../ (dot-dot-slash) attack 76, 274–275
; (semicolon) 73
' (single quotation mark) 73
_ (underscore) 740
0phtCrack 44
2FA (two-factor authentication) 298
802.1X standard 510, 553–556, 562, 664–667, 673
A record (Address mapping record) 796
AAA (authentication, authorization, and accounting) framework 306
AAR (after action report) 928–929
ABAC (attribute-based access control) 638–645, 678, 679
acceptable use policies (AUPs) 898, 900
acceptance of risk 919
access control. See also 802.1X standard; identity; passwords
access control entries (ACEs) 643
access control lists (ACLs) 490, 528, 535, 643, 831
attribute-based 638–645, 678, 679
centralized versus decentralized 679
centralized/decentralized 640
delegation of access 662
identity and access management (IAM) 605, 633
implicit deny 680
least privilege 264, 630, 681, 908
open 150
types of 646
privileged access management (PAM) 678, 679
summary of 679
user access recertification 645
access control entries (ACEs) 643
access control lists (ACLs) 490, 528, 535, 643, 831
access points (APs)
rogue 99
accounting, AAA framework for 306
accounts 629–633. See also access control; passwords
administrator 908
harvesting 18
open 150
types of 646
policies 633
root 908
service 908
ACEs (access control entries) 643
ACI (Application Centric Infrastructure) 243
acknowledgement (ACK) packets 84
ACLs (access control lists) 490, 528, 535, 643, 831
acquisition, forensic
artifacts 853
cache 852
checksums 857
data breach notification laws 855–856
definition of 847
disk 848
firmware 851
integrity 856
operating system 850
order of volatility 848
on-premises versus cloud 853–854
random-access memory (RAM) 848–849
regulatory and jurisdictional 855
right-to-audit clauses 854
Active Directory Certificate Services (AD CS) utility 691
Active Directory Users and Computers (ADUC) 640
active reconnaissance 18, 204–205
active/active load balancing 488
active/passive load balancing 488
Activity Monitor 542
actors, threat
attributes of 122
AD. See Active Directory (AD)
additional or associated data (AEAD) 404
Address mapping record (A record) 796
Address Resolution Protocol. See ARP (Address Resolution Protocol)
address space layout randomization (ASLR) 76, 265, 272
addresses
MAC (media access control) 101, 511
network address allocation 443–444
network address translation 501, 529, 562
virtual IP 488
administrator accounts 908
admissibility, evidence 843
ADSP (Author Domain Signing Practices) 110
ADUC (Active Directory Users and Computers) 640
Advanced Encryption Standard (AES). See AES (Advanced Encryption Standard)
Advanced IP scanner 721
advanced persistent threats (APTs) 35, 120–121, 451, 770
AE (authenticated encryption) 404
AEAD (additional or associated data) 404
aerospace application-embedded systems 348–350
AES (Advanced Encryption Standard) 412, 430, 475, 552
AES-GCM 498
AES-GMAC 498
AFL (American Fuzzy Lop) 269
after action report (AAR) 928–929
aggregation, log 186
aggregators 526
Agile development methodology 258–259
agreement, terms of 948
AH (Authentication Header) 437, 520
AI (artificial intelligence) 50–51
AI (Asset Identification) 885, 941–942
AICPA (American Institute of Certified Public Accountants) 883
AI/ML (artificial intelligence and machine learning) 50–51
AIR (As-if Infinitely Ranged) integer model 77
air traffic control (ATC) 349–350
AirMagnet 99
AIS (automated indicator sharing) 125
aisles, hot/cold 386
ALE (annualized loss expectancy) 922
alerts, SIEM 788
ALG (application-level gateway) 529
algorithms
Grover’s 402
Digital Signature Algorithm (DSA) 396, 412
Elliptic Curve Digital Signature Algorithm (ECDSA) 551–552
Message Digest Algorithm 5 (MD5) 55, 219
Secure Hash Algorithm (SHA) 55, 551–552
key generation 395
message authentication code (MAC) 410
online resources 498
public key 411
scheduling 488
Shor’s 402
signature verifying 395
signing 395
allocation, network address 443–444
allow lists 467, 578, 583, 822
ALTER DATABASE statement 71
ALTER TABLE statement 71
always-on VPN functionality 495
Amazon Web Services (AWS) 232–233, 244, 603, 853, 870
American Fuzzy Lop (AFL) 269
American Institute of Certified Public Accountants (AICPA) 883
amplification attacks 112
analytics logs 383
Android Auto 347
Angry IP scanner 721
annualized loss expectancy (ALE) 922
annualized rate of occurrence (ARO) 922
anomaly-based analysis 521–523
anonymization 945
anti-forensics 770
antimalware 452
antivirus software 451
anycast addresses 537
anything as a service (XaaS) 139, 232
AP isolation 562
Apache
HTTP Server 146
Mesos 240
web servers 794
APIs (application programming interfaces) 86
API-based keyloggers 42
infrastructure as code 241–243
inspection and integration 607, 610
security considerations 216
APP (Australia Privacy Principles) 220
Apple
CarPlay 347
macOS Activity Monitor 542
appliances, network 513–514. See also firewalls
aggregators 526
hardware security modules (HSMs) 524
jump servers 514
network intrusion detection systems (NIDSs) 517–518
advantages/disadvantages 519–520
anomaly-based analysis 521–523
heuristic-based analysis 521
promiscuous mode 517
stateful pattern-matching recognition 521
network intrusion prevention systems (NIPSs)
advantages/disadvantages 519–520
anomaly-based analysis 521–523
false positives/false negatives 519
heuristic-based analysis 521
application allow lists. See allow lists
application block/deny lists. See block/deny lists
Application Centric Infrastructure (ACI) 243
application development. See also application security
application provisioning and deprovisioning 260
automation and scripting 278–279
diversity 278
integrity measurement 261
Open Web Application Security Project (OWASP) 204, 276–277
programming testing methods
penetration testing 266
static and dynamic code analysis 269
software development environments 257–260
software development lifecycle (SDLC) 78, 261–262, 263–265, 468, 868
vulnerabilities and attacks 74–75
buffer overflows 75–76, 77, 149, 271–272, 275
code injection 149, 273–274, 276
cross-site request forgery (XSRF) 149, 272, 275
cross-site scripting (XSS) 54, 68–70, 110, 149, 272, 275, 601
directory traversal 75–76, 149, 274–275, 276
DLL injection 74
driver manipulation 89
LDAP injection 74
memory/buffer 77–78, 88, 149, 271–272, 275
privilege escalation 67–68, 201, 770
race conditions 79
remote code execution (RCE) 78, 146, 149, 275
SQL injection (SQLi) 54, 70–74, 273–274
application management, mobile 576–578
application programming interfaces. See APIs (application programming interfaces)
application scanners 182
application security 463–464, 475–476, 612. See also application development
allow lists 467, 578, 583, 822
application shielding 471
authentication 298
block/deny lists 467–468, 822–823
disk encryption 473
fuzzing 471
hardening 471
hardware root of trust 476–477
Hypertext Transfer Protocol (HTTP) 436–437, 465–466, 577
input validation 464
manual code review 470
mobile devices 581
registry 472
secure coding practices 468
secure cookies 465
self-encrypting drives (SEDs) 475–476
Trusted Platform Module (TPM) 477–478
application service providers (ASPs) 139, 231
application-aware devices 518
application-based segmentation 489–490
application-level gateways (ALGs) 529
approved lists 822
AppScan 204
APs (access points)
rogue 99
APT29 (Cozy Bear) 346
apt-get install snmp snmpwalk command 436
APTs (advanced persistent threats) 120–121, 451, 770
archive.org 147
Arduino 340
ARF (Asset Reporting Format) 885
ARO (annualized rate of occurrence) 922
ARP (Address Resolution Protocol)
spoofing 513
artifacts, forensic 853
artificial intelligence and machine learning (AI/ML) 50–51, 788
As-if Infinitely Ranged (AIR) integer model 77
ASLR (address space layout randomization) 76, 265, 272
ASPs (application service providers) 139, 231
assertion parties (SAML) 659
assertions 623
assessments, security. See security assessments
Asset Identification (AI) 885, 941–942
Asset Reporting Format (ARF) 885
ATC (air traffic control) 349–350
ATT&CK framework (MITRE) 18, 128–129, 176, 205, 223, 767–768
Attack Complexity (AC) metric 183
Attack Vector (AV) metric 183
attribute-based access control (ABAC) 638–645, 678, 679
audit trails 870
auditors 947
AUPs (acceptable use policies) 898, 900
Australia Privacy Principles (APP) 220
authentication
802.1X standard 510, 553–556, 562, 664–667, 673
attestation 294
authenticated encryption (AE) 404
authenticated modes 404
authentication applications 298
biometric systems 300, 378, 625–626, 869
crossover error rate (CER) 304
efficacy of 302
errors with 626
false acceptance rate (FAR) 303, 626
false rejection rate (FRR) 303, 626
gait analysis 302
iris recognition 301
retina scanning 301
vein authentication 302
voice/speech recognition 302
captive portals 559
Challenge-Handshake Authentication Protocol 673
challenge-response authentication (CRA) 571–572
by characteristic attributes 625–626
CIA (confidentiality, integrity, availability) 289
cloud versus on-premises requirements 306–307
context-aware authentication 658
embedded systems 363
Extensible Authentication Protocol (EAP) 553–556, 664–667
LEAP 666
federation 292–293, 556–557, 658
hardware security modules (HSMs) 656
HMAC-based one-time password (HOTP) 295–296
Kerberos 82–83, 89, 292, 553, 668–670, 673
Lightweight Directory Access Protocol (LDAP) 291, 442, 667–670
Lightweight Directory Access Protocol over SSL (LDAPS) 432
OpenID and OpenID Connect 663–664
by ownership 625
push notifications 299
remote
Challenge-Handshake Authentication Protocol (CHAP) 670–672, 673
Remote Access Service (RAS) 670–672
Security Assertion Markup Language (SAML) 659–661
Short Message Service (SMS) 296–297
single sign-on (SSO) 292, 373, 624, 658–659
static codes 298
summary of 673
time-based one-time password (TOTP) 295
token key 297
Trusted Platform Module (TPM) 294, 655
two-factor 298
Wi-Fi Protected Setup (WPS) 558–559
authentication attacks 55, 602
Authentication Header (AH) 437, 520
authentication servers 555, 665
Author Domain Signing Practices (ADSP) 110
authorized hackers 121
Auto (Android) 347
automated indicator sharing (AIS) 125
automation
application development 278–279
facility 345
autonomous underwater vehicles (AUVs) 353–354
AUVs (autonomous underwater vehicles) 353–354
availability 289
Availability Impact (I) metric 184
avalanche effect 463
avoidance, risk 918
awareness, risk 921
AWS (Amazon Web Services) 244, 603, 853
backdoors 42–43, 149, 271, 275
background checks 899
backups 158
cloud 326
copy 326
disk 326
image 326
NAS (network-attached storage) 326
offsite 327
online versus offline 326
snapshot 326
tape 326
baiting 19
bandwidth monitors 804
base groups 182
baseband radio 359
Bash 113
Basic Encoding Rules (BER) 697
basic input/output system (BIOS) 851
BCDR (business continuity and disaster recovery) 139, 232
BCPs (business continuity plans) 773–774, 929
beamforming 560
Bell-LaPadula 677
BER (Basic Encoding Rules) 697
BGP (Border Gateway Protocol) hijacking 535–536
BIA (business impact analysis) 773, 926–927
Biba 677
binaries 278
binary planting 74
biometric systems 300, 378, 625–626, 869
crossover error rate (CER) 304
efficacy of 302
errors with 626
false acceptance rate (FAR) 303, 626
false rejection rate (FRR) 303, 626
gait analysis 302
iris recognition 301
retina scanning 301
vein authentication 302
voice/speech recognition 302
BIOS (basic input/output system) 851
birthday attacks 56
BiSL (Business Information Services Library) 882
Bitcoin-related SMS scams 12
BitTorrent 529
black hat hackers 121
black-box testing 80
blackhole DNS servers 223
Blackhole exploit kit 44, 111–112
blanket purchase agreements (BPAs) 903
blind hijacking 84
blind SQL injection 73
block all. See implicit deny
block ciphers 411
block/deny lists 467–468, 578, 583, 822–823
blocking 417
Blowfish 412
Boolean technique 74
boot integrity
Unified Extensible Firmware Interface (UEFI) 459
Border Gateway Protocol (BGP) hijacking 535–536
bots and botnets 37–38, 111–112, 580
BPAs. See blanket purchase agreements (BPAs); business partnership agreements (BPAs)
BPDU (Bridge Protocol Data Unit) guard 512
bring-your-own-device (BYOD) 215, 572, 574–576, 581, 588–590, 826, 898
broadcast storm prevention 512
BPDU guard 512
loop protection 512
MAC filtering 513
buckets 605
buffer overflows 75–76, 77, 149, 271–272, 275, 522
BugCrowd 203
building loss 925
burning 386
Burp Suite Professional 204
buses, controller area network (CAN) 347–348
business continuity and disaster recovery (BCDR) 139, 232
business continuity plans (BCPs) 773–774, 929
business impact analysis (BIA) 773, 926–927
business partnership agreements (BPAs) 903
BYOD. See bring-your-own-device (BYOD)
cables
locks 379
malicious USB 48
CAC (Common Access Card) 629
cache
ARP cache poisoning 105
caching proxy 514
forensic acquisition 852
Cain and Abel 44
California Consumer Privacy Act (CCPA) 214, 220, 880
call management systems (CMSs) 351
Call Manager log files 799–800
CAM (content addressable memory) 106
cameras
centralized versus decentralized 375
closed-circuit television (CCTV) 376–377, 870
motion recognition 376
object detection 376
CAN (controller area network) bus 347–348
Canada, Personal Information Protection and Electronic Data Act (PIPEDA) 220
Canonical Encoding Rules (CER) 697
capital expenditure (CapEx) 598
captive portals 559
capture, packet. See packet capture and replay
capture the flag 902
CarPlay, Apple 347
carrier unlocking 584
CAs (certificate authorities) 466, 556, 689–691, 829
CASBs (cloud access security brokers) 142–143, 611–612, 614
CBC (Cipher Block Chaining) mode 405
CBT (computer-based training) 901
CBWFQ (class-based weighted fair queuing) 536
CCE (Common Configuration Enumeration) 886
CCleaner 51
CCPA (California Consumer Privacy Act) 214, 220, 880
CCSS (Common Configuration Scoring System) 886
CCTV (closed-circuit television) 376–377, 870
CD (continuous delivery) 279
CDP (clean desk policy) 23, 899, 900
