circuit-level gateway firewall
a type of firewall that verifies the legitimacy of a network connection at the session layer by inspecting the TCP handshake, rather than the content of individual packets.
Once a session is deemed valid, it allows traffic to flow without further inspection, creating a virtual circuit to hide the internal host's IP address and improve performance.
faster and easier to manage, but they lack content inspection, making them vulnerable to attacks that exploit weaknesses in the session protocols themselves
*TCP Handshake: a three-step process used to establish a reliable connection between two devices, often referred to as the client and server
WPA2-PSK (AES)
the most compatible encryption type for older devices that is still considered secure, as devices manufactured after 2006 with a "Wi-Fi" logo must support it.
Role-Based Access Control (RBAC)
It simplifies access management to computer/network resources by assigning permissions to roles rather than to each individual user within an org, which is more scalable and secure.
For example, a doctor role might have access to patient records, while a receptionist role can only see contact information, ensuring the principle of least privilege is followed.
evil twin attack
a cyberattack where a hacker creates a fake Wi-Fi network with the same name (SSID) as a legitimate one to trick users into connecting.
Once connected, the hacker can intercept the user's traffic, steal sensitive data like passwords and financial information, or redirect them to a fake login page through a technique called man-in-the-middle.
This is particularly common in public places like coffee shops and airports.
Hashing
This one-way process is used for security and integrity, as any change to the original data creates a completely different hash value, and it's virtually impossible to reverse the process to get the original data from the hash.
Common uses include password storage, verifying file integrity, and securing digital communications
Economy of Mechanism
is a security design concept that states security mechanisms should be as simple and small as possible. This is because complex designs are more likely to contain errors, making them harder to test, audit, and secure against vulnerabilities.
A simple system has fewer components, reducing the attack surface and making it easier to verify and maintain.
also known as simplicity
"fail-safe"
a system design principle where failure results in the system entering a secure state by default, such as blocking access to minimize harm.
FERPA (or the Family Educational Rights and Privacy Act)
a federal law that protects the privacy of students' educational records
General Data Protection Regulation (GDPR)
a European Union law that protects the personal data of individuals within the European Economic Area (EEA) by establishing rules for how organizations can collect, process, and store it.
Credential Stuffing Attack
criminals use bots to automatically test large lists of stolen username and password combinations against numerous websites.
It exploits the common user habit of reusing the same passwords across multiple online accounts.
If a user's credentials were exposed in a data breach on one site, an attacker hopes those same credentials will grant access to the user's other accounts.
War Driving Attack
a hacking method where a person drives around an area and uses software and hardware to scan for vulnerable Wi-Fi networks to gain unauthorized access.
the attacker then tries to crack passwords or exploit weaknesses to access the network
War Chalking Attack
the practice of using chalk or other markers to draw symbols on public surfaces to indicate the presence and accessibility of open Wi-Fi networks.
Gramm-Leach-Bliley Act (GLBA)
a 1999 U.S. law that requires financial institutions to protect consumers' nonpublic personal information (NPI) and inform them of their privacy policies.
provide customers with a privacy notice and give them the option to opt out of sharing their information with third parties
Possession factor
Something you have
a physical object in your possession, most commonly used for two-factor authentication (2FA) to verify your identity
WPA3
strongest, newest, best new security features
the latest Wi-Fi security protocol that enhances security over WPA2 by offering stronger encryption, protection against brute-force attacks, and safer open-network connections.
Open design
a principle that states a system's security should not rely on the secrecy of its design or implementation, but rather on its robustness, making it secure even if the design is publicly known
Least Common Mechanism
a security design concept that minimizes the amount of shared components, data, or subsystems between different users or programs
use separate devices, tools, apps, and resources for different users or activities whenever possible
mechanisms used to access systems and resources should not be shared
Pharming Attack
a type of cybercrime that redirects users from a legitimate website to a fraudulent one without their knowledge, often to steal sensitive information like login credentials and financial data.
Asset Classification Policy
a plan that categorizes an organization's assets (like data, equipment, and intellectual property) based on their value, sensitivity, and risk to determine the appropriate level of security and handling
PCI DSS (Payment Card Industry Data Security Standard)
a set of rules and guidelines for businesses that handle credit card information to protect against fraud
Separation of Duties/Privilege
a fundamental internal control principle that prevents fraud and errors by dividing a single task's responsibilities among multiple people
critical tasks require more than one person to be involved to ensure security
PIPEDA (Personal Information Protection and Electronic Documents Act)
a Canadian federal law that governs the collection, use, and disclosure of personal information by private-sector organizations during commercial activities
Rule-Based Access Control (RuBAC)
a security method that determines access based on a set of programmed "if-then" rules that consider multiple contextual conditions like time, location, or device, in addition to the user and the resource
Complete mediation
requires every access attempt to a resource to be checked for authorization before it is granted.
checks permissions
Psychological acceptability
a design principle that ensures security and other systems are easy and intuitive for users to interact with, making them more likely to use them correctly.
AES (Advanced Encryption Standard)
a symmetric block cipher used for encrypting electronic data, converting it into an unintelligible form (ciphertext) using a shared secret key
Discretionary Access Control (DAC)
the owner of a resource can define access permissions, granting users the ability to read, write, or execute files and other objects
ABAC (attribute-based access control)
grants or denies access based on a dynamic evaluation of attributes related to the user, the resource being accessed, and environmental conditions
Content-Based Access Control (CBAC)
a system that grants or denies access based on the actual content of the data or the context of the request, rather than just user roles or static attributes
rogue access point
an unauthorized wireless access point (AP) connected to a secure network, created either maliciously by hackers to steal data or accidentally by employees
WPA2
strong, most common in use today
the most compatible encryption type for older devices
knowledge factor
something you know
requires a user to provide information only they should know, such as a password, PIN, or the answer to a security question
Inherence factor
something you are
Script Kiddie
an individual who uses pre-written, automated malicious scripts and tools created by others to attack computer systems or networks.
They are considered unskilled hackers because they lack the technical expertise to create their own tools or understand how they work
Human-centered design (HCD)
a creative problem-solving approach that puts people at the core of the development process by focusing on user needs, wants, and pain points
zero trust policy
a cybersecurity framework based on the principle of "never trust, always verify," which assumes no user or device is trustworthy by default, even inside a network's perimeter
WEP/WPA Cracking
scanning for networks and determining the pre-shared key
methods used to discover the passphrases or keys for wireless networks that use the WEP or WPA/WPA2 security protocols
use a stronger encryption protocol (WPA2 or WPA3) to mitigate
Fraggle attack
sends spoofed UDP packets to a specific broadcast address
a type of network-based denial-of-service attack that uses spoofed UDP packets to flood a target network's broadcast address, causing its servers to be overwhelmed and crash
Injection
injects malicious data or script in a web application
broken authentication
use brute-force and dictionary attacks to gain access
sensitive data exposure
theft of encryption keys or a MITM attack on cleartext data in transit
security misconfiguration
attack on default user accounts or default configuration
default deny firewall
a security policy that blocks all network traffic unless a specific rule explicitly permits it, following a "deny by default, allow by exception" principle
this can slow performance due to the heavy processing demands of evaluating every packet against the rule set
strong encryption algorithms