Index
Numbers
3-leg perimeter DMZ (Demilitarized Zones), 183
3DES (Data Encryption Standard), 486, 489
10 tape rotation backup scheme, 565
802.1X, 344
authentication procedure, 331
connection components, 331
A
AAA (Accounting, Authentication, Authorization)
captive portals, 337
cloud security, 195
context-aware authentication, 328
deauthentication attacks. See Wi-Fi, disassociation attacks
definition, 321
Diameter port associations, 221
extranets, 185
HMAC, 499
identification, 321
inherence factors, 322
intranets, 185
knowledge factors, 322
LEAP, 332
localized authentication, 329–337, 344
MFA, 327
MS-CHAP, 338
multifactor authentication, 337, 589
mutual authentication, 334
networks, 72
nonces, 235
PAM, Kerberos, 336
physical security, 321
possession factors, 322
reduced sign-ons, 328
remote authentication, 337–345
Remote Desktop Services, 336–337
web of trust, 529
authorization, 5
biometric readers, 326–327, 345
definition, 321
Diameter port associations, 221
FIM, 328
fingerprint readers/scanners, 326
RADIUS port associations, 221
ABAC (Attribute-Based Access Control), 365–366
accepting
cookies, 136
risk, 398
access (unauthorized), 6
access control
ACL, permissions, 371
Administrator accounts, 378
Bell-LaPadula, 364
Biba, 364
CAPTCHA, 383
centralized access control, 366
Clark-Wilson, 364
Ctrl+Alt+Del at logon, 379
DACL, 372
decentralized access control, 366
files/folders
copying, 376
moving, 376
groups, 371
guest accounts, 378
implicit deny, 366
job rotation, 368
least privilege, 367
MAC, 366
data labeling, 363
lattice-based access control, 364
rule-based access control, 364
mobile devices, 75
permissions
ACL, 371
DACL, 372
Linux file permissions, 373
privilege creep, 374
propagating, 375
SACL, 372
user access recertification, 374
policies
Account Lockout Threshold Policy, 382
Default Domain Policy, 379
SACL, 372
separation of duties, 368
users, 369
access recertification, 374
Account Expiration dates, 370
ADUC, 369
multiple user accounts, 371
time-of-day restrictions, 370
Account Expiration dates, 370
Account Lockout Threshold Policy, 382
accounting
AAA, 6
Diameter, port associations with, 221
RADIUS, port associations with, 221
ACK packets
SYN floods, 227
TCP/IP hijacking, 232
ACL (Access Control Lists)
DACL, 372
firewall rules, 258
permissions, 371
routers, 179
SACL, 372
active interception, malware delivery, 28
active reconnaissance (security analysis), 403
ActiveX controls, 137
acts (legislative policies), 616–617
ad blocking, browser security, 135
ad filtering, 58
adapters (network)
multiple network adapters, 559
adaptive frequency hopping, 306
add-ons
ActiveX controls, 137
malicious add-ons, 138
managing, 138
addresses (email), preventing/
troubleshooting spam, 40
administration
account passwords, 378
centrally administered management systems, 92
guest accounts, passwords, 378
HIDS, 57
offboarding, 76
onboarding, 76
removable media controls, 63
rootkits, 24
Alureon rootkits, 26
definition of, 26
Evil Maid Attack, 26
preventing/troubleshooting, 41
security plans, 7
administration interface (WAP), 295–296
ADUC (Active Directory Users and Computers), 369
adware, 23
AES (Advanced Encryption Standard), 64, 298, 482, 487–489
agents, SNMP, 444
aggregation switches, 177
agile model (SDLC), 146
agreements, copies of (DRP), 570
AH (Authentication Headers), IPsec, 534
aisles (HVAC), facilities security, 597
ALE (Annualized Loss Expectancy), quantitative risk assessment, 400–401
alerts, performance baselining, 440
ALG (Application-Level Gateways), 259
algorithms
asymmetric algorithms, 483
Diffie-Hellman key exchange, 491
RSA, 490
Blowfish, 489
CBC, 482
ciphers, 480
DEA, 486
defining, 480
ECDHE, 492
genetic algorithms, 496
HMAC, 499
IDEA, 486
MD5, 498
password hashing
birthday attacks, 503
key stretching, 504
NTLMv2 hashing, 502
pass the hash attacks, 502–503
RC
RC5, 489
RC6, 489
RIPEMD, 499
RSA, 490
3DES, 486
Blowfish, 489
DEA, 486
IDEA, 486
Threefish, 489
Twofish, 489
Threefish, 489
Twofish, 489
all-in-one security appliances, 266
alternative controls. See compensating controls
always-on VPN (Virtual Private Network), 342
analytical monitoring tools
Computer Management, 445
keyloggers, 447
net file command, 446
netstat command, 446
openfiles command, 445
static and dynamic analytical tools, 447
analyzing
data, incident response procedures, 631
protocols, 415
risk, IT security frameworks, 635
security, active/passive reconnaissance, 402–403
Angry IP Scanner, 414
anomaly-based monitoring, 436–437
ANT sensors (HVAC), facilities security, 598
anti-malware
software, 8
updates, 108
antivirus software
preventing/troubleshooting
Trojans, 35
worms, 35
Safe Mode, 34
anycast IPv6 addresses, 181
AP (Access Points)
Bluetooth AP, 306
evil twins, 297
isolating, WAP, 303
Rogue AP, 296
WAP, wireless network security
administration interface, 295–296
AP isolation, 303
evil twins, 297
firewalls, 302
MAC filtering, 302
placement of, 300
PSK, 298
rogue AP, 296
SSID, 296
VPN, 300
wireless point-to-multipoint layouts, 301
WLAN controllers, 303
WPS, 299
WLAN AP, 306
Apache servers, 201
application-aware devices, 269
Application layer (OSI model), 174
applications (apps)
arbitrary code execution, 155
back office applications, securing, 143
backdoor attacks, 22, 29, 153, 159
backward compatibility, 91
containerization, 112
DLL injections, 158
Excel, securing, 143
firewalls, 261
geotagging, 74
immutable systems, 146
integer overflows, 154
key management, 72
LDAP injections, 157
logs, 452
memory leaks, 154
MMS attacks, 73
mobile apps, security, 143
network authentication, 72
NoSQL injections, 157
null pointer dereferences, 154
Outlook, securing, 143
patch management, 142
programming
ASLR, 155
authenticity, 148
CIA triad, 146
code checking, 148
code signing, 148
error-handling, 148
integrity, 148
minimizing attack surface area, 147
obfuscation, 148
passwords, 147
patches, 148
permissions, 147
principle of defense in depth, 147
principle of least privilege, 147
quality assurance policies, 147
secure code review, 146
secure coding concepts, 144
threat modeling, 147
trusting user input, 147
vulnerabilities/attacks, 153–159
proxies, 264
security
back office applications, 143
Excel, 143
firewalls, 261
mobile apps, 143
network authentication, 72
Outlook, 143
patch management, 142
policy implementation, 140
secure coding concepts, 144
server authentication, 72
UAC, 140
Word, 143
server authentication, 72
service ports, 219
SMS attacks, 73
SQL injections, 156
transitive trust, 72
uninstalling, preventing/troubleshooting spyware, 36
unnecessary applications, removing, 90–91
user input, 147
Word, securing, 143
XML injections, 157
APT (Advanced Persistent Threats), 11, 22
arbitrary code execution, 155
archive.org, 202
armored viruses, 21
ARO (Annualized Rate of Occurrence), quantitative risk assessment, 400–401
ARP spoofing, 177
ASLR (Address Space Layout Randomization), 155
assessing
impact, 399
risk
impact assessment, 399
qualitative risk management, 399, 402
qualitative risk mitigation, 400
quantitative risk management, 400–402
residual risk, 398
risk acceptance, 398
risk avoidance, 398
risk reduction, 398
risk registers, 399
risk transference, 398
defining vulnerabilities, 396
general vulnerabilities/basic prevention methods table, 409–410
IT security frameworks, 635
managing vulnerabilities, 405–410
vulnerability scanning, 412–414
asymmetric algorithms, 483
Diffie-Hellman key exchange, 491
RSA, 490
attack guards, 227
attack surface, reducing, 94, 147
attack vectors, malware delivery, 26
attacks/vulnerabilities, programming
arbitrary code execution, 155
backdoor attacks, 22, 29, 153, 159
DLL injections, 158
integer overflows, 154
LDAP injections, 157
memory leaks, 154
NoSQL injections, 157
null pointer dereferences, 154
SQL injections, 156
XML injections, 157
attestation, BIOS, 62
auditing
audit trails, 451
computer security audits, 448
independent security auditors, 448
logging
application logs, 452
audit trails, 451
DFS Replication logs, 452
DNS Server logs, 452
file maintenance/security, 455–457
firewall logs, 453
system logs, 452
viewing security events, 450
manual auditing, 448
monitoring and, 434
SIEM, 460
system security settings, 457–460
AUP (Acceptable Use Policies), 618, 622
AAA, 5
captive portals, 337
CHAP, 345
MS-CHAP, 338
cloud security, 195
context-aware authentication, 328
deauthentication attacks. See Wi-Fi, disassociation attacks
definition, 321
Diameter, port associations with, 221
EAP
EAP-FAST, 332
EAP-MD5, 332
EAP-TLS, 332
EAP-TTLS, 332
LEAP, 332
extranets, 185
HMAC, 499
identification, 321
inherence factors, 322
intranets, 185
knowledge factors, 322
LEAP, 332
localized authentication, 329
mutual authentication, 334
Remote Desktop Services, 336–337
MFA, 327
MS-CHAP, 338
multifactor authentication, 337, 589
mutual authentication, 334
networks, 72
nonces, 235
PAM, Kerberos, 336
physical security, 321
possession factors, 322
RADIUS
port associations with, 221
reduced sign-ons, 328
remote authentication
Remote Desktop Services, 336–337
web of trust, 529
authenticators (802.1X), 331
authenticity, programming security, 148
authorization
AAA, 5
biometric readers, 326–327, 345
definition, 321
Diameter, port associations with, 221
FIM, 328
fingerprint readers/scanners, 326
RADIUS, port associations with, 221
automated monitoring, 435
automated systems, war-dialing, 587
automatically updating browsers, 128
automating cyber-crime. See crimeware
availability
VoIP, 191
avoiding risk, 398
awareness training, 7, 621–622
B
back office applications, securing, 143
Back Orifice backdoor attacks, 22, 29
back-to-back firewall/DMZ configurations, 259
back-to-back perimeter networks, 184
backdoors
backdoor attacks, 22, 29, 153, 159
malware delivery, 29
RAT, 29
wired network/device security, 288–289
backups, 8
battery backups, 552
data, 557
10 tape rotation backup scheme, 565
differential data backups, 563–565
full data backups, 563
grandfather-father-son backup scheme, 565
incremental data backups, 563–564
snapshot backups, 566
Towers of Hanoi backup scheme, 566
disaster recovery
drills/exercises, 570
fire, 567
flood, 568
loss of building, 568
power loss (long-term), 568
theft/malicious attacks, 568
generators
considerations for selecting, 554
types of, 553
hard disks, 107
redundancy planning
battery backups, 552
employees, 562
fail-closed, 549
fail-open, 549
failover redundancy, 548
single points of failure, 547–548
standby generators, 553
succession planning, 562
websites, 561
unsavable computers, malware, 40
backward compatibility, 91
badware, 37
baiting, social engineering attacks, 589–591
banner grabbing, 414
baselining, 105
alerts, 440
baseline reporting, 438
Performance Monitor, 439
standard loads, 438
System Monitor, 440
battery backups, 552
battery-inverter generators, 554
BCC (Blind Carbon Copy), preventing/troubleshooting spam, 40
BCP (Business Continuity Plans), 569
behavior-based monitoring, 436–437
Bell-LaPadula access control model, 364
BER (Basic Encoding Rules) format, certificates, 524
BIA (Business Impact Analysis), BCP, 569
Biba access control model, 364
biometric readers, physical security, 326–327, 345
BIOS (Basic Input/Output System)
attestation, 62
boot order, 61
external ports, disabling, 61
flashing, 60
measured boot option, 62
passwords, 60
root of trust, 62
secure boot option, 61
updates, 108
birthday attacks, 503
bit torrents, malware delivery, 27
BitLocker, disk encryption, 64–65
black book phone number encryption, 477–480
black-box testing, 149
black hats, 9
Blackhole exploit kits, 27
blackhole lists, 230
blackholes, 230
blacklists
applications, 92
OS hardening, 92
preventing/troubleshooting spam, 40
blackouts (power supplies), 550