cellular connection methods and receivers 572–573
Center for Internet Security (CIS) 164, 881, 883
centralized access control 640, 679
centralized cameras 375
centralized controllers 242
CER (Canonical Encoding Rules) 697
CER (crossover error rate) 304, 626
.cer file extension 697
CERT (Community Emergency Response Team) 77
certificate authorities (CAs) 466, 556, 689–691, 829
certificate revocation lists (CRLs) 533, 689–690, 691, 829
certificate signing requests (CSRs) 689
chaining 696
expiration 693
formats 697
pinning 698
Subject Alternative Name 693
CFB (Cipher Feedback) mode 406
chain of trust 699
Challenge-Handshake Authentication Protocol (CHAP) 673
challenge-response authentication (CRA) 49–50, 102, 571–572
change management 909
CHAP (Challenge-Handshake Authentication Protocol) 82–83, 670–672, 673
characteristic attributes, authentication by 625–626
Check Point 518
chief information officers (CIOs) 903
chief security officers (CSOs) 930
chkdsk command 157
chmod command 644–645, 736–737
choose-your-own-device (CYOD) 588–590
CI (continuous integration) 279
CIA (confidentiality, integrity, availability) 221, 263, 289
CIDR (classless interdomain routing) netblock 203–204
CIOs (chief information officers) 903
Cipher Block Chaining (CBC) mode 405
Cipher Feedback (CFB) mode 406
CIRT. See incident response (IR) teams
CIS (Center for Internet Security) 164, 881, 883
CISA (Cybersecurity and Infrastructure Security Agency) 353–354
Cisco
Application Centric Infrastructure (ACI) 243
Application Policy Infrastructure Controller (APIC) 243
Cisco Discovery Protocol (CDP) 107
Email Security Appliance (ESA) 111
Identity Services Engine (ISE) 590
Mutiny Fuzzing Framework 269
security advisories and bulletins 179
Talos 347
Umbrella 509
Clark-Wilson 677
class-based weighted fair queuing (CBWFQ) 536
classification
classless interdomain routing (CIDR) netblock 203–204
clean desk policy (CDP) 23, 899, 900
clean pipe 112
clickjacking 84
client-based VPNs (virtual private networks) 497
clientless VPNs (virtual private networks) 497, 507–508
clientless web access 507
client-side execution 267
client-side validation 268
clock, secure 477
cloning
MAC (media access control) 106
SIM (subscriber identity module) cards 580, 584
closed-circuit television (CCTV) 376–377, 870
cloud access security brokers (CASBs) 142–143, 611–612, 614
cloud computing
advantages of 138
attacks and vulnerabilities 52–55, 123, 137–143, 601–603
backups 326
cloud access security brokers (CASBs) 142–143, 611–612, 614
cloud service providers (CSPs) 139, 233, 598, 853–854
definition of 138
fog and edge computing 234–235
managed detection and response (MDR) 234
managed service providers (MSPs) 233–234
off-premises versus on-premises services 234
resilience 325
security assessments 598
API inspection and integration 607, 610
dynamic resource allocation 607–608, 611
high availability across zones 603, 609
integration and auditing 604, 609
native versus third-party 615
virtual private cloud endpoint 608, 611
security solutions
application security 612
cloud access security brokers (CASBs) 611–612, 614
Secure Web Gateway (SWG) 613, 614
storage
encryption 605
high availability 606
permissions 605
replication 605
VPCs (virtual private clouds) 607, 608, 611
Cloud Controls Matrix 884
Cloud Security Alliance (CSA) 139, 603, 884
Cloud Service (Google) 603
cloud service providers (CSPs) 139, 233, 598, 853–854
Cloudflare 440
cloudlets 235
Cluster Server 488
CMSs (call management systems) 351
CMSS (Common Misuse Scoring System) 887
COBIT framework 882
code, infrastructure as 241–243
code camouflage 265
code injection 149, 273–274, 276
code signing 466–467, 695, 696
manual code review 470
cold aisles 386
cold sites 222
collection, log 186
command-and-control (C2) servers 37–38, 107
commands. See individual commands
comment delimiters 73
Common Access Card (CAC) 629
Common Configuration Enumeration (CCE) 886
Common Configuration Scoring System (CCSS) 886
Common Misuse Scoring System (CMSS) 887
common names (CNs) 692
Common Object Request Broker Architecture (CORBA) 86
Common Platform Enumeration (CPE) 886
Common Remediation Enumeration (CRE) 886
Common Security Advisory Framework (CSAF) 164
Common Vulnerabilities and Exposures (CVEs), Wi-Fi 78, 125, 146, 177, 571, 886
Common Vulnerability Reporting Framework (CVRF) 164
Common Vulnerability Scoring System (CVSS) 182–186, 886
Common Weakness Enumeration (CWE) 75, 886
Common Weakness Scoring System (CWSS) 887
communications
embedded systems
baseband radio 359
NarrowBand 358
subscriber identity module (SIM) cards 360
Community Emergency Response Team (CERT) 77
community ports 491
compensating controls 871, 872
compilers 278
compile-time errors 81–82, 266–267
compliance, software 918
computer certificates 696
computer incident response teams. See incident response (IR) teams
computer-based training (CBT) 901
Concealment 415
concentrators, VPN 495
confidence tricks 19
Confidential information 905, 941–942
Confidentiality Impact (C) metric 184
configuration management 164, 213
configuration reviews 182
mitigation techniques 824
certificates, updating/revoking 829–830
content filter/URL filter 828–829
data loss prevention (DLP) 825–826
firewall rules 825
mobile device management (MDM) 825–826
secure configuration guides 885–888
connection methods and receivers
Global Positioning System (GPS) 572, 584
near-field communication (NFC) 570–571
radio frequency identification (RFID) 571–572
satellite communications (SATCOM) 573
secure implementation best practices 573–574
containment, incident response (IR) 763–764, 830–831
content addressable memory (CAM) 106
context-aware authentication 658
continuity of operations plans (COOPs) 774–775, 929
continuous delivery (CD) 279
continuous deployment 279
continuous integration (CI) 279
continuous monitoring 139, 278
continuous validation 278
Control Objectives for Information and Related Technology (COBIT) 882
control systems, diversity in 332
controller area network (CAN) bus 347–348
controller-pilot data link communications (CPDLC) 349–350
controls. See also physical security
managerial 868
convert command 156
cookie hijacking 465
cookies 465
cookies, secure 465
COOPs (continuity of operations plans) 774–775, 929
Coordinated Universal Time (UTC) 440, 845
COPE (corporate-owned, personally enabled) environments 572, 588
copy backups 326
CORBA (Common Object Request Broker Architecture) 86
corporate incidents 775
corporate-owned, personally enabled (COPE) environments 572, 588–590
correlation, log 186
correlation, Security Information and Event Management (SIEM) 788–789
Counter (CTR) mode 404, 408–409
counterintelligence 860
Counter-mode/CBC-MAC protocol (CCMP) 552
counters, secure 477
country names, certificate 692
cover-files 416
Cozy Bear 346
CPE (Common Platform Enumeration) 886
CRA (challenge-response authentication) 49–50, 102, 571–572
cracking passwords 46
CRE (Common Remediation Enumeration) 886
CREATE DATABASE statement 70
CREATE INDEX statement 71
CREATE TABLE statement 71
credentials
credentialed vulnerability scans 182, 349–350
harvesting 18
crimeware 44
criminal syndicates 120
Critical information 942
critical systems, identification of 929
CRLs (certificate revocation lists) 533, 689–690, 691, 829
crossover error rate (CER) 304, 626
cross-site request forgery (XSRF) 85–86, 149, 272, 275, 602
cross-site scripting (XSS) 54, 68–70, 110, 149, 272, 275, 464, 601
.crt file extension 697
cryptography 396. See also encryption; hashing; secure protocols
algorithms 498
cryptographic attacks
birthday 56
cryptographic protocols 551
Advanced Encryption Standard (AES) 552
Counter-mode/CBC-MAC protocol (CCMP) 552
Simultaneous Authentication of Equals (SAE) 551, 552
summary of 552
Wi-Fi Protected Access 2 (WPA2) 551
Wi-Fi Protected Access 3 (WPA3) 551–552
definition of 391
digital signatures 395–396, 520
diversity in 331
elliptic-curve cryptography (ECC) 399–400
encryption
data at rest 218
data in transit/motion 218
data in use/processing 218
disk 473
entropy 419
homomorphic 417
international mobile subscriber identity (IMSI) 49, 358, 584
mobile device management (MDM) 578–580
entropy 419
keys
ephemeral 403
key exchanges 399
key signing keys (KSKs) 427
length of 396
password 655
personal unblocking keys (PUKs) 360
stretching 397
zone signing keys (ZSKs) 427
modes
authenticated 404
Cipher Block Chaining (CBC) 405
Cipher Feedback (CFB) 406
counter 404
Electronic Code Book (ECB) 404
Output Feedback (OFB) 407
unauthenticated 404
perfect forward secrecy 400–401
post-quantum 402
Public Key Cryptography Standards (PKCS) 412
quantum
computing 402
definition of 401
steganography 415
homomorphic 417
video 416
CSA (Cloud Security Alliance) 139, 603, 884
CSAF (Common Security Advisory Framework) 164
CSF (Cybersecurity Framework) 882, 884
CSIRT. See incident response (IR) teams
CSOs (chief security officers) 930
CSPs (cloud service providers) 139, 233, 598, 853–854
CSRF (cross-site request forgery) 602
CSRs (certificate signing requests) 689
CTR (Counter) mode 404, 408–409
custodians, data 946
CVE (Common Vulnerability and Exposure) 78, 125, 146, 177, 886
CVE Numbering Authorities (CNAs) 179
CVRF (Common Vulnerability Reporting Framework) 164
CVSS (Common Vulnerability Scoring System) 182–186, 886
CWE (Common Weakness Enumeration) 75, 886
CWSS (Common Weakness Scoring System) 887
Cybersecurity and Infrastructure Security Agency (CISA) 353–354
Cybersecurity Framework (CSF) 882, 884
cybersecurity insurance 918
cybersecurity resilience. See resilience
CYOD (choose-your-own-device) 588
DAC (discretionary access control) 674–676, 679
DAEAD (deterministic authenticated encryption with associated data) 404
DAI (Dynamic ARP Inspection) 105
DAST (dynamic application security testing) 470–471
data breaches
data types and asset classification 941–942
fines 940
identity theft 940
impact assessment 948
intellectual property theft 940
personally identifiable information (PII) 943
privacy enhancing technologies 944–945
privacy notices 949
protected health information (PHI) 944
reputation damage from 940
response and recovery controls 220–221
security roles and responsibilities 945–947
terms of agreement 948
data controllers 946
data custodians/stewards 946
data destruction, secure 386–387
Data Encryption Standard (DES) 412
data exposure 267
data in transit/motion 156, 218
data in use/processing 156, 218
data input 186
data labeling 676
data loss prevention (DLP) 139, 214–215, 453, 582, 586, 699, 825–826, 871
data owners 946
data privacy. See privacy breaches
data privacy officers (DPOs) 905
data processors 946
data protection officers (DPOs) 947
data recovery 859
data retention policies 775–776, 906
data sources
bandwidth monitors 804
Internet Protocol Flow Information Export (IPFIX) 811–813
log files 789
Domain Name System (DNS) 795–796
dump files 797
journalctl 802
network 790
security 793
Session Initiation Protocol (SIP) 800
syslog/rsyslog/syslog-ng 800–801
Voice over Internet Protocol (VoIP) 799–800
web server 794
in email 808
in files 809
on mobile devices 808
protocol analyzers 813
Security Information and Event Management (SIEM)
alerts 788
sensitivity 788
sensors 787
trends 788
vulnerability scan output 785–786
DC (direct current) 380
DCOM (Distributed Component Object Model) 86
DCS (distributed control systems) 343
DCT (Discrete Cosine Transforms) 417
DDoS (distributed denial-of-service) attacks 37–38, 54, 111–113, 601
dead box forensic collection 858
dead code 270
Dead Peer Detection (DPD) 501
deauthentication attacks 101
decentralized access control 640, 679
decentralized cameras 375
decentralized trust models 698
deception and disruption techniques
fake telemetry 223
honeyfiles 223
DeepSound 415
defense in depth 264
defrag command 158
defragmentation 158
degaussing 387
delegation of access 662
DELETE statement 70
delivery
continuous 279
demilitarized zones (DMZs) 384, 491
denial-of-service (DoS) attacks 88, 122, 267, 601, 770
deny lists 467–468, 578, 583, 822–823
Department of Defense (DoD) security standards 674
deployment, continuous 279
deprovisioning, application 260
DER (Distinguished Encoding Rules) 697
DES (Data Encryption Standard) 412
design constraints, embedded systems 361
authentication 363
cost 363
crypto 362
implied trust 363
inability to patch 362
network 362
power 361
range 363
destruction and disposal services 387
detective controls 869–870, 872
deterministic authenticated encryption with associated data (DAEAD) 404
deterrent controls 869, 870–871, 872
development environments 257–260
development lifecycle. See software development lifecycle (SDLC)
devices, forensic acquisition 850–851
devices, mobile. See mobile solutions
DFIR (Digital Forensics and Incident Response) 744
DHCP (Dynamic Host Configuration Protocol) 443
starvation attack 513
diagrams, configuration 213
Diamond Model of Intrusion Analysis 768–770
DigiCert 691
digital forensics. See forensics, digital
Digital Millennium Copyright Act 220
digital rights management (DRM) 67, 219–220
digital signal processors (DSPs) 359
Digital Signature Algorithm (DSA) 396, 412
digital signatures 395–396, 520
digital video recorders (DVRs) 376–377
direct current (DC) 380
directory services 291–292, 442
directory traversal 75–76, 149, 274–275, 276
disassociation attacks 101
disaster recovery plans (DRPs) 330–331, 772–773, 926, 928–930
disclosures, public 940
discovery tools
definition of 707
hping 717
ipconfig 710
ping6 716
Discrete Cosine Transforms (DCT) 417
discretionary access control (DAC) 674–676, 679
Disk Cleanup 157
Disk Defragmenter 158
disks
backups 326
encryption 473
forensic acquisition of 848
redundancy
multipath 319
Redundant Array of Inexpensive Disks (RAID) 315–316
Redundant Array of Inexpensive Disks (RAID) 869
Distinguished Encoding Rules (DER) 697
Distributed Component Object Model (DCOM) 86
distributed control systems (DCS) 343
distributed denial-of-service (DDoS) attacks 37–38, 54, 111–113, 601
