(ISC)² has a Community you can join here to help you pass the exam: CISSP Study Group. They describe the benefits of earning your CISSP here: https://www.isc2.org/Certifications/CISSP
“Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. With a CISSP, you validate your expertise and become an (ISC)² member, unlocking a broad array of exclusive resources, educational tools, and peer-to-peer networking opportunities.”
There is a brief overview of each domain on Brighttalk that will help you get an overview of what will be on the exam. https://www.brighttalk.com/webcast/260/366238?utm_source=(isc)2&utm_medium=brighttalk&utm_campaign=366238
To study the official CISSP flashcards, fill out the ISC2 form, and then you can access them by domain:
https://cloud.connect.isc2.org/cissp-flashcards
If you want to create your own flashcards, Anki is a good choice: https://apps.ankiweb.net/
- Domain 1: Security and Risk Management
- Domain 2: Asset Security
- Domain 3: Security Architecture and Engineering
- Domain 4: Communication and Network Security
- Domain 5: Identity and Access Management
- Domain 6: Security Assessment and Testing
- Domain 7: Security Operations
- Domain 8: Software Development Security
Here’s an alphabetical glossary and study guide that can help you pass the exam. The glossary is aggregated from multiple sources, including NIST: https://csrc.nist.gov/glossary
If you go into ChatGPT, and use the following prompt, it’ll spit out sample questions and output the correct answer at the bottom:
“I am a cybersecurity professional studying for the CISSP exam. Write a brief definition of Access Control System, and six sample multiple choice questions regarding Access Control System that I’m likely to see on the exam. Provide the correct letter answer at the bottom of each question.”

Access Control System
Question: What is an Access Control System?
Answer: A means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.
Chapter 2. Identity and Access Management
Access Control Tokens
Question: How are Access Control Tokens used?
Answer: The system determines the validity of the token at the point where it is read, based on time, date, day, holiday, or other conditions, when controlling validation.
Chapter 2. Identity and Access Management
Accountability
Question: What is Accountability?
Answer: Accountability ensures that only authorized users are accessing the system and using it properly.
Chapter 2. Identity and Access Management
Advanced Threat Protection
Advanced threat protection (ATP) – relies on multiple types of security technologies, products, and research, each performing a different role, but still working seamlessly together to combat attacks from the core of the network to the end user device. The three-part framework is conceptually simple—prevent, detect, mitigate; however, it covers a broad set of both advanced and traditional tools for network, application and endpoint security, threat detection, and mitigation.
Advanced Persistent Threat
Advanced persistent threat (APT) – a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. Typically, their intention is to steal data rather than to cause damage to the network or organization. These attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.
Annual Loss Expectancy
Formula: ALE = SLE * ARO
ALE = Annual Loss Expectancy. The SLE multiplied by the ARO, which equates to the yearly cost related to a particular risk.
SLE = Single Loss Expectancy. The expected negative impact (cost) of a single occurrence of a given risk, once that risk has been assessed.
ARO = Annual Rate of Occurrence. The number of times per year that a given impact is expected, expressed as a number.
Anti-virus/anti-malware (AV/AM)
Question: What does AV/AM provide protection against?
Answer: AV/AM (Anti-virus / anti-malware) provides protection against virus, spyware, and other types of malware attacks in web, email, and file transfer traffic. They are responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, anti-virus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.
Assets and Asset Management
Question: What is an asset?
Answer: Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
Question: What is the asset lifecycle?
Answer: The phases that an asset goes through from creation (collection) to destruction.
Question: What is categorization?
Answer: The process of grouping sets of data, information, or knowledge that have comparable sensitivities (impact or loss ratings), and have similar security needs mandated by law, contracts, or compliance regimes.
Question: Who is responsible for protecting an asset that has value, while in their possession?
Answer: The custodian or data custodian.
If you’re interested in asset classes and categorization in ServiceNow, here’s the documentation: https://docs.servicenow.com/en-US/bundle/sandiego-it-service-management/page/product/asset-management/concept/c_AssetClasses.html
For classification and governance of data via Microsoft Purview, the documentation can be accessed here: https://www.microsoft.com/en-us/security/business/microsoft-purview
Question: What is defensible destruction?
Answer: Eliminating data using a controlled, legally defensible, and regulatory compliant way.
Attack Signature
Question: What is an attack signature?
Answer: A characteristic or distinctive pattern of attack that can be searched for using an automated set of rules that have been matched to previously identified attacks.
Attack Surface
Question: What is the definition of attack surface?
Answer: The sum of the different points where an unauthorized user can try to enter and attack a computer environment. While in the context of cybersecurity, we are referencing the software and hardware of a computer environment, an attack surface is also applicable elsewhere. For example, doors and windows represent the attack surface of a house because they are the points from which an intruder can enter.
Attribute-based Access Control
Question: What is Attribute-based Access Control?
Answer: It is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.
https://csrc.nist.gov/Projects/Attribute-Based-Access-Control
Audit / Auditing
Question: What is an Audit / Auditing?
Answer: The process of reviewing a system for compliance against a standard or baseline. Examples include audits of security controls, configuration baselines, and financial records.
Question: You are validating assessment and audit strategies. You want to make sure that all auditors are following the processes and procedures defined by the company’s audit policies. Which type of audit should you use?