blind hijacking, 233
blocking cookies, 136
Blowfish, 489
blue hats, 10
Bluetooth
adaptive frequency hopping, 306
AP, 306
frequency hopping, 306
NFC, 306
boot order, BIOS, 61
botnets
malware delivery, 28
ZeroAccess botnet, 28
bots, 22
BPA (Business Partner Agreements), 623–624
bridges, 178
broadcast storms, 441
brownouts (power supplies), 550
browsers
automatically updating, 128
company requirements, 128
functionality, 129
HTTP connections, 71
OS, determining, 128
PAC files, 263
preventing/troubleshooting spyware, 35
security, 129
ad-blocking, 135
advanced security settings, 138–139
LSO, 137
mobile devices, 135
passwords, 139
policy implementation, 129, 131
pop-up blocking, 135
security zones, 135
temporary files, 138
updates, 135
user training, 133
vulnerabilities/fixes, 128
brute-force attacks
password cracking, 419
buildings
loss of (disaster recovery), 568
security
butt sets, wiretapping, 293
BYOD (Bring Your Own Device), mobile device security, 74–78
C
CA (Certificate Authorities)
chain of trust, 528
CRL, 527
CSR, 525
horizontal organization, 528
key escrow, 528
key recovery agents, 528
mapping certificates, 527
revoking certificates
CRL, 527
OCSP, 528
social engineering and, 527
validating certificates, 525
verifying certificates with RA, 527
VeriSign certificates, 72, 525
web of trust, 529
cable loops, switches, 177
cabling
interference
EMI, 290
RFI, 291
PDS, 295
twisted-pair cabling, 290
wiretapping, 293
UTP cabling, 292
wired network/device security, 290–295
wiring closets, 294
CAC (Common Access Cards). See smart cards
Caesar Cipher, 478
Cain & Abel, password cracking, 417–418
California SB 1386, 617
CallManager, privilege escalation, 288
CAM (Content Addressable Memory) tables, MAC flooding, 176
Camtasia 9, 91
Camtasia Studio 8, 91
CAN (Controller Area Networks), vehicles and facilities security, 600
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), 383
captive portals, 337
capturing
network traffic, incident response procedures, 631
screenshots, incident response procedures, 631
system images, incident response procedures, 630
video, incident response procedures, 631
cardkey systems, 324
carrier unlocking, mobile devices, 69
CASB (Cloud Access Security Brokers), 197
CBC (Cipher Block Chaining), 482
CBC-MAC (Cipher Block Chaining Message Authentication Code) protocol, 298
CCI (Co-Channel Interference). See crosstalk
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 298
CCTV (Closed-Circuit Television), 323
cell phones. See mobile devices
cellular networks, 308
centralized access control, 366
centrally administered management systems, 92
CER (Canonical Encoding Rules) format, certificates, 524
CER (Crossover Error Rates), biometric readers, 326
certificates
digital certificates
CA, 525
CRL, 527
CSR, 525
key escrow, 528
key recovery agents, 528
mapping, 527
validation, 525
verifying with RA, 527
VeriSign certificates, 72, 525
web of trust, 529
post-certification process, 655
public key cryptography, 484
chain of custody (evidence collection), 629
change management policies, 619, 622
CHAP (Challenge-Handshake Authentication Protocol), 345
MS-CHAP, 338
PPTP and, 533
session theft, 232
cheat sheets, exam preparation, 649–650
checkpoints, VM disk files, 114
Christmas Tree attacks, 228
chromatic dispersion, 294
CIA triad, 4
availability, 5
confidentiality, 5
integrity, 5
secure code review, 146
CIDR (Classless Interdomain Routing), 187
cipher locks, 324
ciphers
algorithms as, 480
Caesar Cipher, 478
defining, 480
RC
RC5, 489
RC6, 489
stream ciphers, 482
Vernam ciphers. See one-time pads
circuit-level gateways, 259
Cisco routers, 178
Clark-Wilson access control model, 364
clean desk policy, 592
clearing (data removal), 626
clear-text passwords, 443
CLI (Command-Line Interface), closing open ports, 224
clickjacking, 233
client-side attacks, 236
closets (wiring), 294
cloud computing
community clouds, 194
CSP, 194
definition, 192
DLP systems, 59
hybrid clouds, 194
IaaS, 193
MaaS, 194
P2P networks and, 198
PaaS, 193
private clouds, 194
public clouds, 194
SaaS, 193
SECaaS, 193
security
authentication, 195
CASB, 197
data access security, 196
encryption, 196
passwords, 195
programming standardization, 196
server defense
network controllers, 199
services, 197
social media and, 197
XaaS, 194
clusters, 561
cluster tips, 626
data remanence, 626
failover clusters, 560
load-balancing clusters, 560
code checking, programming security, 148
code injections, 159
DLL injections, 158
LDAP injections, 157
NoSQL injections, 157
SQL injections, 156
XML injections, 157
XSRF, 156
XSS, 156
code signing, programming security, 148
coding
ASLR, 155
authenticity, 148
CIA triad, 146
code checking, 148
code signing, 148
error-handling, 148
integrity, 148
minimizing attack surface area, 147
obfuscation, 148
passwords, 147
patches, 148
permissions, 147
principle of defense in depth, 147
principle of least privilege, 147
quality assurance policies, 147
SDLC
agile model, 146
V-shaped model, 145
waterfall model, 145
secure code review, 146
secure coding concepts, 144
testing methods
black-box testing, 149
compile-time errors, 150
dynamic code analysis, 152
fuzz testing, 152
gray-box testing, 149
penetration tests, 149
runtime errors, 150
sandboxes, 149
SEH, 150
stress testing, 149
white-box testing, 149
threat modeling, 147
trusting user input, 147
vulnerabilities/attacks
arbitrary code execution, 155
backdoor attacks, 22, 29, 153, 159
DLL injections, 158
integer overflows, 154
LDAP injections, 157
memory leaks, 154
NoSQL injections, 157
null pointer dereferences, 154
SQL injections, 156
XML injections, 157
cold and hot aisles (HVAC), facilities security, 597
cold sites, 561
collecting/preserving evidence (incident response procedures), 629, 632–633
collisions, MD5, 498
command-line scripting, network attacks, 235
community clouds, 194
company policies
data sensitivity
classifying data, 615
DHE, 616
equipment recycling/donation policies, ISA, 625
personal security policies, 617
change management policies, 619, 622
due diligence, infrastructure security, 621–623
offboarding, 620
privacy policies, 618
separation of duties/job rotation policies, 619, 622
vendor policies, 623
ISA, 624
MoU, 624
compatibility (backward), 91
compensating controls, 405
compile-time errors, 150
compliance
GRC, 617
licensing compliance violations, 632
CompTIA exams
exam preparation checklist, 647–650
grading scale, 647
post-certification process, 655
registration, 650
Computer Management, 445
computers
security audits, 448
confidence tricks (cons), social engineering, 588
confidential information, classifying (data sensitivity), 615
confidentiality (CIA triad), 5, 146
configuration baselines, 105
configuring
managing configurations, 102
PAC files, 263
routers, secure configurations, 178
conserving hard disk space, 91
console (WAP). See administration interface
consolidating services, 144
contacts, DRP, 569
containerization (applications), 112
containment phase (incident response procedures), 628
content filtering, 58
Internet, 265
routers, 179
context-aware authentication, 328
contingency planning. See BCP; ITCP
contracts
ISA, 624
MoU, 624
cookies
accepting/blocking, 136
definition of, 136
Flash cookies. See LSO
persistent cookies, 136
privacy alerts, 136
session hijacking, 137
session theft, 232
tracking cookies, 137
XSS, 137
COOP (Continuity of Operations Plan). See BCP
COPE (Corporate Owned, Personally Enabled) mobile devices, security, 74
copying files/folders, 376
corrective controls, 405
crashes. See system failure
crimeware, 27. See also malware
critical systems/data, hierarchical lists of (DRP), 570
critical updates, 98
CRL (Certificate Revocation Lists), 527
cross-site scripting. See XSS
cryptanalysis attacks (password cracking method), 419
cryptography. See also encryption
asymmetric key algorithms, 483
black book phone number encryption, 477–480
Caesar Cipher, 478
ciphers
algorithms as, 480
defining, 480
stream ciphers, 482
ECDHE, 492
hash functions
HMAC, 499
MD5, 498
RIPEMD, 499
keys
DEK, 488
Diffie-Hellman key exchange, 484, 491
KEK, 488
key stretching, 504
MEK, 488
private key cryptography, 481
public key cryptography, 481–484
quantum cryptography, 493
steganography, defining, 485
symmetric key algorithms, 481–482
cryptoprocessors. See HSM
CSO (Chief Security Officers), disaster recovery planning, 570
CSP (Cloud Service Providers), 194
CSR (Certificate Signing Requests), 525
CSU (Channel Service Units), 179
Ctrl+Alt+Del at logon, 379
custody, chain of (evidence collection), 629
CVE (Common Vulnerabilities and Exposures), 200–201
cyber-crime, automating. See crimeware
cyber-criminals, 11
CYOD (Choose Your Own Device), mobile device security, 74
D
DAC (Discretionary Access Control), 361–365
DACL (Discretionary Access Control Lists), 372
damage/loss control (incident response procedures), 630
Darkleech, 201
darknet, 198
data access security, cloud security, 196
data analysis, incident response procedures, 631
data at rest, defining, 477
10 tape rotation backup scheme, 565
differential data backups, 563–565
disaster recovery, 562
10 tape rotation backup scheme, 565
differential data backups, 563–565
full data backups, 563
grandfather-father-son backup scheme, 565
incremental data backups, 563–564
snapshot backups, 566
Towers of Hanoi backup scheme, 566
full data backups, 563
grandfather-father-son backup scheme, 565
incremental data backups, 563–564
snapshot backups, 566
Towers of Hanoi backup scheme, 566
data centers, mantraps, 589
asymmetric algorithms, 483
Blowfish, 489
CBC, 482
ciphers
algorithms as, 480
defining, 480
stream ciphers, 482
cryptography
black book phone number encryption, 477–480
Caesar Cipher, 478
quantum cryptography, 493
data at rest, defining, 477
data in transit, defining, 477
data in use, defining, 477
DEA, 486
defining, 480
Diffie-Hellman key exchange, 484, 491–492
ECB, block ciphers, 482
ECDHE, 492
IDEA, 486
keys
DEK, 488
Diffie-Hellman key exchange, 484, 491
KEK, 488
key stretching, 504
MEK, 488
private key cryptography, 481
public key cryptography, 481–484
password hashing
birthday attacks, 503
key stretching, 504
NTLMv2 hashing, 502
pass the hash attacks, 502–503
PKI
defining, 521
L2TP, 534
PPTP, 533
PRNG, 495
RC
RC5, 489
RC6, 489
RSA, 490
steganography, defining, 485
Threefish, 489
Twofish, 489
web of trust, 529
data exfiltration, 378
data handling (DHE), sensitive data, 616
data in transit, defining, 477
data in use, defining, 477
data labeling, MAC, 363
Data Link layer (OSI model), 174
data redundancy, RAID
RAID 0, 555
RAID 0+1, 556
RAID 10, 556
data removal, 8
clearing, 626
destroying storage media (physical data removal), 627
purging, 626
data sensitivity
classifying data, 615
data handling (DHE), 616
data storage segmentation, mobile devices, 75
data validation. See input validation
databases (relational)
normalization, 157
DDoS (Distributed Denial-of-Service) attacks, 229–230, 240
DEA (Data Encryption Algorithm), 486
deauthentication attacks (Wi-Fi). See disassociation attacks (Wi-Fi)
decentralized access control, 366
default accounts, wired network/device security, 286
Default Domain Policy, 379
defragmenting hard disks, 107
DEK (Data Encryption Keys), 488
deleting data
clearing, 626
destroying storage media (physical data removal), 627
purging, 626
delivery systems (malware)
active interception, 28
attack vectors, 26
backdoors, 29
bit torrents, 27
botnets, 28
Easter eggs, 30
email, 26
exploit kits, 27
FTP servers, 26
instant messaging, 26
keyloggers, 27
logic bombs, 29
media-based delivery, 27
memory cards, 27
optical discs, 27
P2P networks, 27
privilege escalation, 29
smartphones, 27
software, 26
threat vectors, 26
