Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Index

A

AbuseIPDB, 275, 388
acceptable use policy (AUP), 160, 340
accessing hosts, 4–5, 282
account lockouts, 289
accounts
- management policy for, 156, 338
- storing information for, 37, 296
active defenses, 21, 289
active fingerprinting, 313
active scanners, 312
Activity Monitor, 43, 55, 298, 303
address space location randomization (ASLR), 148, 334
administrative control, 317
advanced encryption standard (AES), 22, 289
advanced persistent threat (APT)
- about, 199–200, 234, 335, 347, 354, 358, 373
- characteristics of, 59, 304
- as a threat actor, 37, 296
- threat actors associated with, 3, 282
adverse event, 183, 351
AFRINIC, 283
agent-based monitoring, 113–114, 322
agent-based scanning, 81, 89, 90, 313, 316
Agile software development, 139, 145, 330, 332, 333
air gap, 16, 18, 286, 287
air-gapped networks, using systems on, 22, 289
Akamai, 312
alerting thresholds, 221, 368
alerts
- filtering, 27, 292
- volume of, 366, of 218
allowlisting, 40, 293, 297
Amazon's Web Services (AWS) environment, 266–267
analyzing malware, 44, 299
Angry IP Scanner, 312, 342
annualized loss expectancy (ALE), 152, 336, 339, 386
annualized rate of occurrence (ARO), 152, 336, 339
anomalous behavior, 42, 298
anomaly analysis, 56, 303
antiforensic activities, 178
antimalware tools
- about, 300
- for email, 38, 296
antivirus package, 28, 293
Apache error log, 178, 348
APFS, 178, 348
API keys, 287–288
API-based CASB, 63, 307
API-based integration, 37, 280, 296, 390
APNIC, 283
application programming interfaces (APIs), 344
application/token-based multifactor authentication, 245, 377
approved exception, 115, 323
approved scanning vendor (ASV), 323
app.run.any, 39, 297
ARP tables, 111, 322
artificial intelligence (AI), 43, 298
asset inventory, 127, 327
asset value (AV), 386
at command, 39, 296
ATA Secure Erase command, 270, 374, 385
attack surface, reducing, 27, 71, 243, 248, 292, 309, 376, 379
attack vectors, 149, 169, 345
authenticated vulnerability scan, 185, 352
auth.log file, 27, 292
Authman, 291
automating
- automated testing tool, 204, 359
- deprovisioning, 154, 337
- recommended processes for, 63, 307
- security gates, 143, 332
auto-scaling, 389–390
availability analysis, 26, 231, 292, 372
awareness training, 14, 43, 65, 221, 285, 298, 308, 368
AWS secret keys, 72, 310

B

Babbage machine, 299–300
background investigation, 157, 339
backups, 105, 186, 189, 272, 320, 338, 351, 352, 353, 386
bandwidth consumption, 261
banner grabbing, 72, 103, 310, 320
Basic Metric Group, 220, 226, 366, 367
beaconing, 192, 275, 386, 387
behavioral analysis, 58–59, 303, 304
behavioral sources, 282
behavior-based analysis tool, 59, 305
behavior-based detection, 27, 292
/bin directory, 305
binaries, testing, 15, 285
binary diffing, 26, 291
biometric factors, 308
BIOS, 235, 332, 373
bit-by-bit acquisition, 349
bit.ly, 61, 306
blackhole, 287
blacklisting, 28, 293, 332
blind SQL injection, 88, 132, 315, 328, 375
Border Gateway Protocol (BGP), 205
BotScout, 44–45, 299
broken access control, 73, 310
browser developer, 126
brute-force attack
- about, 283
- against root account, 38–39, 296
bs parameter, 233, 372
buffer overflow attack, 202, 317, 323, 324, 358, 378
bug bounty, 166, 344
Burp Suite, 387
business continuity plan, 204, 360
business impact analysis (BIA), 257, 362, 363, 381
business process interruption issue, 225, 370
business requirements, changing, 224, 369
business rules, in data loss prevention (DLP) systems, 49, 300

