Index

A

AAA (authentication, authorization, and accounting), 358

AACS (Advanced Access Content System), 151

ABAC (attribute-based access control), 377

acceptable use policies (AUPs)

content-filtering proxies, 336

e-mail, 678

mobile devices, 469

overview, 67–68

acceptance response for risk, 765–766

access control

auditing, 640

authorization, 371

data compromise factor, 870

electronic systems, 249–250

layered access, 39

mobile devices, 456–457

access control lists (ACLs)

authorization, 374–375

description, 550

firewalls, 325–326

Linux, 531

routers, 321

SIEM, 498

access control matrices, 374–375

access points (APs)

description, 329

placement, 443–444

rogue, 449

test, 340

wireless security, 439–441, 445

access tokens, 249

accounting

configuration status, 822

functions, 370–371

RADIUS, 402–403

TACACS+, 405–406

accounts

auditing, 368

authentication, 359–361

disabling, 61, 65, 369, 521–522

expiration, 60, 369–370

generic, 360

lockouts, 61

maintenance, 367

onboarding and offboarding, 361

policies, 60–62, 363–370

recertifying, 368

recovery, 60–61

vulnerabilities, 642

ACLs. See access control lists (ACLs)

active/active load balancer schemes, 334–335

active defense model, 31

active HIDSs, 489–490

active logging, 893

active NIDSs, 483–484

active/passive load balancer schemes, 335

active reconnaissance testing, 632

Active Server Pages (ASP), 663

active tools

network security, 505

penetration testing, 632

actor attributes, 14–16

ad hoc networks, 272

add-ons, malicious, 666

Additional Decryption Key (ADK), 688

Address Resolution Protocol (ARP)

arp command, 619–620

neighbor discovery, 291

poisoning attacks, 601–602

switch attacks, 321

vulnerabilities, 294–295

address space in IPv4 vs. IPv6, 290–291

ADK (Additional Decryption Key), 688

Adleman, Leonard, 137

administrator accounts

credential policies, 60

default settings, 643

description, 360

disabling, 364

admissibility of evidence, 882

Adobe data breach, 7

Adult Friend Finder data breach, 7

Advanced Access Content System (AACS), 151

advanced persistent threats (APTs)

Cyber Kill Chain, 840

description, 4

groups, 5

incident response, 839–840

overview, 605

persistence, 633

adverse actions, 66–67

adware, 583

AEAD (Authenticated Encryption with Associated Data), 130

RC4, 132

symmetric encryption, 134

AES algorithm

AACS, 151

BitLocker, 453

CBC, 132

CCMP, 439

IETF, 163

key length, 115

overview, 129–130

passwords, 179, 609

WPA2, 433

affinity-based load balancer scheduling, 334

affinity grouping, 790

after-action reports in business continuity, 803

agentless NAC, 332

agents in NAC, 332

aggregation in SIEM, 498

aggregation switch placement, 342

agile software development model, 721

air gaps, 247, 275–276

aircraft, 564–565

aisles, hot and cold, 256

alarms, 241–242

ALE (annualized loss expectancy)

defined, 763

risk calculations, 787, 789

alerts in SIEM, 497–498

all-glass cockpits, 564

all nines keys, 244

alternate data streams, 896

alternative sites for business continuity, 810–811

amplification attacks, 602

analysis

BIA, 772, 802

computer forensics, 891–894

evidence, 881

logs, 487

Registry, 897–898

risk, 784–790

social media, 69

analysis engines

HIDSs, 485–486

IDSs, 475–476

NIDSs, 480–481

analyst-driven log analysis, 487

analytics, 495–496

annualized loss expectancy (ALE)

defined, 763

risk calculations, 787, 789

annualized rate of occurrence (ARO)

defined, 763

risk calculations, 788

anomaly-based IDS model, 477

anomaly detection models, 476

anonymity

anonymization, 953

anonymizing proxies, 336

wireless attacks, 446–447

anonymous FTP, 659

Anonymous group, 14

antenna types and placement, 442

anti-malware

BYOD model, 467

overview, 535

antivirus (AV) products

BYOD model, 467

overview, 533–535

anycast messages, 291

Anything as a Service (XaaS), 699

API (application programming interface)

cloud computing, 714

digital certificates, 200

inspection and integration, 706

app stores for mobile devices, 460–461

appliances

all-in-one, 338

firewalls, 328

NIDSs, 481

operating systems, 518

UTM, 339

application attacks, 735

attachments, 740

buffer overflow, 738–739

cross-site request forgery, 739–740

cross-site scripting, 735–736

directory traversal, 738

injections, 736–738

integer overflow, 739

locally shared objects, 740

OVAL, 741

remote code execution, 741

zero day, 740

application cells in virtualization, 314

application layer proxies in firewalls, 325

application-level attacks, 586

application programming interface (API)

cloud computing, 714

digital certificates, 200

inspection and integration, 706

application server guides, 567–568

applications

authentication, 389

baselines, 543, 546

blacklisting, 522, 538

cloud computing, 709

cryptographic, 152–153

hardening, 542–547, 742–745

log files, 861

mobile devices, 452, 457–459

patches, 543–545

vulnerabilities, 645

vulnerability scanners, 546–547

vulnerability testing, 635–636

weaknesses, 668–670

whitelisting, 522, 538

applied cryptography, 148

applications, 152–153

cipher suites, 153–162

cryptographic attacks, 174–179

key terms, 181–182

lab projects, 183

PGP, 165–167

quizzes, 182–183

review, 181

S/MIME, 162–164

secure protocol use cases, 172–174

secure protocols, 169–172

standards, 179–180

steganography, 167–168

uses, 149–153

AppLocker, 524–525, 538–539

APTs. See advanced persistent threats (APTs)

arbitrary code execution, 741

architecture considerations in BYOD model, 468

archive bit, 805

archiving keys, 218–219

ARLs (authority revocation lists), 211

armored viruses, 580

ARO (annualized rate of occurrence)

defined, 763

risk calculations, 788

ARP. See Address Resolution Protocol (ARP)

arp command, 619–620

artifacts in forensics, 896

ASA (Attack Surface Analyzer), 527

Asia, privacy laws in, 951

ASP (Active Server Pages), 663

ASP.NET, 663

assertion service in XKMS, 228

assertion status service in XKMS, 228

asset value (AV) in risk calculations, 788

assets

defined, 762

management policies, 55

mobile devices, 456

risk management, 780

assurance, 114

asymmetric encryption, 135–140

Asynchronous Transfer Mode (ATM), 281

Atbash cipher, 121

attachments, 740

Attack Surface Analyzer (ASA), 527

attack surfaces

description, 41

minimization, 722–723

attacks, 574

address, 599

advanced persistent threats, 605

amplification, 602

application. See application attacks

avenues, 575–576

brand-name, 13–14

cache poisoning, 599–602

client-side, 603–604

cryptographic, 174–179

domain hijacking, 602

DoS, 587–590

driver manipulation, 604–605

encryption, 597–598

frameworks in incident response, 838–842

key terms, 610–611

lab projects, 613

malicious code, 576

malware. See malware

man-in-the-browser, 596

man-in-the-middle, 595–596

pass-the-hash, 602–603

password, 177–178, 605–609

quizzes, 611–613

replay, 597

review, 610

scanning, 597

sniffing, 591

social engineering, 90–99

spoofing, 592–595

TCP/IP hijacking, 595

transitive access, 597

attestation, 388, 515

attribute-based access control (ABAC), 377

attributes

actor, 14–16

certificates, 202–205

identity, 378

multifactor authentication, 398–399

auditability in CIA of security, 28

auditing

accounts, 367–368

cloud, 703–704

configuration, 822

overview, 639–640

usage, 367–368

Authenticated Encryption with Associated Data (AEAD), 130

RC4, 132

symmetric encryption, 134

authentication, 358–359

vs. access control, 371

account policies, 363–370

accounts, 360

attestation, 388

authorization, 370–378

basic, 382

biometric efficacy rates, 393–396

biometric factors, 391–393

certificates, 385

CIA of security, 28

cloud vs. on-premises requirements, 416

connections, 416–417

cryptography, 150, 162

data loss and theft prevention, 415

databases, 415

digest, 382–383

directory services, 387

federation, 387–388

groups, 361–362

identity, 378–380

Kerberos, 383–384

key terms, 419–420

knowledge-based, 386–387

lab projects, 423

logs, 862

methods, 381–387

mobile devices, 456, 458–459

multifactor, 396–399

mutual, 384–385

protocols, 406–413

quizzes, 420–422

RADIUS, 401

references, 417

remote access. See remote access

review, 418–419

roles, 362–363

single sign-on, 365–366

TACACS+, 404

technologies, 388–390

tokens, 385–386

transitive trusts, 388

users, 359–360

wireless security, 437–439

authentication, authorization, and accounting (AAA), 358

authentication servers (ASs), 383

Authenticode system, 666–667

authority factor in social engineering, 89

authority revocation lists (ARLs), 211

authorization

access control, 371

access control lists, 374–375

attribute-based access control, 377

conditional access, 377–378

description, 370–371

discretionary access control, 376

mandatory access control, 375–376

penetration testing, 631–632

permissions, 371–374

RADIUS, 402

role-based access control, 376–377

rule-based access control, 377

social engineering factor, 90–91

TACACS+, 404–405

autofill fields, 670

automation, 551–555

home, 561–562

policy enforcement, 55

SIEM, 498

software development, 750

autonomous systems (ASs), 303

AutoPlay feature, 252–253

Autopsy tool, 629

availability

business risks, 775

CIA of security, 28

cloud, 704–705

risk management, 767

avoidance response for risk, 765

B

Back Orifice (BO) trojan, 578

backdoors

description, 102–103, 585

incident response, 839

backout plans in change management, 824

backup generators

business continuity, 812

power protection, 261

backup power, 261

backups

business continuity, 804–810

data, 56

frequency and retention, 806–808

lifetime, 350

restoration order, 811

storage, 808–810

strategies, 805

types, 805–806

badges, 250

bandwidth

band selection, 441

coaxial cable, 344

fiber-optic cable, 346

hubs, 317

IPv6, 292

monitoring, 864

packets, 282

QoS, 305

wireless communications, 441–442

banking rules and regulations, 946

banner grabbing, 505–506

barricades, 240

Basel Committee on Banking Supervision, 761–762

baselines

application configuration, 742

applications, 543, 546

change management, 821–822

controls, 767

host software, 546

machine hardening, 523–524

operating system hardening, 524–525

overview, 513, 522–523

risk assessment, 790

software development, 753, 828–829

Unix, 529–530

basic authentication, 382

Basic Input/Output System (BIOS)

