A
- ABAC (attribute-based access control), 62
- abstraction, 468
- access control,
- ABAC (attribute-based access control), 62
- accountability, 32–34
- accounting and, 565
- AD (Active Directory), 574
- admission, 569–570
- authentication and, 565
- authorization and, 565
- centralized, 58
- compensating controls, 105–106
- corrective, 104
- DAC (discretionary access control), 59
- data classification, –9
- decentralized, 58–59
- decision-making, 568–569
- detective controls, 103–104
- deterrent controls, 101–103
- device authentication, 35
- devices, 53
- dual control, 97
- federated access, 36–38
- IEEE 802.1X Port-Based Access Control Standard, 573
- implementation, 58–63
- integrity protection, 11
- Kerberos, 573–574
- LANs (local area networks), –5
- least privilege, 94–95
- lifecycle, 106–107
- logical controls, 566
- MAC (mandatory access control), 59
- malicious activity and, 686
- NAC (network access control), 566
- NDAC (nondiscretionary access control), 59
- need to know, 94, 98–99
- OAuth, 574
- object-based, 62–63
- objects,
- OpenID, 574
- physical controls, 566
- physical security, 138–139
- facility entrance, 141
- internal controls, 142
- parking, 141
- perimeter, 140–141
- property approach, 139–140
- preventative, 103
- privileges, –7
- RBAC (role-based access control), 61
- read-up problems, –9
- SAML (Security Assertion Markup Language), 574
- security models, –10
- Bell-LaPadula, 10
- Biba, Kenneth, 11
- Brewer and Nash model, 11
- Chinese Wall model, 11
- Clark-Wilson model, 11
- Goguen-Meseguer model, 11
- Graham-Denning model, 11
- security properties
- * (star) property, 10, 11
- discretionary, 10
- simple integrity, 11
- SS (simple security), 10
- separation of duties, 95–98
- SOHO (small office/home office), –5
- SSO (single sign-on)
- AD (Active Directory), 34
- Integrated Windows Authentication, 35
- SAML-based systems, 35
- smart cards, 35
- TGT (ticket granting ticket) systems, 34
- subject-based, 62
- subjects,
- system logs, 232
- trust architectures, 38–43
- two-person integrity, 97
- write-down problems, –9
- X.500 Directory Access Protocol Standard, 573
- access management, 652
- accidents as attacks, 541
- accountability, 82, 565
- access control and, 32–34
- separation of duties and, 95–98
- accounting, 652
- active security devices, network-based monitoring, 587
- AD (Active Directory), 574
- ad hoc wireless networks, 640–642
- addresses, 478
- addressing, 472. See also IP addressing; IPv4
- administrative attack surfaces, 254
- administrative controls
- baselines, 127–128
- guidelines, 128
- malicious activity, 688
- policies, 125–126
- procedures, 127
- standards, 126–127
- admission, 569–570
- ADSP (author domain signing practices), 434
- AES (Advanced Encryption Standard), 361–362, 395
- side-channel attacks, 362
- AFP (Apple Filing Protocol), 549
- alarms, 265–266, 273
- algorithms. See also cryptography
- attacks, 401–402
- Blowfish, 362–363
- cryptographic, 339–340
- encryption, 392–393
- path validation algorithm, 392
- decryption, 339–340
- encryption, 339–340
- IDEA (International Data Encryption Algorithm), 363
- Rijndael algorithm, 361
- rounds, 340
- state, 362
- symmetric, 341
- transposition, 340
- Twofish, 362–363
- alternate processing, 310–313
- amplifiers, 610
- analysis, 264
- Anderson, Ross, 369
- anomalies, 250
- monitoring and, 242–243
- path to business end, 306
- antivirus, 668
- APIs (application programming interface), 498
- appliances, virtual, 726–727
- Application layer
- OSI Layer 7, 501
- TCP/IP model, 507–508
- application white listing, 693
- applications, 651–652
- APTs (advanced persistent threats), 148–149. See also kill chains
- identity theft and, 150
- stereotyping, 154
- architectural baselines, 128
- ARP (Address Resolution Protocol), 495, 535
- ARPANET, 470
- ARQ (automatic repeat request), 491
- ASICs (application-specific integrated circuit chips), 361
- assessment strategies, 213–215
- assessment-driven training, 212–213
- asset management, 107, 218–219
- inventory, 108–109
- data storage, 114–120
- hardware, 112–113
- licensing, 113–114
- process, 111
- software, 113–114
- system of record, 109–111
- tool, 109–111
- lifecycles, 111–112
- asset-based risk, 172
- asset-centric approach, threat modeling, 180–181
- assets
- information assets, 172
- information technology assets, 172
- intangible assets, 172
- tangible assets, 172
- asymmetric encryption, 371–372
- Diffie-Hellman-Merkle, 374–377
- discrete logarithm problems, 373
- ElGamal, 378
- factoring problems, 374
- forward secrecy, 372–373
- generator, 372
- hybrid cryptosystems, 380
- private key, 372
- public key, 372
- quantum cryptography, 378–380
- RSA, 377–378
- session keys, 372
- shared key generation, 372
- attacker-centric approach, threat modeling, 180
- attacks
- algorithm attacks, 401–402
- app attacks, 551
- ARP poisoning, 547
- birthday attacks, 406–407
- blind hijacking, 547
- brute force, 403–404
- cryptanalytic attacks
- differential cryptanalysis, 409
- linear cryptanalysis, 408–409
- quantum cryptanalysis, 409
- DDoS (distributed denial-of-service), 544, 551, 565
- device attacks, 551
- differential fault analysis, 406
- DoS (denial of service), 551
- false invoice attack, 659–660
- Heartbeat implementation flaw, 403
- HTTP flood attacks, 550
- against human element, 401
- IoT devices, 565
- length-extension, 387
- living off the land attack, 659–660
- low-and-slow, 551
- man-in-the-browser, 547
- meet-in-the-middle attacks, 407
- MITM (man-in-the-middle), 404, 547
- networks, 536–537, 538
- accidents as, 541
- Applications layer (layer 7), 549–550
- assessment, 550–552
- DDoS (distributed denial-of-service), 553–554
- DHCP attacks, 557–558
- DNS cache poisoning, 556–557
- enterprise networks, 561–562
- ICMP (Internet Control Message Protocol), 560–561
- industrial control systems, 563–564
- IP layer (layer 3), 543–545
- Link layer (layer 2), 541–543
- MITM (man-in-the-middle), 554–556
- Physical layer (layer 1), 539–541
- Presentation layer (layer 6), 548–549
- Session layer (layer 5), 546–548
- smurfing, 559–560
- SYN flooding, 558–559
- Transport layer (layer 4), 545–546
- VLANs, 563–564
- vulnerabilities, 550–552
- NTP amplification, 551
- overlap, 283
- packet sniffing, 544
- phishing, 330–331
- ping floods, 544
- ransom attacks, 249, 671
- related-key attacks, 394, 407
- replay attacks, 407–408
- self-inflicted, 593
- session hijacking, 547
- session sniffing, 547
- side-channel attacks, 393, 404–406
- social engineering, 252
- SSH downgrade, 548
- teardrop attacks, 544
- threat hunting activities, 546
- threats, advanced persistent threats, 550
- traffic monitoring, 546
- user hijacking, 551
- virtual environments, 727–729
- war droning, 635
- wireless, 539–540, 635–637
- XSS (cross-site scripting) and, 550
- audit strategies, 213–215
- auditability, cryptography and, 423–424
- audits, 128–130, 653
- baselines, controlled, 219
- findings, remediation, 217
- authentication, 12, 91–92, 565, 652
- centralized remote authentication services, 578–579
- CER (crossover error rate), 14–15
- credentials, 12
- cryptography and, 420–421
- device authentication, 35
- EER (equal error rate), 14
- factors, 12
- recovery, 14
- Type I, 13
- Type II, 13
- Type III, 13
- false acceptance errors, 12, 14
- false negative errors, 12
- false positive errors, 12
- false rejection errors, 12, 14
- FAR (false acceptance rate), 14
- FRR (false rejection rate), 14
- message authentication codes, HMACs, 386–387, 416
- MITM attacks and, 555
- multifactor, 13–15
- single-factor, 13–15
- something you are, 13
- biometric identification, 26–28
- something you do, 28–30
- something you have, 13
- security tokens, 25–26
- smart cards, 23–24
- something you know, 13, 16
- memorable information, 22
- passphrases, 19–21
- password escrow, 22–23
- password recovery, 22–23
- password reset, 22–23
- passwords, 16–19
- PINs, 22
- recent access history, 22
- security questions, 21–22
- somewhere you are, 32
- Type 1 errors, 12
- Type 2 errors, 12
- WPA (Wi-Fi Protected Access), 628–630
- authenticity, security and, 70
- authorization, 44–45, 565, 652
- access control models, 44
- cryptography and, 337
- availability
- cryptography and, 418
- information availability, 82
- security and, 70
- systems availability, 82
B
- backups, 280–281, 315–316
- data at rest, 319
- database backup, 317–318
- platform backup, 317–318
- baseband cabling, 528
- baselines, 127
- architectural baselines, 128
- behavioral, 241–242
- controlled, auditing, 219
- risk and, 218–219
- scoping guidance, 128
- security baselines, 128
- BCPs (business continuity plans), 308
- behavioral anomaly detection, 243
- behavioral baselines, 241–242
- Bell, David, 10
- Bell-LaPadula model, 10
- bent functions, 364
- Berners-Lee, Tim, 485–486
- Bernstein, Daniel J., 370
- BGP (Border Gateway Protocol), 495, 561–562, 610
- BIA (business impact analysis), 301
- risk management and, 184–185
- Biba, Kenneth, 11
- Biham, Eli, 394–395
- biometric identification, 27–28
- birthday attacks, 406–407
- black-box testing, 324
- blacklisting, 669–670
- blind hijacking, 547
- block ciphers, 353–355
- asymmetric encryption, 359
- CBC (Cipher Block Chaining), 356–358
- DES (Data Encryption Standard), 355
- feedback chaining, 356–358
- Feistel ciphers, 355
- padding and, 356
- P-boxes, 354–355
- S-boxes, 354–355
- symmetric encryption, 359
- blockchain, 392, 434
- Bitcoin and, 435
- cryptocurrencies, 435–437
- digital provenance systems, 436
- errors, 435–436
- genesis block, 435
- Blowfish, 362–363
- Bluetooth, 620, 637–638
- body weight, biometric identification and, 27
- botnets, 554
