INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

3DES (Triple DES), 95, 97

“5 nines” of availability, 524

802.1X standard, 268, 287, 361, 363, 364

802.11b standard, 360

802.11i standard, 361

A

AAA (authentication, authorization, and accounting), 163

acceptable use policy, 44, 446–447

access control

applications, 206

DAC, 151–152

groups, 151, 152

least privilege, 32, 148, 321

MAC, 151

management interfaces, 206

password policies, 45

policies, 45, 147, 148

RBAC, 152

remote. See remote access

user access reviews, 178

access control lists (ACLs), 151, 267

access control models, 151–153

access lists, 397

access logs, 296

access points (APs), 349–350

access rights, 28–29

accountability, 29

accounting function, 163–164

accounts. See user accounts

ACK flag, 276

ACLs (access control lists), 151, 267

Active Directory (AD), 161

active security tools, 486

AD (Active Directory), 161

Address Resolution Protocol. See ARP

Adleman, Leonard, 98

administration principles, 265–270

administrative controls, 30, 387, 388

administrators

alternate administrators, 521

continuous monitoring and, 297–300

experience, 4

managing users by group, 171–172

mobile device management, 441

reviewing logs, 295

reviewing reports, 300

rogue, 191

role-based training, 466

separation of duties, 33, 148

skills, 5

whitelisting/blacklisting software, 212

administrators group, 171, 178

Advanced Encryption Standard (AES), 96, 97, 109, 354, 362

adware, 189–190

AES (Advanced Encryption Standard), 96, 97, 109, 354, 362

AH (Authentication Header) protocol, 225

AIC triad, 26–28

Aircrack-ng tool, 353

alarm systems, 395, 399, 400, 401

alarms/alerts, 299

ALE (annualized loss expectancy), 68

alerts, 299

algorithms. See cryptographic algorithms

allow actions, 266

alternative sites, 535–537

Android game console, 245–246

Android OS, 243–244

annualized loss expectancy (ALE), 68

annualized rate of occurrence (ARO), 67–68

antennas, wireless, 366–371

anti-malware software, 192, 210–211, 247

antivirus software. See also viruses

boot-sector viruses, 188

considerations, 31

mobile devices, 444

rootkit detection, 190

updates, 54

Apple devices, 244–245

application control, 437

application firewalls, 249, 250

application protocols, 327–334

application security, 303–346

application hardening, 319–326

application threats, 305–309

application-aware devices, 321–322

arbitrary code execution, 309

buffer overflow attacks, 308

client-side vs. server-side validation, 322–323

command injection attacks, 306

controls/techniques, 319–322

directory traversal attacks, 308

fuzzing, 322

injection attacks, 305–307

integer overflow condition, 308

LDAP injection attacks, 307

malicious add-ons, 308–309

mobile devices, 437–438

NoSQL vs. SQL databases, 322

preventing attacks, 322–324

remote code execution, 309

secure coding concepts, 319–320

SQL injection attacks, 306–307

vulnerabilities, 305

web application attacks, 307–309

XML injection attacks, 307

XSRF attacks, 323–324

XSS attacks, 313–314, 323

zero-day attacks, 309, 473

application-aware devices, 321–322

applications

baseline configuration, 320–321

blacklisting, 212

hardening, 319–326

P2P, 471–472

patches, 321

privileges, 321

protecting, 206

restricting access to, 206

security. See application security

web. See web applications

whitelisting, 212, 438

APs (access points), 349–350

arbitrary code execution, 309

archive bits, 533

armored viruses, 192–193

ARO (annualized rate of occurrence), 67–68

ARP (Address Resolution Protocol), 196

ARP cache, 196, 274

ARP poisoning, 196, 274

AS (Authentication Service), 162

assessment exam, 15–21

asset tracking, 433–434

asset valuation, 66–67

assets

acceptable use of, 44

described, 52

exposure factor, 67

importance of, 52

intangible, 52

replacement cost, 66, 67, 71

risks associated with, 52

value of, 66–67

asymmetric algorithms, 97–100, 109, 118

asymmetric cryptography, 88–89, 118

attacks, 193–201. See also threats; vulnerabilities

ARP poisoning, 196

Bluetooth, 355

botnet, 276–277

brute-force, 198

buffer overflow, 308

client-side, 196

command injection, 306

considerations, 187

cookie-based, 314–315

DDoS, 276–278

deauthentication, 352–353, 372

dictionary, 198–199

directory traversal, 308

DNS poisoning, 195

DoS, 276

dumpster diving, 455–456

evil twin, 349–350

host. See host attacks

hybrid, 199

ICMP, 226

injection, 305–307

LDAP injection, 307

malware. See malware

MITM, 274–275

on network. See network attacks

password, 196–200

pharming, 195, 457

phishing, 193, 194, 457, 472

POODLE, 329–330

preventing, 322–324

privilege escalation, 194–195

rainbow, 199

replay, 275–276, 353–354

shoulder surfing, 454–455

side-channel, 96

smurf, 277

social engineering. See social engineering attacks

spam, 193

spear phishing, 194, 459

spim, 194

spoofing, 273–274

SQL injection, 306–307

transitive access, 196

typo squatting, 200–201

URL hijacking, 200–201

viruses. See viruses

vishing, 194

watering hole, 201

web application, 307–309

WEP, 354, 371–372

wireless, 349–355

WPA, 354–355, 372

WPS, 353, 355

XMAS, 196, 197

XML injection, 307

XSRF, 323–324

XSS, 313–314, 323

zero-day, 309, 473

audit logs, 295

audit trails, 178–179, 295

auditing, 29, 297–298

authentication. See also authorization

vs. authorization, 163

biometric, 140–141, 397

centralized, 142

CHAP, 160–161

concepts, 135–143, 157–163

considerations, 157

credentials. See credentials

decentralized, 142

diameter, 164

factors, 136–138

federated, 143–144

identification, 135, 139

Kerberos, 161–162, 163, 354

L2TP, 165

LANMAN, 161

mobile devices, 438–439, 440

MS-CHAP, 160–161

multifactor, 136

mutual, 329

NTLM, 161

one-time password, 159–160

overview, 28, 147

PAP, 160

PPTP, 165

RADIUS, 164, 165

remote access, 163–165

SAML, 158–159

single sign-on, 142, 157, 158

single-factor, 136, 139

static devices, 247

TACACS/TACACS+, 164–165

trust relationships, 143–144

trusted entity, 141–143

two-factor, 136

username/password, 139

wireless networks, 363–364, 372

WPA-Enterprise, 354

WPA-PSK, 354, 361, 362

XTACACS, 164

authentication, authorization, and accounting (AAA), 163

Authentication Header (AH) protocol, 225

authentication protocols/methods, 157–163

authentication server, 363

Authentication Service (AS), 162

authentication systems, 136

authenticators, 135, 363

authoritative servers, 328

authorization, 147–155. See also authentication

access control models, 151–153

vs. authentication, 163

overview, 28, 147

restrictions on, 152–153

supporting, 147–151

automobile computing systems, 246

availability, 27–28, 340–341, 524–525

avalanche effect, 114

B

backdoors, 190

backup plans/policies, 532–535

alternate sites, 535–537

cold sites, 535–536, 537

considerations, 532, 533

execution of backups, 533

frequency of backups, 533

hot sites, 536–537

offsite storage of, 532

responsibility for backups, 532

warm sites, 536, 537

backups

datasets, 535

differential, 534, 535

full, 533, 535

incremental, 533–534, 535

third-party security and, 412–413

types of, 533–535

virtual machines, 341–342, 537

banner grabbing, 489

barricades, 397–398

baseline reporting, 483

baselines

applications, 320–321

creating, 483

detecting deviations, 216

establishing, 215

monitoring, 215

security, 215

bastion host, 260–261

BCP. See business continuity planning

Bcrypt method, 113

best practices, 469–470

BIA (business impact analysis), 520–521, 532, 537

bidirectional trust, 142

big data, 234–235, 516

biometric authentication, 140–141, 397

birthday paradox, 197

BitLocker, 231–232, 233

black box test, 485

black hat hacker, 486

blacklisting, 212

blind testing, 485

block algorithms, 84, 93

block ciphers, 97

blocks, 84

Blowfish algorithm, 96, 97

bluejacking, 355

bluesnarfing, 355

Bluetooth attacks, 355

Bluetooth devices, 355

Bluetooth technology, 246, 355

bollards, 397–398

boot-sector viruses, 188

botnet attacks, 276–277

botnets, 191, 276–277

bots, 191, 276–277

BPA (business partner agreement), 413–414, 415

bridging, 339

bring your own device. See BYOD

broadband connections, 163–164

browser helper objects (BHOs), 308

browsers. See web browsers

brute-force attacks, 198

buffer overflow attacks, 308

business continuity

basic concepts, 520–521

described, 519

disaster recovery and, 523

business continuity planning (BCP), 519–529. See also disaster recovery; risk management