Distributed Ledger Technology (DLT) 409
DKIM (Domain Keys Identified Mail) 110, 426
DLL (dynamic link library) injection 74, 274
DLP (data loss prevention) 139, 214–215, 453, 582, 586, 699, 825–826, 871
DLT (Distributed Ledger Technology) 409
DMARC (Domain-based Message Authentication, Reporting & Conformance) 111
DNSSEC (Domain Name System Security Extensions) 796
DMZs (demilitarized zones) 384, 491
DNS (Domain Name System) 442–443
attacks 54
cloud-based 601
DDoS (distributed denial-of-service) 37–38, 54, 111–113, 601
DNS amplification attack 112
domain hijacking 108
prevalence of 107
URL redirection attacks 110
DNS Security Extensions (DNSSEC) 108, 426–427
DNS sinkholes 223
DNSSEC (Domain Name System Security Extensions) 108, 426–427, 442–443
docker images command 237
docker ps command 238
docker search command 239
Document Object Model (DOM) 68–69
documentation, forensic
admissibility of 843
chain of custody 844
legal hold 842
reports 846
timelines and sequence of events 844–845
time offset 844
timestamps 844
DOM (Document Object Model) 68–69
Domain Keys Identified Mail (DKIM) 110, 426
domain name resolution 442–443
Domain Name System. See DNS (Domain Name System)
domain validation (DV) certificates 694
Domain-based Message Authentication, Reporting & Conformance (DMARC) 111
DoS (denial-of-service) attacks 88, 601, 770
DPD (Dead Peer Detection) 501
DPOs (data privacy officers) 905
driver manipulation 89
drives. See disks
DRM (digital rights management) 67, 219–220
DROP INDEX statement 71
DROP TABLE statement 71
DRPs (disaster recovery plans) 772–773, 926, 928–930
DSA (Digital Signature Algorithm) 396, 412
DSPs (digital signal processors) 359
DTP (Dynamic Trunking Protocol) 106
dual parity, striping with (RAID) 316, 318
dual power supplies 321
due care 900
due diligence 900
due process 900
dump files 797
dumpster diving 13
duties, separation of 898, 900
DV (domain validation) certificates 694
DVRs (digital video recorders) 376–377
dynamic application security testing (DAST) 470–471
Dynamic ARP Inspection (DAI) 105
dynamic code analysis 269, 470–471
Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)
dynamic link library (DLL) injection 74, 274
dynamic resource allocation 607–608, 611
Dynamic Trunking Protocol (DTP) 106
EAP (Extensible Authentication Protocol) 553–556, 664–667
LEAP 666
east-west traffic 492
ECB (Electronic Code Book) 404
ECC (elliptic-curve cryptography) 399–400
ECDSA (Elliptic Curve Digital Signature Algorithm) 551–552
EDR (endpoint detection and response) 452–453
education, user 22–24, 899, 901–902
EEA (European Economic Area) 214, 220
EER (equal error rate). See crossover error rate (CER)
eEye Digital Security, Retina Web Security Scanner 204
EFS (Encrypting File System) 694
ElGamal 412
electrical metallic tubing (EMT) 385
electromagnetic (EM) frequency band 102
Electronic Code Book (ECB) 404
electronic locks 379
electronic serial numbers (ESNs) 49, 584
Elliptic Curve Digital Signature Algorithm (ECDSA) 551–552
elliptic-curve cryptography (ECC) 399–400
elliptic-curve techniques 412
EM (electromagnetic) frequency band 102
email
attack vectors 122
certificates 696
email protocol port numbers 441
email servers 145
metadata in 808
Spam 13
SPIM (Spam over Internet Messaging) 13
synchronization 440
Email Security Appliance (ESA) 111
embedded systems
Arduino 340
communication considerations
baseband radio 359
NarrowBand 358
subscriber identity module (SIM) cards 360
constraints 361
authentication 363
cost 363
crypto 362
implied trust 363
inability to patch 362
network 362
power 361
range 363
definition of 339
Field-Programmable Gate Array (FPGA) 340
heating, ventilation, and air conditioning (HVAC) 352–353
industrial control systems (ICSs) 341–343
Internet of Things (IoT) 38, 98, 113, 344–346, 358, 414
medical systems 347
multifunction printers (MFPs) 354
Raspberry Pi 339
real-time operating systems (RTOSs) 355
smart meters 350
supervisory control and data acquisition (SCADA) 341–343
system on a chip (SoC) 356–357
Voice over Internet Protocol (VoIP) 350, 799–800
emergency preparedness logs 383
EMT (electrical metallic tubing) 385
Encapsulating Security Payload (ESP) 437, 503, 520
Encrypting File System (EFS) 694
encryption
data at rest 218
data in transit/motion 218
data in use/processing 218
disk 473
entropy 419
homomorphic 417
international mobile subscriber identity (IMSI) 49, 358, 584
mobile device management (MDM) 578–580
authenticated 404
Cipher Block Chaining (CBC) 405
Cipher Feedback (CFB) 406
Electronic Code Book (ECB) 404
Output Feedback (OFB) 407
unauthenticated 404
end of life (EOL) 904
end of service life (EOSL) 904
end users 947
endpoint detection and response (EDR) 452–453
endpoint DLP systems 214
endpoint protection 451
endpoint security solutions 822
approved lists 822
block/deny lists 467–468, 578, 583, 822–823
end-to-end headers (HTTP) 466
energy management, SCADA control systems 342–343
engagement, rules of 200
enterprise environments
API considerations 216
configuration management 213, 215–216
deception and disruption techniques
fake telemetry 223
honeyfiles 223
digital rights management (DRM) 219–220
DNS sinkholes 223
encryption 218
response and recovery controls 220–221
enterprise resource planning (ERP) 883
entropy 419
enumerations 886
env command 739
environmental disaster 924
environmental groups 182
environmental variables 740
environments, software development 257–260
known 198
partially known 199
EOL (end of life) 904
EOSL (end of service life) 904
ephemeral keys 403
equal error rate. See crossover error rate (CER)
eradication phase, incident response (IR) 764
ERP (enterprise resource planning) 883
compile-time errors 81–82, 266–267
error-based technique 74
input handling 80
escalation, privilege 67–68, 201, 941
escape attacks, VM (virtual machine) 248–249
escrow, key 699
ESNs (electronic serial numbers) 49, 584
ESP (Encapsulating Security Payload) 437, 503, 520
ethical hacking. See penetration testing
ETSI (European Telecommunications Standards Institute) 235
EU (European Union)
European Economic Area (EEA) 214, 220
European Telecommunications Standards Institute (ETSI) 235
General Data Protection Regulation (GDPR) 42, 214, 220, 356, 434, 453, 760, 855, 878–879, 947
Information Society Directive 220
EV (extended validation) certificates 694
time offset 844
timestamps 844
evidence, forensic
artifacts 853
cache 852
checksums 857
data breach notification laws 855–856
definition of 847
disk 848
firmware 851
integrity 856
operating system 850
order of volatility 848
on-premises versus cloud 853–854
random-access memory (RAM) 848–849
regulatory and jurisdictional 855
right-to-audit clauses 854
admissibility of 843
chain of custody 844
legal hold 842
preservation 858
reports 846
timelines and sequence of events 844–845
time offset 844
timestamps 844
exam preparation
final review and study 953–954
hands-on activities 953
Pearson Test Prep practice test 954
test lab, building 953
exam updates 02.0004–02.0026
exchanges, key 399
executives, security roles and responsibilities 945–947
exercises
walkthrough 766
exFAT 850
expiration, certificates 693
explicit allow/deny 528
Exploit code maturity (E) metric 184
exploit kits 44
Exploitability metrics 183–184
exploitation frameworks 747–748, 770
Extended Detection and Response (XDR) 189
extended validation (EV) certificates 694
Extensible Authentication Protocol. See EAP (Extensible Authentication Protocol)
Extensible Configuration Checklist Description Format (XCCDF) 885
Extensible Markup Language (XML) injection 74–75, 273–274
external actors 122
external risk 917. See also risk management
extinguishers, fire 381
f8-mode (SRTP) 430
FAA (Federal Aviation Administration) 348–349, 353, 382–383
facility automation 345
facility codes 373
fail-closed 927
fail-open 927
failure, single point of 156, 926
failure in time (FIT) 926
fake telemetry 223
false acceptance rate (FAR) 303, 626
false rejection rate (FRR) 303, 626
FAST (Flexible Authentication via Secure Tunneling) 556
Fast Identity Online (FIDO) 297
FAT 850
FDE (full-disk encryption) 473, 475–476
fdisk -l command 157
FEAT command 433
Federal Aviation Administration (FAA) 348–349, 353, 382–383
Federal Information Security Management Act (FISMA) 776
Federal Risk and Authorization Management Program (FedRAMP) 599
Federal Trade Commission (FTC) 17, 221
federated identity management (FIM) 658
federation 292–293, 623–624, 658, 672
FedRAMP (Federal Risk and Authorization Management Program) 599
FFmpeg 416
FIDO (Fast Identity Online) 297
Field-Programmable Gate Array (FPGA) 340
file and code repositories 127
file integrity monitors 542
head command 733
tail command 734
file servers 144
file transfer 440
File Transfer Protocol. See FTP (File Transfer Protocol)
fileless viruses 37
files
log 789
Domain Name System (DNS) 795–796
dump files 797
journalctl 802
network 790
security 793
Session Initiation Protocol (SIP) 800
syslog/rsyslog/syslog-ng 800–801
Voice over Internet Protocol (VoIP) 799–800
web server 794
metadata in 809
filtering
MAC (media access control) 513
packet 528
financial information. See personally identifiable information (PII)
Financial Services Information Sharing and Analysis Center (FS-ISAC) 124
fines 940
fingerprint authentication 300–301
fire
suppression 381
firewalls
appliance 534
application-level gateway (ALG) 529
content URL/filtering 533
hardware versus software 534
multihomed connections 532
NAT gateway 529
network-based application layer 530
next-generation firewall (NGFW) 453–454, 524
packet filtering 528
personal 534
unified threat management (UTM) 524
web application 531
wireless security 562
firmware
firmware over-the-air (OTA) updates 583
forensic acquisition of 851
FIRST (Forum of Incident Response and Security Teams) 180
FISMA (Federal Information Security Management Act) 776
FIT (failure in time) 926
Flexible Authentication via Secure Tunneling (FAST) 556
flood, disaster analysis for 925
flooding, MAC (media access control) 106
FM200 381
footprinting 205
Forcepoint 533
Forefront Identity Manager 658
Foremost 415
Forensic Toolkit (FTK) 747, 850–851
forensics, digital
acquisition
artifacts 853
cache 852
checksums 857
data breach notification laws 855–856
definition of 847
disk 848
firmware 851
integrity 856
operating system 850
order of volatility 848
on-premises versus cloud 853–854
random-access memory (RAM) 848–849
regulatory and jurisdictional 855
right-to-audit clauses 854
data recovery 859
Digital Forensics and Incident Response (DFIR) 744
documentation/evidence
admissibility of 843
chain of custody 844
event logs 846
legal hold 842
reports 846
timelines and sequence of events 844–845
preservation 858
strategic intelligence/counterintelligence 860
tools
Autopsy 747
FTK Imager 747
memdump 745
WinHex 746
formats, certificate 697
Forum of Incident Response and Security Teams (FIRST) 180
forward proxy 516
FPGA (Field-Programmable Gate Array) 340
frameworks
FreeBSD 676
frequency distributions 159
FRR (false rejection rate) 303, 626
fsck command 158
FTC (Federal Trade Commission) 17, 221
FTK (Forensic Toolkit) 747, 850–851
FTP (File Transfer Protocol)
FTPS (File Transfer Protocol, Secure) 432–433
SFTP (Secure File Transfer Protocol) 434
full tunnel mode, SSL/TLS VPN 508
full-disk encryption (FDE) 473, 475–476
gait analysis 302
Galois Message Authentication Code (GMAC), AES in 498
Galois/Counter Mode (GCM) 498, 551–552
gamification 902
gapping 384
gateways
application-level 529
NAT 529
GCM (Galois/Counter Mode) 498, 551–552
GDPR (General Data Protection Regulation) 42, 214, 220, 356, 434, 453, 760, 855, 878–879, 947
general-purpose I/O GPIO framework extension (GpioClx) 477
generators 321
generic accounts 629
Generic Routing Encapsulation (GRE) 520
geographic dispersal 315
geotagging 572–573, 584, 586, 639
GitHub repositories 8, 18, 127, 203, 258
Global Positioning System (GPS) 572, 584
Global Regular Expression Print (grep) 735–736
GMAC (Galois Message Authentication Code), AES in 498
Gnutella 530
Golden SAML attacks 293
Google Pay 584
Google
OAuth 2.0 292
Secret Manager 604
governance, risk, and compliance (GRC) 880, 904–905
GpioClx (general-purpose I/O GPIO framework extension) 477
GPOs (group policy objects) 474
GPS (Global Positioning System) 572, 584
Gramm-Leach-Bliley (GLB) Act 880
GraphQL 86
gray hat hackers 121
gray-box testing 80
GRC (governance, risk, and compliance) 880, 904–905
GRE (Generic Routing Encapsulation) 520
group policy objects (GPOs) 474
groups
base 182
environmental 182
temporal 182
Grover’s algorithm 402
guards 377
guest accounts 629
Guidelines for Evidence Collection and Archiving 848
HA (high availability) 329–330
HackerOne 203
hackers 121. See also penetration testing
hands-on activities 953
hard disks
backups 326
encryption 473
forensic acquisition of 848
redundancy
multipath 319
Redundant Array of Inexpensive Disks (RAID) 315–316
hardening
applications 471
hardware root of trust 476–477
hardware security modules (HSMs) 478, 524, 587, 656
Hardware Shield 851
hashcat 749
HashiCorp Nomad 240
Hashed Message Authentication Mode (HMAC) 295–296, 551–552
hashing
avalanche effect 463
collisions 463
Digital Signature Algorithm (DSA) 396
Elliptic Curve Digital Signature Algorithm (ECDSA) 551–552
Hashed Message Authentication Mode (HMAC) 295–296
Message Digest Algorithm 5 (MD5) 55, 219
padding 463
Secure Hash Algorithm (SHA) 55, 463, 551–552
SHA-256 463
HAVA (Help America Vote Act) 880
head command 733
headers, HTTP (Hypertext Transfer Protocol) 465–466
Health Insurance Portability and Accountability Act (HIPAA) 453, 880, 940, 944
heat maps 559
heating, ventilation, and air conditioning (HVAC) 352–353
Help America Vote Act (HAVA) 880
heuristic-based analysis 521
heuristic-based intrusion detection 521
HID Global 629
HIDSs (host intrusion detection systems) 215, 456, 578, 586
high availability (HA) 329–330
hijacking
blind 84
cookie 465