Answer: Third-party. This is the best type of audit since you want to ensure that both internal and external auditors are following policies and procedures.
Chapter 1. The Information Security Environment
https://www.isc2.org/Training/Self-Study-Resources/CISSP/Chapter-1
Authentication
Authentication – the process of determining whether someone or something is actually who or what they claim to be. In computer networks, the purpose of authentication is to make sure that only known and authorized persons and devices have access to the network. (Contrast this with authorization)
Authentication Token
Authentication token – also known as a hardware token, security token, USB token, cryptographic token, software token, virtual token, or key fob; used to prove a person’s identity electronically. The token is used in addition to or in place of a password for stronger authentication, to prove that the person is who they claim to be.
Authorization
Authorization – a security mechanism used to determine user/client privileges or access levels related to system resources, including computer programs, files, services, data, and application features. Authorization is normally preceded by authentication for user identity verification.
Availability
Availability – The assurance of timely and reliable access to and use of information by authorized users.
Backup
Question: What is the top responsibility of the tape librarian?
Answer: To receive, record, and release backups stored on media. They check in, check out media, and sanitize the media when it’s returned for reuse.
Baiting
Baiting – the threat actor leaves behind a portable storage device, such as a USB stick, with an enticing label and in a public area. When the victim inserts the device into their computer, it becomes infected.
Behavior Monitoring
Behavior monitoring – observing the activities of users, information systems, and processes and measuring those activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.
Baseline
Question: What is the definition of baseline?
Answer: A documented, lowest level of security configuration allowed by a standard or organization.
Biba Model
Question: In reviewing your company’s security model, the existing model:
- Establishes confidentiality such that people can’t read data classified at a higher level than their clearance.
- Forbids users with a specific clearance from writing data to a document with a lower clearance level.
You note that the current model doesn’t prevent somebody with a low clearance level from writing data to a higher level than their clearance, and you need to implement a model to mitigate this. Which of the following security tenets should the new model focus on?
Answer: Since the existing model is focused on integrity and you need to mitigate by preventing “Write Up” you need to implement the Biba Model.
Bot/Botnet
Bot/Botnet – a network of private computers infected with malicious software and controlled as a group without the owner’s knowledge, and used to perform a DDoS attack, steal data, or send spam. The threat actor controlling a botnet is sometimes referred to as a “bot-herder”.
Breach
Breach – the moment a hacker successfully exploits a vulnerability in a computer or device and gains access to its files and network. Some states, like California, require breach notification (https://oag.ca.gov/privacy/databreach/reporting) and provide a list of public disclosures: https://oag.ca.gov/privacy/databreach/list
Business email compromise (BEC)
The FBI defines 5 major types of BEC scams:
- CEO Fraud: Here the attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.
- Account Compromise: An employee’s email account is hacked and is used to request payments to vendors. Payments are then sent to fraudulent bank accounts owned by the attacker.
- False Invoice Scheme: Attackers commonly target foreign suppliers through this tactic. The scammer acts as if they are the supplier and request fund transfers to fraudulent accounts.
- Attorney Impersonation: This is when an attacker impersonates a lawyer or legal representative. Lower level employees are commonly targeted through these types of attacks where one wouldn’t have the knowledge to question the validity of the request.
- Data Theft: These types of attacks typically target HR employees in an attempt to obtain personal or sensitive information about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks such as CEO Fraud.
Business Continuity and Disaster Recovery
Question: When planning a disaster recovery solution, the amount of data loss should be lower than what?
Answer: The recovery point objective.
Question: Which plan provides for continuity of office space, opens and maintains lines of communication, and provides for data center failover?
Answer: The business continuity plan.
CIA Triad
Question: Which three security concepts make up the CIA Triad?
Answer: Confidentiality, Integrity, and Availability
Question: What best encompasses the primary goals and objectives of security?
Answer: The CIA triad: Confidentiality, Integrity, and Availability.
Explanation: Confidentiality represents the concept that sensitive data should be kept away from unauthorized individuals. Integrity means that data remains authentic and unaltered. Availability ensures reliability and access to system resources.
Question: What are some sample tools to ensure C-I-A?
Answer:
Confidentiality – AES
Integrity – SHA256
Availability – RAID
Question: A Security Manager is applying access controls to ensure that employees in his company are not able to read files that are not directly related to their job functions. What goal of information security are they enforcing?
Answer: Confidentiality
Question: What is confidentiality?
Answer: The property that data or information is not made available or disclosed to unauthorized persons or processes.
Question: What is integrity?
Answer: The property of information whereby it is recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a stated purpose.
Question: What is availability?
Answer: Timely and reliable access to and use of information by authorized users.
CEO fraud
CEO fraud – see Spearphishing.
Cipher
Cipher – a cryptographic algorithm used to encrypt data or information.
Classification
Question: What is classification?
Answer: The process of recognizing the impacts to the organization if its information suffers any security compromise – to its confidentiality, integrity, availability, non-repudiation, authenticity, privacy, or safety-related characteristics. Classifications are derived from the compliance mandates the organization must operate within, whether these be law, regulation, contract-specified standards, or other business expectations.
Clearing
Question: What is clearing?
Answer: The removal of sensitive data from storage devices in such a way that there is assurance the data may not be reconstructed using normal functions or software recovery utilities.