time bombs, 29
typosquatting, 27
URL hijacking, 27
USB flash drives, 27
user error, 27
websites, 27
zip files, 26
zombies, 28
DER (Distinguished Encoding Rules) format, certificates, 524
DES (Data Encryption Standard), 486, 489
designing networks
back-to-back perimeter networks, 184
bridges, 178
cellular networks, 308
cloud computing
community clouds, 194
CSP, 194
definition, 192
hybrid clouds, 194
IaaS, 193
MaaS, 194
P2P networks and, 198
PaaS, 193
private clouds, 194
public clouds, 194
SaaS, 193
SECaaS, 193
services, 197
social media and, 197
XaaS, 194
CSU, 179
DMZ
3-leg perimeter DMZ, 183
back-to-back perimeter networks, 184
documenting network design, 309
DSU, 179
firewalls, back-to-back perimeter networks, 184
Internet, 183
IP addresses, ports and, 222
LAN
routers, 178
WAN versus, 182
NAT
firewall effect, 180
private IPv4 addresses, 180
private IPv6 addresses, 181–182
public IPv4 addresses, 180
static NAT, 180
OSI model, 173
layers of, 174
TCP/IP model versus, 175
PAT, IPv4 addresses, 180
PBX equipment, 191
ports
application service ports, 219
associated protocols table, 219–221
closing open ports, 224
dynamic ports, 218
FTP servers, 223
inbound ports, 219
IP addresses and, 222
outbound ports, 219
port zero security, 224
private ports, 218
ranges, 218
registered ports, 218
scanning for open ports, 223
TCP reset attacks, 225
unnecessary ports, 224
well-known ports, 218
protocols and port associations
associated protocols table, 219–221
Diameter, 221
DNS, 220
FCIP, 221
HTTP, 220
IMAP, 220
iSCSI, 221
Kerberos, 220
L2TP, 221
LDAP, 221
Ms-sql-s, 221
NetBIOS, 220
NNTP, 220
POP3, 220
PPTP, 221
RADIUS, 221
RDP, 221
RPC, 220
RTP, 222
SMB, 221
SMTP, 220
SNMP, 220
SNMPTRAP, 220
SSH, 219
Syslog, 221
TACACS+, 220
Telnet, 220
TFTP, 220
routers
ACL, 179
Cisco routers, 178
content filtering, 179
firewalls, 178
IPS, 179
secure configurations, 178
secure VPN connectivity, 179
SATCOM, 308
switches, 175
aggregation switches, 177
ARP spoofing, 177
DHCP starvation attacks, 177
fail-open mode, 176
looping, 177
physical tampering, 177
STP, 177
TCP/IP model versus OSI model, 175
telephony
PBX equipment, 191
VoIP, 191
VoIP, 191
VPN, WAP, 300
WAN
LAN versus, 183
routers, 178
wired network/device security, 285
default accounts, 286
network attacks, 289
remote ports, 289
Telnet, 289
wireless network security
cellular networks, 308
documenting network design, 309
geofences, 308
GPS, 308
RFID, 307
SATCOM, 308
third-party wireless adapter connections, 296
VPN, 300
wireless protocols, 298
wireless transmission vulnerabilities, 304–305
destroying storage media (data removal), 627
detecting rootkits, 24
detective controls, 405
device drivers, updates, 99
DFS (Distributed File System) Replication logs, 452
DHCP snooping, 177
DHCP starvation attacks, 177
DHE (Data-Handling Electronics), sensitive data, 616
DHTML (Dynamic HTML), hover ads, 59
Diameter, port associations with, 221
dictionary attacks (password cracking method), 419
differential data backups, 563–565
Diffie-Hellman key exchange, 484, 491–492
digital certificates
CA, 525
CRL, 527
CSR, 525
key escrow, 528
key recovery agents, 528
mapping, 527
PKI
BER format, 524
CA, 525
CER format, 524
DER format, 524
dual-sided certificates, 523
DV certificates, 522
EV certificates, 522
multidomain certificates, 523
OV certificates, 522
P12/PFX format, 524
PEM format, 524
SAN field, 523
single-sided certificates, 523
wildcard certificates, 523
X.509 standard, 522
revoking
CRL, 527
OCSP, 528
validation, 525
verifying with RA, 527
VeriSign certificates, 72, 525
web of trust, 529
digital signatures, public key cryptography, 484
disabling
default accounts, 286
external ports, 61
guest accounts, 286
hardware, virtualization, 115
LSO, 137
SSID broadcasting, 262
disassociation attacks (Wi-Fi), 305
disaster recovery
data backups, 562
10 tape rotation backup scheme, 565
differential data backups, 563–565
full data backups, 563
grandfather-father-son backup scheme, 565
incremental data backups, 563–564
snapshot backups, 566
Towers of Hanoi backup scheme, 566
drills/exercises, 570
DRP
agreements, copies of, 570
BCP, 569
contacts, 569
critical systems/data, hierarchical lists of, 570
drills/exercises, 570
impact determination, 569
fire, 567
flood, 568
loss of building, 568
power loss (long-term), 568
theft/malicious attacks, 568
disaster-tolerant disk systems, RAID, 558
disk duplexing, 556
disk encryption
FDE, 64
SED, 64
diversion theft, social engineering attacks, 586, 590
DLL injections, 158
DLP (Data Loss Prevention), 59, 267
DMZ (Demilitarized Zones)
3-leg perimeter DMZ, 183
back-to-back configurations, 259
back-to-back perimeter networks, 184
firewalls, 259
DNS (Domain Name Servers)
amplification attacks, 230, 240
blackholes, 230
logs, 452
pharming, 237
port associations with, 220
sinkholes, 230
unauthorized zone transfers, 237, 241
zone transfers, 258
DNSBL (DNS Blackhole Lists), 230
documentation (file network), 309
domain controllers
IE domain controller-managed policies, 131–132
KDC, tickets, 334
domains
Default Domain Policy, 379
donating/recycling equipment policies, 625
door access, physical security
cardkey systems, 324
cipher locks, 324
mantraps, 326
proximity sensors, 325
security tokens, 325
smart cards, 325
DoS (Denial-of-Service) attacks
flood attacks, 226
UDP flood attacks, 227
Xmas attacks, 228
fork bombs, 229
permanent DoS attacks, 229
spoofed MAC addresses, 305
dot dot slash attacks. See directory traversals
double-tagging attacks, 189
downgrade attacks, 532
drive lock passwords, 61
driver updates, 99
DRM (Digital Rights Management), jailbreaking, 288
drones, facilities security, 601
DRP (Disaster Recovery Plans)
agreements, copies of, 570
BCP, 569
contacts, 569
critical systems/data, hierarchical lists of, 570
drills/exercises, 570
impact determination, 569
DSU (Data Service Units), 179
dual-sided certificates, 523
due diligence, infrastructure security, 621–623
dumpster diving, social engineering attacks, 588–590
duties
segregation of, 405
DV (Domain Validation) certificates, 522
DyFuCA (Internet Optimizer), 26
dynamic and static analytical monitoring tools, 447
dynamic code analysis, 152
dynamic ports, 218
E
EAP (Extensible Authentication Protocol), 330–332
Easter eggs, malware delivery, 30
eavesdropping, social engineering attacks, 588–590
ECB (Electronic Codebook), block ciphers, 482
ECC (Elliptic Curve Cryptography), 492–493
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), 492
educating users, 591–593, 621–622
elite hackers, 10
address links, preventing/troubleshooting spam, 40
BCC, preventing/troubleshooting spam, 40
blacklists, preventing/troubleshooting spam, 40
identity theft emails, 26
lottery scam emails, 26
malware delivery, 26
open mail relays, preventing/troubleshooting spam, 39
spam, 25
definition of, 26
preventing/troubleshooting, 41
spam honeypots, 266
whitelists, preventing/troubleshooting spam, 40
email servers, security, 199–200
emergency response detail (incident response procedures), 629
EMI (Electromagnetic Interference), cabling, 290
EMP (Electromagnetic Pulses), 599
employees
clean desk policy, 592
first responders (incident response procedures), 629
offboarding, 620
personal security policies, 617
change management policies, 619, 622
due diligence, infrastructure security, 621–623
offboarding, 620
privacy policies, 618
separation of duties/job rotation policies, 619, 622
succession planning, 562
vetting, 592
emulators, 111
asymmetric key algorithms, 483
Blowfish, 489
CBC, 482
ciphers
algorithms as, 480
defining, 480
stream ciphers, 482
cloud security, 196
cryptography
black book phone number encryption, 477–480
Caesar Cipher, 478
quantum cryptography, 493
data at rest, defining, 477
data in transit, defining, 477
data in use, defining, 477
DEA, 486
defining, 480
Diffie-Hellman key exchange, 484, 491–492
ECB, block ciphers, 482
ECDHE, 492
encrypted viruses, 20
FTP servers, 202
full device encryption, mobile devices, 70
hard drives
FDE, 64
SED, 64
IDEA, 486
keys
DEK, 488
Diffie-Hellman key exchange, 484, 491
KEK, 488
key stretching, 504
MEK, 488
private key cryptography, 481
public key cryptography, 481–484
mobile devices, 67
password hashing, 500
birthday attacks, 503
key stretching, 504
NTLMv2 hashing, 502
pass the hash attacks, 502–503
PKI
certificates, 522–524, 528–530
defining, 521
L2TP, 534
PPTP, 533
S/MIME, 531
PRNG, 495
RC
RC5, 489
RC6, 489
RSA, 490
steganography, defining, 485
symmetric key algorithms, 481–482
Threefish, 489
Twofish, 489
USB devices, 63
viruses, preventing/troubleshooting, 33
web of trust, 529
whole disk encryption, 108
end-of-chapter questions, exam preparation, 648
endpoint DLP systems, 59
enumeration, 414
ephemeral mode
Diffie-Hellman key exchange, 492
ECDHE, 492
equipment recycling/donation policies, 625
eradication phase (incident response procedures), 628
ERP (Enterprise Resource Planning), IT security frameworks, 635
error-handling
compile-time errors, 150
programming security, 148
runtime errors, 150
SEH, 150
escrow, certificate keys, 528
ESP (Encapsulating Security Payloads), IPsec, 535
Ethernet
FCoE, 221
Ethernet switching. See switches
ethical hackers, 9
EV (Extended Validation) certificates, 522
events (security)
audit trails, 451
failure to see events in security logs, 450
incidents versus, 627
SIEM, 460
evidence, collecting/preserving (incident response procedures), 629, 632–633
Evil Maid Attacks, 26
evil twins, WAP, 297
exams
preparing for
exam preparation checklist, 647–650
grading scale, 647
post-certification process, 655
registering for, 650
Excel (MS), securing, 143
exception-handling, SEH, 150
expenses/man hours, tracking (incident response procedures), 632
explicit allow firewall rule (ACL), 258
explicit deny firewall rule (ACL), 258
exploit kits, malware delivery, 27
exposing sensitive data, 151
external ports, disabling, 61
F
F2F (Friend-to-Friend) networks, 198
facilities
loss of (disaster recovery), 568
security
fail-closed, redundancy planning, 549
fail-open, redundancy planning, 549
fail-open mode, switches, 176
failover clusters, 560
failover redundancy, 548
failure-resistant disk systems, RAID, 557
failure-tolerant disk systems, RAID, 558
failures
single points of (redundancy planning), 547–548
system failure, 6
false acceptances, biometric readers, 326, 345
false negatives
IDS, 56
IPS, 270
false positives
IDS, 56
NIPS, 270
false rejection, biometric readers, 326, 345
fault tolerance, 557
FCIP (Fiber Channel over IP), port associations with, 221
FCoE (Fibre Channel over Ethernet), 221
FDE (Full Disk Encryption), 64
FEXT (Far End Crosstalk), 292
file servers, security, 198–199
file systems, OS hardening, 105–106
fileless malware, 24
files/folders
copying, 376
IT folder
advanced security settings, 459–460
permissions, 458
log file maintenance/security, 455–457
moving, 376
net file command, analytical monitoring, 446
openfiles command, analytical monitoring, 445
filters
ad filtering, 58
Internet content filtering, 265
NAT filtering, 259
packet filtering, 258
Spam filters, 38
stateless packet filters, spoofing attacks, 259
web security gateways, 265
FIM (Federated Identity Management), 328
final network documentation, 309
fingerprint readers/scanners, physical security, 326
fingerprinting, 403
fire
disaster recovery, 567
suppression
special hazard protection systems, 596
FireFox, secure connections, 525
firewalls
back-to-back perimeter networks, 184
closing open ports, 224
firewall effect, NAT, 180
flood guards, 227
IPFW, 54
iptables, 54
logs, 453
network perimeter security
ACL firewall rules, 258
ALG, 259
application firewalls, 261
back-to-back firewall/DMZ configurations, 259
basic implementation diagram, 256
