What are infrared sensors?
They rely on infrared light, or heat radiation. They look for changes in infrared radiation in a room or space and alert when that change occurs.
Name at least five social engineering techniques.
Phishing, vishing, smishing, misinformation, disinformation, business email compromise, pretexting, watering hole attack, impersonation, brand impersonation, and typosquatting.
What is the difference between misinformation and disinformation?
Misinformation is incorrect information, often resulting from getting facts wrong. Disinformation is incorrect, inaccurate, or outright false information that is intentionally provided to serve an individual or organization’s goals.
What are three common questions that come into play when we assess a threat intelligence source or a specific threat intelligence notification?
- Is it timely?
- Is the information accurate?
- Is the information relevant?
What is resource exhaustion?
Resource exhaustion is when systems consume all of the memory, storage, processing time, or other resources available to them, rendering the system disabled or crippled for other uses.
Describe how RFID cloning attacks work.
RFID cloning attacks work by cloning an RFID tag or card.
What ensures that acquired images are intact?
Hashing and validating
Name four use cases for forensics.
Forensics may be used for investigations, incident response, intelligence, and counterintelligence.
What are two types of proxy servers?
Forward proxies are placed between clients and servers, and they accept requests from clients and send them forward to servers. Reverse proxies are placed between servers and clients, and they are used to help with load balancing and caching of content.
What are two types of advanced security camera capabilities?
Motion recognition and object detection
List and explain two categories of scalability and their advantages.
Vertical scalability uses a more capable system or device and helps when all tasks or functions need to be handled on the same system or infrastructure. Horizontal scaling uses more, smaller systems or devices. A horizontally scaled system can take advantage of the ability to transparently add and remove more resources, allowing it to adjust as needs grow or shrink, and it allows opportunities for transparent upgrades, patching, and even incident response.
Name four common mobile device deployment and management models.
BYOD (bring your own device), CYOD (choose your own device), COPE (corporate owned, personally enabled), and corporate owned.
What is the difference between symmetric and asymmetric cryptography?
Symmetric cryptosystems use a shared secret key available to all users of the cryptosystem. Asymmetric cryptosystems use individual combinations of public and private keys for each user of the system.
What actor is most commonly associated with corporate espionage?
Competitors may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.
What kinds of potential downfalls does disk encryption bring?
If the encryption key is lost, the data on the drive will likely be unrecoverable since the same strong encryption that protects it will make it unlikely that you will be able to brute-force the key and acquire the data. Technical support can be more challenging, and data corruption or other issues can have a larger impact, resulting in unrecoverable data.
What are web application firewalls?
Security devices that are designed to be able to intercept, analyze, and apply rules to web traffic, including tools like database queries, APIs, and other web application tools.
What are common elements in a typical forensic report?
A summary of the forensic investigation and findings; an outline of the forensic process, including tools used and any assumptions that were made about the tools or process; a series of sections detailing the findings for each device or drive—accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail; and recommendations or conclusions in more detail than the summary included.
What security constraints do you need to take into account when you consider security for embedded systems?
The overall computational power and capacity of embedded systems is usually much lower than a traditional PC or mobile device; embedded systems may not connect to a network; without network connectivity, CPU and memory capacity, and other elements, authentication is also likely to be impossible; and embedded systems may be very low cost, but many are effectively very high cost because they are a component in a larger industrial or specialized device.
Name 10 attacker motivations.
Data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical/political beliefs, ethical, revenge, disruption/chaos, and war.
Define due care.
It refers to the ongoing efforts to ensure that the implemented policies and controls are effective and continuously maintained.
List four standard agreements used in third-party risk management.
Master service agreements (MSAs), service level agreements (SLAs), memorandums of understanding (MOUs), memorandums of agreement (MOAs), and business partner agreements (BPAs).
What is a bollard?
Bollards are posts or other obstacles that prevent vehicles from moving through an area. Bollards may look like posts, pillars, or even planters, but their purpose remains the same: preventing vehicle access.
What is a data subject?
An individual whose personal data is being processed.
What are four common methods of testing resilience and recovery controls?
Tabletop exercises, simulation exercises, parallel processing, and failover exercises
Give some examples of weak configurations.
The use of default settings that pose a security risk; the presence of default credentials or unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges; open ports and services that are not necessary to support normal system operations; and open permissions that allow users access that violates the principle of least privilege.
What category of information includes any information that uniquely identifies an individual person, including customers, employees, and third parties?
Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
What type of attacker acts with authorization?
An authorized attacker is one who acts with authorization and seeks to discover security vulnerabilities with the intent of correcting them.
What term describes the means that an attacker uses to gain access to a system?
Threat vectors are the means that threat actors use to obtain access to a system.
What are two distinct goals of digital signature infrastructure?
Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation. Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification and unintentional modification.
What is NFC and how is it most frequently used?
