Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.
A
AAA (Authentication, Authorization, and Accounting), 343–344
ABAC (attribute-based access control), 382
Abstract Syntax Notation One (ASN.1) encoding rules, 565
acceptable use policies (AUPs), 410
accepting risk strategy, 432
access control
ABAC, 382
DAC, 381–382
identity and access. See identity and access services
MAC, 381
models, 379–383
RBAC, 382
rule-based, 382–383
access control lists (ACLs)
description, 380
error handling, 86
firewalls, 106
misconfigurations, 89
routers, 121
violations troubleshooting, 170
access points (APs)
antenna types and placement, 129–130
band selection/width, 128
controller-based vs. standalone, 130
fat vs. thin, 130
MAC filtering, 128
rogue, 43
signal strength, 128
SSIDs, 127–128
troubleshooting, 172
accounting
description, 344
RADIUS, 371–372
TACACS+, 368
accounts
credential management, 354
default, 250
disabling, 356
expiration, 355
general concepts, 350–354
Group Policy objects, 355
guest, 349
locking out, 356
maintenance, 352
misconfigurations, 89
password complexity, 355
password history, 357
password length, 357
password reuse, 357
policy enforcement, 354–358
privileged, 349
questions, 358–362
recovery, 356
review, 358
service, 349
shared and generic, 348–349
user, 347–348
ACLs. See access control lists (ACLs)
active-active load balancers, 126
active logging, 471
active-passive load balancers, 126
active reconnaissance, 72–73
active tools, 156–157
Acunetix WVS (Web Vulnerability Scanner), 153
ad hoc networks, 227
Address Resolution Protocol (ARP), 32–33
Adleman, Leonard, 518
administrative controls, 220, 434
Advanced Encryption Standard (AES), 514–515
advanced malware tools, 162
advanced persistent threat (APT) attacks
description, 60
penetration testing, 74
adverse actions, 411
adware, 7–8
AES (Advanced Encryption Standard), 514–515
affinity-based scheduling for load balancers, 126
after-action reports for continuity of operation planning, 453
agent NAC, 135
agentless NAC, 135
aggregation in SIEM, 131
aggregation switch placement, 235
agile model, 275–276
agreement types, 404–405
AHs (Authentication Headers) in IPSec, 112–115
aircraft, 267–268
AirSnort sniffing program, 43, 530
aisles, hot and cold, 330
alarms, 323
ALE (annual loss expectancy), 425–426
all-glass cockpits, 267–268
all nines keys, 327
alternate business practices, 454
alternate processing sites, 453–454
always-on VPNs, 116
amplification attacks, 33
analysis engines in NIDS, 117
analytics for NIDSs and NIPSs, 119
annual loss expectancy (ALE), 425–426
annualized rate of occurrence (ARO), 426
anomalies
logs and events, 170
NIDSs, 118
anonymizing proxies, 124
ANT connections, 185–186
antenna types and placement, 129–130
anti-scale fencing, 322
anti-XSS input libraries, 31
antispoofing for routers, 121
antivirus (AV) applications, 161
Apache Software Foundation, 218
Apple App Store, 192
appliances operating systems, 246
application-based firewalls, 106–107
application cells in virtualization, 296
application development and deployment
code quality and testing, 285–288
compiled vs. runtime code, 288–289
development lifecycle models, 275–277
DevOps, 277–279
provisioning and deprovisioning, 280
questions, 289–294
review, 289
secure coding techniques, 280–285
version control and change management, 279–280
application layer
firewall proxies, 105
OSI model, 576
application/service attacks
amplification, 33
ARP poisoning, 32–33
buffer overflow, 29–30
cross-site request forgery, 32
cross-site scripting, 31
DDoS, 27–29
DNS poisoning, 33–35
domain hijacking, 35
DoS, 26–27
driver manipulation, 38–39
hijacking and related attacks, 37–38
injection, 30–31
man-in-the-browser, 36
man-in-the-middle, 29
overview, 25–26
pass the hash, 37
privilege escalation, 32
replay, 36–37
spoofing, 39–41
zero day, 36
applications
managing, 187–188
policies, 412
proxies, 124–125
server guides, 219
vulnerability scanners, 152–153
whitelisting and blacklisting, 162, 249–250
APs. See access points (APs)
APT (advanced persistent threat) attacks
description, 60
penetration testing, 74
architecture frameworks, 215
benchmarks and secure configuration guides, 217–219
industry-standard, 216–217
network. See secure network architectures
questions, 236–240
review, 236
architecture weaknesses, 93
argon fire suppression systems, 331
armored viruses, 4
ARO (annualized rate of occurrence), 426
ARP (Address Resolution Protocol), 32–33
arp command, 159–160
ARP poisoning, 32–33
ASN.1 (Abstract Syntax Notation One) encoding rules, 565
ASs (authentication servers) in Kerberos, 364
asset value (AV), 426
assets
managing, 177
undocumented, 92–93
asymmetric algorithms, 517
cryptography, 494–495
DH Groups, 519
DHE, 519
Diffie-Hellman, 518–519
DSA, 518
ECC, 519
ECDHE, 519
PGP and GPG, 520
RSA, 518
attacks
application/service. See application/service attacks
cryptographic, 47–50
description, 17
questions, 51–56
review, 50–51
social engineering, 18–25
wireless, 42–47
attestation, 243
attribute-based access control (ABAC), 382
auditing and review
