SY0-701: 4.0 (Security Operations) Flashcards
(278 cards)
1
Q
DLP (4.4)
A
Data Loss Prevention- Set up to monitor the data of a system while it’s in use, in transit, or at rest in order to detect any attempts to steal the data (hardware or software)
2
Q
Endpoint DLP Systems (4.4)
A
a piece of software that’s installed on a workstation or a laptop that monitors the data that’s in use on that computer
3
Q
Network DLP System (4.4)
A
A piece of software or hardware placed at the perimeter of the network to detect data in transit
4
Q
Storage DLP System (4.4)
A
Software installed on a server which inspects the data while it’s at rest
5
Q
Cloud-Based DLP System (4.4)
A
Usually offered as Software as a Service (SaaS) and it’s part of the cloud service and storage system
6
Q
Acquisition / Procurement (4.2)
A
Acquisition- Process of obtaining goods or services
Procurement- Encompasses the full process of acquiring goods and services, including all preceding steps
7
Q
BYOD (4.1)
A
Bring Your Own Device- Permits employees to use personal devices for work
-Employees have control over device security
8
Q
COPE (4.1)
A
Corporate-Owned, Personally Enabled- Involves the company providing a mobile device to employees for both work and personal use
9
Q
CYOD (4.1)
A
Choose Your Own Device- Offers a middle ground between BYOD and COPE by allowing employees to choose devices from a company-approved list
10
Q
Asset Management (4.2)
A
Refers to the systematic approach to governing and maximizing the value of items an entity is responsible for throughout their lifecycle
11
Q
Assignment / Allocation of Assets (4.2)
A
Every organization should designate individuals or groups as owners of the assets
12
Q
Asset Classification (4.2)
A
Involves categorizing assets based on criteria like function, value, or other relevant parameters as determined by the organization
13
Q
Asset Monitoring (4.2)
A
Maintaining an inventory/record of every asset including specifications, location, assigned users, and other relevant details
14
Q
Asset Tracking (4.2)
A
Takes asset monitoring a bit further; Involves maintaining a comprehensive inventory with asset specifications, locations, and assigned users, along with its condition and status using specialized software
15
Q
Asset Enumeration (4.2)
A
Involves identifying and counting assets, especially in large organizations or during times of asset procurement or retirement
16
Q
MDM (4.2)
A
Mobile Device Management- Lets organizations securely oversee employee devices, ensuring policy enforcement, software consistency, and data protection
17
Q
Special Publication 800-88 (4.2)
A
Guidelines for media sanitization- Guidance on media sanitization, destruction, and certification
18
Q
Media Sanitization (4.2)
A
Thorough process of making data inaccessible and irretrievable from a storage medium using traditional forensic methods
-Overwriting data
-Degaussing
-Encryption Techniques
19
Q
CE (Media Sanitization) (4.2)
A
Cryptographic Erase- Faster than deleting data because the cryptographic keys are what gets erased
20
Q
Media Destruction (4.2)
A
Ensures the physical device itself is beyond recovery or reuse
-Shredding
-Pulverizing
-Melting
-Incinerating
21
Q
Certification (Media Sanitization) (4.2)
A
An act of proof that the data or hardware has been securely disposed of
22
Q
Port (4.5)
A
Logical communication endpoint that exists on a computer or server
23
Q
Inbound Port (4.5)
A
Logical communication opening on a server that is listening for a connection from a client
24
Q
Outbound Port (4.5)
A
Logical communication opening created on a client in order to call out to a server that is listening for a connection
25
Well-Known Ports (4.5)
Ports 0 to 1023 are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA)
26
Registered Ports (4.5)
Ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols
27
Dynamic and Private Ports (4.5)
Port 49,152 to 65,535 can be used by any application without being registered with IANA
28
Protocol (4.5)
Rules governing device communication and data exchange
29
Port 21 (4.5)
Over TCP
FTP: File Transfer Protocol
Used to transfer files from host to host
30
Port 22 (4.5)
Over TCP
SSH: Secure Shell
SCP: Secure Copy Protocol
SFTP: Secure File Transfer Protocol
Provides secure remote terminal access as well as file transfer capabilities (SSH)
Provides secure copy functions (SCP)
Provides secure file transfers (SFTP)
31
Port 23 (4.5)
Over TCP
Telnet
Provides insecure remote control of another machine using a text-based environment; older version of SSH, unencrypted and therefore unsecure
32
Port 25 (4.5)
Over TCP
SMTP: Simple Mail Transfer Protocol
Provides the ability to send emails over the network
33
Port 53 (4.5)
Over TCP and UDP
DNS: Domain Name Server
Translates domain names into IP addresses
34
Port 69 (4.5)
Over UDP
TFTP: Trivial File Transfer Protocol
Used as a lightweight file transfer method for sending configuration files or network booting of an operating system
35
Port 80 (4.5)
Over TCP
HTTP: Hyper-Text Transfer Protocol
Used for unsecured web browsing
36
Port 88 (4.5)
Over UDP
Kerberos
Network authentication protocol