- Brewer and Nash model, 11
- bridges, 612
- broadband cabling, 528
- broadcast domains, 609
- brute force attacks, 403–404
- buffer overflows, 267
- bus topography, 518
- business case, risk management and, 165–168
- business continuity, 653
- business continuity planning, 281, 306
- emergency response plan, 307–310
- BYOC (bring your own cloud), 623
- BYOD (bring your own device), 623
- BYOI (bring your own infrastructure), 623
C
- CAB (change advisory board), 132
- cabling, 526–527
- baseband, 528
- broadband, 528
- characteristics, 529
- coaxial cabling, 528
- copper, 527
- fiber-optic, 527
- plenum rated, 488, 527
- repeaters, 530
- STP (shielded twisted pair), 488
- twisted-pair, 528–529
- UTP (unshielded twisted pair), 488
- CAC (common access card), 23
- cache poisoning, 556–557
- Capital One breach, 537
- captive portals, remediation and, 570
- CAs (certificate authorities), 389
- CRL (certificate revocation list), 389
- HSM (hardware security module), 413
- OCSP, 389
- path validation algorithm, 461
- root certificate, 460
- trust hierarchies, 460
- CAST, 364
- catphishing attacks, 332
- causal agent, 276, 277
- CBC (Cipher Block Chaining), 356–358
- CCB (configuration control board), 132
- CCITT (International Telegraph and Telephone Consultative Committee), 470
- CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 629–630
- CDNs (content distribution networks), 585
- centralized decision-making, 568–569
- centralized remote authentication services, 578–579
- CER (crossover error rate), 14–15
- CERT (computer emergency response team), 248, 253, 260
- certificate-signing parties, 463
- chain of trust, 39
- change management, 130–135
- CHAP (Challenge Handshake Authentication Protocol), 578, 582
- checksums, 504
- Chinese Wall model, 11
- chosen-ciphertext algorithm attack, 402
- chosen-plaintext algorithm attack, 402
- CI (configuration item), 132
- CIA (confidentiality, integrity, availability), , 71–72
- CIANA (confidentiality, integrity, availability, nonrepudiation, authorization), , 72
- log files, 229
- OSI reference model and, 328–333
- CIDR (Classless Inter-Domain Routing), 512–513
- CIFS (Common Internet File System), 480, 501
- cipher systems, 353
- block ciphers, 353–358
- CAST, 364
- CryptoCypher, 365
- stream ciphers, 365–371
- ciphertext-only algorithm attack, 402
- CIRT (computer incident response team), 253
- Clark-Wilson model, 11
- cleartext, 338
- client-server relationships, 521–522
- cloud computing
- cloud as endpoint, 690
- cloud-hosted devices, 596
- deployment, 703
- forensic investigation and, 304
- migration, 703
- service models, 703–705
- cloud security, 701
- data transmission, 716
- deployment models, 702–703
- legal and regulatory framework
- blockchain, 715
- custody of data, 713–714
- data control, 713–714
- data ownership, 713–714
- e-discovery, 710, 711–712, 713
- immutable ledgers, 715
- jurisdiction, 711–712
- lessons learned, 710
- PII, 714–715
- privacy-related data, 709–710
- private data, 714–715
- recordkeeping, 710
- surveillance data, 715
- lifecycles, 717–718
- outsourcing requirements, 716–717
- redundancy, 719–720
- shared responsibility model, 718–719
- storage, 716
- third-party requirements, 716–717
- virtualization and
- serverless services, 708–709
- VMs (virtual machines), 706–707
- Cloud Security Alliance, 305
- cloud services, 702–703
- CM (configuration management), 130–132
- CM/CC (configuration management and configuration control), 131–132
- CMIP (Common Management Information Protocol), 535
- CMVP (Cryptographic Module Validation Program), 345
- coaxial cabling, 528
- COBIT (Control Objectives for Information and Related Technologies), 192–193
- codes of ethics, 66–70
- collaboration security, cryptography and, 440
- collaborative workspaces, 329
- collateral damage, 422
- collision domains, 609
- community cloud services, 703
- compensating controls, 105–106
- competencies, 137
- competitive edge, cryptography and, 424
- compliance, risk management and, 184–185
- compliance monitoring, 226–228
- compliance-driven information, cryptography, 417
- concentrators, 610
- confidentiality, 72–73, 651
- corporate espionage, 77–79
- cryptography and, 337
- industrial espionage, 77–79
- intellectual property, 74–77
- requirements, 665
- security and, 70
- configuration control, 218–219
- configuration enumeration, 133
- configuration management, 218–219
- connectionless protocols, 497
- connection-oriented protocols, 496
- connections, 652
- containerization
- virtual environments, 722–723
- VMs, 707
- containment, 275–277
- contingency operations planning, 308
- continuity, virtual environments, 727
- controlled egress system, 124
- controlled entry system, 124
- controls
- administrative, 125–128
- compensating controls, 105–106
- corrective, 104
- detective controls, 103–104
- deterrent controls, 101–103
- dual control, 97
- implementing, 120–130
- least privilege, 94–95
- lifecycle, 106–107
- need to know, 94, 98–99
- physical, 122–124
- preventative, 103
- risk treatment, 201–203
- security and, 70
- separation of duties, 95–98
- technical, 121–122
- two-person integrity, 97
- converged protocols, 508–509
- FCoE (Fibre Channel over Ethernet), 508
- iSCSI (Internet Small Computer System Interface), 509
- MPLS (Multiprotocol Label Switching), 509
- NAS (network-attached storage), 509
- SAN (storage area network), 509
- COPACOBANA (Cost-Optimized Parallel Code Breaker), 361
- COPE (company owned personally enabled), 623
- CORAS, 183
- corrective controls, 104
- correlation, 270–271
- COSO (Committee of Sponsoring Organizations of the Treadway Commission), 191–192
- cost centers, risk management and, 165–168
- COTS (commercial-off-the-shelf) system, 163–164
- countermeasures, implementation, 283–284
- covert channels, 696–697
- isolating, guest operating system, 721–722
- credentials, 12
- critical asset protection planning, 309
- CRO (chief risk officer), 307
- cross-layer protocols, 535–536
- cryptanalysis, 347
- cryptanalytic attacks, 408–409
- crypto family tree, 342
- cryptocurrencies, 435–437
- cryptographic accelerators, 413
- cryptographic hygiene, 393, 396–400
- cryptographic module, 411–412
- cryptographic system, 345
- cryptography, 336, 426–437. See also decryption; encryption
- AES (Advanced Encryption Standard), 361–362
- algorithms, 339–340
- Blowfish, 362–363
- encryption, 392–393
- IDEA, 363
- path validation algorithm, 392
- Twofish, 362–363
- attacks, 401–409
- auditability and, 423–424
- authentication and, 420–421
- authenticity, 415–417
- availability and, 418
- AZTEC, 371
- block ciphers, 353–358
- blockchain, 434–437
- CAST, 364
- cipher systems, 353
- CAST, 364
- CryptoCypher, 365
- stream ciphers, 365–371
- collaboration security, 440
- competitive edge and, 424
- compliance-driven information, 417
- confidentiality, 414–415
- cryptology and, 347
- data sensitivity and, 417–418
- deployment, 442–444
- DES (Data Encryption Standard), 355, 360–361
- digital certificates, 388
- blockchains, 392
- CAs (certificate authorities), 389
- certificate enrollment, 388
- CRL (certificate revocation list), 389
- CSR (certificate signing request), 388
- genesis block, 392
- hash function, 390
- HTTPS and, 390–391
- Merkle tree, 392
- MITM attacks, 390
- OCSP, 389
- path validation algorithm, 392
- private key generation, 388
- public key generation, 388
- self-signed, 392
- S/MIME, 390
- TLS, 390–391
- VPNs, 390
- DKIM, 433–434
- ECC (elliptical curve cryptography), 380–382
- EU ECRYPT, 371
- federated systems, 438
- forward secrecy and, 338
- functions, 345–347
- hash functions, 336, 348
- hashing, 347–349, 351–353
- Heartbeat implementation flaw, 403
- high-compliance architectures, 444
- homomorphic encryption, 415
- HTTPS, 431–432
- ICSs (industrial process control systems), 441
- ILS (integrated logistics support), 440
- integrity, 415–417
- IoT (Internet of Things), 441
- IPsec, 426–427
- key distribution, 343
- key management, 343–344
- key space, 343
- key strength, 343, 393–395
- keys, 342–344, 363
- limitations, 444–446
- modules, 345–347
- nonrepudiation, 383–388
- on-premises data center, 442–444
- pervasive encryption architectures, 415
- PGP, 364, 430–431
- privacy and, 421–422
- protocols, 345–347, 424–437
- PROVILAB, 371
- regulatory requirements and, 423
- repudiation and, 418–420
- safety and, 422
- salting, 351–353
- security classification, 417
- sets, 345–347
- S/MIME, 432–433
- stream ciphers, 353, 365–371
- STVL, 371
- through time and, 338
- TLS (Transport Layer Security), 427–429
- transaction processing, 439
- transparency and, 423–424
- trust hierarchies, 459–462
- UASs (untended or uncrewed aerial systems), 441
- VAMPIRE, 371
- VPNs (virtual private networks) and, 437–438
- vulnerabilities, 444–446
- WAVILA, 371
- web of trust, 462–464
- workflow processing, 439
- cryptolinguists, 347
- cryptoprocessors. See secure cryptoprocessors
- cryptosystems, hybrid, 380
- cryptovariables, 340–341
- CSIRT (computer security incident response team), 248, 253–254, 260
- CSRF (cross-site request forgery), 550
- CVE (common vulnerabilities and exposures), 163, 164
- CVSS (Common Vulnerability Scoring System), 163–164
- CybOX (Cyber Observable eXPression), 609
- CYOD (choose your own device), 623
D
- DAC (discretionary access control), 59
- Daemen, Joan, 361
- DANE (DNS-based Authentication of Named Entities), 481
- data availability, 651
- data breach kill chain, 154
- data center
- ambient temperature, 142
- gatekeepers,
- humidity, 142
- data classification, –9
- data cleaning, crime scenes, 294
- data collection plan, 302
- data encapsulation, 380