C

call list, 201, 358
CAPEC, 205
CAPTCHAs, 289
captive portal, 286
capturing network flows, 57, 304
causal factors, 226, 371
Center for Internet Security (CIS), 162, 274, 341, 387
central processing unit (CPU), 60, 305
CERT/CC, 364
certificate authority (CA), 329
certificates, replacing, 133, 264, 328, 383
certutil utility, 181, 349
chain of custody, 176–177, 179, 251, 348, 349, 352, 356, 380
change management process, 164, 209, 325, 361–362
checklist review, 202, 359
CIA triad, 264
classifying
- information, 162, 341
- threat actors, 30, 293
clear, purge, destroy, 184, 351
clock synchronization, 374
closed-source intelligence, 282
cloud access security broker (CASB), 50, 301, 306
Cloudflare, 312
CloudSploit, 310
cluster image, 278
cmd.exe command, 28, 32, 292, 294
code
- about, 147, 334
- obfuscating, 30, 294
- remote execution of, 26, 291
code of conduct, 156, 338
Common Platform Enumeration (CPE) data, 72, 310
common vulnerabilities and exposure (CVE), 365
Common Vulnerability Scoring System (CVSS), 103, 205, 217, 220, 223, 226, 248, 259, 320, 365, 366, 367, 369, 370, 371, 379, 382
community clouds, 6, 282
compensating controls, 160, 161, 217, 219, 225, 226, 249, 277, 335, 340, 344, 365, 369, 370, 380, 389
computer security incident response team (CSRT), 303
configuration management, 222, 368
configuring
- firewalls, 95, 317
- workstations, 101, 319
containerization
- distributing workloads, 19, 288
- tools for, 25, 291, 297
- virtualization compared with, 19, 288
containment, 205, 359
containment, eradication, and recovery, 182, 192, 197, 274, 350, 357
content distribution networks (CDNs), 78, 312
context-based authentication, 377
continuous scanning, 372
cookies, 90, 316
core dump, 267, 384
corporate policy, 212, 363
corrective control types, 155, 156, 338
CPU utilization, 51–52, 302
credential scanning, 89, 121, 131, 316, 325, 328, 329
credential stuffing attack, 283
credit card information, 87, 217, 315, 365
crime scene tape, 201, 358
critical assets, bundling, 44, 299
cross-site request forgery (XSRF/CSRF), 163, 328, 342
cross-site scripting (XSS) attacks, 73, 143, 144, 310, 317, 328, 332, 333, 342
cross-training, 161, 340
crypters, 294
cryptographic erase, 175
CSIRT, 360
Cuckoo, 62, 306
customer and executive communication, 221, 368
customer relationship management (CRM) tool, 301

D

Dark Web, 279, 390
darknets, 304, 306
dashboard (SIEM), 50, 301
data at rest, 300
data carving, 178, 348
data classification
- about, 105, 270, 320, 385
- policy for, 338
- procedures for, 382
data encoding, 331
data enrichment, 42, 46, 276, 298, 299, 388
data execution prevention (DEP), 148, 334
data exfiltration
- about, 277
- data flows and, 10, 284
data flows, data exfiltration and, 10, 284
data loss prevention (DLP)
- about, 49, 65, 250, 300, 308, 380
- systems for, 327
- tools for, 332
data ownership policy, 160, 161, 338, 340, 341
data poisoning, 342
data privacy, 320, 385
data remanence, 320, 385
data retention, 155, 320, 337, 338, 341, 385
database servers, 106, 321, 382
database service, 90–91, 316
database vulnerability scan, 104, 320
databases, encrypting, 165
datacenter networks, 77, 311
deception technology. see active defenses
degaussing, 351, 374
delivery, 168–169, 345
demilitarized zone (DMZ), 305
denial of critical services, 172, 346
denial of noncritical services, 172, 346
denial-of-service (DoS) attack
- about, 317
- risks in, 7, 283
- SYN floods and, 28, 293
deploying
- patches, 208, 242, 361, 375
- web application firewalls, 214
Design phase, in SDLC cycle, 139, 331
destination disk, 197
detection and analysis, 188, 197, 237, 374
deterrent controls, 338
/dev directory, 305
developers, 215, 364
device fingerprint, 245
DevSecOps, 332
Diamond framework, 168, 345
digital signatures, 308
directory permissions, 244
directory traversal attacks, 81, 248, 313, 378
disaster recovery, 204, 360
disaster recovery plans (DRPs), 362
disclosure, 215, 364
disk duplication tool, 384
disposition, 140, 145, 331, 333
DNS brute-force attack, 70, 309
DNS sinkhole, 171–172, 205, 346
DNS zone transfer, 309
Docker, as a containerization tool, 25, 291
documentation, 183, 351
documenting decisions, 153
$ (dollar sign), 141, 331
Domain-based Message Authentication, Reporting, and Compliance (DMARC), 29, 293, 389
DomainKeys Identified Mail (DKIM), 249, 379, 389
drive analysis, 182, 350
drive capacity consumption, 203
dual control, 155, 157, 338, 339
DVD-ROM, 269
dynamic analysis, 140, 301, 303, 331
dynamic analysis sandbox
- about, 16, 285
- malwr.com as a, 12, 284