boots, 237

hardening, 514

settings, 251

basic packet filtering in firewalls, 325

basic service set identifiers (BSSIDs), 440

batch mode in HIDSs, 485

BCPs (business continuity plans), 801–802

Bcrypt key-stretching mechanism, 157

beacon frames for access points, 440

behavior-based IDS model, 477

Bell-LaPadula security model, 43–44

benchmarks, 566–568

Bernstein, Daniel, 132

best evidence rule, 879

best practices

Critical Security Controls, 568

incident response, 867–868

investigations, 854

risk management, 791–792

training for, 76

BGP (Border Gateway Protocol), 303

BIA (business impact analysis), 772, 802

Biba security model, 44–45

big data

analytics, 495–496

e-discovery, 901

handling, 549

binary diversity in software development, 749

binary risk assessment, 784

binding corporate rules (BCRs) in GDPR, 950

biometrics

authentication, 391–393

description, 250

efficacy rates, 393–396

mobile devices, 455

BIOS (Basic Input/Output System)

boots, 237

hardening, 514

settings, 251

birthday attacks, 175, 608–609

BIS (Bureau of Industry and Security), 918

Bitcoin, 153

BitLocker

filesystem encryption, 152

full disk encryption, 453

system hardening, 524–525

black-box testing

software development, 728–729

system tests, 638

black hat hacking, 639

blacklisting

applications, 458, 522, 538

e-mail, 680

BLE (Bluetooth Low Energy), 426

blind FTP, 657–658

block ciphers, 128

block lists for spam, 683

block symmetric encryption, 134

blockchains, 153

blocking, USB, 499–500

Blowfish ciphers, 131–132

Blu-ray discs, 350

Bluebugging, 450

Bluejacking, 449

Bluesnarfing, 450

Bluetooth

attacks, 449–450

connections, 425–426

disabling, 457

mobile devices, 558

Bluetooth Low Energy (BLE), 426

bollards, 239–240

boot sector viruses, 579

bootdisks, 236–237

booting

measured boot method, 515

secure, 237, 515

Border Gateway Protocol (BGP), 303

Bork, Robert, 944

Bosch, Robert, 564

Bot Roast operation, 3, 582

botnets

description, 582

DNS sinkholes, 495

spam, 675

BPAs (business partnership agreements), 80

BPDU (Bridge Protocol Data Unit) guards, 319

brand-name attacks, 13–14

breaches

business risks, 773

consequences, 931–932

examples, 6–7

privacy, 957

Brewer-Nash security model, 44

Bridge Protocol Data Unit (BPDU) guards, 319

bridges, 317

bring-your-own-device (BYOD)

mobile devices, 465–469

in offboarding, 66

policies, 69–70

British thermal units (BTUs), 255

broad network access in cloud computing, 698

broadcast domains, 274

broadcast storm prevention, 319

broadcasts

hubs, 501

IP addresses, 300

microwave media, 348

browser helper objects (BHOs), 666

browsers

code-based vulnerabilities, 660

plug-ins, 665–666

vulnerabilities, 662–663

brute force password attacks, 177–178, 607–609

BTUs (British thermal units), 255

buffer overflow, 586, 738–739

bug tracking in software development, 734–735

bump keys, 243–244

Bureau of Industry and Security (BIS), 918

burning data, 938

Burp Suite tools, 630

bus topologies, 270

business continuity, 800

after-action reports, 803

alternative sites, 810–811

backups, 804–810

business continuity plans, 801–802

business impact analysis, 802

COOP, 813

critical systems identification, 802

failover, 803–804

key terms, 831

quizzes, 832–834

recovery, 812–813

restoration order, 811

review, 830–831

risk assessment, 803

single points of failure, 802–803

succession planning, 803

utilities, 812

business continuity plans (BCPs), 801–802

business impact analysis (BIA), 772, 802

business partners

onboarding and offboarding, 66

risk management, 79

business partnership agreements (BPAs), 80

business risks, 770–775

busses, 563–564

BYOD (bring-your-own-device)

mobile devices, 465–469

in offboarding, 66

policies, 69–70

C

CA certificates, 202–203

cabinets, secure, 247

cable

coaxial, 344

fiber-optic, 346–347

protected, 247

shielding, 261

UTP/STP, 345

cable locks, 248

cable modems, 330

caches

DNS queries, 676

forensics, 897

poisoning, 599–602

caching proxies, 336

CACs (Common Access Cards), 380, 385

California Senate Bill 1386 (SB 1386), 946

call detail records (CDRs), 863

call managers, 862–863

callback verification for e-mail, 680

Cambridge Analytica breach, 932

cameras

CCTV, 245, 885

cell phones, 104

drones, 262, 564

metadata, 866

mobile devices, 454, 462

protecting, 559

camouflage

industrial, 242

software development, 744

campus area networks (CANs), 269

CAN bus (controller area network bus), 563–564

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 680, 914–915

Canada

computer trespass, 912

digital signature laws, 921

privacy laws, 950

canonicalization errors, 732–733

CANs (campus area networks), 269

Capability Maturity Model Integration (CMMI), 826–827

CAPI (Cryptographic Application Programming Interface) environment, 213

Capone, Al, 910

captive portals, 446

capture-the-flag events, 73

cards for physical access, 249–250

Carlisle Adams and Stafford Tavares (CAST) algorithm

description, 130

PGP, 165, 687–688

carrier unlocking for mobile devices, 461–462

CAs. See certificate authorities (CAs)