Clickbait
Clickbait – an online advertisement, which may be false, and whose main purpose is to attract users to another website. Sometimes this website or the advertisement itself contains malware.
Compliance
Question: What is the definition of compliance?
Answer: Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.
Question: What do compliance programs ensure?
Answer: They ensure that an organization’s information security controls are consistent with the laws, regulations, and standards that govern the organization’s activities.
Controls
Question: What are three types of applicable controls?
Answer:
- Technological/logical. Implemented with or by automated or electronic systems.
- Physical. Implemented through a tangible mechanism.
- Administrative. Implemented through policy and procedure.
Question: Security stakeholders that are looking to deploy a new security control should develop a business case for that control, True or False?
Answer: True.
Control Categories
Question: What are the seven control categories?
Answer:
- Directive. Controls that impose mandates or requirements.
- Preventative. Controls that prohibit a certain activity, e.g. Access Control.
- Compensating. Controls that mitigate the effects or risks of the loss of primary controls.
- Detective. Controls that recognize hostile or anomalous activity. Log files are an example.
- Corrective. Controls that react to a situation in order to perform remediation or restoration.
- Recovery. Controls designed to restore operations to a known good condition following a security incident.
Question: What category would Access Control be placed in?
Answer: Preventative.
Control Frameworks
Question: What do Control Frameworks do?
Answer: They define controls and control elements, allow for standardization of control implementation, and include evaluation criteria or mechanisms to verify controls are effective.
Question: To ensure security operations follow the proper control framework, you are asked by a customer to focus on technology solutions that will discourage malicious activities. Which type of control framework should you focus on?
Answer: Deterrent
Question: What are the five types of controls?
Answer:
- Detective: Designed to detect errors or irregularities that may have occurred.
- Corrective: Designed to correct errors or irregularities that have been detected.
- Preventative: Designed to keep errors or irregularities from occurring in the first place.
- Manual
- Automated
Question: What are the most common Control Frameworks?
Answer:
- COBIT – used by auditors
- ISO/IEC 27001 Standard that covers cybersecurity control objectives
- ISO 27002 goes beyond control objectives
- ISO 27701 covers privacy
- ISO 31000 guidance for risk management programs
- NIST Security and Privacy Controls. NIST 800-53 Mandatory for federal government agencies (also referred to as NIST Special Pubs)
- NIST Cybersecurity Framework – provides a common language for describing cybersecurity risk. Helps identify and prioritize actions. https://www.nist.gov/cyberframework
Credential (or account) harvesting
Credential (or account) harvesting – a targeted attack that steals a large number of usernames, passwords, and email addresses.
Credential Stuffing
Credential stuffing – a spearphishing attack using stolen credentials, often monetized by selling credentials on dark web forums, and beneficial in establishing bona fides for targeting other high-value accounts, especially executives and finance department employees, to harvest their credentials and gain unauthorized access to devices and networks.
Cross-site scripting (XSS)
Cross-site scripting (XSS) – the process of adding malicious code to a genuine website to gather user information with a malicious intent. XSS attacks are possible through security vulnerabilities found in Web applications and are commonly exploited by injecting a client-side script. Although JavaScript is usually employed, some attackers also use VBScript, ActiveX or Flash. Cross-site scripting is one of the OWASP Top 10. https://owasp.org/www-project-top-ten/
Cryptography
Question: What are the main benefits of Cryptography?
Answer:
- Confidentiality
- Access Control
- Integrity
- Authentication (Proof of Origin)
- Non-repudiation
Question: What is the maximum key length for the Blowfish cipher?
Answer: 448 bits
Question: What is the mathematical function used in encryption and decryption that can be simple or complex?
Answer: An algorithm.
Cybercrime
Question: Define cybercrime
Answer: An act that involves the use of information, information systems, or information technologies in ways that violate the laws that pertain to the system and the information in question.
Data Diddling
Question: What is Data Diddling?
Answer: Data Diddling is where data is altered as it is entered into a computer system, either by a data entry clerk, or a virus.
DLP – Data Loss Prevention
Question: What is Data Loss Prevention?
Answer: Cisco has a great definition of DLP here: https://www.cisco.com/c/en/us/products/security/email-security-appliance/data-loss-prevention-dlp.html
“Data loss prevention, or DLP, is a set of technologies, products, and techniques that are designed to stop sensitive information from leaving an organization.
Data can end up in the wrong hands whether it’s sent through email or instant messaging, website forms, file transfers, or other means. DLP strategies must include solutions that monitor for, detect, and block the unauthorized flow of information.”
Data Subjects PII and Privacy
Question: Who is the data subject?
Answer: The person who is identified or described by the data.
Question: What is PII?
Answer: Personally identifiable information. Any data about a human being that could be used to identify that person.
Question: What is the definition of privacy?
Answer: The right of a human individual to control the distribution of information about themselves.
Digital Certificates
Question: In a public-key infrastructure (PKI), how are public keys published?
Answer: Digital certificates enable asymmetric key exchanges where both private and public keys are distributed.
