802.1X
The IEEE standard that defines port-based security for network access control.
Acceptable use policy (AUP)
A document that provides network and system users with clear direction on permissible uses of information resources.
Access badges
Used for entry access via magnetic stripe and radio frequency ID (RFID) access systems; when they include a picture, they also allow personnel to determine whether a person is who they claim to be, what areas or access they should have, and whether they are an employee or a guest.
Access control list (ACL)
A rule that either permits or denies actions.
Access control standards
Describes the account life cycle from provisioning through active use and decommissioning.
Access restrictions
Security measures that limit the ability of individuals or systems to access sensitive information or resources.
Account lockout
Accounts are often locked out after failed login attempts. Since brute-force attacks often rely on multiple attempts to log in, this may be an indicator of compromise.
Acknowledgment
Ensuring that employees and business partners state that they are aware of the compliance requirements.
Active/active load balancer
A kind of load balancer that distributes the load among multiple systems that are online and in use at the same time.
Active/passive load balancer
A kind of load balancer that brings backup or secondary systems online when an active system is removed or fails to respond properly to a health check.
Active reconnaissance
A technique that directly engages the target in intelligence gathering.
Ad hoc reports
Reports that are produced as needed, typically in response to specific events or situations that require immediate attention or in-depth analysis.
Ad hoc risk assessment
Conducted in response to a specific event or situation, often performed quickly, to address a particular concern or set of circumstances.
Adaptive identity
Often called adaptive authentication, it leverages context-based authentication that considers data points like where the user is logging in from, what device they are logging in from, and whether the device meets security and configuration requirements.
Address resolution protocol (ARP)
A protocol that provides translations between MAC addresses and IP addresses on a local network.
Admissibility
Determination as to whether evidence is acceptable to be used in a court of law.
Advanced persistent threats (APTs)
Cybersecurity adversary characterized by a sophisticated series of related attacks taking place over an extended period of time.
Adversarial artificial intelligence (AI)
The use of artificial intelligence techniques by attackers for malicious purposes.
Adversary tactics, techniques, and procedures (TTPs)
The study of the methods used by cybersecurity adversaries when engaging in attacks.
Agents
Software that is deployed to endpoints allowing them to perform actions or to be controlled by a central server or service.
Agent-based scanning
The use of software agents installed on target devices to assist with vulnerability scans.
Agile
A software development model that is both iterative and incremental. The Agile methodology focuses on individuals and interactions over process and tools, working software over comprehensive documentation, customer collaboration over negotiation, and responding to change rather than following a plan.
Agility
The speed to provision cloud resources and the ability to use them for short periods of time.
Air gapped
A design that physically separates network segments, preventing network connectivity between those segments.
Algorithm
A set of rules, usually mathematical, that dictates how enciphering and deciphering processes are to take place.
Allow listing
The most effective form of input validation in which the developer describes the exact type of input that is expected from the user and then verifies that the input matches that specification before passing the input to other processes or servers.
Alteration
The unauthorized modification of information and a violation of the principle of integrity.
Amplified denial-of-service attacks
An attack that takes advantage of protocols, such as DNS, that allow a small query to return large results.
Annualized loss expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset. The ALE is calculated using the formula ALE = single loss expectancy (SLE) × annualized rate of occurrence (ARO).
Annualized rate of occurrence (ARO)
The expected frequency that a specific threat or risk will occur (in other words, become realized) within a single year. Also known as probability determination.
Anomalous behavior recognition
Employees should be able to recognize when risky, unexpected, and/or unintentional behavior takes place.
Anomaly detection
A method of detecting abnormal or malicious events by looking for abnormal occurrences or violations of specified rules.
API
See application programming interfaces.
API-based CASB solution
Cloud Access Security Broker solutions do not interact directly with the user but rather interact directly with the cloud provider through the provider's API.
API inspection
A technology that scrutinizes API requests for security issues.
Application programming interfaces (APIs)
APIs allow application developers to interact directly with a web service through function calls.
Assessment
Reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement.
Asset criticality
Determination of the importance of an asset to the business.
Asset inventory
Systematic method of tracking hardware, software, and information assets owned by an organization.
Asset management
A process that the organization will follow for accepting new assets (such as computers and mobile devices) into inventory, tracking those assets over their lifetime, and properly disposing of them at the end of their useful life.
Asset value (AV)
A dollar value assigned to an asset based on actual cost and nonmonetary expenses.
Asymmetric key algorithms
Cryptographic algorithms that use two different keys: one key to encrypt and another to decrypt. Also called public key cryptography.
ATT&CK
A public knowledge base describing adversarial techniques and tactics maintained by MITRE.
Attack complexity metric (AC)
A metric that describes the difficulty of exploiting a vulnerability.
Attack surface
A system, application, or service that contains a vulnerability that might be exploited.
Attack vector metric (AV)
A metric that describes how an attacker would exploit a vulnerability.
