State DriveSSH Secure 
ShellSSID Service Set IdentifierSSL Secure Sockets LayerSSO Single Sign-onSTIX (Structured Threat Information eXpression)STP Shielded Twisted PairSWG Secure Web GatewayTACACS+ Terminal Access Controller Access Control SystemTAXII Trusted Automated eXchange of Intelligence InformationTCP/IP Transmission Control Protocol/Internet ProtocolTGT Ticket Granting TicketTKIP Temporal Key Integrity ProtocolTLS Transport Layer SecurityTOTP Time-based One Time PasswordTPM Trusted Platform ModuleTSIG Transaction SignatureTTP Tactics, Techniques, and ProceduresUAT User Acceptance TestingUDP User Datagram ProtocolUEBA User and Entity Behavior AnalyticsUEFI Unified Extensible Firmware InterfaceUEM Unified Endpoint ManagementUPS Uninterruptible Power SupplyURI Uniform Resource IdentifierURL Universal Resource LocatorUSB Universal Serial BusUSB OTG USB On-The-GoUTM Unified Threat ManagementUTP Unshielded Twisted PairVBA Visual Basic for ApplicationsVDE Virtual Desktop EnvironmentVDI Virtual Desktop InfrastructureVLAN Virtual Local Area NetworkVLSM Variable-length Subnet MaskingVM Virtual MachineVoIP Voice over IPVPC Virtual Private CloudVPN Virtual Private NetworkVTC Video TeleconferencingWAF Web Application FirewallWAP Wireless Access PointAccess Point. A device that connects wireless clients to wireless networksWEP Wired Equivalent PrivacyWIDS Wireless Intrusion Detection SystemWIPS Wireless Intrusion Prevention SystemWORM Write Once Read ManyWPA WiFi Protected AccessWPS WiFi Protected SetupXaaS Anything as a ServiceXML (Extensible Markup Language)XOR (Exclusive OR)XSRF Cross-site Request ForgeryXSS Cross-site Scriptingactive reconnaissanceA penetration testing method used to collect information. It sends data to systems and analyzes responses to gain information on the hocA connection mode used by wireless devices without an AP. When wireless devices connect through an AP, they are using infrastructure mode.affinityA scheduling method used with load balancers. 
It uses the client's IP address to ensure the client is redirected to the same server during a session