permissions, 350
usage, 350–351
AUPs (acceptable use policies), 410
authentication
AAA, 343–344
vs. access control, 379–380
accounts. See accounts
biometrics, 327–328
certificate-based, 392–393
context-aware, 191
cryptography, 506
issues, 177
multifactor, 344–346
questions, 358–362
RADIUS, 370
review, 358
single sign-on, 347
TACACS+, 366
transitive trusts, 347
wireless security, 532–534
Authentication, Authorization, and Accounting (AAA), 343–344
Authentication Headers (AHs) in IPSec, 112–115
authentication servers (ASs) in Kerberos, 364
authority in social engineering attacks, 24
authorization
description, 344
penetration testing, 431
RADIUS, 370–371
TACACS+, 366–367
vulnerability testing, 431
automated alerting in SIEM, 131
automated courses of action, 308
automatic fire suppression systems, 332
automation. See resiliency and automation strategies
AV (antivirus) applications, 161
AV (asset value), 426
availability
license compliance violation, 176
MTTR, 421
avoiding risk strategy, 432
awareness training, role-based, 407–409
B
backdoors, 9–10
background checks, 407
backups
differential, 449
full, 450
geographic considerations, 450–452
incremental, 449
overview, 448–449
snapshots, 450
utilities, 155
band selection and width for access points, 128
banner grabbing, 155–156
barricades, 328–329
baseline deviations, 176
baselining
DevOps, 278
secure, 254
Basic Input/Output System (BIOS), 243
basic packet filtering in firewalls, 105
BCRYPT mechanism, 522
behavioral NIDSs, 117–118
benchmarks for architecture frameworks, 217–219
best evidence rule, 465
BIA. See business impact analysis (BIA)
biometrics
calculation example, 389
crossover error rate, 388–389
facial recognition, 386
false positives and false negatives, 386–388
fingerprint scanners, 385
iris scanners, 385–386
overview, 384–385
retinal scanners, 385
something you are, 345
voice recognition, 386
BIOS (Basic Input/Output System), 243
birthday attacks, 47
bit-level error-correcting code, 314
black box penetration testing, 75
blacklisting
applications, 249–250
spam filters, 135
block operations
cryptography, 501–502
symmetric algorithms, 517
block-striped with error check, 314
Bloover program, 45
Blowfish algorithm, 515
Blue Pill rootkit, 7
bluejacking, 44
bluesnarfing, 45
Bluetooth connections, 184–185
body language, 18
bollards, 328–329
Bosch, Robert, 267
bots, 8
BPAs (business partnership agreements), 404
brandjacking attacks, 38
bridge CAs, 558
bridges, 138
bring your own device (BYOD) deployment model, 197
broadband EMI, 325
BTUs, 329
buffers
vulnerabilities, 90–92
bump keys, 327
burn-down charts, 277
burning data, 478
business impact analysis (BIA)
identification of critical systems, 421
impact, 422–423
mission-essential functions, 421
MTBF, 420
MTTR, 420–421
overview, 419
privacy impact assessment, 423
privacy threshold assessment, 423
questions, 435–440
review, 435
RTO and RPO, 420
single points of failure, 421–422
business partnership agreements (BPAs), 404
business process vulnerabilities, 89
BYOD (bring your own device) deployment model, 197
byte-striped with error check, 314
C
cabinets, 323
cable locks, 334
cabling, 324
caching proxies, 125
CACs (Common Access Cards), 392
cages, 322
callback verification for spam filters, 136
cameras
digital, 252
embedded systems, 265–266
mobile devices, 194
surveillance, 334–335
camouflage, 283
CAN (controller area network) bus, 267
CAN-SPAM Act, 135
CAPI (CryptoAPI), 504
captive portals, 535–536
capturing
system images, 466
video, 467
carbon dioxide (CO2) fire suppression systems, 331
cards, 329
carrier unlocking, 193
CAs (certificate authorities)
online vs. offline, 552
PKI, 544–547
trust models, 554–558
CASBs (cloud access security brokers), 300–301
category definitions for incident response plans, 442
CBC (Cipher Block Chaining), 516
CC (Common Criteria for Information Technology Security Evaluation), 249
CCMP (Counter Mode with Cipher Block Chaining–Message Authentication Code Protocol), 531
CCTV (closed-circuit television), 334–335
cellular connections, 184
Center for Internet Security (CIS), 218
CER (crossover error rate), 388–389
CER files, 565
certificate authorities (CAs)
online vs. offline, 552
PKI, 544–547
trust models, 554–558
certificate-based authentication, 392–393
Certificate Revocation Lists (CRLs), 547–549
certificate signing requests (CSRs), 550
Certificate usage field for certificates, 550
certificates
asymmetric algorithms, 494–495
certificate-based authentication, 392–393
improper management, 94
IPSec, 114
PKI. See public key infrastructure (PKI)
troubleshooting, 171
certification practices statements (CPSs), 546
chain-link-type fencing, 322
chain of custody, 462–463
Challenge Handshake Authentication Protocol (CHAP), 366, 368–369
Change Control Boards, 433
change management, 279–280, 432–433
chip cards, 384
choose your own device (CYOD) deployment model, 197
CIP (Critical Infrastructure Cybersecurity), 216
Cipher Block Chaining (CBC), 516
ciphers
description, 491
vulnerabilities, 89–90
ciphertext
attacks, 47
description, 492