TCP/IP 84
URL 44
hijacking, domain 108
HIPAA (Health Insurance Portability and Accountability Act) 453, 880, 940, 944
HIPSs (host intrusion prevention systems) 454–455, 523
Hitachi 476
HMAC (Hashed Message Authentication Mode) 295–296, 551–552
HMAC-based one-time password (HOTP) 295–296
HMI (human-machine interface) 341
hoaxes 19
holds, legal 842
HOME environment variable 740
homomorphic encryption 417
homomorphic steganography 417
honeyfiles 223
hop-by-hop headers (HTTP) 466
horizontal privilege escalation 67–68
host command 716
host intrusion detection systems (HIDS) 215, 456, 578, 586
host intrusion prevention systems (HIPSs) 454–455, 523
host security. See also application security
antimalware 452
antivirus software 451
boot integrity
Unified Extensible Firmware Interface (UEFI) 459
data loss prevention (DLP) 453
hashing 463
host intrusion detection systems (HIDS) 215, 456, 578, 586
host intrusion prevention systems (HIPSs) 454–455, 523
next-generation firewall (NGFW) 453–454
Host-based IPSs (HIPSs) 523
hot aisles 386
hot sites 221
hotfixes and patches 160–164, 179–180, 362, 474–475
HOTP (HMAC-based one-time password) 295–296
hotspots 585
hping command 717
Hping.org 717
HSMs (hardware security modules) 478, 524, 587, 656
HTTP (Hypertext Transfer Protocol) 465–466, 577
human resources (HR) personnel 901
human-machine interface (HMI) 341
HUMINT (human intelligence) 18
HVAC (heating, ventilation, and air conditioning) 352–353
hybrid attacks 749
hyper-jacking 248
Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)
hypervisors 325
attacks 601
hypervisor-based keyloggers 42
IA (information assurance). See risk management
IaaS (infrastructure as a service) 139, 231, 603, 853
IaC (infrastructure as code) 241–243, 260
IACS (industrial automation and control systems) 342, 343
IAM (identity and access management) 633
identity and access lifecycle 633–635
account audits 635
disablement 635
privileges provisioning 635
registration and identity validation 633–635
policy 605
IBM
AppScan 204
Data Encryption Standard (DES) 412
QRadar 526
IC (integrated circuit) cards 373
ICCIDs (unique serial numbers) 360
ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) 362
ICSs (industrial control systems) 353–354
identification phase, incident response (IR) 763
identity. See also authentication; certificates; passwords
federation 623
identity and access management (IAM) 633–635
identity and access lifecycle 633–635
policy 605
baiting 19
credential harvesting 18
hoaxes 19
identity theft 940
impersonation/pretexting 19
invoice scams 17
reconnaissance 18
identity providers (IdPs) 292, 623–624, 661
Secure Shell (SSH) keys 628
smart cards 629
Identity Services Engine (ISE) 590
IdPs (identity providers) 292, 623–624, 661
IDSs (intrusion detection systems). See HIDSs (host intrusion detection systems); network intrusion detection systems (NIDSs)
IEEE 802.1X standard 510, 553–556, 562, 664–667, 673
IETF (Internet Engineering Task Force)
IPFIX (Internet Protocol Flow Information Export) 187
RFC (request for comments) 128
IIS (Internet Information Services) 146, 697, 794
IKE (Internet Key Exchange)
IKEv1 Phase 1 negotiation 498–501
IKEv1 Phase 2 negotiation 501–503
image backups 326
IMAP (Internet Message Access Protocol) 438–439
IMEI (international mobile equipment identity) 49, 584
immutability 263
impact assessment 184, 920, 921, 948
impersonation 19
impossible travel time 639
IMSI (international mobile subscriber identity) encryption 358, 584
in-band SQL injection 73
incident response (IR) plans
business continuity plans (BCPs) 773–774, 929
continuity of operations plans (COOPs) 774–775, 929
data retention policies 775–776
Diamond Model of Intrusion Analysis 768–770
disaster recovery plans (DRPs) 772–773
exercises
walkthrough 766
incident response teams 175, 760, 775–776
MITRE ATT&CK framework 18, 128–129, 176, 205, 223, 767–768
process and lifecycle
eradication 764
identification 763
recovery 764
stakeholder management 771–772
incident response (IR) teams 175, 760, 775–776
indicators of compromise (IoCs) 123, 762, 832, 853
industrial automation and control systems (IACS) 342, 343
industrial camouflage 377
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) 362
industrial control systems (ICSs) 341–343, 353–354
Industry 4.0 342
influence campaigns 21
information assurance (IA). See risk management
Information Sharing and Analysis Centers (ISACs) 123–125
Information Society Directive 220
information systems security officers (ISSOs) 930, 947
Information Technology Infrastructure Library (ITIL) 882
information technology operations 263
InfraGard 128
infrastructure as a service (IaaS) 139, 231, 603, 853
infrastructure as code (IaC) 241–243, 260
inherent risk 921
inheritance, of permissions 644–646
Initial Contact 501
initialization vectors (IVs) 103, 403
injection 70
DLL (dynamic link library) 74
LDAP (Lightweight Directory Access Protocol) 74, 144
SQL (Structured Query Language) 54, 70–74, 273–274, 464
XML (Extensible Markup Language) 74–75
inline intrusion prevention systems (IPSs) 523–524
input validation 80, 81, 267–268, 464
INSERT INTO statement 70
insurance, cybersecurity 918
integrated circuit (IC) cards 373
integration
continuous 279
integrity 289
boot
Unified Extensible Firmware Interface (UEFI) 459
forensic acquisition 856
integrity control 378
Intel Hardware Shield 851
intellectual property theft 917, 940
intelligence
automated indicator sharing (AIS) 125
Information Sharing and Analysis Centers (ISACs) 123–125
intelligence fusion 177
MITRE ATT&CK framework 18, 128–129, 176, 205, 223, 767–768
strategic 860
Structured Threat Information eXpression (STIX) 125–127
Trusted Automated eXchange of Indicator Information (TAXII) 125–127
vulnerability databases 125
interconnection security agreements (ISAs) 903
intermediate certificate authorities 696
internal actors 122
internal information 905
internal risk 917. See also risk management
international mobile equipment identity (IMEI) 49, 584
international mobile subscriber identity (IMSI) 49, 358, 584
International Organization for Standardization (ISO) 881, 884, 893
Internet Engineering Task Force (IETF)
IPFIX (Internet Protocol Flow Information Export) 187
RFC (request for comments) 128
Internet Information Services (IIS) 146, 697, 794
Internet Key Exchange. See IKE (Internet Key Exchange)
Internet Message Access Protocol (IMAP) 438–439
Internet of Things (IoT) 38, 98, 113, 344–346, 358, 414
Internet Protocol. See IP (Internet Protocol)
Internet Protocol Flow Information Export (IPFIX) 187, 524, 811–813
Internet Security Association and Key Management Protocol (ISAKMP) 497
Internet service providers (ISPs) 808
Intigriti 203
intrusion detection systems. See host intrusion detection systems (HIDS)
intrusion detection systems (IDSs). See network intrusion detection systems (NIDSs)
intrusion phase, cyber kill chain 770
intrusion prevention systems. See host intrusion prevention systems (HIPSs)
intrusive scans 182
investigations, data sources for
bandwidth monitors 804
Internet Protocol Flow Information Export (IPFIX) 811–813
log files 789
Domain Name System (DNS) 795–796
dump files 797
journalctl 802
network 790
security 793
Session Initiation Protocol (SIP) 800
syslog/rsyslog/syslog-ng 800–801
Voice over Internet Protocol (VoIP) 799–800
web server 794
metadata
in email 808
in files 809
on mobile devices 808
protocol analyzers 813
Security Information and Event Management (SIEM)
alerts 788
sensitivity 788
sensors 787
trends 788
vulnerability scan output 785–786
invoice scams 17
IoCs (indicators of compromise) 123, 762, 832, 853
IoT (Internet of Things) 38, 98, 113, 344–346, 358, 414
IP (Internet Protocol). See also IPsec
addresses
virtual 488
configuration management 213
IP proxy 514
IP scanners
definition of 721
ipconfig command 710
IPFIX (Internet Protocol Flow Information Export) 187, 524, 811–813
IPsec 247, 437–438, 497. See also IKE (Internet Key Exchange)
Authentication Header (AH) 437
Encapsulating Security Payload (ESP) 437, 503
IKEv1 Phase 1 negotiation 498–501
IKEv1 Phase 2 negotiation 501–503
passthrough 501
IPSs (intrusion prevention systems). See HIPSs (host intrusion prevention systems); network intrusion detection systems (NIDSs)
IR. See incident response (IR) plans
iris recognition 301
ISACA COBIT framework 882
ISACs (Information Sharing and Analysis Centers) 123–125
ISAKMP (Internet Security Association and Key Management Protocol) 497
ISAs (interconnection security agreements) 903
ISE (Identity Services Engine) 590
ISO (International Organization for Standardization) 881, 884, 893
ISPs (internet service providers) 808
ISSOs (information systems security officers) 930, 947
issuers, certificate 692
IT contingency planning (ITCP) 929
IT security frameworks 881–884
ITIL (Information Technology Infrastructure Library) 882
ITU-T X.690 encoding formats 697
IVs (initialization vectors) 103, 403
Japan’s Personal Information Protection Act (JPIPA) 220
JavaScript Object Notation (JSON) injection 273–274
JavaScript-based keyloggers 43
journalctl 802
jump servers 514
jurisdictional forensic intervention 855
Kali forensics 850
Katacoda 239
KBA (knowledge-based authentication) 625, 656–657
KDC (key distribution center) 668
KE (Key Exchange) 500
Kerberoasting TGS 292
Kerberos 82–83, 89, 292, 553, 668–670, 673
kernel-based keyloggers 42
Key Exchange (KE) 500
.key file extension 697
key recovery agents 699
key signing keys (KSKs) 427
keys 688
ephemeral 403
escrow 699
generation algorithms for 395
key distribution center (KDC) 668
key exchanges 399
key signing keys (KSKs) 427
length of 396
mobile device management (MDM) 577–578
password 655
personal unblocking keys (PUKs) 360
Public Key Cryptography Standards (PKCS) 412
stretching 397
zone signing keys (ZSKs) 427
knowledge-based authentication (KBA) 625, 656–657
known environment/white box testing 198, 468–469
KSKs (key signing keys) 427
L0phtCrack 47
L2F (Layer 2 Forwarding Protocol) 508
L2TP (Layer 2 Tunneling Protocol) 494, 505–508
LANG environment variable 740
last known good configuration (LKGC) 329
lateral traffic 492
Layer 2 attacks
ARP cache poisoning 105
MAC cloning attacks 106
MAC flooding attacks 106
security best practices 106–107
Layer 2 Forwarding Protocol (L2F) 508
Layer 2 security 512
Bridge Protocol Data Unit (BPDU) guard 512
loop protection 512
MAC filtering 513
Layer 2 Tunneling Protocol (L2TP) 494, 505–508
LCP (Link Control Protocol) 44
LDAP (Lightweight Directory Access Protocol)
injection attacks 144, 273–274, 291, 442, 667–670
Lightweight Directory Access Protocol over SSL (LDAPS) 432
LDAPS (Lightweight Directory Access Protocol over SSL) 432
LEAP (Lightweight EAP) 666
least functionality 152
least privilege 264, 630, 681, 908
least significant bit (LSB) steganography 416–417
least-trusted zones 825
legacy platforms 165
legal hold 842
lessons learned phase, incident response (IR) 764–765
libraries, third-party 265
licensing 918
lifecycle
account audits 635
disablement 635
privileges provisioning 635
registration and identity validation 633–635
incident response (IR)
eradication 764
identification 763
recovery 764
lighting, security 380
lightweight cryptography 414–415
Lightweight Cryptography Project 415
Lightweight Directory Access Protocol. See LDAP (Lightweight Directory Access Protocol)
Lightweight Directory Access Protocol over SSL (LDAPS) 432
Lightweight EAP (LEAP) 666
Link Control Protocol (LCP) 44
Linux
Kali Linux 415
Linux Kernel 236
System Monitor 542
lists
certificate revocation 829
live boot media 329
live box forensics 858
load balancing
active/active 488
active/passive 488
definition of 488
scheduling 488
Virtual IP address 488
Local Security Authority Subsystem Service (LSASS) 47–48
locality attribute (certificates) 692
Lockheed Martin 770
locks and lockout programs 378–379, 579, 639
log collectors 186
log files 789
aggregation 186
analytics 383
collection of 186
correlation of 186
Domain Name System (DNS) 795–796
dump files 797
emergency preparedness 383
journalctl 802
normalization of 186
review 182
risk 920
Session Initiation Protocol (SIP) 800
syslog/rsyslog/syslog-ng 800–801
visitor 383
Voice over Internet Protocol (VoIP) 799–800
web server 794
logistics, SCADA control systems 343
loop protection 512
LS_COLORS environment variable 740
LsaLogonUser 90
LSASS (Local Security Authority Subsystem Service) 47–48
LSB (least significant bit) steganography 416–417
MaaS (monitoring as a service) 139, 232
MAC (mandatory access control) 588, 676, 679, 905
MAC (media access control) 511
addresses 511
cloning attacks 106
filtering 513
flooding attacks 106
spoofing 101
MACB (Modified, Accessed, Changed, and Birth) times 844
machine certificates 696
machine learning. See AI/ML (artificial intelligence and machine learning)
macOS Activity Monitor 542
macros 113
MACs (message authentication codes) 399, 410
MAIL environment variable 740
malicious software. See malware
Maltego 203
malware 113
antimalware 452
bots and botnets 37–38, 111–112
definition of 33
fileless viruses 37
malvertising 40
mobile device security countermeasures 580
permanent damage from 45
potentially unwanted programs (PUPs) 40–42
time bombs 39
MAM (mobile application management) 585–587
managed detection and response (MDR) 234
managed power distribution units (PDUs) 322–323
managed security service providers (MSSPs) 233–234
managed service providers (MSPs) 233–234
management
managerial controls 868
roles and responsibilities 945–947
Management Information Bases (MIBs) 436
mandatory access control. See MAC (mandatory access control)
mandatory vacation policies 900
man-in-the-middle (MITM) attacks. See on-path (man-in-the-middle) attacks
manipulating files. See file manipulation
manual code review 470
manufacturing, SCADA control systems 342
mapping
many-to-one 690
one-to-one 690
masking, data 945
Mavituna Security Netsparker 204
maximum transmission unit (MTU) discovery 717