- data flow, east-west data flow, 675–677
- data frames, 504
- data integrity, 651
- Data Link layer (OSI Layer 2), 491–493
- LLC (logical link control) sublayer, 491
- MAC (media access control) sublayer, 491
- data protection, 651
- data recovery/restoration, 319–321
- data sensitivity, cryptography and, 417–418
- data storage
- colorizing, 117
- disposal, 119–120
- information lifecycle, 114–116
- marking, 116–117
- protection, 117–118
- sanitization, 119–120
- shared, 729–730
- transport, 118
- datagrams, 471, 472–474, 534
- DDoS (distributed denial-of-service) attacks, 272, 544, 551, 553–554, 565
- decision assurance, 71
- decryption, collisions, 340
- defense in depth, 590
- deprovisioning, 46–48
- DES (Data Encryption Standard), 355, 360–361
- deserialization, 500
- design, hardware and, 664–665
- destructive attacks, triage, 272
- detection, 264, 268–270
- detective controls, 103–104
- determinism, 350
- deterrent controls, 101–103
- development, software vulnerabilities, 655–656
- built-in vulnerabilities, 656–657
- code library use, 657
- coding practices, 657
- data modeling, 657–658
- data typing enforcement, 657–658
- design patterns, 656
- device management, 591–592
- devices. See also security devices
- authentication, 35
- endpoint device security, 689–691
- application white listing, 693
- endpoint encryption, 694–695
- firewalls, 692
- HIDS (host-based intrusion detection system), 691–692
- HIPS (host-based intrusion prevention system), 691–692
- host-based firewalls, 692
- IoT and, 700–701
- MDM (mobile device management), 696
- secure browsing, 697–699
- TPMs (trusted platform modules), 695
- placement, 586–587
- security, 587
- wireless security devices, 645–646
- DHCP (Dynamic Host Configuration Protocol), 276, 535
- attacks, 557–558
- logging and, 233
- differential cryptanalysis, 409
- differential fault analysis, 406
- Diffie, Whitfield, 373, 374
- Diffie-Hellman-Merkle, 373, 374–377
- digital certificates, 388
- blockchains, 392
- CAs (certificate authority), 389
- certificate enrollment, 388
- CSR (certificate signing request), 388
- genesis block, 392
- hash function, 390
- HTTPS and, 390–391
- Merkle tree, 392
- MITM (man-in-the-middle) attacks, 390
- path validation algorithm, 392
- private key generation, 388
- public key generation, 388
- self-signed, 392
- S/MIME, 390
- TLS, 390–391
- VPNs, 390
- X.509, 391–392
- digital encryption, 337
- digital footprints, 303
- digital forensics, 287–289. See also forensic investigations
- cloud computing and, 304–305
- dead copy, 299
- digital footprints, 303
- evidence, triage and, 299–301
- evidence collection, 297–298
- evidence handling, 292–297
- forensic workstation, 291
- investigations, 287, 291
- jurisdiction, 305
- procedures, 301–304
- reverse engineering and, 298
- techniques, 301–304
- tools, 298–299
- write blockers, 299
- digital signatures, nonrepudiation and, 384–386
- digital triage, 300
- DIKW (data, information, knowledge, wisdom, insight), 81
- DIM (delegated identity management), 36
- directory information tree, 573
- directory service agents, 573
- directory services, 233
- disaster recovery, 306
- discretionary security property, 10
- distributed decision-making, 568–569
- DKIM (DomainKeys Identified Mail), 433–434
- DLP (data loss prevention), 592
- DMARC (domain-based message authentication, reporting, conformance), 433
- DMZs (demilitarized zones), segmentation, 589
- DNP3 (Distributed Network Protocol), 564
- DNS (Domain Name System), 276, 479, 535
- cache poisoning, 556–557
- caching, 480
- logging, 233
- poisoning, 547
- DNS cache poisoning attacks, 556–557
- DNSSEC (DNS Security Extensions), 481
- documentation, monitoring findings, 245–246
- DOI (domain of interpretation), 583
- domain-based network architecture, 589
- DoS (denial of service) attacks, 551
- Dragonblood algorithm, 628
- Dragonfly algorithm, 628
- drills, 322, 327
- DRP (disaster recovery planning), 308
- DSA (Digital Signature Algorithm), 373, 378, 387–388
- DSS (Digital Signature Standard), 378
- DSSS (direct sequence spread spectrum), 645
- dual control, PKI and, 458–459
- dynamic IP addresses, 510
E
- EAP (Extensible Authentication Protocol), 578, 582, 630
- LEAP (Lightweight Extensible Authentication Protocol), 629
- PEAP (Protected Extensible Authentication Protocol), 629
- east-west data flow, 675–677
- ECB (Electronic Code Book) mode, 355, 358–360
- ECC (elliptical curve cryptography), 380–382
- ECTF (Electronic Crimes Task Force), 159
- edge computing, 597
- EER (equal error rate), 14
- EFF (Electronic Frontier Foundation), 361
- ElGamal, 373, 378
- Elliptical Curve, 373
- email
- bounced, 267
- servers, logging and, 233
- emergency response plan, 307–310
- BCPs (business continuity plans), 308
- contingency operations planning, 308
- critical asset protection planning, 309
- DRP (disaster recovery planning), 308
- physical security and safety planning, 309
- EMI (electromagnetic interference), 528
- employees, reporting and, 270
- encapsulation, 472, 475–477, 534, 562–563
- encryption. See also cryptography; decryption
- AES (Advanced Encryption Standard), 361–362
- algorithms, 392–393
- asymmetric, 340–342, 371–372
- Diffie-Hellman-Merkle, 374–377
- discrete logarithm problems, 373
- ElGamal, 378
- factoring problems, 374
- forward secrecy, 372–373
- generator, 372
- hybrid cryptosystems, 380
- private key, 372
- public key, 372
- quantum cryptography, 378–380
- RSA, 377–378
- session keys, 372
- shared key generation, 372
- collisions, 340
- DES (Data Encryption Standard), 355, 360–361
- digital, 337
- endpoints, 694–695
- as function, 348
- homomorphic encryption, 415
- IDEA (International Data Encryption Algorithm), 363
- pervasive encryption architectures, 415
- symmetric, 340–342
- symmetric encryption, 337
- TKIP (Temporal Key Integrity Protocol), 625
- trapdoor functions, 341
- WPA (Wi-Fi Protected Access), 628–630
- Endpoint Security Solutions Review, 701
- endpoints, 566, 652
- data in use, 677–678
- detection and response, 684
- device security, 689–691
- application white listing, 693
- endpoint encryption, 694–695
- firewalls, host-based, 692
- HIDS (host-based intrusion detection system), 691–692
- HIPS (host-based intrusion prevention system), 691–692
- IoT and, 700–701
- MDM (mobile device management), 696
- secure browsing, 697–699
- TPMs (trusted platform modules), 695
- encryption, 694–695
- host endpoint, 569
- malicious activity and, 686
- MDM (mobile device management), 622–624
- network monitoring and, 572–573
- new, 267
- as security devices, 596–597
- segmentation and, 591
- unmanaged, 267
- wireless communications and, 621–622
- enterprise networks attacks, 561
- BGP (Border Gateway Protocol), 561–562
- OSPF (Open Shortest Path First), 562
- enumeration, 133
- eradication, 277–278
- ERP (enterprise resource management), 171
- errors
- CER (crossover error rate), 14–15
- EER (equal error rate), 14
- false acceptance errors, 12, 14
- false negative errors, 12
- false positive errors, 12
- false rejection errors, 12, 14
- FAR (false acceptance rate), 14
- FRR (false rejection rate), 14
- Type 1 errors, 12
- Type 2 errors, 12
- escalation, 264
- Ethernet
- 10 Gigabit Ethernet, 526
- DCE (Data Communication Equipment), 526
- DTE (Data Terminal Equipment), 525
- Fast Ethernet, 526
- Gigabit Ethernet, 526
- ethical penetration testing, 259, 701
- ethics, 66–67
- (ISC)2, 68–69
- organizational code of ethics, 69–70
- professional ethics, 67–68
- EU ECRYPT, 371
- events, 250
- data analysis, 244–245
- hostile, 249
- incidents and, 250
- kill chains, 267
- kill chains and, 155–156
- responses, priorities, 272
- triage, 271–273
- events of interest, 222–224, 267
- anomalies, 224
- changes, unauthorized, 225–226
- compliance monitoring, 226–228
- indicators, 223–224
- intrusions, 225
- real-time compliance monitoring, 226–228
- exponent, 381
- extranets, 40, 584–585
- DMZ and, 41
- EDI and, 40
- SOAs and, 40
F
- facial recognition, biometric identification and, 28
- factoring problems, 374
- false acceptance errors, 12, 14
- false invoice attack, 659–660
- false negative alarms, IDS/IPS, 607
- false negative errors, 12
- false negative outcomes, 252
- false positive errors, 12
- false positive outcomes, 252
- false rejection errors, 12, 14
- false rejects, triage, 272
- FAR (false acceptance rate), 14
- fax machines, 576
- fax servers, logging and, 233
- Fazzini, Kate, 663
- FCoE (Fibre Channel over Ethernet), 508
- FDDI (fiber distributed data interface), 517–518
- federated access, 36–37
- DIM (delegated identity management), 36
- FIM (federated identity management), 36
- IAM (identity and access management), 36
- federated systems, cryptography and, 438
- FedRAMP Continuous Monitoring Strategy Guide, 220
- Feistel, Horst, 355
- FHSS (frequency hopping spread spectrum), 644–645
- fiber-optic cabling, 527
- fiefdoms, 590
- field of regard, monitoring, 586–587
- file integrity, 303
- filenames, characters, unusual/unprintable, 267
- filtering, detection and, 268–270
- FIM (federated identity management), 36
- fingerprints, biometric identification and, 27
- FIPS (Federal Information Processing Standards), 190–191
- firewalls
- application-level, 600–601
- circuit-level, 601
- configuration, 599
- deep packet inspection, 601
- deployment architecture, 602–604
- disruptions, 604–605
- events of interest, 600
- IDS/IPS functions, 601
- management, 599
- multihomed, 534, 601–602
- multitier, 604
- NGFWs, 601
- packets, 599
- segmentation, 599, 604
- stateful inspection, 601
- static packet filtering, 600
- UTM, 601
- flow control, 504
- forensic investigations, 287–289. See also digital forensics