E

eavesdropping, 109, 322, 327
ec2-user, 171, 346
ECC, 22, 289
e-discovery, 185, 352, 358
Electronic Discovery Reference Model (EDRM), 358
email
- forwarding, 35, 295
- headers, 29, 293
- headers from, 54–55, 303
- servers, 108, 321
- signature block, 38, 296
emergency change, 202, 358
Encapsulating Security Payload (ESP), 41–42, 297
encrypting
- databases, 165
- improper, 166
end-of-life (EOL), 325
endpoint detection and response (EDR), 34, 49, 66, 295, 301, 308
endpoint forensics, 191
end-to-end encryption, 312
enterprise resource planning (ERP) software, 73, 310
entrusted network segment, 348
environmental metric group, 224, 370
Eraser, 348, 355
escalation, 213, 348, 363
escalation of privilege, 93, 317
/etc directory, 60, 305
/etc/group, 272, 386
evasion techniques, nmap and, 79, 312
event logs, 228, 371
Event Viewer, 169, 345
events, 245, 377
evidence
- in incident reports, 219, 366
- log entries in, 224, 369
- production procedure, 261, 382
Executive Report, 362, 372
executive summary, 216, 223, 365, 368
expired certificates, 21, 288
exploit code, maturity of, 219, 366
exploit developers, 257, 381
exposure factor (EF), 152, 336, 386
Extensible Markup Language (XML), 250, 380
external networks, exposure to, 254, 380–381
external scans, 115, 262, 323, 383

F

Facebook, 356
Fail2ban, 39, 297
false positive, 241
false positive report, 106–107, 321
Family Educational Rights and Privacy Act (FERPA), 314
FAT32, 185, 351
fault injection, 330, 381
feasibility, 147, 334
Federal Information Security Management Act (FISMA), 364
federated identity protocols, 25, 291
federation
- identity protocols for, 20, 288
- integrating with, 23, 290
file carving, 267, 384
file command, 349
File Transfer Protocol (FTP), 260, 362, 382
files, deleted, 188
FileVault, 175, 347
filtering
- alerts, 27, 292
- traffic, 51, 301
financial value, 316
fingerprinting, 304, 322
firewalls
- about, 31, 238, 294, 313, 374
- configuring, 95, 317
- logs, 237, 374
- rules for, 127, 327
firmware protection, 143, 332
flow logs
- about, 12–13, 285
- with heuristic analysis, 53, 302
forwarding email, 35, 295
FTK Imager Lite, 193, 349, 355
full-disk encryption (FDE)
- about, 17, 286, 308, 380
- infrastructure-as-a-service and, 6–7, 283
function-as-a-service (FaaS), 4, 282
fuzz testing, 138, 140, 256, 290, 330, 331, 381
fuzzers, 146, 166, 334, 344

G

GET command, 48, 300
getfacl, 174, 347
GNU debugger, 342
Google Chrome, 101, 179, 319, 349
graphs, for binary diffing, 26, 291
grep command, 295, 321
Group Policy Object (GPO), 114, 322–323
GUI tools, 55, 303
guidelines, 158, 339

H

hacktivists, 49, 300, 306
hard disk drives (HDDs), 305
hardware firewall, 225, 370
hardware tokens, 280
hash values, 235, 373
hashing, 18, 287, 299–300
Health Insurance Portability and Accountability Act (HIPAA), 314
heuristic analysis
- about, 268, 371
- flow logs with, 53, 302
hibernation file, 191, 267, 384
High Severity Report, 83, 314, 363
honeynet, 19, 287
honeypots, 14, 234, 240, 285, 287, 373, 375
horizontal scaling, 19, 287–288
host firewalls, 17, 286
Host-Based Intrusion Detection System (HIDS), 332
hostname, 219, 367
hosts
- accessing, 4–5, 282
- authentication of, 135, 328
hosts file, modifying, 169, 345
htop command, 295
human resources (HR), 62, 216, 307, 365
hybrid clouds, 64, 282, 308
Hypertext Transfer Protocol (HTTP)
- about, 107, 321
- port for, 26, 291
Hypertext Transfer Protocol Secure (HTTPS)
- about, 93, 317
- port for, 26, 291, 319
hypervisor, 86, 315
hypothesis formation, 43, 298