business impact analysis, 520–521, 532, 537

considerations, 522

continuity of operations, 522–523

downtime, 524–525

exercises/testing plans, 526–527

high availability and, 524–525

identifying critical systems/components, 520–521

IT contingency planning, 523

leadership chain-of-command, 524

overview, 519, 531

purpose of, 522

redundancy, 525

removing single points of failure, 521

risk assessment, 519–520

risk management and, 519

succession planning, 523–524

business impact analysis (BIA), 520–521, 532, 537

business partner agreement (BPA), 413–414, 415

business partnerships. See also third-party security providers

agreements, 413–414

considerations, 411–413

general, 413–414

joint ventures, 413, 414

limited, 413, 414

onboarding/offboarding, 409–410

privacy issues, 46, 411–412

trust issues, 128, 142

BYOD (bring your own device), 431, 443

BYOD concerns, 443–445

C

CA (certificate authority), 123–124

cable modems, 163–164

cables, 269, 380, 398–399

cabling, physical, 269, 398–399

cache, memory, 196, 274, 328

caching servers, 328

Cain and Abel tool, 198

camera

mobile devices, 447

video surveillance, 395–396

CAP certification, 7

captive portals, 368–369

car computing systems, 246

CASP certification, 7

CBC (Cipher Block Chaining) mode, 94

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 362

CCTV (closed-circuit television) systems, 395–396

CEH certification, 7

cellular technology, 246

centralized account management, 170, 171

centralized authentication, 142

CER (crossover error rate), 141

certificate authority (CA), 123–124

certificate revocation lists (CRLs), 124–125

certificate servers, 124

Certificate Signing Request (CSR), 123

certificates. See digital certificates

certification exams, 3–7. See also CompTIA Security+ exam

certification, security, 5–7

certifications, 4

Certified Information Systems Security Professional (CISSP), 6, 7

CFB (Cipher Feedback) mode, 94

chain-of-custody, 511

Challenge-Handshake Authentication Protocol (CHAP), 160–161

CHAP (Challenge-Handshake Authentication Protocol), 160–161

CHFI certification, 7

CIA triad, 26–28, 29

Cipher Block Chaining Message Authentication Code Protocol. See CCMP

Cipher Block Chaining (CBC) mode, 94

Cipher Feedback (CFB) mode, 94

cipher locks, 394

ciphers, 78, 79–80, 113

ciphertext, 77, 78

CISA certification, 7

CISM certification, 7

CISSP (Certified Information Systems Security Professional), 6

CISSP certification, 7

classification of information, 31–32, 44, 468

clean desk policy, 471

client-side attacks, 196

client-side validation, 322–323

closed circuit television (CCTV) systems, 395–396

cloud architecture models, 422–423

cloud computing, 419–427

cloud providers, 419, 422, 425, 426–427

cloud security, 419–429

cloud services, 420–422

clustering, 525

clustering technology, 236–237

clusters, 236–237, 525

Cocks, Clifford, 98

code review, 483

codebook, 78

codes (cryptography), 78, 79

codes of conduct/ethics, 78

coding, secure, 319–320, 323

cold sites, 535–536, 537

collision domains, 259

collisions, 100, 101, 197

command injection attacks, 306

community clouds, 423

community strings, 222, 223

compensating controls, 390

CompTIA (Computing Technology Industry Association), 7–8

CompTIA certifications, 7–8

CompTIA Network+ certification, 8

CompTIA Security+ exam. See also certification exams

assessment exam, 15–21

domains, 9

forms of identification required, 10

general information, 8–9

introduction to, 1–13

objectives, 9

overview, 7–11

passing score, 8

prerequisites, 8

sample questions, 15–21

scheduling, 10

studying for, 10–11

computer security. See security

computers. See also devices

laptop, 214, 394, 431

mainframes, 242–243

physical security, 213–214

policies, 45–46, 214

virtual. See virtual machines

Computing Technology Industry Association. See CompTIA

confidentiality, 27

confidentiality, integrity, and availability. See CIA triad

configuration control, 215

confusion, 114

contingency planning, 523

continuity of operations (COO), 522–523

continuous security monitoring

vs. ad-hoc monitoring, 297

alarms/alerts, 299

auditing, 297–298

host hardening, 215

network traffic, 288–289

overview, 178–179, 297

real-time monitoring, 298, 299

reporting, 300

SIEM, 298–299

SNMP, 298

trend analysis, 299

user accounts, 178–179

contract agreements, 426

control diversity, 247–248

control redundancy, 247, 248

controls, 30–31. See also security

administrative, 30, 387, 388

for application security, 319–322

classifying, 387–391

compensating, 390

corrective, 30, 390

for data storage, 230–235

detective, 30, 283, 389–390

deterrent, 389

environmental. See environmental controls

functions, 388–391

HVAC, 243, 382

logical, 30, 388

managerial, 30, 387, 388

operational, 30, 388

overview, 30–31

parental, 245

perimeter. See perimeter controls

physical, 30, 388, 391–401

preventative, 30–31, 283, 389

recovery, 390–391

safety, 391–401

technical, 30, 388

testing, 401

types of, 387–388

COO (continuity of operations), 522–523

cookie-based attacks, 314–315

cookies, 314–315

corrective controls, 31, 390

Counter (CTR) mode, 94

credentials

authentication and, 28, 135–136, 141–143

considerations, 138, 139

databases, 170–171, 197, 199

described, 135, 170

management of, 170–171

mobile security, 439–440

replay attacks, 275–276, 353–354

single sign-on, 142, 157, 158

stealing, 323–324

trusted entity, 141–143

validating, 135, 136

CRISC certification, 7

critical path analysis, 535

CRLs (certificate revocation lists), 124–125

crossover error rate (CER), 141

cross-site request forgery (XSRF) attacks, 323–324

cross-site scripting. See XSS

cross-trust model, 128

cryptanalysis, 78

cryptographic algorithms, 93–103

AES, 96, 97, 109, 354, 362

asymmetric, 97–100, 109, 118

block, 84, 93

Blowfish, 96, 97

DES, 94–95, 97

DSA, 100, 102

ECC, 100

ElGamal, 100

GPG, 99–100

hashing, 82, 100–103, 121

HMAC, 103

keys and, 82–84

MD5, 102

overview, 82–84

PGP, 99–100

PKI and, 117–118, 119

RC4, 96–97, 354, 360–361

RIPEMD, 103

RSA, 98, 99

SHA, 102–103

streaming, 84, 93

symmetric, 93–97, 108, 118

Twofish, 96, 97, 109

cryptographic keys, 82–84, 440

cryptographic methods, 93–105

application of, 107–116

avalanche effect, 114

confusion, 114

considerations, 112–114

data storage security, 108

diffusion, 114

ephemeral keys, 113

key stretching, 113

perfect forward secrecy, 113

proven technologies, 112

steganography, 110–112

strong vs. weak ciphers, 113

transport encryption, 108–110

wireless encryption, 110, 372–373

cryptography, 77–92. See also encryption

algorithms. See cryptographic algorithms

asymmetric, 88–89, 118

components, 82–90

considerations, 107

cryptosystems, 84

hashing, 81–82

history, 79–80, 81

hybrid, 89–90, 117–118

keys, 82–84

overview, 77–82

substitution cipher, 80

symmetric, 86–88, 119

symmetric key, 93

terminology, 78–79

transposition, 81

uses for, 78

XOR function, 84–85

cryptosystems, 84

cryptovariable, 83

CSR (Certificate Signing Request), 123

CTR (Counter) mode, 94

cybersecurity, 3. See also security

cybersquatting, 199–200

D

DAC (discretionary access control), 151–152

damage control, 502–503

data. See also information

access to. See access control

big data, 234–235, 516

classification of, 31–32, 44, 468

considerations, 52

destruction of, 235

disposal of, 469

encryption, 230–233

fault tolerance, 235–238

handling, 469

health-related, 40, 469, 502

hiding in other data, 110–112

labeling, 469

metadata, 321, 435, 469

objective, 66

ownership of, 412, 443–444

redundancy, 525

retention policies, 235

sensitivity levels, 31–32, 44, 147, 148

sharing, 412

storage of. See data storage

transport of, 235

volatility, 509–510

data breaches, 501–502

Data Encryption Standard (DES), 94–95

data integrity, 512–513

data loss prevention (DLP) layer, 285–286

data sensitivity, 31–32, 44, 147, 148

data sensitivity and classification policy, 44

data storage

best practices, 235–238

controls/methods, 230–235

fault tolerance, 235–238

policies, 235

protocols, 229–230

security, 108, 229–240

data-at-rest, 79, 108, 229

databases

big data and, 234

credentials, 170–171, 197, 199

decentralized, 171

directory services, 307

encryption, 230

NoSQL, 322

relational, 306

signatures, 284

SQL, 306, 322

user account, 171, 321

data-in-process, 79

data-in-transit, 79, 229

datasets, 535

DDoS (distributed denial-of-service) attacks, 191, 276–278

deauthentication attacks, 352–353

decentralized account management, 170, 171

decentralized authentication, 142

decipher, 79

decode, 79

decryption, 78, 100

de-encapsulation, 328

default-allow policy, 266

defense diversity, 210–211

defense-in-depth, 31, 247

demilitarized zone (DMZ), 247–248, 261, 262

denial-of-service (DoS) attacks, 276, 349

deny actions, 266

DES (Data Encryption Standard), 94–95

detective controls, 30, 283, 389–390

deterrent controls, 389

device lockout, 440–441

device locks, 394

device logs, 294, 298

devices

Apple, 244–245

application-aware, 321–322

authentication and, 247

Bluetooth, 355

detecting rogue machines, 288

embedded, 242

entertainment, 242

firmware version control, 250–251

general purpose, 241

Google, 244–245

medical, 248–249

mobile. See mobile devices

network. See network devices

pairing, 355

parental controls, 245

personally owned, 471

proxies, 282

rule-based management, 265–266

smart, 431

special purpose, 241

static environments, 241–251

UTM, 286

wireless, 350, 354, 360, 361, 362

D-H (Diffie-Hellman) algorithm, 98–99

DHCP (Dynamic Host Configuration Protocol), 206

DHCP logs, 288

DHCP servers, 288

DHE (Diffie-Hellman Ephemeral) key exchange, 98–99

dial-up connections, 269

diameter protocol, 164

dictionary attacks, 198–199

Diffie-Hellman algorithm, 98–99

diffusion, 114

digital certificates. See also certificate authority

digital signatures, 121

example of, 122–123

expiration, 125, 126, 127

general information, 117, 122–123

lifecycles, 125

non-repudiation and, 120

PKI structures and, 121–125

registration, 123

revocation, 124–125, 126, 127

suspended, 126, 127

uses for, 122

digital identities, 439–440

Digital Signature Algorithm (DSA), 100, 102

digital signatures, 121

directory traversal attacks, 308

disaster recovery, 531–540. See also business continuity; emergencies; risk management

