CompTIA Security+ Index
Numbers 3DES, 438 A AAA protocols, 216 ABAC (access control model), 129-130 accept (risk response), 347 acceptable use policy/rules of behavior, 475 access control models, 122-130 ABAC, 129-130 DAC, 126-127 MAC, 127-129 role-based access control, 122-125 rule-based access control, 126 access point, 192 antenna types and placement, 196 band selection/width, 193 controller-based versus standalone, 193 fat versus thin, 193 MAC filtering, 195-196 signal strength, 197 SSID, 194-195 access violations, 255-257 account management (general concepts) account maintenance, 121 group-based access control, 124 least privilege, 116 location-based policies, 120 permission auditing and review, 372-373 recertification, 121 standard naming convention, 118 time-of-day restrictions, 120 usage auditing and review, 371-372 account policy enforcement credential management, 121-122 disablement, 119 expiration, 121 Group Policy, 100-102 lockout, 102 password complexity, 97-99, 102 password expiration, 99
password history, 101-102 password length, 102 password reuse, 101 recovery, 119 account types, 117 guest accounts, 117 privileged accounts, 117 service accounts, 117 shared and generic accounts/credentials, 118 user account, 117-118 ACL, 157-158 antispoofing, 158 firewalls, 161, 162 IDS, 187 implicit deny, 158 IPsec, 157-158 ports, 141, 153 router, 157-158 rule-based access control, 126 segmentation, 166 use case, 172 active-active (failover cluster, load balancing), 398-399 active-passive (failover cluster, load balancing), 398-399 active logging (strategic intelligence gathering), 500 active reconnaissance, 360 ad hoc mobile device, 250 zone, topology, 198 administrative (security control), 70-71 advanced malware tools, 290 adverse actions (policies), 480 adware, 276 AES, 63, 199, 433, 436, 437-438 affinity (load balancing, scheduler), 400 agent versus agentless (NAC), 212-213 aggregation SIEM, 370 switch, 160
agile (software development life-cycle model), 325 agreement types, 483-484 BPA, 484 ISA, 484 MOU/MOA, 484 SLA, 484 AH, 143, 153, 209 airgap (physical security, segmentation), 166 alarms (physical security), 388 ALE (risk assessment), 348 always-on VPN, 211 amplification, 309 ANT (mobile device connection), 245 antenna types and placement (wireless access point), 196 anti-malware, 287-289 antispoofing, 158, 172 antivirus, 288 application-based versus network-based (firewall), 161 application/multipurpose (proxy), 169-170 application attacks, 327-333 application blacklist, blacklisting, 233 application cells/containers (hypervisor), 76-77 application management (MDM), 245 application whitelist, whitelisting, 233, 245 APT (threat actor), 269 architecture and design weaknesses (vulnerability), 391 ARO (risk assessment), 348 ARP (protocol), 88, 141-142 ARP poisoning, 141-142, 306-307 asset management, 391 asset value (risk assessment), 347 asymmetric algorithms, 439-445 Diffie-Hellman, 444 DHE, 444 ECDHE, 444 groups, 444 DSA, 446 elliptic curve, 443-444 PGP/GPG, 450 RSA, 443 asymmetric encryption, 424, 432, 439-440
certificates, 441-442
confidentiality with encryption, 432-433 encrypting email, 448-450 HTTPS and TLS, 189, 450-451 introduction, 424-425 public and private keys, 445-446 RSA, 443 static versus ephemeral keys, 443 TPM, 238 attestation (secure boot), 237 attributes of threat actors, 268-270 authentication, authorization and accounting (AAA), 96-97 AAA protocols, 216 RADIUS server, 200 authentication issues (troubleshooting), 109-110 authentication protocols (wireless), 201-202 EAP, 201 EAP-FAST, 201 EAP-TLS, 201 EAP-TTLS, 201 IEEE 802.1x, 199-201 PEAP, 201 RADIUS Federation, 201 automated alerting and triggers (SIEM), 370 automation/scripting, 230 automated courses of action, 230, 370 configuration validation, 359 continuous monitoring, 370, 371 avoid (risk response), 346 B backdoor, 272 background checks (policies), 479 backup concepts, 400-403 differential, 402 full, 401-402 incremental, 402-403 snapshots, 403 backup utilities, 401 band selection/width (wireless access point), 193 banner grabbing, 356 netcat, 367 barricades (physical security), 389 baseline deviation, 231
baselining (Secure DevOps), 325-326 BCRYPT, 428 benchmarks/secure configuration guides, 334 general purpose guides, 334 platform/vendor-specific guides, 334 application server, 334 network infrastructure devices, 334 operating system, 334 web server, 334 biometric factors, 106-107 crossover error rate, 107 facial recognition, 106 false acceptance rate, 106-107 false rejection rate, 107 fingerprint scanner, 106 iris scanner, 106 retinal scanner, 107 voice recognition, 106 biometrics mobile devices, 246 physical security, 385-386 BIOS (hardware/firmware security), 237 birthday attack, 311-312 black box, 362 blacklist, blacklisting, 233 Blowfish, 438-439 bluejacking, 205 bluesnarfing, 206 Bluetooth attacks, 206, 207 mobile device connection, 245 bollards (physical security), 389 bots, 276 BPA (agreement type), 484 bridge, 159 brute force attack, 311 buffer overflow, 317, 320, 327 burning (destruction and sanitization), 486 BYOD (mobile device deployment model), 243-244 C CA, 454-456 cable locks (physical security), 390 CAC, 103-104
cage (physical security, Faraday cage), 395