MBR (master boot record) 35–36, 851
MDM (mobile device management) 152, 574–576, 825–826, 908
application and content management 576–578
bring-your-own-device (BYOD) 215, 572, 574–576, 581, 588–590, 826, 898
choose-your-own-device (CYOD) 588–590
corporate-owned, personally enabled (COPE) 572, 588–590
enforcement and monitoring 581–585
metadata 808
mobile application management (MAM) 585–587
SEAndroid 588
security concerns and countermeasures 578–581
unified endpoint management (UEM) 587–588
virtual desktop infrastructure (VDI) 589
MDR (managed detection and response) 234
mean time between failures (MTBF) 926
mean time to failure (MTTF) 926
mean time to repair (MTTR) 926
Measurement System Analysis (MSA) 904
MEC (multi-access edge computing) 235
media access control. See MAC (media access control)
medical systems 347
MEIDs (mobile equipment identifiers) 49, 584
memdump 745
memorandum of understanding (MOU) 903
memory management 265. See also buffer overflows
ARP cache poisoning 105
content addressable 106
random-access memory (RAM) 849–850
runtime 477
static random-access memory (SRAM) 340
virtual 850
vulnerabilities 77–78, 149, 271–272, 275
memory-injection-based keyloggers 43
Men & Mice Logeater 796
Mentor Nucleus RTOS 347
message authentication codes (MACs) 399, 410
Message Digest Algorithm 5 (MD5) 55, 219
metadata
in email 808
in files 809
on mobile devices 808
Meterpreter scripts 90
MFA (multifactor authentication) 304–306, 579, 656–657
MFPs (multifunction printers) 354
MicroSD hardware security modules (HSMs) 587
microsegmentation 240–241, 489–490
Microsoft
Cluster Server 488
Disk Defragmenter 158
Exchange 145
Forefront Identity Manager 658
Internet Information Services (IIS) 146
security advisories and bulletins 179
Security Bulletins 146
SQL Server 273
Visual Basic for Applications (VBA) 113
Web Application Proxy 516
Windows Defender Firewall 457
Windows Server 144
Mimikatz 90
minimal privilege 681
mission-essential functions 929
mitigation 919, 921. See also segmentation
configuration changes 824
certificates, updating/revoking 829–830
content filter/URL filter 828–829
data loss prevention (DLP) 828
firewall rules 825
mobile device management (MDM) 825–826
endpoint security solutions 822
application approved lists 822
application block list/deny list 822–823
approved lists 822
block/deny lists 467–468, 578, 583, 822–823
isolation 830
Security Orchestration, Automation, and Response (SOAR) 188–189, 832
playbooks 834
runbooks 833
MITRE
ATT&CK framework 18, 128–129, 176, 205, 223, 767–768
Common Vulnerabilities and Exposures (CVE) 125, 146, 177
Common Weakness Enumeration 75
PRE-ATT&CK framework 18
MMS (Multimedia Messaging Service) 583, 585
mobile equipment identifiers (MEIDs) 49, 584
mobile solutions
Common Vulnerabilities and Exposures (CVEs) 571
connection methods and receivers 570
Global Positioning System (GPS) 572, 584
near-field communication (NFC) 570–571
radio frequency identification (RFID) 571–572
satellite communications (SATCOM) 573
secure implementation best practices 573–574
mobile application management (MAM) 585–587
mobile device management (MDM) 215, 574–576
application and content management 576–578
bring-your-own-device (BYOD) 572, 574–576, 581, 588–590, 826, 898
choose-your-own-device (CYOD) 588–590
corporate-owned, personally enabled (COPE) 572, 588–590
enforcement and monitoring 581–585
mobile application management (MAM) 585–587
SEAndroid 588
security concerns and countermeasures 578–581
unified endpoint management (UEM) 587–588
virtual desktop infrastructure (VDI) 589
Modified, Accessed, Changed, and Birth (MACB) times 844
Modified Base Metrics 185
moisture detection systems 382
monitoring
bandwidth 804
file integrity monitors 542
mobile device management (MDM) 581–585
monitoring as a service (MaaS) 139, 232
performance baselining 539–542
motion recognition 376
MOU (memorandum of understanding) 903
moves, MAC 511
MSA (Measurement System Analysis) 904
MSPs (managed service providers) 233–234
MSSPs (managed security service providers) 233–234
MTBF (mean time between failures) 926
MTTF (mean time to failure) 926
MTTR (mean time to repair) 926
MTU (maximum transmission unit) discovery 717
multi-access edge computing (MEC) 235
multicast addresses 537
multifactor authentication (MFA) 304–306, 579, 656–657
multifunction printers (MFPs) 354
multihomed connections 532
Multimedia Messaging Service (MMS) 583, 585
Multi-Party Coordination and Disclosure special interest group 180
multiparty risks 918
multipath I/O 319
multitenancy 601
Multi-User Multiple Input, Multiple Output (MU-MIMO) 560–561
Mutiny Fuzzing Framework 269
MySQL 273
NAC (network access control) 510–511, 871. See also 802.1X standard
naming conventions 213
NarrowBand 358
NarrowBand-Internet of Things (NB-IoT) 358
NAS (network-attached storage) 326, 375
NAT (network address translation) 443–444, 501, 529, 562
nation-state attacks 346
National Cyber Awareness System (NCAS) 576
National Institute of Standards and Technology (NIST) 884
cloud computing defined by 139
Cybersecurity Framework (CSF) 884
Digital Signature Algorithm (DSA) 396
firewall guidelines 825
isolation guidelines 830
mobile device security guidelines 826
National Vulnerability Database (NVD) 125, 177, 199
NIST Cybersecurity Framework (CSF) 882
Protecting Controlled Unclassified Information 828
Risk Management Framework (RMF) 884
National Security Agency (NSA) 55, 498
National Vulnerability Database (NVD) 125, 177, 199
NAT-T (NAT Traversal) 501
NB-IoT (NarrowBand-Internet of Things) 358
NCAS (National Cyber Awareness System) 576
nCircle WebApp360 204
NDA (nondisclosure agreement) 901
near-field communication (NFC) 50, 100, 102–103, 570–571
negatives, false 181, 519, 520
net time command 669
NetStumbler 99
network access control (NAC) 510–511, 871. See also 802.1X standard
network ACLs (access control lists) 535
network address translation (NAT) 443–444, 501, 529, 562
network and port scanners 182
network attached storage (NAS) 375
network attacks. See also network design, secure
DDoS (distributed denial-of-service) 113
DNS (Domain Name System)
DDoS (distributed denial-of-service) 37–38, 54, 111–113, 601
DNS amplification attack 112
domain hijacking 108
prevalence of 107
URL redirection attacks 110
Layer 2
ARP cache poisoning 105
MAC cloning attacks 106
MAC flooding attacks 106
security best practices 106–107
malware 113
bots and botnets 37–38, 111–112
definition of 33
fileless viruses 37
permanent damage from 45
potentially unwanted programs (PUPs) 40–42
time bombs 39
on-path attacks 54, 84–85, 103, 602
password attacks
brute-force 45
dictionary-based 45
password cracking 46
password spraying 45
rainbow tables 47
script execution 113
wireless 98
bluejacking 100
disassociation and deauthentication 101
initialization vector (IV) 103
near-field communication (NFC) 102–103
radio frequency identification (RFID) 49, 102
rogue access points 99
network controllers 144
network design, secure. See also firewalls; network attacks; network reconnaissance; network resilience
access control lists (ACLs) 535, 643, 831
broadcast storm prevention 512
Bridge Protocol Data Unit (BPDU) guard 512
loop protection 512
MAC filtering 513
DLP (data loss prevention) systems 215
Domain Name System (DNS) 509–510
load balancing
active/active 488
active/passive 488
definition of 488
scheduling 488
Virtual IP address 488
file integrity monitors 542
performance baselining 539–542
network access control (NAC) 510–511
aggregators 526
hardware security modules (HSMs) 524
jump servers 514
network intrusion detection systems (NIDSs) 215, 223, 517–524, 870. See also network reconnaissance
network intrusion prevention systems (NIPSs) 99, 519, 869
network-based intrusion prevention system (NIPS) 518–524
network segmentation
east-west traffic 492
example of 489
screened subnets 491
virtual local-area networks (VLANs) 490–491
zero trust 494
out-of-band management 510–511
port spanning/port mirroring 537–538
quality of service (QoS) 536
virtual private networks (VPNs) 507, 606
always-on VPN functionality 495
clientless versus client-based 497
concentrators 495
definition of 494
HTML5 508
IKEv1 Phase 1 negotiation 498–501
IKEv1 Phase 2 negotiation 501–503
IPsec 497
Layer 2 Tunneling Protocol (L2TP) 508
SSL (Secure Sockets Layer) 505–508
network forensic analysis tools (NFATs) 852–853
network interface card (NIC) teaming 320
network intrusion detection systems (NIDSs) 99, 215, 223, 517–518, 870. See also network reconnaissance
advantages/disadvantages 519–520
anomaly-based analysis 521–523
heuristic-based analysis 521
promiscuous mode 517
stateful pattern-matching recognition 521
network intrusion prevention systems (NIPSs) 99, 519, 869
network logs 790
Network Policy Server (NPS) 495
network reconnaissance 18, 770
definition of 707
hping 717
ipconfig 710
ping6 716
network resilience
definition of 319
network interface card (NIC) teaming 320
network segmentation. See segmentation
Network Time Protocol (NTP) 112, 440, 490, 790
Network Time Security (NTS) 440
network video recorders (NVRs) 375
network-attached storage (NAS) 326
network-based application layer firewalls 530
New Technology File System (NTFS) 156, 646, 850. See also permissions
Nexpose 204
next-generation firewall (NGFW) 453–454, 524
next-generation IPS systems (NGIPSs) 523
NFATs (network forensic analysis tools) 852–853
NFC (near-field communication) 50, 570–571
NFC (near-field communication) attacks 102–103
NGFW (next-generation firewall) 453–454, 524
NGIPSs (next-generation IPS systems) 523
NIC (network interface card) teaming 320
NIDSs (network intrusion detection systems) 99, 215, 223, 517–518, 869, 870. See also network reconnaissance
advantages/disadvantages 519–520
anomaly-based analysis 521–523
heuristic-based analysis 521
promiscuous mode 517
stateful pattern-matching recognition 521
Nikto 204
Nimda 37
NIPSs (network intrusion prevention systems) 99, 523, 869
advantages/disadvantages 519–520
anomaly-based analysis 521–523
false positives/false negatives 519
heuristic-based analysis 521
NIST (National Institute of Standards and Technology) 396, 881
noise detection 382
Nomad 240
noncredentialed vulnerability scans 182
nondisclosure agreements (NDAs) 901
nonintrusive vulnerability scanners 182
notifications
of privacy and data breaches 941
public 940
push 299
Novec 1230 381
NPS (Network Policy Server) 495
NSA (National Security Agency) 55, 498
NT LAN Manager (NTLM) 89
NTFS (New Technology File System) 156, 646, 850. See also permissions
NTLM (NT LAN Manager) 89
NTP (Network Time Protocol) 112, 440, 490
NTS (Network Time Security) 440
Nucleus RTOS 347
null pointer dereferences 75, 271–272
NVD (National Vulnerability Database) 125, 177, 199
NVRs (network video recorders) 375
Oakley 497
OAS (OpenAPI Specification) 87
object detection 376
object identifiers (OIDs) 691
OCIL (Open Checklist Interactive Language) 885
OCSP (Online Certificate Status Protocol) 691, 698
OEM (original equipment manufacturer) 459
OFB (Output Feedback) mode 407
offboarding policies 575, 899, 900
Office of Personnel Management (OPM) attack 300–301
offline backups 326
offline password cracking 46
off-premises services 234
offsite storage 327
Off-The-Record Messaging 400–401
OIDs (object identifiers) 691
OLDPWD environment variable 740
onboarding policies 575, 899, 900
one-time passwords (OTPs) 627
time-based 295
one-to-one mapping 690
one-way functions 219
online backups 326
Online Certificate Status Protocol (OCSP) 691, 698
online password cracking 46
on-path (man-in-the-middle) attacks 54, 84–85, 103, 602
on-premises environments, vulnerabilities in 137–143
on-premises services 234
Opal 476
Open Checklist Interactive Language (OCIL) 885
Open Network Environment 882
open permissions 150
Open Source Security Testing Methodology Manual (OSSTMM) 199
Open Systems Interconnection (OSI) model 103, 614, 615
Open vSwitch Database Management Protocol (OVSDB) 243
Open vSwitch (OVS) 243
Open Vulnerability and Assessment Language (OVAL) 164, 885
Open Web Application Security Project. See OWASP (Open Web Application Security Project)
Open1X 554
OpenAPI Specification (OAS) 87
OpenCV 416
open-source intelligence (OSINT) 7–8, 18, 120–121, 124, 203
OPENSSL_CONF environment variable 740
operating systems (OSs)
forensic acquisition 850
trusted operating systems (TOSs) 905
operation, modes of (encryption)
authenticated 404
Cipher Block Chaining (CBC) 405
Cipher Feedback (CFB) 406
Electronic Code Book (ECB) 404
Output Feedback (OFB) 407
unauthenticated 404
operational expenditure (OpEx) 598
operational technology (OT) 113
The Orange Book 674
order of volatility 848
organization attribute (certificates) 692
organizational incidents 775
organizational security. See also forensics, digital; incident response (IR) plans
benchmarks and secure configuration guides 885–888
exploitation frameworks 747–748
head command 733
tail command 734
IP scanners
definition of 721
IT security frameworks 881–884
network reconnaissance
definition of 707
hping 717
ipconfig 710
ping6 716
packet capture and replay
definition of 742
Tcpreplay 742
Wireshark 743
policies
breadth and scope of 897
change management/change control 909
classification and governance 904–905
clean desk policy 23, 899, 900
data retention 906
definition of 893
due care 900
due diligence 900
due process 900
mandatory vacations 898–899, 900
onboarding/offboarding 899, 900
privacy 897
procedures versus 893
user education and awareness training 901–902
privacy and data breach consequences
data types and asset classification 941–942
fines 940
identity theft 940
impact assessment 948
intellectual property theft 940
notifications 941
personally identifiable information (PII) 943
privacy enhancing technologies 944–945
privacy notices 949
protected health information (PHI) 944
reputation damage 940
security roles and responsibilities 945–947