37
Port 110 (4.5)
Over TCP
POP3: Post Office Protocol version 3
Responsible for retrieving email from a server
38
Port 119 (4.5)
Over TCP
NNTP: Network News Transfer Protocol
Used for accessing newsgroups
39
Port 135 (4.5)
Over TCP and UDP
RPC: Remote Procedure Call
Facilitates communication between different system processes
40
Ports 137, 138, and 139 (4.5)
Over TCP and UDP
NetBIOS
Networking protocol suite
41
Port 143 (4.5)
Over TCP
IMAP: Internet Message Access Protocol
Allows access to email messages on a server
42
Port 161 (4.5)
Over UDP
SNMP: Simple Network Management Protocol
Manages network devices
43
Port 162 (4.5)
Over UDP
SNMP Trap
Responsible for sending SNMP trap messages
44
Port 389 (4.5)
Over TCP
LDAP: Lightweight Directory Access Protocol
Facilitates directory services
45
Port 443 (4.5)
Over TCP
HTTPS: Hyper-Text Transfer Protocol Secure
Provides secure web communication
46
Port 445 (4.5)
Over TCP
SMB: Server Message Block
Used for file and printer sharing over a network
47
Ports 465 and 587 (4.5)
Over TCP
SMTPS: Simple Mail Transfer Protocol Secure
Provides secure SMTP communication
48
Port 514 (4.5)
Over UDP
Syslog
Used for sending log messages
49
Port 636 (4.5)
Over TCP
LDAPS: Lightweight Directory Access Protocol Secure
LDAP communication over SSL/TLS
50
Port 993 (4.5)
Over TCP
IMAPS: Internet Message Access Protocol Secure
Used for secure email retrieval over SSL/TLS
51
Port 995 (4.5)
Over TCP
POP3S: Post Office Protocol Secure
Used for secure email retrieval over SSL/TLS
52
Port 1433 (4.5)
Over TCP
Microsoft SQL
Used to facilitate communication with Microsoft SQL Server
53
Ports 1645 and 1646 (4.5)
Over TCP
RADIUS TCP
Used for remote authentication, authorization, and accounting
54
Ports 1812 and 1813 (4.5)
Over UDP
RADIUS UDP
Used for authentication and accounting as defined by the Internet Engineering Task Force (IETF)
55
Port 3389 (4.5)
Over TCP
RDP: Remote Desktop Protocol
Enables remote desktop access
56
Port 6514 (4.5)
Over TCP
Syslog TLS
Used in a secure syslog that uses SSL/TLS to encrypt the IP packets using a certificate before sending them across the IP network to the syslog collector
57
ACL (4.5)
Access Control List- A rule set that is placed on firewalls, routers, and other network infrastructure devices that permit or allow traffic through a particular interface
58
IAM (4.6)
Identity and Access Management- Systems and processes used to manage access to information in an organization to ensure that the right individuals have access to the right resources at the right times for the right reasons
59
Identification (4.6)
Process where a user claims an identity to a system, typically using a unique identifier like a username or an email address
60
Authentication (4.6)
Process of verifying the identity of a user, device, or system and this involves validating the credentials provided by the user against a database of authorized users
61
Authorization (4.6)
Process that determines what permissions or levels of access the user has
62
Accounting (4.6)
Process of tracking and recording user activities
63
IAM 4 Steps (4.6)
Identification
Authentication
Authorization
Accounting
64
Provisioning (4.6)
Process of creating new user accounts, assigning them appropriate permissions, and providing users with access to systems
65
Identity Proofing (4.6)
Process of verifying the identity of a user before the account is created
66
Interoperability (4.6)
The ability of different systems, devices, and applications to work together and share information
67
Attestation (4.6)
Process of validating that user accounts and access rights are correct and up-to-date
68
MFA (4.6)
Multi-Factor Authentication- Security system that requires more than one method of authentication from independent categories of credentials to verify the users identity
69
Passkeys (4.6)
Users can create and access online accounts without needing to input a password; public key is stored on server and private key is stored on users device (therefore if server is compromised the attacker only gets the public key)
70
Password Security (4.6)
Measures the passwords ability to resist guessing and brute-force attacks
71
Password Policy Characteristics (4.6)
Length- should be 12-16 characters
Complexity- mix case, numbers and symbols
Reuse- using the same password for different accounts increases risk
Expiration- mandates regular password changes (no longer recommended because users are more likely to reuse passwords
Age- length of time password has been in use
72
Password Managers (4.6)
Tools that store, generate, share, and autofill passwords to enhance security
73
Passwordless Authentication (4.6)
Provides improved security and a more user-friendly experience
-Biometrics
-Hardware tokens
-One-time passwords (OTP- e.g. code sent to phone or email)
-Magic links (email link automatically logs user into website)
-Passkeys (integrates with browser or operating system
74
SSO (4.6)
Single Sign-On- Authentication process that allows a user to access multiple applications or websites by logging in only once with a single set of credentials
75
IdP (4.6)