circuit-level gateways, 259
firewall logs, 260
multihomed connections, 262
NAT filtering, 259
packet filtering, 258
SOHO router/firewall Internet sessions, 260
SPI, 258
web application firewalls, 262
NGFW, 532
personal firewalls, 53
IPFW, 54
iptables, 54
PF, 54
SOHO router/firewall configuration, 55
Windows Firewall, 54
ZoneAlarm, 54
PF, 54
routers, 178
SOHO routers, 178
spam firewalls, 38
updates, 108
WAP, 302
ZoneAlarm, 54
first responders (incident response procedures), 629
FIT (Failure In Time), quantitative risk assessment, 402
Flash
cookies. See LSO
malicious add-ons, 138
pop-up ads, 59
flash drives, encryption, 63
Flash Player Settings Manager, disabling LSO, 137
flashing, BIOS, 60
flood attacks
UDP flood attacks, 227
Xmas attacks, 228
flood guards, 227
floods, disaster recovery, 568
Fluke, 417
folders/files
copying, 376
IT folder
advanced security settings, 459–460
permissions, 458
log file maintenance/security, 455–457
moving, 376
net file command, analytical monitoring, 446
openfiles command, analytical monitoring, 445
forensics, incident response procedures
data analysis, 631
licensing reviews, 632
network traffic, 631
screenshots, 631
system images, 630
tracking man hours/expenses, 632
video, 631
witness statements, 631
fork bombs, 229
forward proxies, 264
frequency hopping, 306
FTP (File Transfer Protocol), 225
port associations with, 219
servers
malware delivery, 26
ports and, 223
protocol analysis, 443
FTPS (FTP Secure), 225
full data backups, 563
full device encryption, mobile devices, 70
fuzz testing, 152
G
gas-engine generators, 553
Gates, Bill, 588
gateways
ALG, 259
circuit-level gateways, 259
web security gateways, 265
generators
backup generators
considerations for selecting, 554
types of, 553
battery-inverter generators, 554
fuel sources, 554
gas-powered generators, 553
permanently installed generators, 553
portable generators, 553
power output, 554
standby generators, 553
starting, 554
uptime, 554
genetic algorithms, 496
geofences, 308
GinMaster Trojan, 67
glass-box testing. See white-box testing
GLB (Gramm-Leach-Bliley) act, 617
Gnutella, firewall logs, 260
Google, name change hoax, 588
GPG (GNU Privacy Guard) and PGP, 495
GPMC (Group Policy Management Console), 133
GPS (Global Positioning Systems)
geofences, 308
mobile devices, 70
wireless network security, 308
GPT rootkits, preventing/troubleshooting, 38
grading scale, CompTIA exams, 647
grandfather-father-son backup scheme, 565
gray-box testing, 149
gray hats, 10
grayware, 23
GRC (Governance, Risk and Compliance), 617
GRE (Generic Routing Encapsulation), 342
Group Policies
GPMC, 133
Import Policy From window (Windows Server), 104
Local Group Policy Editor, 103
groups, access control, 371
guessing (password cracking method), 418
guest accounts, disabling, 286
H
hackers. See also threat actors
black hats, 9
blue hats, 10
elite hackers, 10
ethical hackers, 9
gray hats, 10
thinking like a hacker, 9
white hats, 9
Hackers, 361
hacktivists, 11
Hanoi backup scheme, Towers of, 566
happy birthday attacks, 503
hard disks
backups, 107
conserving disk space, 91
data removal
clearing, 626
destroying storage media (physical data removal), 627
purging, 626
defragmenting, 107
drive lock passwords, 61
encryption
FDE, 64
SED, 64
whole disk encryption, 108
fault tolerance, 557
maintaining, 109
restore points, 107
hardening OS, 89
applications
backward compatibility, 91
blacklisting, 92
whitelisting, 92
attack surface, reducing, 94
baselining, 105
centrally administered management systems, 92
configuration management, 102
least functionality, 90
Linux, starting/stopping services, 95–97
macOS/OS X, starting/stopping services, 96–97
messaging, 90
remote control programs, 90
Remote Desktop Connection, 90
Remote Desktop Services, 93
services
Remote Desktop Services, 93
TOS, 97
whitelisting applications, 92
Windows
Programs and Features window, 91
starting/stopping services, 95–97
Windows XP, 94
hashing
hash functions
cryptographic hash functions, 498–499
defining, 497
HMAC, 499
MD5, 498
one-way function, 498
password hashing
birthday attacks, 503
key stretching, 504
NTLMv2 hashing, 502
pass the hash attacks, 502–503
process of, 497
RIPEMD, 499
system images, incident response procedures, 630
HAVA (Help America Vote Act of 2002), 617
hazard protection systems, 596
headers
AH, IPsec, 534
manipulation, 441
heuristic analysis, 437
HIDS (Host-based Intrusion Detection Systems), 53–55
Trend Micro OSSEC, 56
Tripwire, 57
Verisys, 57
hierarchical CA organization, 528
hierarchical lists of critical systems/data, DRP, 570
high availability, RAID arrays, 63
high-energy EMP (Electromagnetic Pulses), 599
hijacking sessions, XSS, 137
HIPAA (Health Insurance Portability and Accountability Act), 616
HIPS (Host Intrusion Prevention Systems), 270
HMAC (Hash-based Message Authentication Code), 499
hoaxes, social engineering attacks, 587, 590
honeynets, 266
honeypots, 266
horizontal privilege escalation, 288
host files, DNS servers, 237, 241
hosted hypervisors, 112
HOSTS files, preventing/troubleshooting spyware, 37
hot and cold aisles (HVAC), facilities security, 597
hot sites, 561
hotfixes, OS hardening, 99–100
hover ads (DHTML), 59
HSM (Hardware Security Modules), 65–66
HTTP (Hypertext Transfer Protocol)
connections, 71
port associations with, 220
proxies. See proxy servers
response packets, header manipulation, 441
HTTPS (HTTP Secure), 71–72, 532
HVAC (Heating, Ventilation, Air Conditioning), facilities security, 597
ANT sensors, 598
shielding, 599
hybrid clouds, 194
Hyper-V, 114
I
IA (Information Assurance). See risk, assessment; risk, management
IaaS (Infrastructure as a Service), 193
ICMP flood attacks. See ping floods
IDEA (International Data Encryption Algorithm), 486
identification
authentication schemes, 321
biometric readers, 326–327, 345
cardkey systems, 324
definition, 321
FIM, 328
fingerprint readers/scanners, 326
identity proofing, 322
identity theft emails, 26
photo ID, 324
security tokens, 325
smart cards, 325
verifying. See authentication
identification phase (incident response procedures), 628
IDF (Intermediate Distribution Frame) rooms, wire closets, 294
IDPS (Intrusion Detection and Prevention Systems), 57
IDS (Intrusion Detection Systems)
false negatives, 56
false positives, 56
Trend Micro OSSEC, 56
Tripwire, 57
Verisys, 57
NIDS, 55
placement within networks, 269
promiscuous mode, 268
protocol analyzers, 271
signature-based detection, 56
statistical anomaly detection, 56
WIDS, 272
IE (Internet Explorer)
domain controller-managed policies, 131–132
Internet Explorer Maintenance Security, 130–131
security settings, 130
IF-THEN statements, genetic algorithms, 496
imaging
IMAP (Internet Message Access Protocol), port associations with, 220
immutable systems, 146
impact analysis (business), BCP, 569
impact assessment, 399
impact determination, DRP, 569
implicit deny (access control), 366
implicit deny firewall rule (ACL), 258
Import Policy From window (Windows Server), 104
in-band management, 444
inbound ports, 219
incident management, 627
incident response procedures
chain of custody (evidence collection), 629
collecting/preserving evidence, 629, 632–633
containment phase, 628
damage/loss control, 630
emergency response detail, 629
eradication phase, 628
events versus incidents, 627
forensics
data analysis, 631
licensing reviews, 632
network traffic, 631
screenshots, 631
system images, 630
tracking man hours/expenses, 632
video, 631
witness statements, 631
identification phase, 628
initial incident management process, 629
lessons learned phase, 628
need-to-know, 633
preparation phase, 628
recovery phase, 628
incremental data backups, 563–564
information security
authentication, 7
backups, 8
data removal, 8
defense in depth, 9
encryption, 8
malware, 6
security plans, 7
social engineering, 6
system failure, 6
unauthorized access, 6
user awareness, 7
infrastructure security, due diligence, 621–623
inherence factors (authentication), 322
inheritance (permissions), 374–375
initial incident management process (incident response procedures), 629
installing, 36
instant messaging
malware delivery, 26
OS hardening, 90
spim, 25
integer overflows, 154
integrity (CIA triad), 5, 146–148
interference
cabling
EMI, 290
RFI, 291
surveys, 302
internal information, classifying (data sensitivity), 615
Internet
content filtering, 265
messaging, 73
network design, 183
Internet Explorer
Internet protocol suite. See TCP/IP
IP addresses
ports and, 222
spoofing attacks, 231
IP proxies, 263
IP spoofing attacks, 179
IPFW (IP Firewall), 54
IPS (Intrusion Prevention Systems), 57
false negatives, 270
HIPS, 270
false positives, 270
protocol analyzers, 271
routers, 179
WIPS, 272
IPsec (Internet Protocol Security)
AH, 534
ESP, 535
SA, 534
transport mode, 535
tunneling mode, 535
iptables, 54
IPv4
firewall effect, 180
IronKey, 63
ISA (Interconnection Security Agreements), 624
iSCSI (Internet Small Computer Systems Interface), port associations with, 221
ISP (Internet Service Providers), redundancy planning, 559
ISSO (Information Systems Security Officers), disaster recovery planning, 570
IT folder
advanced security settings, 459–460
permissions, 458
IT security frameworks
ERP, 635
reference frameworks, 634
risk analysis, 635
vulnerability assessments, 635
ITCP (IT Contingency Planning), 569
IV attacks, 304
J - K
jailbreaking, 135. See also privilege, escalation
DRM, 288
mobile devices, 75
jamming surveys, 302
job rotation
access control, 368
separation of duties policies, 619, 622
KDC (Key Distribution Center), tickets, 334
KEK (Key Encryption Keys), 488
Kerberos, 334–336, 344, 482, 502
LDAP injections, 199
Microsoft Security Bulletins, 199
port associations with, 220
vulnerabilities, 199
keys
certificate keys, 528
cryptography
asymmetric key algorithms, 483
DEK, 488
Diffie-Hellman key exchange, 484, 491–492
KEK, 488
key stretching, 504
MEK, 488
private key cryptography, 481, 490
public key cryptography, 481–484, 490–493
QKD, 493
web of trust, 529
knowledge factors (authentication), 322
L
L2TP (Layer 2 Tunneling Protocol), 534
port associations with, 221
LAN (Local Area Networks)
bridges, 178
broadcast storms, 441
routers, 178
split tunneling, 342
VLAN, 188
MAC flooding, 189
VLAN hopping, 189
WAN versus, 182
LDAP (Lightweight Directory Access Protocol), 333–344
port associations with, 221
LEAP (Lightweight Extensible Authentication Protocol), 332
least functionality, 90
least privilege
access control, 367
principle of, 147
lessons learned phase (incident response procedures), 628
licensing
compliance violations, 632
reviewing, incident response procedures, 632
linemanls handsets. See butt sets
links (email), preventing/troubleshooting spam, 40
Linux
file permissions, 373
netstat command, analytical monitoring, 447
OS hardening, starting/stopping services, 95–97
patch management, 102
SELinux, 57
System Monitor, 440
tcpdump packet analyzer, 443
virus prevention/troubleshooting tools, 35
vulnerability scanning, 414
LM hashes. See LANMAN hashing
load-balancing clusters, 560
Local Group Policy
browser security, 129
LANMAN hashing, 501
Local Group Policy Editor, 103
localized authentication, 329
802.1X, 344
authentication procedure, 331
connection components, 331
mutual authentication, 334
Remote Desktop Services, 336–337
locking systems, vehicles and facilities security, 601
lockout programs, mobile devices, 70
logic bombs, malware delivery, 29
logins
Ctrl+Alt+Del at logon, 379
logs
application logs, 452
audit trails, 451
DFS Replication logs, 452
DNS Server logs, 452
file maintenance/security, 455–457
network traffic logs, incident response procedures, 631
non-repudiation, 450