CASBs (Cloud Access Security Brokers), 708–709

case law for cybercrime, 911

CAST (Carlisle Adams and Stafford Tavares) algorithm

description, 130

PGP, 165, 687–688

cat command, 623

Category x cable, 345

cause-and-effect risk analysis, 790

CBC (Cipher Block Chaining), 133

CC (Common Criteria), 179–180

CCBs (change control boards), 824–826

CCMP (Counter Mode/CBC-MAC Protocol), 439

CCTV (closed-circuit television) cameras, 245, 885

CDs (compact discs), 350

cellular connections, 425

centralized infrastructures in PKI, 215–220

CER (crossover error rate) in biometrics, 395

.cer file extension, 206

certificate authorities (CAs), 186–187

in-house, 189

internal, 213

online vs. offline, 191

outsourced, 189–191

PKIX, 222

public, 188–189

root, 196

subordinate, 194

trust models, 193–195

trust relationships, 193

certificate chaining, 193–194

Certificate Enrollment Protocol (CEP), 228

Certificate Management Protocol (CMP), 226

certificate policies (CPs), 188–189

certificate revocation lists (CRLs), 209–211, 215

certificate servers, 187

certificate signing requests (CSRs), 208

certificates

attributes, 202–205

authentication, 385

classes, 198–200

extensions, 200–201

fields, 197–198

formats, 206–207

identity, 379

life cycles, 207–212

paths, 195–197

PKI, 186–187

repositories, 212–215

threats, 220–221

TLS, 654

validating, 215

certification practices statements (CPSs), 187

CERTs (computer emergency response teams), 837

CFAA (Computer Fraud and Abuse Act), 911, 914–915, 943

ChaCha20 cipher, 132

chain of custody for evidence, 880

Challenge-Handshake Authentication Protocol (CHAP), 409

change control, 54

change control boards (CCBs), 824–826

change management, 800–801

backout plans, 824

change control boards, 824–826

CMMI, 826–827

code integrity, 825–826

elements, 821–822

implementing, 823–824

key terms, 831

lab projects, 835

overview, 817–819

policy, 54

quizzes, 832–834

review, 830–831

risk strategies, 778–779

scope, 819

separation of duties, 819–821

software development, 752–753

channel overlays in wireless security, 443

CHAP (Challenge-Handshake Authentication Protocol), 409

checksums, 887

Children’s Online Privacy Protection Act (COPPA), 943–944

chip cards, 390

chmod command, 624

choice factor in PII, 935

choose your own device (CYOD) deployment model, 465

chosen cipher text attacks, 175

Christmas attacks, 597

CIA of security, 28

CIP (Critical Infrastructure Protection) standards, 565

Cipher Block Chaining (CBC), 133

cipher locks, 244

cipher modes in symmetric encryption, 133–134

cipher suites, 153–154

common use cases, 161–162

ephemeral keys, 157

implementation vs. algorithm selection, 160–161

key escrow, 156

key exchange, 155–156

key stretching, 157

secret algorithms, 155

session keys, 156–157

strong vs. weak, 154

transport encryption, 157–160

weak/deprecated algorithms, 154–155

ciphertext, 117

CIRTs (cyber incident response teams), 837–838, 848–849, 857–858

Citibank incident, 2

Clark-Wilson security model, 45–46

classes of digital certificates, 198–200

classification of information, 56

clean-agent fire suppression systems, 257

clean desk policies, 69, 104

click fraud, 909

clickjacking, 604

client-side attacks, 603–604, 669–670

client-side validation in software development, 743

client-to-server tickets, 383

clients, network, 270

Clipper chip, 220

closed-circuit television (CCTV) cameras, 245, 885

closed ports, 504

Cloud Access Security Brokers (CASBs), 708–709

cloud-based DLPs, 500

cloud-based vulnerabilities, 641

cloud computing, 696–697

application security, 709

authentication requirements, 416

characteristics, 697–698

Cloud Access Security Brokers, 708–709

cloud-native controls vs. third-party solutions, 710–711

cloud service providers, 701–702

compute aspects, 706–707

containers, 714

edge computing, 713

firewalls, 709–710

fog computing, 713

forensics, 901–902

key terms, 716

lab projects, 719

level of control, 699–700

microservices, 714

networks, 705–706

quizzes, 717–718

review, 716

risks, 793–794

Security as a Service, 707–708

security controls, 702–707

serverless architecture, 715

service models, 698–699

services integration, 700

storage, 550, 704–705

thin clients, 713

types, 700–701

VDI/VDE, 712

virtualization, 711–712

cloud-native controls vs. third-party solutions, 710–711

cloud service providers (CSPs), 701–702

CMF (collection management framework), 867

CMMI (Capability Maturity Model Integration), 826–827

CMS (Cryptographic Message Syntax), 164

coaxial cable, 344

Cobalt Strike application, 630

COBIT (Control Objectives for Information and Related Technologies), 766

COBO (corporate-owned business-only) deployment model, 465

code

change management, 825–826

injection attacks, 736–738

malicious, 576

quality and testing, 745–748

reuse, 744

third-party risks, 777

code analysis, 745–746

code-based vulnerabilities, 660

add-ons, 666

browser, 662–663

code signing, 666–667

cookies, 663–665

Java, 661

JavaScript, 661–662

plug-ins, 665–666

server-side scripts, 663

Code Red worm, 3, 578

code signing

certificates, 204

overview, 666–667

software development, 743

codes of ethics, 63

coding phase in software development, 724–725

Codoso Group, 5

COFEE (Computer Online Forensics Evidence Extractor), 883

cold aisles, 256

cold sites, 811

collection inventory matrix (CIM), 866

collection management framework (CMF), 867

collection of evidence, 881

collector placement, 340

collision attacks, 124, 176

collision domains, 317

command-and-control servers, malware in, 581

command injection attacks, 738

Comment Crew group, 5, 14

Common Access Cards (CACs), 380, 385

Common Criteria (CC), 179–180

common Internet crime schemes, 911

common law, 911

Common Name (CN) field for certificates, 203–204

Common Vulnerabilities and Exposures (CVE), 636–637, 725

Common Vulnerability Scoring System (CVSS), 636–637

Common Weakness Enumeration (CWE), 725

communication plans in incident response, 860

community clouds, 701

community strings in SNMP, 541

compact discs (CDs), 350

company-issued, personally enabled (COPE) deployment model, 465

compensating controls, 770

competent evidence, 879

compiled code and compilers, 748–749

complete mediation, 36–37

complexity of passwords, 60, 364

compliance

CAN-SPAM, 914

DPOs, 937–938

GDPR, 949

ISO/IEC 27002, 180

privacy, 953

SCM, 526

SCT, 527

training for, 76–77

web security gateways, 337

computer-based training (CBT), 74

computer certificates, 204

computer emergency response teams (CERTs), 837

computer forensics, 876–877

analysis, 891–894

BYOD model, 467

data recovery, 882

devices, 899

evidence. See evidence

filesystems, 894–896

hosts, 894–899

investigations, 889–890

key terms, 904

lab projects, 907

legal holds, 900–902

message digest and hash, 890–891

networks, 899–900

process, 880–882

quizzes, 905–907

review, 903–904

tools, 627–629

Computer Fraud and Abuse Act (CFAA), 911, 914–915, 943

Computer Online Forensics Evidence Extractor (COFEE), 883

computer security problem, 1–4

computer trespass, 912

COMSEC, 27

concentrators, VPN, 328–329

Concept virus, 579–580

conditional access, 377–378

conduits for networks, 276

Conficker worm, 3–4

confidential data, 376, 934

confidentiality

CIA of security, 28

cryptography, 149, 161

models based on, 42–43

configuration

auditing, 822

change management, 778–779, 821–822

guides, 566–568

hardening, 520–521

identification, 821

network devices, 540–541

status accounting, 822

validation, 552–553

vulnerabilities, 637–638, 641

configuration management, 32, 801

confusion in cryptography, 116

connections

authentication, 416–417

SSH, 411

wireless security, 425–429

consensus factor in social engineering, 89

consent factor in PII, 935

constrained data items (CDIs), 45–46

constraints in cryptography, 162

contactless access cards, 243

containers

cloud, 707, 714

mobile devices, 456

virtualization, 314

containment in incident response, 851–852

content-based signatures, 478

content filters

e-mail, 680

Internet, 338

proxies, 336

content inspection, 339

content management for mobile devices, 453

content monitoring by web security gateways, 337

Content Scramble System (CSS), 151

context-aware authentication, 456

context-based signatures, 478–479

contingency planning, 816

continuing education, 76

continuity of operations planning (COOP), 813

continuous lighting, 241

continuous monitoring, 552, 750

continuous operations in software development, 750–751

continuous risk management, 764

contractors in social engineering attacks, 91

Control Objectives for Information and Related Technologies (COBIT), 766

control systems for networks, 276

controller area network bus (CAN bus), 563–564

controller-based access points, 441

controllers

data, 937

domain, 363

wireless security, 445

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 680, 914–915

controls

cloud computing, 702–707

defined, 763

risk management, 767–770, 781–782

testing, 316

vulnerability testing, 637

Convention on Cybercrime, 912–913

convergence, 250

cookies

cookie cutters, 951–952

disabling, 665

Flash, 740

ISAKMP, 225

privacy issues, 955–956

vulnerabilities, 663–665

COOP (continuity of operations planning), 813

Coordinated Universal Time (UTC), 899

COPE (company-issued, personally enabled) deployment model, 465

COPPA (Children’s Online Privacy Protection Act), 943–944

copyright issues, 922–923

Core Impact tools, 630

corporate-owned business-only (COBO) deployment model, 465

corrective controls, 770

correctness considerations in security, 18

correlation

correlation engines, 341

SIEM for, 497–498

cost/benefit risk analysis, 790

cost considerations for firewalls, 709–710

cost-effectiveness risk modeling, 791

Counter Mode (CTM), 133–134

Counter Mode/CBC-MAC Protocol (CCMP), 439

counterintelligence gathering, 893

countermeasures, 763

Cozy Bear group, 14

CPSs (certification practices statements), 187

Credential Guard, 526

credentials

authentication, 360

harvesting, 97

managing, 366

mobile devices, 458

policies, 58–60

vulnerability scans, 635

credit cards

breaches, 6–7

card verification code, 872

data masking, 952

data minimization, 870

FACTA, 947

PCI DSS, 916

criminal organizations, 12–13

critical bugs in software development, 734

critical certificate extensions, 202

critical data, 934

Critical Infrastructure Protection (CIP) standards, 565