cameras comparing detection and prevention controls, 74 embedded system, 236, 251, 253, 277 mobile device, 235, 236, 243, 249 physical security, 385, 387 shoulder surfing, 279 captive portals, 202 capture system image (forensics), 495 capture video (forensics), 497 carrier unlocking (mobile device), 250 CBC (cipher mode), 435 CCMP, 199, 201, 202, 206, 207 cellular (mobile device connection), 244 CER (certificate format), 461-462 certificate, 441-442 asymmetric encryption, 439-440 certificate authority, 454 certificate chaining, 455 certificate formats, 461-463 certificate issues, 458-459 certificate types, 460-461 CRL, 459 CSR, 456 digital signature, 66-67 DNSSEC, 148 email, 446-450 HTTPS transport encryption, 450-452 OCSP, 459 pinning, 459 PKI components, 454-461 registration, 456 revoking certificates, 457 smart cards, CAC, PIV, 103-104 stapling, 459 certificate and key management, 458 certificate chaining (PKI concept), 455-456 certificate formats, 461-463 CER (certificate format), 461-462 DER (certificate format), 461-462 P12 (certificate format), 462-463 P7B (certificate format), 462 PEM (certificate format), 462 PFX (certificate format), 462-463
certificate issues, 458-459 certificate types, 460-461
code signing (digital signature), 460 domain validation, 461 email, 460 extended validation, 461 machine/computer, 460 root, 455-456 SAN, 461 self-signed, 461 user, 460 wildcard, 461 certificate-based authentication, 103 CAC, 103-104 IEEE 802.1x, 191 PIV, 103-104 smart cards, 103 chain of custody, 498-499 change management security control, 71, 73 policy, 232 version control and, 326 CHAP (identity and access services), 214 chmod, 257 chroot, 234 cipher modes, 434, 435 CBC, 435 CTM, 435 ECB, 435 GCM, 435 stream versus block, 434 cipher suites, 435, 452-453 clean desk (policies), 477 clickjacking, 314 cloud access security broker, 242 cloud deployment models, 239-242 community, 242 hybrid, 242 IaaS, 240-241 PaaS, 240 private, 242 public, 242
SaaS, 240 cloud storage, 239 code obfuscation (camouflage), 323 code quality and testing, 324 code reuse (and dead code), 323 code signing
certificate type, 460 secure coding, 322-323 cold site, 410 collision, 312, 313 command line tools, 80-88, 366-367 arp, 88 chmod, 257 chroot, 234 ipconfig/ip/ifconfig, 84-85 netcat, 367 netstat, 86 nmap, 366-367 nslookup/dig ping, 82-84 tcpdump, 366 tracert, 87-88 common misconfigurations, 357 community (cloud model), 242 compensating (security control), 74-75 competitors (threat actor), 269 compiled versus runtime code, 319 configuration compliance scanner, 359 confusion, 433, 434 connection methods (mobile devices), 244-245 ANT, 245 Bluetooth, 245 cellular, 244 infrared, 245 NFC, 245 SATCOM, 244 USB, 245 Wi-Fi, 244 containerization (MDM), 246 content management (MDM), 246 context-aware authentication (MDM), 247 continuing education (policies), 501-502 continuity of operation planning, 409 after-action reports, 412 alternate business practices, 406 alternate processing sites, 406, 409-410, 413
exercises/tabletop, 412 failover, 398-399, 413 continuous integration (Secure DevOps), 325 control diversity (defense-in-depth), 382-383 controller-based versus standalone (wireless access point), 193 COPE (mobile device deployment model), 243 corporate-owned (mobile device deployment model), 243 corrective (security control), 74 correlation (SIEM), 370 correlation engine (location), 371 credential management, 121-122 credentialed versus noncredentialed, 358 critical systems identification (BIA), 406 CRL, 457-459 cross-site request forgery, 333 cross-site scripting, 332 crossover error rate (biometric factor), 107 crypto modules, 453 crypto service provider, 453 crypto-malware, 274 cryptographic attacks (password attacks), 309-313 cryptographic protocols (wireless) CCMP, 199 TKIP, 199 WPA, 198 WPA2, 198 CSR, 456-457 CTM (cipher mode), 435 custom firmware (mobile device), 248 CYOD (mobile device deployment model), 244 D DAC (access control model), 126-127 data-at-rest, 142, 254, 432-433 data-in-transit, 142, 143, 172, 189, 205, 254, 432-433, 450 data-in-use, 432 data acquisition (forensics), 495-498 capture system image, 495 capture video, 497 network traffic and logs, 496 record time offset, 497-498 screenshots, 498 take hashes, 496 witness interviews, 498 data destruction and media sanitization, 486-487
burning, 486 degaussing, 487 pulping, 487 pulverizing, 487 purging, 487 shredding, 487 wiping, 486 data execution prevention, 289-290 data exfiltration, 258 data exposure (preventing, secure coding techniques), 322 data retention, 487-488 data roles (responsibilities), 490 owner, 490 privacy officer, 490 steward/custodian, 490 data sanitization tools, 486-487 data sensitivity labeling and handling, 485 confidential, 485 PHI, 485, 488-489 PII, 485, 488-489 private, 485 proprietary, 485 public, 485 database security, 255 DDoS, 140, 270, 276, 304 default configuration (vulnerability), 226-227 defense-in-depth/layered security, 382-383 control diversity, 382-383 administrative, 383 technical, 382 host-based firewall, 160 malware, 287-288 preventive control, 72 unified threat management, 170 user training, 383 vendor diversity, 383 degaussing (destruction and sanitization), 487 deployment models (mobile devices), 243-244 BYOD, 243-244 COPE, 243 Corporate-owned, 243