- cloud computing and, 304–305
- dead copy, 299
- digital footprints, 303
- evidence, triage and, 299–301
- evidence collection, 297–298
- evidence handling, 292–297
- forensic workstation, 291
- jurisdiction, 305
- procedures, 301–304
- reverse engineering and, 298
- techniques, 301–304
- tools, 298–299
- triage, 275, 300
- write blockers, 299
- Forrester research, 590–591
- forward secrecy, 372–373
- FQDNs (fully qualified domain names), 479
- frameworks, 257
- FRR (false rejection rate), 14
- FTP (File Transfer Protocol), 474–475, 507
- full duplex sessions, 499
- full interruption tests, 327
- FWaaS (firewall as a service), 605
G
- gatekeepers,
- GCHQ (Government Communications Headquarters), 163–164, 375
- GDPR (General Data Protection Regulation), 84
- generators, encryption, 372
- Goguen-Meseguer model, 11
- golden image, 279
- Gosney, Jeremi, 352
- govcloud cloud services, 703
- GPOs (group policy objects), 53, 121
- GPUs (graphic processing units), 393–394
- Graham-Denning model, 11
- gray-box testing, 324
- guest operating systems, 721–722
- guidelines, 128
H
- half-duplex sessions, 499
- handshakes, 471, 474–475
- hardening standards, 133
- hardware
- design and, 664–665
- inventory, 112–113
- secure cryptoprocessors, 410
- supply chain security, 667
- hash collisions, birthday attacks, 406
- hash functions, 336
- digital certificates, 390
- hashing
- anonymization and, 349
- checksums and, 349
- database lookup, 349
- digital fingerprints and, 349
- error detection and, 349
- functions, 348
- integrity checking and, 349
- mappings, 348
- message digests, 349
- salting, 351–353
- SHA (Secure Hash Algorithms), 349
- table lookup, 349
- hazard surfaces, 254
- Heartbeat implementation flaw, 403
- Hellman, Martin, 373, 374
- HIDS (host-based intrusion detection system), 586, 606–607
- hierarchical trust relationships, 39
- high-compliance architectures, cryptography, 444
- hijacking, 556
- HIPS (host-based intrusion prevention system), 606–607, 691–692
- HITRUST (Health Information Trust Alliance Common Security Framework), 193
- HMACs (hashed message authentication codes), 386–387, 416
- hold-down timers, 508
- homomorphic encryption, 415, 678
- host operating system, 721–722
- host-based monitoring, 586
- hostile events, 249
- hosts
- HSM (hardware security module), 373, 412–413
- HTTP (Hypertext Transfer Protocol), 485, 507
- HTTP flood attacks, 550
- HTTPS (Hypertext Transfer Protocol Secure), 431–432
- digital certificates, 390–391
- hubs, 611
- human observation, 270
- HUMINT, 22
- HVAC (heating, ventilation, and air conditioning), 108
- hybrid cloud services, 703
- hybrid cryptosystems, 380
- hypervisor, 725–726
I
- IaaS (infrastructure as a service), 704
- IAM (identity and access management), 36, 47
- AD (Active Directory), 57
- auditing, 51–52
- enforcement, 52
- groups, 53
- identity data review, 48–49
- LDAP (Lightweight Directory Access Protocol) and, 55–56
- OpenID and, 57
- privilege and access review, 49
- RADIUS (remote authentication dial-in user service) and, 56
- system account access review, 50–51
- TACACS (Terminal Access Controller Access Control System) and, 56
- user access review, 50
- XTACACS (Extended Terminal Access Controller Access Control System) and, 56
- IANA (Internet Assigned Numbers Authority), 479
- ICANN (Internet Corporation for Assigned Numbers and Names), 479
- ICMP (Internet Control Message Protocol), 505
- ICSs (industrial control systems), 271
- IDaaS (identity as a service), 36
- IDEA (International Data Encryption Algorithm), 363
- identities,
- identity management lifecycle, 43–44
- authorization, 44–45
- deprovisioning, 46–48
- entitlement, 52–55
- IAM (identity and access maintenance), 48–52, 55–58
- proofing, 45–46
- provisioning, 46–48
- identity proofing,
- identity theft, APTs and, 150
- IDS (intrusion detection system)
- HIDS (host-based intrusion detection system), 606–607, 691–692
- NIDS (network-based intrusion detection system), 606–607
- IEEE 802.1X Port-Based Access Control Standard, 573
- IEEE 802.11 standard amendments, 626
- IGMP (Internet Group Management Protocol), 495, 505
- ILS (integrated logistics support), cryptography and, 440
- IMAP (Internet Message Access Protocol), 507
- impact assessments, 174–179
- inactivity lockout, 122
- incident response, 251
- administrative attack surfaces, 254
- alarms, 265–266, 273
- alternate processing, 310–313
- backups, 315–319
- causal agent, 276, 277
- CIRT (computer incident response team), 253
- containment, 275–277
- correlation, 270–271
- countermeasures, implementation, 283–284
- data recovery/restoration, 319–321
- detection, filtering and, 268–270
- drills, 322
- emergency response plan, 307–310
- BCPs (business continuity plans), 308
- contingency operations planning, 308
- critical asset protection planning, 309
- DRP (disaster recovery planning), 308
- physical security and safety planning, 309
- eradication, 277–278
- ethics, 289–291
- exercises, 322
- filtering, detection and, 268–270
- forensic investigation, 287–289
- indicators, 250, 265–266
- interim processing, 310–313
- IOCs (indicators of compromise), 250, 265–266, 266–267
- legal principles, 289–291
- mean time to repair or remediate, 255
- MTTD (mean time to detect), 254–255
- MTTE (mean time to eradicate), 254–255
- MTTR (mean time to respond), 254–255, 256
- NIST incident handling checklist, 258
- NOC (network operations center), 251
- observation, human observation, 270
- physical surfaces, 254
- preparation, 257–264
- priorities, 272
- real-time notification, 285
- recovery, 279–282
- redundancy, storage redundancy, 318–319
- reporting, 270
- restoration planning, 313–315
- safety and, 263
- signals, 265, 268
- SOC (security operations center), 251, 253
- testing, 322–325
- drills, 327
- environments, 325–326
- full interruption tests, 327
- parallel tests, 327
- read-throughs, 326
- simulations, 327
- tabletop assessment, 326
- walk-throughs, 326
- third-party services, 284–287
- training, 321–322
- triage, 251
- forensic triage, 275
- security events, 271–273
- incident response log, 262
- incident response team
- analysis, 262
- assessment, 262
- CERT, 260
- containment, 263
- control, 261–262
- CSIRT, 260
- documentation, 263
- eradication, 263
- investigation, 262
- kill chains, 264–265
- leadership and, 262
- point of contact, 261
- recovery, 263
- roles, 260–263
- structures, 260–263
- incidents, 250
- declaring, 273
- dwell times, 283
- ethics, 289–291
- events and, 250
- hostile events, 249
- kill chains, 155–156
- legal principles, 289–291
- lifecycle, 255–257
- mapping visually, 274–275
- precursors, 250, 251, 252
- real-time notification, 287
- rude awakenings, 250
- indicators, 250, 265–266
- information assets, 172
- information availability, 82
- information integrity, security and, 670–678
- information quality, security and, 670–678
- information security, 670–671
- data modeling, 671–673
- data preservation, lifecycle, 674–678
- information security incident, 251
- information systems asset management. See asset management
- information technology assets, 172
- input buffer overflows, 267
- insider breach, triage, 272
- insider threats, 686–688
- intangible assets, 172
- integrity, 79–81
- cryptography and, 337
- protection, 11
- security and, 70
- interim processing, 310–313
- Internet
- Internet layer (TCP/IP model), 505
- internet segments, 484–485
- intranets, 584–585
- inventory, 108–109
- data storage, 114–120
- hardware, 112–113
- licensing, 113–114
- process, 111
- software, 113–114
- system of record, 109–111
- tool, 109–111
- IoCs (indicators of compromise), 250, 265–267, 572–573
- IoT (Internet of Things)
- attacks, 565
- cryptography and, 441
- endpoint device security, 700–701
- IP addressing
- dynamic addresses, 510
- logical addressing, 491, 493
- static addresses, 510
- IP layer, network attacks, 543
- IP phone systems, 576
- IP spoofing, 544
- IP-based PBX, 613
- IPS (intrusion prevention system)
- HIPS (host-based intrusion prevention system), 606–607, 691–692
- NIPS (network-based intrusion prevention system), 606–607
- IPsec, 536
- AH (authentication headers), 426
- bump-in-the-stack, 427
- bump-in-the-wire, 427
- ESP (encapsulating security payloads), 426
- IP stack, 427
- ISAKMP (Internet Security Association and Key Management Protocol), 426
- KINK (Kerberized Internet Negotiation of Keys), 426, 536
- SA (security associations), 426
- transport mode, 427
- tunnel mode, 427
- IPv4
- address classes, 510–513
- broadcast messages, 511
- IPv6 comparison, 514–516
- network relationships, 521–524
- ports, 536
- topographies, 516–520
- transmission media, 525–530
- NAT (network address translation), 595
- packet format, 494
- packet headers, changes, 515
- subnetting, 512–513
- unicasting, 511–512
- IPv6
- improvements, 514
- packages, 515
- packet headers, changes, 515
- iris scan, biometric identification and, 28
- ISA-99, 194
- ISACA (Information Systems Audit and Control Association), 108
- ISA/IEC 62443, 194
- (ISC)2 Code of Ethics, 68–69
- ISCM (information security continuous monitoring), 219–222
- iSCSI (Internet Small Computer System Interface), 509
- ISO (International Organization for Standardization), 470
- isolation, malicious activity, 688
- ISP (Internet service provider), 475
- ITIL Framework, 192
- IV (initialization vector), 356
J
- job rotation, 99–100
- jump boxes, network-based security devices, 597
K
- Kaminsky, Dan, 481
- Kerberos, 573–574
- Kerckhoffs, Auguste, 344
- key encapsulation, 380
- key strength (cryptography)
- keying materials, 341
- kill chains, 148–149, 264–265