alternate sites, 535–537

backup plans, 532–535

considerations, 531

contingency planning, 523

continuity of operations, 522–523

downtime, 524–525

escape plans/routes, 399–400

exercises, 526–527

man-made disasters, 531–532

natural disasters, 531

overview, 531–532

recovery point objective, 537, 538

recovery time objective, 537

single points of failure, 521

succession planning, 523–524

testing, 526–527

disaster recovery plans (DRPs), 520, 522, 523, 531, 532

discretionary access control (DAC), 151–152

disks. See hard drives

distributed denial-of-service (DDoS) attacks, 191, 276–278

DLP (data loss prevention) layer, 285–286

DMZ (demilitarized zone), 247–248, 261, 262

DNS (Domain Name System), 206, 328–329

DNS poisoning, 195

DNS Security Extensions (DNSSEC), 329

DNS servers, 195, 288, 328–329

DNS zones, 328

DNSSEC (DNS Security Extensions), 329

documentation review, 526

Domain Name System. See DNS

DoS (denial-of-service) attacks, 276, 349

double-blind test, 485

downtime, 524–525

drills, conducting, 401

drives. See hard drives

DRPs (disaster recovery plans), 520, 522, 523, 531, 532

DSA (Digital Signature Algorithm), 100, 102

DSL modems, 163–164

due care, 34

due diligence, 34

dumpster diving, 455–456

Dynamic Host Configuration Protocol. See DHCP

E

EAP (Extensible Authentication Protocol), 102, 164, 363–364

EAP-MD5 method, 102

ECB (Electronic Codebook) mode, 94, 95

ECC (Elliptic Curve Cryptography), 100

EC-Council, 6

EDE (Encrypt-Decrypt-Encrypt) method, 95

EDH (Ephemeral Diffie-Hellman) key exchange, 113

egress filtering, 258

elasticity, 342

electrical interference, 379–380

electromagnetic interference (EMI), 379–380

Electronic Codebook (ECB) mode, 94, 95

electronic locks, 394

ElGamal algorithm, 100

ElGamal, Taher, 100

Elliptic Curve Cryptography (ECC), 100

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), 98

e-mail

hoaxes, 457

HTML attachments, 315

pharming attacks, 195, 457

phishing attacks, 193, 194, 457, 472

secret keys and, 87

spam, 285–286

spear phishing, 194, 459

embedded devices, 242

embedded systems, 241, 242

emergencies. See also disaster recovery

conducting drills, 401

escape plans/routes, 399–400

security guards and, 394

testing controls, 401

emergency lighting, 401

EMI (electromagnetic interference), 379–380

employees. See also users

access control. See access control

administrators. See administrators

clean desk policy, 471

incident response team, 497–498

IT professionals, 3–4

job rotation, 33–34

leadership chain-of-command, 524

malicious insider threat, 195

mandatory vacations, 33

mantraps, 396

multi-person control, 33

need-to-know, 32

personally identifiable information, 467–468

personally owned devices, 471

personnel policies, 46

principle of least privilege, 32, 148

privacy issues, 46

security professionals, 3–5

security responsibilities, 466

separation of duties, 33, 148

social engineering and. See social engineering

social networking and, 471–472

succession planning, 523–524

tailgating, 456, 471

training, 465–476, 524

use of computer assets, 44

Encapsulating Security Payload (ESP) protocol, 225

encapsulation, 328

EnCase software, 513

encipher, 79

encode, 79

Encrypt-Decrypt-Encrypt (EDE) method, 95

encryption. See also cryptography

considerations, 100, 230–233

data, 230–233

databases, 230

decryption, 78, 100

described, 77

hardware-based, 233

vs. hashing, 82, 100, 101

individual files vs. container, 230–231

mobile devices, 438, 441

RC4, 96–97, 354, 360–361

transport, 108–110

wireless networks, 110, 372–373

encryption algorithms. See cryptographic algorithms

encryption keys, 231

Enigma machine, 80

entertainment devices, 242

environmental controls, 379–383

EMI/RFI shielding, 379–380

fire suppression, 380–381

hot/cold aisles, 382–383

humidity control, 382

HVAC systems, 243, 382

overview, 379

temperature control, 382

environmental monitoring, 383

Ephemeral Diffie-Hellman (EDH) key exchange, 113

ephemeral keys, 113

equipment. See also hardware

care/use of, 45–46

clustering, 525

hot/cold aisles, 382–383

physical cabling for, 398–399

policies, 45–46, 214

error rates, 141

eSATA (External Serial Advanced Technology Attachment), 230

escape plans/routes, 399–400

ESP (Encapsulating Security Payload) protocol, 225

Ethernet cables, 380

ethical hackers, 484–486

ethical issues, 508

event logs, 295, 296–297, 389–390

evidence, computer crime. See forensics

evil twin attack, 349–350

exams, 3–7. See also CompTIA Security+ exam

eXclusive OR (XOR), 84–85

experience, 3, 4

explicit rules, 266

exposure factor, 67

Extended Terminal Access Controller Access Control System (XTACACS), 164

Extensible Authentication Protocol. See EAP

eXtensible Markup Language. See XML

External Serial Advanced Technology Attachment (eSATA), 230

F

false acceptance rate (FAR), 141

false rejection rate (FRR), 141

false value, 85

fault tolerance, 235–238

FCoE (Fibre Channel over Ethernet), 230

Federal Rules of Evidence (FRE), 508

federated authentication, 143–144

fencing, 392, 393

Fibre Channel, 230

Fibre Channel over Ethernet (FCoE), 230

File Transfer Protocol. See FTP

files

cookie, 315

copying/transferring, 332

HTML, 315

integrity, 512–513

log. See log files

zone, 328

fire extinguishers, 381

fire suppression, 380–381

firewalls

ACLs and, 267

application, 249, 250

considerations, 247–248

egress filtering, 258

host-based, 212–213, 214

ingress filtering, 258

network- vs. host-based, 258

overview, 258

firmware

considerations, 250

updates, 246, 249–251

vehicular computing systems, 246

version control, 249–251

first responders

forensics investigations, 510–511

security incidents, 500, 501

flags, 196

flash cookies, 314

flood guards, 268–269

Forensic Toolkit (FTK), 513–514

forensics, 507–518

analyzing evidence, 515–516

basic concepts, 507–508

capturing evidence, 513–515

chain-of-custody, 511

critical practices, 510–513

data integrity, 512–513

data volatility, 509–510

first response, 510–511

handling evidence, 508, 511

impartiality, 507–508

importance of time, 511–512

legal/ethical issues, 508

mobile devices, 446

sources of evidence, 509–510

types of evidence, 508

FRE (Federal Rules of Evidence), 508

FRR (false rejection rate), 141

FTK (Forensic Toolkit), 513–514

FTP (File Transfer Protocol), 206, 331

FTPS (FTP over SSL/TLS), 331, 333

fuzzing, 322

G

game consoles, 245–246

generic accounts, 181

geofencing, 441

geotagging, 435–436

GLB (Gramm-Leach-Bliley Act), 470

GNU Privacy Guard (GPG), 99–100, 129

governance. See also security governance

legal sources, 40

organizational, 41–44

other sources, 43–44

overview, 39–40

GPG (GNU Privacy Guard), 99–100, 129

GPS services, 441

Gramm-Leach-Bliley Act (GLB), 470

gray box test, 485

gray hat hackers, 486

group accounts, 181

group-based privileges, 178

groups. See also users

access control, 151, 152

logical, 171, 178

policies, 171–172

privileges/permissions, 177, 178

web of trust model, 129

guards, security, 394–396, 401