CYOD, 244 VDI, 244 DER (certificate format), 461-462 DES, 438
detection versus prevention controls (security control), 74 detective (security control), 73 deterrent (security control), 74 development life-cycle models, 324-325 waterfall versus agile, 324-325 Diameter, 216 dictionary attack, 310 differential (backups), 402 Diffie-Hellman, 433, 444 DHE, 444 ECDHE, 444 Groups, 444 diffusion, 433, 434 dig (command), 149 digital cameras botnets, 276-277 mobile devices, 243 secure systems design, 235, 236 USB OTG, 249 digital signatures, 66-67, 103-104, 425, 427, 445-448 code signing, 322 DNSSEC, 148 OCSP, 459 prevent spear phishing, 284 Rayburn box, 441 S/MIME, 450 signing email, 446-448 smart cards, CAC, PIV, 103-104 directory services use case, 145 disablement (account management policy), 73, 89, 119, 121 disassociation attack, 202 disaster recovery, 411-412 disk redundancies, 396-397 dissolvable agent (NAC), 212-213 distributive allocation (high availability, scalability), 398 DLL injection, 319 DLP, 257-258, 357 cloud-based, 258-259 data exfiltration, 258 mail gateway (email), 171 removable media, 257-258
USB blocking, 257-258
DMZ (zone, topology), 163-165 DNS poisoning, 148-149, 308 DNSSEC, 148, 308 domain hijacking, 315 domain name resolution use case, 147-149 domain validation (certificate), 461 DoS, 140, 304, 185, 204, 207, 270, 304 downgrade attack, 453-454 driver manipulation, 315-316 DSA, 446 dumpster diving, 280 dynamic analysis (such as fuzzing), 324 E EAP, 201 EAP-FAST, 201 EAP-TLS, 201 EAP-TTLS, 201 ECB (cipher mode), 435 elasticity, 75 elliptic curve, 443-444 email (certificate), 460 email and web use case, 144-145 embedded systems, 250-254 vulnerabilities, 251 EMI (hardware/firmware security), 236 EMP (hardware/firmware security), 236 encryption asymmetric algorithms, 435-439 confidentiality, 63, 254, 432 full device encryption, 245-246 mail gateway, 172 secure coding techniques, 332-333 symmetric algorithms, 439-435 end-of-life systems (vulnerabilities), 239 enforcement and monitoring for (mobile devices), 247-250 ad hoc, 250 camera use, 249 carrier unlocking, 250 custom firmware, 248
external media, 249 firmware OTA updates, 248 GPS tagging, 247 jailbreaking, 248 MMS, 249
payment methods, 249 recording microphone, 249 rooting, 248 sideloading, 248 SMS, 249 tethering, 250 third-party app stores, 248 USB OTG, 249 Wi-Fi direct, 250 Enterprise (wireless security method), 199-201 environment (secure staging & deployment), 235 development, 235 production, 235 staging, 235 test, 235 environmental controls (physical security), 391-393 fire suppression (physical security), 393 hot and cold aisles (physical security), 392 HVAC (physical security), 391-393 ephemeral key, 443, 444 errata, 5 error-handling, 318, 320, 322, 330, 331 escalation of privilege (penetration testing), 361 ESP, 143, 153, 209 event deduplication (SIEM), 371 evil twin, 204 exit interviews (policies), 479-480 expiration (account management policy), 121 exploitation frameworks, 365 extended validation (certificate), 461 external media (mobile device), 249 external storage devices (secure systems design), 235-236 extranet (zone, topology), 163-165 F facial recognition (biometric factor), 106 failover clusters, 67, 395, 397-400, 413 false acceptance rate (biometric factor), 106-107 false negative
NIPS/NIDS, 186-187 false positive NIPS/NIDS, 186-187 vulnerability scanning, 358
false rejection rate (biometric factor), 107 Faraday cage (physical security), 395 fat versus thin (wireless access point), 193 fault tolerance, 67, 395, 396 disk redundancies, 396-397 power redundancies, 400 server redundancy, 397 FDE (hardware/firmware security), 237 federation, 114-115, 201 fencing/gate, 388 file integrity check, 289 file system security (identity and access management), 255-257 file transfer use case, 142-143 fingerprint scanner (biometric factor), 106 fire suppression (physical security), 393 firewall, 160-163 ACL, 126, 153, 157-158, 160, 162 antispoofing, 158 application-based versus network-based, 161 blocking ping, 84 control diversity, 382 defense-in-depth, 382-383 DMZ, 163-165 host-based firewalls, 160-161 ICMP, 141 implicit deny, 158 IPsec, 209 lack of firewall (vulnerability), 346 logs, 368 network access control, 211-212 NIDS (sensors), 183-184 ports, 150, 153 rule-based access control, 126 separation and segmentation (logical), 166 stateful versus stateless, 141, 162 stateless firewall rules, 162 technical control, 70 unified threat management (UTM), 170-171
vendor diversity, 383 web application firewall, 163 firmware OTA updates (mobile device), 248 forensics (basic concepts), 493-500
forward proxy, 167-168 frameworks exploitation frameworks, 365 industry-specific frameworks, 334 industry-standard frameworks and reference architectures, 334 national versus international frameworks, 334 non-regulatory, 334 regulatory, 334 FTPS, 143 full (backups), 401-402 full device encryption (MDM), 245-246 fuzzing, 324 G GCM (cipher mode), 435 general security policies, 481-483 personal email, 481 social media networks/applications, 481-482 geofencing (MDM), 247 geographic considerations (backups, disaster recovery), 404-405 data sovereignty, 405 distance, 405 legal implications, 405 location selection, 405 off-site backups, 405 geolocation (MDM), 247 GPS tagging (mobile device), 247 gray box, 362 group-based access control, 124 Group Policy, 100-103 account lockout policy, 102 application whitelisting and blacklisting, 233 baseline and integrity measurements, 231 directory services, 145 NTLM/NTLMv2 (pass the hash), 311 password policy, 101-102 resiliency and automation, 230 guest (zone, topology), 198 guest account, 117