- conceptual model, 152
- data breach, 154
- events, 155–156, 267
- incidents, 155–156
- indicators, 265
- value chain and, 151–152
- Kindervag, John, 590
- KINK (Kerberized Internet Negotiation of Keys), 426, 536
- known-plaintext algorithm attack, 402
- KPIs (key performance indicators), 221
- KRIs (key risk indicators), 584
- Krißler, Sascha, 369
L
- Lai, Xuejia, 363
- LAN extenders, 610
- land-line systems, 478
- LANs (local area networks), –5
- LaPadula, Leonard, 10
- law of diminishing returns, 172
- layers, encapsulation, 476–477
- layers of abstraction, 468
- LEAP (Lightweight Extensible Authentication Protocol), 629
- least privilege, 52, 94–95
- LED, Li-Fi and, 618–619
- legal issues, 236–238
- length-extension attacks, 387
- licensing, 113–114
- lifecycle of a control, 106–107
- lifecycles, assets, 111–112
- Li-Fi, 618–619
- linear cryptanalysis, 408–409
- link closure, wireless, 617–618
- Link layer (TCP/IP model), 504–505
- LIRs (local Internet registries), 479
- living off the land attack, 659–660
- logbooks, 273–274
- malicious activity and, 686
- logging, 229–230
- logical addressing, 491
- logical connections, 475
- logical controls, 566
- logical surfaces, 254
- low-and-slow attacks, 551
M
- MAC (mandatory access control), 59
- network attacks, 541
- physical addressing, 491, 493
- MAC (media access control), 478–479
- malicious activity, 684–685
- access control and, 686
- countermeasures, 688–689
- endpoint behavior modeling, 686
- insider threats, 686–688
- security logs and, 686
- UBA (user behavior analytics), 687
- user behavior modeling, 686
- malware
- access control enforcement, 682
- command-and-control functions, 679
- countermeasures, 682–684
- description, 679–682
- endpoint passive monitoring, 679
- end-user interaction, 678
- end-user passive monitoring, 679
- supply chain protection, 682
- triage, 272
- weaponized, 653
- whitelisting, 682
- MANET (mobile ad hoc networks), 640
- man-in-the-browser attacks, 547
- MAO (Maximum Allowable Outage), 256, 310
- mapping, port mapping, 530–531
- mapping incidents, visually, 274–275
- Massey, James, 363
- math, digital encryption and, 336–337
- MD5 (Message Digest 5), 299
- MDM (mobile device management), 691
- BYOC (bring your own cloud), 623
- BYOD (bring your own device), 623
- BYOI (bring your own infrastructure), 623
- COPE (company owned personally enabled), 623
- CYOD (choose your own device), 623
- data retention policies, 624
- endpoint device security, 696
- endpoint security, 622–624
- jailbreaks, 624
- PED (personal electronic device), 622
- PMD (personal mobile device), 622
- meet-in-the-middle attacks, 407
- memorable information, 22
- merged systems, 663–664
- Merkle, Ralph, 374–375
- Merkle tree, 392
- mesh topography, 519–520
- message authentication codes, HMACs (hashed message authentication codes), 386–387, 416
- metrics, monitoring, 243–244
- MFA (multifactor authentication), 591
- microsegmentation, 491, 591
- MITM (man-in-the-middle) attacks, 404, 547, 554–556
- digital certificates, 390
- mobile phones, 620, 639–640
- modems, 611–612
- modules, cryptography, 345–347
- modulus, 381
- monitoring. See also network monitoring
- anomalies, 242–243
- baselines, 240–242
- documentation, 245–246
- event data, analysis, 244–245
- field of regard, 586–587
- findings, 245–246
- host-based, 586
- metrics, 243–244
- network-based, 587
- results, 269
- trends, 243–244
- visualizations, 243–244
- monitoring systems
- events of interest, 222–228
- ISCM (information security continuous monitoring), 220–222
- legal issues, 236–238
- logging, 229–230
- regulatory issues, 236–238
- source systems, 230–232
- applications, 233–234
- endpoints, 235
- external servers/services, 234
- IoT devices, 236
- network infrastructure devices, 235–236
- on-premises servers/services, 232–233
- platforms, 233–234
- workstations, 235
- MPLS (Multiprotocol Label Switching), 509
- MPPE (Microsoft Point to Point Encryption), 582
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), 582
- MTTD (mean time to detect), 254–255
- MTTE (mean time to eradicate), 254–255
- MTTR (mean time to respond), 254–255, 256
N
- NAC (network access control), 566
- name resolution, 475, 477
- NAS (network-attached storage), 509, 568
- NAT (Network Address Translation), 536
- network-based security devices, 594–595
- NAT-T (NAT-Traversal), 595
- NDAC (nondiscretionary access control), 59
- need to know, 61, 94, 98–99
- NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection), 194
- NetBIOS (Network Basic Input/Output System), 500
- network address, 512–513
- Network layer (OSI Layer 3)
- ARP (Address Resolution Protocol), 495
- best-efforts basis, 493
- brouters, 493–494
- connectionless protocols, 495
- connection-oriented protocols, 495
- logical addresses, 493
- packets, 494
- physical addresses, 493
- routing protocols, 495
- network management, 651
- network monitoring
- endpoints, 572–573
- IoCs (indicators of compromise), 571–572
- network-based monitoring, 587
- network-based security devices
- amplifiers, 610
- bridges, 612
- broadcast domain, 609
- cloud-hosted devices, 596
- collision domain, 609
- concentrators, 610
- endpoints, as security devices, 596–597
- firewalls, 598–605
- gateways, 602
- hubs, 611
- IDSs (intrusion detection systems), 605
- HIDS (host-based intrusion detection system), 606–607, 691–692
- NIDS (network-based intrusion detection system), 606–607
- IP-based PBX, 613
- IPSs (intrusion prevention systems), 605
- HIPS (host-based intrusion prevention system), 606–607, 691–692
- NIPS (network-based intrusion prevention system), 606–607
- jump boxes, 597
- modems, 611–612
- NAT (network address translation), 594–595
- proxies, 602
- repeaters, 610
- routers, 609–610
- servers, 597
- SIEM (security information and event management), 607–608
- switches, 609–610
- traffic, 613–614
- WAP (wireless access point), 612–613
- networks. See also wireless technologies
- address resolution, 475, 482
- addresses, 478
- addressing, 472, 477–479
- attacks, 536–537, 538
- accidents as, 541
- Applications layer (layer 7), 549–550
- assessment, 550–552
- DDoS, 553–554, 565
- DHCP attacks, 557–558
- DNS cache poisoning, 556–557
- enterprise networks, 561–562
- ICMP, 560–561
- industrial control systems, 563–564
- IoT devices, 565
- IP layer (layer 3), 543–545
- Link layer (layer 2), 541–543
- MITM (man-in-the-middle), 554–556
- Physical layer (layer 1), 539–541
- Presentation layer (layer 6), 548–549
- Session layer (layer 5), 546–548
- smurfing, 559–560
- SYN flooding, 558–559
- Transport layer (layer 4), 545–546
- VLANs, 563–564
- vulnerabilities, 550–552
- broadcast domain, 609
- cabling, 526–527
- baseband, 528
- broadband, 528
- characteristics, 529
- coaxial cabling, 528
- plenum rated, 488
- repeaters, 530
- STP (shielded twisted pair), 488
- twisted-pair, 528–529
- UTP (unshielded twisted pair), 488
- checksums, 504
- collision domain, 609
- data frames, 504
- datagrams, 471
- deserialization, 500
- device management, 591–592
- device placement, 586–587
- DNSSEC (DNS Security Extensions), 481
- encapsulation, 472, 475–477
- enterprise networks, attacks, 561–562
- Ethernet, 525–526
- flow control, 504
- handshakes, 471
- logical connections, 475
- name resolution, 475, 477
- NIC (network interface card), 479, 490
- OSI Model, 470–475
- packets, 472, 475–477, 496
- PDU (protocol data unit), 473
- physical connections, 475
- point of presence, 478
- ports, 530–534
- protocols, 471
- connectionless, 497
- connection-oriented, 496
- converged, 508–509
- cross-layer, 535–536
- relationships, 521
- client-server, 521–522
- P2P (peer to peer), 522–524
- routing, 472, 477–479
- AS (autonomous system), 482
- dedicated connections, 484
- dynamically routed connections, 482
- hardwired, 484
- static routing, 483–484
- RPCs (remote procedure calls), 498
- SDN (software-defined networking), 509
- segmentation, 472, 484–485
- serialization, 500
- software defined, 723–725
- subnets, 485
- switching, 472, 477–479, 478, 484
- TCP/IP, 469, 470
- addressing, 472
- datagrams, 471, 473–474
- encapsulation, 472
- handshakes, 471, 474–475
- network segmentation, 472
- packets, 472
- protocols, 471
- routing, 472
- switching, 472
- URLs, 472
- topographies, 516–520
- topologies, 490
- traffic, deviation, 267
- transmission media
- cabling, 526–530
- Ethernet, 525–526
- UDP (User Datagram Protocol), 473
- URLs (uniform resource locators), 472, 485–486
- virtual, 724
- zero-trust architecture, 485
- NFC (near-field communications), 620, 628
- NIC (network interface card), 479, 490
- NIDS (network-based intrusion detection system), 606–607
- NIPS (network-based intrusion prevention system), 606–607
- NIST 800-154 data-centric threat modeling, 182
- NIST incident handling checklist, 258
- NIST SP 800-37, 220
- NIST SP 800-137, 220
- NOC (network operations center), 65, 251
- Nohl, Karsten, 369
- noise sources, wireless, 617
- nonfunctional requirements, 665
- nonrepudiation, 90–91
- cryptography and, 337, 388
- requirements, 666
- security and, 71
- nonvolatile data, 302
- NPI (nonpublished personal information), 31, 86–87
- NSLs (National Security Letters), 90, 457, 712–713
- NTLM (NT LAN Manager), 352
- NTP amplification attacks, 551
- NVD (National Vulnerability Database), 133
O
- OASIS (Organization for the Advancement of Structured Information Systems), 37
- OAuth, 574
- object-based access control, 62–63
- objects, –7
- observation, human observation, 270
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 183
- OECD (Organization for Economic Cooperation and Development), 84–86
- OFDM (orthogonal frequency-division multiplexing), 645
