- Regulatory: Legally enforceable
- Non-regulatory: Not legally enforceable
- Industry-specific: Ensures compliance for that industry
- Vendor guides: How to set up devices/software
- Multiple controls: If one control fails, the next control prevents attacks.
- Vendor diversity: When you have the same product from two vendors, if one fails, you are still up and running.
- Control diversity: Use of more than one control, for example, administrative and technical controls working together.
- DMZ: Boundary layer
- Extranet: Web server residing in DMZ that can be accessed via username and password
- Air gaps: Isolating a system from the network
- NAT: Hides the internal network
- Honeypot: Finds attack methods so that they can be mitigated
- Guest Wi-Fi: Used by guests or employees at lunchtime
- VLAN: Created on a switch, segments the local network, reduced broadcast domain
- VPN: Site-to-site, always-on mode, can be used instead of a lease line
- VPN: Secure connection network from a remote location to work
- VPN concentrator: Sets up a secure session
- SSL VPN: Uses a SSL certificate
- SIEM system: Real-time monitoring, uses a correlation engine
- SIEM system: The wrong input filter produces a false positive
- Load balancer: Manages a high volume of web traffic
- Firewall/DDoS mitigator: Prevents DDoS attacks
- Screen locks
- Strong password
- Full device encryption: Requires a TPM chip
- Printer/MFD: Can be attacked and is the network interface
- Whitelist: Allowed applications and their EXE files or DLL binaries
- Blacklist: Banned applications
- Application not running: 99% of time, add to whitelist
- Hardened operating system: Has no vulnerabilities
- Change username and password immediately
- Prevent connecting directly to the internet
- Difficult firmware updates
- Waterfall: One stage finishes before the next stage begins
- Agile: Can start multiple phases, similar to scrum, customer satisfaction paramount
- Staging: Testing with production data, roll back changes before moving to production
- White box pen tester: Test application for vulnerabilities
- SCADA network, water purification, oil and gas refineries
- IoT: Refrigerator, wearable technology, home automation
- HVAC: Regulates temperature using hot and cold aisles
- Camera systems: Captures motion, provides non-repudiation, deterrent and detective controls
- Stored procedure: Sealed script as the best way to prevent SQL injection attacks.
- Input validation: Controls input, prevents SQL injection, buffer and integer overflow attacks.
- Baseline: List of applications before and after to see changes. Only method to detect zero-day attacks.
- Obfuscation: Masks or obscures code.
- Steganography: Hides data inside other data.
- Sandboxing: Isolates applications for testing and patching if they are dangerous.
- Elasticity: Pay for the amount of resources you use, easily adjustable
- Private cloud: Single-tenant, which means more control
- Public cloud: Multi-tenant
- Community cloud: Same industry sharing the cost of resources
- IaaS: Desktops, servers, switches, firewall, or pbx
- IaaS: Install OS, patch and configure it – more control
- SaaS: Lease bespoke application – no customization
- PaaS: Hosts your applications – you manage and customize
- SECaaS: Identity management
- VDI: Isolated desktop for contractors or employees
- CASB: Enforces policies for cloud clients
- Type I hypervisor: Bare-metal, Hyper V, ESX, Zen
- Type II hypervisor: Install on an OS, for example, Oracle Virtual Box
- Host: Hosts virtual machines, needs fast disk space, CPU cores, and RAM
- System sprawl: Host/guest running out of resources
- Guest: A user's virtual machine
- Containers: Isolated guest
- Sandboxing: Isolated application for testing, patching, or because it is dangerous
- Chroot Jail: Linux sandbox
- Snapshot: Used for rolling back guests, fastest backup
- VM sprawl: Unmanaged guest
- VM escape: Attacks the host
- Master image: Produces a consistent baseline
- Non-persistent configuration: Can be rolled back
- RAID 5: Single parity and can lose one disk, 3-32 disks
- RAID 6: Double parity and can lose two disks
- Continuous monitoring: Alerts you immediately
- Snapshots: Virtual machines revert back to an earlier state
- Security guards: Check the identification of people, prevents access
- HVAC: Regulates temperature using hot and cold aisles
- Protected distribution: Protects cables
- Conduits: Protect cables
- Faraday cables: Prevents emissions of data and wireless leaving or entering a network
- Cable locks: Prevent the theft of mobile devices
- Mantrap: Prevents access to buildings or data centers
- Screen filters: Prevents shoulder surfing
- Key management: Prevents keys being taken away overnight and from being cut