Distributed Denial of Service (DDoS) Attack
Distributed denial of service (DDoS) attack – the systematic orchestration of a large number of compromised systems spread across the Internet (see Botnets), each rapidly generating network requests to a target system. This flood of requests overwhelms the target server, resulting in the server’s inability to respond to legitimate requests. For DDoS mitigation, there’s a Forrester Wave report that lists Cloudflare, Akamai Technologies, Radware, and Imperva as leaders. https://www.cloudflare.com/forrester-wave-ddos-mitigation-2021/
Deep packet inspection (DPI)
Deep packet inspection (DPI) – the act of examining the payload or data portion of a network packet as it passes through a firewall or other security device. DPI identifies and classifies network traffic based on signatures in the payload. It examines packets for protocol errors, viruses, spam, intrusions, or policy violations.
Deepfake
Deepfake – an audio or video clip that has been edited and manipulated to seem real or believable. They can easily convince people into believing a certain story or theory that may have political or financial consequences.
DNS
Question: DNS Poisoning is BEST described as what?
Answer: Altering a DNS cache with malicious DNS records. This causes the client to send legitimate traffic to an attacker.
Question: The DNS Security Extensions (DNSSEC) are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. How are DNSSEC queries and responses encrypted?
Answer: DNSSEC enabled queries and responses are encrypted by private-key cryptography.
Drive-by
Drive-by – refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device. A drive-by download will usually take advantage of (or “exploit”) a browser, app, or operating system that is out of date and has a security flaw. This initial code that is downloaded is often very small (so you probably wouldn’t notice it), since its job is often simply to contact another computer where it can pull down the rest of the code on to your smartphone, tablet, or computer. Often, a web page will contain several different types of malicious code, in hopes that one of them will match a weakness on your computer.
Due Care and Due Diligence
Question: What is Due Care?
Answer: Due Care is a legal and ethical duty owed by a provider to a customer, and the actions taken by the provider to fulfill that duty. Due care reflects a judgement of the circumstances or an event which would cause a prudent person to take action. Due care is the standard to which a governing body would be held.
Question: What is due diligence?
Answer: Due diligence consists of the measures taken to manage, oversee, monitor, and assess the successful accomplishment and continued applicability of a duty of due care. Due diligence requires a higher standard of research and application of knowledge than due care. Due diligence is not measured by any absolute standard.
Economic Espionage Act
Question: What is the Economic Espionage Act? When was it passed?
Answer: Congress passed the Economic Espionage Act in 1996 to fight industrial espionage. If an organization or individual is caught stealing trade secrets with the intent of selling them to a foreign power, the agent or individual can be fined up to $500,000 per offense, or $10 million if perpetrated by an organization.
Encryption
Encryption – the process of converting readable information into unintelligible code in order to protect the privacy of the data.
Question: What happens with Asymmetric Encryption?
Answer: Different keys are used for encryption and decryption, and the decryption key is impossible to determine even if you have the encryption key.
Question: Do TLS and Secure Shell use symmetric encryption or asymmetric encryption?
Answer: TLS and SSH use both symmetric and asymmetric encryption by using asymmetric encryption to securely exchange a secret key which is then used for symmetric encryption.
Question: What is block size?
Answer: (from Wikipedia): “In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size. Both the input (plaintext) and output (ciphertext) are the same length; the output cannot be shorter than the input – this follows logically from the pigeonhole principle and the fact that the cipher must be reversible – and it is undesirable for the output to be longer than the input.” https://en.wikipedia.org/wiki/Block_size_(cryptography)
Exit Interviews
Question: What is the primary reason for doing an exit interview once an employee quits or is fired?
Answer: To review the company’s NDA and/or non-compete agreements that the employee signed.
Exploit
Exploit – a malicious application or script that can be used to take advantage of a computer’s vulnerability.
Firewall
Firewall – a hardware appliance or software application that is intended to prevent unauthorized access or illicit malware from writing to a computer, device, or network.
Governance
Question: What is governance?
Answer: The process of how an organization is managed: usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make these decisions. The security practitioner must understand how the organization functions, then determine how the security department can help the organization meet its goals.
Question: What is the Governance Committee?
Answer: The formal body of personnel that determines how decisions will be made within the organization, and the entity that can approve changes and exceptions to current relevant governance.
Question: What are the Six Governance System Principles?
Answer:
- Provide Stakeholder Value
- Holistic Approach
- Dynamic Governance System
- Governance Distinct from Management
- Tailored to Enterprise Needs
- End-to-End Governance System
Question: When upper management instructs its employees to complete their goals and provides oversight, what is that called?
Answer: Governance.
Question: What is the definition of security governance?
Answer: The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.
Question: Who is ultimately responsible for corporate governance?
Answer: The board of directors.
Hashing
Question: Which security control best detects integrity issues?
Answer: Hashing.
Identity Theft
Identity theft – the theft of Personally Identifiable Information (PII), typically for economic gain.
Impersonator
Impersonator – a person who pretends to be someone else for entertainment or fraud.
Intellectual Property
Question: What is intellectual property?
Answer: Creations of the mind: inventions; literary and artistic works; and symbols, names and images used in commerce.
Intrusion detection system (IDS)
Intrusion detection system (IDS) – software that automatically alerts administrators when someone or something is trying to compromise an information system.
Intrusion prevention system (IPS)
Intrusion prevention system (IPS) – a system that monitors a network for malicious activities, logs the information, attempts to block the activity, and reports it.
IP Reputation
Question: What is IP Reputation?