Identity Provider- System that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network
76
Protocols used with single sign-on (SSO) (4.6)
LDAP/LDAPS- Lightweight Directory Access Protocol
OAuth- Open Authorization
SAML- Security Assertion Markup Language
77
OAuth (4.6)
Open standard for token-based authentication and authorization that allows an individuals account information to be used by third-party services without exposing the users password (e.g. when you sign on a website using Google account)
78
SAML (4.6)
Security Assertion Markup Language- A standard for logging users into applications based on their sessions in another context; allows services to separate from identity providers and removes the need for direct user authentication
79
Federation (4.6)
Process that allows for the linking of electronic identities and attributes to store information across multiple distinct identity management systems
80
Federation Login Process (4.6)
Login Initiation
Redirection to an identity provider
Authenticating the user
Generation of an assertion
Returning to a service provider
Verification and access
81
PAM (4.6)
Privileged Access Management- Solutions that helps organizations restrict and monitor privileged access within an IT environment
82
PAM key components (4.6)
Just-In-Time Permissions (JIT Permissions)
Password Vaulting
Temporal Accounts
83
JIT Permissions (4.6)
Security model where administrative access is granted only when needed for a specific period
84
Password Vaulting (4.6)
Technique used to store and manage passwords in a secure environment, such as in a digital vault
85
Temporal Accounts (4.6)
Used to provide time-limited access to resources, and they are automatically disabled or deleted after a certain period of time
86
MAC (reference access) (4.6)
Mandatory Access Control- Employs security labels to authorize user access to specific resources; used in environments of high data security where users cant modify their own permissions
87
DAC (4.6)
Discretionary Access Control- Resources owner determines which users can access each resource
88
RBAC (Role) (4.6)
Role-Based Access Control- Assigns users to roles and uses these roles to grant permissions to resources
89
RBAC (Rule) (4.6)
Rule-Based Access Control- Enables administrators to apply security policies to all users
90
ABAC (4.6)
Attribute-Based Access Control- Uses object characteristics for access control decisions
91
Resource Attributes (4.6)
File creation date, resource owner, file owner, and data sensitivity
92
Time-of-day Restrictions (4.6)
Controls restrict resource access based on request times (e.g. don't allow user logins during midnight hours)
93
Principle of Least Privilege (4.6)
A user should only have the minimum access rights needed to perform their job functions and tasks, and nothing additional or extra
94
Permission/Authorization Creep (4.6)
Occurs when a user gains excessive rights during their career progression in the company
95
UAC (4.6)
User Access Control- A mechanism designed to ensure that actions requiring administrative rights are explicitly authorized by the user
96
DAC (SELinux) (4.5)
Discretionary Access Control- Each object has a list of entities that are allowed to access it
97
Context-Based Permission (4.5)
Permission schemes that are defined by various properties for a given file or process
98
Baselining (4.5)
Process of measuring changes in the network, hardware, or software environment
99
Security Template (4.5)
A group of policies that can be loaded through one procedure
100
Group Policy Editors (4.5)
gpedit (Windows)
101
Group Policy (4.5)
Set of rules or policies that can be applied to a set of users or computer accounts within an operating system
102
SELinux (4.5)
Security-Enhanced Linux- Set of controls (default context-based permission scheme) that are installed on top of another Linux distribution like CentOS or Red Hat Linux
defines 3 main contexts for each file and process
1. User- Defines what users can access an object(*_u)
2. Role- Defines what roles can access a given object (*_r)
3. Type- Groups objects together that have similar security requirements or characteristics
4. Level- Used to describe the sensitivity level of a given file, directory, or process
103
SELinux User Types (4.5)
Unconfined_u (All Users)
User_u (Unprivileged users)
Sysadmin_u (System Administrators)
Root (Root User)
104
SELinux Modes (4.5)
Disabled- SELinux is essentially turned off, and so MAC is not going to be implemented
Enforcing- All the SELinux security policies are being enforced
Permissive- SELinux is enabled but the security policies are not enforced
105
SELinux Policy Types (4.5)
Targeted- Policies are enforced only for specified objects
Strict- Policies are enforced for every object
106
Secure Baseline (4.1)
Standard security configuration applied to guarantee minimum security for a system, network, or application
107
Secure Baseline Steps (4.1)
Establish- Set up a system including security and applications and then create image
Deploy- Apply baseline image to assets
Maintain- Ensure systems are locked down and continually install patches/updates etc.