guest accounts, 207–208

guidelines, defined, 43

H

hackers

black hat, 486

considerations, 187

ethical, 484–486

gray hat, 486

malicious, 484–486, 487, 488

passive/active tools, 486

password cracking and, 172–173, 175

SCADA systems and, 243

viruses and. See viruses

white hat, 486

Halon gas, 381

hard drives

analyzing evidence on, 515

disposal of, 469

as forensics evidence, 509

imaging, 512

mirroring, 237, 238

RAID, 237–238

striping, 237, 238

hardening

applications, 319–326

host network services, 219–228

hosts. See host hardening

Internet service, 327–336

networks. See network hardening

operating systems, 208–212

virtual machines, 441

wireless networks, 359–375

hardware. See also devices; equipment

fault tolerance, 236

firmware, 250, 251

mean time between failures, 64, 65

mean time to recovery, 64, 65

physical security. See physical security

policies, 214

risk factors, 64–65

securing, 213–214

hardware addresses, 287

hardware locks, 394

Hardware Security Module (HSM), 233

hardware tokens, 137

hardware-based encryption, 233

Hash-based Message Authentication Code. See HMAC

hashes/hashing

CHAP, 160–161

collisions and, 100–101, 102

considerations, 93, 100–102, 121

data integrity and, 512–513, 514, 515

dictionary attacks and, 199–200

digital evidence and, 512–513

vs. encryption, 82, 100, 101

HMAC, 103, 159–160

Keccak, 103

MD4, 102

MD5, 102, 512

overview, 81–82, 512

password hashes, 101, 197, 199

purpose of, 101, 102

RIPEMD, 103

SHA, 102–103, 512

hashing algorithms, 82, 100–103, 121

hashing process, 101

health data, 40, 469, 502

Health Insurance Portability and Accountability Act (HIPAA), 40, 470, 502

heating, ventilation, and air conditioning (HVAC) controls, 243, 382

heuristic systems, 284

hierarchical trust model, 128

high availability, 524–525

HIPAA (Health Insurance Portability and Accountability Act), 40, 470, 502

HMAC (Hash-based Message Authentication Code), 103

HMAC-based One-Time Password (HOTP), 159–160

hoaxes, 457

honeypots, 488–489

host attacks, 193–201. See also host-based threats

ARP poisoning, 196

client-side attacks, 196

considerations, 187

DNS poisoning, 195

password attacks, 196–200

pharming, 195, 457

phishing, 193

privilege escalation, 194–195

spam, 193

spear phishing, 194, 459

spim, 194

transitive access, 196

typo squatting, 200–201

URL hijacking, 200–201

vishing, 194

watering hole attacks, 201

XMAS attacks, 196, 197

host availability, 342

host hardening, 205–218

baseline configuration, 215

blacklisting, 212

configuring host security, 205–208

continuous security monitoring, 215

disabling unnecessary services, 206

hardening OS, 208–212

host-based firewalls, 212–213, 214

intrusion detection systems, 212–213

maintaining host security, 214–216

management interfaces/applications, 206

network services, 219–228

overview, 205

physical security, 213–214

remediation, 216

whitelisting, 212

host-based firewalls, 212–213, 214

host-based threats, 187–203. See also host attacks

hot sites, 536–537

hot/cold aisles, 382–383

HOTP (HMAC-based One-Time Password), 159–160

hot-swappable, 237

HSM (Hardware Security Module), 233

HTML (Hypertext Markup Language), 330

HTML attachments, 315

HTML files, 315

HTTP (Hypertext Transfer Protocol), 109, 330–331

HTTP headers, 315

HTTP requests, 315, 330

HTTP traffic, 249, 258, 266, 321, 330, 331

HTTPS (Hypertext Transfer Protocol Secure), 109, 330–331

humidity control, 382

HVAC (heating, ventilation, and air conditioning) controls, 243, 382

hybrid attacks, 199

hybrid clouds, 423

hybrid cryptography, 89–90, 117–118

hygrometers, 382

hygrothermographs, 382

Hypertext Markup Language. See HTML

Hypertext Transfer Protocol. See HTTP

Hypertext Transfer Protocol Secure (HTTPS), 109, 330–331

hypervisors, 338–339, 340

I

IaaS (Infrastructure-as-a-Service), 421–422

ICMP (Internet Control Message Protocol), 225–226

ICMP attacks, 226

ICMP floods, 268

ICMP packets, 225, 226, 276, 277

ICMP traffic, 276, 277–278

ICS (industrial control systems), 243

identification, 28, 135, 139, 147

identity provider, 158

IDS (intrusion detection system), 212–213, 389, 390, 399

IETF (Internet Engineering Task Force), 97

IETF standard, 100

IKE (Internet Key Exchange) protocol, 225

IM (instant messaging), 194

IMAP (Internet Message Access Protocol), 333–334

IMAPS, 334

impact, 54–55

impersonation, 456

implicit deny principle, 266–267

implicit rules, 266

in-band key exchange, 87

incident management, 496

incident response, 495–506. See also incidents

data breaches, 501–502

escalation/identification, 501

executing, 498–503

incident management, 496

overview, 495

post-response, 503–504

preparation, 497–498

recovery operations, 504

reports/reporting, 503–504

response strategy, 498

risk mitigation strategies, 495

staffing, 497–498

incident response team, 497–498

incidents

analyzing, 499

categories, 531

damage from, 502–503

described, 495

due diligence/due care, 34

identifying, 500–501

response to. See incident response

industrial control systems (ICS), 243

information. See also data

classification of, 31–32, 44, 468

disposal of, 469

dumpster diving, 455–456

handling, 469

health-related, 40, 469, 502

labeling, 469

storage of. See data storage

information assurance, 3

Information Systems Audit and Control Association. See ISACA

Infrastructure-as-a-Service (IaaS), 421–422

ingress filtering, 258

inherence factor, 137, 138, 140

initialization vectors (IVs), 354, 360

injection attacks, 305–307

input validation, 305, 308, 322

instant messaging (IM), 194

integer overflow condition, 308

Integrated Services Digital Network. See ISDN

integrity, 27, 512–513

Interconnection Security Agreement (ISA), 414, 415

interference

described, 350

electrical, 379–380

electromagnetic, 379–380

radio frequency, 379–380

International Information System Security Certification Consortium, Inc. ((ISC)²), 6

Internet Control Message Protocol. See ICMP

Internet Engineering Task Force. See IETF

Internet Key Exchange (IKE) protocol, 225

Internet Message Access Protocol. See IMAP

Internet of Things, 205, 241

Internet Protocol. See IP

Internet Protocol Security (IPSec), 109, 222, 225, 265, 269

Internet SCSI (iSCSI) protocol, 229–230

Internet Security Association and Key Management Protocol (ISAKMP), 225

Internet service

hardening, 327–336

protocols, 327–334

inter-VLAN routing, 264

intrusion detection system (IDS), 212–213, 389, 390, 399

in-vehicle computing systems, 246

inventory control, 433–434

iOS, 244–245

IP (Internet Protocol), 221

IP addresses, 265, 273, 274

iPhone, 244–245

IPSec (Internet Protocol Security), 109, 222, 225, 265, 269

IPv4 protocol, 221–222

IPv6 protocol, 222

ISA (Interconnection Service Agreement), 414, 415

ISACA, 6, 59, 65

ISACA risk assessment methodology, 65

ISACA Risk IT Framework, 59

ISAKMP (Internet Security Association and Key Management Protocol), 225

(ISC)² (International Information System Security Certification Consortium, Inc.), 6