security events, failure to see events, 450
system logs, 452
long-term power loss, disaster recovery, 568
looping switches, 177
loss/damage control (incident response procedures), 630
loss of building, disaster recovery, 568
lottery scam emails, 26
Love Bug viruses, 25
LSO (Locally Shared Objects), 137
M
MaaS (Monitoring as a Service), 194
MAC (Mandatory Access Control), 366
data labeling, 363
filtering, WAP, 302
lattice-based access control, 364
rule-based access control, 364
macOS/OS X
OS hardening, starting/stopping services, 96–97
macro viruses, 20
maintenance
hard disks, 109
Internet Explorer Maintenance Security, 130–131
malicious add-ons, 138
malicious attacks/theft, disaster recovery, 568
malicious insiders, social engineering attacks, 585, 590
malvertising, 23
malware, 6, 19. See also crimeware
adware, 23
anti-malware
software, 8
updates, 108
APT, 22
badware, 37
delivery systems
active interception, 28
attack vectors, 26
backdoors, 29
bit torrents, 27
botnets, 28
Easter eggs, 30
email, 26
exploit kits, 27
FTP servers, 26
instant messaging, 26
keyloggers, 27
logic bombs, 29
media-based delivery, 27
memory cards, 27
optical discs, 27
P2P networks, 27
privilege escalation, 29
smartphones, 27
software, 26
threat vectors, 26
time bombs, 29
typosquatting, 27
URL hijacking, 27
USB flash drives, 27
user error, 27
websites, 27
zip files, 26
zombies, 28
grayware, 23
malvertising, 23
non-malware, 24
ransomware, 22
definition of, 26
preventing/troubleshooting, 35
rootkits
definition of, 26
detecting, 24
Evil Maid Attacks, 26
preventing/troubleshooting, 38, 41
spam, 25
definition of, 26
filters, 38
firewalls, 38
identity theft emails, 26
lottery scam emails, 26
preventing/troubleshooting, 38–41
spim, 25
definition of, 26
Internet Optimizer, 26
preventing/troubleshooting, 35–37, 41
symptoms of, 36
tracking cookies, 137
Trojans
definition of, 25
GinMaster Trojan, 67
PlugX Trojans, 25
preventing/troubleshooting, 35, 41
time bombs, 29
ZeroAccess botnet, 28
unsavable computers, 40
viruses
armored viruses, 21
definition of, 25
encrypted viruses, 20
Love Bug virus, 25
macro viruses, 20
metamorphic viruses, 21
multipartite viruses, 21
polymorphic viruses, 20
preventing/troubleshooting, 31–35, 41
program viruses, 20
stealth viruses, 21
virus hoaxes, 21
worms
definition of, 25
Nimda, 21
Nimda worm, 25
preventing/troubleshooting, 35, 41
man hours/expenses, tracking (incident response procedures), 632
management controls, 404
managing
add-ons, 138
application patches, 142
change management policies, 619, 622
configurations, 102
group policies, GPMC, 133
in-band management, 444
incidents, 627
out-of-band management, 444
vulnerabilities
general vulnerabilities/basic prevention methods table, 409–410
Mandatory Security Policy. See MAC
mantraps
multifactor authentication, 589
physical security, 326
manual auditing, 448
manual monitoring, 435
many-to-one mapping (certificates), 527
mapping
certificates, 527
MBR (Master Boot Records) rootkits, preventing/troubleshooting, 38
MBSA (Microsoft Baseline Security Analyzer), 101
MD5 (Message-Digest algorithm 5), 498
MDF (Main Distribution Frame) rooms, wire closets, 294
MDM (Mobile Device Management), 75
measured boot option, BIOS, 62
media gateways, 191
media-based malware delivery, 27
MEK (Master Encryption Keys), 488
memory
ASLR, 155
CAM tables, MAC flooding, 176
integer overflows, 154
memory leaks, 154
null pointer dereferences, 154
RDBMS, stored procedures, 156–157
memory cards, malware delivery, 27
messaging (instant)
malware delivery, 26
MMS attacks, 73
OS hardening, 90
SMS attacks, 73
spim, 25
metamorphic viruses, 21
MFA (Multifactor Authentication), 327
Microsoft domains, KDC tickets, 334
Microsoft Edge, policy settings, 130
Microsoft Security Bulletins, Kerberos vulnerabilities, 199
minimizing attack surface, 94, 147
mirroring ports, 442
MITB (Man-in-the-Browser) attacks, 233–234, 240
mitigating risk, 400
MITM (Man-in-the-Middle) attacks, 28, 233, 240
mobile apps, security, 143
mobile devices, 66
access control, 75
application security, 78
application blacklisting, 73
application whitelisting, 73
geotagging, 74
key management, 72
MMS attacks, 73
server/network authentication, 72
SMS attacks, 73
transitive trust, 72
bluejacking, 69
bluesnarfing, 69
browser security, 135
carrier unlocking, 69
COPE, 74
crosstalk, 291
CYOD, 74
encryption, 67
full device encryption, 70
lockout programs, 70
MDM, 75
offboarding, 76
onboarding, 76
sanitizing, 70
screen locks, 71
sideloading, 75
social engineering attacks, 68
storage segmentation, 75
modems
war-dialing, 190
monitoring
analytical monitoring tools
Computer Management, 445
keyloggers, 447
net file command, 446
netstat command, 446
openfiles command, 445
static and dynamic analytical tools, 447
anomaly-based monitoring, 436–437
auditing and, 434
automated monitoring, 435
behavior-based monitoring, 436–437
manual monitoring, 435
performance baselining
alerts, 440
baseline reporting, 438
Performance Monitor, 439
standard loads, 438
System Monitor, 440
protocol analyzers
broadcast storms, 441
network adapters, 440
packet capturing, 440
TCP/IP handshakes, 441
session monitoring, Computer Management, 445
signature-based monitoring, 435–437
motion detectors, physical security, 323
MoU (Memorandums of Understanding), 624
moving files/folders, 376
MPLS (Multiprotocol Label Switching), 342
MS-CHAP (Microsoft-Challenge Handshake Authentication Protocol), RAS authentication, 338
Ms-sql-s, port associations with, 221
MTBF (Mean Time Between Failures), quantitative risk assessment, 401–402
MTTF (Mean Time To Failure), quantitative risk assessment, 402
MTTR (Mean Time To Repair), quantitative risk assessment, 402
multicast IPv6 addresses, 181
multidomain certificates, 523
multifactor authentication, 337, 589
multihomed connections, 262
multipartite viruses, 21
multiple user accounts, 371
mutual authentication, 334
N
NAC (Network Access Control), 185–186
NAS (Network Attached Storage), 63
NAT (Network Address Translation), 180
filtering, 259
firewall effect, 180
static NAT, 180
native hypervisors, 112
NCAS (National Cyber Awareness System), mobile device security, 67
Ncat, 414
need-to-know (incident response procedures), 633
Nessus, 414
net file command, analytical monitoring, 446
NetBIOS, port associations with, 220
NetBus, 22
netstat command, analytical monitoring, 446
network controllers, security, 199
Network layer (OSI model), 174
networks
attacks
blackholes, 230
client-side attacks, 236
command-line scripting and, 235
phishing attacks, 231
session hijacking, 232–234, 240
sinkholes, 230
spoofing attacks, 231–232, 240
wired network/device security, 289
authentication, 72
back-to-back perimeter networks, 184
bridges, 178
cellular networks, 308
cloud computing
community clouds, 194
CSP, 194
definition, 192
hybrid clouds, 194
IaaS, 193
MaaS, 194
P2P networks and, 198
PaaS, 193
private clouds, 194
public clouds, 194
SaaS, 193
SECaaS, 193
services, 197
social media and, 197
XaaS, 194
connections, redundancy planning, 558
CSU, 179
DLP systems, 59
DMZ
3-leg perimeter DMZ, 183
back-to-back perimeter networks, 184
documenting network design, 309
DSU, 179
enumerators, 414
firewalls, back-to-back perimeter networks, 184
Internet, 183
IP addresses and ports, 222
LAN
routers, 178
WAN versus, 182
NAS, 63
NAT
firewall effect, 180
private IPv4 addresses, 180
private IPv6 addresses, 181–182
public IPv4 addresses, 180
static NAT, 180
OSI model, 173
layers of, 174
TCP/IP model versus, 175
PAT, IPv4 addresses, 180
PBX equipment, 191
DLP, 267
HIPS, 270
honeynets, 266
honeypots, 266
SSID broadcasting, disabling, 262
UTM, 272
web security gateways, 265
WIDS, 272
WIPS, 272
ports
application service ports, 219
associated protocols table, 219–221
closing open ports, 224
dynamic ports, 218
FTP servers, 223
inbound ports, 219
IP addresses and, 222
outbound ports, 219
port zero security, 224
private ports, 218
protocol associations, 219–221
ranges, 218
registered ports, 218
scanning for open ports, 223
unnecessary ports, 224
well-known ports, 218
protocols and port associations
associated protocols table, 219–221
Diameter, 221
DNS, 220
FCIP, 221
HTTP, 220
IMAP, 220
iSCSI, 221
Kerberos, 220
L2TP, 221
LDAP, 221
MS-sql-s, 221
NetBIOS, 220
NNTP, 220
POP3, 220
PPTP, 221
RADIUS, 221
RDP, 221
RPC, 220
RTP, 222
SMB, 221
SMTP, 220
SNMP, 220
SNMPTRAP, 220
SSH, 219
Syslog, 221
TACACS+, 220
Telnet, 220
TFTP, 220
redundancy planning
ISP, 559
network connections, 558
switches, 559
routers
ACL, 179
Cisco routers, 178
content filtering, 179
firewalls, 178
IPS, 179
secure configurations, 178
secure VPN connectivity, 179
SAN, NAS, 64
SATCOM, 308
DLP, 267
HIPS, 270
honeynets, 266
honeypots, 266
SSID broadcasting, disabling, 262
UTM, 272
web security gateways, 265
WIDS, 272
WIPS, 272
switches, 175
aggregation switches, 177
ARP spoofing, 177
DHCP starvation attacks, 177
fail-open mode, 176
looping, 177
physical tampering, 177
STP, 177
TCP/IP model versus OSI model, 175
telephony
PBX equipment, 191
VoIP, 191
traffic, incident response procedures, 631
transitive trust, 72
VoIP, 191
VPN, WAP, 300
WAN
LAN versus, 183
routers, 178
wired network/device security, 285
default accounts, 286
network attacks, 289
remote ports, 289
Telnet, 289
wireless network security
cellular networks, 308
documenting network design, 309
geofences, 308
GPS, 308
RFID, 307
SATCOM, 308
third-party wireless adapter connections, 296
VPN, 300
wireless protocols, 298
wireless transmission vulnerabilities, 304–305
NEXT (Near End Crosstalk), 292
NFC (Near Field Communication), 306–307
NGFW (Next Generation Firewalls), 532
NIDS (Network Intrusion Detection Systems), 55
placement within networks, 269
promiscuous mode, 268
protocol analyzers, 271
NIPS (Network Intrusion Prevention Systems), 268–269
false positives, 270
protocol analyzers, 271
NIST penetration testing, 408
Nmap, 413
NMS (Network Management System), SNMP, 444
NNTP (File Transfer Protocol), port associations with, 220
non-promiscuous mode, network adapters, 440
normalization, relational databases, 157
NoSQL injections, 157
NTFS (NT File System) permissions, 372, 376
NTLMv2 hashing, 502
null pointer dereferences, 154
O
obfuscation, programming security, 148
OCSP (Online Certificate Status Protocol), 528
on-demand VPN (Virtual Private Networks), 535
one-way functions, hashes as, 498
OOV (Order of Volatility)
incident response procedures, 630–631
open mail relays, preventing/troubleshooting spam, 39
open ports
closing, 224
scanning for, 223
openfiles command, analytical monitoring, 445
operational controls, 404
optical discs, malware delivery, 27
organizational policies
data sensitivity
classifying data, 615
DHE, 616
personal security policies, 617
change management policies, 619, 622
due diligence, infrastructure security, 621–623
equipment recycling/donation policies, 625
offboarding, 620
privacy policies, 618
separation of duties/job rotation policies, 619, 622
organized crime, 11
organizing CA horizontally, 528
OS
fingerprinting, 403
hardening, 89
backward compatibility of applications, 91
baselining, 105
blacklisting applications, 92
centrally administered management systems, 92
configuration management, 102
hard disk space, conserving, 91
Linux, starting/stopping services, 95–97
macOS/OS X, starting/stopping services, 96–97
messaging, 90
reducing attack surface, 94
remote control programs, 90
Remote Desktop Connection, 90
Remote Desktop Services, 93
TOS, 97
whitelisting applications, 92
Windows, starting/stopping services, 95–97
Windows Programs and Features window, 91
Windows XP, 94
updates, 108
OS GUI, closing open ports, 224
OS X
OS hardening, starting/stopping services, 96–97