NFC, or near-field communication, is used for very short-range communication between devices. You’ve likely seen NFC used for payment terminals using Apple Pay or Google Wallet on cell phones. NFC is limited to short range, meaning that it is not used to build networks of devices; instead it is primarily used for low-bandwidth, device-to-device purposes.
Identify the four key phases of a penetration test.
Initial access, privilege escalation, pivoting (lateral movement), and persistence.
After an event or incident, what process is used to determine why it occurred?
Root cause analysis is used to determine why an event or issue occurred.
List and explain two principles we need to apply in application resilience.
- Scalability says that applications should be designed so that computing resources they require may be incrementally added to support increasing demand.
- Elasticity goes a step further than scalability and says that applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when they are no longer needed.
What are four types of information-gathering tools included in the Security+ exam outline?
Honeypots are configured to appear to be vulnerable and are heavily instrumented to record what an attacker does. Honeynets are networks set up to collect information about network attacks. A honeyfile is an intentionally attractive file that contains unique, detectable data that is left in an area for attackers to take. Honeytokens are data intended to be attractive to attackers and are used to allow security professionals to track data.
List four incident response plan types.
Communication plans, stakeholder management plans, business continuity plans, and disaster recovery plans
What kinds of issues should security analysts be aware of when dealing with IoT devices?
Poor security practices, including weak default settings, lack of network security (firewalls), exposed or vulnerable services, lack of encryption for data transfer, weak authentication, use of embedded credentials, and insecure data storage; short support lifespans; and vendor data handling practice issues.
List 5 common logs used by incident responders.
System logs, application logs, security logs, vulnerability scan output, network and security device logs, web logs, DNS logs, authentication logs, dump files, and VoIP and SIP logs.
List and explain three major types of authentication in modern Wi-Fi networks.
- Open networks do not require authentication or use encryption and often use a captive portal to obtain information from users.
- Preshared keys (PSK) require that a passphrase or key is shared with anybody who wants to use the network and provides encryption.
- Enterprise authentication relies on a RADIUS server and utilizes an EAP protocol for authentication.
What is the Linux dd command? Give an example to copy a drive mounted as /dev/sda to a file called example.img.
The Linux dd command is a command-line utility that allows you to create disk images for forensic or other purposes.
Example: dd if=/dev/sda of=example.img conv=noerror,sync
What is business email compromise?
Business email compromise (BEC) relies on using apparently legitimate email addresses to conduct scams and other attacks.
What are rootkits?
Malware specifically designed to allow attackers to access a system through a backdoor.
What allows engineers to interact with and modify cloud resources through their APIs?
Software-defined networking (SDN).
What term describes the original level of risk that exists before implementing any controls?
The inherent risk facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization’s business.
List three common biometric technologies.
Fingerprints, retina scanning, iris recognition, facial recognition, voice recognition, vein recognition, and gait analysis
List some weaknesses of symmetric key cryptography.
Key exchange is a major problem; symmetric key cryptography does not implement nonrepudiation; the algorithm is not scalable; and keys must be regenerated often.
What are two primary models for generation of one-time passwords?
Time-based one-time passwords (TOTP) and HMAC-based one-time passwords (HOTP).
What principle says that individuals should only be granted the minimum set of permissions necessary to carry out their job functions?
The principle of least privilege says that individuals should only be granted the minimum set of permissions necessary to carry out their job functions.
What is data minimization and how can we do it?
Data minimization techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.
What is used to ensure that the organization that may be engaged in litigation retains relevant data?
A legal hold.
What is a data protection officer (DPO)?
The European Union’s General Data Protection Regulation (GDPR) requires that every data controller designate a data protection officer (DPO) who bears overall responsibility for carrying out the organization’s data privacy efforts.
What is shadow IT?
IT implementations, systems, and services created through unofficial means, often by well-meaning employees or by employees outside of central IT.
What control should organizations put in place to ensure that successful ransomware infections do not incapacitate the company?
One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted by ransomware.
What is malware?
The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.
What are two types of Bluetooth attacks and what are their differences?
Bluejacking sends unsolicited messages to Bluetooth-enabled devices. Bluesnarfing is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains.
Give three valuable information sources for reconciling scan results.
Log reviews from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities; security information and event management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence; and configuration management systems that provide information on the operating system and applications installed on a system.
What is insecure direct object reference?
If the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority. This situation is known as an insecure direct object reference.
What is the function of a hardware security module (HSM)?
HSMs manage encryption keys and perform cryptographic operations efficiently.
What does the social engineering principle of authority rely on?
Authority relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are.
What are four key metrics in the BIA process?
Mean Time Between Failures (MTBF) is the expected amount of time between system failures. Mean Time to Repair (MTTR) is the average amount of time to restore a system to its normal operating state after a failure. Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. Recovery Point Objective (RPO) is the amount of data that the organization can tolerate losing during an outage.