iSCSI (Internet SCSI) protocol, 229–230

ISDN (Integrated Services Digital Network), 163

ISDN connections, 163, 269

ISSAP certification, 7

ISSEP certification, 7

ISSMP certification, 7

IT contingency planning, 523

IT professionals

experience, 3, 4

measuring knowledge/skills, 3–4

resumes of, 4

IT risk assessment. See risk assessment

IT security certification, 3–7

ITU-T X.509 standard, 119, 120

IVs (initialization vectors), 354, 360

J

jailbreaking, 245

jamming, 350

job rotation, 33–34

K

KDC (Kerberos Key Distribution Center), 162

Keccak hashing function, 103

Kerberos authentication, 161–162, 163, 354

Kerberos Key Distribution Center (KDC), 162

Kerberos realms, 162

Kerberos servers, 162

Kerckhoffs, Auguste, 112

Kerckhoffs’s principle, 83

key escrow, 83, 128

key exchange, 87–88, 89, 90, 120

key generation, 120

key management, 439–440

key pairs, 88–90, 97

key stretching, 113

keys

ephemeral, 113

mobile devices, 439–440

overview, 82–84, 118

perfect forward secrecy, 113

PKI. See PKI entries

preshared, 110

private, 88–90, 97, 118

public, 88–90, 97, 118

session, 88–89, 119

stretching, 113

WEP, 354, 360, 364

keystream, 85

knowledge factor, 136, 138

knowledge/skills, 4–5

L

L2TP (Layer 2 Tunneling Protocol), 165, 269

LAN Manager (LANMAN) protocol, 161

LANs (local area networks). See also networks

administration principles, 265–270

devices. See network devices

hardening. See network hardening

IPv4 issues, 221

NetBIOS and, 224

security. See network security

virtual. See VLANs

laptop computers, 214, 394, 431

laws/regulations, 40, 469–470

Layer 2 Tunneling Protocol (L2TP), 165, 269

layer 3 switches, 259, 264

LDAP (Lightweight Directory Access Protocol), 162–163

LDAP injection attacks, 307

LDAP over SSL, 162

LEAP (Lightweight Extensible Authentication Protocol), 364

least privilege, 32, 148, 321

Least Significant Bit (LSB), 111, 112

legacy software, 343

legal issues, 445–446, 508

liability, 34

lighting, 393–394

Lightweight Directory Access Protocol. See LDAP

Lightweight Extensible Authentication Protocol (LEAP), 364

line conditioners, 380

line noise, 380

live response, 509

load balancing, 236, 259–260, 525

local shared objects (LSOs), 314

location factor, 138

locks

cipher, 394

device, 394

electronic, 394

mechanical, 394

physical, 384

warded, 394

log files

access logs, 296

analyzing, 296–297

audit logs, 295

capturing, 514–515

decentralized vs. centralized, 294–295

described, 294

device logs, 294, 298

event logs, 295, 296–297, 389–390

as evidence, 514–515

managing, 294–296

network logs, 514–515

security logs, 295

system logs, 294, 295

types of, 295–296

logic bombs, 190–191

logical controls, 30, 388

logical groups, 171

loop protection, 269

looping, 269

loss control, 502–503

LSB (Least Significant Bit), 111, 112

LSOs (local shared objects), 314

Lucifer algorithm, 94

M

MAC (mandatory access control), 151

MAC (Message Authentication Code), 103

MAC addresses

ARP poisoning and, 196

considerations, 365

filtering, 287, 365–366

limiting, 287

spoofing, 273, 274, 287

MAC flooding, 268

mail. See e-mail

mainframes, 242–243

malicious add-ons, 308–309

malicious hackers, 484–486, 487, 488

malware, 187–193

adware, 189–190

backdoors, 190

botnets, 191

logic bombs, 190–191

metamorphic, 192

new forms of, 472

overview, 187–188

polymorphic, 192

ransomware, 191–192

rootkits, 190

spyware, 190

trojans, 189

viruses. See viruses

worms, 188

MAM (mobile application management), 438

Management Information Base (MIB), 222, 298

management interfaces, 206

managerial controls, 30, 387, 388

mandatory access control (MAC), 151

mandatory vacations, 33

man-in-the-middle (MITM) attacks, 274–275

man-made disasters, 531–532

mantraps, 396

MD4 (Message Digest 4), 102

MD5 (Message Digest 5), 102, 512

MDM (mobile device management), 245, 433, 434, 471

mean time between failures (MTBF), 64

mean time to failure (MTTF), 64, 65

mean time to recovery (MTTR), 64, 65

mechanical locks, 394

media, removable, 232–233

medical devices, 248–249

memorandum of understanding (MOU), 414, 415

memory

buffer overflows, 308

RAM, 79, 276, 509

usage, 236

memory cache, 196, 274, 328

Message Authentication Code (MAC), 103

message digest, 81, 512

Message Digest 4 (MD4), 102

Message Digest 5 (MD5), 102, 512

message integrity, 121

messages, 82

metadata, 321, 435, 469

metadata labeling, 469

metamorphic malware, 192

MIB (Management Information Base), 222, 298

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), 160–161

Microsoft Point-to-Point Encryption (MPPE) protocol, 165

mirroring, 237, 238

mitigating risks, 57–58

MITM (man-in-the-middle) attacks, 274–275

mobile application management (MAM), 438

mobile device management (MDM), 245, 433, 434, 471

mobile devices

acceptable use policy, 446–447

Android, 243–244

antivirus management, 444

authentication, 438–439, 440

BYOD concerns, 443–445

camera/video concerns, 447

considerations, 447

data ownership and, 443–444

device lockout, 440–441

forensics and, 446

GPS services, 441

iOS, 244–245

jailbreaking, 245

key management, 439–440

legal concerns, 445–446

locked, 394, 440–441

lost/stolen, 436–437

managing, 245, 433, 434, 471

MDM software, 245, 433, 434, 471

onboarding/offboarding, 437

patches, 444

privacy issues, 444–445

protecting from access/loss, 440–445

provisioning, 437

remote wiping, 436–437

removable storage, 442

screen lock, 440

security. See mobile security

storage segmentation, 441–442

support ownership and, 444

theft of, 214

in the workplace, 431–432

mobile security, 431–450

antivirus management, 444

application control, 437

application whitelisting, 438

applications, 437–438

asset tracking, 433–434

authentication, 438–439, 440

BYOD concerns, 443–445

concepts/technologies, 432–437

credentials, 439–440

device access control, 434–435

disabling unused features, 442–443

encryption, 438, 441

geotagging, 435–436

inventory control, 433–434

key management, 439–440

mobile device management, 245, 433, 434, 471

onboarding/offboarding devices, 437

policies, 446–447

remote management, 436–437

modems, 163–164, 269

modes, 94

moisture, 382

motion detectors, 399

MOU (memorandum of understanding), 414, 415

MPPE (Microsoft Point-to-Point Encryption) protocol, 165

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), 160–161

MTBF (mean time between failures), 64

MTTF (mean time to failure), 64, 65

MTTR (mean time to recovery), 64, 65

multifactor authentication, 136

multi-person control, 33

mutual authentication, 329

N

NAC (Network Access Control), 260, 288

NAS (network attached storage) devices, 234

NAT (Network Address Translation), 265

National Institute of Standards and Technology. See NIST

National Security Agency (NSA), 102

natural disasters, 531

NBT (NetBIOS over TCP/IP), 224

near field communication (NFC), 353

need-to-know principle, 32

negligence, 34

Nessus scanner, 488, 489

NetBIOS, 224

NetBIOS over TCP/IP (NBT), 224

Network Access Control (NAC), 260, 288

Network Address Translation (NAT), 265

network attached storage (NAS) devices, 234

network attacks, 273–278

botnet, 276–277

DDoS, 276–278

DoS, 276

MITM, 274–275

replay, 275–276

smurf, 277

spoofing, 273–274

Network Basic Input/Output System. See NetBIOS

Network+ certification, 8

network design, 260–265

network devices

ACLs, 267

considerations, 257

detecting rogue machines, 288

disabling application service ports, 288

disabling interfaces, 287

firewalls. See firewalls

load balancers, 259–260

NAC, 260, 288

port security, 268

proxies, 282

routers, 258–259, 267–269

rule-based management, 265–266

security, 257–260

switches, 259, 288

network hardening, 281–291

defense methods, 281–286

hardening techniques, 286–289

host network services, 219–228

IDS, 212–213, 389, 390, 399

NIDS/NIPS, 283–284

protocol analyzers, 284–285, 486–487, 515

proxies, 282

spam filtering, 285–286

Unified Threat Management, 286

VPN concentrators, 282–283

web security gateways, 282

network intrusion prevention system (NIPS), 283–284

network intrusion detection system (NIDS), 283–284

network logs, 514–515

network monitoring, 293–302

continuous security monitoring, 288–289

log files. See log files

log management, 294

overview, 293

real-time, 298, 299

reporting, 300

network protocols, 327–334

considerations, 327–328

DNS, 206, 328–329

FTP, 206, 331

FTPS, 331, 333

HTTP, 109, 330–331

HTTPS, 109, 330–331

ICMP, 225–226

IMAP, 333–334

IPSec, 109, 222, 225, 265, 269

IPv4, 221–222

IPv6, 222

OSI model and, 219–226

overview, 219–220

POP3, 333

RDP, 224, 421

SCP, 223–224, 270, 332

SFTP, 331, 332–333

SMTP. See SMTP

SNMP. See SNMP

SSH. See SSH

SSL. See SSL

TCP/IP, 220–221

Telnet, 331

TLS, 97, 109, 164, 330

network security, 255–302

ACLs, 267

administration principles, 265–270

architecture and, 260–261

attacks. See network attacks

bastion host, 260–261

considerations, 3, 257

demilitarized zone, 247–248, 261, 262

devices. See network devices

firewalls. See firewalls

flood guards, 268–269

implicit deny principle, 266–267

load balancers, 259–260

loop protection, 269

monitoring. See network monitoring

NAC, 260, 288

NAT, 265

network design, 260–265

network separation strategies, 261–265

remote access, 269–270

rogue machines, 296

routers, 258–259, 267–269

rule-based management, 265–266

sniffers/sniffing, 259, 284–285

switches, 259, 288

telephony services, 270

threats, 273–280

network segmentation, 248–249

network separation, 261–265

Network Time Protocol (NTP), 512

network traffic

capturing, 514–515

continuous monitoring, 288–289

sniffing, 352

networking, social, 471–472

networks. See also LANs

administration principles, 265–270

demilitarized zone, 247–248, 261, 262

devices. See network devices

hardening. See network hardening

monitoring. See network monitoring

NAT, 265

protocols. See network protocols

routers, 258–259, 267–269

SANs, 234

security. See network security

subnetting, 262–263

VLANs. See VLANs

WANs, 258

wired, 359–360

wireless. See wireless networks

NFC (near field communication), 353

NIDS (network intrusion detection system), 283–284

NIPS (network intrusion prevention system), 283–284

NIST (National Institute of Standards and Technology), 42, 54, 362

NIST SP 800-30, 65, 70

nmap tool, 488

noise, 259, 278, 366, 380

non-repudiation, 29, 120

NoSQL databases, 322

NSA (National Security Agency), 102

NT LAN Manager. See NTLM

NTLM (NT LAN Manager), 161

NTLMv2, 161

NTP (Network Time Protocol), 512

O

OCSP (Online Certificate Status Protocol), 125, 127

OFB (Output Feedback) mode, 94

one-time password (OTP), 159–160

Online Certificate Status Protocol (OCSP), 125, 127

Online Privacy Protection Act (OPPA), 40

Open System Interconnection. See OSI

OpenLDAP, 162

operating systems (OS)