CIS (Center for Internet Security), 218
classes of fire, 332
classic Bluetooth mode, 185
clean-agent fire suppression systems, 331
clean desk policies, 407
clear box testing, 75
cleartext credentials, 169
clickjacking attacks, 37
client-side execution and validation, 284
closed-circuit television (CCTV), 334–335
closed ports, scanning for, 148
cloud access security brokers (CASBs), 300–301
cloud-based DLP in SIEM, 133
Cloud Computing Security Reference Architecture, 216
cloud storage
CASBs, 300–301
deployment models, 298–299
vs. on-premise and hosted, 300
overview, 297–298
questions, 302–306
review, 301
VDI/VDE, 300
CO2 (carbon dioxide) fire suppression systems, 331
COBO (corporate-owned, business only) deployment model, 197
code
code signing certificates, 562
code signing process, 283
compiled vs. runtime, 288–289
obfuscation, 501
reuse, 283–284
code quality and testing
dynamic analysis, 286–287
model verification, 288
overview, 285–286
sandboxing, 288
secure coding. See secure coding techniques
static code analyzers, 286
stress testing, 287–288
cold sites, 447
collectors, 233
collisions in hashing, 49–50, 496, 500
command-line tools, 157–160
Common Access Cards (CACs), 392
Common Criteria for Information Technology Security Evaluation (CC), 249
common port assignments, 581–582
Common Vulnerabilities and Exposures (CVE), 308
community clouds, 299
compensating controls, 434
competent evidence, 465
competitor attacks, 61
compiled code, 288–289
compliance in data security and privacy, 483–485
computer certificates, 563
computer forensics. See digital forensics
conficker botnet, 8
confidential data, 480
confidentiality in cryptography, 506
configuration control, 433
configurations
compliance scanners, 153–154
default, 87
IPSec, 109–111
operating systems, 248–249
rollback to known configuration, 311
secure configuration guides, 217–219
troubleshooting, 171–173
validation, 308
weak, 173
confused deputy problems, 32
confusion in cryptography, 500
connection methods for mobile devices, 183–186
connection oriented protocols, 579
consensus in social engineering attacks, 24
constraints in cryptography, 506
contactless access cards, 383–384
containerization, 191
containers in virtualization, 296
containment in incident response process, 445
content filters
description, 172
proxies, 125
spam, 136
content management, 188
context-aware authentication, 191
CONTINUE packets in TACACS+, 366
continuing education, 410
continuity of operation planning, 452–454
continuous integration, 278
continuous monitoring, 308
contractors, 21
control diversity, 220–221
controller area network (CAN) bus, 267
controller-based access points, 130
Coordinated Universal Time (UTC), 131
COPE (corporate owned, personally enabled) deployment model, 197
corporate-owned, business only (COBO) deployment model, 197
corrective controls, 434
correlation engines, 233
correlation in SIEM, 131
Counter Mode (CTM), 516–517
Counter Mode with Cipher Block Chaining–Message Authentication Code Protocol (CCMP), 531
counterintelligence gathering, 470–471
CPSs (certification practices statements), 546
CRC (cyclic redundancy check) in hashing algorithms, 468
credentialed vulnerability scanning, 77
credentials
unencrypted, 169
criminal activity, 59
Critical Infrastructure Cybersecurity (CIP), 216
critical systems, identifying, 421
CRLs (Certificate Revocation Lists), 547–549
cross-site request forgery (XSRF), 32, 86
cross-site scripting (XSS), 29, 31, 86
crossover error rate (CER), 388–389
cryptanalysis, 492
crypto-malware, 4–5
CryptoAPI (CAPI), 504
cryptographic algorithms
asymmetric, 517–520
cipher modes, 516–517
hashing, 520–522
key stretching, 522
obfuscation, 523–524
questions, 524–527
review, 524
symmetric algorithms, 513–515
cryptographic attacks
birthday, 47
known plaintext/ciphertext, 47
password, 47–50
vulnerabilities, 89–90
cryptographic concepts
asymmetric algorithms, 494–495
collisions, 500
common use cases, 505–507
confusion, 500
data-at-rest, 503
data-in-transit, 503
data-in-use, 503
diffusion, 500
digital signatures, 499
elliptic curve cryptography, 497
ephemeral keys, 502
fundamental methods, 492
hashing functions, 495–497
implementation plans, 504–505
key exchange, 498
key strength, 502
obfuscation, 501
objectives, 498
overview, 491–492
perfect forward secrecy, 505
questions, 507–511
random number generation, 504
review, 507
secret algorithms, 503
security through obscurity, 505
session keys, 502
steganography, 500–501
stream vs. block operations, 501–502
symmetric algorithms, 492–494
weak and deprecated algorithms, 498
cryptographic modules, 505
cryptographic service providers (CSPs), 504
cryptography
IPSec, 114–115
tokens, 391
wireless security, 530–532
CryptoLocker ransomware, 5
CSF (Cybersecurity Framework), 216–217
CSPs (cryptographic service providers), 504
CSRs (certificate signing requests), 550
CTM (Counter Mode), 516–517
CTM/CTR mode, 516–517
custodial crews, 61
custodians of data, 482
custom firmware for mobile devices, 193
CVE (Common Vulnerabilities and Exposures), 308