What term is used to describe using cryptographic techniques to embed secret messages within another file, such as hiding a message within an image file?
Steganography is the art of using cryptographic techniques to embed secret messages within another file.
Name at least three authentication technologies.
Extensible Authentication Protocol (EAP), Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), 802.1X, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and Kerberos
What term refers to medical records maintained by health-care providers and other organizations that are subject to HIPAA?
Protected health information (PHI)
What are some examples of managerial controls?
Periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices
What does the social engineering principle of intimidation rely on?
Intimidation relies on scaring or bullying an individual into taking a desired action.
What is a data steward?
An individual who carries out the intent of the data controller or stewardship responsibility but is responsible for the secure safekeeping of information.
What documentation is created to demonstrate that forensic data and artifacts were handled properly and that they were not modified or changed during the forensic process?
Chain-of-custody documentation.
How do developers provide a way to confirm the authenticity of their code to end users?
Through code signing. Developers digitally sign their code with their own private key and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.
What are three major types of disaster recovery sites used for site resilience?
Hot sites, warm sites, and cold sites
What do you call a document that provides mandatory requirements describing how an organization will carry out its information security policies?
A standard
Explain active/active vs. active/passive load balancers.
Active/active load balancer designs distribute the load among multiple systems that are online and in use at the same time. Active/passive load balancer designs bring backup or secondary systems online when an active system is removed or fails to respond properly to a health check.
What is a VPN?
A virtual private network (VPN) is a way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.
What are cryptographic key management systems used for?
Cryptographic key management systems are used to store keys and certificates as well as to manage them centrally.
What term is used for a document that provides a high-level statement of management intent?
A policy
How do environmental attacks work?
Environmental attacks include attacks like targeting an organization’s heating and cooling systems, maliciously activating a sprinkler system, and similar actions.
What is an evil twin?
A malicious fake access point that is set up to appear to be a legitimate, trusted network.
What are two common NAC usage models?
Network access control (NAC) can use a software agent that is installed on the computer to perform security checks, or it may be agentless and run from a browser or via another means without installing software locally.
How do you calculate the impact score for a vulnerability under CVSS?
Impact score = the value of the scope metric × ISS
What is risk avoidance?
A risk management strategy where you change your business practices to completely eliminate the potential that a risk will materialize.
List the criteria that must be met for a compensating control to be satisfactory under PCI DSS.
Controls must meet the intent and rigor of the original requirement, must provide a similar level of defense, and must sufficiently offset the risk that the original PCI DSS requirement addressed. Existing PCI DSS requirements cannot be considered as compensating controls if they’re already required for other assessed items; existing requirements may be considered as compensating controls if they are required for another area but are not required for the item under review.
What are password vaults?
Software solutions that store, manage, and secure passwords and other information, allowing users to use strong passwords without memorizing dozens, or hundreds, of individual complex passwords.
What are microwave sensors?
Microwave sensors use a baseline for a room or space, generated by detecting the normal responses when the space is in its baseline state. When the responses to the microwaves sent out by the sensor change, the sensor will trigger. Microwave sensors can detect motion through materials that infrared sensors cannot.
What is crucial for managing and mitigating third-party risks?
Effective vendor monitoring is crucial for managing and mitigating third-party risks.
What is a data processor?
A service provider that processes personal information on behalf of a data controller.
What does segmentation accomplish?
Segmentation places sensitive systems on separate networks where they may communicate with each other but have strict restrictions on their ability to communicate with systems on other networks.
What are some examples of physical controls?
Fences, perimeter lighting, locks, fire suppression systems, and burglar alarms
Name some tools we can use in the process of data obfuscation.
Hashing, tokenization, and masking
What is the difference between an audit and an assessment?
Audits are formal reviews of an organization’s security program or specific compliance issues conducted on behalf of a third party. Assessments are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement.
What do you call it when someone uses a made-up scenario to justify why they are approaching an individual?
Pretexting
What are three key objectives of cybersecurity programs?
Confidentiality, integrity, and availability
What are two different approaches to cloud access security broker (CASB) solutions?
Inline CASB solutions physically or logically reside in the connection path between the user and the service and can see requests before they are sent to the cloud service, allowing the CASB to block requests that violate policy. API-based CASB solutions do not interact directly with the user but rather interact directly with the cloud provider through the provider’s API. This approach provides direct access to the cloud service without custom user device configuration.
Who are the typical team members in an incident response team?
Members of management or organizational leadership, technical experts, communications and public relations staff, legal and human relations staff, law enforcement
List four common methods to detect malicious software and applications.
Signature-based detection; heuristic or behavior-based detection; artificial intelligence (AI) and machine learning (ML) systems; and sandboxing
What are three phases of a baseline’s life cycle?
Establishing a baseline, deploying the security baseline, and maintaining the baseline
What is brand impersonation?
An attack used in attempts to get users to log into their existing accounts, particularly for stores and banks.