patch management, 102
OSI (Open Systems Interconnection) model, network design, 173
layers of, 174
TCP/IP model versus, 175
OSINT (Open Source Intelligence), social engineering, 584
OSSEC, 56
OSSTMM (Open Source Security Testing Methodology Manual), penetration testing, 408
out-of-band management, 444
outbound ports, 219
Outlook, securing, 143
OV (Organizational Validation) certificates, 522
OVAL (Open Vulnerability and Assessment Language), 408–409
P
P2P networks
cloud computing and, 198
malware delivery, 27
P12/PFX (P12 Personal Information Exchange) format, certificates, 524
PaaS (Platform as a Service), 193
PAC (Proxy Auto-Configuration) files, 263
packets
filtering, 258
headers
manipulating, 441
session theft, 232
HTTP response packets, header manipulation, 441
sniffers, 443
SPI, 258
PAM (Pluggable Authentication Modules), Kerberos, 336
pass the hash attacks, 502–503
passive optical splitters, fiber-optic cabling, 294
passive reconnaissance (security analysis), 403
Administrator accounts, 378
BIOS, 60
browser security, 139
clear-text passwords, 443
cloud security, 195
complexity of, 381
data exfiltration, 378
default accounts, 286
drive lock passwords, 61
guest accounts, 378
hashing
birthday attacks, 503
key stretching, 504
NTLMv2 hashing, 502
pass the hash attacks, 502–503
length of, 381
nonce, 504
programming security, 147
wired network/device security, 286–287
PAT (Port Address Translation), IPv4 addresses, 180
patches
programming security, 148
PayPal, VeriSign certificates, 525
PBX (Private Branch Exchange) equipment, network design, 191
Pcap. See packets, capturing
PDS (Protected Distribution Systems), cabling, 295
PEAP (Protected Extensible Authentication Protocol), 330–332
PEM (Privacy-enhanced Electronic Mail) format, certificates, 524
penetration tests, 149, 407–408
people, succession planning, 562
performance baselining
alerts, 440
baseline reporting, 438
Performance Monitor, 439
standard loads, 438
System Monitor, 440
peripherals (wireless), 66
permanent DoS attacks, 229
permanently installed generators, 553
permissions
ACL, 371
DACL, 372
IT folder, 458
Linux file permissions, 373
privilege creep, 374
programming security, 147
propagating, 375
SACL, 372
user access recertification, 374
persistence (penetration testing), 407
persistent cookies, 136
personal firewalls, 53
IPFW, 54
iptables, 54
PF, 54
SOHO router/firewall configuration, 55
Windows Firewall, 54
ZoneAlarm, 54
personal security policies, 617
change management policies, 619, 622
due diligence, infrastructure security, 621–623
offboarding, 620
privacy policies, 618
separation of duties/job rotation policies, 619, 622
PF (Packet Filters), 54
PFS (Perfect Forward Secrecy), 492
PGP (Pretty Good Privacy), 494–495
pharming, 237
PHI (Protected Health Information), 616–617
phishing attacks, 231, 586, 590
phone number encryption, 477–480
phone phishing. See vishing
photo ID, 324
PHP scripts, exploit kits, 27
Physical layer (OSI model), 174
physical security, 7
authentication, 321
biometric readers, 326–327, 345
CCTV, 323
door access
cardkey systems, 324
cipher locks, 324
mantraps, 326
proximity sensors, 325
security tokens, 325
smart cards, 325
fingerprint readers/scanners, 326
mantraps, 589
motion detectors, 323
server rooms, 323
user safety, 324
video surveillance, 323
piggybacking, social engineering attacks, 589–591
PII (Personally Identifiable Information), 616–617, 622
pivots (penetration testing), 407
PIV (Personal Identity Verification) cards. See smart cards
PKI (Public Key Infrastructure)
CA
certificate mapping, 527
certificate validation, 525
certificate verification with RA, 527
chain of trust, 528
CRL, 527
CSR, 525
horizontal organization, 528
key escrow, 528
key recovery agents, 528
revoking certificates, 527–528
VeriSign certificates, 72, 525
web of trust, 529
certificates
BER format, 524
CA, 525
CER format, 524
DER format, 524
dual-sided certificates, 523
DV certificates, 522
EV certificates, 522
multidomain certificates, 523
OV certificates, 522
P12/PFX format, 524
PEM format, 524
SAN field, 523
single-sided certificates, 523
validation, 525
web of trust, 529
wildcard certificates, 523
X.509 standard, 522
defining, 521
IPsec
AH, 534
ESP, 535
SA, 534
transport mode, 535
tunneling mode, 535
L2TP, 534
PPTP, 533
PlugX RAT, 22
PlugX Trojans, 25
PNAC (Port-based Network Access Control), 802.1X, 330
Poirot, Hercule, 435
policies
access control
Account Lockout Threshold Policy, 382
Default Domain Policy, 379
Account Lockout Threshold Policy, 382
Default Domain Policy, 379
equipment recycling/donation policies, 625
organizational policies
equipment recycling/donation policies, 625
personal security policies, 617–623
personal security policies, 617
change management policies, 619, 622
due diligence, infrastructure security, 621–623
offboarding, 620
privacy policies, 618
separation of duties/job rotation policies, 619, 622
privacy policies, 618
procedures versus, 613
vendor policies
ISA, 624
MoU, 624
policy implementation, applications, 140
polymorphic viruses, 20
POP3, port associations with, 220
pop-under ads, 59
pop-up blockers, 53, 57–59, 135
portable generators, 553
ports
application service ports, 219
associated protocols table, 219–221
dynamic ports, 218
external ports, disabling, 61
FTP servers, 223
inbound ports, 219
IP addresses and, 222
mirroring, 442
NAC, 186
open ports
closing, 224
scanning for, 223
unnecessary ports, 224
outbound ports, 219
PAT, IPv4 addresses, 180
PNAC, 802.1X, 330
port zero security, 224
private ports, 218
registered ports, 218
remote ports, wired network/device security, 289
RTP and port associations, 222
scanning, 413
SNMP, 444
twisted-pair networks, wiretapping, 293
well-known ports, 218
WinDump, 443
possession factors (authentication), 322
post-certification process, 655
power supplies
backup generators
considerations for selecting, 554
types of, 553
battery backups, 552
blackouts, 550
brownouts, 550
disaster recovery, 568
failures, 550
battery backups, 552
standby generators, 553
sags, 550
spikes, 550
standby generators, 553
surges, 550
PPTP (Point-to-Point Tunneling Protocol), 533
port associations with, 221
practice exams, 649
pre-action sprinkler systems, 596
Premiere Pro, 91
preparation phase (incident response procedures), 628
preparing for exams
exam preparation checklist, 647–650
grading scale, 647
post-certification process, 655
Presentation layer (OSI model), 174
preserving evidence (incident response procedures), 629, 632–633
pretexting, social engineering attacks, 584, 590
preventing/troubleshooting
ransomware, 35
viruses, 41
encryption, 33
Linux-based tools, 35
Windows Firewall, 31
Windows Update, 31
preventive controls, 404
principle of defense in depth, 147
principle of least privilege, 147
privacy policies, 618
private clouds, 194
private information, classifying (data sensitivity), 615
private IPv4 addresses, 180
private key cryptography, 481, 490
private ports, 218
privilege
creep, 374
de-escalation, 288
escalation. See also jailbreaking
horizontal privilege escalation, 288
malware delivery, 29
SOHO routers, 288
vertical privilege escalation, 288
wired network/device security, 287–288
principle of least privilege, 147
PRNG (Pseudorandom Number Generator), 495
Pro Tools, 91
procedures
incident response procedures, 627
chain of custody (evidence collection), 629
collecting/preserving evidence, 629, 632–633
containment phase, 628
damage/loss control, 630
emergency response detail, 629
eradication phase, 628
events versus incidents, 627
identification phase, 628
initial incident management process, 629
lessons learned phase, 628
need-to-know, 633
preparation phase, 628
recovery phase, 628
witness statements, 631
policies versus, 613
process VM (Virtual Machines), 111
program viruses, 20
programming
ASLR, 155
authenticity, 148
CIA triad, 146
cloud security, 196
code checking, 148
code signing, 148
error-handling, 148
integrity, 148
minimizing attack surface area, 147
obfuscation, 148
passwords, 147
patches, 148
permissions, 147
principle of least privilege, 147
quality assurance policies, 147
SDLC
agile model, 146
V-shaped model, 145
waterfall model, 145
secure code review, 146
secure coding concepts, definition of, 144
testing methods
black-box testing, 149
compile-time errors, 150
dynamic code analysis, 152
fuzz testing, 152
gray-box testing, 149
penetration tests, 149
runtime errors, 150
sandboxes, 149
SEH, 150
stress testing, 149
white-box testing, 149
threat modeling, 147
trusting user input, 147
vulnerabilities/attacks
arbitrary code execution, 155
backdoor attacks, 22, 29, 153, 159
DLL injections, 158
integer overflows, 154
LDAP injections, 157
memory leaks, 154
NoSQL injections, 157
null pointer dereferences, 154
SQL injections, 156
XML injections, 157
Programs and Features window (Windows), OS hardening, 91
promiscuous mode
network adapters, 440
NIDS, 268
propagating permissions, 375
proprietary information, classifying (data sensitivity), 615
protocol analyzers, 415
broadcast storms, 441
network adapters, 440
NIDS, 271
packet capturing, 440
TCP/IP handshakes, 441
protocols, port associations with
associated protocols table, 219–221
Diameter, 221
DNS, 220
FCIP, 221
HTTP, 220
IMAP, 220
iSCSI, 221
Kerberos, 220
L2TP, 221
LDAP, 221
MS-sql-s, 221
NetBIOS, 220
NNTP, 220
POP3, 220
PPTP, 221
RADIUS, 221
RDP, 221
RPC, 220
RTP, 222
SMB, 221
SMTP, 220
SNMP, 220
SNMPTRAP, 220
SSH, 219
Syslog, 221
TACACS+, 220
Telnet, 220
TFTP, 220
proximity sensors, physical security, 325
application proxies, 264
forward proxies, 264
HTTP proxies, 263
Internet content filtering, 265
IP proxies, 263
PAC files, 263
reverse proxies, 264
transparent proxies, 265
pseudocodes. See error-handling
PSK (Pre-Shared Keys), WAP, 298
public clouds, 194
public information, classifying (data sensitivity), 615
public IPv4 addresses, 180
public key cryptography, 481–483
certificates, 484
digital signatures, 484
ECDHE, 492
RSA, 490
public networks, split tunneling, 342
punch blocks, wiretapping, 293
purging (data removal), 626
Q - R
QKD (Quantum Key Distribution), 493
qualitative risk assessment, 399, 402
quality assurance policies, 147
quantitative risk assessment, 400–402
quantum cryptography, 493
questions (end-of-chapter), exam preparation, 648
RA (Registration Authority), certificate verification, 527
race condition exploits, 408
RADIUS (Remote Authentication Dial-In User Service)
port associations with, 221
RAID (Redundant Array of Independent Disks)
high availability, 63
RAID 0, 555
RAID 0+1, 556
RAID 10, 556
ransomware, 22
definition of, 26
preventing/troubleshooting, 35
RAS (Remote Access Service), 337, 340, 344
MS-CHAP, 338
RAT (Remote Access Trojans), 22, 29, 202–203
RBAC (Role-Based Access Control), 364–366
RC (Rivest Cipher)
RC5, 489
RC6, 489
RCE (Remote Code Execution), 155, 159
RDBMS (Relatable Database Management System, 156–157
RDP (Remote Desktop Protocol), port associations with, 221
record time offset, 631
recovering certificate keys, 528
recovery phase (incident response procedures), 628
recycling/donating equipment policies, 625
Red Book, 362
Red Hat Enterprise, Kerberos and PAM, 336
Red October, 24
reduced sign-ons, 328
reducing risk, 398
redundancy planning
employees, 562
fail-closed, 549
fail-open, 549
failover redundancy, 548
networks
ISP, 559
network connections, 558
switches, 559
battery backups, 552
standby generators, 553
single points of failure, 547–548
succession planning, 562
websites, 561
reference frameworks (IT security), 634
registered ports, 218
registering for exams, 650
relational databases
normalization, 157
remanence (data), 8
remote authentication
MS-CHAP, 338
VPN
always-on VPN, 342
GRE, 342
