SEC Domain Review

DAC

Discretionary Access Control, Owner controls permissions, most flexible, least secure

MAC

Mandatory Access Control, Labels/clearance levels set by admin, military style

RBAC

Role-Based Access Control, Permissions assigned to roles, users get roles, most common enterprise

ABAC

Attribute-Based Access Control Conditions-based — time, location, device, department

RuBAC

Rule-Based Access Control, Access is granted or denied based on predefined rules, such as time of day, IP address, or system conditions.

Rule-Based Access Control vs RBAC

Rule-based = if/then logic (firewall rules); RBAC = job role permissions

Least Privilege

Minimum access needed to do the job — nothing more

Separation of Duties

No one person completes a sensitive task alone — prevents fraud

Need to Know

Clearance alone isn't enough — must need it for your role

PICERL Order (IRP)

Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Containment vs Eradication

Contain first (stop spread), then eradicate (remove cause) — order matters

Lessons Learned

Always last IR step — document what happened and how to improve

IR Preparation

Policies, playbooks, tools, training — done BEFORE incident

White Box Pentest

Tester has full knowledge of systems — most thorough

Gray Box Pentest

Partial knowledge — simulates insider or credential exposure

Black Box Pentest

No prior knowledge — simulates external attacker

Passive Reconnaissance

No direct contact — OSINT, DNS lookup, public records

Active Reconnaissance

Direct contact with target — scanning, enumeration, touching systems

Rules of Engagement

Written authorization defining scope and limits — must exist before testing

Pivot

Use compromised system to attack others inside the network

IOC

Indicator of Compromise, Evidence of malicious activity

Indicators of Malicious Activity — types

Account lockouts, impossible travel, resource spikes, out-of-cycle logins, missing logs

Impossible Travel

Login from NYC then Tokyo 10 min later — impossible, flag it

IRP

Incident Response Plan

Out-of-Cycle Login

Activity outside normal hours — possible IOC

Resource Consumption Spike

Sudden CPU/bandwidth/memory spike — possible malware or cryptomining

SQL Injection

User input alters database query — use parameterized queries to prevent

XSS Stored vs Reflected

Stored = saved in DB, hits every visitor; Reflected = in URL, hits one user

CSRF

Forces authenticated user to submit a request — forges action on their behalf

SSRF

Server fetches attacker-controlled URL — internal network exposure

Buffer Overflow

Write past buffer bounds → overwrite memory → execute arbitrary code

Race Condition

Two processes access shared resource simultaneously → unpredictable behavior

DLL Injection

Malicious DLL loaded into a running process — used for persistence/privilege

SSH port

22 — also used by SFTP

SFTP vs FTPS

SFTP = SSH tunnel (port 22); FTPS = FTP + TLS/SSL (port 990) — completely different protocols

HTTPS port

443

LDAPS port

636 — LDAP over SSL/TLS

SNMPv3 port

161 — SNMPv3 adds encryption + auth (v1/v2 are cleartext, avoid)

DNSSEC

Adds digital signatures to DNS — prevents DNS spoofing/cache poisoning

SLA

Service Level Agreement Defines performance guarantees — uptime, response time

MOU

Memorandum of Understanding Intent to work together — NOT legally binding

MOA

Memorandum of Agreement Binding commitment — stronger than MOU

MSA

Master Service Agreement Ongoing services framework — covers future work without new contracts

BPA

Business Partners Agreement Terms between business partners — profit sharing, responsibilities

ISA

Interconnection Security Agreement Governs system-to-system connections between orgs — security requirements

NDA

Non-Disclosure Agreement Confidentiality — protects sensitive info shared between parties

MOU vs MOA trick

MOU = understanding (intent only); MOA = agreement (binding)