108
ESS (4.1)
Extended Service Set Configuration- Involves multiple wireless access points working together to create a unified and extended coverage area for users in a large building or facility
109
Optimal Wireless Channels for 2.4GHz Range (4.1)
Channels 1, 6, and 11 (When selected the listed channels won't interfere with each other)
110
Site Survey (4.1)
Process of planning and designing a wireless network to provide a solution
111
Heat Map (4.1)
Graphical representation of the wireless coverage, the signal strength, and frequency utilization data at different locations on a map
112
WEP (4.1)
Wired Equivalency Protocol- Outdated 1999 wireless security standard meant to match wired LAN security for wireless networks
64-bit- 40 bits of key data with 24-bits of initialization vector
128-bit- 104 bits of key data with 24-bits of initialization vector
113
WPA (4.1)
Wi-Fi Protected Access- Introduced in 2003 as a temporary improvement over WEP while the more robust IEEE 802.11i standard was in development
114
WPA2 (4.1)
Wi-Fi Protected Access 2- Improved data protection and networks access control by addressing weaknesses in WPA version; replaced TKIP with the AES (Advanced Encryption Standard) protocol and adopted CCMP for stronger Encryption
115
TKIP (4.1)
Temporal Key Integrity Protocol- Generates new 128-bit keys for each packet, eliminating WEPs key-reuse vulnerabilities
116
WPA3 (4.1)
Wi-Fi Protected Access 3- Latest version using AES (Advanced Encryption Standard) encryption and introducing new features like SAE (Simultaneous Authentication of Equals), OWE (Enhanced Open/Opportunistic Wireless Encryption), updated cryptographic protocols, and management protection frames
117
CCMP (4.1)
Counter Cipher Mode with Black Chaining Message Authentication Code Protocol
118
AES (4.1)
Advanced Encryption Standard
119
MIC (4.1)
Message Integrity Code
120
SAE (4.1)
Simultaneous Authentication of Equals- Enhances security by offering a key establishment protocol to guard against offline dictionary attacks
121
OWE (4.1)
Enhanced Open/Opportunistic Wireless Encryption- Major advancement in wireless security, especially for networks using open authentication
122
Cryptographic Protocol (4.1)
Uses a newer variant of AES (Advanced Encryption Standard) known as the AES GCMP (Galois Counter Mode Protocol)
123
GCMP (4.1)
Galois Counter Mode Protocol- Supports 128-bit AES (Advanced Encryption Standard) for personal networks and 192-bit AES for enterprise networks with WPA3
124
Management Protection Frames (4.1)
Required to protect network from key recovery attacks; prevents eavesdropping, forging, and tampering
125
AAA Protocol (4.1)
Authentication, Authorization, and Accounting Protocol- Plays a vital role in network security by centralizing user authentication to permit on authorized users to access network resources
126
RADIUS (4.1)
Remote Authentication Dial-In User Service- Client/server protocol offering AAA (Authentication, Authorization, Accounting) services for network users
127
TACACS+ (4.1)
Terminal Access Controller Access-Control System Plus- Separates the functions of AAA (Authentication, Authorization, Accounting) to allow for more granular control over processes
128
Authentication Protocols (4.1)
Confirm user identity for network security and authorized access
1. EAP- Extensible Authentication Protocol
2. PEAP- Protected Extensible Authentication Protocol
3. EAP-TTLS- Extensible Authentication Protocol-Tunneled Transport Layer Security
4. EAP-FAST- Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling
129
EAP (4.1)
Extensible Authentication Protocol- Authentication framework that supports multiple authentication methods
130
PEAP (4.1)
Protected Extensible Authentication Protocol- Authentication protocol that secures EAP within an encrypted an authenticated TLS (Transport Layer Security) tunnel
131
EAP-TTLS (4.1)
Extensible Authentication Protocol-Tunneled Transport Layer Security- Authentication protocol that extends TLS (Transport Layer Security) support across multiple platforms
132
EAP-FAST (4.1)
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling- Developed by Cisco, it enables secure re-authentication while roaming within a network without full authentication reach time
133
Application Security (4.1)
Critical aspect of software development that focuses on building applications that are secure by design
134
Application Security Areas (6) (4.1)
Input Validation
Secure Cookies
Static Code Analysis
Dynamic Code Analysis
Code Signing
Sandboxing
135
Input Validation (4.1)
Acts as a gatekeeper to ensure that applications only act on well-defined and uncontaminated data
136
Validation Rules (4.1)
Rules that delineate acceptable and unacceptable inputs
137
SAST (4.1)
Static Application Security Testing (aka Static Code Analysis)- A method of debugging an application by reviewing and examining its source code before the program is ever run
138
Manual Code Review (4.1)
Performing the code review using a human instead of a static analysis tool
139
Dynamic Code Analysis (4.1)
Testing method that analyzes an application while it's running
140
Fuzzing (4.1)
aka Fuzz Testing- Finds software flaws by bombarding it with random data to trigger crashes and security vulnerabilities
141
Stress Testing (4.1)
Type of software testing that evaluates the stability and reliability of a system under extreme conditions
142
Code Signing (4.1)
Technique used to confirm the identity of the software author and guarantee that the code has not been altered or corrupted since it was signed
143
Sandboxing (4.1)