Attestation
A primary outcome of an audit by an auditor. It is a formal statement that the auditors have reviewed the controls and found that they are both adequate to meet the control objectives and working properly.
Attribute-based access control (ABAC)
An advanced implementation of a rule-based access control model that uses policies that include multiple attributes for rules.
Auditability
Cloud computing contracts should include language guaranteeing the right of the customer to audit cloud service providers.
Audits
Formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party.
Authentication
Verifies the claimed identity of system users and is a major function of cryptosystems.
Authentication header (AH)
Uses hashing and a shared secret key to ensure integrity of data and validates senders by authenticating the IP packets that are sent.
Authority
A key principle that relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, whether or not they actually are.
Authorized attackers
Hackers who act with authorization and seek to discover security vulnerabilities with the intent of correcting them.
Availability
Ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Availability metric (A)
A metric that describes the type of disruption that might occur if an attacker successfully exploits a vulnerability.
Backdoors
An opening left in a program application (usually by the developer) that allows additional access to data.
Background check
A process designed to uncover any criminal activity or other past behavior that may indicate that a potential employee poses an undetected risk to the organization.
Badges
Forms of physical identification and/or of electronic access control devices.
Bare-metal hypervisor
See Type I hypervisor.
BC-DR
See business continuity and disaster recovery.
Behavior-based detection
An intrusion discovery mechanism used by intrusion detection systems (IDSs) that detects abnormal and possible malicious activities by learning normal activities.
BIA
See business impact analysis.
Biometrics
Widely available on modern devices, with fingerprints and facial recognition being the most broadly adopted and deployed.
Birthday attack
An attack on cryptographic hashes, based on the birthday theorem.
Blackmail attacks
Attacks seeking to extort money or other concessions from victims by threatening to release sensitive information or launching further attacks.
Blind content-based SQL injection
The perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.
Blind SQL injection
A kind of SQL injection attack that is conducted when the attacker doesn't have the ability to view the results directly.
Blind timing-based SQL injection
Penetration testers may use the amount of time required to process a query as a channel for retrieving information from a database.
Block ciphers
Operate on 'chunks' or blocks of a message and apply the encryption algorithm to an entire message block at the same time.
Block storage
Allocates large volumes of storage for use by virtual server instance(s).
Blockchain
A distributed and immutable open public ledger that prevents tampering with records stored among many different systems.
Bluejacking
Hijacking a Bluetooth connection to eavesdrop or extract information from devices.
Bluesnarfing
An attack that allows hackers to connect with your Bluetooth devices without your knowledge and extract information from them.
Blue team
Defenders who must secure systems and networks from attack.
Bluetooth
A wireless standard commonly used to pair accessories to mobile phones or computers.
Board of directors
Has ultimate authority over the organization as the owners' representatives.
Bollards
Posts or other obstacles that prevent vehicles from moving through an area.
Bot
An automated software program (network robot) that collects information on the web; in its malicious form, it is a compromised computer being controlled remotely.
BPA
See business partners agreement.
BPDU
See bridge protocol data unit.
Brand impersonation
A type of phishing attack that uses emails intended to appear to be from a legitimate brand.
Bridge Protocol Data Unit (BPDU) guard
A switch security feature that blocks Spanning Tree Protocol (STP) attacks by preventing updates from unauthorized ports.
Bring your own device (BYOD)
The user brings their own personally owned device.
Broadcast storm
A flood of unwanted broadcast network traffic.
Brute-force attacks
A type of attack that systematically tries all possibilities for a password until achieving a successful result.
Buffer overflow
A type of denial-of-service (DoS) attack that occurs when more data is put into a buffer than it can hold, thereby overflowing it.
Bursting
Leveraging public cloud capacity when demand exceeds the capacity of private cloud infrastructure.
Business constraints
In the context of vulnerability management, constraints that may prevent the organization from conducting resource-intensive vulnerability scans during periods of high business activity, in order to avoid disrupting critical processes.
Business continuity and disaster recovery
Outline the procedures and strategies to ensure that essential business functions continue to operate during and after a disaster, and that data and assets are recovered and protected.
Business email compromise (BEC)
Relies on using apparently legitimate email addresses to conduct scams and other attacks.
Business impact analysis (BIA)
A formal process designed to identify the mission-essential functions within an organization and facilitate the identification of the critical systems that support those functions.
Business partners agreement (BPA)
Exists when two organizations agree to do business with each other in a partnership.
CA
See certificate authority.
CAM table
Maps MAC addresses to IP addresses, allowing a switch to send traffic to the correct port.
Capture the flag (CTF)
An exercise that pits technologists against one another in an attempt to attack a system and achieve a specific goal, such as stealing a sensitive file.
Card cloning attack
A kind of attack that focuses on capturing information from cards like RFID and magstripe cards often used for entry access.
Carrier unlocking
Allows mobile phones to be used with other cellular providers.
CASB
See cloud access security broker.
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
Encryption technology used in the WPA2 protocol. It implements AES (Advanced Encryption Standard) with a 128-bit key as a stream cipher.