critical infrastructure threats, 13

critical systems

business risks, 772

identifying, 802

CRLs (certificate revocation lists), 209–211, 215

cross-certification certificates, 203

cross-site request forgery (XSRF) attacks, 739–740

cross-site scripting (XSS), 669, 735–736

crossover error rate (CER) in biometrics, 395

cryptanalysis, 112–113

crypto-malware, 582

crypto modules, 161

cryptocurrencies, 153

Cryptographic Application Programming Interface (CAPI) environment, 213

Cryptographic Message Syntax (CMS), 164

cryptographic service providers (CSPs), 160–161

cryptographically random numbers, 727

Cryptographically Secure Random Number Generator (CSPRNG) algorithms, 122

cryptography, 112–113. See also encryption

algorithms, 115

applied. See applied cryptography

asymmetric encryption, 135–140

attacks, 174–179

failures, 726–728

fundamental methods, 114–115

hashing functions, 123–127

historical perspectives, 117–123

homomorphic encryption, 141–142

key length, 115–116

key management, 122

key terms, 144

lab projects, 147

lightweight, 141

objectives, 116–117

one-time pads, 121

post-quantum, 140–141

in practice, 113–114

quantum, 140

quizzes, 145–146

random numbers, 122–123

references, 142

review, 143–144

symmetric encryption, 127–134

CryptoLocker ransomware, 577

cryptomalware, 577

CSF (Cyber Security Framework), 565

CSPRNG (Cryptographically Secure Random Number Generator) algorithms, 122

CSPs (cloud service providers), 701–702

CSPs (cryptographic service providers), 160–161

CSRs (certificate signing requests), 208

CSS (Content Scramble System), 151

Cuckoo sandbox, 622

curl command, 620–621

current threat environment, 4–8

curves in elliptic curve cryptography, 138–139

custodians of data, 937

custom firmware for mobile devices, 461

customer data, PII in, 936

CVE (Common Vulnerabilities and Exposures), 636–637, 725

CVSS (Common Vulnerability Scoring System), 636–637

CWE (Common Weakness Enumeration), 725

cyber incident response teams (CIRTs), 837–838, 848–849, 857–858

cyber kill chain model, 840–841

Cyber Observable Expression (CybOX), 869, 871–872

Cyber Security Framework (CSF), 565

cybercrime, 909–910

common Internet schemes, 911

computer trespass, 912

Convention on Cybercrime, 912–913

digital rights management, 922–923

digital signature laws, 920–922

encryption debate, 910–911

import/export encryption restrictions, 918–919

key terms, 927

laws, 911, 913–916

PCI DSS, 916–917

quizzes, 927–929

review, 926

Cybersecurity Framework model, 29–30

cybersecurity kill chains, 18–19

Cybersecurity Unit, 868

cyberwar, 3

CybOX (Cyber Observable Expression), 869, 871–872

CYOD (choose your own device) deployment model, 465

D

DAC (discretionary access control), 373, 376

daemons, 530

dashboards in SIEM, 496

data

backups. See backups

classification, 526

collection models in incident response, 866–867

disposal and destruction, 57–58, 938–940

exfiltration, 773

governance, 57

labeling and handling, 57, 931, 933–936

need to know principle, 57–58

policies, 55–58

poor practices, 103

privacy. See privacy

recovery. See recovery

retention, 57, 872, 931

data at rest

protecting, 548

transport encryption, 160

data-based security controls, 547–550

Data Breach Investigations Report (DBIR), 16

data breaches

business risks, 773

consequences, 931–932

examples, 6–7

privacy, 957

Data Encryption Standard (DES)

keys in, 115

symmetric encryption, 128–129

Data Execution Prevention (DEP), 517

data exposure in software development, 745

data in transit

protecting, 548

transport encryption, 160

data in use

protecting, 548

transport encryption, 160

data loss prevention (DLP)

authentication, 415

cloud-based, 500

description, 338

e-mail, 500, 685

hardening, 535–536

USB blocking, 499–500

data loss risk, 773, 779

data masking, 952

data minimization, 952

Data Over Cable Service Interface Specification (DOCSIS), 330

data owners

BYOD model, 466

defining, 56

privacy, 936

role-based training, 74

data privacy officers (DPOs), 937–938

data processors, 937

data protection

European statutes, 948–950

web security gateways, 337

data roles in privacy, 936–938

data sharing, unauthorized, 56

data sources in incident response, 860

data sovereignty of backups, 810

databases

encryption, 152–153, 548–549

protecting, 415

datagrams, 284–285

Daubert standard, 878–879

DBIR (Data Breach Investigations Report), 16

DCSs (distributed control systems), 560

dd command, 627–628

DDoS (distributed denial-of-service) attacks

firewalls for, 326

mitigators, 341

overview, 588–589

de Guzman, Onel, 3

dead code, 744

decentralized infrastructures in PKI, 215–220

deception and disruption technologies, 493–495

decision trees, 486

default deny, 35, 643

defaults

fail-safe, 35–36

settings, 643

defense in depth, 38–39

defenses for social engineering, 90

degaussing data, 58, 939

delay-based filters for e-mail, 680

delivery phase in software development, 751

delta backups, 806

demilitarized zones (DMZs)

firewalls, 41, 273–274

intranets, 279

networks, 277–278

segments, 272–273

demonstrative evidence, 878

denial-of-service (DoS) attacks

Bluetooth, 449–450

DDoS, 326, 341, 588–589

defending against, 589–590

ICMP, 288

overview, 587–588

smurf, 589

war-dialing and war-driving, 590

DEP (Data Execution Prevention), 517

Department of Justice, incident response best practices, 868

deployment models for mobile devices, 465–469

deployment phase in software development, 729, 751

deprecated algorithms and functions

cipher suites, 154–155

software development, 728

deprovisioning in software development, 753–754

DER (distinguished encoding rules) format, 206

DES (Data Encryption Standard)

keys in, 115

symmetric encryption, 128–129

design phase in software development, 724

Desired State Configuration (DSC), 526–527

destruction

certificate keys, 212

data, 57–58, 938–940

detection in incident response, 849–850

detective controls, 770

deterrent controls, 769–770

development environments. See software development

devices

credential policies, 59

fire detection, 258–259

forensics, 899

locks, 244

mobile. See mobile devices

placing, 340–342

protecting, 311–313

removal in incident response, 853

theft, 253–255

wireless, 329

DevOps, 749–751

DH (Diffie-Hellman) algorithm, 136

ECDH, 136–137

groups, 136

PGP, 165

DHCP (Dynamic Host Configuration Protocol)

modems, 330

overview, 298–299

snooping, 320

DHE (Diffie-Hellman Ephemeral) algorithm, 137

diagnostics for networks, 332–333

Diameter suite, 403

Diamond Model of Intrusion Analysis, 842

dictionary password attacks, 177, 606–607

differential backups, 805–806

differential cryptanalysis, 113

Diffie, Whitfield, 135

Diffie-Hellman (DH) algorithm, 136

ECDH, 136–137

groups, 136

PGP, 165

Diffie-Hellman Ephemeral (DHE) algorithm, 137

diffusion in cryptography, 116

dig command, 615–616

digest authentication, 382–383

digital certificates. See certificates

Digital Millennium Copyright Act (DMCA), 922–923

digital rights management (DRM)

cryptography, 151–152

overview, 922–923

digital sandboxes, 493

Digital Signature Algorithm (DSA), 125

digital signatures

applied cryptography, 150–151

asymmetric encryption, 136

IDSs, 478–479

laws, 920–922

digital video discs (DVDs), 350

direct evidence, 878

direct-sequence spread spectrum (DSSS), 430

directory services

description, 387

LDAP, 173, 400

web, 657–658

directory traversal, 738

disabling

accounts, 61, 65, 369, 521–522

administrator accounts, 364

AutoPlay, 253

Bluetooth, 457

cookies, 665

e-mail, 66

passwords, 521–522

ports and services, 520

SSL, 154

unused features, 457

USB support, 252

disassociation attacks, 451

disaster recovery, 800, 813–814

business functions, 815

IT contingency planning, 816

key terms, 831

process, 814–815

quizzes, 832–834

review, 830–831

RTO and RPO, 817

testing, 816–817

disaster recovery plans (DRPs), 801–802, 814–815

discovery tools, 615–622

discretionary access control (DAC), 373, 376

diskettes, 349

displays, 557

disposal of data, 57–58, 938–940

Disposal Rule, 947

distance issues for backups, 810

distinguished encoding rules (DER) format, 206

Distinguished Names, 213

distributed control systems (DCSs), 560

distributed denial-of-service (DDoS) attacks

firewalls for, 326

mitigators, 341

overview, 588–589

distribution, protected, 247

distributive allocation, 555

diversity

defense, 40–41

software, 748–749

DKIM (DomainKeys Identified Mail), 684

DLLs (dynamic link libraries), 738

DLP. See data loss prevention (DLP)

DMCA (Digital Millennium Copyright Act), 922–923

DMZs. See demilitarized zones (DMZs)

DNS. See Domain Name System (DNS) protocol

DNS over HTTPS (DoH), 297–298

dnsenum tool, 622

DNSSEC (Domain Name System Security Extensions), 169, 296–297, 601

DOCSIS (Data Over Cable Service Interface Specification), 330

document integrity, cryptography for, 150

documentary evidence, 878

documented incident types and categories in incident response, 848

DoH (DNS over HTTPS), 297–298

DOM-based XSS attacks, 736

Domain Name System (DNS) protocol

DHCP, 298–299, 320

DNS over HTTPS, 297–298

DNSSEC, 169, 296–297, 601

e-mail checks, 680

kiting, 599

logs, 862

operation, 297

poisoning, 599–601

queries, 676

remote packet delivery, 295–296

secure protocol, 173

sinkholes, 495

Domain Name System Security Extensions (DNSSEC), 169, 296–297, 601

DomainKeys Identified Mail (DKIM), 684

domains

cookies, 664

hijacking, 602

passwords, 363–365

validating, 205

doors, 244

DoS attacks. See denial-of-service (DoS) attacks

Downadup worm, 3–4

downgrade attacks, 176

DPOs (data privacy officers), 937–938

drills, emergency, 257

drive-by download attacks, 604

drive images, 238, 890

driver manipulation attacks, 604–605

DRM (digital rights management)

cryptography, 151–152

overview, 922–923

drones, 262, 564–565

DRPs (disaster recovery plans), 801–802, 814–815

DSA (Digital Signature Algorithm), 125

DSC (Desired State Configuration), 526–527

DSSS (direct-sequence spread spectrum), 430

dual control in PKI, 219

dual power supplies, 261–262

due care and due diligence policies, 70–71

due process policies, 71

dump files, 862

dumpster diving, 58, 94, 102

duplication of drives in incident response, 855

Duqu malware, 5–6

duties, separation of, 35, 46, 64, 819–821

DVDs (digital video discs), 350

dynamic code analysis, 746–747

Dynamic Host Configuration Protocol (DHCP)