Android, 243–244

baselines. See baselines

disabling unnecessary services, 206

embedded, 241, 242

hardening, 208–212

iOS, 244–245

patches, 208–210

secure configuration of, 205

security settings, 208, 209

trusted OS, 210

operational controls, 30, 388

OPPA (Online Privacy Protection Act), 40

organizational governance, 41–44

OS. See operating systems

OSI model, 219–221

OSI model layers, 221

OTP (one-time password), 159–160

out-of-band key exchange, 87

Output Feedback (OFB) mode, 94

P

P2P (Peer-to-Peer) applications, 471–472

packet sniffing, 352

pairing, 355

PAP (Password Authentication Protocol), 160

parental controls, 245

parity information, 237, 238

passive security tools, 486

password command, 159–160

password attacks, 196–200

Password Authentication Protocol (PAP), 160

password cracking, 172–173, 175

password hashes, 101, 197, 199

password protection, 206–207

Password-Based Key Derivation Function 2 (PBKDF2), 113

passwords

auditing strength of, 207

brute-force attacks, 198

character space, 173

complexity of, 172–173, 207, 470

dictionary attacks, 198–199

expired, 175

guessing, 173

guidelines, 172–173, 470–471

history, 173–174

hybrid attacks, 199

length of, 173

one-time, 159–160

policies, 45, 173–177, 207

protection of, 206–207

recovery of, 176–177

requirements for, 45

reuse restrictions, 173–174

time-based one-time password, 159

user behavior and, 470–471

username/password combination, 139

WEP, 360

PAT (Port Address Translation), 265

patches. See also updates

applications, 321

considerations, 250

firmware updates and, 250

managing, 208–210, 321, 444

mobile devices, 444

virtualization and, 342

Payment Card Industry Data Security Standard (PCI-DSS), 42–43, 470

PBKDF2 (Password-Based Key Derivation Function 2), 113

PBX (private branch exchange), 270

PCI-DSS (Payment Card Industry Data Security Standard), 42–43, 470

PEAP (Protected EAP), 364

Pearson VUE website, 10

Peer-to-Peer (P2P) applications, 471–472

penetration testing, 484–486

perfect forward secrecy, 113

perimeter controls, 391–401

access lists, 397

alarm system, 395, 399, 400, 401

barricades, 397–398

biometric authentication, 140–141, 397

closed-circuit television systems, 395–396

conducting drills, 401

considerations, 387, 391

escape plans/routes, 399–400

fencing, 392, 393

intrusion detection system, 389, 390, 399

lighting, 393–394

locks, 384

mantraps, 396

physical cabling, 398–399

proximity readers, 397

security guards, 394–396, 401

signage, 392–393

testing, 401

video surveillance, 395–396

permissions. See also privileges; rights

groups, 177, 178

users, 148–150

personal identification numbers (PINs), 140

personal identification verification cards, 140

personally identifiable information (PII), 467–468

personnel policies, 46

PGP (Pretty Good Privacy), 99–100, 129

pharming, 195, 457

PHI (protected health information), 40, 469

phishing attacks, 193, 194, 457, 472

physical cabling, 398–399

physical controls, 30, 388, 391–401

physical security, 377–403

access lists, 397

alarm system, 395, 399, 400, 401

barricades, 397–398

biometric authentication, 140–141, 397

closed-circuit television systems, 395–396

computers, 213–214

conducting drills, 401

considerations, 387, 391

emergencies. See emergencies

EMI/RFI shielding, 379–380

environmental. See environmental controls

escape plans/routes, 399–400

fencing, 392, 393

fire suppression, 380–381

host hardening, 213–214

hot/cold aisles, 382–383

humidity control, 382

HVAC controls, 354, 382

IDS, 212–213, 389, 390, 399

lighting, 393–394

locks, 384

mantraps, 396

perimeter. See perimeter controls

physical cabling, 398–399

proximity readers, 397

safety controls, 391–401

security guards, 394–396, 401

signage, 392–393

testing controls, 401

video surveillance, 395–396

PII (personally identifiable information), 467–468

PINs (personal identification numbers), 140

PKCS (Public Key Cryptography Standards), 119–120

PKI (Public Key Infrastructure), 117–131

algorithms, 117–118, 119

considerations, 125–128

digital certificates and, 121–125

key generation/exchange, 120

non-repudiation, 120

overview, 117

trust models, 128–129

PKI services, 120–121

PKI standards, 119–120

plaintext, 77, 78, 85

Platform-as-a-Service (PaaS), 422

Point-to-Point Protocol (PPP), 160

Point-to-Point Tunneling Protocol (PPTP), 165

policies. See security policies

polyalphabetic substitution cipher, 80

polymorphic malware, 192

POODLE attack, 329–330

POP3 (Post Office Protocol 3), 333

Port Address Translation (PAT), 265

port scanners, 487–488

port security, 268

port-based access control, 363

ports

disabling, 268, 288

scanning, 487–488

spanned, 259

TCP, 328

UDP, 328

possession, 136

possession factor, 136, 138

Post Office Protocol 3 (POP3), 333

PPP (Point-to-Point Protocol), 160

PPTP (Point-to-Point Tunneling Protocol), 165

preshared keys, 110

Pretty Good Privacy (PGP), 99–100, 129

preventative controls, 30–31, 283, 389

principal, 158

privacy issues

big data and, 235

BYOD, 443, 444–445

employees, 46

mobile devices, 443, 444–445

personally owned devices, 471

social networking and, 471–472

third-party security, 411–412

privacy policies, 46, 445

private branch exchange (PBX), 270

private clouds, 422–423

private keys, 88–90, 97, 118

privilege creep, 178

privilege escalation, 194–195

privileges. See also permissions; rights

applications, 206, 321

described, 177

group-based, 177, 178

least, 32, 148, 321

management interfaces, 206

managing, 177–181

overview, 148, 149

transitive access, 196

user accounts, 177–179

user-assigned, 177

procedures, defined, 43

processes

critical, 519, 521

redundancy, 525

single points of failure, 521

Protected EAP (PEAP), 364

protected health information (PHI), 40, 469

protocol analyzers, 284–285, 486–487, 515. See also sniffers

protocol suite, 220

provisioning, 169

proxies, 282

proximity readers, 397

public clouds, 423

Public Key Cryptography Standards (PKCS), 119–120

Public Key Infrastructure. See PKI

public keys, 88–90, 97, 118

public-private key pair, 98

Q

qualitative risk analysis/assessment, 55, 69–70, 481

quantitative risk analysis/assessment, 55, 66–68, 481

R

RA (Registration Authority), 123

RACE Integrity Primitives Evaluation Message Digest (RIPEMD), 103

radio frequency identification. See RFID

radio frequency interference (RFI), 379–380

radio frequency (RF) noise, 366

RADIUS (Remote Authentication Dial-in User Service), 164, 165

RADIUS clients, 165

RADIUS servers, 164

RAID (Redundant Array of Independent Disks), 237–238

RAID levels, 237–238

rainbow attacks, 199

rainbow tables, 199

RAM, 509

ransomware, 191–192

RBAC (rule-based access control), 152

RC4 cipher, 96–97, 110

RC4 encryption, 96–97, 354, 360–361

RC4 protocol, 354, 360–361

RDP (Remote Desktop Protocol), 224, 421

real-time monitoring, 298, 299

recovery agents, 127–128

recovery controls, 390–391

recovery, disaster. See disaster recovery

recovery point objective (RPO), 537, 538

recovery time objective (RTO), 537

reduced sign-on environment, 158

redundancy, 340–341, 525

Redundant Array of Independent Disks (RAID), 237–238

Registration Authority (RA), 123

regulations/laws, 40

remediation, 216

remote access, 163–165. See also access control

accounting function, 163–164

broadband connections, 163–164

dial-up, 269

diameter, 164

ISDN connections, 163, 269

L2TP, 165

methods, 269

PPTP, 165

RADIUS, 164, 165

remote shell connections, 270

security issues, 269–270

TACACS/TACACS+, 164–165

VPN connections, 163, 269

XTACACS, 164

Remote Authentication Dial-in User Service. See RADIUS

remote code execution, 309

remote control, 437

Remote Desktop Protocol (RDP), 224, 421

remote management, mobile devices, 436–437

remote shell connections, 270

remote wiping, 436–437

replay attacks, 275–276, 353–354

reports/reporting

baseline reports, 483

continuous security monitoring, 300

incident response, 503–504

reviewing reports, 300

resources, 148–150

response strategy, 498

RF (radio frequency) noise, 366

RFI (radio frequency interference), 379–380

RFID chips, 140

RFID (radio frequency identification) technology, 353

rights, 148–150, 177. See also permissions; privileges

Rijndael algorithm, 96, 362

RIPEMD (RACE Integrity Primitives Evaluation Message Digest), 103

risk. See also threats; vulnerabilities

analyzing, 55, 57

assessing, 63–73, 481, 519–520

assets, 52

calculating, 481–482

cloud computing, 423–425

considerations, 51, 55–56, 482

described, 51, 55

determining, 70

elements of, 51–55

external, 63–64

identification of, 57

internal, 64–65

levels, 481

likelihood, 53, 55–58, 481, 482

managing. See risk management

qualitative, 55, 69–70, 481

quantitative, 55, 66–68, 481

response to, 57–59, 70–71

third-party security providers, 411

transferring, 58

virtual machines, 340–341, 425

virtualization, 340–341, 423–425