Answer: Cisco explains the importance of IP Reputation in relation to security here: https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_14-0/b_ESA_Admin_Guide_ces_14-0/b_ESA_Admin_Guide_12_1_chapter_0101.pdf
“Sender IP reputation filtering is the first layer of spam protection, allowing you to control the messages that come through the email gateway based on senders’ trustworthiness as determined by the Sender IP Reputation Service.
The email gateway can accept messages from known or highly reputable senders — such as customers and partners — and deliver them directly to the end user without any content scanning.
Messages from unknown or less reputable senders can be subjected to content scanning, such as anti-spam and anti-virus scanning, and you can also throttle the number of messages you are willing to accept from each sender. Email senders with the worst reputation can have their connections rejected or their messages bounced based on your preferences.”
“The IP Reputation Score is a numeric value assigned to an IP address based on information from the IP Reputation Service. The IP Reputation Service aggregates data from over 25 public blocked lists and open proxy lists, and combines this data with global data from Talos to assign a score from -10.0 to +10.0.”
For how to work on your organization’s IP reputation as an email sender, take a look at this article from Sendx: https://www.sendx.io/resources/ip-reputation-checker
Juice Jacking
Juice jacking – a security exploit in which an infected USB charging station is used to compromise connected devices.
Keylogger
Keylogger – a technology that tracks and records consecutive key strokes on a keyboard.
Logical Memory Addressing
Question: What type of memory addressing is used by applications?
Answer: Logical memory addressing.
Malicious Code
Malicious code – program code intended to perform an unauthorized function or process that will have an adverse impact on the confidentiality, integrity, or availability of an information system.
Malware
Malware – malicious software that brings harm to a computer system. Types of malware include worms, viruses, Trojans, spyware, adware, and ransomware.
Mitigation Techniques
Question: What are some mitigation techniques?
Answer:
- ACLs
- Digital Signatures – provide a measure of integrity, trust, and assurance on code or data.
- Disk Quotas – prevent the hard drive from filling up and crashing, so applications remain more stable.
- Encryption
- Secure Logging – a record used to identify what occurred, protected so that an attacker can’t tamper with the log files.
Next generation firewall (NGFW)
Next generation firewall (NGFW) – a class of firewall, as software or hardware, that is capable of detecting and blocking complicated attacks by enforcing security measures at the protocol, port, and application level.
Passive Attack
Passive attack – an actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.
Phishing
Phishing – presenting a misleading interface to users or otherwise masquerading as a trusted entity in an effort to get the user to voluntarily supply confidential information such as usernames, passwords, credit card information, and so forth. Commonly delivered by email.
Non-repudiation
Question: What is non-repudiation?
Answer: Non-repudiation is the inability to deny. In cryptography, it is a security service by which evidence is maintained so that the sender and the recipient of data cannot deny having participated in the communication.
Question: What are the two types of non-repudiation?
Answer: 1) Non-repudiation of origin – the sender cannot deny having sent a particular message. 2) Non-repudiation of delivery – a receiver cannot say that they received a different message than the one they actually received.
OSI Model
Question: In the OSI Model, which layer defines the type of media to be used?
Answer: Layer 1
Question: Which layer in the OSI model determines the availability of the receiving program and checks to see if enough resources exist for that communication?
Answer: Layer 7, the Application layer.
Penetration Testing
Question: What are the five phases of penetration testing? Answer:
- Planning / Footprinting
- Information gathering and discovery / enumeration
- Vulnerability scanning
- Exploitation
- Reporting
Phishing
Question: What is Phishing?
Answer: From the Cisco website: “Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually performed through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine. Phishing is a common type of cyber attack that everyone should learn about in order to protect against email threats.”
https://www.cisco.com/c/en/us/products/security/email-security/what-is-phishing.html
Question: What are two of the methods used by threat actors to compromise your device when conducting phishing campaigns?
Answer: Attachments to emails and embedded hyperlinks within emails.
Question: What do Secure Email Gateways provide?
Answer: Threat emulation, Sandboxing, DLP, and Antivirus scanning.
The Anti-phishing Working Group (APWG) works on solutions to phishing using SPF and other techniques to prevent Business Email Compromise. https://apwg.org/ is their domain.
They also publish a report on phishing trends you can view here: https://apwg.org/trendsreports/
PII
Question: What is PII?
Answer: Personally identifiable information. Any data about a human being that could be used to identify that person.
Policy, Standards, Procedures, and Guidelines
Question: What is the difference between Policy, Standards, Procedures, and Guidelines? Answer:
- Policy is the written aspect of governance (including security governance).
- Standards are specific mandates explicitly stating expectations of performance or conformance.
- Procedures are explicit, repeatable activities to accomplish a specific task.
- Guidelines are similar to standards because they describe best practices and expectations of activity to best accomplish tasks and attain goals, but unlike standards, they are not mandated; they are recommendations and suggestions.
Pretexting
Pretexting – fabricated scenario that convinces a targeted victim to disclose privileged information.
Privacy
Question: What is the definition of privacy?
Answer: The right of a human individual to control the distribution of information about themselves.
Real User Monitoring (RUM)
Question: Which type of monitoring does analysis of traffic or the requests of users?
Answer: Real User monitoring.