I

ICS, 324
identification phase, 201, 358
identifying risks, 209, 362
identity providers (IDPs), 246, 377
ifconfig command, 54, 302, 354
Immunity Debugger, 342
impact, of attacks, 74, 172, 173, 311
impersonation, 150
implementing
- compensating controls, 219
- logging, 272, 386
incident escalation process, 224, 369
incident remediation, 292
incident reports, 222, 368
incident response process, 188, 352
incident response reports, 370
incident response KPI, 222, 368
incident response team (IRT), 215, 217, 218, 221, 303, 364, 365, 366, 367
indicators of compromise (IoCs), 44, 64, 259, 299, 307, 382
industrial control system (ICS), 82, 88, 314, 315, 324
INDX files, 371
information
- asset value, 90, 316
- classifying, 162, 341
- limiting, 71, 309
information security management system (ISMS), 341
information sharing and analysis centers (ISACs), 3, 54, 62, 282, 303, 307
informational report, 95–96, 317
infrastructure-as-a-service (IaaS), 6–7, 78, 202, 283, 312, 359
input validation, 117, 130, 146, 324, 328, 331, 334
insiders, 306, 323
integration, API-based, 37, 296
integrity loss, 192, 355
intellectual property, 306
intelligence
- criteria for, 3, 282
- sources for gathering, 12, 284
interactive behavior analysis, 57, 304
internal network vulnerability scan, 260, 382
internal scans, 93, 115, 262, 317, 323, 383
Internet Corporation for Assigned Names and Numbers (ICANN), 311
intrusion detection system (IDS), 299, 308
intrusion prevention system (IPS), 245, 300, 301, 313, 314, 377, 384
IP address
- about, 219, 367
- randomizing, 327
- spoofing, 81, 313
- zero-trust networks and, 63, 307
IP reputation, 53, 302
ipconfig, 354
IPsec, 96, 288, 289, 318
ISO 27001, 272, 341, 386
isolation, 182, 189, 238, 350, 354, 374

J

Java, 162
job rotation, 339
jump box, for providing access, 15–16, 285
jump kit, 194, 356
jump server. see jump box

K

Kerberos, 288
kernel-mode drivers, 99, 318
key loggers, multifactor authentication and, 20, 288
key performance indicators (KPIs), 366
kill command, 34, 295
knowledge factors
- about, 247, 378
- for multifactor authentication, 18, 287
Kubernetes, as a containerization tool, 25, 291

L

LACNIC, 283
Lambda, 282
latency, 6, 232, 283, 372
law enforcement, incident response team and, 218, 366
least privilege, 338
legacy applications, 212
legacy systems, 214, 364, 370
legal hold, 251, 380
less command, 295
lessons learned reviews, 177, 188, 222, 225, 348, 350, 353, 368
leveraging threat intelligence, 371
Lightweight Directory Access Protocol (LDAP), 290, 323, 329
link failure, 228, 371
live images, to external drives, 229, 371
live memory imaging, 348
load balancing, 79, 312, 330
local file inclusion (LFI), 164, 343
Lockheed Martin Cyber Kill Chain, 236, 359, 373
logging
- implementing, 148, 272, 335, 386
- infrastructure for, 25, 291
- intrusion detection and, 141, 331
logic bombs, 308
logical acquisition, 179, 349
logical segmentation, 17, 286
logs
- denial-of-service (DoS) attack and storage of, 7, 283
- troubleshooting, 49, 56, 300, 303
ls command, 294
LSASS.EXE, 305

M

MAC address, 53, 141, 263, 302, 331
machine learning (ML), 43, 47, 298, 299–300
maintenance, scheduling, 214, 363
malware
- analyzing, 44, 299
- pervasiveness of, 70, 309
malware analysis sandbox, 62, 306
malware beaconing, 51, 301
malware binary, analyzing, 50, 301
MALWARESCAN.EXE, 60, 305
malwr.com, 12, 284
managed detection response (MDR), 297
managerial control, 164
mandatory vacations, 153, 337, 339
Master File Tables, 371
maturity, of exploit code, 219, 366
maxOS-based systems, 43, 298
MD5, 15, 285
mean time to compromise, 276, 388
mean time to defend, 277, 389
mean time to detect, 218, 249, 366
mean time to remediate, 220, 366
mean time to respond, 366, 368
media life span, 264
media practice sessions, 226, 370
media sanitization clearing, 351
media training, 216, 365
medical records, 137
mem command, 294
memorandum of understanding (MOU), 211, 362, 363, 381
memory analysis, 354
memory pressure, 56–57, 298, 303
memory usage, monitoring, 52, 302
memstat command, 294
metadata, purging, 309
MetaScan, 304
Metasploit, 342
Microsoft Internet Information Services (IIS), 93, 317
Microsoft Office document metadata, 183, 351
Microsoft SQL, port for, 309
Microsoft SQL Server, port for, 319
Microsoft Windows servers, SharePoint on, 87, 315
Microsoft Word, 196, 356
Minibis, 62, 306
MISP tool, 46–47, 299
mitigation service, 74, 311
MITRE ATT&CK framework, 62–63, 169, 307, 345, 360, 365
monitoring
- memory usage, 52, 302
- procedures for, 382
Mopar, 205
more command, 295
multifactor authentication, 17, 18, 23, 286, 287, 289
multi-interface drive adapter, 201
multitenancy, public cloud for, 60, 306
mutation testing, 330, 381
MySQL, port 3306 for, 70, 309