- on-premises data center, cryptography and, 442–444
- OpenID, 574
- operating systems
- golden image, 279
- guest, 721–722
- host operating system, 721–722
- security, 650
- organizational code of ethics, 69–70
- OSA (open system authentication), 626–627
- OSI Seven-Layer Reference Model, 328, 469, 470, 486, 487
- addressing, 472
- Application layer (Layer 7), 501
- Data Link layer (Layer 2), 491–493
- datagrams, 471, 473–474
- encapsulation, 472
- handshakes, 471, 474–475
- Network layer (Layer 3), 493–495
- network segmentation, 472
- packets, 472
- Physical layer (Layer 1), 488–491
- Presentation layer (Layer 6), 500–501
- protocols, 471
- routing, 472
- Session layer (Layer 5), 497–499
- switching, 472
- Transport layer (Layer 4), 495–497
- URLs, 472
- OSPF (Open Shortest Path First), 495, 610
- enterprise networks attacks, 562
- outcomes-based risk, 170–171
- OWASP (Open Web Application Security Project), 128
P
- P2P (peer-to-peer) relationships, 522
- blockchain P2P, 524
- content sharing P2P, 523–524
- endpoints, 524
- native OS-supported P2P, 523
- PaaS (platform as a service), 704–705
- packet sniffing, 544, 556
- packets, 472, 475–477, 496
- PACS (physical access control systems), 23
- palm print, biometric identification and, 27
- PAN devices, 621
- PAP (Password Authentication Protocol), 578, 582
- parallel tests, 327
- Parkerian hexad, 72
- partitioning, guest operating system, 721
- passive security devices, network-based monitoring, 587
- passphrases, 19–21
- passwords, 16–19
- aging, 122
- escrow, 22–23
- recovery, 22–23
- reset, 22–23
- PASTA (Process for Attack Simulation and Threat Analysis), 183
- PAT (Port Address Translation), 536, 595
- path validation algorithm, 392
- PBX (private branch exchange), IP-based, 613
- PCI DSS (Payment Card Industry Data Security Standard), 105
- PCI SSC (PCI Security Standards Council), 194–195
- PDU (protocol data unit), 473
- PEAP (Protected Extensible Authentication Protocol), 629
- PED (personal electronic device), 622
- penetration testing, 259, 323, 701
- performance indicators, 584
- pervasive encryption architectures, 415
- PGP (pretty good privacy), 105, 430
- GnuPG, 365
- GPG (GNU Privacy Guard), 431
- OpenPGP, 365, 430–431
- PKI (Public Key Infrastructure), 364
- PHI (protected healthcare information), 31
- phishing attacks, 330–332
- physical addressing, 491
- physical assets, 108
- physical connections, 475
- physical controls, 122–124, 566
- controlled egress system, 124
- controlled entry system, 124
- malicious activity, 688
- Physical layer (OSI Layer 1), 488
- network attacks, 539–541
- network topologies, 490
- plenum rated cabling, 488
- protocols, 488–489
- segments, 491
- STP (shielded twisted pair) cabling, 488
- UTP (unshielded twisted pair) cabling, 488
- physical security, 138–139, 650
- data center, 142–143
- facility entrance, 141
- internal controls, 142
- parking, 141
- perimeter, 140–141
- property approach, 139–140
- SLAs (service-level agreements), 143–146
- physical security and safety planning, 309
- physical surfaces, 254
- PII (personally identifying information), 31, 86–87
- ping floods, 544
- ping packets, 559
- PINs, 22
- PIV (personal identity verification), 23
- PKI (Public Key Infrastructure), 364, 446–447
- asymmetric encryption, 448
- DEK (data encryption key), 451
- HSM (hardware security module), 451
- HSMaaS (hardware security module as a service), 451
- KEK (key encryption keys), 449, 451
- key destruction, 454–455
- key distribution, 451–452
- key escrow, 456–457
- key exchange, 452–453
- key expiration, 454
- key generation, 450–451
- key management vulnerabilities, 455
- key recovery, 457
- key revocation, 454
- key rotation, 453–454
- key size, 449–450
- key trust, 451–453
- PKI revolution, 464
- private keys, 448
- public keys, 448
- randomness, 450
- session keys, 448
- storage, 451
- symmetric encryption, 447–448
- plaintext, 338
- plenum rated cabling, 488, 527
- PMD (personal mobile device), 622
- policies, 125–126
- policy decision points, 567–568
- Popp, Nico, 591
- port assignments, 530–533
- port remapping, 530–531
- port scanning, triage, 272
- possession, security and, 70
- precursors, 250, 251, 252
- preparations, 257–259
- Presentation layer (OSI Layer 6)
- CIFS (Common Internet File System), 501
- deserializing, 500
- NetBIOS and, 500
- network attacks, 548–549
- serializing, 500
- SMB and, 500
- preventative controls, 103
- prime, 381
- print servers, logging and, 233
- privacy, 82–83, 651
- APEC Privacy Framework, 86
- cryptography and, 337, 421–422
- in information systems, 83–86
- in law, 83–86
- NPI, 86–87
- OECD, 84–86
- PII, 86–87
- in practice, 83–86
- private places, 87–89
- public places, 87–89
- security and, 71
- Universal Declaration of Human Rights, 84
- private cloud services, 702
- Private Endorsement Key, 411
- private key encryption, 372
- private places, 87–89
- privilege creep, 61, 99–100
- privilege escalation, triage, 272
- privileged accounts, 721
- privileges, –7
- least privilege, 52
- separation of duties, 52
- procedures, 127
- process-based risk, 171
- professional ethics, 67–68
- profit centers, 165–168
- promiscuous mode, 556
- proofing, 45–46
- properties, security
- * (star) property, 10, 11
- discretionary, 10
- simple integrity, 11
- SS (simple security), 10
- protocol data units, 472–474
- protocol stacks, 469
- protocols, 471
- CHAP, 578
- connectionless, 497
- connection-oriented, 496
- converged protocols, 508–509
- cross-layer, 535–536
- cryptography, 345–347
- EAP (Extensible Authentication Protocol), 578
- PAP (Password Authentication Protocol), 578
- Physical layer (OSI Layer 1), 488–489
- RADIUS (Remote Authentication Dial-In User Service), 578, 579
- TACACS (Terminal Access Controller Access Control System), 579
- TACACS+ (Terminal Access Controller Access Control System Plus), 578
- provisioning, 46–48
- PSTN (Public Switched Telephone Network), 576, 613
- pseudorandom numbers, 343
- public cloud services, 702
- public key encryption, 372
- public places, 87–89
Q
- qualitative risk assessment, information classification system, 179
- quantitative risk assessment
- ALE (annual loss expectancy), 175
- ARO (annual rate of occurrence), 175
- MAO (maximum acceptable outage), 176
- MTO (maximum tolerable outage), 176
- MTPOD (maximum tolerable period of disruption), 176
- MTTR (mean time to repair), 176
- RPO (recovery point objective), 176–177
- RTO (recovery time objective), 176
- safeguard value, 175
- SLE (single loss expectancy), 175
- quantum cryptanalysis, 409
- quantum cryptography, 378–380
- quantum mechanics, 378
- quarantine, 276–277
- malicious activity, 688
- remediation and, 570
R
- radio transmission, wireless communication, 620–621
- RADIUS (Remote Authentication Dial-In User Service), 578, 579
- rainbow tables, 351
- random, description, 350
- ransom attacks, 249, 272, 671
- RBAC (role-based access control), 61
- RCE (remote code execution), 550
- read-down, 416
- read-up problems, –9
- real-time compliance monitoring, 226–228
- recent access history, 22
- recovery, 279–280
- backups, 280–281
- data recovery, 280–281
- golden image, 279
- post recovery, 282
- recovery operations, 313
- redundancy
- cloud security, 719–720
- storage redundancy, 318–319
- regulatory issues, 236–238
- regulatory requirements, cryptography and, 423
- related-key attacks, 394, 407
- remediation
- captive portals and, 570
- quarantine and, 570
- validation, 216–217
- remote access, 575
- centralized remote authentication services, 578–579
- context, 576
- IPsec VPN, 583
- security management, 578
- thin clients, 577
- VPNs (virtual private networks), 579–580
- repeaters, 610
- replay attacks, 407–408
- reporting, 270
- repudiation, cryptography and, 418–420
- resilience, virtual environments, 727
- restarts, unplanned, 267
- restoration planning, 313–315
- results, analysis, 238–240
- retina scan, biometric identification and, 28
- reverse engineering, 678
- reviews, 128–130
- RFID (radio frequency identification), 628
- Rijmen, Vincent, 361
- Rijndael algorithm, 361
- ring topography, 516
- collisions, 517
- FDDI ring networks, 517
- token rings, 517
- RIP (Routing Information Protocol), 495, 507, 508, 544, 610
- RIPE NCC (Réseaux IP Européens Network Coordination Centre), 481
- RIRs (regional Internet registries), 479
- risk
- asset-based, 172
- baselines and, 218–219
- bases, 168–173
- outcomes-based, 170–171
- process-based, 171
- threat-based, 173
- timeline, 177
- vulnerability-based, 173
- risk management, 156, 157–158. See also RMFs (risk management frameworks)
- BIA (business impact analysis), 184–185
- business case, 165–168
- compliance and, 184–185
- cost centers, 165–168
- impact assessments, 174–179
- processes, 158
- risk definitions, 156–157
- risk reporting, 159–164
- risk timeline, 177
- risk visibility, 159–164
- threat modeling, 179–183
- asset-centric approach, 180–181
- attacker-centric approach, 180
- CORAS, 183
- NIST 800-154 data-centric, 182
- OCTAVE, 183
- PASTA, 183
- SDL (secure development lifecycle), 181–182
- software-centric approach, 181
- STRIDE, 181–182
- system-centric approach, 181
- systems-of-systems-centric approach, 181
- TRIKE, 183
- VAST, 183
- vulnerabilities, 173
- risk mitigation controls, 120
- risk register, 160–161
- risk reporting, 159–160
- CVSS, 163–164
- risk register, 160–161
- threats, intelligence sharing, 161–162
- risk treatment, 195
- acceptance, 196–197
- avoidance, 199
- controls, 200–203
- elimination, 199
- mitigation, 198
- recast, 199
- remediation, 198
- residual risk, 200
- transfer, 197
- RiskIT, 192–193
- Rivest, Ron, 370