Recovery Point Objective
Question: When planning a disaster recovery solution, the amount of data loss should be lower than what?
Answer: The recovery point objective.
Risk
Question: What is the definition of risk?
Answer: The possibility of damage or harm and the likelihood that damage or harm will be realized.
Question: What is the definition of acceptable risk?
Answer: The level of risk that is tolerable, and whether a particular risk is acceptable relative to the rewards offered by conducting operations.
Question: What is risk impact assessment?
Answer: Risk impact assessment is the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks to establish a most-to-least-critical importance ranking. Ranking risks in terms of their criticality or importance provides insights to the project’s management on where resources may be needed to manage or mitigate the realization of high probability/high consequence risk events.
Ransomware
Ransomware – a type of malware program that infects, locks or takes control of a system and demands ransom to undo it. Ransomware attacks and infects a computer with the intention of extorting money from its owner. Email is the predominant attack vector because it relies on a single click to circumvent controls. Ransomware may also be referred to as a crypto-virus, crypto-Trojan or crypto-worm.
Rogue AP
Rogue AP – a wireless access point that has been installed on a secure network without the authorization of a local network administrator, whether added by a well-meaning employee or by a malicious attacker.
Rogue Security Software
Rogue security software – a victim is convinced to purchase fake malware removal but instead installs malware on their device.
Rootkit
Question: What is a Rootkit?
Answer: A Rootkit is a type of malware that allows cybercriminals to remotely control your computer. Rootkits are especially damaging because they are hard to detect, making it likely that this type of malware could live on your computer for a long time.
Question: What malicious software would most likely be used to attain or maintain elevated privileges?
Answer: Rootkit. Rootkits disguise themselves as system-level resources to help avoid detection. They often have kernel-level access and are difficult to remove.
Salami Attack
Question: What is a Salami Attack?
Answer: An attack on a computer network which involves the intruder siphoning off small amounts of money from a file and placing them in another file that he or she can access.
https://www.oxfordreference.com/view/10.1093/acref/9780191744150.001.0001/acref-9780191744150-e-2812
Sandbox
Sandbox – a security mechanism for separating running programs to an area segmented off from the device/network operating system and applications. It is used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites. The sandbox limits the actions and resources available to the constrained item, allowing the item to be evaluated, while preventing any harm or damage to be caused to the host system or related data or storage devices.
Secure Access Service Edge (SASE)
Question: What is Secure Access Service Edge (SASE)?
Answer: Cisco defines Secure Access Service Edge as “Secure access service edge (SASE) is a network architecture that combines VPN and SD-WAN capabilities with cloud-native security functions such as secure web gateways, cloud access security brokers, firewalls, and zero-trust network access.”
https://www.cisco.com/c/en/us/products/security/what-is-sase-secure-access-service-edge.html
Secure Email Gateway
Question: What is a Secure Email Gateway?
Answer: Whatis.com defines Secure Email Gateways as:
“An email security gateway is a product or service that is designed to prevent the transmission of emails that break company policy, send malware or transfer information with malicious intent.
Businesses of all sizes use email security gateways to prevent data loss, perform email encryption, compensate for weak partner security and protect against known and unknown malware. Solution types for email security gateways include private cloud, hybrid cloud, hardware appliances, virtual appliances and email server-based products. These solutions offer similar functions, and many providers offer more than one form.”
https://www.techtarget.com/whatis/definition/email-security-gateway
If you look at the FortiMail Secure Email Gateway solution from Fortinet, as an example, it provides protection against:
- Spam
- Phishing
- Spear-phishing and Whale phishing
- Malicious Attachments and URLs
- Ransomware
- Zero-day Threats
- Impersonation
- Business Email Compromise (BEC)
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiMail.pdf
Secure Sockets Layer (SSL) Encrypted Traffic Inspection
Secure Sockets Layer (SSL)-encrypted traffic inspection – protects endpoint clients as well as Web and application servers from potentially hidden threats. SSL inspection intercepts and inspects encrypted traffic for threats before routing it to its destination. It can be applied to client-oriented traffic, such as users connected through a cloud-based site, or to Web and application server traffic. Using SSL inspection allows policy enforcement on encrypted Web content to prevent potential intrusion from malicious traffic hidden in SSL content. While SSL inspection adds security by screening for threats that attempt to bypass protections by riding on encrypted traffic, the resulting tradeoff is a decrease in throughput.
Secure Web Gateway
Secure web gateway – an on-premises or cloud-delivered network security service. Sitting between users and the Internet, secure web gateways provide advanced network protection by inspecting web requests against company policy to ensure malicious applications and websites are blocked and inaccessible. A secure web gateway includes essential security technologies such as URL filtering, application control, data loss prevention, antivirus, and HTTPS inspection to provide organizations with strong web security.
Security Control Frameworks
Question: What are some of the most common security control frameworks?
Answer:
- ISO 27001 / 27002
- COBIT
- ITIL
- RMF
- CSA STAR
Security Models
Question: What are some of the most common security models?
Answer:
- Bell-LaPadula (Confidentiality)
- Biba (Integrity)
- Brewer and Nash (Confidentiality)
- Clark-Wilson (Integrity)
- Graham-Denning (Confidentiality and Integrity)
- Harrison, Ruzzo, Ullman (Integrity)
Sender Policy Framework (SPF)
Question: What is Sender Policy Framework (SPF)?