N

National Cyber Security Authority, 364
National Cyber Security Center, 364
National Software Reference Library, 286
nation-state actors, 64, 306, 308
natural language processing, 301
Nessus, 128, 274, 327, 387
netcat, 40, 297, 312
NetFlow, 47, 108, 300, 302
netstat command, 34, 295
Network Address Translation (NAT) environment, 148, 334
network firewalls, 8, 33, 283, 286, 294, 325
network flows, 57, 300, 304
network hosts, 79, 312
network IPS, 91, 98, 316, 318
network scans, 4, 282
network segmentation
- about, 16, 25, 120, 150, 286, 291, 324, 335
- uses for, 23, 289
network tap, 300
Network Time Protocol (NTP), 97, 318, 366, 372, 383, 389
network traffic, Wireshark for gathering, 11, 284
New Technology File System (NTFS), 348
next-generation firewalls (NGFWs), 306
NIST SP 800-61, 221, 368
NIST SP 800-88, 262, 374, 383
nmap, 77, 79, 312
Nmap scans
- about, 78, 229, 235, 242, 271, 273, 309, 312, 357, 371, 373, 376, 385, 387
- commands, 236
- Common Platform Enumeration (CPE) data and, 72, 310
- proxy support for, 72, 310
- TCP SYN, 71, 309
- wireless routers and, 71, 309
nondisclosure agreements (NDAs), 366

O

OAuth, 20, 25, 63, 286, 288, 290, 291, 307, 336
obfuscating code, 30, 294
Onion Router (TOR), 390
Online Certificate Status Protocol (OCSP), 293
on-path (man-in-the-middle) attack, 378
on-site networks, performing scans from, 80, 313
open redirect, 240–241, 375
Open Source Security Testing Methodology Manual (OSS TMM), 359
Open Web Application Security Project (OWASP), 143, 332–333, 342
OpenFlow, 19, 287
OpenID, 20, 25, 288, 291
OpenID Connect, 63, 290, 307
open-source collection, 62, 307
open-source intelligence (OSINT)
- about, 3, 282
- for intelligence gathering, 12, 284
- port scans as a source, 64, 308
OpenSSH, 265, 384
OpenSSL, 99, 103, 318, 319
OpenVAS, 199, 357
operating systems, 243, 268, 376, 384
Oracle Database TNS Listener Poison Attack vulnerability, 126, 326
Oracle databases
- about, 30, 294
- patches for, 124, 326
- port for, 101, 309, 319
order of volatility, 239, 353, 356, 375, 385
organizational governance, 221, 367
organizational policies, 276, 388
output encoding, 143, 332
output validation, 146, 334
outsourcing, 184, 351

P

packers, for obfuscating code, 30, 294
packet analyzer, 297
packet capture tool, 199
packet header flags, 79, 312
packet loss, 6, 283
packet sniffing, 302
Pacu, 310
parallel test, 203, 359
parameterized queries, 144, 248, 333, 379
passive defenses, 285
passive discovery techniques, 344
passive fingerprinting, 80, 313
passive network mapping, 77, 312
passive network monitoring, 128, 327
passwd binary, 35, 295
password spraying attack, 7, 247, 283, 378
passwordless authentication, 306, 390
passwords, complexity rules for, 288
PASTA process, 365
patch management, 380
Patch Report, 314, 363
patching
- about, 125, 164, 183, 213, 219, 223, 270, 326, 350, 363, 366, 369
- automated, 290
- compensating control and, 217, 365
- deploying, 208, 242, 361, 376, l375
- procedures for, 382
- scheduling, 208–209, 361
- servers, 75, 311
Payment Card Industry (PCI) compliance reporting, 222, 368
Payment Card Industry Data Security Standards (PCI DSS), 79, 84, 87, 96–97, 102, 263, 270, 306, 313, 314, 315, 318, 319, 323, 324, 330, 340, 342, 383, 385
PCI Technical Report, 362, 372
peer-to-peer botnets, 304
peer-to-peer communication, 278, 389
permissions
- directory, 244
- for scans, 127, 208, 327, 361
persistence, scheduled tasks and, 59, 305
personal health information (PHI), 306
personally identifiable information (PII), 61, 306, 354
phishing attacks
- about, 263, 383
- awareness training for, 14, 285
- SOAR for, 44, 299
PHP language, 382
phpinfo file, 328
physical access, 21, 289
physical security controls, 338
PINs, 64, 308
plain-text authentication, 322
platform-as-a-service (PaaS), 282
playbooks, 198, 357, 375
pluggable authentication module (PAM), 346
Point-to-Point Tunneling Protocol (PPTP), 288
policies, 244, 376
POODLE vulnerability, 99, 318
port scanning, 64, 175, 284, 308
Portable Network Graphics (PNG) processing, 102, 319
Portmon, 51, 302
ports
- 22, 59, 133, 305, 329
- 23, 85, 255, 314, 381
- 80, 24, 26, 84, 111, 290, 291, 314, 382
- 389, 116, 323
- 139, 96, 317
- 443, 10, 26, 284, 291, 319
- 445, 96, 317
- 515, 75, 311
- 631, 75, 311
- 636, 10, 284
- 1433, 203, 319
- 1521, for Oracle databases, 101, 319
- 3306, for MySQL, 70, 309
- 3389, 10, 27, 40, 85, 284, 292, 297, 314
- 8080, 10, 284
- 8443, 10, 284
- 9100, 75, 311
- about, 335
- troubleshooting, 70, 309
- for web servers, 84, 314
Post Office Protocol v3 (POP3), 321
Postgres, port for, 309
post-incident communications, 215, 364
post-incident recovery, 183
postmortem forensics, 192, 355
precursor, 182, 350
preparation phase, 174, 204, 261, 347, 382
preventive security controls, 150, 159, 165, 336, 338, 340
printers, 149, 256
private clouds, 282
privileged accounts
- about, 20, 288
- tools for management of, 24, 290
privileged escalation attack, 168, 193, 345, 355
proactive network segmentation, 173–174
proactive risk assessment, 292
procedure document, 155
processor security extensions, 22, 289
promiscuous mode, 80, 313
proprietary intelligence, 282
proprietary system, 225, 370
Prowler, 310
proxy scans, 72, 310
ps command, 321
PS utility, 29, 293
public clouds
- about, 282
- for multitenancy, 60, 306
public key encryption (PKI), 170, 346
purge, validate, and document, 178
purging, 184, 309, 347, 351
PuTTY, 324