- RMFs (risk management frameworks), 185–190
- COBIT, 192–193
- COSO, 191–192
- FIPS, 190–191
- HITRUST, 193
- ISA-99, 194
- ISA/IEC 62443, 194
- ITIL Framework, 192
- NERC CIP, 194
- PCI SSC, 194–195
- RiskIT, 192–193
- root certificate, 460
- route poisoning, 508
- routing, 472, 478
- AS (autonomous system), 482
- dedicated connections, 484
- dynamically routed connections, 482
- hardwired, 484
- hold-down timers, 508
- route poisoning, 508
- split horizon, 508
- static routing, 483–484
- RPCs (remote procedure calls), 498
- RSA (Rivest-Shamir-Adleman), 374, 377–378
- RTO (Recovery Time Objective), 256
- rude awakenings, 249
- RUM (real-user monitoring), 227–228
S
- SaaS (software as a service), 705
- safety, 263–264
- cryptography and, 422
- requirements, 665
- security and, 71
- salting, 351–353
- SAML (Security Assertion Markup Language), 36–38, 574
- SAN (storage area network), 509
- sandboxing, malicious activity and, 688
- SAs (security associations), 583
- SCADA (supervisory control and data acquisition), 271, 501
- industrial control systems attacks, 563–564
- SCAP (Security Content Automation Protocol), 134
- Schneier, Bruce, 395–396
- scoping guidance, 128
- SCTP (Stream Control Transmission Protocol), 499
- SDL (secure development lifecycle), threat modeling, 181–182
- SDLC (systems development lifecycle) model, 111–112, 134–135
- vulnerability management
- access control, 660–661
- applications design, 661–662
- code movement, 661
- false invoice attack, 659–660
- hardware supply chain, 661
- lateral data, 661
- living off the land attack, 660
- software supply chain, 661
- user input, 662–663
- SDN (software-defined networking), 509
- search space, key strength, 393, 394
- secure browsing, endpoint device security and, 697–699
- secure cryptoprocessors, 410–413
- secure message digest, 385
- security. See also incident response
- accountability, 82
- authentication, 91–92
- authenticity, 70
- availability, 70, 81–82
- confidentiality, 70, 72–73
- corporate espionage, 77–79
- industrial espionage, 77–79
- intellectual property, 74–76, 74–77
- requirements, 665
- controls, 70
- compensating controls, 105–106
- corrective, 104
- detective controls, 103–104
- deterrent controls, 101–103
- dual control, 97
- implementation, 120–130
- least privilege, 94–95
- lifecycle, 106–107
- need to know, 61, 94, 98–99
- preventative, 103
- separation of duties, 95–98
- two-person integrity, 97
- functional requirements, 665
- integrity, 70, 79–81
- job rotation, 99–100
- nonfunctional requirements, 665
- nonrepudiation, 71, 90–91
- physical, 650
- possession, 70
- privacy, 71, 82–83, 89–90
- in information systems, 83–86
- in law, 83–86
- NPI, 86–87
- PII, 86–87
- in practice, 83–86
- privilege creep, 99–100
- ransom attacks, 249
- safety, 71, 92–93
- safety requirements, 665
- supply chain, 667
- transparency, 71
- utility, 70
- security assessment, 203–204
- assessment strategies, 213–215
- assessment-driven training, 212–213
- asset management, 218–219
- audit strategies, 213–215
- audits, findings, remediation, 217
- configuration control, 218–219
- configuration management, 218–219
- remediation validation, 216–217
- testing
- black-box, 207–208
- gray-box, 207–208
- OT&E, 206, 209–210
- penetration, ethical, 210–212
- reporting, 215–216
- requirements-driven, 206
- result interpretation, 215–216
- strategies, 213–215
- white-box, 207–208
- vulnerability scanning, 208–209
- reporting, 215–216
- result interpretation, 215–216
- workflow management, 204–206
- security awareness, 135–137
- security baselines, 128
- security classification, cryptography, 417
- security classification level,
- security culture building, 137–138
- security devices
- network-based, 593
- cloud-hosted devices, 596
- endpoints as security devices, 596–597
- firewall deployment, 602–604
- firewall disruptions, 604–605
- firewalls, 598–602
- gateways, 602
- jump boxes, 597
- NAT (network address translation), 594–595
- proxies, 602
- servers, 597
- wireless, 645–646
- security event information management, 597
- security models, –10
- Bell-LaPadula, 10
- Biba, Kenneth, 11
- Brewer and Nash model, 11
- Chinese Wall model, 11
- CIA, 71–72
- CIANA, 72
- Clark-Wilson model, 11
- Goguen-Meseguer model, 11
- Graham-Denning model, 11
- Parkerian hexad, 72
- security questions, 21–22
- segmentation, 484–485, 587
- defense in depth, 590
- DMZs (demilitarized zones), 589
- domain-based network architecture, 589
- endpoints and, 591
- firewalls, 604
- microsegmentation, 491, 591, 604
- security level, 590
- versus subnets, 587
- trust surfaces, 590
- VLANs (virtual LANs), 588–589
- zero-trust architecture, 590–591
- self-inflicted attacks, 593
- semiprime numbers, 374
- separation of duties, 52, 61, 95–98
- serialization, 500
- servers
- network-based security devices, 597
- security log, 232
- service provision model, 521
- services, directory services, 233
- session keys, encryption, 372
- Session layer (OSI Layer 5), 497
- full duplex, 499
- half-duplex, 499
- network attacks, 546–548
- simple operation, 499
- session sniffing, 547
- sessions, 652
- SHA-1 (Secure Hash Algorithm-1), 299
- Shannon, Claude, 344
- shared key generation, 372
- shared responsibility model, cloud security, 718–719
- shared storage, 729–730
- shoulder-surfing,
- side-channel attacks, 393, 404–406
- AES, 362
- guest operating system, 722
- SIEM (security incident and event management), 221, 607–608
- signals, 265, 268
- simplex operation, 499
- simulations, 327
- single sign-off, 574
- SIP (Session Initiation Protocol), 577
- SKA (shared key authentication), 626–627
- SLAs (service level agreements), 143–144, 305, 701
- AWS (Amazon Web Services), 144–145
- ethical penetration testing, 701
- service monitoring, 145–146
- SMB (server message block), 480, 500, 548
- S/MIME (Secure/Multipurpose Internet Mail Extension), 390, 432–433
- SMTP (Simple Mail Transfer Protocol), 507
- smurf amplifiers, 559
- smurfing attacks, 559–560
- SNMP (Simple Network Management Protocol), 507, 535
- SOC (security operations center), 65, 251, 253
- social engineering, 252, 330
- phishing attacks, 330–332
- software
- inventory, 113–114
- supply chain security, 667
- software security
- antivirus, 668
- positive control models, 668
- software vulnerabilities, 654–655
- development, 655–656
- built-in vulnerabilities, 656–657
- code library use, 657
- coding practices, 657
- data modeling, 657–658
- data typing enforcement, 657–658
- design patterns, 656
- vulnerability management, 658–659
- false invoice attack, 659–660
- living off the land attack, 660
- SDLC risks, 660–663
- software-centric approach, threat modeling, 181
- software-defined networks, 723–725
- SOHO (small office/home office), –5
- something you are, biometric identification, 26
- body weight, 27
- considerations, 30–32
- facial recognition, 28
- fingerprints, 27
- iris scan, 28
- palm print, 27
- retina scan, 28
- something you do, 28
- distress codes, 30
- handwriting dynamics, 29
- keystroke dynamics, 29
- signature, 29
- voice print, 29
- something you have
- security tokens, 25–26
- smart cards, 23–24
- something you know, 16
- memorable information, 22
- passphrases, 19–21
- password escrow, 22–23
- password recovery, 22–23
- password reset, 22–23
- passwords, 16–19
- PINs, 22
- recent access history, 22
- security questions, 21–22
- somewhere you are, 32
- source systems, 230–232
- applications, 233–234
- endpoints, 235
- external servers/services, 234
- IoT devices, 236
- network infrastructure devices, 235–236
- on-premises servers/services, 232–233
- platforms, 233–234
- workstations, 235
- SPAP (Shiva Password Authentication Protocol), 582
- spear phishing attacks, 331
- split horizon, 508
- split knowledge, PKI and, 458–459
- SQL (Structured Query Language), attacks and, 550
- SS (simple security) property, 10
- SCADA (Supervisory Control and Data Acquisition), 652
- SSCP (Systems Security Certified Practitioner), 65
- SSH (Secure Shell), 507
- SSL (Secure Sockets Layer), 427
- SSO (single-sign on)
- AD (Active Directory), 34
- integrated Windows Authentication, 35
- logging, 233
- SAML-based systems, 35
- smart cards, 35
- TGT (ticket granting ticket) systems, 34
- STAMP (Systems Theoretic Accident Model and Process), 93
- standards, 126–127
- star topology, 518–519
- stateful communications processes, 534
- stateless communications processes, 534
- statements of principles, 69. See also ethics
- static IP addresses, 510
- STIX (Structured Threat Information eXpression) language, 609
- STP (shielded twisted pair) cabling, 488, 529
- stream ciphers, 365–366
- A5/1, 369–370
- A5/2, 369–370
- common, 368
- keystream generators, 366
- practical stream ciphers, 367–368
- RC4 (Rivest Cipher 4), 370
- Salsa20/ChaCha20, 370–371
- stream versus streaming, 353
- STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), 181–182
- subdomains, 479
- subject-based access control, 62
- subjects, –7
- subnets, 485
- subnetting, IPv4, 512–513
- supply chain relationships, cloud services and, 701
- supply chain security, 667
- surfaces, 254
- switching, 472, 478, 484
- SWOT (strengths, weaknesses, opportunities, and threats), 69–70
- symmetric algorithms, 341
- symmetric ciphers, 409
- symmetric encryption, 337
- symmetric encryption algorithms, 353
- SYN flooding attacks, 558–559
- SYN-ACK packet, 558
- syntax layer. See Presentation layer (OSI Layer 6)
- synthetic transactions, 227–228
- system logs, 232
- system-centric approach, threat modeling, 181
- systems availability, 82
- systems management, 651
- systems-of-systems-centric approach, threat modeling, 181