cyber-incident response teams, 443
Cyber Observable Expression (CybOX), 11
Cybersecurity Framework (CSF), 216–217
cyclic redundancy check (CRC) in hashing algorithms, 468
CYOD (choose your own device) deployment model, 197
D
DAC (discretionary access control), 381–382
DAP (Directory Access Protocol), 364
data acquisition
evidence rules, 465–466
evidence standards, 465
evidence types, 465
hashing algorithms, 468
network traffic and logs, 467
overview, 464
record time offset, 467
screenshots, 468
system images, 466
video capture, 467
witness interviews, 469
data-at-rest, 503
Data Encryption Standard (DES), 498, 513–514
data execution protection (DEP), 163
data exfiltration, 171
data exposure secure coding techniques, 285
data-in-transit, 503
data-in-use, 503
data link layer in OSI model, 578
data loss prevention (DLP)
data exfiltration, 171
description, 163
mail gateways, 137
SIEM, 132–133
data owners in role-based awareness training, 408
data rates in Bluetooth, 185
data sanitization tools, 154
data security and privacy
data sensitivity labeling and handling, 479–482
destruction and media sanitization, 477–479
legal and compliance, 483–485
overview, 479–480
questions, 486–488
retention, 482–483
review, 485
roles, 482
data sovereignty for backups, 452
database security, 393–394
DCSs (distributed control systems), 262
DDoS (distributed denial-of-service) attacks
mitigators, 235
overview, 27–29
dead code, 283–284
dedicated parity drives, 314
deep-freeze software, 176
default accounts and passwords, disabling, 250
default configurations vulnerabilities, 87
defense-in-depth security, 220–221
Defense Information Security Agency (DISA), 218
defenses for impersonation, 21–22
degaussing, 479
delay-based spam filtering, 136
demilitarized zones (DMZs), 222–223
demonstrative evidence, 465
denial-of-service (DoS) attacks
overview, 26–27
Smurf attacks, 39–40
deny commands for ACLs, 106
DEP (data execution protection), 163
deployment models
applications. See application development and deployment
cloud storage, 298–299
mobile devices, 196–198
deprecated cryptographic algorithms, 498
deprovisioning, 280
DER (Distinguished Encoding Rules), 565
dereference, pointer, 91–92
DES (Data Encryption Standard), 498, 513–514
design weaknesses, 93
destruction, data, 477–479
detection devices for fire, 332–333
detective controls, 434
deterrent controls, 433
development environment, 253
development lifecycle models
Scrum, 276–277
waterfall vs. agile, 275–276
XP, 277
DevOps
baselining, 278
continuous integration, 278
immutable systems, 279
infrastructure as code, 279
overview, 277–278
security automation, 278
DH (Diffie-Hellman) groups, 519
DHE (Diffie-Hellman Ephemeral), 519
dictionary attacks, 48–49
differential backups, 449
differential cryptanalysis, 492
Diffie, Whitfield, 494
Diffie-Hellman (DH) groups, 519
Diffie-Hellman Ephemeral (DHE), 519
Diffie-Hellman key exchange, 114, 498, 518–519
diffusion in cryptography, 500
dig command, 158–159
digital cameras, 252
digital forensics
chain of custody, 462–463
data acquisition, 464–469
legal holds, 463–464
order of volatility, 461–462
preservation, 469–470
questions, 472–476
recovery, 470
review, 471
strategic intelligence gathering, 470–471
tracking man-hours, 471
Digital Signature Algorithm (DSA), 518, 521
Digital Signature Standard (DSS), 521
digital signatures
CRLs, 548
overview, 499
direct evidence, 465
directories, LDAP, 363–364
Directory Access Protocol (DAP), 364
directory services, 207
DISA (Defense Information Security Agency), 218
disabling
accounts, 356
default accounts and passwords, 250
ports and services, 247–248
disassociation attacks, 46–47
disaster recovery
backups, 448–452
continuity of operation planning, 452–454
order of restoration, 448
overview, 446–447
questions, 455–459
recovery sites, 447
review, 454
discretionary access control (DAC), 381–382
discretionary actions, 411
displays, 251
Disposal Rule, 483
dissolvable NAC, 134
distance considerations for backups, 451
Distinguished Encoding Rules (DER), 565
distributed control systems (DCSs), 262
distributed denial-of-service (DDoS) attacks
mitigators, 235
overview, 27–29
distribution, 324
distribution points for CRLs, 549
distributive allocation, 312
DLLs (dynamic link libraries), 92
DLP. See data loss prevention (DLP)
DMZs (demilitarized zones), 222–223
DNS (Domain Name Service), 204
checks for spam, 136
poisoning, 33–35
spoofing, 35
DNSSEC (Domain Name System Security Extensions), 35, 204, 208
Document Object Model (DOM) process, 31
documentary evidence, 465
documented incident types, 442
DOM-based XSS attacks, 31
DOM (Document Object Model) process, 31
domain name resolution, 208
Domain Name Service (DNS), 204
checks for spam, 136
poisoning, 33–35
spoofing, 35
Domain Name System Security Extensions (DNSSEC), 35, 204, 208
domains
hijacking, 35
PKI, 564
doors, 328
DoS (denial-of-service) attacks
overview, 26–27
Smurf attacks, 39–40
downgrade attacks, 50
driver manipulation attacks, 38–39
DSA (Digital Signature Algorithm), 518, 521
DSS (Digital Signature Standard), 521