Q

qualitative risk assessment, 154, 249, 337, 379
Qualys Top 20 Report, 362, 372
quantitative risk assessment, 154, 337
query parameterization, 331

R

rainbow table attack, 283
random access memory (RAM), 305
random sampling, 166, 344
Rank Software, 298
Rapid Application Development (RAD), 330, 332
RAW files, 176, 187, 351, 353
real-time black hole list (RBL), 379
Reaver malware, 46–47, 299
reconnaissance stage, 12, 70, 106, 110, 284, 309, 321
Recon-ng, 342
recurrence, 220, 367
reformatting, 347
reg.exe, 32–33, 294
regional Internet registry for Europe, the Middle East, and parts of Central Asia (RIPE), 9, 283
registry, 239, 375
regression testing, 138, 330, 334
regulatory bodies, 216, 365
regulatory compliance, 275, 388
regulatory requirements, 224, 369
relevancy, 249, 380
remediation
- prioritization of, 104, 320
- timeliness of, 83, 87, 97, 101, 314, 315, 318, 319
Remote Desktop Protocol (RDP), 10, 27, 40, 85, 284, 292, 297, 314, 382
remote execution of code, 26, 291
removal, 242, 376
reputational sources, 3, 282
Resource Monitor, 26, 51–52, 291, 302, 303
retention policy, 352
reverse engineering, 57, 304
rights, removing, 165
risk acceptance
- about, 137, 153, 330, 337
- determining severity of, 150, 336
risk appetite, 136, 329
risk avoidance, 151, 152, 336, 337
risk identification, 154, 209, 337, 362
risk mitigation, 151, 160, 239, 335, 336
risk transference, 151, 153, 336, 337
root account, brute-force attacks against, 38–39, 296
root level, 305
root-cause analysis (RCA)
- about, 204, 222, 368, 379
- stages of, 367
rootkits, 74, 310
routers, 286
rules of engagement (RoE), 155, 158, 338, 339
runas command, 321
running strings, 304
runtime packers, for obfuscating code, 30, 294