terms of agreement 948
regulations and standards
General Data Protection Regulation (GDPR) 214, 220, 878–879, 947
Payment Card Industry Data Security Standard (PCI DSS) 881
shell and script environments
PowerShell 740
Python 741
organizational units (OUs) 692
organizational validation (OV) certificates 694
organized crime 120
original equipment manufacturer (OEM) 459
orthogonal frequency-division multiple access (OFDMA) 561
OSI (Open Systems Interconnection) model 103, 614, 615
OSINT (open-source intelligence) 7–8, 18, 120–121, 124, 203
OSSTMM (Open Source Security Testing Methodology Manual) 199
OT (operational technology) 113
OTA (over-the-air) technology 572–573, 583, 585
OTPs. See one-time passwords (OTPs)
out-of-band management 510–511
out-of-band SQL injection 73
Output Feedback (OFB) mode 407
outsourced code development 155
OV (organizational validation) certificates 694
OVAL (Open Vulnerability and Assessment Language) 164, 885
overflows
buffer 75–76, 77, 149, 271–272, 275, 522
over-the-air (OTA) technology 572–573, 583, 585
OVS (Open vSwitch) 243
OVSDB (Open vSwitch Database Management Protocol) 243
OWASP (Open Web Application Security Project) 204, 276–277
OWASP Proactive Controls 276–277
OWASP Testing Project 276
OWASP Web Security Testing Guide 199
top 10 vulnerabilities in web applications 70
Top 10 Web Application Security Risks 277
Zed Attack Proxy 204
owners, data 946
ownership, authentication by 625
P12/PFX format 697
PaaS (platform as a service) 139, 232, 853
PAC (proxy autoconfiguration) file 515
packet assemblers/disassemblers (PADs) 137–138
packet capture and replay 187
definition of 742
Tcpreplay 742
Wireshark 743
packet filtering 528
packet sniffers 559
PacketFence 510
packet-switching exchanges (PSEs) 137–138
padding 463
PADs (packet assemblers/disassemblers) 137–138
pagefiles, forensic acquisition of 849–850
palette modification 417
Palo Alto security advisories and bulletins 179
PAM (privileged access management) 678, 679
PAMs (pluggable authentication modules) 670
PAMs (Programmable Attribute Maps) 851
PANs (personal area networks) 570
PAP (Password Authentication Protocol) 670–671
parity, striping with (RAID) 316, 318
partially known environment 199
passive prevention detection systems (IPSs) 523–524
passive reconnaissance 203–204
Password Authentication Protocol (PAP) 670–671
passwords
attacks
brute-force 45
dictionary-based 45
password cracking 46
password spraying 45
rainbow tables 47
definition of 636
HMAC-based one-time password (HOTP) 295–296
mobile device management (MDM) 579, 582
one-time passwords (OTPs) 627
Password Authentication Protocol (PAP) 670–671
password keys 655
password vaults 655
system-generated 638
time-based one-time password (TOTP) 295
user-generated 638
Pastebin 18
patches and hotfixes 160–164, 179–180, 362, 474–475
PATH environment variable 740
pattern-matching, stateful 521
payment methods, mobile 584, 586
PCI DSS (Payment Card Industry Data Security Standard) 453, 881
PDS (protective distribution system) 385
PDUs (power distribution units) 322–323
Peach 270
PEAP (Protected Extensible Authentication Protocol) 554, 556, 666
Pearson Test Prep practice test 954
peer-to-peer (P2P) networks 143
PEM (Privacy-enhanced Electronic Mail) 697
.pem file extension 697
cleanup 202
known environment 198
methodologies 199
partially known environment 199
passive reconnaissance 203–204
post-exploitation techniques 201
Penetration Testing Execution Standard (PTES) 199
Perfect Forward Secrecy (PFS) 399–400, 502
performance baselining 539–542
Performance Monitor tool 540–542
Performance tool 539
open 150
privilege creep 645
types of 646
persistence 201
personal area networks (PANs) 570
personal firewalls 534
personal identification numbers (PINs) 360, 579
Personal Identity Verification (PIV) cards 629
Personal Information Protection and Electronic Documents Act (PIPEDA) 220, 880
personal unblocking keys (PUKs) 360
personally identifiable information (PII) 82, 216–218, 268, 577, 856, 897, 901, 943
person-made disasters 924
breadth and scope of 897
clean desk policy 23, 899, 900
data retention 906
definition of 893
due care 900
due diligence 900
due process 900
mandatory vacations 898–899, 900
onboarding/offboarding 575, 899, 900
personnel credential policy 906–908
privacy 897
procedures versus 893
summary of 900
PFS (Perfect Forward Secrecy) 399–400, 502
PHI (protected health information) 856, 944
phone call authentication 299–300
physical security 872
access control vestibules 372–373
air gap 384
alarms 374
attacks
cloud-based attacks 52–55, 601–603
malicious flash drives 48
malicious USB cables 48
supply-chain attacks 51
cameras
centralized versus decentralized 375
closed-circuit television (CCTV) 376–377
motion recognition 376
object detection 376
fire suppression 381
industrial camouflage 377
lighting 380
physical locks 379
protected cable distribution system 385
screened subnets 384
secure data destruction 386–387
visitor logs 383
PIA (Privacy Impact Assessments) 948
piggybacking 15
PII (personally identifiable information) 82, 216–218, 268, 577, 856, 897, 901, 943
Ping of Death 88
ping6 command 716
PINs (personal identification numbers) 360, 579
PIPEDA (Personal Information Protection and Electronic Documents Act) 220, 880
PIR (Post Incident Review) 764–765
PIV (Personal Identity Verification) cards 629
pivoting 201
PKCS (Public Key Cryptography Standards) 412
PKI (public key infrastructure) 84–85, 556
certificate authorities (CAs) 556, 689–691, 829
certificates
chaining 696
expiration 693
formats 697
pinning 698
Subject Alternative Name 693
definition of 685
key escrow 699
key management 688
key recovery agent 699
stapling 698
trust model 698
PKIX (Public Key Infrastructure Exchange) 694
plans
business continuity 773–774, 929
disaster recovery 772–773, 926
incident response (IR)
business continuity plans (BCPs) 773–774, 929
continuity of operations planning (COOP) 774–775
data retention policies 775–776
Diamond Model of Intrusion Analysis 768–770
disaster recovery plans (DRPs) 772–773, 926
incident response teams 760, 775–776
MITRE ATT&CK framework 128–129, 176, 205, 223, 767–768
stakeholder management 771–772
platform as a service (PaaS) 139, 232, 853
platform configuration registers (PCRs) 294
playbooks 834
PLCs (programmable logic controllers) 341, 343
pluggable authentication modules (PAMs) 670
PlugX RAT 35
PMBOK (Project Management Body of Knowledge) 882
PNAC. See 802.1X standard
pointer dereferencing 75–76, 271–272
point-of-sale (POS) systems 353
Point-to-Point Tunneling Protocol (PPTP) 494, 558
poisoning
ARP (Address Resolution Protocol) 105, 722
DNS (Domain Name System) 108–110
account 633
change management/change control 909
classification and governance 904–905
definition of 893
group policy objects (GPOs) 474
Identity and Access Management (IAM) 605
personnel
breadth and scope of 897
clean desk policy 23, 899, 900
due care 900
due diligence 900
due process 900
mandatory vacations 898–899, 900
onboarding/offboarding 575, 899, 900
personnel credential policy 906–908
privacy 897
summary of 900
procedures versus 893
user education and awareness training 901–902
POP (Post Office Protocol) 438–439
port security 106, 511. See also 802.1X standard
port numbers 441
port spanning/port mirroring 537–538
port taps 538
port-based network access control (PNAC) 553–554
protocols associated with 152–154
Switched Port Analyzer (SPAN) 537–538
vulnerabilities 151
portals, captive 559
PortSwigger Burp Suite Professional 204
POS (point-of-sale) systems 353
positives, true/false 181–182, 518, 520
POST (power-on self-test) 851
Post Incident Review (PIR) 764–765
Post Office Protocol (POP) 438–439
post-exploitation techniques 201
post-quantum cryptography 402
potentially unwanted programs (PUPs) 40–42
power distribution units (PDUs) 322–323
power loss 925
power resilience
definition of 320
generators 321
managed power distribution units (PDUs) 322–323
uninterruptible power source (UPS) 320–321
power-on self-test (POST) 851
PPTP (Point-to-Point Tunneling Protocol) 494, 558
PRE-ATT&CK 18
predictive analysis 127
preferred roaming list (PRL) 572
PREMIS (Preservation Metadata Implementation Strategies) 805
preparation phase, incident response (IR) 762–763
prepending 17
preservation, forensic 858
Preservation Metadata Implementation Strategies (PREMIS) 805
preshared key (PSK) 103, 551, 557–558
pretexting 19
preventative controls 869, 872
principals 623
printenv command 739
privacy breaches 220. See also identity
data types and asset classification 941–942
fines 940
identity theft 940
impact assessment 948
intellectual property theft 940
notifications of 941
personally identifiable information (PII) 943
privacy enhancing technologies 944–945
privacy notices 949
privacy policies 897
protected health information (PHI) 944
reputation damage from 940
security roles and responsibilities 945–947
terms of agreement 948
privacy enhancing technologies 944–945
Privacy Impact Assessments (PIA) 948
Privacy-enhanced Electronic Mail (PEM) 697
Private information 942
private information sharing centers 124
private keys 436
privilege
creep 645
escalation 67–68, 201, 770, 941
least 681
minimal 681
provisioning 635
privileged access management (PAM) 678, 679
Privileges Required (PR) metric 183
PRNG (pseudorandom number generator) 49–50, 102, 571–572
procedures, policies versus 879, 893
production 260
Programmable Attribute Maps (PAMs) 851
programmable logic controllers (PLCs) 341, 343
programming testing methods
penetration testing 266
static and dynamic code analysis 269
programming vulnerabilities. See vulnerabilities
Project Management Body of Knowledge (PMBOK) 882
promiscuous mode 517
promiscuous ports 491
Proprietary information 942
protected cable distribution system 385
Protected Extensible Authentication Protocol (PEAP) 554, 556, 666
protected health information (PHI) 856, 944
protective distribution system (PDS) 385
protocol analyzers 813
protocols. See individual protocols
provisioning, application 260
proxy autoconfiguration (PAC) file 515
forward proxy 516
transparent proxy 516
PSEs (packet-switching exchanges) 137–138
pseudo-anonymization 945
pseudocodes 79
pseudorandom number generator (PRNG) 49–50, 102, 571–572
PSK (preshared key) 103, 551, 557–558
PTES (Penetration Testing Execution Standard) 199
public incidents 775
public information 905
public information sharing centers 124
public key algorithms 411
Public Key Cryptography Standards (PKCS) 412
public key infrastructure. See PKI (public key infrastructure)
Public Key Infrastructure Exchange (PKIX) 694
public keys 437
public notifications and disclosures 941
PUKs (personal unblocking keys) 360
pulping 386
pulverizing 387
PUPs (potentially unwanted programs) 40–42
push notifications 299
PWD environment variable 740
QKD (quantum key distribution) 401–402
QoS (quality of service) 536
QRadar 526
qualitative risk management 921–922, 923
qualitative-to-quantitative score mapping 186
quality assurance (QA) 260, 261
quality of service (QoS) 536
Qualys 204
quantitative risk management 922–923
computing 402
definition of 401
quantum key distribution (QKD) 401–402
quick mode, IKE 501
race conditions 79
Radamsa 269
radio, baseband 359
radio frequency identification (RFID) attacks 49, 102, 571–572
radio frequency interference (RFI) 383–384
RADIUS (Remote Authentication Dial-In User Service) 556–557, 672–673
RAID (Redundant Array of Inexpensive Disks) 315–316, 869
Rainbow Series 674
rainbow tables 47
RainbowCrack 47
RAM (random-access memory), forensic acquisition of 848–849
rapid application development (RAD) 262
Rapid STP 512
Rapid7 Nexpose 204
RAs (registration authorities) 690
RAS (Remote Access Service) 670–672
Raspberry Pi 339
RATs (remote access Trojans) 148
RBAC (role-based access control) 677, 679, 899
RC4 (Rivest Cipher 4) 412
RCE (remote code execution) 78, 146, 149, 275
RCS (Rich Communication Services) 585
RCSA (risk control self-assessment) 920
RDBMS (relational database management system) 273
RDP (Remote Desktop Protocol) 472
Real-Time Monitoring Tool (RTMT) 799
real-time operating systems (RTOSs) 347, 355
Real-Time Transport Protocol (RTP) 152. See also Secure Real-Time Transport Protocol (SRTP)
reception desks 378
recertification, user access 645
reconnaissance. See network reconnaissance
Recon-ng 203
disaster recovery planning 928–930
recovery point objective (RPO) 929
recovery time objective (RTO) 929
Red Hat security advisories and bulletins 179
redaction 945
redirection attacks, URL 110
reduced sign-on 656
definition of 315
disk
multipath 319
Redundant Array of Inexpensive Disks (RAID) 315–316
geographic dispersal 315
network
definition of 319
network interface card (NIC) teaming 320
power
definition of 320
generators 321
managed power distribution units (PDUs) 322–323
uninterruptible power source (UPS) 320–321
Redundant Array of Inexpensive Disks (RAID) 315–316, 869
refactoring, driver 89
reference architecture 884
Reflected XSS attacks 68
reflection 112
regedit command 472
registers, risk 920
registration, identity 633–635
registration authorities (RAs) 690
registry 472
regulations and standards
General Data Protection Regulation (GDPR) 214, 220, 878–879, 947
Payment Card Industry Data Security Standard (PCI DSS) 881
regulatory forensic intervention 855
relational database management system (RDBMS) 273
Reliable Event Logging Protocol (RELP) 800
relying parties (SAML) 659
Remediation Level (RL) metric 185
remote access 442
Remote Access Service (RAS) 670–672
remote access Trojans (RATs) 148
remote authentication
Challenge-Handshake Authentication Protocol (CHAP) 670–672, 673
Remote Access Service (RAS) 670–672
Remote Authentication Dial-In User Service (RADIUS) 556–557, 672–673
remote code execution (RCE) 78, 146, 149, 275
Remote Desktop Connection 152
Remote Desktop Protocol (RDP) 472
remote terminal units (RTUs) 341
remotely operated underwater vehicles (ROVs) 353–354
