What is the SDLC? Explain it.
The Software Development Life Cycle (SDLC) is a systematic process for planning, creating, testing, and deploying software. It includes stages such as planning, requirements, design, code, testing, training and transition, and ongoing operations and maintenance. At the end of its life, the software is decommissioned.
What is DevOps? What is DevSecOps?
DevOps is a set of practices that combine software development (Dev) and IT operations (Ops) to shorten the development lifecycle and deliver high-quality software. DevSecOps extends DevOps by integrating security practices within the DevOps process, ensuring security is embedded throughout the software development lifecycle.
Continuous integration (CI)
A software development practice where code changes are automatically tested and merged into a shared repository to improve collaboration and reduce integration issues.
Continuous deployment (CD)
A software release process where code changes are automatically deployed to production after passing testing, enabling frequent and reliable updates.
What is a cookie? How can attackers use them to gain access to a session?
A cookie is a small piece of data stored on the user's device by the web browser while browsing a website. Attackers can exploit cookies through techniques like session hijacking, where they steal a user's session cookie to impersonate them, gaining unauthorized access to their account.
What are secure cookies?
Secure cookies are HTTP cookies that are only transmitted over secure HTTPS connections, helping to protect the cookie from being intercepted by attackers during transmission.
Explain code signing.
Code signing is a process that uses cryptographic techniques to verify the authenticity and integrity of software code, ensuring that the code has not been altered or tampered with since it was signed.
Cloud Access Security Brokers (CASBs)
Cloud Access Security Brokers (CASBs) are security solutions that act as intermediaries between users and cloud service providers, providing visibility, compliance, and data security across cloud applications.
Configuration Management Tools
Configuration Management Tools are software applications that help manage and automate the configuration of systems, ensuring consistency, compliance, and efficient deployment of software and infrastructure.
What are Baseline configurations?
Baseline configurations are standardized settings and configurations for systems that serve as a reference point to ensure security and compliance within an organization's IT environment. For example, you might want baseline configurations for Windows 11 desktops, Windows 11 laptops, and macOS laptops. Those standards can then be modified for specific groups, teams, and divisions.
What are the three phases of a baseline's life cycle?
The three phases of a baseline's life cycle are establishing the baseline, deploying the security baseline, and maintaining the baseline to ensure ongoing compliance and security.
SCADA
Supervisory Control and Data Acquisition, a system used for industrial control and monitoring. SCADA systems collect real-time data from remote locations, enabling centralized monitoring and control of industrial processes.
ICSs
Integrated Control Systems
What are some security and privacy issues IoT devices commonly have?
Poor security practices such as weak default settings, lack of encryption, weak authentication, and insecure data storage.
Short support lifespans—may not be patched or updated
Vendor data-handling practice issues, including licensing and data ownership concerns.
How would you harden a cloud infrastructure?
Implementing security best practices such as using strong access controls, regular updates and patching, encryption of data at rest and in transit, and monitoring for security threats.
What is RTOS?
RTOS stands for Real-Time Operating System, which is designed to manage hardware resources and run applications with precise timing constraints, ensuring timely processing of data and events.
Explain the difference between bluesnarfing and bluejacking
Bluesnarfing refers to unauthorized access to information from a Bluetooth-enabled device, while bluejacking is the act of sending unsolicited messages to nearby Bluetooth devices.
Disassociation and jamming
The process of disconnecting a device from a network, often employed in wireless networks to disrupt communication. It can be initiated by legitimate management commands or by attackers trying to force devices to lose connection. Jamming, on the other hand, involves the deliberate interference of radio signals within a frequency range to block communication between devices.
Side Loading
The process of transferring files to a mobile device, typically via a USB connection, a MicroSD card, or Bluetooth, in order to install applications outside the official app store.
Site Survey
Moving throughout the entire facility to determine what existing networks are in place and to look at the physical structure for the location options for your access points.
SAE
Simultaneous Authentication of Equals. Part of WPA3. Slows down brute-force attacks and makes them less likely to succeed.
EAP
Extensible Authentication Protocol. It is a flexible authentication framework frequently used in wireless networks and point-to-point connections. EAP allows for various authentication methods, such as tokens, certificates, and passwords, enabling a range of secure authentication mechanisms to be implemented. This protocol is commonly associated with 802.1X, which is a network access control standard that uses EAP to enforce authentication before granting devices access to the network. EAP is essential for ensuring secure, authenticated access to network resources.