S

safety systems, 172
sandbox
- about, 271, 386
- for automated antimalware tools, 38, 296
- deploying patches in, 242, 376
- patching in, 126, 326
- running software in a, 65, 308
- for testing binaries, 15, 285
- tool for, 39, 297
Sandboxie, 39, 297
Sarbanes-Oxley (SOX) Act, 314
Scalpel, 382, 384
scanner maintenance, 98, 318
scans
- frequency of, 100, 117, 120, 122, 137, 319, 324, 325, 330
- importance of, 116, 323
- permissions for, 127, 208, 327, 361
- sensitivity level for, 210, 362
- sensitivity of, 89, 112, 116–117, 137, 316, 322, 324
- of UDP ports, 11, 284
SCAP, 299
scheduling
- maintenance, 214, 363
- patching, 208–209, 361
- persistence and scheduled tasks, 59, 305
scope statement, 217, 366
ScoutSuite, 74, 310
screened subnet, 60, 73, 305, 310, 322
script kiddies, 62, 275, 306, 388
<SCRIPT> tag, 267, 384
sdelete command, 192
secure access service edge (SASE), 61, 306
secure administrative host. see jump box
secure domain registration, 309
secure shell (SSH)
- about, 170, 257, 346
- logs, 197, 357
- on port 22, 133, 329
- on port 1433, 203
- port forwarding, 80–81, 313
- server, 59, 305, 311
- tunneling, 80–81, 313
Secure Sockets Layer (SSL), 82, 288, 313
Security Assertion Markup Language (SAML), 20, 22, 24, 25, 288, 289, 290, 291, 293
security gates, automating, 143, 332
security incident, 174, 347
security information and event management (SIEM) system
- about, 297, 299
- capabilities of, 42, 298
- dashboard for, 50, 301
- SOAR compared with, 47, 300
security operations center (SOC), 351
security orchestration, automation, and response (SOAR) system
- about, 29, 41, 45, 268, 293, 297, 299, 384
- logins and, 42–43, 298
- for phishing attacks, 44, 299
- SIEM compared with, 47, 300
security patches, 93, 110, 317, 322
security through obscurity, 338
segmentation, 23, 266, 276, 290, 388
self-signed certificates, 8, 283
Sender Policy Framework (SPF), 278, 379, 389
separation of duties, 153, 157, 161, 337, 338, 340, 341
server accounts, reviewing and securing, 125
Server Message Block (SMB), 323
server-based scanning, 133, 328
serverless environment, 24, 290
servers patching, 75, 311
service access, 308
service level agreements (SLAs), 211, 212, 218, 223, 362, 363, 366, 367, 369, 381, 388
service level objectives (SLOs), 220, 275, 367, 388
service replacement, 35, 295
SERVICES.EXE, 305
session hijacking, 148, 239, 335, 375, 378
session IDs, 145, 333
setfacl, 346
sFlow, 47, 300
SHA-256, 22, 133, 289, 329
shadow files, 61, 306
SharePoint, 87, 315
shim cache, 256, 381
shutdown scripts, 198, 357
signature-based analysis, 299–300
signature-based attack detection methods, 228, 371
SIM swapping, 18, 287
Simple Mail Transfer Protocol (SMTP), 311, 382
Simple Network Management Protocol (SNMP), 100, 302, 319
single loss expectancy (SLE), 271, 339, 386
single sign-on (SSO) implementation, 20, 288
slack space, 190, 191, 198, 352, 357
S/MIME, 389
SMS messages, attacks against, 18, 287
snapshotting, 348
sniffer, 300
sniffing tool, 77, 312
social media review, 284
software threat modeling, 343
software-as-a-service (SaaS), 73, 236, 310, 373
software-defined networks (SDNs)
- about, 24, 290
- layers of, 23, 289
software-defined wide area networks (SDWANs), 300
solid-state drives (SSDs), 305
-sp flag, 80, 313
Spamhaus, 379
sparse acquisition, 349
Spiral model, 145, 332, 333
spoofing target IP addresses, 81, 313
SQL injection attack, 9, 92, 96, 97, 98, 144, 146, 149, 284, 316, 317, 318, 322, 333, 334, 335
SQL Server, 90–91, 316
SQLite, 179, 349
ssh command, 80–81, 313
sshd service, 39, 296
stakeholders, 220, 278, 389
standard scan, 102, 319
standards, 160, 340
static analysis, 16, 50, 140, 247, 285, 301, 303, 304, 331
static code analysis, 139, 335
storing account information, 37, 296
stress testing, 138, 330, 334, 381
strings, running, 304
strings command, 36, 295
Structured Threat Information Expression language (STIX), 74, 293, 310
su command, 321
succession planning, 156, 338, 340
sudo command, 50–51, 65, 109, 301, 308, 321, 346
supervisory control and data acquisition (SCADA), 88, 315, 324
supplemented, 182
suspension, 179, 349
switches, 286
SYN floods, 28, 269, 293
SYN-based port scanning, 233, 372
syslog levels, 60, 305
system administrator, 208, 210, 361, 362
System Monitor, 303