illustration of, 340
RRAS, 341
split tunneling, 342
VPN concentrators, 342
remote control programs, OS hardening, 90
Remote Desktop Connection, OS hardening, 90
Remote Desktop Services, 93, 336–337
remote ports, wired network/device security, 289
removable media controls, 63
removable storage/media, 62–63
removing
data, 8
clearing, 626
destroying storage media (physical data removal), 627
purging, 626
unnecessary applications/services, 90–91
residual risk, 398
restore points, hard disks, 107
reverse proxies, 264
revoking certificates
CRL, 527
OCSP, 528
RFI (Radio Frequency Interference), cabling, 291
RFID (Radio-Frequency Identification), 307
RIPEMD (RACE Integrity Primitives Evaluation Message Digest), 499
risk
analysis, IT security frameworks, 635
assessment
impact assessment, 399
qualitative risk assessment, 399, 402
qualitative risk mitigation, 400
quantitative risk assessment, 400–402
residual risk, 398
risk acceptance, 398
risk avoidance, 398
risk reduction, 398
risk registers, 399
risk transference, 398
vulnerability assessment, 396, 406, 410–420
vulnerability management, 405–410
GRC, 617
Rivest, Ron
MD5, 498
RSA, 490
RJ11 jacks, wiretapping, 293
RJ45 jacks, wiretapping, 293
RJ45 wall plates, wiretapping, 293
rogue AP (Access Points), 296
Ron’s Code. See RC
room security. See physical security
root of trust, 62
rootkits
definition of, 26
detecting, 24
Evil Maid Attacks, 26
preventing/troubleshooting, 38, 41
routers
ACL, 179
Cisco routers, 178
content filtering, 179
firewalls, 178
IPS, 179
secure configurations, 178
secure VPN connectivity, 179
SOHO firewall configuration, 55
SOHO routers
configuring, 55
default accounts, 286
firewalls, 178
firewalls and, 260
privilege escalation, 288
secure VPN connectivity, 179
WIC, 179
RPC (Remote Procedure Calls), port associations with, 220
RPO (Recovery Point Objective), BCP, 569
RRAS (Routing and Remote Access Service), VPN connections, 341
RSA (Rivest, Shamir, and Adleman), 490
RSA tokens. See security, tokens
RTBH (Remotely Triggered Blackholes), 230
RTO (Recovery Time Objective), BCP, 569
RTP (Real-time Transport Protocol) and ports, 222
runtime errors, 150
S
S/MIME (Secure/Multipurpose Internet Mail Extensions), 530–531
SA (Secure Associations), IPsec, 534
SaaS (Software as a Service), 193
SACL (System Access Control Lists), 372
Safe Mode
antivirus software, 34
spyware, preventing/troubleshooting, 37
sags (power supplies), 550
salting, cryptanalysis attacks, 419
SAN (Storage Area Networks), NAS, 64
SAN (Subject Alternative Name) field, certificates, 523
sandboxes, definition of, 149
sanitizing mobile devices (data removal), 70, 626
SATCOM (Satellite Communications), wireless network security, 308
SB 1386, 617
SCADA (Supervisory Control and Data Acquisition), HVAC (facilities security), 598, 600
scanning
ports, 413
SCCM (System Center Configuration Manager), 102
scheduling incremental data backups, 563–564
Schneier, Bruce, 489
SCP (Secure Copy), 226
screen locks, mobile devices, 71
screenshots, incident response procedures, 631
script kiddies, 11
SCRM (Supply Chain Risk Management), 399
SDLC (Software Development Life Cycle)
agile model, 146
V-shaped model, 145
waterfall model, 145
SECaaS (Security as a Service), 193
secret information, classifying (data sensitivity), 615
secure boot option, BIOS, 61
secure code review, 146
secure coding concepts, definition of, 144
secure VPN connectivity, routers, 179
security
analysis, 402
active reconnaissance, 403
passive reconnaissance, 403
controls
compensating controls, 405
corrective controls, 405
detective controls, 405
management controls, 404
operational controls, 404
preventive controls, 404
technical controls, 404
events
audit trails, 451
failure to see events in security logs, 450
SIEM, 460
logs
application logs, 452
audit trails, 451
DFS Replication logs, 452
DNS Server logs, 452
file maintenance/security, 455–457
firewall logs, 453
non-repudiation, 450
security events, failure to see events, 450
system logs, 452
plans, 7
postures, baseline reporting, 438
protocols, 529
L2TP, 534
PPTP, 533
templates, OS hardening, 103–104
tokens, 325
updates, 98
security zones, browsers, 135
SED (Self-Encrypting Drives), 64
segregation of duties, 405
SEH (Structured Exception Handling), 150
SELinux, 57
sensitive data
classifying, 615
data handling (DHE), 616
exposure of, 151
separation of duties
access control, 368
job rotation policies, 619, 622
server clusters, 561
failover clusters, 560
load-balancing clusters, 560
server rooms
physical security, 323
mantraps, 589
servers
Apache servers
CVE listings, 201
Darkleech, 201
authentication, 72
authentication servers (802.1X), 331
back office applications, securing, 143
banner grabbing, 414
DNS servers
pharming, 237
unauthorized zone transfers, 237, 241
email servers, security, 199–200
file servers, security, 198–199
FTP servers
ports and, 223
protocol analysis, 443
key management, 72
network controllers, security, 199
proxy servers
application proxies, 264
forward proxies, 264
HTTP proxies, 263
Internet content filtering, 265
IP proxies, 263
PAC files, 263
reverse proxies, 264
transparent proxies, 265
redundancy planning, clusters, 560–561
security
network controllers, 199
standard loads, 438
web servers, security, 200–202
Windows Server, network shares, 457
service packs, updates, 98
services
backward compatibility, 91
cloud computing, 197
consolidating, 144
Remote Desktop Services, 93
Session layer (OSI model), 174
sessions
hijacking
blind hijacking, 233
clickjacking, 233
watering hole attacks, 234, 240
XSS, 137
monitoring, Computer Management, 445
theft of, 28
SFTP (Secure FTP), 225
SHA (Secure Hash Algorithm), 498–499
sharing risk, 398
shielding, facilities security, 598
Faraday cages, 599
HVAC shielding, 599
STP cabling, 599
shoulder surfing, social engineering attacks, 588–590
SHTTP (Secure Hypertext Transfer Protocol Secure), 532
sideloading mobile devices, 75
SIEM (Security Information and Event Management), 460
signal emanation. See data emanation
signal jammers (wireless), 302
signatures
IDS signature-based detection, 56
public key cryptography, 484
signature-based monitoring, 435–437
simulations/videos, exam preparation, 648
single points of failure, redundancy planning, 547–548
single-sided certificates, 523
sinkholes, 230
SLA (Service-Level Agreements), 623–624
SLE (Single Loss Expectancy), quantitative risk assessment, 400–401
smart cards, physical security, 325
smartphones, 66
access control, 75
application security, 78
application blacklisting, 73
application whitelisting, 73
geotagging, 74
key management, 72
MMS attacks, 73
server/network authentication, 72
SMS attacks, 73
transitive trust, 72
bluejacking, 69
bluesnarfing, 69
browser security, 135
carrier unlocking, 69
COPE, 74
CYOD, 74
encryption, 67
full device encryption, 70
lockout programs, 70
MDM, 75
offboarding, 76
onboarding, 76
sanitizing, 70
screen locks, 71
sideloading, 75
social engineering attacks, 68
storage segmentation, 75
SMB (Server Message Blocks), port associations with, 221
SMS attacks, 73
SMTP (Simple Mail Transfer Protocol)
port associations with, 220
preventing/troubleshooting spam
open relays, 39
servers, 39
snapshots
backups, 566
VM disk files, 114
SNMP (Simple Network Management Protocol), 220, 443–445
SNMPTRAP, port associations with, 220
social engineering attacks, 6
CA and, 527
confidence tricks (cons), 588
defining, 584
mobile devices, 68
OSINT, 584
techniques/principles, 584
war-dialing, 587
watering hole attacks, 589–591
social media, cloud computing and, 197
software
antivirus software
Safe Mode, 34
Trojan prevention/troubleshooting, 35
virus prevention/troubleshooting, 31, 34
worm prevention/troubleshooting, 35
badware, 37
crimeware, 27
firewalls, 53
IPFW, 54
iptables, 54
PF, 54
SOHO router/firewall configuration, 55
Windows Firewall, 54
ZoneAlarm, 54
adware, 23
APT, 22
attack vectors, 26
badware, 37
exploit kits, 27
grayware, 23
keyloggers, 27
malvertising, 23
non-malware, 24
spim, 25
threat vectors, 26
Trojans, 22, 25, 29, 35, 41, 67
unsavable computers, 40
URL hijacking, 27
websites, 27
ransomware, worms, 26
SLDC
agile model, 146
V-shaped model, 145
waterfall model, 145
spyware, worms, 26
use case analysis, 634
SOHO (Small Office/Home Office) routers
configuring, 55
default accounts, 286
privilege escalation, 288
secure VPN connectivity, 179
Solitaire, Easter Eggs, 30
SOX (Sarbanes-Oxley) act, 616–617
SPA (Security Posture Assessments), baseline reporting, 438
spam, 25
definition of, 26
filters, 38
firewalls, 38
honeypots, 266
identity theft emails, 26
lottery scam emails, 26
preventing/troubleshooting, 38–41
SPAN. See ports, mirroring
special hazard protection systems, 596
spectral analyzers, data emanations, 294
SPI (Stateful Packet Inspection), 258
spikes (power supplies), 550, 599
spim, 25
split tunneling, 342
spoofing attacks, 231–232, 240
ARP spoofing, 177
IP spoofing attacks, 179
spoofed MAC addresses, 305
stateless packet filters, 259
switch spoofing, 189
sprinkler systems
pre-action sprinkler systems, 596
wet pipe sprinkler systems, 595
definition of, 26
Internet Optimizer, 26
preventing/troubleshooting, 35–37, 41
symptoms of, 36
tracking cookies, 137
SQL injections, 156
SSH (Secure Shell), 219, 532–533
SSID (Service Set Identifiers)
broadcasting, disabling, 262
WAP, 296
SSL pinning. See digital certificates, pinning
SSL/TLS (Secure Sockets Layer/Transport Layer Security), 531–532
standard loads, servers, 438
standby generators, 553
statements (witness), incident response procedures, 631
static and dynamic analytical monitoring tools, 447
static NAT (Network Address Translation), 180
statistical anomaly detection (IDS), 56
stealth viruses, 21
steganography, defining, 485
storage, 62
destroying storage media (data removal), 627
DLP systems, 59
flash drives, 63
mobile devices, storage segmentation, 75
removable storage/media, 62–63
USB devices, 63
stored procedures, 157
STP (Shielded Twisted-Pair) cabling, 292, 599
STP (Spanning Tree Protocol) switches, 177
stream ciphers, 482
stress testing, 149
stylometry and genetic algorithms, 496
SubSeven, 22
succession planning, 562
supplicants (802.1X), 331
surge protectors, 108
surges (power supplies), 550
surveys
interference, 302
jamming, 302
wireless site surveys, 302
switches, 175
aggregation switches, 177
ARP spoofing, 177
DHCP starvation attacks, 177
fail-open mode, 176
looping, 177
physical tampering, 177
redundancy planning, 559
STP, 177
switch spoofing, 189
symmetric algorithms, 481
3DES, 486
block ciphers, 482
Blowfish, 489
DEA, 486
IDEA, 486
stream ciphers, 482
Threefish, 489
Twofish, 489
SYN packets, TCP/IP hijacking, 232
system failure, 6
system files, OS hardening, 107
system logs, 452
System Monitor, 440
system security, auditing, 457–460
system VM (Virtual Machines), 111
T
tables (rainbow), 498
tablets, 66
access control, 75
application security, 78
application blacklisting, 73
application whitelisting, 73
geotagging, 74
key management, 72
MMS attacks, 73
server/network authentication, 72
SMS attacks, 73
transitive trust, 72
bluejacking, 69
bluesnarfing, 69
browser security, 135
COPE, 74
CYOD, 74
encryption, 67
full device encryption, 70
lockout programs, 70
MDM, 75
offboarding, 76
onboarding, 76
sanitizing, 70
screen locks, 71
sideloading, 75
social engineering attacks, 68
storage segmentation, 75
TACACS+ (Terminal Access Controller Access-Control System Plus), 220, 343–345
tailgating, social engineering attacks, 589–591
TCP (Transmission Control Protocol)
reset attacks, 225
TCP/IP (Transmission Control Protocol/Internet Protocol)
fingerprinting, 403
handshakes, 441
network design, OSI model versus TCP/IP model, 175