modems, 330

overview, 298–299

snooping, 320

dynamic learning in port security, 319

dynamic link libraries (DLLs), 738

dynamic NAT, 302

dynamic resource allocation, 706

Dynamite Panda group, 5

E

e-discovery (electronic discovery), 900–901

e-mail

antivirus scanning, 534

certificates, 205

DKIM, 684

DLP, 500, 685

encryption, 685–689

gateways, 679–685

greylisting, 682–683

hoaxes, 678–679

key terms, 692

lab projects, 695

malicious code, 676–678

metadata, 865

MIME, 673–674

operation, 670–672

popularity, 650

quizzes, 693–694

relaying, 682

review, 691–692

secure protocol, 173

security, 674–679

spam, 675–676, 679–681, 683

SPF, 683–684

spoofing, 592

structure, 672–673

usage policies, 68

E-Sign law (Electronic Signatures in Global and National Commerce Act), 920

EAP (Extensible Authentication Protocol)

description, 408

wireless security, 437

WPS, 433

EAP-FAST protocol, 437

EAP-TLS protocol, 437

EAP-TTLS protocol, 438

EAPOL (Extensible Authentication Protocol over LAN), 400

EAR (Export Administration Regulations), 918

Early Launch Anti-Malware (ELAM), 525–526

east-west traffic, 279

eavesdropping, 259–260

eBay

data breach, 7

fraud target, 909

ECB (Electronic Codebook), 133

ECC (elliptic curve cryptography), 138–139

ECDH (Elliptic Curve Diffie-Hellman) algorithm, 137

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) algorithm, 137

Eck, Wim van, 259

Eck phenomenon, 259

economy of mechanism, 36

ECPA (Electronic Communications Privacy Act), 913–914

edge computing, 713

EDRM (Electronic Discovery Reference Model), 901

EER (equal error rate) in biometrics, 395

EFS (Encrypting File System), 152

Egghead breach, 932

egress e-mail filtering, 681

802.1X standards. See IEEE 802.1X standards

ELAM (Early Launch Anti-Malware), 525–526

elasticity

cloud computing, 698

description, 555

software development, 751–752

virtualization, 316

electric grid, 4, 8

electrical power protection, 260–262

electromagnetic environments, 259–260

electromagnetic interference (EMI)

Faraday cages, 247–248

shielding, 516

electromagnetic pulse (EMP), 516

electronic access control systems, 249–250

Electronic Codebook (ECB), 133

Electronic Commerce Directive, 922

Electronic Communications Privacy Act (ECPA), 913–914

electronic discovery (e-discovery), 900–901

Electronic Discovery Reference Model (EDRM), 901

electronic media, 351–352

electronic medical records (EMR) systems, 945

Electronic Signatures in Global and National Commerce Act (E-Sign law), 920

Elfin group, 5

ElGamal algorithm, 138

eliciting information in social engineering, 95

elite hackers, 11

elliptic curve cryptography (ECC), 138–139

Elliptic Curve Diffie-Hellman (ECDH) algorithm, 137

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) algorithm, 137

embedded systems, 558–559

emergency changes, 819

emergency lighting, 241

emergency power-off (EPO) switches, 261

EMI (electromagnetic interference)

Faraday cages, 247–248

shielding, 516

EMP (electromagnetic pulse), 516

employees

insider threats, 11–12

policies. See human resources security policies

EMR (electronic medical records) systems, 945

encapsulation, 41, 286

enclaves, network, 273–274

enclosures, secure, 247

Encrypting File System (EFS), 152

encryption. See also cryptography

applications, 458–459

attacks, 597–598

BitLocker, 524–525

cloud, 704

cybercrime debate, 910–911

e-mail, 685–689

homomorphic, 141–142

import/export restrictions, 918–919

man-in-the-middle attacks, 596

methods, 548–549

passwords, 364

software development, 743

transport, 157–160

vulnerabilities, 642–643

web, 652

WPA3, 436

end-entities

certificates, 202–203

PKIX, 222

end of life (EOL), 81, 777

end of service life (EOSL), 81, 777

endpoint detection and response (EDR), 535

endpoints

protecting, 532–539

tunnel, 406, 408

VPN, 413–414

Energetic Bear group, 14

Enforce password history setting, 61, 363

enhanced data rate (EDR), 426

Enigma machine, 119, 175

entanglement in quantum cryptography, 140

Enterprise mode in WPA, 435

entropy in cryptography, 122

environmental controls, 255–256

environments

camera systems, 559

development, 729–730, 827–828

embedded systems, 558–559

game consoles, 559

hardening, 550–551, 555–556

HVAC, 560–561

mainframes, 559–560

peripherals, 556–558

phones and mobile devices, 558

SCADA/ICS, 560

smart devices, 561

special-purpose systems, 562–565

ephemeral keys, 157

EPO (emergency power-off) switches, 261

Epoch time, 898–899

equal error rate (EER) in biometrics, 395

Equation Group, 5, 14

Equifax data breach, 7, 957

equipment failures, 781

eradication phase in incident response, 851–852, 855

errors

software development, 731

vulnerabilities, 642

escalating privileges

incident response, 839

penetration testing, 633

escalation in incident response, 853

escape protection in virtual machines, 315, 712

EternalBlue vulnerability, 577

Ethernet protocol

cable, 344–346

description, 281

hubs, 318

jacks, 236

NICs, 317

packet delivery, 293

switches, 318

ethics, 20, 908–909

codes of ethics, 63

IT code, 924–925

Europe

computer trespass, 912

Convention on Cybercrime, 912–913

digital signature laws, 921–922

DPOs, 938

privacy laws, 948–950

Qualified Certificate, 223

EU–U.S. Privacy Shield Framework, 566

event deduplication in SIEM, 499

event logs in computer forensics, 897

Event Viewer, 861

evidence, 877–878

acquiring, 882–884

chain of custody, 880

hashes, 886–887

identifying, 887

network traffic and logs, 885

protecting, 888

record time offset, 886

rules, 879

screenshots, 887

standards, 878–879

storing, 888–889

system images, 885

tags, 880

transporting, 888

types, 878

video, 885–886

volatility, 884–885

witness interviews, 887

evil twin attacks, 448–449

evolutionary software development model, 721

examination of evidence, 881

exceptions

managing, 31–32

software development, 731

exclusionary rule, 879

exclusive OR (XOR) function in cryptography, 118

executive users, role-based training for, 75–76

exercises for incident response, 849, 858–859

exfiltration, data, 773

exit interviews, 66

expiration

accounts, 60, 369–370

certificates, 209

cookies, 663

passwords, 59–60

explicit FTPS, 659

Export Administration Regulations (EAR), 918

exposure factor (EF)

defined, 763

risk calculations, 788

extended service sets (ESSs), 440

extended validation (EV) certificates, 205

eXtensible Access Control Markup Language (XACML), 377

Extensible Authentication Protocol (EAP)

description, 408

wireless security, 437

WPS, 433

Extensible Authentication Protocol over LAN (EAPOL), 400

extensions

browser, 665–666

certificates, 200–201

external media

mobile devices, 463

storage devices, 557

external threat actors, 15

externalities, 763

extranets, 280

F

Facebook breach, 932

facial recognition, 392

FACTA (Fair and Accurate Credit Transactions Act), 947

fail-safe defaults, 35–36

fail-soft locks, 244

failover process, 803–804

failure to enroll rate (FER) in biometrics, 396

Fair and Accurate Credit Transactions Act (FACTA), 947

Fair Credit Reporting Act (FCRA), 947

Fair Information Practice Principles (FIPPs), 941

fake telemetry, 495

false acceptance rate (FAR) in biometrics, 394–396

false negatives

biometrics, 393–394

IDSs, 479

vulnerability testing, 635

false positives

biometrics, 393–394

IDSs, 479

vulnerability testing, 634

false rejection rate (FRR) in biometrics, 395–396

familiarity factor in social engineering, 89

Family Education Records and Privacy Act (FERPA), 943

Fancy Bear group, 5, 14

Faraday cages, 247–248

fat access points, 441

FBI (Federal Bureau of Investigation)

cybercrime, 910–911

Internet Crime Complaint Center, 911

Operation Bot Roast, 3, 582

FC (Fibre Channel) technology, 344

FCC (Federal Communications Commission), 248

FCoE (Fibre Channel over Ethernet) protocol, 344

FCRA (Fair Credit Reporting Act), 947

FDDI (Fiber Distributed Data Interface), 281

Federal Bureau of Investigation (FBI)