Security mechanism that is used to isolate running programs by limiting the resources and the changes they can make to a system
144
Persistent Agent (4.5)
Network access is granted using software installed on a device requesting network access
145
NAC (4.5)
Network Access Control- Scans devices for their security status before granting network access, safeguarding against both known and unknown devices
146
Non-Persistent Agent (4.5)
Network access is granted by users connect to Wi-Fi, access a web portal, and click a link for login
147
Time-Based Network Access Control (4.5)
Users can only log onto network during specific times of the day
148
Location-Based Network Access Control (4.5)
Users can only log on from specified areas/locations
149
Web Filtering (4.5)
Technique used to restrict or control the content a user can access on the Internet
150
Agent-Based Web Filtering (4.5)
Installing a small piece of software known as an agent on each device that will require web filtering
151
Centralized Proxy (4.5)
Server that acts as an intermediary between an organizations end users and the Internet
152
URL Scanning (4.5)
Used to analyze a websites URL to determine if it is safe or not to access
153
Content Categorization (4.5)
Websites are categorized based on content, like social media, adult content, or gambling, which are frequently restricted in the workplace
154
Block rules (4.5)
Specific guidelines set by an organization to prevent access to certain websites or categories of websites
155
Reputation-Based Filtering (4.5)
Blocking or allowing website based on their reputation score which is usually determined by a third party website
156
DNS Filtering (4.5)
Technique used to block access to certain websites by preventing the translation of specific domain names to their corresponding IP addresses
157
DKIM (4.5)
DomainKeys Identified Mail- Allows the receiver to check if the email was actually sent by the domain it claims to be sent from and if the content was tampered with during transit
158
SPF (4.5)
Sender Policy Framework- Email authentication method designed to prevent forging sender addresses during email delivery
159
DMARC (4.5)
Domain-based Message Authentication, Reporting, and Conformance- An email validation system designed to detect and prevent email spoofing
160
Email Gateway (4.5)
Server or system that serves as the entry and exit point for emails
161
On-Premise Email Gateway (4.5)
Physical server that is located within an organizations own data center or premises that provides an organization with full control over their email system
162
Cloud-Based Email Gateway (4.5)
Email gateway that is hosted by third-party cloud service providers to provide greater scalability and ease of maintenance
163
Hybrid Email Gateway (4.5)
Used to combine the benefits of both on-premise and cloud-based gateways into a single offering
164
Spam Filtering (4.5)
Process of detecting unwanted and unsolicited emails and preventing them from reaching as users email inbox
165
EDR (4.5)
Endpoint Detection and Response- Category of security tools that monitor endpoint and network events and record the information in a central database; not as comprehensive as XDR (Extended Detection and Response)
166
FIM (4.5)
File Integrity Monitoring- Used to validate the integrity of operating system and application software files using a verification method between the current file state and a known, good baseline
167
XDR (4.5)
Extended Detection and Response- Security strategy that integrates multiple technologies into a single platform to improve detection accuracy and simplify the incident response process; more comprehensive than EDR (Endpoint Detection and Response)
168
UBA (4.5)
User Behavior Analytics- Deploys big data and machine learning to analyze user behaviors for detecting security threats
169
UEBA (4.5)
User and Entity Behavior Analytics- Built upon the foundation of UBA (User Behavior Analytics) with monitoring of entities as an addition function
170
Protocol (4.5)
Set of rules or procedures for transmitting data between electronic devices
171
Secure Protocol (4.5)
HTTPS instead of HTTP
FTPS instead of FTP
SSH instead of Telnet
IMAPS instead of IMAP
POP3S instead of POP3
SMTPS instead of SMTP
SNMPS instead of SNMP
172
Port (4.5)
Logical construct that identifies specific processes or services in a given system
Well Known = 0 - 1,023 (system processes and services)
Registered Ports = 1,024 - 49,151 (software applications)
Dynamic/Private Ports = 49152 - 65,535 (client-side connections)
173
Transport Method (4.5)
Refers to the way data is moved from one place to another, usually using either TCP (has error checking built in) or UDP (no error checking or delivery assurance) to transmit the data
174
Vulnerability Management (4.3)
Systematic and ongoing process of identifying, evaluating, prioritizing, and mitigating vulnerabilities
175
Package Monitoring (4.3)
Ensures that the libraries and components that the application depends on are secure and up-to-date
176
Penetration Testing (4.3)
Used to simulate a real-world attack on a system to evaluate its security posture
177
Threat Intelligence (4.3)
Continual process used to understand the threats faced by an organization
178
System and Process Audits (4.3)
Process that involves conducting a comprehensive review of the information system, security policies, and procedures
179
Threat Intelligence Feed (4.3)
Continuous stream of data related to potential or current threats to an organizations security
180
OSINT (4.3)
