Preventive Controls
Objective: Prevent security incidents from occurring.
Examples: Firewalls, Access control mechanisms (e.g., passwords, biometrics), Intrusion prevention systems (IPS), Security policies and procedures
Deterrent Controls
Objective: Discourage potential attackers from attempting to compromise a system.
Examples: Warning signs, Security awareness training, Visible security measures (e.g., security guards, CCTV)
Detective Controls
Objective: Detect and alert on security incidents as they occur.
Examples: Intrusion detection systems (IDS), Security information and event management (SIEM) systems, Audit logs and monitoring, Surveillance cameras
Corrective Controls
Objective: Correct and mitigate the impact of security incidents.
Examples: Antivirus and anti-malware software, Backup and recovery procedures, Patch management systems, Incident response plans
Compensating Controls
Security measures implemented to provide an alternative method of protecting assets when standard controls are not feasible.
Examples: Temporary access restrictions, Alternative authentication mechanisms, Additional monitoring when primary controls are down
Directive Controls
Objective: Specify acceptable practices and expected behavior.
Examples: Security policies and guidelines, Employee handbooks, Standard operating procedures (SOPs), Codes of conduct
Five Core Principles of Information Security (CIANA)
Confidentiality, Integrity, Availability, Non-Repudiation, Authentication
Gap Analysis Steps
Define the scope, Gather data about the current infrastructure, Analyze the data and identify the gaps, Develop a plan to bridge the gap
Honeypot
A honeypot is a decoy system or resource designed to attract and deceive attackers. It appears to be a legitimate part of the network but is isolated and monitored to gather information about attackers' tactics, techniques, and motives.
Honeynet
A honeynet is a network of honeypots that are interconnected to simulate a larger and more realistic environment for attracting and monitoring attackers. It allows organizations to capture and analyze broader attack patterns and behaviors.
Honeyfile
A honeyfile is a file or document that is intentionally created and placed in a network to act as bait for attackers. It contains seemingly valuable information that, if accessed or modified, triggers alerts and provides insights into unauthorized access attempts.
Honeytoken
A honeytoken is a piece of data or credential that is intentionally placed within an information system to serve as a decoy or indicator of unauthorized access. If a honeytoken is accessed or used, it alerts security teams to potential security breaches.
Non-Repudiation
A security principle ensuring that a party in a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. This is typically achieved through the use of cryptographic methods, such as digital signatures and public key infrastructure (PKI).
Five Factors of Authentication
Knowledge Factor: Something You Know, Possession Factor: Something You Have, Inherence Factor: Something You Are, Behavioral Biometrics: Something You Do, Location Factor: Somewhere You Are
PTZ
Pan-Tilt-Zoom
FRR
False Rejection Rate - How often a biometric system denies access to a user who should have been allowed access
Cipher Lock
A mechanical locking mechanism that uses a mechanical keypad for entry
Infrared Sensor
IR sensors can be either active or passive. Active IR sensors emit infrared light and measure the reflection, while passive IR sensors detect the infrared light naturally emitted by objects. Used in: Motion Detection, Remote Controls, Thermal Cameras, Temperature sensors
Microwave Sensor
A microwave sensor uses microwave radar to detect objects and motion. These sensors emit microwaves and measure the time it takes for the waves to be reflected back after hitting an object. Used in: Automatic Doors, Speed Radars, Occupancy Sensing, Motion sensors
Ultrasonic Sensor
An ultrasonic sensor uses ultrasonic sound waves to detect objects and measure distances. The sensor emits sound waves at a high frequency and measures the time it takes for the echo to return after hitting an object. Used in: Parking Assistance, Robotics, Industrial Automation
Shadow IT
A type of threat actor that creates internal threats by use of systems, devices, software, applications, and services within an organization without approval or knowledge of the organization's IT department. Does not have malicious intent.
Security Controls
Detective, Compensating, Directive, Corrective
Social Proof
A psychological and social phenomenon where individuals copy the actions of others in an attempt to reflect correct behavior for a given situation. This concept is often exploited in social engineering attacks.
Typosquatting
"Typosquatting" is a form of cyber-attack where malicious actors register domain names that are similar to legitimate websites, often differing by a small typo or misspelling. Example: Real: Facebook.com | Fake: Facebo0k.com
Watering Hole Attack
A "watering hole attack" is a type of cyber-attack in which attackers compromise a specific website or set of websites that are frequently visited by a particular group, organization, or industry. The goal is to infect the visitors of these sites with malware.
Phishing
Phishing is a cyber-attack where attackers send fraudulent emails or messages pretending to be from reputable sources to trick individuals into revealing sensitive information, such as usernames, passwords, and credit card details.
Spear Phishing
Spear phishing is a targeted phishing attack aimed at a specific individual or organization. Attackers gather personal information about their target to craft a highly personalized and convincing email or message to deceive them into revealing sensitive information.
Whaling
Whaling is a type of phishing attack that targets high-profile individuals, such as executives or senior management, within an organization. The attacker impersonates a trusted entity to deceive the target into divulging sensitive information or authorizing significant financial transactions.
Vishing
Vishing, or voice phishing, involves attackers using phone calls to impersonate legitimate organizations or individuals to trick victims into providing personal information, such as credit card numbers or social security numbers.
Smishing
Smishing, or SMS phishing, involves attackers sending fraudulent text messages that appear to come from reputable sources. These messages often contain links or phone numbers that lead to phishing websites or prompt the victim to provide personal information.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a sophisticated phishing attack where attackers spoof or compromise a legitimate business email account to deceive employees, partners, or customers into transferring money or sensitive information. BEC often targets employees with access to company finances or valuable data.
Invoice Scam
A type of social engineering attack where cybercriminals send fraudulent invoices to a business or individual, hoping to trick the recipient into making a payment to the attacker's account.
Baiting
"Baiting" is a type of social engineering attack where an attacker entices a victim with a lure, such as a seemingly harmless or appealing object, to trick them into compromising their security.
Piggybacking
Piggybacking occurs when an unauthorized person convinces an authorized person to allow them access into the facility.
Diversion Theft
Diversion Theft is a tactic used by criminals to distract or divert attention away from a target in order to carry out a theft or other criminal activity.
Threat Vector
A threat vector is the method or avenue by which a threat actor gains access to a target system or network in order to execute an attack.
Attack Vector
An attack vector is the specific technical method or process used by a threat actor to exploit a vulnerability or execute an attack once they have gained access via a threat vector.
Boot Sector Virus
A type of virus that infects the master boot record (MBR) of a hard drive and is loaded into memory upon booting, taking control of the computer before the operating system is loaded.
Macro Virus
A virus written in the same macro language used for software applications, typically embedded in documents and executed when the document is opened.
Program Virus
A virus that infects executable programs or applications, executing virus code when infected programs run.
Multipartite Virus
A sophisticated virus that can infect multiple parts of a system, making it challenging to remove.
All Classification Levels (Highest to Lowest)
Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified
Key Stretching
A technique used in cryptography to enhance the security of passwords or cryptographic keys by increasing the time and computational effort required to derive the original plaintext from its hashed form. This process makes brute-force attacks and other password cracking techniques more difficult and time-consuming. Repeatedly hashing the password to make it more random and longer than it originally appeared.