T
- table top assessment, 326
- TACACS (Terminal Access Controller Access Control System), 579
- TACACS+ (Terminal Access Controller Access Control System Plus), 578
- tangible assets, 172
- TCG (Trusted Computing Group), 695
- TCP (Transmission Control Protocol), 505
- TCP/IP (Transmission Control Protocol/Internet Protocol), 469, 470
- addressing, 472
- datagrams, 471, 473–474
- encapsulation, 472, 562–563
- flag fields, 506
- handshakes, 471, 474–475, 496
- name resolution, 479–481
- network segmentation, 472
- packets, 472
- protocols, 471
- routing, 472
- switching, 472
- URLs, 472
- TCP/IP reference model, 501–503
- Application layer, 507–508
- Internet layer, 505
- Link layer, 504–505
- Transport layer, 505–506
- teardrop attacks, 544
- TECHINT, 22
- technical controls, 121–122
- telltales, 266
- Telnet, 507
- testing, 259–260, 322–325
- black-box, 207–208, 324
- drills, 327
- environments, 325–326
- full interruption tests, 327
- gray-box, 207–208, 324
- OT&E, 206, 209–210
- parallel tests, 327
- penetration, ethical, 210–212
- penetration testing, 259, 323, 701
- read-throughs, 326
- reporting, 215–216
- requirements-driven, 206
- result interpretation, 215–216
- simulations, 327
- strategies, 213–215
- table top assessment, 326
- walk-throughs, 326
- war games, 323
- white-box, 207–208, 324
- zero-knowledge, 324
- thin clients, 577
- third-party connections, 41–42
- threat hunting activities, 546
- threat modeling, 179–180
- asset-centric approach, 180–181
- attacker-centric approach, 180
- CORAS, 183
- NIST 800-154 data-centric, 182
- OCTAVE, 183
- PASTA, 183
- SDL, 181–182
- software-centric approach, 181
- STRIDE, 181–182
- system-centric approach, 181
- systems-of-systems-centric approach, 181
- TRIKE, 183
- VAST, 183
- threat surface, 543
- threat-based risk, 173
- threats
- advanced persistent threats, 550
- advanced threat detection, 684
- insider threats, 686–688
- intelligence sharing, 161–162
- UTM (Unified Threat Management), 592
- time details, 303
- timeouts, 122
- TKIP (Temporal Key Integrity Protocol), 625, 629
- TLP (Traffic Light Protocol), –8
- TLS (Transport Layer Security), 390–391
- DHE (Diffie-Hellman Ephemeral), 429
- ECDHE, 429
- ephemeral key exchange and, 429
- forward secrecy and, 429
- handshake, 428
- inspection, 677
- OSI model and, 427
- RTT (round-trip time), 429
- TLS cipher suite, 429
- topographies
- topologies, 490
- TORs (terms of reference), 305, 701
- TPMs (Trusted Platform Modules), 411
- endpoint device security, 695
- Private Endorsement Key, 411
- traffic
- analysis, 546
- flow, deviation, 267
- monitoring, 546
- training, incident response and, 321–322
- transaction processing, cryptography and, 439
- transactions, synthetic transactions, 227–228
- TRANSEC (transmission security), 642–644
- DSSS (direct sequence spread spectrum), 645
- FHSS (frequency hopping spread spectrum), 644–645
- OFDM (orthogonal frequency-division multiplexing), 645
- transmission media
- cabling, 526–530
- Ethernet, 525–526
- transparency
- cryptography and, 423–424
- security and, 71
- Transport layer (OSI Layer 4), 495–496
- connectionless protocols, 497
- connection-oriented protocols, 496–497
- handshake, 496
- network attacks, 545–546
- packets, 496
- ports, 496
- Transport layer (TCP/IP model), 505–506
- trapdoor functions, 374
- trends, monitoring, 243–244
- triage, 251
- forensic triage, 275
- security events, 271–273
- TRIKE, 183
- trust anchors, 39
- trust architectures, 38
- chain of trust, 39
- extranets, 40
- DMZ and, 41
- EDI and, 40
- SOAs and, 40
- third-party connections, 41–42
- trust relationships
- hierarchical, 39
- one-way, 39
- transitive, 39
- two-way, 39
- web, 39
- zero trust architectures, 42–43
- trust domains, 38
- trust hierarchies, 459–460
- CAs (certificate authorities), 460
- trust relationships
- hierarchical, 39
- one-way, 39
- transitive, 39
- two-way, 39
- web, 39
- web of trust, 462–464
- trust surfaces, 590
- trusted installers, 53
- TLSA (TLS trust anchors), 481
- twisted-pair cabling, 528–529
- Twofish, 362–363
- two-person integrity, 97
- Type 1 errors, 12
- Type 2 errors, 12
- Type I authentication factor, 13
- Type II authentication factor, 13
- Type III authentication factor, 13
U
- UASs (untended or uncrewed aerial systems), cryptography and, 441
- UBA (user behavior analytics), 687
- UDP (User Datagram Protocol), 473, 495, 505
- unauthorized access, triage, 272
- unicasting, 511–512
- Universal Declaration of Human Rights, 84
- URLs (uniform resource locators), 472, 485–486
- US-CERT (Computer Emergency Readiness Team), TLP (Traffic Light Protocol), –8
- user hijacking, 551
- user identities,
- users, RUM (real-user monitoring), 227–228
- utility
- cryptography and, 337
- security and, 70
- UTM (Unified Threat Management), 592
- UTP (unshielded twisted pair) cabling, 488
V
- value chain, 151–152
- values, 69. See also ethics
- VAST (Visual, Agile, and Simple Threat Modeling), 183
- vigilance by walking around, 252–253
- virtual environments, 720
- appliances, 726–727
- attacks, 727–729
- containerization, 722–723
- continuity, 727
- countermeasures, 727–729
- desktop, 723
- endpoint security, 723
- resilience, 727
- shared storage, 729–730
- snapshot management, 722
- system image management, 722
- virtual networks, 724
- virtual networks, 724
- virtualization
- forensics and, 304
- serverless services, 708–709
- VMs (virtual machines), 706–707
- containerization, 707
- hypervisor, 706, 725–726
- security, 706–707
- visibility appliances, 587
- visualizations, monitoring, 243–244
- visually mapping incidents, 274–275
- VLANs (virtual local area networks)
- attacks, 563
- segmentation, 588–589
- VLC (visible light communications), 618
- VMs (virtual machines), 706–707
- VoIP (voice over IP), 495
- volatile data, 302
- VPNs (virtual private networks), 276, 579–580
- cryptography and, 437–438
- digital certificates, 390
- downsides, 699–700
- IPsec VPN, 583
- L2TP (Layer 2 Tunneling Protocol), 583
- PPTP (point-to-point tunneling protocol), 582–583
- protocols, 582
- tunneling, 580–582
- vulnerabilities, 173
- cryptography and, 444–446
- vulnerability management, 658–659
- false invoice attack, 659–660
- living off the land attack, 660
- SDLC
- access control, 660–661
- applications design, 661–662
- code movement, 661
- false invoice attack, 659–660
- hardware supply chain, 661
- lateral data, 661
- living off the land attack, 660
- software supply chain, 661
- user input, 662–663
- vulnerability scanning, 208–209
- reporting, 215–216
- result interpretation, 215–216
- vulnerability-based risk, 173
W
- walk-throughs, 326
- WANETs (wireless ad hoc networks), 640
- WAP (wireless access point), 612–613, 626–627, 630–634
- access point placement, 632–633
- access point testing, 632–633
- EAP (Extensible Authentication Protocol)
- infrastructure mode, 633
- SSIDs (service set identifiers), 633–634
- Wi-Fi site survey, 631–632
- war dialing, 635
- war droning, 635
- war games testing, 323
- weak forward secrecy, 373
- weak keys, 363
- weaponized malware, 653
- web browser, 485
- web crawler, 485
- web isolation technology, 591
- web of trust, 462–464
- web page, 485
- web trust relationships, 39
- WEP (Wired Equivalent Privacy), 370, 624–625, 626–627
- whaling attacks, 331
- white-box testing, 324
- whitelisting, 53, 668, 670, 693
- whois functions, 480
- Wi-Fi, 620
- disabling, 276
- IEEE 802.11i, 627–628
- OSA (open system authentication), 626–627
- portals, captive, 635
- protocols, 625–626
- SKA (shared key authentication), 626–627
- standards, 625–626
- WAP (wireless access point), 626–627, 630–634
- access point placement, 632–633
- access point testing, 632–633
- infrastructure mode, 633
- SSIDs (service set identifiers), 633–634
- Wi-Fi site survey, 631–632
- WEP (Wired Equivalent Privacy), 624–625, 626–627
- wireless attacks, 635–637
- WPA (Wi-Fi Protected Access), 370, 625, 626–627
- authentication, 628–630
- CCMP, 629–630
- EAP, 630
- encryption, 628–630
- TKIP, 629
- WPA2 (Wi-Fi Protected Access Version 2), 625, 627–628
- wired communication, 478
- wireless attacks, 539–540, 635–637
- wireless backhaul networks, 616
- wireless connections
- Bluetooth, 620
- mobile phone, 620
- NFC (near-field communications), 620
- radio transmitter, 620–621
- Wi-Fi, 620
- wireless security devices, 645–646
- wireless technologies, 615
- ad hoc networks, 640–642
- Bluetooth, 637–638
- communication systems, 616–617
- endpoints, 621–622
- Li-Fi, 618–619
- mobile phone systems, 639–640
- NFC (near-field communications), 628
- radios, unlicensed, 620–621
- TRANSEC (transmission security), 642–644
- Wi-Fi, 620
- captive portals, 635
- disabling, 276
- IEEE 802.11i, 627–628
- OSA, 626–627
- protocols, 625–626
- SKA, 626–627
- standards, 625–626
- WAP, 626–627, 630–634
- WEP, 624–625, 626–627
- wireless attacks, 635–637
- WPA, 370, 625, 626–630
- WPA2, 625, 627–628
- wireless connections, 619–620
- wireless security devices, 645–646
- workflow management, 204–206
- workflow processing, cryptography and, 439
- workspaces, collaborative, 329
- WPA (Wi-Fi Protected Access), 370, 625, 626–627
- authentication, 628–630
- CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 629–630
- EAP (Extensible Authentication Protocol), 630
- encryption, 628–630
- TKIP (Temporal Key Integrity Protocol), 629
- WPA2 (Wi-Fi Protected Access Version 2), 625, 627–628
- write-down problems, –9
X–Y–Z
- X.509 certificate, 391–392
- X.500 Directory Access Protocol Standard, 573
- XSRF (cross-site request forgery), 550
- XSS (cross-site scripting), 550
- zero-knowledge testing, 324
- zero-trust architecture, 42–43, 485