Open Source Intelligence- Intelligence that is collected from publicly available sources including reports, forums, news articles, blogs, and social media posts
181
Proprietary Third-Party Feeds (4.3)
Threat intelligence feeds that are provided by commercial vendors, usually under a subscription service type of business model
182
Dark Web (4.3)
Part of the Internet tat is intentionally hidden and inaccessible through standard web browsers
183
Responsible Disclosure (4.3)
Term used to describe the ethical practice where a security researcher discloses information about vulnerabilities in a software, hardware, or online service
184
CVE (4.3)
Common Vulnerability and Exposures- System that provides a standardized way to uniquely identify and reference known vulnerabilities in software and hardware
185
EF (4.3)
Exposure Factor- Used as a quantifiable metric to help a cybersecurity professional understand the exact percentage of an asset that is likely to be damaged or affected if a particular vulnerability is exploited
186
Risk Tolerance (4.3)
Refers to the level of risk that an organization is willing to accept in pursuit of its objectives and before action is deemed necessary to mitigate the risk
187
Vulnerability Response and Remediation (4.3)
Strategies that identify, assess, and address vulnerabilities in a system or network to strengthen an organizations security posture
188
Cybersecurity Strategies (4.3)
Patching
Purchasing cybersecurity insurance policies
Network segmentation
Implementing compensating controls
Granting exceptions and exemptions
189
Validating Vulnerability Remediation (4.3)
Rescans
Audits
Verification
190
Vulnerability Reporting (4.3)
Process of documenting aand communicating details about security weaknesses identified in software or systems to the individuals or organzations responsible for addressing the issue
191
Internal Reporting (4.3)
Involves the identification, documentation, and communication of the organizations vulnerabilities within the organizational structure
192
External Reporting (4.3)
Involves discussions with the vendors, partners, customers, or the public at large, depending on the specific vulnerability involved
193
Responsible Disclosure Reporting (4.3)
Art of disclosing vulnerabilities ethically and judiciously to the affected stakeholders before making the announcement to the public at large
194
System Monitoring (4.4)
Observation of computer system, including the utilization and consumption of its resources
195
Baseline (4.4)
Established performance metrics and data points for standard behavior of a system, network, or application
196
Application Monitoring (4.4)
Emphasizes the management and monitoring of software application performance and availability
197
Infrastructure Monitoring (4.4)
observation of the performance and availability of an organizations physical and virtual infrastructure
198
Log Aggregation (4.4)
Process of collecting and consolidating log data from various sources into a centralized location
199
Alerting (4.4)
Involves setting up notification to inform relevant stakeholders when specific events or conditions occur
200
Scanning (4.4)
Involves examining systems, networks, or applications to identify vulnerabilities, configuration issues, or other potential problems
201
Vulnerability Scan (4.4)
Checks for vulnerabilities in systems, networks, or applications by comparing the systems state against databases of vulnerabilities
202
Configuration Scan (4.4)
Checks for misconfiguration that could impact system performance or security
203
Code Scan (4.4)
Checks the source code of an application for potential issues, such as security vulnerabilities or coding errors
204
Reporting (4.4)
Involves generating summaries or detailed reports based on the collected and analyzed data
205
Archiving (4.4)
Involves storing data for long-term retentions and future reference, including organizations log data, performance data, and incident data
206
Alert Response and Remediation or Validation (4.4)
Involves taking appropriate actions in response to alerts and ensuring that the identified issues have been effectively addressed
207
Remediation (4.4)
Steps used to resolve the identified issues or vulnerabilities
208
Validation (4.4)
Involves verifying that the remediation implemented was actually successful and has effectively addressed the given issue or vulnerability
209
Quarantining (4.4)
Isolating a system, network, or application to prevent the spread of a threat and limit its potential impact
210
Alert Tuning (4.4)
Adjusting alert parameters to reduce errors, false positive, and to improve the overall relevance of the alerts being generated by a given system
211
SNMP (4.4)
Simple Network Management Protocol- Internet protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior
212
SNMP Trap Message (4.4)
Simple Network Management Protocol Trap Message- A message that's sent from a network device to an SNMP management system without being solicited by the system
213
Granular Trap Message (4.4)
Sent message to get a unique objective identifier to distinguish each message as a unique message being received
214
OID (4.4)
Object Identifier (used with SNMP- Simple Network Management Protocol- trap messages)
215
MIB (4.4)
Management Information Base- Used to describe the structure of the management data of a device subsystem using a hierarchical namesapace containing object identifiers
216
Verbose Trap (4.4)
Simple Network Management Protocol Trap- May be configured to contain all the information about a given alert or event as a payload
217
SNMPv3 (4.4)
SNMPv1 and v2 both transmit in plaintext. V3 offer...