dumpster diving, 22
dynamic analysis of code, 286–287
dynamic learning in port security, 123
dynamic link libraries (DLLs), 92
dynamic NAT, 227
E
e-mail
encryption, 137–138
personal, 412
personnel issues, 175
secure protocols, 207
SIEM, 133
spam, 135–137
e-mail certificates, 563
EAP (Extensible Authentication Protocol)
description, 532
messages, 44
TACACS+, 366
EAP-FAST (EAP Flexible Authentication via Secure Tunneling), 532
EAP-TLS protocol, 533
EAP-TTLS protocol, 533
ECB (Electronic Code Book), 516
ECC (elliptic curve cryptography), 494, 497, 519
ECDH (Elliptic Curve Diffie-Hellman), 519
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), 519
ECPA (Electronic Communications Privacy Act), 466
EDH (Ephemeral Diffie-Hellman) key exchange, 502
EDR (enhanced data rate), 184
EDUROAM project, 533–534
egress spam filtering, 136
elasticity, 312
electromagnetic interference (EMI)
Faraday cages, 324–325
sources, 244
electromagnetic pulse (EMP), 244
Electronic Code Book (ECB), 516
Electronic Communications Privacy Act (ECPA), 466
electronic key exchange, 518
Electronic Privacy Information Center (EPIC) website, 484
elite hackers, 59–60
elliptic curve cryptography (ECC), 494, 497, 519
Elliptic Curve Diffie-Hellman (ECDH), 519
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), 519
embedded systems
camera, 265–266
home automation, 263–264
HVAC, 264
overview, 261
printers and MFDs, 265
questions, 269–273
review, 268
RTOS, 264–265
SCADA, 262
smart devices, 262–263
SoC, 264
special-purpose, 266–268
vulnerabilities, 85
wearable technology, 263
EMI (electromagnetic interference)
Faraday cages, 324–325
sources, 244
EMP (electromagnetic pulse), 244
Encapsulating Security Payload (ESP), 112–115
encapsulation, message, 580–581
enclaves, 228–229
enclosures, 323
encryption. See also cryptographic concepts; cryptography
FDE and SEDs, 242
full device, 191–192
hardware security modules, 139
mail gateways, 137–138
secure coding techniques, 283
end-entity certificates, 560–561
end-of-life system vulnerabilities, 84
Enforce password history option, 357
enforcement and monitoring mobile devices
camera use, 194
carrier unlocking, 193
custom firmware, 193
external media, 194
firmware OTA updates, 193–194
GPS tagging, 195
payment methods, 196
recording microphones, 195
rooting/jailbreaking, 192–193
sideloading, 193
SMS/MMS, 194
tethering, 196
third-party app stores, 192
USB OTG, 194–195
Wi-Fi direct/ad hoc, 195–196
enhanced data rate (EDR), 184
enrollment in biometrics, 327–328
Enterprise mode in wireless security, 534
environment and environmental controls
fire suppression, 330–333
hot and cold aisles, 330
HVAC, 329–330
system design, 253–254
threat assessment, 424
Ephemeral Diffie-Hellman (EDH) key exchange, 502
ephemeral keys, 502
EPIC (Electronic Privacy Information Center) website, 484
eradication in incident response process, 445
error handling
secure coding techniques, 281
vulnerabilities, 86–87
escalation in incident response plans, 443
escalation of privilege in penetration testing, 74–75
escape protection for VMs, 297
ESP (Encapsulating Security Payload), 112–115
EV (extended validation) certificates, 564
events
anomalies, 170
deduplication in SIEM, 132
evidence
chain of custody, 462–463
data acquisition, 464–469
legal holds, 463–464
order of volatility, 461–462
preservation, 469–470
evil twin attacks, 43
exclusionary rule, 466
exclusive OR (XOR) cipher operation, 523
execution, server-side vs. client-side, 284
executive users awareness training, 409
exercises for continuity of operation planning, 452–453
exit interviews, 407
expiration of accounts, 355
exploitation frameworks, 154
extended validation (EV) certificates, 564
Extensible Authentication Protocol (EAP)
description, 532
messages, 44
TACACS+, 366
Extensions field for certificates, 550
external media for mobile devices, 194
external storage devices, 252
external threats
actors, 62
assessment, 424–425
extranets, 223
Extreme Programming (XP), 277
F
facial recognition, 386
failover in continuity of operation planning, 453
Fair Credit Reporting Act, 483
fake URL attacks, 38
false acceptance rate (FAR), 387–388
false positives and negatives
biometrics, 386–387
NIDSs/NIPSs, 119
vulnerability scanning, 77–78
false rejection rate (FRR), 388
familiarity in social engineering attacks, 25
FAR (false acceptance rate), 387–388
Faraday cages, 324–325
fat access points, 130
fault tolerance, 313
FDE (full disk encryption), 242
FE-13 fire suppression systems, 331
Federal Communications Commission (FCC), 325
Federal Risk and Authorization Management Program (FedRAMP), 217
Federal Trade Commission (FTC), 483
federation, 346
fencing, 322
file integrity checks, 161
file system security, 393
file transfer, 207
filtered ports, scanning for, 148
filters
content, 172
MAC, 128
packet, 233–234
screen, 334
spam, 135–137
finance issues in business impact analysis, 423
fingerprint scanners, 327, 385
fire suppression, 330
clean-agent, 331
fire detection devices, 332–333
handheld fire extinguishers, 331–332
water-based, 330–331
firewalls