Answer: Sender Policy Framework (SPF) is an email authentication method for detecting forged sender email addresses during the delivery of the email.
Question: What attributes does Sender Policy Framework (SPF) provide?
Answer: It strengthens the authentication method, and stops unknown threats.
If you’re interested in how this works in relation to Microsoft 365 email servers, read this article: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-worldwide
Security information and event management (SIEM)
Security information and event management (SIEM) – also known as security incident and event management, it provides a comprehensive and centralized view of the security posture of an IT infrastructure, to identify, monitor, record and analyze security events or incidents in real time. Most SIEM systems deploy multiple collection agents to gather security-related events from end-user devices, servers, network equipment and specialized security equipment like firewalls, AV/AM or IPS. The collectors forward events to a centralized management console, which performs inspections, flags anomalies, and notifies the IRT (Incident Response Team) of any security-violating events.
Smishing
Smishing – also known as SMS phishing; occurs when a cell phone receives an SMS (Instant Message or IM) from a fake person or entity. The unsuspecting cell phone user responds to the fake SMS and visits a URL, inadvertently downloading malware and installing a Trojan without the user’s knowledge. Phishing is all about extracting useful information, so in the case of SMS phishing, the Trojan harvests the data areas of the cell phone and transmits them to the person who created the Trojan at the earliest opportunity.
Social Engineering
Social engineering – the art of manipulating people to obtain confidential information or to have them do something that they did not intend.
Social Media Deception
Social Media Deception – an attacker manipulates content and creates fake online profiles.
Spam
Spam – the abuse of electronic messaging systems, such as e-mail, text messaging, social networks or VoIP, to indiscriminately send unsolicited bulk messages. Most spam is advertising, but some may include malicious code, malicious hyperlinks or malicious attachments.
Spearphishing, Whaling, CEO Fraud, and Business Email Compromise (BEC)
Spearphishing, whaling, CEO fraud, and business email compromise (BEC) – a form of social engineering attack that is targeted at victims who have an existing digital relationship with an online entity such as a bank or retail website. A spear phishing message is often an e-mail, although there are text message and VoIP spear phishing attacks as well, and it looks exactly like a legitimate communication from a trusted entity. The attack tricks the victim into clicking on a hyperlink to visit a company website, only to be redirected to a false version of the website operated by attackers. The false website will often look and operate similarly to the legitimate site and focus on having the victim provide their logon credentials and potentially other personal identity information such as answers to their security questions, an account number, their social security number, mailing address, email address and/or phone number. The goal of a spear phishing attack is to steal identity information for the purpose of account takeover or identity theft.
Spoofing
Spoofing – a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver, with the intent to gain an advantage or the trust of the receiver. It is most prevalent in communication mechanisms that lack a high level of security, such as IP addresses, MAC addresses, and email addresses.
Spyware
Spyware – malware used to infiltrate a user’s system without their knowledge, to monitor activity, collect keystrokes and passwords, and harvest data (account information, logins, financial data). Spyware exploits user and application vulnerabilities and is often attached to free online software downloads or to links that are clicked by users. It is also often used to disable firewall or anti-malware software while consuming CPU activity to increase an endpoint’s vulnerability to attack.
Subject
Question: What is a subject?
Answer: The natural person who is identified or described by the data.
SQL Injection
SQL injection – a computer attack in which malicious code is embedded in a poorly designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed. SQL injection falls under the Injection category of the OWASP Top Ten: https://owasp.org/Top10/A03_2021-Injection/
System Mitigations
Question: What are some of the most common System Mitigations?
Answer:
- Patch / Update
- General Network Protections: network segmentation, firewall devices, network intrusion prevention and detection
- Host Protections: Antivirus, Host IPS, Host Firewall, and Disk Encryption
- User Education: Anti-phishing campaigns, social engineering awareness, etc.
System Security Capabilities
Question: What are the most commonly employed System Security Capabilities?
Answer:
- Access Control
- Processor States
- Memory Management
- Process Isolation
- Data Hiding
- Abstraction Layers
- Security Kernel
- Encryption
- Code Signing
- Audit and Monitoring
- Virtualization / Sandbox
- Hardware Security Modules
- File System Attributes
Tailgating
Tailgating – unauthorized person who bypasses physical access controls, often by distracting and then closely following an authorized person into a controlled room or building.
Trojan Horse
Trojan horse – a form of malware where a malicious payload is embedded inside a benign host file, which is used to deceive users into downloading and installing the malware. When a user accesses the host file, the malicious payload is automatically deposited onto their computer system and allows the cyber-criminal to conduct a variety of attacks such as stealing or destroying data, installing more malware, modifying files, monitoring user activity, or conducting denial of service (DoS) against targeted web addresses.
Unified threat management (UTM)
Unified threat management (UTM) – an approach to information security that combines several key elements of network security hardware and software into a comprehensive security solution, including a single management and reporting point for the security administrator. This contrasts with the traditional method of having point solutions for each security function.
USB Baiting
USB baiting – compromised USB drives can be used to inject malicious code, redirect a user to phishing websites, or give a hacker access to a user’s computer.
Virtual private network (VPN)
Virtual private network (VPN) – a tool that extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Encryption is a common, although not an inherent, part of a VPN connection.