T

tabletop exercise, 202, 359
Tamper Data, 387
tamper-proof seals, 197, 356
tarpits, 15, 285, 287
tcpdump, 276, 388–389
technical controls, 159, 162, 340, 341
Technical Report, 211, 231–232, 314, 362, 363, 372
telnet, 76, 85, 311, 314
testing
- binaries, 15, 285
- systems for, 136, 329
- vulnerability scanners, 30–31, 294
threat actors
- APTs as, 37, 296
- associated with advanced persistent threat (APT), 3, 282
- classifying, 30, 293
- defined, 150
threat feeds, 299
threat hunting, 47, 299, 300
threat information, types of, 52–53, 302
threat intelligence
- leveraging, 371
- recipients of information about, 5, 62, 282, 307
threat modeling, 292
3DES, 22, 289
time synchronization, 277
time to resolve critical vulnerabilities metric, 234, 373
time zones, 49, 300
timeline, 218, 366
top command, 33, 34, 291, 294, 295
traceroute, 311
tracking chain of custody, 251, 380
traffic, filtering, 51, 301
training and transition, 147, 334
Transport Layer Security (TLS), 20, 21, 48, 288, 289, 300
Tripwire, 28, 42, 292, 298
Trojan horses, 308
troubleshooting
- logs, 56, 303
- ports, 70, 309
true positive, 137, 330
Truman, 62, 306
Trusted Automated eXchange of Intelligence Information (TAXII), 293
trusted system binary kit, 190, 354
two-person control, 157, 338, 339

U

Ubuntu, 205
UEFI, 332
uncredentialed external scan, 237, 374
Unicode, 332
Unknown Device Report, 213, 314, 363
unprotected storage, 73, 310
unvalidated input, 139
updating vulnerability feeds, 133, 328
upgrading
- Nessus, 128, 327
- web servers, 118
- Windows, 105, 320
URL analysis, 50, 301
usage, improper, 214, 364
USB devices, 288
USB token, 308
US-CERT, 215, 364
user acceptance testing (UAT), 138, 330, 334
User Datagram Protocol (UDP) ports
- scanning, 11, 284
- UDP scan, 78, 312
user entity behavior analytics (UEBA), 44, 297, 299, 301
user input validation, 247, 378

V

validation, 196, 356
vendor testing and audits, 73, 310
version detection, 107, 321
virtual LANs (VLANs)
- about, 286
- isolation, 286
- tagging, 286
virtual private networks (VPNs)
- about, 96, 286, 289, 318
- Encapsulating Security Payload (ESP) and, 41–42, 297
virtualization
- containerization compared with, 19, 288
- tool for, 297
virtualized systems, 88, 315
viruses, 308
VirusTotal, 16, 25, 58, 286, 291, 304
VMware host, 17, 86, 286–287, 315
VoIP hacks, 18, 287
volume encryption
- about, 17, 286
- infrastructure-as-a-service and, 6–7, 283
vulnerabilities. see also specific topics
- marking as exceptions, 132, 328
- severity of, 243–244, 376
vulnerability feeds
- about, 282
- updating, 133, 328
vulnerability management tools, 24, 290
vulnerability scanning
- about, 9, 284
- automated, 23, 290
- testing, 30–31, 294
- tool for, 162

W

Wapiti, 357
Waterfall software development, 142, 330, 332
web application firewalls (WAFs), 131, 142, 149, 214, 328, 332, 335
web application reconnaissance tool, 163
web application SQL injection, 126, 326
web content filtering, 322
web proxy, 143, 332
web server logs, 40–41, 62, 297, 307
web servers
- about, 203, 259, 382
- embedded, 116
- port 8080 and, 10, 284
- port 8443 and, 10, 284
- ports for, 84, 314
- upgrading, 118
website certificates, expiration of, 21, 288
whitelisting. see allowlisting
WHOIS query, 9, 50, 63, 76, 77, 283, 301, 307, 311, 312
wide area network (WAN), 306
Windows
- about, 263
- command prompt, 196
- file auditing, 50, 301
- patches, 86–87, 315
- ports for, 96, 317
- registry, 371
- system files, 193, 356
- upgrading, 105, 320
Windows Event ID, 35, 295
Windows Hello, 306
Windows Performance Monitor, 25, 291
Windows Quick Format option, 350
Windows server, port 3389 for, 85, 314
Windows System Restore, 355
Windows Update, 122–123, 325
WINLOGIN.EXE, 305
wiping tool, 384
wired networks, 78, 312
wireless authentication logs, 228, 371
wireless networks, 78, 312
wireless routers, Nmap scans and, 71, 309
Wireshark
- about, 235, 373
- for capturing download traffic, 49, 300
- for gathering network traffic, 11, 284
- for passive network mapping, 77, 312
workstations
- about, 75, 311
- configuring, 101, 319
worms, 64, 308
WPA3 Enterprise, 78, 312, 371
write blocker, 176, 347

X

X.509 certificates, 321

Z

ZAP, 342, 357, 387
zero wipe, 286
zero-day attacks, 371
zero-trust networks
- about, 61, 306
- IP address and, 63, 307
zero-write drives, 237
zone transfers, 77, 311

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Index

Create new playlist

Sign In

Sign Up

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Z

Table of Contents for
Index