What are the three common detection methods to identify unwanted and potentially malicious traffic?
Signature-based detections rely on a known hash or signature matching to detect a threat. Heuristic or behavior-based detections look for specific patterns or sets of actions that match threat behaviors. Anomaly-based detections establish a baseline for an organization or network and then flag when out-of-the-ordinary behavior occurs.
Describe key elements of DLP.
Key elements of data loss prevention (DLP) systems are the ability to classify data so that organizations know which data should be protected; data labeling or tagging functions, to support classification and management practices; policy management and enforcement functions used to manage data to the standards set by the organization; and monitoring and reporting capabilities, to quickly notify administrators or security practitioners about issues or potential problems.
What is SAML?
Security Assertions Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information.
What do you call a document that provides best practices and recommendations related to a given concept, technology, or task?
A guideline
Describe SASE.
Secure access service edge (SASE) combines VPNs, SD-WAN, and cloud-based security tools like firewalls, CASBs, and zero-trust networks to provide secure access for devices regardless of their location.
What is the primary goal of change management?
To ensure that changes do not cause outages.
What are bots and what are botnets?
Bots are remotely controlled systems or devices that have a malware infection. Groups of bots are known as botnets, and botnets are used by attackers who control them to perform various actions ranging from additional compromises and infection to denial-of-service (DoS) attacks or acting as spam relays.
What are the advantages of guards?
Guards can make decisions that technical control systems cannot, and they provide additional capabilities by offering both detection and response capabilities. Guards can validate an individual’s identity, ensure that they enter only the areas they are supposed to, and ensure that they have signed a visitor log and that their signature matches a signature on file or on their ID card.
What defines an unskilled attacker?
The term unskilled attacker is used for people who use hacking techniques and premade tools but have limited skills.
Why should a company establish key performance indicators (KPIs)?
KPIs quantitatively measure vendors’ performance in order to ensure that vendors are meeting the agreed-upon standards.
What type of testing involves discussing what a staff member would do in a given scenario?
Tabletop exercises leverage discussions and conversations to help organizations prepare for actual events.
What are three types of data we must think about when developing a cryptographic system for the purpose of providing confidentiality?
Data at rest, data in transit, data in use
What are a few network hardening techniques?
The use of VLANs to segment different trust levels, user groups, or systems; placing IoT devices on a separate, protected VLAN; using a VLAN for guest networks or to isolate VoIP phones from workstations; changing default passwords; and removing unnecessary software.
What is organized crime?
Organized crime appears in any case where there is money to be made.
What does an SSO system allow?
Single sign-on (SSO) systems allow a user to log in with a single identity, and then use multiple systems or services without reauthenticating.
What are some examples of operational controls?
User access reviews, log monitoring, and vulnerability management
What is SDN?
Software-defined networking (SDN) uses software-based network configuration to control networks. SDN designs rely on controllers that manage network devices and configurations, centrally managing the software-defined network.
What are four major categories of penetration testing?
Physical penetration testing, offensive penetration testing, defensive penetration testing, and integrated penetration testing.
What do many organizations use to coordinate changes to information systems?
Maintenance windows.
What are two primary types of hypervisors and what are their differences?
Type I hypervisors, also known as bare-metal hypervisors, operate directly on top of the underlying hardware. This is the model most commonly used in datacenter virtualization because it is highly efficient. Type II hypervisors run as an application on top of an existing operating system. In this approach, the operating system supports the hypervisor and the hypervisor requests resources for each guest operating system from the host operating system.
What are the benefits of penetration testing?
Penetration testing provides us with knowledge that we can’t obtain elsewhere; in the event that attackers are successful, penetration testing provides us with an important blueprint for remediation; and penetration tests can provide us with essential, focused information on specific attack targets.
Name two choices you need to make when you implement encryption.
The algorithm to use to perform encryption and decryption; the encryption key to use with that algorithm
What are keyloggers?
Programs that capture keystrokes from keyboards, although keylogger applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices.
List all eight CVSS metrics and describe what kinds of measurements they evaluate.
The eight Common Vulnerability Scoring System (CVSS) metrics are attack vector metric, attack complexity metric, privileges required metric, user interaction metric, confidentiality metric, integrity metric, availability metric, and scope metric. The first four measures evaluate the exploitability of the vulnerability, whereas the next three evaluate the impact of the vulnerability. The eighth metric discusses the scope of the vulnerability.
How do you calculate the exploitability score for a vulnerability under CVSS?
Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction
What is a hacktivist?
A hacktivist uses hacking techniques to accomplish some activist goal.
What is data encryption?
Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.
When would cross-site scripting attacks occur?
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
What is RFID?
RFID (Radio Frequency Identification) is a relatively short-range (from less than a foot for some passive tags to about 100 meters for active tags) wireless technology that uses a tag and a receiver to exchange information.
What are some examples of technical controls?