ACLs, 106
application-based vs. network-based, 106–107
DMZs, 222
host-based, 161–162
implicit deny rule, 107
operation, 105–106
overview, 103–105
placement, 234
secure network administration principles, 108
stateful vs. stateless, 107
troubleshooting, 172
WAF, 162–163
firmware
mobile devices, 193–194
system design, 241–244
fixed-temperature fire detectors, 333
flame-activated fire detectors, 333
flood guards for switches, 123–124
FOIA (Freedom of Information Act), 484
forensics. See digital forensics
form submissions in cross-site request forgery, 32
forward proxies, 124
forward secrecy protection in WPA2, 531
Fourth Amendment to the U.S. Constitution, 466
Freedom of Information Act (FOIA), 484
FRR (false rejection rate), 388
FTC (Federal Trade Commission), 483
FTPS, 205
full backups, 450
full device encryption, 191–192
full disk encryption (FDE), 242
full tunnel VPN concentrators, 115
funding threat actors, 62
fuzzing, 286–287
G
gain, antenna, 129
Galois Counter Mode (GCM), 516
gates, 322
gateways
IPSec, 110
mail, 135–138
media, 139
proxies, 124
GCM (Galois Counter Mode), 516
general purpose guides for architecture frameworks, 219
general security policies, 411–412
generic accounts, 348–349
geofencing, 188–189
geographic considerations for backups, 450–452
geolocation, 189
gets() function, 30
Global Positioning System (GPS)
description, 188–189
GPS tagging, 195
Gnu Privacy Guard (GPG), 520
Google Play, 192
GPOs (Group Policy objects), 355
GPS (Global Positioning System)
description, 188–189
GPS tagging, 195
Gramm-Leach-Bliley Act, 484
gray box penetration testing, 75–76
Great Firewall of China, 35
group-based access control, 352–354
Group Policy objects (GPOs), 355
guards, 322–323
guest accounts, 349
guest zones, 225
H
hacktivists, 58
halocarbon fire suppression systems, 331
handheld fire extinguishers, 331–332
hardening operating systems, 248
hardware
roots of trust, 244
system design, 241–244
hardware security modules (HSMs), 139, 242–243
hardware tokens, 391
Hashed Message Authentication Code (HMAC), 496, 521–522
hashing algorithms
cryptography, 495–497
data acquisition, 468
HMAC, 521–522
MD5, 520
SHA, 520
Health Insurance Portability and Accountability Act (HIPAA), 481–483
hearsay rule, 466
Heartbleed buffer overflow, 30
heating, ventilation, and air conditioning (HVAC) systems, 264, 329–330
Hellman, Martin, 494
help desk, 21
heuristic NIDSs, 117–118
HIDSs (host-based intrusion detection systems), 161
hierarchical trust models, 555–559
high availability, 313
high resiliency systems in cryptography, 506
high-security locks, 326–327
high speed Bluetooth mode, 185
highly structured threats, 60
hijacking and related attacks, 35, 37–38
HIPAA (Health Insurance Portability and Accountability Act), 481–483
HIPSs (host-based intrusion prevention systems), 161
HITECH Act, 483
HITRUST Common Security Framework, 217
HMAC (Hashed Message Authentication Code), 496, 521–522
HMAC-based One-Time Password (HOTP) algorithm, 392
HMI (human–machine interface), 262
hoaxes, 23
home automation, 263–264
honeypots, 155
host-based firewalls, 161–162
host-based intrusion detection systems (HIDSs), 161
host-based intrusion prevention systems (HIPSs), 161
host health checks in NAC, 134
host vulnerability scanners, 150–151
hosted services vs. cloud storage, 300
hostile situations, 18
hot and cold aisles, 330
hot sites, 447
hotfixes for operating systems, 247
HOTP (HMAC-based One-Time Password) algorithm, 392
HSMs (hardware security modules), 139, 242–243
HTTPS (Hypertext Transfer Protocol Secure), 206
human–machine interface (HMI), 262
humidity, 329
HVAC (heating, ventilation, and air conditioning) systems, 264, 329–330
hybrid clouds, 299
hybrid password attacks, 49
hybrid spam filtering, 137
hybrid trust models, 557–558
Hypertext Transfer Protocol Secure (HTTPS), 206
hypervisors, 295–296
I
IaaS (Infrastructure as a Service), 298, 309
ICCs (integrated circuit cards), 384
ICMP (Internet Control Message Protocol)
ping packets, 27
scanning, 147–148
ICSs (industrial control systems), 262
identification, 343–344
critical systems, 421
federation, 346
questions, 358–362
review, 358
vulnerability, 76
identification phase in incident response process, 444–445
identity and access management controls
biometric factors, 384–389
certificate-based authentication, 392–393
database security, 393–394
file system security, 393
models, 379–383
physical access control, 383–384
questions, 394–399
review, 394
tokens, 389–392
identity and access services
CHAP, 368–369
Kerberos, 364–365
LDAP, 363–364
MSCHAP, 369
NTLM, 373–374
OAUTH, 372–373
OpenID Connect, 372
PAP, 369
questions, 374–378
RADIUS, 369–372
review, 374
SAML, 372
secure token, 373
Shibboleth, 373
TACACS+, 365–368
IDSs (intrusion detection systems). See network-based intrusion detection systems (NIDSs)
IEEE 802.1X authentication standard, 392–393, 533
ifconfig command, 160
IKE (Internet Key Exchange), 114
IKMP (Internet Key Management Protocol), 114
images, master, 310
IMAP, 206
immutable systems, 279
impact