cybercrime, 910–911

Internet Crime Complaint Center, 911

Operation Bot Roast, 3, 582

Federal Communications Commission (FCC), 248

Federal Information Processing Standards Publications (FIPS), 179

Federal Risk and Authorization Management Program (FedRAMP), 766

federation, 387–388

Felten, Edward, 923

fences, 240

Ferguson, Niels, 132

Fiber Distributed Data Interface (FDDI), 281

fiber-optic cable

cut incident, 4

overview, 346–347

Fibre Channel (FC) technology, 344

Fibre Channel over Ethernet (FCoE) protocol, 344

FIDO Alliance, 393

File Transfer Protocol (FTP), 413, 657

fileless malware, 580

files

encryption, 549

manipulation tools, 623–624

metadata, 865–866

permissions, 371–374

transferring, 173, 657–658

filesystems

computer forensics, 894–896

encryption, 152

filtered ports, 504

filters

content, 336, 338, 680

firewalls, 325

Internet, 338

MAC, 320–321

placing, 341

screen, 248

spam, 679–681

switches, 318

URL, 339

wireless security, 445–446

financial business risks, 774

financial PII, 935–936

fines for breaches, 932

fingerprint scanners, 391

FIPPs (Fair Information Practice Principles), 941

FIPS (Federal Information Processing Standards Publications), 179

fire suppression, 256–259

firewalls, 322–324

auditing, 640

cloud computing, 709–710

DMZs, 277–278

e-mail, 670

HIPSs, 490

host-based, 536–538

NGFW, 327

operation, 325–326

placement, 327

stateless vs. stateful, 324

WAFs, 327–328

Windows Firewall, 524

firmware

forensics, 896

hardening, 513–516

mobile devices, 461

updates, 462, 540

version control, 515–516

vulnerabilities, 644

first responders in incident response, 851

fishbone diagrams, 790

flame-activated fire detectors, 259

Flame malware, 5–6

Flash cookies, 740

flash memory–based storage devices, 427

flat networks, 281

floodlights, 241

floods

broadcast storms, 319

MAC, 321

ping, 477–478

spam, 681

SYN, 587–588, 593, 597

floppy disks, 349

fog computing, 713

FOIA (Freedom of Information Act), 942

folder permissions, 371–374

footprinting, 839

for official use only security level, 376

force majeure, 763

forensic images, 238

forensics. See computer forensics

formal security models, 42–46

formats for certificates, 206–207

fortress model, 28

forward proxies, 336–337

fragmentation, packet, 283

Frame Relay, 283

Framework for Improving Critical Infrastructure Cybersecurity, 30

fraud, 96, 780, 909

free space on media, 894–895

Freedom of Information Act (FOIA), 942

frequency of backups, 806–808

Friend Finder Network data breaches, 957

FTK Imager, 628–629

FTP (File Transfer Protocol), 413, 657

FTPS, 170, 413, 659

full backups, 805

full control permission, 371

full device encryption (FDE), 453, 513, 548

full duplex switching, 318

funding for actors, 15

fuzz testing, 729, 746–747

G

gait analysis, 393

Galois Counter Mode (GCM), 130, 133–134

game consoles, 559

gamification, 73

Gantt charts, 791

garbage collection, 745

gateways

cloud, 702

e-mail, 679–685

web security, 337

GCM (Galois Counter Mode), 130, 133–134

General Data Protection Regulation (GDPR), 766, 949–950

general-purpose guides, 568

general risk management model, 779–780

generation of certificates, 207–208

generators

business continuity, 812

power protection, 261

generic accounts, 360

geo-tagging, 454

geofencing, 453

geographic backup considerations, 809

geolocation, 454

GhostNet, 5

glare projection lighting, 241

GLBA (Gramm-Leach-Bliley Act), 915, 940, 945–946

Global Positioning System (GPS)

description, 428

geo-tagging, 454

tagging in mobile devices, 463

globally unique identifiers (GUIDs), 527

GNU Privacy Guard (GPG), 165

governance data, 57

government PII data, 936

GPG (GNU Privacy Guard), 165

GPMC (Group Policy Management Console), 528–529

GPOs (group policy objects), 366, 527

GPS (Global Positioning System)

description, 428

geo-tagging, 454

tagging in mobile devices, 463

GPUs for password cracking, 607

Gramm-Leach-Bliley Act (GLBA), 915, 940, 945–946

gratuitous ARP, 602

gray-box testing

software development, 729

system tests, 638

grep utility, 623–624

greylisting e-mail, 682–683

group policies, 527–529

Group Policy Management Console (GPMC), 528–529

Group Policy Object Editor, 528

group policy objects (GPOs), 366, 527

groups

authentication, 361–362

cloud, 706

Diffie-Hellman, 136–137

Linux, 531

permissions, 373

guards, 239–240

guest accounts, 361

guest zones, 280

guidelines, 53–54

GUIDs (globally unique identifiers), 527

H

hackers

description, 10–11

hiring, 64

hacking, 10–11, 27

hacktivist attacks, 17

Hall, Chris, 132

halon-based fire suppression systems, 257

handheld fire extinguishers, 257–258

handling data, 57

handshakes

CHAP, 409

IP, 286

TCP, 594

TLS, 158, 653

hard drives, 348–349

hardened operating systems for networks, 277

hardening. See system hardening

hardware

hardening, 513–516

root of trust concept, 514

security, 539

unauthorized, 102–103

hardware firewalls, 328

hardware security modules (HSMs)

authentication, 389

hardening, 514

mobile devices, 459

PKI, 217

harvesting

credentials, 97

passwords, 100

hash message authentication code (HMAC), 162

hashes

algorithms, 886

cryptography, 123–127

evidence, 886–887

forensics, 890–891

hazards, 763

head utility, 623

header manipulations, 603, 669–670

Health Information Technology for Economic and Clinical Health Act (HITECH Act), 945

Health Information Trust Alliance (HITRUST), 766

Health Insurance Portability and Accountability Act (HIPAA), 935, 944–945

hearsay rule, 879

Heartbleed incident, 366

Heartland Payment Systems data breach, 7

heat-activated fire detectors, 259

heat maps

risk assessment, 785–786

wireless security, 444–445

heating, ventilating, and air conditioning (HVAC) systems, 255, 560–561

Hellman, Martin, 135

help desk in social engineering attacks, 91

heuristic IDS model, 477

heuristic scanning, 533

hidden fields, 670

hidden files, 895–896

HIDSs. See host-based IDS (HIDSs)

hierarchical trust model, 194–195

high availability in cloud, 702, 704–705

high-end locks, 243–244

high resiliency systems, cryptography in, 161

highly structured threats, 13

hijacking

domain, 602

session, 669

TCP/IP, 595

URLs, 603–604

HIPAA (Health Insurance Portability and Accountability Act), 935, 944–945

HIPSs (host-based intrusion prevention systems), 490, 536

hiring employees, 64–65

historical perspectives on cryptography, 117–123

historical security incidents, 1–4

history, password, 61–62

HITECH Act (Health Information Technology for Economic and Clinical Health Act), 945

HITECH CSF framework, 566

HITRUST (Health Information Trust Alliance), 766

HMAC (hash message authentication code), 162

HMAC-based One-Time Password (HOTP) algorithm, 150, 386

HMIs (human machine interfaces), 560

hoaxes

e-mail, 674, 678–679

social engineering, 98

virus, 580–581

home automation, 561–562

homomorphic encryption, 141–142

honeyfiles, 495

honeynets, 280, 494

honeypots, 280, 493–494

honeyrecords, 495

host-based firewalls, 328, 536–538

host-based IDS (HIDSs)

active vs. passive, 489–490

advantages, 488

description, 475, 536

disadvantages, 489

overview, 485–488

resurgence, 490

host-based intrusion prevention systems (HIPSs), 490, 536

host software baselines, 546

hosted systems vs. cloud, 701

hosts

cloud computing models, 699–700

computer forensics, 894–899

security, 32–33

virtualization, 316

vulnerability scanners, 546–547

hot aisles, 256

hot sites, 810

hotfixes, 520

HOTP (HMAC-based One-Time Password) algorithm, 150, 386

hotspots

description, 464

securing, 446

hping tool, 618–619

HSMs. See hardware security modules (HSMs)

HSTS (HTTP Strict Transport Security), 657

HTML (Hypertext Markup Language), 650, 656, 677

HTTP (Hypertext Transfer Protocol)

header manipulations, 603, 669–670

overview, 655–656

HTTP Strict Transport Security (HSTS), 657

HTTPS (Hypertext Transfer Protocol Secure), 171, 656

hubs, 317

human machine interfaces (HMIs), 560

human resources security policies, 63

acceptable use policies, 67–68

adverse actions, 66–67

bring-your-own-device, 69–70

business partners, 66

clean desk, 69

codes of ethics, 63

credentials, 59

due care and due diligence, 70–71

due process, 71

e-mail usage, 68

employee hiring and promotions, 64–65

exit interviews, 66

incident response, 71–72

Internet usage, 68

job rotation, 63

mandatory vacations, 67

privacy, 70

retirement, separation, and termination, 65–66

separation of duties, 64

social media analysis, 69

humidity control, 255

Hutchins, Marcus, 14, 577

HVAC (heating, ventilating, and air conditioning) systems, 255, 560–561

hybrid clouds, 701

hybrid e-mail filters, 681

hybrid password attacks, 178, 608

hybrid topologies, 270–271

hybrid trust model, 195

hybrid warfare, 99

Hypertext Markup Language (HTML), 650, 656, 677

Hypertext Transfer Protocol (HTTP)

header manipulations, 603, 669–670

overview, 655–656

Hypertext Transfer Protocol Secure (HTTPS), 171, 656

hypervisors, 313–314, 711

I

IaaS (Infrastructure as a Service), 698–699

IAM (identity access management) systems, 704

IC3 (Internet Crime Complaint Center), 911

ICCs (integrated circuit cards), 390

ICMP (Internet Control Message Protocol), 287–290, 478–479

ICSs (industrial control systems), 560

ID badges, 250

IDEA (International Data Encryption Algorithm), 132, 165

identification

authentication, 378–380

evidence, 887

incidents, 850, 880–881

identity access management (IAM) systems, 704

identity fraud in social engineering, 96

identity providers (IdPs), 378

identity theft

banking regulations, 946

breaches, 932

business risks, 773–774

Identity Theft and Assumption Deterrence Act, 940

IdPs (identity providers), 378

IDSs. See intrusion detection systems (IDSs)