tcpdump packet analyzer, 443
TCSEC (Trusted Computer System Evaluation Criteria), 361
technical controls, 404
technical security plans, 7
telephony
VoIP, 191
Telnet, 415
port associations with, 220
remote network access, 289
TEMPEST (Transient ElectroMagnetic Pulse Emanations Standard), 293, 599–600
templates (security), OS hardening, 103–104
temporary files
OS hardening, 106
securing, 138
testing
testing programs
black-box testing, 149
compile-time errors, 150
dynamic code analysis, 152
fuzz testing, 152
gray-box testing, 149
penetration tests, 149
runtime errors, 150
sandboxes, 149
SEH, 150
stress testing, 149
white-box testing, 149
TFTP (Trivial File Transfer Protocol), port associations with, 220
theft
disaster recovery, 568
diversion theft, social engineering attacks, 586, 590
threat actors. See also hackers
APT, 11
cyber-criminals, 11
hactivists, 11
organized crime, 11
script kiddies, 11
threat modeling, 147
threat vectors, malware delivery, 26
Threefish, 489
tickets (KDC), 334
time bombs, malware delivery, 29
time-of-day restrictions, user accounts, 370
TKIP (Temporal Key Integrity Protocol), 298
TOC (Time-of-Check) attacks, 408
top secret information, classifying (data sensitivity), 615
torrents (bit), malware delivery, 27
TOS (Trusted Operating Systems), 97
TOU (Time-of-Use) attacks, 408
Towers of Hanoi backup scheme, 566
tracking cookies, 137
training
awareness training, 7, 621–622
transferring risk, 398
transitive trust, 72
transmitting malware
active interception, 28
attack vectors, 26
backdoors, 29
bit torrents, 27
botnets, 28
Easter eggs, 30
email, 26
exploit kits, 27
FTP servers, 26
instant messaging, 26
keyloggers, 27
logic bombs, 29
media-based delivery, 27
memory cards, 27
optical disks, 27
P2P networks, 27
privilege escalation, 29
smartphones, 27
software, 26
threat vectors, 26
time bombs, 29
typosquatting, 27
URL hijacking, 27
USB flash drives, 27
user error, 27
websites, 27
zip files, 26
zombies, 28
transparent proxies, 265
transparent testing. See white-box testing
Transport layer (OSI model), 174
transport mode, IPsec, 535
Trend Micro OSSEC, 56
Triple DES (Data Encryption Standard). See 3DES
Tripwire, 57
Trojans
definition of, 25
GinMaster Trojan, 67
PlugX Trojans, 25
preventing/troubleshooting, 35, 41
time bombs, 29
ZeroAccess botnet, 28
troubleshooting
ransomware, 35
viruses, 41
encryption, 33
Linux-based tools, 35
Windows Firewall, 31
Windows Update, 31
trust
chain of (certificates), 523, 528
web of, 529
Trusted Network Interpretation standard, 362
trusting user input, 147
Trustworthy Computing principle, 30
tunneling mode, IPsec, 535
tunneling protocols
L2TP, 534
PPTP, 533
twisted-pair cabling, 290
wiretapping, 293
Twofish, 489
typosquatting, 27
Tzu, Sun, 2
U
UAC (User Account Control), 140, 383–384
UAV (Unmanned Aerial Vehicles), facilities security, 601
UDP (User Datagram Protocol)
flood attacks, 227
UEFI (Unified Extensible Firmware Interface), updates, 108
UEFI/BIOS, malware and unsavable computers, 40
unauthorized access, 6
unauthorized zone transfers, DNS servers, 237, 241
unicast IPv6 addresses, 181
uninstalling. See also installing
Unix
tcpdump packet analyzer, 443
vulnerability scanning, 414
unnecessary applications/services, removing, 90–91
unsavable computers, malware, 40
updates
BIOS, 108
critical updates, 98
driver updates, 99
firewalls, 108
security updates, 98
service packs, 98
UEFI, 108
virtualization, 115
Windows Update
preventing/troubleshooting viruses, 31
UPS (Uninterruptible Power Supplies), 108, 551–552
uptime (generators), 554
URI (Uniform Resource Identifiers), spoofing attacks, 231
URL (Uniform Resource Locators)
hijacking, 27
spoofing attacks, 231
US-CERT (U.S. Computer Emergency Readiness Team), mobile device security, 67
USB devices
encryption, 63
flash drives, malware delivery, 27
use case analysis, 634
users
access control
Account Expiration dates, 370
ADUC, 369
group access control, 371
multiple user accounts, 371
time-of-day restrictions, 370
access recertification, 374
Account Expiration dates, 370
ADUC, 369
applications, trusting user input, 147
authentication, 7
awareness training, 7, 621–622
clean desk policy, 592
first responders (incident response procedures), 629
groups, access control, 371
malware delivery, 27
multiple user accounts, 371
offboarding, 620
personal security policies, 617
change management policies, 619, 622
due diligence, infrastructure security, 621–623
offboarding, 620
privacy policies, 618
separation of duties/job rotation policies, 619, 622
privilege creep, 374
safety, 324
time-of-day restrictions, 370
verifying identification. See authentication
vetting, 592
UTM (Unified Threat Management), 272
UTP (Unshielded Twisted-Pair) cabling, 292
V
V-shaped model (SDLC), 145
V2 cards, SIM cloning, 69
vacations (mandatory), 620–622
validation
CA, 525
certificates, 525
DV certificates, 522
EV certificates, 522
identity validation, 322
OV certificates, 522
vehicles, facilities security
CAN, 600
drones, 601
locking systems, 601
UAV, 601
Wi-Fi, 601
vendor policies
ISA, 624
MoU, 624
verifying
attestation, BIOS, 62
certificates with RA, 527
user identity. See authentication
VeriSign certificates, 72, 525
Verisys, 57
Vernam ciphers. See one-time pads
vertical privilege escalation, 288
vetting employees, 592
video
exam preparation, 648
incident response procedures, 631
record time offset, 631
video surveillance, physical security, 323
virtualization. See also VM (Virtual Machines)
application containerization, 112
definition of, 109
emulators, 111
hardware, disabling, 115
Hyper-V, 114
network security, 115
updates, 115
virtual appliances, 111
virtual escape protection, 115
virtualization sprawl, 114
viruses
armored viruses, 21
definition of, 25
encrypted viruses, 20
Love Bug virus, 25
macro viruses, 20
metamorphic viruses, 21
multipartite viruses, 21
polymorphic viruses, 20
preventing/troubleshooting, 41
encryption, 33
Linux-based tools, 35
Windows Firewall, 31
Windows Update, 31
program viruses, 20
stealth viruses, 21
virus hoaxes, 21
VLAN (Virtual Local Area Networks), 188
MAC flooding, 189
VLAN hopping, 189
VM (Virtual Machines), 110, 570
disk files, 114
monitoring, 115
preventing/troubleshooting spyware, 36
process VM, 111
security, 115
system VM, 111
virtualization sprawl, 114
virtual machine escape, 113
VMM (Virtual Machine Manager). See hypervisors
voice recognition software, 327
VoIP (Voice over Internet Protocol), network design, 191
VPN (Virtual Private Networks)
always-on VPN, 342
GRE, 342
illustration of, 340
on-demand VPN, 535
RRAS, 341
secure VPN connectivity, routers, 179
split tunneling, 342
VPN concentrators, 342
WAP, 300
vulnerabilities
definition of vulnerabilities, 396
IT security frameworks, 635
vulnerability scanning, 412–414
browsers, 128
definition, 396
managing
general vulnerabilities/basic prevention methods table, 409–410
programming vulnerabilities/attacks
arbitrary code execution, 155
backdoor attacks, 22, 29, 153, 159
DLL injections, 158
integer overflows, 154
LDAP injections, 157
memory leaks, 154
NoSQL injections, 157
null pointer dereferences, 154
SQL injections, 156
XML injections, 157
W
WAN (Wide Area Networks)
LAN versus, 183
routers, 178
WAP (Wireless Access Points)
administration interface, 295–296
AP isolation, 303
evil twins, 297
firewalls, 302
MAC filtering, 302
placement of, 300
PSK, 298
rogue AP, 296
SSID, 296
VPN, 300
wireless network security, 295–305
wireless point-to-multipoint layouts, 301
WLAN controllers, 303
WPS, 299
war-chalking, 304
war-driving, 304
warm sites, 561
waterfall model (SDLC), 145
watering hole attacks, 234, 240, 589–591
web application firewalls, 262
web-based SSO (Single Sign-On), 329
web browsers
automatically updating, 128
company requirements, 128
functionality, 129
HTTP connections, 71
OS, determining, 128
PAC files, 263
preventing/troubleshooting spyware, 35
security
ad-blocking, 135
advanced security settings, 138–139
LSO, 137
mobile devices, 135
passwords, 139
policy implementation, 129–131
pop-up blocking, 135
security zones, 135
temporary files, 138
updates, 135
user training, 133
vulnerabilities/fixes, 128
web of trust, defining, 529
web proxies. See proxy servers
web resources, exam preparation, 649
web security gateways, 265
web servers
exploit kits, 27
web shells, FTP servers, 202–203
websites
cold sites, 561
exam preparation, 649
hot sites, 561
HTTP connections, 71
malware delivery, 27
redundancy planning, 561
typosquatting, 27
URL hijacking, 27
warm sites, 561
WEP (Wired Equivalent Privacy) protocol, 298
wet pipe sprinkler systems, 595
white-box testing, 149
white hats, 9
whitelists
OS hardening, 92
preventing/troubleshooting spam, 40
services, 92
whole disk encryption, 108
WIC (WAN Interface Cards), 179
WiDi (Wi-Fi Direct), 66
WIDS (Wireless Intrusion Detection Systems), 272
Wi-Fi, 77
bluejacking, 69
bluesnarfing, 69
disassociation attacks, 305
facilities security, 601
vehicle security, 601
vulnerabilities, 70
wildcard certificates, 523
Windows
analytical monitoring
net file command, 446
netstat command, 446
openfiles command, 445
Computer Management, 445
Group Policies, accessing, 103–104
hotfixes, 100
OS hardening, starting/stopping services, 95–97
Performance Monitor, 445
Windows 7, Internet Explorer Maintenance Security, 131
Windows 10
Internet Explorer Maintenance Security, 130–131
Local Group Policy, browser security, 129
Windows BitLocker, 63
Windows Defender, preventing/troubleshooting spyware, 35
Windows Programs and Features window, OS hardening, 91
Windows Server
domain controller-managed IE policies, 131–132
Import Policy From window, 104
network shares, 457
security templates, 104
Windows XP
OS hardening, 94
Solitaire, Easter eggs, 30
WinDump, 443
WinPcap
WinDump, 443
Wireshark installation, 441
WIPS (Wireless Intrusion Prevention Systems), 272
wired network/device security, 285
cabling
PDS, 295
wire closets, 294
default accounts, 286
network attacks, 289
remote ports, 289
Telnet, 289
wireless networks, 77
Bluetooth, 306
AP, 306
frequency hopping, 306
cellular networks, 308
documenting network design, 309
facilities security, 601
geofences, 308
GPS, 308
RFID, 307
SATCOM, 308
third-party wireless adapter connections, 296
vehicle security, 601
vulnerabilities, 70
WAP
administration interface, 295–296
AP isolation, 303
evil twins, 297
firewalls, 302
MAC filtering, 302
placement of, 300
PSK, 298
rogue AP, 296
SSID, 296
VPN, 300
wireless point-to-multipoint layouts, 301
wireless site surveys, 302
WLAN controllers, 303
WPS, 299
wireless protocols, 298
wireless transmission vulnerabilities
brute-force attacks, 305
IV attacks, 304
spoofed MAC addresses, 305
war-chalking, 304
war-driving, 304
Wi-Fi disassociation attacks, 305
wireless peripherals, 66
wireless signal jammers, 302
wireless site surveys, 302
wiring closets, 294
witness statements, incident response procedures, 631
WLAN (Wireless Local Area Networks)
AP, 306
bridges, 178
WLAN controllers, WAP, 303
Word (MS), securing, 143
worms
definition of, 25
Nimda, 21
Nimda worm, 25
preventing/troubleshooting, 35, 41
WPA (Wi-Fi Protected Access) protocol, 298
WPA2 (Wi-Fi Protected Access version 2) protocol, 298
WPS (Wi-Fi Protected Setup), WAP, 299
wraps, integer overflows, 154
WTLS (Wireless Transport Layer Security) protocol, 298–299
WWN (World Wide Names), spoofing attacks, 232
X - Y - Z
X.509 standard, certificates and, 522
XaaS (Anything as a Service), 194
Xmas attacks, 228
XML injections, 157
XSRF (Cross-Site Request Forgery), 156, 159
XSS (Cross-Site Scripting), 137, 156, 159, 234
ZeroAccess botnet, 28
Zimmerman, Philip, 495
zip files, malware delivery, 26
zombies, malware delivery, 28
ZoneAlarm, 54