business. See business impact analysis (BIA)
risk assessment, 427
impersonation, 21–22
implementation plans for cryptography, 504–505
implicit deny rule for firewalls, 107
improper certificate and key management, 94
improper error handling, 86–87
improper input handling, 85–86
in-band NIDSs/NIPSs, 118
incident response plans
cyber-incident response teams, 443
documented incident types and category definitions, 442
exercises, 444
overview, 442
questions, 455–459
reporting requirements and escalation, 443
review, 454
roles and responsibilities, 442–443
incident response process
containment, 445
eradication, 445
identification phase, 444–445
lessons learned, 446
overview, 444
preparation phase, 444
questions, 455–459
recovery, 446
review, 454
incremental backups, 449
indicators of compromise (IOCs), 10–11
industrial control systems (ICSs), 262
industry-specific frameworks, 217
industry-standard frameworks, 216–217
Inergen fire suppression systems, 331
information classifications, 381
Information Sharing Analysis Centers (ISACs), 63–64
Information Sharing and Analysis Organizations (ISAOs), 64
information warfare, 59–60
InfraGard program, 63–64
infrared (IR)
connections, 186
detection, 336
Infrastructure as a Service (IaaS), 298, 309
infrastructure as code, 279
infrastructure attacks, 60
initial exploitation in penetration testing, 74
initialization vectors (IVs)
attacks, 43
hashing functions, 497
WEP, 530
injection attacks
DLL, 92
SQL, 30–31
inline NIDSs and NIPSs, 118
input handling vulnerabilities, 85–86
input validation in secure coding techniques, 281–282
integer overflows, 91
integrated circuit cards (ICCs), 384
integrity
cryptography, 506
license compliance violation, 176
measurement, 254–255
intelligence gathering, 470–471
intent of threat actors, 62–63
interconnection security agreements (ISAs), 405
interference
EMI, 244
Faraday cages, 324–325
internal threats
actors, 62
assessment, 424–425
international frameworks, 217
Internet Control Message Protocol (ICMP)
ping packets, 27
scanning, 147–148
Internet Key Exchange (IKE), 114
Internet Key Management Protocol (IKMP), 114
Internet of Things (IoT), 262–263, 266
Internet Protocol (IP)
description, 574
overview, 579–580
Internet protocols, 573–574
IP, 579–580
message encapsulation, 580–581
TCP, 578–579
UDP, 579
Internet Security Association and Key Management Protocol (ISAKMP), 114
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 564
interviews in data acquisition, 469
intimidation in social engineering attacks, 24
intranets, 224
intrusion detection systems (IDSs). See network-based intrusion detection systems (NIDSs)
intrusive vulnerability scanning, 77
IOCs (indicators of compromise), 10–11
ionization smoke detectors, 333
IoT (Internet of Things), 262–263, 266
IP addresses
load balancers, 126
NAT, 225–227
routers, 121
spoofing, 39
IP-based cameras, 334–335
ip command, 160
IP (Internet Protocol)
description, 574
overview, 579–580
ipconfig command
description, 160
ipconfig /displaydns, 34
ipconfig /flushdns, 34
IPSec
AH and ESP, 114–115
configurations, 109–111
overview, 109
transport mode, 112–114
tunnel mode, 112–113
IR (infrared)
connections, 186
detection, 336
iris scanners, 385–386
ISACs (Information Sharing and Analysis Centers), 63–64
ISAKMP (Internet Security Association and Key Management Protocol), 114
ISAOs (Information Sharing and Analysis Organizations), 64
ISAs (interconnection security agreements), 405
ISO (International Organization for Standardization), 574
Issuer field for certificates, 550
IVs (initialization vectors)
attacks, 43
hashing functions, 497
WEP, 530
J
jailbreaking mobile devices, 192–193
jamming attacks, 43
job rotation, 406
K
Kerberos, 364–365
key distribution centers (KDCs), 364
Key Distribution Servers (KDSs), 365
key escrow in PKI, 559
key exchange in cryptographic concepts, 498
KEY files, 565
key strength in cryptography, 502
key stretching in cryptography, 504, 522
keyboards, wireless, 250–251
keyloggers, 7–8
keys
3DES, 514
asymmetric algorithms, 494–495
Blowfish, 515
improper management, 94
PKI. See public key infrastructure (PKI)
RC4, 515
symmetric algorithms, 492–493
WEP, 530
WPA, 531
keyword spam filtering, 136
kiosks, 246
known plaintext attacks, 47
L
LAMP stacks, 309
LAN Manager (LANMAN), 373–374
laptop thefts, 326
Last Known Good Configuration option, 311
layered security, 220–221
LDAP (Lightweight Directory Access Protocol), 205, 363–364
LE (Low Energy) Bluetooth mode, 185
leaf CAs, 555
least functionality for operating systems, 248
least privilege principle, 350
legal holds in digital forensics, 463–464
legal implications
backups, 451
data security and privacy, 483–485
length of passwords, 357
lessons learned in incident response process, 446
level control for user accounts, 250
libraries, third-party, 285
license compliance violation, 176
life impact in business impact analysis, 422
lifecycle models, 275–276
lighting, 321
Lightweight Directory Access Protocol (LDAP), 205, 363–364
likelihood of occurrence, 426–427
linear cryptanalysis, 492
litigation holds in digital forensics, 463–464
