- Essential Knowledge
Layer | Description | Technologies | Data Unit |
---|---|---|---|
1 | Physical | USB, Bluetooth | Bit |
2 | Data Link | ARP, PPP, MAC, STP | Frame |
3 | Network | IP, IPsec, ICMP | Packet |
4 | Transport | TCP, UDP | Segment |
5 | Session | SCP, SOCKS, NetBIOS | Data |
6 | Presentation | AFP, MIME, SSL | Data |
7 | Application | FTP, HTTP, SMTP, SNMP | Data |
Layer | Description | OSI Layer Equivalent |
---|---|---|
1 | Network Access | 1, 2 |
2 | Internet | 3 |
3 | Transport | 4 |
4 | Application | 5-7 |
- Confidentiality: passwords, encryption
- Integrity: hashing, digital signatures
- Availability: anti-DoS solutions
Confidentiality != Authentication
- Common Vulnerability Scoring System (CVSS): assigns a numerical score based on severity
- National Vulnerability Database (NVD): US government repository of vulnerabilities
- Default installation: failing to change an application's default settings
- Default passwords: leaving in place the default passwords that ship with a system or application
- Misconfiguration: improperly configuring a service or application
- Missing patches: systems that have not been patched
- Design flaws: flaws inherent to system design such as encryption and data validation
- Operating System Flaws: flaws specific to each OS
- Buffer overflow: code execution flaw, e.g. overwriting the saved return address loaded into the EIP (Extended Instruction Pointer) register
- Nessus
- Qualys
- GFI LanGuard
- Nikto
- OpenVAS
- Retina CS
Description | Examples |
---|---|
Physical | Guards, lights, cameras |
Technical | Encryption, smart cards, access control lists |
Administrative/Operational | Security awareness training, policies, procedures |
- Preventive: controls used to stop potential attacks by preventing users from performing specific actions, such as encryption and authentication
- Detective: controls used to monitor and alert on malicious or unauthorized activity, such as IDSs and CCTV feeds monitored in real time, which record any intrusion attempts
- Deterrent: controls used to discourage potential attackers and send them warning messages, such as signs that warn possible attackers about the alarm system and monitoring in place
- Compensating: controls used to supplement directive controls when the intended control has failed, such as an administrator reviewing log files for violations of company policy
- Corrective: controls designed to fix things after an attack has been discovered and stopped
- Recovery: controls used to recover from security violations and restore information and systems to a consistent state
- Aggregating log data and providing search across it
- Functions related to a security operations center (SOC)
- Identifying
- Monitoring
- Recording
- Auditing
- Analyzing
- Internet: uncontrollable
- Internet DMZ: controlled buffer network
- Production Network Zone: very restricted; controls direct access from uncontrolled zones; no users
- Intranet Zone: controlled; few or no heavy restrictions
- Management Network Zone: might find VLANs and IPsec; highly secured; strict policies
- Access Control: what resources are protected and who can access them
- MAC (Mandatory Access Control): access set by an administrator
- DAC (Discretionary Access Control): allowing users to give access to resources that they own and control
- Information Security: what can systems be used for
- Information Protection: defining data sensitivity levels
- Password: how long, characters required, etc.
- E-Mail: proper and allowable use of email systems
- Information Audit: defining the framework used for auditing
- Standard: mandatory rules to achieve consistency
- Baseline: provides the minimum security necessary; future states monitored over time can be compared against it to see what security and configuration changes have been made
- Procedure: step-by-step instructions
- Guideline: flexible or recommended actions
- Promiscuous: wide open
- Permissive: blocking only known dangerous things
- Prudent: blocking most things and allowing only what is needed for business purposes
- Paranoid: locking everything down
- Risk identification
- Risk assessment
- Assessing the organization's risks and estimating the likelihood and impact of those risks
- Assigning priorities for risk mitigation and implementation plans, which helps to determine the quantitative and qualitative value of each risk
- Risk treatment
- Risk tracking
- Risk review
- Accept
- Avoid
- Transfer
- Mitigate
- Exploit
- Identify security objectives
- Application Overview
- Decompose application
- Identify threats
- Identify vulnerabilities
- Business Impact Analysis (BIA): process that identifies and evaluates the potential effects that man-made or natural events would have on business operations, and identifies the critical systems that would be affected by them
- Maximum Tolerable Downtime (MTD)
- Business Continuity Plan (BCP): procedure for keeping the business operating during any disruptive event
- Disaster Recovery Plan (DRP)
- Annualized Loss Expectancy (ALE)
- Annual Rate of Occurrence (ARO)
- Single Loss Expectancy (SLE)
ALE = SLE * ARO
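A worked example of the risk assessment and treatment steps above using the ALE = SLE * ARO formula (an added example, not part of the original notes). The register values are constructed, and the safeguard cost/benefit rule (ALE before minus ALE after minus the annual cost of the safeguard) is a standard extension that goes beyond the page's own formula:

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a quantitative risk register (values are constructed)."""
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annual Rate of Occurrence: expected events per year

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO (the page's formula)."""
        return self.sle * self.aro


def prioritize(risks):
    """Risk assessment step: rank risks by ALE, highest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def safeguard_value(risk, residual_aro, annual_cost):
    """Risk treatment step: net annual benefit of a proposed safeguard.

    Assumption (standard cost/benefit extension, not from the page): the
    safeguard lowers ARO only, SLE is unchanged, and its value is
    ALE_before - ALE_after - annual cost of the safeguard.
    """
    ale_after = Risk(risk.name, risk.sle, residual_aro).ale()
    return risk.ale() - ale_after - annual_cost


def recommend(risk, residual_aro, annual_cost):
    """Mitigate when the safeguard pays for itself, otherwise accept."""
    return "Mitigate" if safeguard_value(risk, residual_aro, annual_cost) > 0 else "Accept"


# Constructed sample register (hypothetical figures for illustration only)
REGISTER = [
    Risk("Ransomware on file server", sle=200_000, aro=0.25),  # ALE 50,000
    Risk("Laptop theft", sle=5_000, aro=2.0),                  # ALE 10,000
    Risk("Web app defacement", sle=15_000, aro=0.5),           # ALE 7,500
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:28s} ALE = {r.ale():>10,.2f}")
    # Proposed safeguards: offline backups (ransomware) and laptop encryption
    print("Ransomware:", recommend(REGISTER[0], residual_aro=0.05, annual_cost=20_000))
    print("Laptop theft:", recommend(REGISTER[1], residual_aro=0.5, annual_cost=8_000))
```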
- User Behavior Analysis (UBA): tracking user activity and analyzing the collected data for signs of malicious activity
- White Hat: ethical hacker
- Black Hat: hacker that seeks to perform malicious activities
- Gray Hat: hacker that performs good or bad activities but does not have the permission of the organization being targeted
- Hacktivist: someone who hacks for a cause
- Suicide Hacker: does not care about the consequences to themselves
- Cyberterrorist: motivated by religious or political beliefs to create fear or disruption
- State-Sponsored Hacker: hacker that is hired by a government
- Script Kiddie: uneducated in security methods, but uses tools that are freely available to perform malicious activities
- Cracker: using tools for personal gain or destructive purposes
- Ethical Hacker
- Employing tools that hackers use with a customer's permission
- Always obtaining an agreement from the client with specific objectives before any testing is done
- Operating System: targeting OS flaws or security issues such as guest accounts or default passwords
- Application Level: targeting programming code and software logic
- Shrink-Wrap Code: taking advantage of built-in code or scripts
- Misconfiguration: taking advantage of systems left in an improper or default configuration
- Infowar: using information and communication techniques to gain a competitive advantage over an opponent
- Reconnaissance: gathering evidence about targets
- Scanning & Enumeration: obtaining more in-depth information about targets
- Gaining Access: attacks launched in order to gain access to a system
- Maintaining Access: items in place to ensure future access
- Covering Tracks: steps taken to conceal success and intrusion
- Criminal: laws that protect public safety and usually have jail time attached
- Civil: private rights and remedies
- Common: laws that are based on societal customs
- Based on the British BS7799 standard, focuses on security governance
- PDCA cycle is Plan, Do, Check and Act
- Standard for organizations handling Credit Cards, ATM cards and other POS cards
- 6 major objectives:
- Build and Maintain a Secure Network and Systems
- Protect cardholder data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
- A law that sets privacy standards to protect patient medical records and health information shared between doctors, hospitals and insurance providers; also requires employers to have standard national identification numbers for use on standard transactions
- A law that requires publicly traded companies to submit to independent audits and to properly disclose financial information, contains 11 titles
- A United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO)
- A law to codify the authority of the Department of Homeland Security with regard to implementation of information security policies
- Catalogs security and privacy controls for federal information systems, created to help implementation of FISMA
- 5 functions are Identify, Protect, Detect, Respond and Recover
- Hack value: perceived value or worth of a target as seen by the attacker
- Zero-day attack: attack that occurs before a vendor knows or is able to patch a flaw
- Daisy Chaining: gaining access to one network and/or computer then using the same information to gain access to multiple networks and computers that contain desirable information
- Doxing: searching for and publishing information about an individual usually with a malicious intent
- Enterprise Information Security Architecture (EISA): a set of requirements, processes, principles and models that determines how systems work within an organization
- Incident management: handling specific incidents to mitigate the attack, resolve it and prevent its future recurrence
- Fingerprinting: another word for port sweeping and enumeration
- Defense-in-Depth: a security strategy in which security professionals use several protection layers throughout an information system
- Competitive Intelligence: information gathered by businesses about competitors