Firewall rules, access control lists, intrusion prevention systems, and encryption
List five common ways to assert or claim an identity.
Usernames, certificates, tokens, SSH keys, and smart cards.
List the four cloud deployment models.
Public cloud, private cloud, community cloud, and hybrid cloud.
List at least three key elements of the rules of engagement for a penetration test.
The timeline for the engagement and when testing can be conducted; valid targets; data handling requirements; what behaviors to expect from the target; what resources are committed to the test; legal concerns, including a review of the laws that cover the target organization, any remote locations, and any service providers who will be in scope; and when and how communications will occur.
What are security zones?
Network segments, physical or virtual network segments, or other components of an infrastructure that can be separated from less secure zones through logical or physical means.
What is the function of security groups?
They define permissible network traffic.
What do administrators use as a way to securely operate in security zones with different security levels?
Jump servers
Name at least three types of viruses.
Memory-resident viruses, non-memory resident viruses, boot sector viruses, macro viruses, and email viruses
What are two different techniques to ensure that the system is secure that modern UEFI firmware can leverage?
Secure boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts. Measured boot is intended to help prevent boot-level malware. Measured boot processes measure each component, starting with the firmware and ending with the boot start drivers.
What is the function of virtual private clouds?
VPCs are used to group systems into subnets and designate those subnets as public or private, depending on whether access to them is permitted from the Internet.
List and explain all three primary rules of role-based access control (RBAC).
Role assignment, which states that subjects can use only permissions that match a role they have been assigned; role authorization, which states that the subject’s active role must be authorized for the subject, which prevents subjects from taking on roles they shouldn’t be able to; and permission authorization, which states that subjects can only use permissions that their active role is allowed to use.
What is static code analysis and what is dynamic code analysis?
Static code analysis (sometimes called source code analysis) is conducted by reviewing the code for an application. Static analysis does not run the program; instead, it focuses on understanding how the program is written and what the code is intended to do. Dynamic code analysis relies on execution of the code while providing it with input to test the software.
What information does the output section provide on the report?
The output section of the report shows the detailed information returned by the remote system when probed for the vulnerability, including the name of the vulnerability, overall severity, detailed description, solution, references, port/hosts, vulnerability information, and risk information.
What is DLP and what can it do?
DLP is data loss prevention. DLP systems help organizations enforce information handling policies and procedures to prevent data loss and theft.
What is the primary responsibility of the hypervisor?
The primary responsibility of the hypervisor is enforcing isolation between virtual machines. This means that the hypervisor must present each virtual machine with the illusion of a completely separate physical environment dedicated for use by that virtual machine.
What is ransomware?
Ransomware is malware that takes over a computer and then demands a ransom or payment.
What are two important roles served by risk assessment in the risk management process?
The risk analysis provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first.
Quantitative risk analyses help determine whether the potential impact of a risk justifies the costs incurred by adopting a risk management approach.
What is a data custodian?
An individual or team who does not have controller or stewardship responsibility but is responsible for the secure safekeeping of information.
Name all security control types
Preventive controls, detective controls, corrective controls, deterrent controls, compensating controls, and directive controls
What is the function to calculate the impact sub-score?
ISS = 1 – [(1 – Confidentiality) × (1 – Integrity) × (1 – Availability)]
What are backdoors?
Backdoors are methods or tools that provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications.
What is cloud computing?
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
What does blind SQL injection (SQLi) mean and what are two forms of blind SQL injection?
Attackers use a technique called blind SQL injection to conduct an attack even when they don’t have the ability to view the results directly. Two forms of blind SQL injection are content-based and timing-based.
What is an access control vestibule?
An access control vestibule is a pair of doors that both require some form of authorized access to open. The first door opens after authorization, closes, and only after it is closed can the person who wants to enter provide their authorization to open the second door.
What is parameter pollution?
Parameter pollution is one technique that attackers have successfully used to defeat input validation controls.
What are the three major types of exercises that incident response teams use to prepare?
Tabletop, walkthroughs, simulations
What is typosquatting?
When attackers register URLs that are misspelled or slightly off but similar to the legitimate site’s URL, relying on the fact that people will mistype URLs and end up on their sites to drive up sales.
Give three ways that an attacker might discover a user’s password.
Conducting social engineering attacks that trick the user into revealing a password, either directly or through a false authentication mechanism; eavesdropping on unencrypted network traffic; and obtaining a dump of passwords from previously compromised sites and assuming that a significant number of users reuse their passwords from that site on other sites.
What are the differences between stateless firewalls and stateful firewalls?
Stateless firewalls (sometimes called packet filters) filter every packet based on data like the source and destination IP and port, the protocol, and other information that can be gleaned from the packet’s headers, whereas stateful firewalls (sometimes called dynamic packet filters) pay attention to the state of traffic between systems.
What are four types of documents in the information security policy framework?