IEEE 802.1X standards

attacks, 446–448

authentication, 399–400

implementing, 438

individual, 430–431

wireless protocols, 429–430

IETF (Internet Engineering Task Force)

history, 163–164

Transport Layer Security, 158, 652

ifconfig command, 617

IKE (Internet Key Exchange) protocol, 225

ILOVEYOU worm

damages, 2–3

e-mail, 677

IM (instant messaging), 650, 689–690

images

drive, 238, 628–629, 890

master, 553

IMAP (Internet Message Access Protocol)

e-mail, 671

secure, 171

immutable systems in software development, 753

impact

BIA, 772, 802

business risks, 772–773

defined, 762

PIAs, 954–955

risk calculations, 789

risk management, 781

impersonation factor in social engineering, 90–91

implementation vs. algorithm selection for cipher suites, 160–161

implicit deny, 35–36, 326

implicit FTPS, 659

import/export encryption restrictions, 918–919

important bugs in software development, 734

impossible travel time, 369

in-band NIDSs, 502

in-house certificate authorities, 189

Incident Object Description Exchange Format (IODEF), 869

incident response, 836

attack frameworks, 838–842

communication plans, 860

containment, 851–853

data collection models, 866–867

data sources, 860

detection, 849–850

eradication, 855

exercises, 858–859

foundations, 837

goals, 838

identification, 850

incident management, 837–838

initial, 850–851

investigation, 854–855

key terms, 873–874

lessons learned, 857

log files, 860–864

metadata, 864–866

packet flow information, 864

plans, 847–849

policies, 71–72, 844

preparation, 845–847

procedures, 71–72

process overview, 844–845

quizzes, 874–875

recovery, 855–856

references, 872

reporting, 856–857

review, 873

security measures, 871–872

stakeholder management, 859

standards and best practices, 867–872

strategy formulation, 853–854

teams, 857–858

threat intelligence, 842–844

increased data center density, 255

incremental backups, 806

indicators of compromise (IOCs)

network security, 506–507

standards, 869–871

indirect encryption attacks, 598

industrial camouflage, 242

industrial control systems (ICSs), 560

industry-standard frameworks, 565–566

influence campaigns, 99

information

classification, 56

criticality, 837

information assurance, 1

Information Sharing and Analysis Centers (ISACs), 19

Information Sharing and Analysis Organizations (ISAOs), 19

Information Systems Audit and Control Association (ISACA), 764

information warfare, 13

infrared (IR)

connections, 427

detection, 245

media, 347

Infrastructure as a Service (IaaS), 698–699

Infrastructure as Code

description, 700

software development, 751

infrastructure security, 310

attacks, 8

BYOD model, 468

data loss prevention, 338

devices, 311–313

firewalls, 322–328

Internet content filters, 338

intrusion detection systems, 331

key terms, 355

lab projects, 357

load balancers, 333–335

media, 344–348

modems, 329–330

network access control, 331–332

network monitoring, 332–333

networking, 316–322

physical, 352–353

proxies, 335–337

quizzes, 355–357

removable media, 348–352

review, 354

storage area networks, 343–344

technology placement, 340–342

telephony, 330–331

tunneling, 342–343

unified threat management, 338–339

virtualization, 313–316

VPN concentrators, 328–329

web security gateways, 337

wireless devices, 329

initial exploitation in penetration testing, 633

initial response for incidents, 850–851

initialization vectors (IVs)

hashes, 123

WEP, 431–432

wireless security, 448

Initiator Cookie, 225

injection attacks, 736–738

inline network devices, 491

inlining, 667

input validation, 731–732

insider threats, 11–12

instance awareness in cloud, 707

instant messaging (IM), 650, 689–690

integer overflow, 739

integrated circuit cards (ICCs), 390

integration

cloud, 703–704, 706

software development, 751

vendor management, 776

integrity

CIA of security, 28

cryptography, 149, 161

measurement, 515, 754, 829

models based on, 44–46

software development, 754

integrity verification processes (IVPs), 45–46

intelligence, threat, 19

intent of actors, 15–16

inter-networking, 303

interconnection security agreements (ISAs), 80

interfaces

human-machine, 560

IDSs, 475

securing, 541

intermediate certificates, 193

internal CAs, 213

internal threat actors, 15

international architectures, 565

international banking risk management example, 761–762

International Data Encryption Algorithm (IDEA), 132, 165

international privacy laws, 947–951

Internet, 278–279

content filters, 338

crime schemes, 911

description, 269

usage policy, 68

Internet Control Message Protocol (ICMP), 287–290, 478–479

Internet Crime Complaint Center (IC3), 911

Internet Engineering Task Force (IETF)

history, 163–164

Transport Layer Security, 158, 652

Internet Key Exchange (IKE) protocol, 225

Internet Message Access Protocol (IMAP)

e-mail, 671

secure, 171

Internet of Things (IoT), 561

Internet Protocol Flow Information Export (IPFIX) protocol, 864

Internet Protocol (IP), 282–284

addresses. See IP addresses

ICMP, 287–290

IPv4 vs. IPv6, 290–293

packets, 284–285

TCP vs. UDP, 285–287

Internet Security Association and Key Management Protocol (ISAKMP), 225–226

Internet Small Computer System Interface (iSCSI) protocol, 343

Internetwork Operating System (IOS), 540

interoperability agreements, 79–81

interrelationship digraphs, 791

interviews as evidence, 887

intimidation factor in social engineering, 89

intranets, 269, 279–280

intruders, 10–11

intrusion detection systems (IDSs), 474

analytics, 495–496

deception and disruption technologies, 493–495

description, 331

HIDSs, 485–490

history, 475

key terms, 509

lab projects, 511

models, 476–477

NIDSs, 479–484

overview, 475–476

quizzes, 510–511

references, 508

review, 509

SIEM, 496–499

signatures, 478–479

intrusion prevention systems (IPSs), 490–492

intrusive vulnerability testing, 635

investigations

forensics, 889–890

incident response, 854–855

invoice scams, 96

IOCs (indicators of compromise)

network security, 506–507

standards, 869–871

IODEF (Incident Object Description Exchange Format), 869

ionization smoke detectors, 259

IOS (Internetwork Operating System), 540

IoT (Internet of Things), 561

IP. See Internet Protocol (IP)

IP addresses

attacks, 599

DHCP, 320

IPv4 vs. IPv6, 290–293, 542

NAT, 301–303

routers, 321

scanners, 619

spoofing, 592–593

subnetting, 299–301

virtual, 333, 335

IP Security (IPSec), 171–172, 225

IP theft, 932

ipchains, 537

ipconfig command, 600, 617

IPFIX (Internet Protocol Flow Information Export) protocol, 864

IPSec (IP Security), 171–172, 225

IPSs (intrusion prevention systems), 490–492

IPv4 vs. IPv6, 290–293, 542

IR (infrared)

connections, 427

detection, 245

media, 347

iris scanners, 392

ISACA (Information Systems Audit and Control Association), 764

ISACs (Information Sharing and Analysis Centers), 19

ISAKMP (Internet Security Association and Key Management Protocol), 225–226

ISAOs (Information Sharing and Analysis Organizations), 19

ISAs (interconnection security agreements), 80

iSCSI (Internet Small Computer System Interface) protocol, 343

Ishikawa, Kaoru, 790

ISO 27001 standard, 766

ISO/IEC 27002 standard, 180

isolation

description, 18, 41

incident response, 851–853

least common mechanism, 38

network, 272–276

IT contingency planning, 816

IVPs (integrity verification processes), 45–46

IVs (initialization vectors)

hashes, 123

WEP, 431–432

wireless security, 448

J

jailbreaking, 461

jamming, 449

Java language, 661

JavaScript language, 661–662

“Jester” (hacker), 2

job rotation, 63

journalctl command, 863

JPMorgan Chase, 6–7

jurisdiction in forensics, 902

K

Kali tools, 629

Kaminsky, Dan, 296

KDCs (key distribution centers), 383

Kelsey, John, 132

Kerberos authentication, 383–384

key destruction in certificates, 212

key distribution centers (KDCs), 383

key escrow

cipher suites, 156

PKI, 219–220

KEY file for certificates, 206

key performance indicators (KPIs), 780

key risk indicators (KRIs), 780

key stores in certificates, 213

key stretching in cipher suites, 157

keyboards, wireless, 556

keyloggers, 583–584

keys

cipher suites, 155–156

cryptography, 115–116, 118, 122

encryption, 135–140, 598

identity, 380

mobile devices, 458

PGP, 165

physical, 248–249

PKI. See public key infrastructure (PKI)

quantum cryptography, 140

WPA3, 436

keyspace in cryptography, 115

kill chains, 18–19

Kim, Gene, 524

kiosks, 518–519

Klíma, Vlastimil, 124

knowledge-based authentication, 386–387

known plaintext/ciphertext attacks, 175

KPIs (key performance indicators), 780

KRIs (key risk indicators), 780

L

L2TP (Layer 2 Tunneling Protocol), 406–407

labeling data, 57, 931, 933–936

lack of vendor support, 776–777

language-specific failures in software development, 728

LANs (local area networks), 269

laptops, securing, 251

last mile problem in microwave media, 347–348

latency, cryptography in, 161

lateral movement in APTs, 840

laws

cybercrime, 911, 913–916

digital signature, 920–922

import/export encryption restrictions, 918–919

privacy, international, 947–951

privacy, U.S., 940–947

training for, 76

Layer 2 Tunneling Protocol (L2TP), 406–407

layered access, 243

layered security, 38

Lazarus Group, 5, 7, 14

LDAP. See Lightweight Directory Access Protocol (LDAP)