PEAP
Protected Extensible Authentication Protocol. An authentication protocol that encapsulates a second authentication protocol inside a secure TLS (Transport Layer Security) tunnel.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users who connect and use a network service. RADIUS is primarily used by Internet Service Providers and enterprises for remote access. When a user attempts to connect to a network, the RADIUS server checks the user’s credentials against a user database, typically using a shared secret between the server and the network access server (NAS).
COPE
Corporate Owned, Personally Enabled. The organization owns and manages the device, allowing reasonable personal use while meeting enterprise security and control needs.
BYOD
Bring Your Own Device. The user owns and manages the device. Provides the greatest level of freedom and lower cost, but greater risk to the company.
CYOD
Choose Your Own Device. The organization provides and maintains the device, but allows the user to choose it.
What are some common techniques for hardening mobile devices?
Updating and patching the OS, enabling remote wipe functionality, requiring passcodes, setting automatic lock screens, and turning off Bluetooth
MDM
Mobile Device Management. MDM tools target iOS and Android phones, tablets and similar devices. MDM solutions allow IT departments to deploy, manage, and monitor mobile devices for corporate and personal use.
List some features companies use for MDM and UEM.
Application management, content management, remote wipe, geolocation and geofencing, screen locks, passwords, PINs, biometrics, context-aware authentication, containerization, storage segmentation, full-device encryption, push notifications.
Static Code Analyzer
A way developers test the security of their applications; think of Static Application Security Testing (SAST). Helps identify security flaws.
Code Signing
Checking whether the code in a downloaded application is the same as the manufacturer's. Prevents downloading malware onto a system. Code can be digitally signed through asymmetric encryption.
Embedded Systems
Computer systems that are built into other devices. Industrial machinery, appliances, and cars are all places where you might find these. They use an RTOS.
Explain the importance of asset management within a company
It is important to identify, classify, and keep an inventory of assets in a company. This allows the company, in the event of an incident, to know which assets were affected. If companies do not keep an inventory, it can be difficult to know what was stolen, compromised, or disposed of while holding sensitive data.
Explain the decommissioning process. Explain some methods of decommissioning.
Removing the device or system from service, removing it from inventory, and ensuring no sensitive data remains on the system. Degaussing a drive is a quick way to destroy the data with an electromagnetic field; it only works with magnetic media. Because of wear-leveling, and to eliminate the most risk of data loss, pulverizing, incinerating, and shredding work as well.
Threat Intelligence
A method for security professionals to learn about changes in the threat environment.
What does enumeration mean? (Asset Management)
The process of listing all parts of an asset: CPU, memory, storage device, keyboard, mouse.
Dynamic Code Analysis
Relies on the execution of code while providing it with input to test the software. May be done with automated tools or manually.
Package Monitoring
The process of keeping track of all the third-party libraries or packages used in your organization, understanding what they do, and being aware of any potential vulnerabilities.
Risk Tolerance
The amount of risk acceptable to an organization
Physical Segmentation
Separate devices, multiple units, separate infrastructure. Example: two switches, where one switch has customer A and the other switch has customer B.
Logical Segmentation
Using VLANs to separate devices. Separating logically instead of physically. All devices are still on one physical switch.
SNMP Trap
A notification sent when a device configured to use SNMP encounters an error.
SIEM
Security and Information Event Management. Devices and software with broad security capabilities, which are typically based on the ability to collect and aggregate log data from a variety of sources and then to perform correlation and analysis activities with that data.
Sensor
Typically software agents that are placed in environments such as cloud infrastructure, a remote datacenter, or other locations where volumes of unique data are being generated, or where a specialized device is needed because data acquisition needs are not being met by existing capabilities.
Give some features of a SIEM and its biggest threat
Able to see trends, raise alarms and alerts based on rules, and provide dashboards tailored to the information. Alert fatigue is the biggest threat.
SOAR
Security Orchestration, Automation, and Response. A tool that allows you to quickly assess the attack surface of an organization, the state of the systems, and where issues may exist.
Application Allow Lists
Lists applications and files that are allowed to be on a system and prevents anything that is not on the list from being installed or run.