Policies, standards, procedures, and guidelines
Name five factors that influence how often an organization decides to conduct vulnerability scans against its systems.
Guards can be fallible, and social engineering attempts can persuade guards to violate policies or even to provide attackers with assistance.
Guards are relatively expensive.
Name three password-related attacks.
Brute-force attacks, password spraying attacks, and dictionary attacks
Name the three techniques used by application testing and explain their differences.
Static testing (analyzes code without executing it), dynamic testing (executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities), and interactive testing (combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces).
What are three key threats to cybersecurity programs?
Disclosure, alteration, and denial
WPA-Personal uses Simultaneous Authentication of Equals (SAE) mode to provide authentication while protecting against offline dictionary attacks. This allows clients to authenticate without an authentication server infrastructure. The other is WPA-Enterprise, which relies on a RADIUS authentication server as part of an 802.1X implementation for authentication. This means users can have unique credentials and can be individually identified.
What are filesystem permissions?
They determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files.
What is a right-to-audit clause?
Part of the contract between the cloud service and an organization. A right-to-audit clause provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency.
How does FDE work?
Full disk encryption (FDE) encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.
What is a nation-state actor?
Nation-state actors are sponsored by or supported by nations and are typically sophisticated and highly resourced.
What’s the difference between Trojans and worms?
Trojans require user interaction, whereas worms are self-installed and spread themselves.
What do you call a geographic view of threat intelligence?
A threat map.
What are six steps in the incident response process?
Preparation, identification, containment, eradication, recovery, and lessons learned
What is the function of segmentation?
It allows network engineers to place systems of differing security levels and functions on different network subnets.
What is the process of conducting a digital investigation intended to find artifacts related to criminal activity or for litigation called?
E-discovery
What are playbooks?
Step-by-step guides intended to help incident response teams take the right steps in a given scenario.
What term describes an organization that offers services such as security monitoring, vulnerability management, incident response, and firewall management?
How do you calculate the CVSS base score for a vulnerability?
If the impact is 0, the base score is 0.
If the scope metric is Unchanged, calculate the base score by adding together the impact and exploitability scores.
If the scope metric is Changed, calculate the base score by adding together the impact and exploitability scores and multiplying the result by 1.08.
The highest possible base score is 10. If the calculated value is greater than 10, set the base score to 10.
What’s the difference between cross-site scripting attacks and cross-site request forgery attacks?
They exploit a different trust relationship. XSS attacks exploit the trust that a user has in a website to execute code on the user’s computer. XSRF attacks exploit the trust that remote sites have in a user’s system to execute commands on the user’s behalf.
What is risk mitigation?
The process of applying security controls to reduce the probability and/or magnitude of a risk.
What is an on-path attack?
Occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
What is phishing?
Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.
What are three main methods used to exchange secret keys securely?
Offline distribution, public key encryption, and the Diffie–Hellman key exchange algorithm
List at least three backup and replication methods.
RAID, journaling, full and incremental backups, snapshots, images, copies of individual files, backup media, cloud backups, and off-site or on-site storage
What provides application-level virtualization?
A container.
What is the process of obtaining and protecting forensic data called?
Preservation
Give four important considerations that come into play with cloud and off-site third-party backup options.
Bandwidth requirements for both the backups themselves and restoration time if the backup needs to be restored partially or fully; time to retrieve files and cost to retrieve files; reliability is also crucial; and new security models may also be required for backups.
What are four security control categories?
Technical controls, operational controls, managerial controls, and physical controls
What are the key benefits of the cloud?
On-demand self-service computing, scalability, elasticity, measured service, agility and flexibility
What is the purpose of version control?
It ensures that developers and users have access to the latest versions of software and that changes are carefully managed throughout the release process.
Describe how zero trust works.
Zero trust presumes that there is no trust boundary and no network edge. Each action is validated when requested as part of a continuous authentication process and access is only allowed after policies are checked, including elements like identity, permissions, system configuration and security status, threat intelligence data review, and security posture.
What is frequency analysis?
Frequency analysis involves looking at the blocks of an encrypted message to determine if any common patterns exist.
Give three examples of features that an organization may want or need to ensure that mobile devices and the data they contain are secure.
- Application management
- Content management
- Remote wipe
- Geolocation and geofencing
- Screen locks, passwords, and PINs (all part of normal device security models to prevent unauthorized access)
- Biometrics
- Context-aware authentication
- Containerization (an increasingly common solution to handling separation of work and personal use contexts on devices)
- Storage segmentation (can be used to keep personal and business data separate as well)
- Full-device encryption (FDE)
What are four fundamental goals of cryptography?
Confidentiality, integrity, authentication, and nonrepudiation.
What does the following CVSS vector mean? CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network (score 0.85); Attack Complexity: Low (score 0.77); Privileges Required: None (score 0.85); User Interaction: None (score 0.85); Scope: Unchanged; Confidentiality: High (score 0.56); Integrity: None (score 0.00); Availability: None (score 0.00).