H hacktivist (threat actor), 268 hardware/firmware security (secure systems design), 236 BIOS, 237 EMI, 236 EMP, 236 FDE, 237 hardware root of trust, 238 HSM, 238 secure boot and attestation, 237 SED, 237 supply chain, 236 TPM, 237-238 UEFI, 237 hardware root of trust (hardware/firmware security), 238 hardware security module, 238 hashing, 64-66, 105, 111, 311-313, 424, 425-432 hashing algorithms, 425-432 HMAC, 426-427, 430-432 MD5, 425-426 RIPEMD, 427 SHA, 426 HIDS, 182-183 high availability, 397-398 failover clusters, 398 load balancers, 399-400 hijacking and related attacks, 314-315 HIPS, 187 HMAC, 64-66, 111, 426-427, 430-432 hoax, 279-280 home automation (embedded systems), 252 honeynets (zone, topology), 190 honeypot, 187, 190, 191 host-based firewalls, 160-161 host health checks (NAC), 211-212 hot and cold aisles (physical security), 392 hot site, 409-410 HOTP/TOTP, 104-105 how to use this book, 2-3 HSM (hardware/firmware security), 238 HTTPS, 450-452 data-in-transit, 432 secure protocol, 143, 145, 149
transport encryption, 450-452
HVAC embedded system, 252 physical security, 391-393, 394 hybrid (cloud model), 242 hypervisor, 75-77 application cells/containers, 76-77 Type I, 76 Type II, 76 I IaaS, 240-241 ICMP, 141, 157, 162 amplification attack, 309 ping command, 83, 84 ping scan, 353 protocol numbers, 141, 153 ICS, 252 identification, 96-97, 106, 109, 115 identifying lack of security controls, 358 identifying vulnerabilities and misconfigurations, 356-357 IDS/IPS, 182-187 IEEE 802.1x authentication (certificate-based), 191 authentication (RADIUS and VPN), 214-215 wireless (RADIUS), 200-201 wireless authentication (Enterprise mode), 199-201 immutable systems (Secure DevOps), 326 impact (BIA), 407 finance, 407 life, 407 property, 407
reputation, 407 safety, 407 impact (risk assessment, registers), 347, 349, 350 impersonation, 279 implementation versus algorithm selection, 453 implicit deny, 158, 160, 162 improper certificate and key management, 458 improperly configured accounts (risk), 115 proper account management practices, 115-122 incident response plan, 491-492 cyber-incident response teams, 491-492 documented incident types/category definitions, 491 exercise, 492
reporting requirements/escalation, 492 roles and responsibilities, 492 incident response process, 492-493 containment, 493 eradication, 493 identification, 493 lessons learned, 493 preparation, 492 recovery, 493 incremental (backups), 402-403 industry-standard frameworks and reference architectures, 334 industry-specific frameworks, 334 national versus international, 334 non-regulatory, 334 regulatory, 334 infrared detection (physical security), 389 facial recognition (biometrics), 106 mobile device connection, 245 infrastructure as code (Secure DevOps), 326 initial exploitation, 361 injection, 319, 320, 330, 331, 332 input handling, 317, 319-321 insider (threat actor), 268 integer overflow, 317 integrity measurement, 230-231 intermediate CA, 455 Internet Key Exchange, 143, 209 intranet (zone, topology), 163-165 intrusive (testing), 363 intrusive versus nonintrusive testing, 363 IoT, 252 IP spoofing, 305 ipconfig/ip/ifconfig (commands), 84-85 IPsec, 143, 209
ACLs, 157-158 HMAC, 426 host-based firewalls, 160 NAT interoperability, 165 protocol numbers, 153 secure file transfer, 143 tunneling protocol (VPN), 209
iris scanner (biometric factor), 106 ISA (agreement type), 484 IV, 433 IV attack, 205 J jailbreaking (mobile device), 248 jamming, 204 job rotation (policies), 477 K Kerberos (identity and access services), 110-111 key escrow (PKI concept), 460 key exchange asymmetric encryption, 439-440, 446 cipher suites, 452 Diffie-Hellman, 444 HTTPS transport encryption, 450-452 Internet Key Exchange, 143, 209 key management certificate and key management, 458 physical security, 390 key strength, 429, 439 key stretching, 428-429 BCRYPT, 428 PBKDF2, 429 keylogger, 275 known plain text attack (and cipher text attack), 313-314 L lack of vendor support (vulnerabilities), 239 LDAP (identity and access services), 111 LDAPS, 111-112, 145 least functionality, 226-227 least privilege, 116 group-based privileges, 124-125 onboarding, 480 permission auditing and review, 372 permission issues and access violations, 255
separation of duties, 476 technical control, 70 training and compliance issues, 502 legal and compliance (data issues), 489-490