LDAPS (Lightweight Directory Access Protocol Secure), 170

Leahy, Patrick, 944

LEAP (Lightweight Extensible Authentication Protocol), 437

least common mechanism principle, 38

least privilege principle

description, 33–34

software development, 725–726

least significant bit (LSB) encoding, 168

legacy platform vulnerabilities, 645

legal holds, 57, 900–902

legal issues, 908–909

backups, 810

BYOD model, 468–469

cybercrime. See cybercrime

length of passwords, 62

lessons learned in incident response, 857

level of control in cloud computing, 699–700

Levin, Vladimir, 2

life cycles

certificates, 207–212

information, 938

software development, 722–729

life risks, 775

lights, 241

lightweight cryptography, 141

Lightweight Directory Access Protocol (LDAP)

directory services, 387, 657–658

injection, 738

PGP, 687

remote access, 400

Lightweight Directory Access Protocol Secure (LDAPS), 170

Lightweight Extensible Authentication Protocol (LEAP), 437

likelihood of occurrence in risk calculations, 789

linear cryptanalysis, 113

Linear Tape Open (LTO) format, 349

LinkedIn data breach, 7

Linux operating systems

hardening, 530–532

metadata, 898

permissions, 373

list folder contents permission, 371

litigation holds, 57, 900–902

live boot media, 554–555

LiveCDs, 237–238, 252–253

load balancers, 333–335

local area networks (LANs), 269

local packet delivery, 293–294

local registration authorities (LRAs), 188

Local Security Policy utility, 528

locally shared objects (LSOs), 740

location-based printing, hardening, 529

lockouts

accounts, 61

mobile devices, 452, 455

locks

cable, 248

types, 243–244

logger command, 624

logic bombs, 582–583

logical networks, 274–275

logins, risky, 369

logs

analyst-driven log analysis, 487

evidence, 885

forensics, 893, 897

HIDSs, 485, 487

incident response, 860–864

physical, 249

SIEM, 499

usage, 367–368

vulnerability testing, 635

long-term backup storage, 808–809

loop prevention, 319

Love Letter virus, 2–3

low latency, cryptography in, 161

low-level bugs in software development, 734

low-power devices, cryptography in, 161

Low-Water-Mark policy, 44–45

LRAs (local registration authorities), 188

LSB (least significant bit) encoding, 168

LSOs (locally shared objects), 740

LTO (Linear Tape Open) format, 349

LulzSec group, 6

Lyon, Gordon, 617

M

MAC (mandatory access control), 375–376

MAC (Media Access Control) addresses. See Media Access Control (MAC) addresses

machines

certificates, 204

hardening, 523–524

macro viruses, 579–580

magic numbers for files, 895

magnetic media, 348–350

mail. See e-mail

mail delivery agents (MDAs), 672

mail transfer agents (MTAs), 672

mail user agents (MUAs), 672

mainframes, 559–560

maintenance

accounts, 367

software development, 729

Making Security Measurable techniques, 871

malicious add-ons, 666

malicious code, 576

malware, 576

adware, 583

anti-malware products, 535

antivirus products, 533–535

application-level attacks, 586

backdoors and trapdoors, 585

botnets, 582

browsers, 666

command-and-control servers, 581

crypto-malware, 582

defenses, 586–587

description, 10

detecting, 339

e-mail, 676–678

HIPSs for, 490

keyloggers, 583–584

logic bombs, 582–583

network tools, 507

polymorphic, 581

PUP, 581

ransomware, 576

RATs, 584

rootkits, 584–585

spyware, 583

trojans, 577–578

viruses, 578–581

web security gateways for, 337

worms, 578

MAM (mobile application management), 452, 460

man-hours tracking, 893

man-in-the-browser (MITB) attacks, 596

man-in-the-middle attacks, 156, 595–596

man-made disasters, 780

managed power distribution units, 262

managed security service providers (MSSPs), 708

managed service providers (MSPs), 708

management interfaces, securing, 541

managerial controls in risk management, 768–769

mandatory access control (MAC), 375–376

mandatory vacations, 67

Manning, Chelsea, 12

MANs (metropolitan area networks), 269

mantraps, 244

manual scanning by antivirus products, 534

Marriott International data breach, 7

Mars Rover crash, 923

masks

data, 952

subnet, 299–301

Master Boot Records (MBRs), 579

master images, 553

master keys, 249

Maximum password age setting, 61, 364

maximum transmission units (MTUs), 283

MBRs (Master Boot Records), 579

MD (Message Digest)

forensics, 890–891

hashing functions, 124–125

MDAs (mail delivery agents), 672

MDM (mobile device management), 452–457

measured boot method, 515

measured services in cloud computing, 698

measurement systems analysis (MSA), 80

media

coaxial cable, 344

electronic, 351–352

fiber, 346–347

magnetic, 348–350

mobile devices, 463

optical, 350

removable, 348–352

sanitization, 938–940

scanning, 534

transmission, 352

unguided, 347–348

UTP/STP, 345

Media Access Control (MAC) addresses

ARP attacks, 294–295

disassociation attacks, 451

filtering, 320–321, 445–446

NICs, 317

packet delivery, 293–294

spoofing, 595

switches, 318

wireless security, 445–446

mediation, complete, 36–37

medical devices, 562–563

meet-in-the-middle attacks, 176

Melissa virus, 2

memdump command, 628

memoranda of understanding (MOUs), 79–80

memory

evidence, 883, 885

software development, 744–745

Message Digest (MD)

forensics, 890–891

hashing functions, 124–125

message integrity, cryptography for, 149

metadata

forensics, 897–898

incident response, 864–866

Metasploit tools, 629

metrics, training, 77

metropolitan area networks (MANs), 269

MFDs (multifunction devices), 557

mice, wireless, 556–557

microphones in mobile devices, 463

MicroSD cards, 558

MicroSD HSMs, 459

microservices in cloud computing, 714

microwave media, 347–348

MIME (Multipurpose Internet Mail Extensions), 673–674

MIMO (multiple-input and multiple-output) technology

antennas, 431, 442

benefits, 430

minimization, data, 952

minimizing avenues of attack, 17

Minimum password age setting, 61, 364

Minimum password length setting, 364

mirroring, port, 340–341, 501

mission-essential functions, 772

misuse detection models, 477

MITB (man-in-the-browser) attacks, 596

mitigation

defined, 763

risk management response, 765

risk strategies, 778–779

Mitnick, Kevin, 2

MITRE

ATT&CK framework, 841–842

CVE lists, 586, 725, 741

CybOX, 869, 871

Making Security Measurable techniques, 871

STIX, 871

TAXII, 871

mixed topologies, 270–271

MLD (Multicast Listener Discovery), 289

MLEC (Model Law on Electronic Commerce), 921

MMS (Multimedia Messaging Service), 462

mobile application management (MAM), 452, 460

mobile device management (MDM), 452–457

mobile devices, 424

application security, 457–459

BYOD model, 465–469

connection methods and receivers, 425–429

deployment models, 465–469

discoverable mode, 558

encryption, 549

key terms, 471

lab projects, 471–473

managing, 459–460

metadata, 865

operating systems, 519

physical security, 254

policies, 460–464

protecting, 312

quizzes, 471–473

review, 470

model contract clauses (MCCs), 950

Model Law on Electronic Commerce (MLEC), 921

model verification, 748

modems

rogue, 590

wireless devices, 329–330

moderate bugs in software development, 734

modify permission, 371

moisture detection, 246–247

monitoring

bandwidth, 864

content, 337

continuous, 552, 750

incident response, 855

networks, 332–333, 341, 492

productivity, 337

software development, 750

moral hazards, 763

Morris, Robert, 2

Morris worm, 2

motion detection, 245–246

motivation of actors, 15–16

MOUs (memoranda of understanding), 79–80

MPLS (multi-protocol label switching), 303

MSA (measurement systems analysis), 80

MSPs (managed service providers), 708

MSSPs (managed security service providers), 708

MTAs (mail transfer agents), 672

MTUs (maximum transmission units), 283

MUAs (mail user agents), 672

multi-protocol label switching (MPLS), 303

Multicast Listener Discovery (MLD), 289

multicast messages, 291

multifactor authentication

attributes, 398–399

factors, 397–398

overview, 396–397

multifunction devices (MFDs), 557

multilevel security, 376

Multimedia Messaging Service (MMS), 462

multipartite attacks, 576

multiple encryption, 129

multiple-input and multiple-output (MIMO) technology

antennas, 431, 442

benefits, 430

Multipurpose Internet Mail Extensions (MIME), 673–674

mutual aid agreements, 811

mutual authentication, 384–385

My Fitness Pal data breach, 7

MySpace data breach, 7