Give some types of configuration settings recommended by CIS benchmark for Windows.
Setting the password history to remember 24 or more passwords and setting the maximum password age to “60 or fewer days, but not 0,” preventing users from simply changing their passwords 24 times to get back to the same password while requiring password changes every 2 months. Setting the minimum password length to 14 or more characters. Requiring password complexity. Disabling the storage of passwords using reversible encryption.
What is one of the fastest ways to decrease the attack surface of a system?
Reducing the number of open ports and services that it provides by disabling ports and protocols.
What is port security?
A capability that allows you to limit the number of MAC addresses that can be used on a single port.
What is the function of input validation?
Input validation helps prevent a wide range of problems, from cross-site scripting (XSS) to SQL injection (SQLi) attacks.
Give three examples of personnel management practices.
Least privilege, separation of duties, job rotation and mandatory vacations, clean desk space, onboarding and offboarding, nondisclosure agreements (NDAs), social media, and user training.
Name five common access control schemes.
Attribute-based access control (ABAC), role-based access control (RBAC), rule-based access control (RBAC or RuBAC), mandatory access control (MAC), and discretionary access control (DAC)
Explain true positive, false positive, true negative, and false negative
When a vulnerability scanner reports a vulnerability, this is known as a positive report. This report may either be accurate (a true positive report) or inaccurate (a false positive report). Similarly, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
List some major strengths of asymmetric key cryptography.
The addition of new users requires the generation of only one public-private key pair; users can be removed far more easily from asymmetric systems; key regeneration is required only when a user’s private key is compromised; asymmetric key encryption can provide integrity, authentication, and nonrepudiation; key distribution is a simple process; and no preexisting communication link needs to exist.
What information does the port/hosts section provide on the report?
The port/hosts section provides details on the server(s) that contain the vulnerability as well as the specific services on that server that have the vulnerability.
What are port mirrors and a SPAN?
A port mirror sends a copy of all the traffic sent to one switch port to another switch port for monitoring. A SPAN can do the same thing but can also combine traffic from multiple ports to a single port for analysis.
Describe EDR.
Endpoint detection and response (EDR) tools combine monitoring capabilities on endpoint devices and systems using a client or software agent with network monitoring and log analysis capabilities to collect, correlate, and analyze events. Key features of EDR systems are the ability to search and explore the collected data and to use it for investigations as well as the ability to detect suspicious data.
List the order of volatility.
From most volatile to least volatile:
CPU cache and registers; ephemeral data such as the process table, kernel statistics, the system’s ARP cache, and similar information; the content of RAM; swap and pagefile information; files and data on a disk; the operating system (Windows Registry); data on devices such as smartphones, tablets, IoT devices, and embedded or specialized systems; firmware; snapshots from VMs; network traffic and logs; and artifacts like devices, printouts, media, and other items.
What is threat intelligence?
Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
What term describes the unauthorized modification of information?
Alteration is the unauthorized modification of information and is a violation of the principle of integrity. Denial is the unintended disruption of an authorized user’s legitimate access to information.
What type of attacker acts without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities?
A semi-authorized attacker
What do you call a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication?
Dark web
Give some examples of controls that might affect scan results.
Firewall settings, network segmentation, intrusion detection systems (IDSs), intrusion prevention systems (IPSs)
Organizations that want to determine what software and configurations are used on mobile devices should deploy what type of solution?
Mobile device management (MDM)
Name two mechanisms of action of DLP systems.
Pattern matching and watermarking
What is sandboxing?
The practice of running an application in a controlled or isolated environment to prevent it from interacting negatively with other system resources or applications.
Describe the continuous integration (CI) and continuous deployment (CD) pipeline.
Developer commits change, build process is triggered, build report is delivered, tests run against build, test report is delivered, and if successful, code is deployed.
Why might a certificate authority need to revoke a digital certificate?
The certificate was compromised (e.g., the certificate owner accidentally gave away the private key); the certificate was erroneously issued (e.g., the CA mistakenly issued a certificate without proper verification); the details of the certificate changed (e.g., the subject’s name changed); and the security association changed (e.g., the subject is no longer employed by the organization sponsoring the certificate).
What is the function of a web application firewall?
A web application firewall (WAF) plays an important role in protecting web applications against attacks. It sits in front of a web server and receives all network traffic headed to that server. It then scrutinizes the input headed to the application, performing input validation before passing the input to the web server.
What are three states where data might exist?
Data at rest, data in transit, data in use
List four types of protocol-level protections.
Loop prevention, broadcast storm prevention, bridge protocol data unit (BPDU) guard, and Dynamic Host Configuration Protocol (DHCP) snooping
Explain parameterized queries.
Parameterized queries offer another technique to protect applications against injection attacks.
What are two major categories of modern ciphers and what are their methods of operation?