legal hold (forensics), 499 license compliance violation (availability/integrity), 233 lighting (physical security), 388 likelihood of occurrence (risk assessment), 347, 349, 350 live boot media, 228 load balancer, 67, 169, 399-400 active-active (failover cluster), 398-399 active-passive (failover cluster), 398-399 scheduling, 399-400 affinity, 400 round-robin, 399 virtual IPs, 400 location-based policies (account management), 120 lock types (physical security), 384-386, 389-390 lockout (account policies), 102 logic bomb, 271-271 logs access logs (physical security), 388 active logging (strategic intelligence gathering), 500 events anomalies, 367-369 firewall, 368 network traffic and logs (forensics), 496 router, 368-369 WORM (SIEM), 371 M MAC (access control model), 127-129 MAC filtering (wireless access point), 195-196 MAC spoofing, 305 machine/computer (certificate), 460 mail gateway (email), 171-172 DLP, 171 encryption, 172 spam filter, 171 malware, 270-277 man-in-the-browser, 315 man-in-the-middle, 306-307 mandatory vacations (policies), 475 mantrap, 280, 386-387
master image, 229 MD5, 64-66, 111, 289, 311, 312, 352, 424, 425-426
media gateway, 167 memory buffer vulnerabilities, 316-319 memory leak, 316-317 memory management, 316-319 MFD, 236 misconfiguration (vulnerability), 226-227 misconfigured devices access points, 207 content filter, 171 firewall, 162 mission-essential functions (BIA), 406 mitigate (risk response), 346-347 MMS (mobile device), 249 mobile device management concepts, 245-247 application management, 245 biometrics, 246 containerization, 246 content management, 246 context-aware authentication, 247 full device encryption, 245-246 geofencing, 247 geolocation, 247 passwords and pins, 246 push notification services, 247 remote wipe, 246 screen locks, 246 storage segmentation, 246 mobile devices, 243-250 model verification, 324 modes of operation, 435 motion detection (physical security), 73, 388-389 MOU/MOA (agreement type), 484 MTBF, 409 MTTR, 409 MS-CHAP (identity and access services), 214 multifactor authentication, 97-109 something you are, 106-107 something you do, 108 something you have, 103-105 something you know, 97-103 somewhere you are, 107-108 N NAC, 211-213
agent versus agentless, 212-213
dissolvable versus permanent, 212-213 host health checks, 211-212 NAT (zone, topology), 165 nation state (threat actor), 269 national versus international (frameworks), 334 NDA (policies), 479 netcat (command), 367 netstat (command), 86 network access control, 211-213 network address allocation use case, 146 network mapping, 354 network scanners, 352-354 active reconnaissance, 360 network mapping, 354 rogue system detection, 355-356 zenmap, 353-354 network traffic and logs (forensics), 496 new threats and anti-malware, 288 and educating users, 291 and zero-day, 316
NFC attack, 205 mobile device connection, 245 NIDS, 183-186 NIPS/NIDS analytics, 186 false negative, 186 false positive, 186 anomaly-based detection, 184 data sources and trends, 185 heuristic/behavioral detection, 186 in-band versus out-of-band, 187 inline versus passive, 187 rules, 186 sensor and collector placement, 183-184 signature-based detection, 184 nmap (command), 366-367 non-persistence, 78 live boot media, 228 revert to known state, 77-78 rollback to known configuration, 78 snapshots, 77-78 non-regulatory (frameworks), 334 nonce, 214, 311, 433 nonintrusive (testing), 363
normalization, 328-330 nslookup (command), 149 NTLM (identity and access services), 111 O OAUTH (identity and access services), 115 obfuscation code obfuscation (camouflage), 323 cryptography, 436 steganography, 64, 444-445 use case supporting obfuscation, 63, 64 object identifiers (OID), 456 OCSP, 459 off-site backups, 405 on-premise versus hosted versus cloud (cloud model), 239 onboarding/offboarding, 480 online versus offline (brute force attack), 310 online versus offline CA (PKI concept), 456 Open (wireless security method), 199-201 open-source intelligence, 268 OpenID Connect (identity and access services), 115 operating systems, 227-33 appliance, 228 application whitelisting/blacklisting, 233 disable default accounts/passwords, 227 disabling unnecessary ports and services, 227 kiosk, 228 least functionality, 226-227 mobile OS, 227 network, 228 secure configurations, 228-230 server, 227 trusted operating system, 228 types, 227-228 workstation, 227 order of restoration backups, 402-403 continuity of operations, 405 order of volatility, 494-495 organized crime (threat actor), 269 owner (data role and responsibilities), 490
P P12 (certificate format), 462-463 P7B (certificate format), 462 PaaS, 240 PAP (identity and access services), 214 pass the hash, 311 passive reconnaissance, 360 passive versus active (tools), 363 passively testing security controls, 358 password complexity, 97-99, 102 expiration (password policy), 99 history (password policy), 101-102 length, 97-98, 102 reuse, 101 password cracker, 352 rainbow table attacks, 312 vulnerability scanning, 357 wireless scanners/cracker, 354-355 passwords and pins (MDM), 246 patch management, 68, 231, 251 patch management tools, 231, 358 payment methods, (mobile device), 249 PBKDF2, 429 PEAP, 201 PEM (certificate format), 462 penetration testing, 359-363 penetration testing versus vulnerability scanning, 363 perfect forward secrecy, 443 peripherals (secure systems design), 235-236 digital cameras, 236 displays, 235 external storage devices, 235-236 printers/MFDs, 236 Wi-Fi-enabled MicroSD cards, 236 wireless keyboards, 235 wireless mice, 235 permanent agent (NAC), 212-213 permission auditing and review, 372-373 permission issues, 255-257 persistence, 362 personal email (policies), 481 personnel issues (troubleshooting), 502-503 insider threat, 268
