Confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
National Institute of Standards and Technology (NIST)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
security control
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
Technical
A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.
Operational
A category of security control that is implemented by people.
Managerial
A category of security control that gives oversight of the information system.
Access control lists (ACL)
A collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).
Detective Control
A type of security control that acts during an incident to identify or record that it is happening.
Corrective Control
A type of security control that acts after an incident to eliminate or minimize its impact.
Physical
A type of security control that acts against in-person intrusion attempts.
Deterrent
A type of security control that discourages intrusion attempts.
Compensating
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
ISO 27001
A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.
Cloud Security Alliance (CSA)
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
Statements on Standards for Attestation Engagements (SSAE)
Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.
SOC2 Type I report
assesses the system design
SOC2 Type 2 report
assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 Type II reports are highly detailed and designed to be restricted. They should only be shared with the auditor and regulators, and with important partners under non-disclosure agreement (NDA) terms.
SOC2 Type 3 report
a less detailed report certifying compliance with SOC2. SOC3 reports can be freely distributed.
Center for Internet Security
A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard for organizations that process credit or bank card payments.
Open Web Application Security Project (OWASP)
A charity and community publishing a number of secure application development resources.
Sarbanes-Oxley Act (SOX)
A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization's financial and business operations.
General Data Protection Regulation (GDPR)
Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.
Gramm-Leach-Bliley Act (GLBA)
A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996.
California Consumer Privacy Act (CCPA)
A law that allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
Vulnerability
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
Threat
The potential for an entity to exercise a vulnerability (that is, to breach security).
Risk
the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability.
black hat
An unauthorized hacker operating with malicious intent.
white hat
A hacker engaged in authorized penetration testing or other security consultancy.
gray hat hacker
A hacker who analyzes networks without seeking authorization, but without overtly malicious intent.
script kiddie
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
Advanced Persistent Threat (APT)
An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.
shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner.
attack surface
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
attack vector
A specific path by which a threat actor gains unauthorized access to a system.
Supply chain
An attack that targets the end-to-end process of manufacturing, distributing, and handling goods and services.
criminal syndicate
A type of threat actor that uses hacking and computer fraud for commercial gain.
State actors
A type of threat actor that is supported by the resources of its host country's military and security services.
Hacktivists
A threat actor that is motivated by a social issue or political cause.
dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
Behavioral threat research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
TTPs
Threat research is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures
Reputational threat intelligence
Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.
Threat data
computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.
cyber threat intelligence (CTI)
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
Closed/proprietary
Software code or security research that remains in the ownership of the developer and may only be used under permitted licence conditions.
Vendor websites
proprietary threat intelligence is not always provided at cost. All types of security, hardware, and software vendors make huge amounts of threat research available via their websites as a general benefit to their customers. One example is Microsoft's Security Intelligence blog.
Information Sharing and Analysis Centers (ISACs)
Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.
Open source intelligence (OSINT)
Publicly available information plus the tools used to aggregate and search it.
indicator of compromise (IoC)
A sign that an asset or network has been attacked or is currently under attack.
threat data feed
Signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
Structured Threat Information eXpression (STIX)
A framework for analyzing cybersecurity incidents.
Automated Indicator Sharing (AIS)
Threat intelligence data feed operated by the DHS.
threat map
Animated map showing threat sources in near real-time.
Common Vulnerabilities and Exposures (CVE)
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
Trusted Automated eXchange of Indicator Information (TAXII)
A protocol for supplying codified information to automate incident detection and analysis.
footprinting
The phase in an attack or penetration test in which the attacker or tester gathers information about the target before attacking it.
pathping
Windows utility for measuring latency and packet loss along a route.
mtr
Utility combining the ping and traceroute commands.
Simple Network Management Protocol (SNMP)
Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.
Nmap Security Scanner
Versatile port scanner used for topology, host, service, and OS discovery and enumeration.
service discovery
The practice of using network scans to discover open TCP and UDP ports, plus information about the servers operating them.
TCP SYN (-sS)
this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.
UDP scans (-sU)
scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Port range (-p)
by default, Nmap scans 1000 commonly used ports, as listed in its configuration file. Use the -p argument to specify a port range.
fingerprinting
Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.
netstat
Utility to show network information on a machine running TCP/IP, notably active connections and the routing table.
nslookup/dig
Software tool for querying DNS server records.
theHarvester
Utility for gathering results from open source intelligence queries. It works by scanning multiple public data sources to gather emails, names, subdomains, IPs, URLs and other relevant data.
dnsenum
packages a number of DNS tests into a single query. As well as hosting information and name records, dnsenum can try to work out the IP address ranges that are in use.
curl
is a command line client for performing data transfers over many types of protocol. This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.
Nessus
The list of services and version information that a host is running can be cross-checked against lists of known software vulnerabilities.
Packet analysis
The act of examining protocol headers and payloads within individual network packets or frames.
Protocol analysis
The act of examining protocol usage statistics over a network link.
tcpdump
a command line packet capture utility for Linux. Once started, the utility displays captured packets until halted manually.
Well-known tools used for packet injection
Dsniff, Ettercap, Scapy, and hping
hping
an open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs.
tcpreplay
A command-line utility that replays packets saved to a file back through a network adapter.
remote access trojan (RAT)
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
exploitation framework
Suite of tools designed to automate delivery of exploits against common software and firmware vulnerabilities.
Metasploit
A platform for launching modularized attacks against known software vulnerabilities.
Sn1per
Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.
Netcat
Utility for reading and writing raw data over a network connection.
data breach event
where confidential data is read or transferred without authorization. A privacy breach is where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information. A data breach can also be described as a data leak. A data breach can be intentional/malicious or unintentional/accidental.
Data exfiltration
the methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media.
Vendor management
Policies and procedures to identify vulnerabilities and ensure security of the supply chain.
Security Content Automation Protocol (SCAP)
A NIST framework that outlines various accepted practices for automating vulnerability scanning.
Common Vulnerability Scoring System (CVSS)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Non-intrusive (or passive) scanning
An enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.
Active scanning
probing the device's configuration using some sort of network connection with the target. Active scanning consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some other sort of outage. Agent-based scanning is also an active technique.
Open Vulnerability and Assessment Language (OVAL)
an XML schema for describing system security state and querying vulnerability reports and information.
Extensible Configuration Checklist Description Format (XCCDF)
an XML schema for developing and auditing best-practice configuration checklists and rules. Previously, best-practice guides might have been written in prose for system administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.
Rules of engagement
Agreeing scope, operational parameters, and reporting requirements for a penetration test.
Black box
An assessment methodology where the assessor is given no privileged information about the configuration of the target of assessment.
White box
An assessment methodology that simulates an inside attacker that knows everything about the target.