risk acceptance, 58

risk appetite, 59

risk assessment, 63–73, 481, 519–520

risk avoidance, 58

risk factors, 63–65

risk management, 51–62. See also business continuity; disaster recovery; risk

aspects of, 56–59

assets, 52

best practices, 519–520

business continuity planning and, 519

defined, 51

frameworks, 59

guidance, 59

impact, 52, 54–55

likelihood of threats, 53, 55–58, 481, 482

overview, 56–57

qualitative risk, 55, 69–70, 481

quantitative risk, 55, 66–68, 481

relationships of risk elements, 55–56

response to risk, 57–59, 70–71

risk assessment, 63–73, 481, 519–520

single points of failure, 521

standards, 59

strategies for, 59

threats, 52–53

vulnerabilities, 52

Risk Management Framework (RMF), 59

risk mitigation, 57–58, 495

risk sharing, 58

risk tolerance, 59

risk transference, 58

Rivest, Ron, 96–97, 98

Rivest-Shamir-Adleman (RSA) algorithm, 98, 99

RMF (Risk Management Framework), 59

rogue access points, 349–350

rogue machine detection, 288

rogue machines, 288, 296

rogue servers, 288

role-based training, 466–467

root CA server, 124

rootkits, 190

ROT-13 cipher, 80

round-robin systems, 260

rounds, 85

routers

overview, 258–259

secure configuration of, 267–269

RPO (recovery point objective), 537, 538

RSA (Rivest-Shamir-Adleman) algorithm, 98, 99

RTO (recovery time objective), 537

rule sets, 266–267

rule-based access control (RBAC), 152

rule-based management, 265–266

rule-based systems, 284

rules, 265–266

S

SaaS (Software-as-a-Service), 420–421

safety controls, 391–401

salt, 113

SAML (Security Assertion Markup Language), 158–159

sandboxing, 343

SANs (storage area networks), 234

SCADA (Supervisory Control and Data Acquisition), 243

SCADA systems, 243

scalability, 118

scarcity, 460–461

scareware, 191

Schneier, Bruce, 96

SCP (Secure Copy Protocol), 223–224, 270, 332

screen lock, 440

scytale, 79–80

SD (Secure Digital) cards, 442

secret keys, 86

secure coding, 319–320

Secure Copy Protocol (SCP), 223–224, 270, 332

Secure Digital (SD) cards, 442

Secure FTP (FTPS), 331, 333

Secure Hash Algorithm (SHA), 102–103, 512

Secure LDAP, 162–163

Secure Shell. See SSH

Secure SMTP (SSMTP), 223, 334

Secure Sockets Layer. See SSL

security. See also controls; security assessments

accountability, 29

Android devices, 243–244

Apple devices, 244–245

applications. See application security

architecture/design, 483–484

attacks. See attacks

auditing, 29

authentication. See authentication

authorization. See authorization

availability, 27–28

awareness training, 465–476

banner grabbing, 489

basics, 25–37

cloud, 419–429

concepts, 5, 30–34

confidentiality, 27

controls, 30–31

data classification, 31–32, 44, 468

data sensitivity, 31–32, 44, 147, 148

data storage, 108

defense-in-depth, 31, 247

due diligence/due care, 34

experience/skills, 4–5

game consoles, 245–246

goals of, 25–28

honeypots, 488–489

host. See host hardening

identification, 28

integrity, 27

layered, 247–248

mobile devices. See mobile security

monitoring. See continuous security monitoring

need-to-know principle, 32

network. See network security

new threats/trends, 472–473

non-repudiation, 29, 120

OS settings, 208, 209

outsourcing, 407, 408

passwords. See passwords

perimeter. See perimeter controls

physical. See physical security

port, 268

port scanners, 487–488

principle of least privilege, 32, 148, 321

protocol analyzers, 284–285, 486–487, 515

remote access, 269–270

safety controls, 391–401

separation of duties, 33, 148

social engineering, 471

static hosts, 241

storage, 229–240

third-party providers. See third-party security

transmission, 108–110

video surveillance, 395–396

virtualization, 337–346

vulnerabilities. See vulnerabilities

wireless. See wireless security

Security Assertion Markup Language (SAML), 158–159

security assessments, 479–493. See also risk; threats

assessment techniques, 482–486

banner grabbing, 489

code review, 483

determining attack surface, 483–484

developing baseline, 483

false positives/negatives, 490–491

honeypots, 488–489

impact of threats, 481–482

interpreting results, 489–491

likelihood of threats, 53, 55–58, 481, 482

penetration testing, 484–486

port scanners, 487–488

protocol analyzers, 284–285, 486–487, 515

risk assessment, 63–73, 481, 519–520

risk calculations, 481–482

threats, 480

tools, 486–489

vulnerabilities. See vulnerabilities

security baselines. See baselines

security certification, 3–7

security control testing, 342–343

security events, 296–297

Security+ Exam. See CompTIA Security+ exam

security governance, 39–49

laws/regulations, 40

organizational governance, 41–44

overview, 39–40

security policies, 44–47

security guards, 394–396, 401

security identifiers (SIDs), 176

security incidents. See incidents

Security Information and Event Management (SIEM), 298–299

security layers, 247–248

security logs, 295

security monitoring, 215

security policies, 44–47

acceptable use, 44, 446–447

access control, 45, 147, 148

backup. See backup plans/policies

clean desk, 471

cloud computing, 426

computer equipment, 45–46, 214

considerations, 46–47

data ownership, 443–444

data retention, 235

data sensitivity/classification, 44

data storage, 235

default-allow, 266

equipment, 45–46, 214

groups, 171–172

hardware, 214

mobile devices, 446–447

overview, 42

passwords, 45, 173–177, 207

personnel, 46

privacy, 46, 445

third-party security providers, 411

training employees, 466

user accounts, 169–177

security professionals, 3–5

security through obscurity, 112

security training, 465–476

follow-up on, 473–474

key security areas, 467–470

leadership chain-of-command, 524

new threats/trends, 472–473

overview, 465

password behaviors, 470–471

role-based, 466–467

security policy/procedures, 466

sensitive data, 31–32, 44, 147, 148

separation of duties, 33, 148

servers

authentication, 363

authoritative, 328

caching, 328

certificate, 124

DHCP, 288

DNS, 195, 288, 328–329

fault tolerance, 236

Kerberos, 162

RADIUS, 164

redundant, 236

rogue, 288

root CA, 124

SMTP, 334

SSH, 332

server-side validation, 322–323

service provider, 158

Service Set Identifier. See SSID

service ticket, 162

service-level agreement (SLA), 413, 415

services

cloud, 420–422

directory, 307

disabling unnecessary, 206

GPS, 441

network, 219–228

PKI, 120–121

telephony, 270

session cookies, 314

session keys, 86, 88–89, 119

SFTP (SSH-FTP), 331, 332–333

SHA (Secure Hash Algorithm), 102–103, 512

Shamir, Adi, 98

shielded Ethernet cable, 380

shift ciphers, 80

shoulder surfing, 454–455

side-channel attacks, 96

SIDs (security identifiers), 176

SIEM (Security Information and Event Management), 298–299

signage, 392–393

signature-based systems, 284

Simple Mail Transfer Protocol. See SMTP

Simple Network Management Protocol (SNMP), 222–223, 268

single loss expectancy (SLE), 67, 68

single sign-on (SSO), 142, 157, 158

single-factor authentication, 136, 139

site surveys, 369–370

skills/knowledge, 4–5

SLA (service-level agreement), 413, 415

SLE (single loss expectancy), 67, 68

Small Computer System Interface (SCSI), 229–230

smart cards, 136, 140

smart devices, 431

SMTP (Simple Mail Transfer Protocol), 334

SMTP servers, 334

SMTPS (SMTP-Secure), 334

smurf attacks, 277

snapshots, 341–342

sniffers, 259, 284–285, 515. See also protocol analyzers

sniffing, 259, 293, 352

SNMP (Simple Network Management Protocol), 222–223, 268, 298

social engineering, 453–464, 471

authority figures, 459

consensus/social proof, 460

familiarity, 461

impersonation, 456

intimidation, 459–460

overview, 453

principles of effectiveness, 459–462

scarcity, 460–461

tailgating, 456

targets/goals, 453–454

trust, 461–462

urgency, 461

social engineering attacks, 453–459

dumpster diving, 455–456

hoaxes, 457

impersonation, 456

phishing, 193, 194, 457, 472

preventing, 471

shoulder surfing, 454–455

spear phishing, 194, 459

tailgating, 456, 471

vishing, 194, 458

whaling, 194, 457–458

social media networks/applications, 410–411

social networking, 471–472

software

anti-malware, 192, 210–211, 247

antivirus. See antivirus software

legacy, 343

MDM, 245, 433, 434, 471

virus creation, 188, 189

whitelisting/blacklisting, 212

Software-as-a-Service (SaaS), 420–421

source routing, 275

spam, 193, 285–286

spam filtering, 285–286

spanned ports, 259

spear phishing, 194, 459

spim, 194

split DNS architecture, 329

spoofing attacks, 273–274

sprinkler systems, 381

spyware, 190. See also malware

SQL (Structured Query Language), 306

SQL databases, 306, 322

SQL injection attacks, 306–307

SSCP certification, 7

SSH (Secure Shell)

considerations, 109–110

overview, 223, 331–332

remote access, 270

SSH servers, 332

SSH sessions, 223, 332

SSH-FTP (SFTP), 331, 332–333

SSID (Service Set Identifier), 349, 365

SSID broadcasting, 365

SSID hiding/cloaking, 365

SSL (Secure Sockets Layer)