personal email, 475, 480 policy violation, 480 social engineering, 278-287 social media, 292, 481-483 training, 500-502 personnel management (policies), 474-483 acceptable use policy/rules of behavior, 475 adverse actions, 480 background checks, 479 clean desk, 477 continuing education, 501-502 exit interviews, 479-480 job rotation, 477 mandatory vacations, 475 NDA, 479 role-based awareness training, 500-501 data owner, 500 executive user, 501 privileged user, 501 system administrator, 500 system owner, 500-501 user, 501 separation of duties, 476 onboarding, 480 PFX (certificate format), 462-463 PGP/GPG, 450 PHI, 261, 485, 488-489 phishing, 281-284 physical (isolation, airgap), 166 physical (security control), 71-72, 383-395 physical access control (identity and access management) proximity cards, 384, 385, 386 smart cards, 385 physical security controls, 383-395 PII, 261, 485, 488-489 ping (command), 82-84 pinning (PKI concept), 459 PIV, 103-104
pivot (penetration testing), 361 PKI components CA, 454-456 intermediate CA, 455 CRL, 457-459 OCSP, 459
CSR, 456-457 certificate, 441-442 public key, 439-445 private key, 439-445 object identifiers (OID), 456 PKI concepts, 454- certificate chaining, 455-456 key escrow, 460 online versus offline CA, 456 pinning, 459 stapling, 459 trust model, 455-456 pointer dereference, 318-319 port security IEEE 802.1x, 191 MAC filtering, 195-196 switch (physical port), 155
ports
comparing ports and ports, 157 disabling unnecessary ports and services, 227 firewall rules, 150, 153 logical ports, 149-153 physical ports, 155 port security, 155 taps and port mirror, 183 power redundancies
preservation (of data, forensics), 495-498 preventive (security control), 72-73 principles (social engineering principles), 292-295 authority, 293 intimidation, 293 consensus, 293 scarcity, 294 familiarity, 294 trust, 294-295 urgency, 294 printers/MFDs
secure systems design, 236 embedded systems, 250-251 privacy impact assessment (BIA), 407-408 privacy officer (data role and responsibilities), 490 privacy threshold assessment (BIA), 407-408 private (cloud model), 242
private key asymmetric encryption, 424, 432, 439-445 certificate formats, 462-463 digital signature, 425 email, 446-450 HTTPS, 450-452 improper certificate and key management, 458 key escrow, 460 Rayburn box, 441 recovery agent, 460 registration and CSRs, 456-457 revoking certificates, 457 smart cards, 103 TPM, 238 privilege escalation, 117-118, 287, 304, 358, 361 privileged accounts, 117 proper error handling, 322 proper input validation, 319-321 protected distribution/protected cabling (physical security), 394 protocol analyzer, 364-366 capture clear text, 110, 142, 311, 432 capture MAC and IP address, 497 connected to switch, 155 flood attack, 156 IDSs and IPSs, 182, 187 promiscuous mode, 85 protecting cabling, 394 sniffing attack, 140 tcpdump, 366 tracert command, 87 wireless attack, 195 WPA attack, 198 protocols (secure protocols), 140-149 DNSSEC, 148 FTPS, 143 HTTPS, 143, 145, 149 LDAPS, 111-112, 145 S/MIME, 450 secure POP/IMAP, 144-145
SFTP, 143 SNMPv3 SRTP, 142 SSH, 143 SSL/TLS, 143
provisioning and deprovisioning, 327 proximity cards, 207, 384, 385 tailgating and mantraps, 386-387 proxy, 167-170 application/multipurpose, 169-170 forward proxy, 167-168 reverse proxy, 169 transparent, 168-169 pseudo-random number generation, 433, 434 PSK (wireless security method), 199-201 public (cloud model), 242 public key asymmetric encryption, 424, 432, 439-445 certificate formats, 462-463 digital signature, 425 email, 446-450 HTTPS, 450-452 Rayburn box, 441 registration and CSRs, 456-457 smart cards, 103 TPM, 238 public key infrastructure (PKI), 454-462 pulping (destruction and sanitization), 487 pulverizing (destruction and sanitization), 487 purging (destruction and sanitization), 487 push notification services (MDM), 247 Q qualitative (risk assessment), 349 quantitative (risk assessment), 347-349 R race conditions, 321 RADIUS identity and access services, 214-215 RADIUS Federation, 201 RAID (0, 1, 5, 6, 10), 396-397 rainbow table attack, 312-313 random number generation, 433, 434 ransomware, 274-275 RAT, 274 Rayburn box, 441
RC4, 438 recertification (account management), 121 record time offset (forensics), 497-498
recording microphone (mobile device), 249 recovery of data, forensics, 499 password recovery, 119 recovery sites, 409-410 cold site, 410 hot site, 409-410 warm site, 410 redundancy, 67 disk redundancies, 396-397 power redundancies, 400 server redundancy, 397 refactoring, driver manipulation, 315-316 regulatory (frameworks), 334 remote access use case, 145-146 VPNs, 207-211 remote attestation, 237 remote wipe (MDM), 246 removable media control (DLP), 257-258 replay attack, 110, 142, 206-207, 313 resource exhaustion (vulnerability), 270 retinal scanner (biometric factor), 107 reverse proxy, 169 revert to known state (snapshot, virtualization), 77-78 RFID attack, 206-207 RIPEMD, 427 risk assessment, 346-350 risk register (risk assessment), 350, 351 risk response techniques, 346-347 accept, 347 avoid, 346 mitigate, 346-347 transfer, 346 role-based access control, 122-125 role-based awareness training (policies), 500-501 data owner, 500 executive user, 501 privileged user, 501 system administrator, 500 system owner, 500-501