ACLs
Application Control List. Essential security protocols that specify which applications are permitted to run on a system or network.
RCA
Root Cause Analysis. A systematic process used to identify the fundamental reasons for incidents or problems within an organization. The objective of RCA is to prevent recurrence by understanding not just the immediate cause, but also the underlying issues that contributed to the event. RCA employs a variety of analytical tools and techniques, such as the '5 Whys' method, cause-and-effect diagrams, and failure mode and effects analysis (FMEA).
SCAP
The Security Content Automation Protocol. A collection of standards, specifications, and protocols used to automate the assessment and management of security vulnerabilities in a computer system. Example use: when multiple vulnerability scanning tools scan the same system and give one vulnerability different names.
Screened Subnet
A switch that is an additional layer of security between you and the internet. Public access to public resources. Private data remains inaccessible.
Federation
Commonly used for many web services. Be aware of:
The principal, typically a user
Identity providers, who provide identity and authentication services via an attestation process
Service providers, who provide services (and the requested information) to users whose identities have been attested to by an identity provider
Attestation
A formal verification that something is true
Provisioning and Deprovisioning
The creation and deletion of accounts
PAM
Privileged access management. Tools that can be used to handle administrative and privileged accounts, ensuring that the concept of least privilege is maintained by helping admins specify only the minimum set of privileges needed for a role or task.
PAM tool: JIT
Just-in-time permissions. Granted and revoked only when needed. Prevents users from having ongoing access when they don’t need that access on an ongoing basis.
PAM tool: Password Vaulting
Access to privileged accounts without needing a password. Important and commonly used to ensure that passwords are available for emergencies and outages.
PAM tool: Ephemeral accounts
Temporary accounts with limited lifespans. May be used for guest or specific purposes in an organization when a user needs access but should not have an account on an ongoing basis.
MAC
Mandatory Access Control. (Not to be confused with a MAC address on a computer.) Systems rely on the operating system to enforce controls set by a security policy administrator.
DAC
Discretionary Access Control. An access control scheme where the owner of a resource (such as files, objects, or other resources) has the flexibility to determine who is allowed access and what privileges they have. In DAC systems, users can grant or deny access permissions at their discretion, often making it user-friendly and familiar to those accustomed to personal computing environments, like home PCs.
RuleBAC
Rule-Based Access Control. Applied using a set of rules, or access control lists, that apply to various objects or resources. A common example would be a firewall ruleset.
SPF
Sender Policy Framework. An email authentication protocol designed to prevent unauthorized senders from sending email messages on behalf of a domain. SPF allows domain owners to specify which mail servers are permitted to send email for that domain by publishing an SPF record in the Domain Name System (DNS). When receiving an email, the recipient's mail server checks the SPF record of the sending domain to verify if the email originated from an authorized server. If the server matches, the email is accepted, helping reduce spam and phishing threats.
CHAP
Challenge Handshake Authentication Protocol. A network authentication protocol that uses a challenge-response mechanism to verify the identity of a user or host. During the authentication process, the server sends a challenge to the client. The client responds by using a hash function to combine the challenge with a shared secret (password). The server performs the same hash function and computes its own response. If both responses match, authentication is successful.
Posture Assessment
Performing checks on all systems that have different configurations to evaluate their cybersecurity posture. Ensuring that security controls are effectively implemented and functioning.
EDR
Endpoint Detection and Response. A different method of threat protection that scales to meet the increasing number of threats. Detect a threat, investigate with root cause analysis, and respond to the threat.
XDR
Extended Detection and Response. An evolution of EDR. Improves on missed detections, false positives, and long investigation times. Adds network-based detection. Able to monitor a large amount of data and correlate it to detect abnormal events. Can set baselines on behavior to catch the threat early.
LDAP
Lightweight Directory Access Protocol. Used for accessing large directories of data on a network.
SAML
Security Assertion Markup Language. Allows the authentication of a user against a third-party database. Instead of maintaining your own database of users, you can use one that's already been created elsewhere.
OAuth
Authorization Framework. Determines what resources a user will be able to access. Example: when a third-party application wants access to your Google Account, the third party will ask for authorization.
What are the 6 steps in the incident response cycle?
Preparation, detection, analysis, containment, eradication, recovery