considerations, 97, 108–109

LDAP over SSL, 162

overview, 329–330

TLS and, 108–109

SSMTP (Secure SMTP), 223, 334

SSO (single sign-on), 142, 157, 158

standards

compliance with, 469–470

overview, 42–43

static environments, 241–251

static hosts, 241–253

static NAT, 265

steganography, 78, 110–112

storage. See data storage

storage area networks (SANs), 234

storage segmentation, 441–442

stream algorithms, 84, 93

stream ciphers, 97

striping, 237, 238

Structured Query Language. See SQL

subnetting, 262–263

substitution cipher, 80

succession planning, 523–524

sum, 512

Supervisory Control and Data Acquisition (SCADA), 243

supplicant, 363

support ownership, 444

surveillance cameras, 514

switches, 259, 288

symmetric algorithms, 93–97, 108, 118

symmetric cryptography, 86–88, 119

symmetric key cryptography, 93

SYN flag, 276

SYN flooding, 268, 276

system images, capturing, 513–514

system logs, 294, 295

system RAM, 509

system redundancy, 525

T

tabletop exercise, 526

TACACS (Terminal Access Controller Access Control System), 164–165

TACACS+, 164–165

tailgating, 456, 471

TCP (Transmission Control Protocol), 221

TCP flags, 196

TCP ports, 328

TCP sequence guessing, 275

TCP Wrappers, 251

TCP/IP (Transmission Control Protocol/Internet Protocol), 220–221

TCP/IP protocol suite, 221

TDEA (Triple DES), 95, 97

technical controls, 30, 388

telephony services, 270

Telnet protocol, 331

temperature control, 382

temperature sensors, 380–381

temporal factor, 138

Temporal Key Integrity Protocol (TKIP), 110, 354, 361

Terminal Access Controller Access Control System. See TACACS

TGS (Ticket-Granting Service), 162

TGT (Ticket-Granting Ticket), 162

third-party security providers, 407–417. See also business partnerships

agreements, 413–415

considerations, 411–413

data backups, 412–413

data sharing/ownership, 412

integrating systems/data with, 409–411

onboarding/offboarding, 409–410

privacy issues, 411–412

social media and, 410–411

terminated, 410

unauthorized data sharing, 412

threat agents, 53, 54, 55

threat assessment, 57, 480

threat sources, 53

threats. See also risk management; vulnerabilities

assessing, 57, 480

described, 52–53, 480

host-based, 187–203

impact of, 54–55

likelihood of, 53, 55–58, 481, 482

new trends/alerts, 472–473

probable, 53

relationships, 54

vulnerabilities and, 482

threat-vulnerability pairing, 56

Ticket-Granting Service (TGS), 162

Ticket-Granting Ticket (TGT), 162

time, 138

time-based one-time password (TOTP), 159

timestamping, 162, 275–276, 354, 512

TKIP (Temporal Key Integrity Protocol), 110, 354, 361

TLDs (top-level domains), 200

TLS (Transport Layer Security), 97, 109, 164, 330

tokens, 136–137

top-level domains (TLDs), 200

TOTP (time-based one-time password), 159

TPM (Trusted Platform Module), 231, 233

training, 465–476

follow-up on, 473–474

key security areas, 467–470

leadership chain-of-command, 524

new threats/trends, 472–473

overview, 465

password behaviors, 470–471

role-based, 466–467

security policy/procedures, 466

transitive access, 196

transitive trust, 142, 440

Transmission Control Protocol (TCP), 221

Transmission Control Protocol/Internet Protocol. See TCP/IP

transmission security, 108–110

transport encryption, 108–110

Transport layer protocol, 328

Transport Layer Security (TLS), 97, 109, 164, 330

transport mode, 225

transposition ciphers, 81

traps, 222, 298

trend analysis, 299

Triple DES (3DES), 95, 97

trojans, 189

true value, 85

TrueCrypt, 108, 231

trust, 141–142, 461–462

trust models, 128–129

trust relationships, 143–144, 440

trusted entity authentication, 141–143

trusted OS, 210

Trusted Platform Module (TPM), 231, 233

tunnel mode, 225

Turing, Alan, 80

two-factor authentication, 136

Twofish cipher, 96, 97, 109

type I error, 141

type II error, 141

typo squatting, 200–201

U

UDP (User Datagram Protocol), 164, 221

UDP floods, 268

UDP ports, 328

UIDs (user identifiers), 176

Unified Threat Management (UTM), 286

uninterruptible power supply (UPS), 380

Universal Coordinated Time (UTC), 512

updates. See also patches

anti-malware, 211

antivirus software, 54

ARP poisoning and, 196

automatic, 249

DNS poisoning and, 195

false, 195, 196

firmware, 246, 249–251

manual, 249–250

UPS (uninterruptible power supply), 380

URL hijacking, 200–201

USB devices, 233

USB sticks, 232

user access reviews, 178

user accounts, 169–184. See also administrators; users

considerations, 177

continuous monitoring, 178–179

default, 207–208

disabling, 175, 177, 207–208

expired, 175

guest, 207–208

lifecycle, 169

locking, 176

managing, 169–181

multiple accounts, 179–181

passwords. See passwords

policies, 169–177

privileges, 177–179

recovery of, 176–177

re-creating, 177

re-enabling, 175, 177

shared accounts, 179, 180, 181

User Datagram Protocol. See UDP

user habits, 470–472

user identifiers (UIDs), 176

user-assigned privileges, 177

usernames, 139

users. See also employees; user accounts

access rights, 28–29

groups of. See groups

malicious insider threat, 195

passwords. See passwords

permissions, 148–150

personally owned devices, 471

privacy, 46

privileges. See privileges

rights, 148–150

social engineering and, 471

UTC (Universal Coordinated Time), 512

UTM (Unified Threat Management), 286

UTM devices, 286

V

vacations, mandatory, 33

validation

client-side, 322–323

fuzzing and, 322

input, 305, 308, 322

server-side, 322–323

vehicular computing systems, 246

video, capturing, 447, 514

video surveillance, 395–396

Vigenère cipher, 80

virtual computers. See virtual machines

virtual environments, 337–343

virtual LANs. See VLANs

virtual machine monitors, 338

virtual machines (VMs), 338–341

backups/snapshots, 341–342, 537

hardening, 341

overview, 338–340

risks, 340–341, 425

virtual private networks. See VPNs

virtualization, 337–342

architecture, 338–342

concepts, 337–342

elasticity, 342

host availability, 342

legacy software support, 343

patches, 342

risks, 340–341, 423–425

sandboxing, 343

security, 337–346

virus creation software, 188, 189

viruses. See also antivirus software; malware

armored, 192–193

boot-sector, 188

described, 188

file infectors, 188

new forms of, 472

vs. worms, 188

vishing, 194, 458

VLANs (virtual LANs)

layer 3 switches, 259, 264

management of, 263–264, 288

VMs. See virtual machines

voice over IP (VoIP), 194, 270, 459

VoIP (voice over IP), 194, 270, 459

voltage regulators, 380

VPN concentrators, 282–283, 371

VPN connections, 163, 269, 282–283, 371

VPNs (virtual private networks)

considerations, 370–371

described, 282

over wireless, 370–371

protocols, 164, 165

vulnerabilities. See also attacks; risk; threats

assessing, 57, 480

defined, 52

exploiting, 53

host-based. See host-based threats

impact, 481–482

minimizing, 57–58

relationships, 54

risks associated with, 52

scanning for, 484

threats and, 482

vulnerability scanners, 488

W

walkthrough test, 526–527

WANs (wide area networks), 258

warchalking, 350–351

warded locks, 394

wardriving, 351

warm sites, 536, 537

watering hole attacks, 201

web applications

cookies, 314–315

directory traversal, 308

HTML attachments, 315

HTTP header manipulation, 315

injection attacks, 305–307

integer overflow condition, 308

threats, 307–309, 313–317

XSS attacks, 313–314

web browsers. See also web sites

adware, 189–190

cookies, 314–315

cross-site request forgery, 323–324

cross-site scripting, 313–314

header manipulation, 315

HTML attachments, 315

input validation, 323

legacy, 330

malicious add-ons, 308–309

web of trust model, 99

web security gateways, 282

web sites. See also web browsers

adware, 189–190

cookies, 314–315

directory traversal attacks, 308

DNS poisoning, 195

DNS-related attacks, 328

fake, 457

malicious HTML attachments, 315

malicious sites, 195, 315, 323–324, 328

Pearson Vue, 10

pharming, 195

typo squatting, 200–201

URL hijacking, 200–201

watering hole attacks, 201

XSRF attacks, 323–324

XSS attacks, 313–314, 323

web-of-trust model, 129

WEP (Wired Equivalent Privacy), 97, 110, 354, 359–360

WEP attacks/issues, 354, 371–372

WEP keys, 354, 360, 364

whaling, 194, 457–458

white box test, 485

white hat hackers, 486

whitelisting, 212, 438

wide area networks (WANs), 258

Wi-Fi Alliance, 360, 361

Wi-Fi Protected Access. See WPA

Wi-Fi Protected Setup (WPS), 355

Wired Equivalent Privacy. See WEP

wired networks, 359–360

wireless antennas, 366–371

wireless attacks, 349–355

wireless devices, 350, 354, 360, 361, 362

wireless encryption, 110, 372–373

wireless in-vehicle computing systems, 246

wireless key, 353

wireless networks

antennas, 366–371

authentication, 363–364, 372

Bluetooth technology, 246, 355

captive portals, 368–369

encryption algorithms, 110, 372–373

hardening, 359–375

protocols. See wireless protocols

security issues. See wireless security

site surveys, 369–370

sniffing traffic on, 352

troubleshooting, 371–373

WEP, 97, 110, 354, 359–360

WPA, 354–355, 361, 372

WPA2, 110, 354–355, 361–362, 372

WPS, 355

wireless protocols, 359–362

AES, 96, 97, 109, 354, 362

overview, 359

problems with, 371–372

RC4, 354, 360–361

TKIP, 110, 354, 361

WEP, 97, 110, 354, 359–360

WPA, 354–355, 361

WPA2, 110, 354–355, 361–362

wireless security, 347–375

authentication issues, 363–364, 372

bluejacking, 355

bluesnarfing, 355

Bluetooth attacks, 355

considerations, 365–371

deauthentication attacks, 352–353, 372

encryption issues, 110, 372–373

evil twin attack, 349–350

interference, 350

jamming, 350

legacy clients, 372–373

MAC filtering, 287, 365–366

near field communication, 353

packet sniffing, 352

replay attacks, 353–354

rogue access points, 349–350

SSID issues, 349, 365

threats, 349–358

troubleshooting, 371–373

warchalking, 350–351

wardriving, 351

WEP attacks/issues, 354, 371–372

wireless antennas, 366–371

WPA attacks/issues, 354–355, 372

WPS attacks, 353, 355

Wireshark program, 487

worms, 188

WPA (Wi-Fi Protected Access), 110, 354, 361

WPA attacks/issues, 354–355, 372

WPA Personal Shared Key (WPA-PSK), 354, 361, 362

WPA2 protocol, 110, 354–355, 361–362, 372

WPA2-Personal Shared Key (WPA2-PSK), 361–362

WPA2-PSK (WPA2-Personal Shared Key), 361–362

WPA-ENT (WPA-Enterprise) authentication, 354

WPA-Enterprise (WPA-ENT) authentication, 354

WPA-PSK (WPA Personal Shared Key), 354, 361, 362

WPS (Wi-Fi Protected Setup), 355

WPS attacks, 353, 355

wrappers, 249–251

X

X.509 standard, 119, 120

XMAS attacks, 196, 197

XML (eXtensible Markup Language), 310

XML injection attacks, 307

XOR (eXclusive OR), 84–85

XOR function, 84–85

XSRF (cross-site request forgery) attacks, 323–324

XSS (cross-site scripting), 313–314, 323

XSS attacks, 313–314, 323

XTACACS (Extended Terminal Access Controller Access Control System), 164

Z

zero-day attacks, 309, 473

Zimmermann, Philip, 99

zombies, 191, 276

zone files, 328

zones, security, 328