Confidentiality using encryption (DES for earlier implementations and 3DES or AES for newer implementations)
Integrity using hashes
Authentication by validating source of messages
218
SIEM (4.4)
Security Information and Event Manager- Solution that provides real-time or near-real-time analysis of security alerts that are generated by network hardware and applications
219
Agent (SIEM) (4.4)
Software agent installed on each system, such as a server or workstation, from which the SIEM (Security Information and Event Manager) needs to collect log data
220
Agentless (SIEM) (4.4)
Under this approach, the SIEM (Security Information and Event Manager) system directly collects log data from each system using standard protocols such as SNMP (Simple Network Management Protocol) or WMI (Windows Management Instrumentation)
221
SIEM Software examples (4.4)
Security Information and Event Manager- Splunk, ELK or Elastic Stack, ArcSight, QRadar
222
CVSS (4.4)
Common Vulnerability Scoring System- Used to provide a numerical score to reflect the severity of a given vulnerability
0.0 = None
0.1 - 3.9 = Low
4.0 - 6.9 = Medium
7.0 - 8.9 = High
9.0 - 10.0 = Critical
223
Antivirus Software (4.4)
fundamental security tool that protects systems against malware, including viruses, worms, trojans, ransomware, and spyware
224
DLP Systems (4.4)
Data Loss Prevention Systems- Used to monitor and control data endpoints, network traffic, and data store in the cloud to prevent potential data breaches from occurring
225
NIDS (4.4)
Network Intrusion Detection System- Passively identify potential threats
226
NIPS (4.4)
Network Intrusion Prevention System- Actively identify and block or prevent potential threats
227
Firewalls (4.4)
Serve as a barrier between a trusted internal network and an untrusted external network
228
Vulnerability Scanner (4.4)
Tools that identify security weaknesses in a system, including missing patches, incorrect configurations, and other types of known vulnerabilities
229
SCAP (4.4)
Security content Automation Protocol- Open standards that automate vulnerability management, measurement, and policy compliance for systems in an organization
230
3 Main languages used within SCAP (4.4)
OVAL- Open Vulnerability and Assessment Language
XCCDF- Extensible Configuration Checklist Description Format
ARF- Asset Reporting Format
231
OVAL (4.4)
Open Vulnerability and Assessment Language- XML (extensible Markup Language) schema for describing system security states and querying vulnerability reports and information
232
XCCDF (4.4)
Extensible Configuration Checklist Description Format- XML (Extensible Markup Language) schema for developing and auditing best-practice configuration checklists and rules
233
ARF (4.4)
Asset Reporting Format- XML (Extensible Markup Language) schema for expressing information about assets and the relationships between assets and reports
234
CCE (4.4)
Common Configuration Enumeration- Scheme for provisioning secure configuration checks across multiple sources
235
CPE (4.4)
Common Platform Enumeration- Scheme for identifying hardware devices, operating systems, and applications
236
CVE (4.4)
Common Vulnerabilities and Exposures- List of records where each item contains a unique identifier used to describe a publicly known vulnerability
237
Benchmark (4.4)
Set of security configuration rules for some specific set of products to provide a detailed checklist that can be used to secure systems to a specific baseline
238
FPC (4.4)
Full Packet capture- Captures the entire packet, including the header and the payload for all traffic entering and leaving a network
239
Flow Analysis (4.4)
Relies on a flow collector, which records metadata and statistics rather than recording each frame that passes through the network
240
NetFlow (4.4)
A Cisco developed means of reporting network flow information to a structured database
241
IPFIX (4.4)
Internet Protocol Information Export- Defines traffic flows based on shared packet characteristics
242
Zeek (4.4)
Software that passively monitors a network like a sniffer, but only logs full packet capture of potential interest
243
MRTG (4.4)
Multi router Traffic Grapher- Creates graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using SNMP (Simple Network Management Protocol)
244
single Pane of Glass (4.4)
A central point of access for all the information, tools, and systems
245
Implementing Single Pane of Glass (4.4)
Define requirements
Identify and integrate data sources
Customize the interface
Develop SOPs and documentation
Continuously monitor and maintain the solution
246
Incident Response Cycle (7 phases) (4.8)
1. Preparation
2. Detection
3. Analysis
4. Containment
5. Eradication
6. Recovery
7. Post-Incident activity/lessons learned