user, 501 rollback to known configuration (snapshot, virtualization), 78
rogue AP, 203 rogue system detection, 355-356 root (certificate), 455-456 rooting (mobile device), 248 rootkit, 277 ROT13, 436 round-robin (load balancing, scheduler), 399 router, 147, 154, 156-158 ACLs, 141, 157-158 aggregation switch, 160 antispoofing, 158 attribute-based access control, 129 Layer 3 switch (comparison), 166 logs, 368-369 NAT and PAT, 165 physical security, 383, 390 ping (blocked), 84 ports, 141, 150-153 rule-based access control, 126 NIDS (sensors), 183 SDN (comparison), 189-190 separation and segmentation, 166 TACACS+, 215-216 tracert (command), 87 use cases, 172 wireless, 192-193 SNMP, 172 routing and switching use case, 172 RPO, 408 RSA, 443 RTO, 408 RTOS, 253 rule-based access control, 126 S S/MIME, 450 SaaS, 240 safe (physical security), 390 SAML (identity and access services), 114 SAN (certificate), 461 sandboxing chroot, 234 code quality and testing, 324 secure staging & deployment, 234
salt and key stretching, 428-429
  and rainbow table attacks, 312-313
SATCOM (mobile device connection), 244
SCADA, 252
scalability, 75, 398, 399
scanners/cracker (wireless), 354-355
scheduling, 399-400
screen filter, 279
screen locks (MDM), 246
screenshots (forensics), 498
script kiddie (threat actor), 268
SDN, 129, 189-190
secret algorithm, 433
secure baseline, 230-231
secure boot (and attestation), 237
secure cabinets/enclosures (physical security),
secure coding techniques, 319-327
Secure DevOps, 324-327
  continuous integration, 325
  baselining, 325-326
  immutable systems, 326
  infrastructure as code, 326
  security automation, 325
secure POP/IMAP, 144-145
secure token (identity and access services), 112
Security as a Service, 241-242
security automation (Secure DevOps), 325
security control types, 69-75
  administrative, 70-71
  compensating, 74-75
  corrective, 74
  deterrent, 74
  detection versus prevention controls, 74
  detective, 73
  physical, 71-72, 383-395
  preventive, 72-73
  technical, 70
security device/technology placement
  collectors, 183-184
  DDoS mitigator, 171
  filters, 167-168, 170-171
  firewalls, 160-165
  load balancers, 399
  proxies, 167-168
  sensors, 183-184
  SSL (TLS) accelerators, 188-189
  taps and port mirror, 183
  VPN concentrator, 208
security guards (physical security), 387
security through obscurity, 64, 323, 436
SED (hardware/firmware security), 237
segregation/segmentation/isolation (secure network)
  logical (network, VLAN), 166
  physical (airgap), 166
  router, 166
  switch (use case), 172
  virtualization, 77
  VLAN, 167
self-signed (certificate), 461
separation of duties (policies), 476
server-side versus client-side execution and validation, 320-321
server redundancy, 397
service accounts, 117
service attack, 140, 304
session hijacking, 314
session keys (symmetric encryption), 435, 439, 450, 452
SFTP, 143
SHA, 64-66, 311, 312, 424, 426
shared and generic accounts/credentials, 118
Shibboleth (identity and access services), 115
shielding (physical security), 394-395
shimming, driver manipulation, 315
shoulder surfing, 279
shredding (destruction and sanitization), 487
sideloading (mobile device), 248
SIEM, 370-373
  aggregation, 370
  automated alerting and triggers, 370
  correlation, 370
  event deduplication, 371
  logs/WORM, 371
  time synchronization, 370-371
signal strength (wireless access point), 197
signs (physical security), 384
single point of failure, 395-396, 396-401
single sign-on (SSO), 112-115, 200
site-to-site (VPN), 210
SLA (agreement type), 484
SLE (risk assessment), 348
smart cards, 103
smart devices/IoT (embedded systems), 252
  home automation, 252
  wearable technology, 252
SMS (mobile device), 249
snapshots
  backups, 403
  virtualization, 77-78
SNMP, 156, 172
SoC, 252
social media networks/applications (policies), 481-482
social engineering, 278-287
something you are, 106-107
something you do, 108
something you have, 103-105
something you know, 97-103
somewhere you are, 107-108
spear phishing, 284
special purpose (embedded system), 253-254
  aircraft/UAV, 254
  medical devices, 253-254
  vehicles, 253-254
split tunnel versus full tunnel (VPN), 209-210
spyware, 275
SQL injection, 320, 330-332
SRTP, 142
SSH, 143, 145-146, 151, 207, 310, 362, 367
SSID (wireless access point), 194-195
SSL
  SSL versus TLS, 144, 450-451
  weak/deprecated algorithms, 434
SSL/TLS accelerators, 188-189
SSL decryptors, 189
standard naming convention (account management), 118
standard operating procedure, 474
stapling (PKI concept), 459
STARTTLS, 143, 144
stateful versus stateless (firewall), 141, 162
stateless firewall rules, 162
static code analyzers, 324
steganography, 64, 372, 425, 444-445
steganography tools, 444-445
steward/custodian (data role and responsibilities), 490
storage segmentation (MDM), 246
stored procedures, 331-332
strategic intelligence/counterintelligence gathering, 500
  active logging, 500
stream versus block (cipher mode), 434
stress testing, 324
substitution cipher, 436