Block ciphers operate on “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Stream ciphers operate on one character or bit of a message (or data stream) at a time.
What are three components in the NIST framework?
The Framework Core, the Framework Implementation, and the Framework Profile
What is the formula to calculate the severity of a risk?
Risk Severity = Likelihood * Impact
What is open source threat intelligence?
Open source threat intelligence is threat intelligence that is acquired from publicly available sources.
What are runbooks?
The operational procedures guides that organizations use to perform actions.
Name some sources you can use when you build your threat research toolkit.
Vendor security information websites, vulnerability and threat feeds from vendors, government agencies, and private organizations, academic journals and technical publications, professional conferences and local industry group meetings, and social media accounts of prominent security professionals
Name two different environments that DLP systems work in.
Agent-based DLP and agentless DLP
List all steps in site restoration.
Restore network connectivity and a bastion or shell host; restore network security devices (firewalls, IPS); restore storage and database services; restore critical operational servers; restore logging and monitoring services; and restore other services as soon as possible.
What are some of the attributes used in an X.509 certificate?
Version of X.509; serial number; signature algorithm identifier; issuer name; validity period; subject’s Common Name (CN); certificates may optionally contain Subject Alternative Names (SAN) that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate; and subject’s public key
List three techniques that support removing systems, devices, or even entire network segments or zones.
Isolation, containment, segmentation
What are two variants that file inclusion attacks come in? How do they work?
Local file inclusion and remote file inclusion attacks. Local file inclusion attacks seek to execute code stored in a file located elsewhere on the web server. Remote file inclusion attacks allow the attacker to go a step further and execute code that is stored on a remote server.
What are three key lengths allowed by the AES cipher and what are their corresponding number of encryption rounds?
128-bit keys require 10 rounds of encryption; 192-bit keys require 12 rounds of encryption; and 256-bit keys require 14 rounds of encryption.
Name the phases of the software development life cycle (SDLC).
Planning, requirements definition, design, coding, testing, training and transition, ongoing operations and maintenance, and end-of-life decommissioning
What is homomorphic encryption?
Homomorphic encryption technology allows encrypting data in a way that preserves the ability to perform computation on that data.
What are two decision points for VPN implementation?
Whether the VPN will be used for remote access or will be a site-to-site VPN; and whether it will be a split-tunnel VPN or a full-tunnel VPN
List three common elements in designs for redundancy.
Geographic dispersion of systems, separation of servers and other devices in datacenters, use of multiple network paths (multipath) solutions, redundant network devices, protection of power, systems and storage redundancy, and platform diversity
Name eight threat vectors.
Message-based threat vectors, wired networks, wireless networks, systems, files and images, removable devices, cloud, and supply chain
What are specific goals of confidentiality, integrity, and availability?
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information; integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally; and availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
What is an insider threat?
When an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization
What key element separates logic bombs from other malware?
Logic bombs are functions or code placed inside other programs that activate when set conditions are met, rather than independent malicious programs.
What is a data controller?
The entity who determines the reasons for processing personal information and directs the methods of processing that data.
What are threats, vulnerabilities, and risks?
Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems. Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat. Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
What are two types of access restrictions?
Geographic restrictions and permission restrictions
What are allow and deny lists?
An allow list allows you to build a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the allow list, they will be removed, disabled, or will not be able to be installed. Deny lists are lists of software or applications that cannot be installed or run, rather than a list of what is allowed.
What are the three major components of a security assessment?
Security tests, security assessments, and security audits
What are HSMs?
Hardware security modules (HSMs) are typically external devices or plug-in cards used to create, store, and manage digital keys for cryptographic functions and authentication, as well as to offload cryptographic processing.
What are five basic requirements for a cryptographic hash function?
They accept an input of any length; they produce an output of a fixed length; the hash value is relatively easy to compute; the hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output); and the hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value).
What does isolation do?
Isolation goes a step further and completely cuts a system off from access to or from outside networks.
What is a zero-day attack?
Attacks that exploit vulnerabilities that are not yet disclosed.
Which term describes the points at which an unauthorized user could gain access?
Attack surface
What are three key security considerations when working with cloud storage?
Set permissions properly; consider high availability and durability options; and use encryption to protect sensitive data.
What is the substitution cipher?
A substitution cipher is a type of coding or ciphering system that changes one character or symbol into another.
What are APIs?
Application programming interfaces (APIs) are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.
Describe the functions of DKIM, SPF, and DMARC in protecting email.
DomainKeys Identified Mail (DKIM) allows organizations to add content to messages to identify them as being from their domain. Sender Policy Framework (SPF) allows organizations to publish a list of their authorized email servers. SPF records specify which systems are allowed to send email from that domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a protocol that uses SPF and DKIM to determine if an email message is authentic.
What are three techniques to verify the authenticity of certificates and identify revoked certificates?
Certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP), and certificate stapling