247
threat Hunting (4.8)
Cybersecurity methods for finding hidden threats not caught by regular security monitoring
248
Intelligence Fusion and Threat Data (4.8)
Use SIEM (Security Information and Event Manager) and analysis platforms to spot concerns in the logs and real-world security threats
249
Root Cause Analysis (4.8)
A systematic process to identify the initial source of the incident and how to prevent it from occurring again
250
Root Cause Analysis Process (4.8)
Define the scope of the incident
Determine the causal relationships
Identify an effective solution
Implement and track the solution
251
TTX (4.8)
Tabletop Exercise- Exercises simulate incident within a control framework
252
Digital Forensics (4.8)
Process of investigating and analysing digital devices and data to uncover evidence for legal purposes
253
Digital Forensics Procedures (4.8)
Identification
Collection
Analysis
Reporting
254
Identification (Digital Forensics) (4.8)
Ensures the safety of the scene, secures it to prevent any evidence contamination, and determines the scope of the evidence to be collected
255
Collection (Digital Forensics) (4.8)
Refers to the process of gathering, preserving, and documenting physical or digital evidence in various fields
256
Analysis (Digital Forensics) (4.8)
Involves systematically scrutinizing the data to uncover relevant information, such as potential signs of criminal activity. hidden files, timestamps, and user interactions
257
Reporting (Digital Forensics) (4.8)
Involves documenting the finding, processes, and methodologies used during a digital forensic investigation
258
Order of Volatility (4.8)
Dictates the sequence in which data sources should be collected and preserved based on their susceptibility to modification or loss
1. Collect data from systems memory
2. Capture data from the system state
3. Collect data from the storage devices
4. Capture network traffic and logs
5. Collect remotely store or archived data
259
Chain of Custody (4.8)
Documented and verifiable record that tracks the handling, transfer, and preservation of digital evidence from the moment it is collected until it is presented in a court of law
260
Disk Imagin (4.8)
Involves creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space
261
File Carving (4.8)
Focuses on extracting files and data fragments from storage media without relying on the file system
262
Legal Hold (4.8)
Formal notification that instructs employees to preserve all potentially relevant electronic data, documents, and records
263
Electronic Discovery (4.8)
Process of identifying, collecting, and producing electronically stored information during legal proceedings
264
Data Acquisition (4.8)
The method and tools used to created a forensically sound copy of the data from a source device, such as system memory or a hard disk
265
Log File (4.9)
A file that records either events that occur in an operating system or other software that runs or messages between different users of a communication software
266
Journalctl (4.9)
Linux command line utility used for querying and displaying logs from the journal, which is responsible for managing and storing log data on a Linux machine
267
NXLog (4.9)
A multi-platform log management tool that helps to easily identify security risks, policy breaches, or analyze operational problems
268
Metadata (4.9)
Data the describes other data by providing an underlying definition or description by summarizing basic information about data that makes finding and working with particular instances of data easier
269
SOAR (4.7)
Security, Orchestration, Automation, Response
270
Playbook (4.7)
Checklist of actions for specific incident responses
271
Runbook (4.7)
Automated versions of playbooks with human interaction points
272
REST (4.7)
REpresentational State Transfer- Architectural style that uses standard HTTP methods and status codes, uniform resource identifiers, and MIME (Multipurpose Internet Mail Extensions) types
273
SOAP (4.7)
Simple Object Access Protocol- Protocol that defines a strict standard with a set structure for the message, usually in XML (eXtensible Markup Language) format
274
CURL (4.7)
Tool to transfer data to or from a server using one of the supported protocols
275
Runbook (4.7)
Automated version of a Playbook and includes clearly defined interaction points for human intervention and analysis
276
Orchestration (4.7)
Coordinated and sequenced execution of multiple automated tasks, ensuring they work harmoniously within a larger, complex process
277
Continuous Delivery (4.7)
Software development practice where new code changes are automatically tested and prepared for a release that allows for reliable, manual deployments to a production environment at any chosen time
278