subscription services use case, 149
supply chain (hardware/firmware security), 236
supply chain assessment (risk assessment), 351
switch, 154-156
  flood guard, 156
  Layer 2 versus Layer 3, 166
  loop prevention, 155-156
  port security, 155
symmetric algorithms, 435-439
  3DES, 438
  AES, 437-438
  Blowfish/Twofish, 438-439
  DES, 438
  RC4, 438
system sprawl and undocumented assets (vulnerability), 391

T

tabletop exercise, 412
TACACS+ (identity and access services), 215-216
take hashes (forensics), 496
tailgating, 280, 386-387
tcpdump (command), 366
technical (security control), 70
templates, 230
testing
  penetration testing authorization, 359
  vulnerability testing authorization, 359
tethering (mobile device), 250
third-party app stores (mobile device), 248
third-party libraries and SDKs, 323
threat actors (types and attributes), 268-270, 344-345
threat assessment, 344-345
  environmental, 345
  internal versus external, 345
  manmade, 345
time-of-day restrictions (account management), 120
time synchronization
  Kerberos, 110
  SIEM, 370-371
  use case, 146
TKIP, 199, 201, 202, 206, 207
TLS
  AH, 209
  certificate, 456
  cipher suites, 452-453
  downgrade attack, 453-454
  EAP-Tunneled TLS, 201
  EAP-TLS, 201
  ESP, 209
  HMAC, 426
  HTTPS, 145, 450-452
  LDAPS, 112, 144
  PEAP, 201
  secure file transfer, 143
  secure IMAP, 144
  SSL/TLS accelerators, 188-189
  SSL decryptors, 189
  Tunnel mode, 209
  tunneling protocol (VPN), 209
  Transport mode, 209
tokens, 104-105
  hardware (key fob), 104
  software (in a software application), 105
tokens/cards (physical security), 385
TOTP, 104-105
TPM (hardware/firmware security), 237-238
tracert (command), 87-88
track man-hours (forensics), 500
transfer (risk response), 346
transitive trust, 113
transparent (proxy), 168-169
Transport mode (TLS), 209
Trojan, 273
trust model (PKI concept), 455-456
trusted operating system, 228
Tunnel mode (TLS), 209
tunneling/VPN, 209-210
  remote access, 208-211
  site-to-site, 210
tunneling protocol (TLS for VPN), 209
Twofish, 438-439
Type I (hypervisor), 76
Type II (hypervisor), 76
typo squatting, 314

U

UAV, 254
UEFI (hardware/firmware security), 237
unauthorized software, 233
unencrypted credentials/clear text, 110, 364-365
unified threat management (UTM), 170-171
untrained users (vulnerability), 291
URL hijacking, 314
usage auditing and review, 371-372
USB (mobile device connection), 245
USB OTG (mobile device), 249
UTM, 170-171
use case, 62-63, 142-146
  directory services, 145
  domain name resolution, 147-149
  email and web, 144-145
  file transfer, 142-143
  high resiliency, 434
  low latency, 459
  low power devices, 444
  network address allocation, 146
  protocols, 141-149
  remote access, 145-146
  resource versus security constraints, 68
  routing and switching, 172
  time synchronization, 146
  subscription services, 149
  supporting authentication, 97
  supporting confidentiality, 63
  supporting integrity, 64
  supporting non-repudiation, 66
  supporting obfuscation, 64
  voice and video, 142
user (certificate), 460

V

VDI (mobile device deployment model), 244
VDI/VDE (virtual desktops), 78
vendor diversity (defense-in-depth), 383
version control and change management, 326
virtual IPs (load balancing), 400
virtualization, 75-80
viruses, 271
vishing, 285
VLAN (isolating traffic), 166
VM escape protection, 79
VM sprawl avoidance, 79
voice and video use case, 142
voice recognition (biometric factor), 106
VPN concentrator, 208
  always-on VPN, 211
  IPsec, 209
    AH, 209
    ESP, 209
    Tunnel mode, 209
    Transport mode, 209
  remote access versus site-to-site, 207, 208, 210-211
  split tunnel versus full tunnel, 209-210
  TLS, 209
vulnerability scanner, 351, 356-358
  active reconnaissance, 360
  configuration compliance scanner, 359
  credentialed versus non-credentialed, 358
  integrity measurements for baseline deviation, 231
  passive versus active tools, 363
vulnerability scanning, 356-358
vulnerable business processes, 406

W

waterfall (software development life-cycle model), 324-325
watering hole attack, 280-281
warm site, 410
weak/deprecated algorithms, 434
weak cipher suites (vulnerability, downgrade attack), 453-454
weak configuration (vulnerability), 226-227
weak implementations (downgrade attack), 453-454
weak security configurations, 226, 230-231
wearable technology, 252
web application firewall, 163
whaling, 284
white box, 362
whitelist, whitelisting, 233, 245
Wi-Fi direct (mobile device), 250
Wi-Fi (mobile device connection), 244
Wi-Fi-enabled MicroSD cards (secure systems design), 236
wildcard (certificate), 461
wiping (destruction and sanitization), 486
wireless
  attacks, 202-207
  keyboards (secure systems design), 235
  mice (secure systems design), 235
  scanners/cracker, 354-355
  security, 192-202
  zone, topology, 198
wireless security methods
  PSK versus Enterprise versus Open, 199-201
  WPS, 203
  captive portals, 202
witness interviews (forensics), 498
WPA/WPA2, 198, 199, 200-201, 202, 203, 206
WPS, 203

X

XOR, 433, 435

Z

zenmap, 353-354
zero day, 185, 190, 253, 289, 292, 316
zones/topologies, 163-165, 198
  ad hoc, 198
  DMZ, 163-165
  extranet, 163-165
  guest, 198
  honeynets, 190
  intranet, 163-165
  NAT, 165
  wireless, 198