removable media 123
replay, packet
definition of 742
Tcpreplay 742
Wireshark 743
replication
storage area networks (SANs) 323
virtual machines (VMs) 324–325
Report Confidence (RC) metric 185
reports
after action report (AAR) 928–929
forensic 846
SIEM (Security Information and Event Management) 187
repositories, file/code 127
Representational State Transfer (REST) 86
request for comments (RFC) 128
backups
cloud 326
copy 326
disk 326
image 326
NAS (network-attached storage) 326
offsite storage 327
online versus offline 326
snapshot 326
tape 326
definition of 311
high availability (HA) 329–330
network
definition of 319
network interface card (NIC) teaming 320
power
definition of 320
generators 321
managed power distribution units (PDUs) 322–323
uninterruptible power source (UPS) 320–321
on-premises versus cloud 325
redundancy
definition of 315
geographic dispersal 315
Redundant Array of Inexpensive Disks (RAID) 315–316, 869
replication
storage area networks (SANs) 323
virtual machines (VMs) 247–249, 324–325
resolution, domain name 442–443
resource allocation, dynamic 607–608, 611
resource policies 246, 603, 609
resource records (RRs) 795
response and recovery controls 220–221
REST (Representational State Transfer) 86
RESTful APIs 240
retention, risk 919
retention policies 775–776, 906
retina scanning 301
Retina Web Security Scanner 204
reuse, code 270
revert to known state 329
review logs 182
reviews, configuration 182
revoking certificates 829
RFC (request for comments) 128
RFI (radio frequency interference) 383–384
RFID (radio frequency identification) attacks 49, 102, 571–572
Rich Communication Services (RCS) 583, 585
riding, session 602
rights management 219–220, 640–645
right-to-audit clauses 854
Rijndael. See Advanced Encryption Standard (AES)
business impact analysis 926–927
disaster recovery planning 928–930
external versus internal risk 917
residual risk 919
control risk 921
inherent risk 921
residual risk 921
risk appetite 921
risk awareness 921
risk control assessment 920
risk control self-assessment (RCSA) 920
risk matrix/heat map 920
risk mitigation 921
risk avoidance 918
Risk Management Framework (RMF) 884
risk matrix/heat map 920
risk mitigation 919
risk registers 920
risk transference 918
supply chain risk management (SCRM) 920
risky login 639
RMF (Risk Management Framework) 884
robot sentries 378
rogue access points 99
role-based access control (RBAC) 677, 679, 899
role-based training 902
roles and responsibilities, security 945–947
rolling codes 102
root certificate authorities 696
root certificates 696
port spanning/port mirroring 537–538
quality of service (QoS) 536
Routing and Remote Access Service (RRAS) 495
ROVs (remotely operated underwater vehicles) 353–354
RPO (recovery point objective) 929
RRAS (Routing and Remote Access Service) 495
RRs (resource records) 795
RSA 412
RTMT (Real-Time Monitoring Tool) 799
RTO (recovery time objective) 929
RTOSs (real-time operating systems) 347, 355
RTP (Real-Time Transport Protocol) 152. See also Secure Real-Time Transport Protocol (SRTP)
RTUs (remote terminal units) 341, 343
rule-based access control 677, 678, 679
runbooks 833
runtime memory 477
SaaS (software as a service) 138, 231, 444, 853
SAE (Simultaneous Authentication of Equals) 101, 551, 552
safes 385
salting 47, 82, 397–398, 462–463
SAM (Security Accounts Manager) 89
SAML (Security Assertion Markup Language) 659–661
Samsung 476
SAN (Subject Alternative Name) field 694–695
sanitizing mobile devices 579
SANs (storage-area networks) 142, 323
Santos, Omar 953
SASE (Secure Access Service Edge) 582
SAST (static application security testing) 468–469
SATCOM (satellite communications) 573
SCADA (supervisory control and data acquisition) systems 341–343
scans
biometric. See biometric systems
IP scanners
definition of 721
Common Vulnerability Scoring System (CVSS) 182–186
false negative 181
false positives 181
intrusive versus nonintrusive 182
noncredentialed 182
SCAP (Security Content Automation Protocol) 883, 885–888
scheduling algorithms 488
SCP (secure copy) 456
screen locks 579
PowerShell 740
Python 741
script kiddies 120
SCRM (supply chain risk management) 166, 920
Scrum 258
SDLC (software development lifecycle) 78, 261–262, 263–265, 468, 868
SDN (software-defined networking) 241–243, 882
SDV (software-defined visibility) 243
SD-WAN (software-defined wide-area network) 246
Seagate Technology 476
SEAndroid 588
search engine optimization (SEO) 808
SEC (Securities and Exchange Commission) 941
SECaaS (security as a service) 139
Secret information 905, 941–942
Secret Manager 604
Secure Access Service Edge (SASE) 582
secure copy (SCP) 456
Secure File Transfer Protocol (SFTP) 434, 441
Secure Hash Algorithm (SHA) 55, 463, 551–552
Secure Key Exchange Mechanism (SKEME) 497
secure protocols. See also individual protocols
definition of 426
use cases
directory services 442
domain name resolution 442–443
email and web 440
file transfer 441
network address allocation 443–444
remote access 442
routing and switching 443
subscription services 444
time synchronization 440
voice and video 440
Secure Real-Time Transport Protocol (SRTP) 152, 430–431
Secure Shell (SSH) 427–428, 625, 628, 739–740
Secure Sockets Layer (SSL) 82–83, 436, 441
Transport Layer Security Inspection (TLSI) 215–216
Secure Web Gateway (SWG) 613, 614
Secure/Multipurpose Internet Mail Extensions (S/MIME) 428–429
Securities and Exchange Commission (SEC) 941
Security Accounts Manager (SAM) 89
security administrators 947
security as a service (SECaaS) 139
Security Assertion Markup Language (SAML) 292, 659–661
security assessments. See also SIEM (Security Information and Event Management)
in cloud 598
control risk 921
inherent risk 921
residual risk 921
risk appetite 921
risk awareness 921
risk control assessment 920
risk control self-assessment (RCSA) 920
risk matrix/heat map 920
risk mitigation 921
security advisories and bulletins 177–180
Security Orchestration, Automation, and Response (SOAR) 188–189, 832
vulnerability scans
credentialed versus noncredentialed 182
false negatives 181
false positives 181
intrusive versus nonintrusive 182
Security Content Automation Protocol (SCAP) 883, 885–888
security controls
cloud
API inspection and integration 607, 610
compute 611
high availability across zones 603, 609
integration and auditing 604, 609
cloud computing
compute 607
dynamic resource allocation 607–608, 611
native versus third-party 615
virtual private cloud endpoint 608, 611
security incident response simulations (SIRS) 766–767
security incident response team (SIRT). See incident response (IR) teams
Security Information and Event Management. See SIEM (Security Information and Event Management)
security officers 947
Security Onion 953
security operations centers (SOCs) 123, 175–176, 223, 379, 760, 762, 776
Security Orchestration, Automation, and Response (SOAR) 188–189, 832
playbooks 834
runbooks 833
security posture assessments (SPAs) 539
Security Requirements metrics 185
Security-Enhanced Linux (SELinux) 588, 676
SEDs (self-encrypting drives) 475–476
segmentation 607, 610, 831–832
east-west traffic 492
example of 489
screened subnets 491
virtual local-area networks (VLANs) 490–491
zero trust 494
Segmented Integer Counter Mode (SRTP) 430
SEH (structured exception handling) 81, 267
SELECT statement 70
self-encrypting drives (SEDs) 475–476
self-signed certificates 695, 698
SELinux (Security-Enhanced Linux) 588
semi-authorized hackers 121
semicolon (;) 73
Sender Policy Framework (SPF) 110, 426
sensitive data exposure 82
Sensitive information 942
sensors 345, 381–382, 524–525, 787
sentiment analysis 188
Sentinel 204
SEO (search engine optimization) 808
serial numbers, certificate 692
serverless architecture 243–244
servers 144
authentication 665
command-and-control (C2) 108
email 145
file 144
jump 514
Microsoft Cluster Server 488
network controllers 144
Network Time Protocol (NTP) 490
forward proxy 516
transparent proxy 516
virtual network computing (VNC) 632
web
log files 794
server-side execution 267
server-side request forgery (SSRF) 85–86
server-side validation 268
service nxlog start command 803
service providers (SPs) 292, 623, 661
service set identifiers (SSIDs) 98, 205, 532
service-level agreements (SLAs) 53, 273–274, 600, 902–903
services integration 246
session hijacking 54, 83, 465, 601
Session Initiation Protocol (SIP) 351, 431, 800
session replay 83
session theft 83
SET (Social Engineering Toolkit) 10
SFC (System File Checker) command 158
SFTP (Secure File Transfer Protocol) 434, 441
SHA (Secure Hash Algorithm) 55, 551–552
shadow IT 121
share permissions 646. See also permissions
shared accounts 629
shell and script environments
PowerShell 740
Python 741
SHELL environment variable 740
shielding, application 471
shimming, driver 89
Shor’s algorithm 402
Short Message Service (SMS) 12, 296–297, 583, 585
shoulder surfing 14
shredding 386
sideloading 581
SIEM (Security Information and Event Management) 186–188, 526, 869–870
alerts 788
sensitivity 788
sensors 787
trends 788
SIFT workstation 850
signatures, digital 395–396, 466–467, 520
signature verifying algorithms 395
signature-based intrusion detection 519–520
signing algorithms 395
SIM (subscriber identity module) cards 49, 360, 580, 584
Simple Network Management Protocol version 3 (SNMPv3) 434–436, 443
Simple Object Access Protocol (SOAP) 86
Simultaneous Authentication of Equals (SAE) 101, 551, 552
single loss expectancy (SLE) 922
single point of failure 156, 926
single quotation mark (') 73
single sign-on (SSO) 292, 373, 624, 658–659
sinkholes, DNS 223
SIP (Session Initiation Protocol) 351, 431, 800
SIRS (security incident response simulations) 766–767
SIRT. See incident response (IR) teams
sites, physical 385
site-to-site configuration 495
SKEME (Secure Key Exchange Mechanism) 497
SKEYID 500
SLAs (service-level agreements) 53, 273–274, 600, 902–903
SLE (single loss expectancy) 922
Sleuth Kit 850
smart devices 345
smart factories 342
smart meters 350
S/MIME (Secure/Multipurpose Internet Mail Extensions) 428–429
smishing 12
SMS (Short Message Service) 12, 296–297, 583, 585
SNMPv3 (Simple Network Management Protocol version 3) 434–436, 443
snmpwalk v3 command 436
SOAP (Simple Object Access Protocol) 86
SOAR. See Security Orchestration, Automation, and Response (SOAR)
SOC (System and Organization Controls) 884
SoC (system on a chip) 356–357, 477, 571
social engineering attacks
dumpster diving 13
hybrid warfare 22
identity fraud 17
baiting 19
credential harvesting 18
hoaxes 19
impersonation/pretexting 19
invoice scams 17
reconnaissance 18
influence campaigns 21
phishing and spear phishing 9–12
piggybacking 15
prepending 17
principles of 21
reasons for effectiveness 21
shoulder surfing 14
smishing 12
Spam 13
Spam over Internet Messaging (SPIM) 13
tailgating 15
user security awareness education 22–24
war-dialing 13
Social Engineering Toolkit (SET) 10
social media
attacks and vulnerabilities 22, 123, 143
as research source 128
social media analysis 899
SOCs (security operations centers) 123, 175–176, 223, 379, 760, 762, 776
software application development. See application development
software as a service (SaaS) 138, 231, 444, 853
software compliance/licensing 918
software development environments 257–260
software development lifecycle (SDLC) 78, 261–262, 263–265, 468, 868
software diversity 278
software integrity measurement 261
Software of Unknown Providence (SOUP) 347
software-defined networking (SDN) 241–243, 882
software-defined visibility (SDV) 243
software-defined wide-area network (SD-WAN) 246
solid-state drives (SSDs), forensic acquisition of 848
SOUP (Software of Unknown Providence) 347
Spam 13
Spam over Internet Messaging (SPIM) 13
SpamCop 13
SPAN (Switched Port Analyzer) ports 537–538
Spanning Tree Protocol (STP) 105, 512
spanning-tree portfast bpduguard command 512
SPAs (security posture assessments) 539
specialized embedded systems 346–347
communication considerations
baseband radio 359
NarrowBand 358
subscriber identity module (SIM) cards 360
constraints 361
authentication 363
cost 363
crypto 362
implied trust 363
inability to patch 362
network 362
power 361
range 363
heating, ventilation, and air conditioning (HVAC) 352–353
medical systems 347
multifunction printers (MFPs) 354
real-time operating systems (RTOSs) 355
smart meters 350
system on a chip (SoC) 356–357
Voice over Internet Protocol (VoIP) 350, 799–800
speech recognition 302
SPF (Sender Policy Framework) 110, 426
SPI (stateful packet inspection) 528, 562
SpiderFoot 203
SPIM (Spam over Internet Messaging) 13
Splunk 526
spoofing
ARP (Address Resolution Protocol) 105, 513
MAC (media access control) 101, 106
spraying, password 45
SPs (service providers) 292, 623, 661
SQL (Structured Query Language) 273
SQL injection (SQLi) 54, 70–74, 273–274, 464, 602
SQL Server 273
SquidProxies 514
SRAM (static random-access memory) 340
SRTP (Secure Real-Time Transport Protocol) 152, 430–431
SSAE (Statement on Standards for Attestation Engagements) 881, 883, 884
SSDs (solid-state drives), forensic acquisition of 848
SSH (Secure Shell) 427–428, 625, 628, 739–740
ssh command 427
SSIDs (service set identifiers) 98, 205, 532
SSL (Secure Sockets Layer) 82–83, 436, 441
Transport Layer Security Inspection (TLSI) 215–216
SSL Inspection (SSSI) 215
SSO (single sign-on) 292, 373, 624, 658–659
SSRF (server-side request forgery) 85–86
SSSI (SSL Inspection) 215
staging 259
stakeholder management 771–772
standard load 540
standards. See regulations and standards
stapling 698
starvation attack, DHCP 513
stateful packet inspection (SPI) 528, 562
stateful pattern-matching recognition 521
stateless packet inspection 528
Statement on Standards for Attestation Engagements (SSAE) 881, 883, 884
statements, SQL (Structured Query Language) 70
static application security testing (SAST) 468–469
static code analysis 269, 468–469
static codes 298