Virus
Virus – a type of malware aimed at corrupting, erasing or modifying information on a computer before spreading to others.
Virus Signature
Virus signature – a virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. One signature may contain several virus signatures, which are algorithms or hashes that uniquely identify a specific virus. Antivirus software uses a virus signature to find a virus in a computer file system, allowing it to detect, quarantine, and remove the virus.
Vishing
Vishing – a form of phishing attack which takes place over VoIP. In this attack, the attacker uses VoIP systems to be able to call any phone number with no toll-charge expense. The attacker often falsifies their caller-ID in order to trick the victim into believing they are receiving a phone call from a legitimate or trustworthy source such as a bank, retail outlet, law enforcement or charity. The victims do not need to be using VoIP themselves in order to be attacked over their phone system by a vishing attack.
WAF – Web Application Firewall
Question: What does a web application firewall monitor and block?
Answer: HTTP and HTTPS traffic. It can block malicious traffic to and from an application.
Question: What types of common attacks does a WAF block?
Answer:
- SQL Injection https://owasp.org/www-community/attacks/SQL_Injection
- Cross-site Scripting https://owasp.org/www-community/attacks/xss/
- File Inclusion https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
- Security Misconfigurations https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Question: What technology preceded WAF?
Answer: Application Firewalls.
For a list of threats prevented for Fortinet WAF, take a look at: https://www.fortinet.com/products/web-application-firewall/fortiweb/what-is-waf
This is what Fortinet WAF helps defend against as far as the OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Injection attacks
When untrusted data is sent to an interpreter, an attacker can inject malicious code.
Broken authentication
If authentication mechanisms are not implemented properly, attackers can expose these vulnerabilities.
Sensitive data exposure
Since many web applications and APIs lack data security, attackers can exploit sensitive financial, healthcare, and personal information.
XML external entities (XXE)
Many legacy XML processors evaluate external entities, which can be leveraged to disclose internal files.
Broken access controls
When user access and restrictions are not enforced, unauthorized users can potentially access confidential files.
Security misconfiguration
Default or ad-hoc configurations can lead to security misconfigurations that lead to vulnerabilities.
Cross-site scripting (XSS)
When an application includes untrusted data without validation, XSS flaws occur that can be used to perform attacks.
Insecure deserialization
Leads to remote code execution which can be used to perform attacks.
Using components with known vulnerabilities
Components often run with the same privileges as the application. If a vulnerability occurs, all components and applications can be compromised.
Insufficient logging and monitoring
Logging and monitoring that do not integrate with an incident response technology leave the response process insufficient.
Outside the OWASP Top 10, Fortinet WAF defends against:
Bots
Programs that interact with our applications and often mimic human interaction. Good bots may be allowed to interact with an application, and include: search engines, virtual assistants, and content aggregators (e.g., price comparison sites). Bad bot activity can include: web scraping, competitive data mining, personal and financial data harvesting, account takeover, digital ad fraud, and transaction fraud.
Malicious uploads
Many web applications allow users to upload their own content, which can include a variety of malicious code payloads.
Unknown vulnerabilities
Signature-based solutions cannot protect against newly discovered vulnerabilities. A robust WAF solution must be able to defend against threats for which no signatures exist.
Zero-day attacks
Attacks that target previously unknown flaws in an application. When a threat actor discovers a zero-day vulnerability, they can use it to exploit systems that do not have additional defensive measures in place, such as a WAF.
Distributed Denial of Service (DDoS)
The use of a large number of systems, often a botnet of compromised computers, to overwhelm an application so that it cannot respond to user requests. DDoS attacks can attempt to simply overwhelm the system with traffic or may attempt to exploit a flaw in the application logic to achieve the same result.
Question: Which action can a modern WAF do?
Answer: Stop any user action should it exceed their network permissions.
Question: Which firewall is positioned between a web application and the internet?
Answer: A Web Application Firewall
Question: Which protocol traffic does a web application firewall (WAF) monitor?
Answer: HTTP
Watering Hole Attack
Question: What is a watering hole attack?
Answer: It is a malware attack in which the attacker observes the websites often visited by a person or a particular group, and infects those sites with malware.
Web Filtering
Question: What is Web Filtering?
Answer: Web Filtering allows you to explicitly allow web sites, or to pass web traffic uninspected both to and from known-good web sites in order to accelerate traffic flows. The most advanced web content filtering technology enables a wide variety of actions to inspect, rate, and control perimeter web traffic at a granular level. Using web content filtering technology, these appliances can classify and filter web traffic using multiple pre-defined and custom categories.
Question: What is the first line of defense against web-based attacks?
Answer: Web Filtering
Question: What types of technologies have web filtering built in?
Answer: Firewalls, proxy servers, sandbox technology, wireless access points.
Whaling
Whaling – see Spearphishing.
Worm
Worm – a self-replicating, self-propagating, self-contained form of malware that uses networking mechanisms to spread itself to other systems. Generally, the damage caused by a worm is indirect and due to the worm’s replication and distribution activities consuming all system resources. A worm can be used to deposit other forms of malware on each system it encounters.
Zero-day Exploits
Zero-day exploits – leveraging software bugs that previously were unknown to the general security community in order to gain access to, or elevate privileges on, a computer system.