static random-access memory (SRAM) 340
Stegais 415
steganography 415
homomorphic 417
video 416
Steghide 415
stego-files 416
stewards, data 946
sticky sessions 489
STIX (Structured Threat Information eXpression) 125–127
storage
cloud 610
encryption 605
high availability 605
permissions 605
replication 605
secure 477
storage DLP systems 215
vulnerabilities 156
storage-area networks (SANs) 142, 323
Stored (persistent) XSS attacks 68
stored procedures 273
STP (Spanning Tree Protocol) 105, 512
strategic intelligence 860
stream ciphers 410
stretching, key 397
structured exception handling (SEH) 81, 267
Structured Query Language. See SQL (Structured Query Language)
Structured Threat Information eXpression (STIX) 125–127
Stuxnet 363
Subject Alternative Name (SAN) 693, 694–695
subnets
subscriber identity module (SIM) cards 49, 360, 580, 584
supervisory control and data acquisition (SCADA) systems 341–343
supply chains
business partnership agreements (BPAs) 903
supply chain risk management (SCRM) 166, 920
surge protectors 159
Swagger (OpenAPI) 87
swap files, forensic acquisition of 849–850
SWG (Secure Web Gateway) 613, 614
Switched Port Analyzer (SPAN) ports 537–538
switching 443
synchronization
email and web 440
time 440
synchronization (SYN) packets 84
System and Organization Controls (SOC) 884
System Information 161
system integration 155
System Monitor 542
system on a chip (SoC) 356–357, 477, 571
System Restore 158
systemd 802
system-generated passwords 638
systeminfo command 161
tables, rainbow 47
TACACS+ (Terminal Access Controller Access Control System Plus) 672–673
tactics, techniques, and procedures (TTPs) 128, 176, 767, 809
tailgating 15
Talos 347
tamper resistance 477
tape backups 326
taps, port 538
TAXII (Trusted Automated eXchange of Indicator Information) 125–127
TCB (trusted computing base) 676
TCG (Trusted Computing Group), Opal 476
Tcl 241
TCP (Transmission Control Protocol) 503
TCP/IP hijacking 84
Tcpreplay 742
TCSEC (Trusted Computer System Evaluation Criteria) 674
teaming, network interface card (NIC) 320
teams, incident response (IR) 760, 775–776
Teardrop 88
Technical Guide to Information Security Testing and Assessment (NIST) 199
TEE (trusted execution environment) 476
telemetry, fake 223
temperature sensors 382
temporal groups 182
Temporal Key Integrity Protocol (TKIP) 552
temporary files 157
Tenable Network Security Nessus 204
TERM environment variable 740
Terminal Access Controller Access Control System Plus (TACACS+) 672–673
terms of agreement 948
testing 259
black-box 80
gray-box 80
known environment/white box 468–469
cleanup 202
known environment 198
methodologies 199
partially known environment 199
passive reconnaissance 203–204
post-exploitation techniques 201
rules of engagement 200
static and dynamic code analysis 269
white-box 80
tethering 584
TGTs (ticket-granting tickets) 668
THC Hydra 749
theft
disaster analysis 925
identity 940
intellectual property 917
mobile device 580
session 83
“third countries” 220
third-party destruction and disposal services 387
third-party libraries 265
threat actors
attributes of 122
threat feeds 176
threat intelligence
automated indicator sharing (AIS) 125
Information Sharing and Analysis Centers (ISACs) 123–125
MITRE ATT&CK framework 128–129
Structured Threat Information eXpression (STIX) 125–127
Trusted Automated eXchange of Indicator Information (TAXII) 125–127
vulnerability databases 125
threat maps 127
threat modeling 264
thumbprint algorithm 692
ticket-granting tickets (TGTs) 668
tickets, Kerberos 668
time
delay 74
offset 844
synchronization 440
time bombs 39
time of check (TOC) attacks 79
time of use (TOU) attacks 79
time-based logins 639
time-based one-time password (TOTP) 295
Time Machine 158
time-to-live (TTL) 795
TKIP (Temporal Key Integrity Protocol) 552
TLS (Transport Layer Security) 82–83, 88, 108, 351, 410, 436, 441, 556, 577, 656, 698
TLSI (Transport Layer Security Inspection) 215–216
TMSAD (Trust Model for Security Automation Data) 887
TOC (time of check) attacks 79
token key 297
token-based authentication 297
tokenization 218, 461–462, 945
Top 10 Web Application Security Risks 277
Top Secret information 905, 941–942
TOS (trusted operating system) 160, 905
ToS (type of service) bits 536
Toshiba 476
TOTP (time-based one-time password) 295
TOU (time of use) attacks 79
TPM (Trusted Platform Module) 294, 459–460, 477–478, 524, 655
traffic
east-west 492
lateral 492
training, user 22–24, 899, 901–902
Transaction Signature (TSIG) 108
transference of risk 918
Transmission Control Protocol (TCP) 503
transparent proxy 516
Transport Layer Security Inspection (TLSI) 215–216
Transport Layer Security (TLS) 82–83, 88, 108, 351, 410, 436, 441, 556, 577, 656, 698
transport mode, IPsec 438, 503
traversal, directory 75–76, 149, 274–275, 276
Triple DES 412
TRNG (true random number generators) 477
true random number generators (TRNGs) 477
trust
models 698
Trusted Computer System Evaluation Criteria (TCSEC) 674
zero 494
Trust Model for Security Automation Data (TMSAD) 887
Trusted Automated eXchange of Indicator Information (TAXII) 125–127
trusted computing base (TCB) 676
Trusted Computing Group (TCG) 476
trusted execution environment (TEE) 476
trusted operating system (TOS) 160, 905
Trusted Platform Module (TPM) 294, 459–460, 477–478, 524, 655
trusted zones 825
Try-SQL Editor 71
TSIG (Transaction Signature) 108
TTLS (Tunneled Transport Layer Security) 556
TTPs (tactics, techniques, and procedures) 128, 176, 767, 809
Tunneled Transport Layer Security (TTLS) 556
tunneling 495–496, 505–508, 556
two-factor authentication (2FA) 298
Twofish 412
two-person integrity control 378
Type I errors 626
Type II errors 626
type of service (ToS) bits 536
UAC (User Account Control) 67
UAs (user agents) 800
UAVs (unmanned aerial vehicles) 353–354
ubuntu keyword 239
UDP (User Datagram Protocol) 503
UEFI (Unified Extensible Firmware Interface) 459, 851
UEM (unified endpoint management) 587–588, 825
Umbrella 509
unauthenticated modes 404
unauthorized hackers 121
Unclassified information 941–942
underscore (_) 740
unicast addresses 537
unified endpoint management (UEM) 587–588, 825
Unified Extensible Firmware Interface (UEFI) 459, 851
unified threat management (UTM) 495, 524
uniform resource locators (URLs)
redirection attacks 110
URL hijacking 44
uninterruptible power source (UPS) 320–321
union operator 73
unique serial numbers (ICCIDs) 360
Universal Serial Bus. See USB (Universal Serial Bus)
UNIX 144
unmanned aerial vehicles (UAVs) 353–354
UPDATE statement 70
updates, exam 02.0004–02.0026
UPN (User Principal Name) 696
UPS (uninterruptible power source) 320–321
URLs (uniform resource locators)
redirection attacks 110
URL hijacking 44
US Computer Emergency Readiness Team (US-CERT) 576
US Office of Personnel Management (OPM) attack 300–301
USB (Universal Serial Bus)
condoms 379
malicious USB cables 48
USB OTG (USB On-The-Go) 583
USB sticks 123
US-DMCA (Digital Millennium Copyright Act) 220
use case analysis 882
user access recertification 645
User Account Control (UAC) 67
user accounts. See accounts
user agents (UAs) 800
user behavior analysis 188
user certificates 696
User Datagram Protocol (UDP) 503
USER environment variable 740
User Interaction (UI) metric 184
User Principal Name (UPN) 696
user security awareness education 22–24
user-controlled input 464
user-generated passwords 638
UTC (Coordinated Universal Time) 845
UTM (unified threat management) 495, 524
vacations, mandatory 898–899, 900
validation
continuous 278
validity dates, certificate 692
variables, environmental 740
/var/log directory 791
VBA (Visual Basic for Applications) 113
VDEs (virtual desktop environments) 139, 232
VDIs (virtual desktop infrastructures) 139, 232
vein authentication 302
vendor management 155, 156, 331, 902–903
ver command 161
Veracode Web Application Security 204
vertical privilege escalation 67
vestibules, access control 372–373
video
forensic video analysis 842–843
secure 440
steganography 416
virtualization 606, 610. See also VPNs (virtual private networks)
APIs (application programming interfaces)
infrastructure as code 241–243
cloud computing
cloud service providers (CSPs) 233
community cloud 233
fog and edge computing 234–235
hybrid cloud 233
managed detection and response (MDR) 234
managed service providers (MSPs) 233–234
off-premises versus on-premises services 234
public cloud 232
VPCs (virtual private clouds) 607, 608, 611
definition of 247
IP addresses 488
memory 850
resource policies 246
serverless architecture 243–244
services integration 246
VDEs (virtual desktop environments) 139, 232
VDIs (virtual desktop infrastructures) 139, 232, 589
VLANs (virtual local-area networks) 490–491, 831
VMs (virtual machines) 324–325
VNC (virtual network computing) servers 632
VPCs (virtual private clouds) 607, 608, 611
viruses
antivirus software 451
fileless 37
visitor logs 383
Visual Basic for Applications (VBA) 113
VLANs (virtual local-area networks) 490–491, 831
VMs (virtual machines) 324–325
VNC (virtual network computing) servers 632
voice, secure 440
voice recognition 302
VoIP (Voice over Internet Protocol) 350, 799–800
volatility, order of 848
VPCs (virtual private clouds) 607, 608, 611
VPNs (virtual private networks) 99
always-on functionality 495
clientless versus client-based 497, 507
definition of 494
HTML5 508
IKEv1 Phase 1 negotiation 498–501
IKEv1 Phase 2 negotiation 501–503
Layer 2 Tunneling Protocol (L2TP) 508
site-to-site configuration 495, 496–497
VPN concentrators 495
vulnerabilities
cloud-based versus on-premises 137–143
code injection 149, 273–274, 276
cross-site request forgery (XSRF) 149, 272, 275
cross-site scripting (XSS) 54, 68–70, 110, 149, 272, 275, 601
dark web 143
directory traversal 149, 274–275, 276
impact of cybersecurity breaches and attacks 165–166
legacy platforms 165
memory/buffer 77–78, 149, 271–272, 275
peer to peer (P2P) networks 143
remote code execution (RCE) 78, 146, 149, 275
server defense 144
email servers 145
file servers 144
network controllers 144
social media 143
vulnerability databases 125
vulnerability scans 180–181, 559
Common Vulnerability Scoring System (CVSS) 182–186
false negative 181
false positives 181
intrusive versus nonintrusive 182
noncredentialed 182
VUPEN Web Application Security Scanner 204
w command 631
WADL (Web Application Description Language) documents 87
WAF (web application firewall) 198, 531
walkthrough exercises 766
WAP (Wireless Application Protocol) 558, 585
WAPs (wireless access points) 98, 101, 513, 559
war driving 205
war flying 205
war-dialing 13
warm sites 221
waterfall development methodology 257–258
weak defaults 346
wearables 345
Web Application Description Language (WADL) documents 87
web application firewall (WAF) 198, 531
Web Application Proxy 516
web application scanners 182
Web form–grabbing keyloggers 43
web of trust 698
web pages, metadata from 808–809
web protocol port numbers 441
web servers
logs 794
Web Services Description Language (WSDL) documents 87
web synchronization 440
WebApp360 204
webification 507
Websense 533
weighted random early detection (WRED) 536
WEP (Wired Equivalent Privacy) 102
WER (Windows Error Reporting) 853
Western Digital 476
white hat hackers 121
white teams 206
white-box testing 80
WhiteHat Sentinel 204
whoami command 632
Wi-Fi
vulnerabilities and exposures 571
Wi-Fi ad hoc 584
Wi-Fi direct 584
Wi-Fi disassociation attack 101
WPA2 (Wi-Fi Protected Access 2) 551
WPA3 (Wi-Fi Protected Access 3) 551
WPS (Wi-Fi Protected Setup) 558–559
Wigle 205
Windows Defender Firewall 457
Windows Error Reporting (WER) 853
Windows Event Viewer 791–792, 846
Windows Performance Monitor 540–542
Windows Performance tool 539
Windows PowerShell 630
WinGate 514
WinHex 746
Wired Equivalent Privacy (WEP) 102
wireless access points (WAPs) 98, 101, 513, 559
Wireless Application Protocol (WAP) 558, 585
wireless LAN (WLAN) controllers 558
wireless networks 547, 557–558
bluejacking 100
disassociation and deauthentication 101
initialization vector (IV) 103
mobile device security countermeasures 580
near-field communication (NFC) 102–103
radio frequency identification (RFID) 49, 102
authentication protocols 556–557
cryptographic protocols 551
Advanced Encryption Standard (AES) 552
Counter-mode/CBC-MAC protocol (CCMP) 552
Simultaneous Authentication of Equals (SAE) 551, 552
summary of 552
Wi-Fi Protected Access 2 (WPA2) 551
Wi-Fi Protected Access 3 (WPA3) 551–552
installation considerations
AP isolation 562
captive portals 559
controller and access point security 562–563
firewalls 562
heat maps 559
IEEE 802.1X standard 562
Multi-User Multiple Input (MU-MIMO) 560–561
orthogonal frequency-division multiple access (OFDMA) 561
Wi-Fi Analyzer tools 559
Wi-Fi Protected Setup (WPS) 558–559
wireless access point (WAP) placement 559
Wireless Transport Layer Security (WTLS) 558
WLAN (wireless LAN) controllers 558
workstations, hardening 159–160
WORM (write once read many) device 789
WPA2 (Wi-Fi Protected Access 2) 551
WPA3 (Wi-Fi Protected Access 3) 551
WPS (Wi-Fi Protected Setup) 558–559
wrap 77
write once read many (WORM) devices 789
WSDL (Web Services Description Language) documents 87
WTLS (Wireless Transport Layer Security) 558
wuapp.exe 161
X.509 standard 694
X.690 encoding formats 697
XaaS (anything as a service) 139, 232
XCCDF (Extensible Configuration Checklist Description Format) 885
XDR (Extended Detection and Response) 189
Xiao 415
XML (Extensible Markup Language)
XSD (XML Schema Definition) 86
XXE (XML External Entity) 74
XSRF (cross-site request forgery) 85–86, 149, 272, 275
XSS (cross-site scripting) 54, 68–70, 110, 149, 272, 275, 464, 601
X-Ways Software Technology AG 746
XXE (XML External Entity) 75
YOLO (You Only Look Once) 376
YubiKey 297
Zed Attack Proxy 204
zero trust 494
zero-day vulnerabilities 149, 275, 276, 522
Zimbra 145
zones
high availability across 603, 609
zone signing keys (ZSKs) 427
zone transfers 109
ZSKs (zone signing keys) 427