live boot media, 311
load balancers
overview, 125–127
placement, 234–235
local area networks, 229
location-based policies, 354
location selection for backups, 451
locking out accounts, 356
locks
cable, 334
types, 325–327
logic bombs, 9
logs
active logging, 471
anomalies, 170
data acquisition, 467
security, 336
SIEM, 132
loop prevention for switches, 123
Low Energy (LE) Bluetooth mode, 185
low latency operations in cryptography, 505
low power devices for cryptography, 505
LSB encoding, 501
Lyon, Gordon, 160
M
MAC (mandatory access control), 381
MAC addresses. See Media Access Control (MAC) addresses
machine certificates, 563
mail gateways
DLP, 137
encryption, 137–138
spam filters, 135–137
maintenance of accounts, 352
malware
advanced tools, 162
adware, 7–8
backdoors, 9–10
bots, 8
crypto-malware, 4–5
description, 3–4
indicators of compromise, 10–11
keyloggers, 7
logic bombs, 9
polymorphic, 4
questions, 12–16
ransomware, 5
RATs, 8–9
review, 11
rootkits, 6–7
spyware, 8
Trojans, 6
viruses, 4
worms, 5
man-hours, tracking, 471
man-in-the-browser (MitB) attacks, 36
man-in-the-middle attacks, 29
managed security service providers (MSSPs), 300
mandatory access control (MAC), 381
mandatory vacations, 405–406
manmade threats, 424
mapping tools, 149
master images, 310
Maximum password age setting, 357
MBSA (Microsoft Baseline Security Analyzer), 151–152
MD5 (Message Digest 5), 468, 496, 498, 520–521
MDM. See mobile device management (MDM)
mean time between failures (MTBF), 420
mean time to repair (MTTR), 420–421
Media Access Control (MAC) addresses
filtering, 128
port security, 122–123
spoofing, 39
WEP, 530
media gateways, 139
media sanitization, 477–479
medical devices, 266–267
memorandums of agreement (MOAs), 405
memorandums of understanding (MOUs), 405
memory
secure coding techniques, 285
vulnerabilities, 90–92
memory leaks, 90–91
Message Digest 5 (MD5), 468, 496, 498, 520–521
message encapsulation, 580–581
Metasploit framework, 154
MFDs (multifunction devices)
description, 251–252
embedded systems, 265
mice, wireless, 251
microphones for mobile devices, 195
MicroSD cards, 251
Microsoft Baseline Security Analyzer (MBSA), 151–152
Microsoft Challenge Handshake Authentication Protocol (MSCHAP), 369
MIME (Multipurpose Internet Mail Extensions), 204
Minimum password age setting, 357
mirrored disks, 314–315
misconfigurations
troubleshooting, 171–173
mission-essential functions, 421
MitB (man-in-the-browser) attacks, 36
mitigating risk strategy, 432
MMS (Multimedia Messaging Service), 194
MOAs (memorandums of agreement), 405
mobile device management (MDM)
application management, 187–188
biometrics, 191
containerization, 191
content management, 188
context-aware authentication, 191
full device encryption, 191–192
geofencing, 188–189
geolocation, 189
overview, 187
passwords and pins, 190
push notification services, 189–190
remote wipe, 188
screen locks, 189
storage segmentation, 191
mobile devices
connection methods, 183–186
deployment models, 196–198
enforcement and monitoring, 192–196
MDM. See mobile device management (MDM)
operating systems, 246
questions, 198–201
review, 198
model verification for code, 288
modes of operation for symmetric algorithms, 493–494, 516–517
monitoring, continuous, 308
Morris finger worm, 30
motion detection, 335
motivation of threat actors, 62–63
MOUs (memorandums of understanding), 405
MS SGC Authorities, 551
MSCHAP (Microsoft Challenge Handshake Authentication Protocol), 369
MSSPs (managed security service providers), 300
MTBF (mean time between failures), 420
MTTR (mean time to repair), 420–421
multifactor authentication, 344–346
multifunction devices (MFDs)
description, 251–252
embedded systems, 265
multilevel security, 381
Multimedia Messaging Service (MMS), 194
multiple encryption, 514
Multipurpose Internet Mail Extensions (MIME), 204
multipurpose proxies, 124–125
N
NAC (network access control), 133–135
naming conventions for accounts, 351–352
NAP (Network Access Protection), 133–134
narrowband EMI, 325
NAS (network-attached storage) devices, 252
NAT (Network Address Translation)
firewalls, 105
overview, 225–227
nation states, 59–60
National Checklist Program (NCP) Repository, 218
national frameworks, 217
National Software Reference Library (NSRL), 468
National Vulnerability Database (NVD), 218
NCP (National Checklist Program) Repository, 218
NDAs (non-disclosure agreements), 409
Near Field Communication (NFC), 46, 185
Needham-Schroeder symmetric key protocol, 364
Nessus vulnerability scanner, 150–151
NetBus backdoor, 10
netcat command, 160
netstat command, 158
network access control (NAC), 133–135
Network Access Protection (NAP), 133–134
network address allocation, 208
Network Address Translation (NAT)
firewalls, 105
overview, 225–227
network analyzers, 145–147
network-attached storage (NAS) devices, 252
network-based firewalls, 106–107
network-based intrusion detection systems (NIDSs)
analytics, 119
anomalies, 118
heuristic/behavioral, 117–118
in-band vs. out-of-band, 118
inline vs. passive, 118
overview, 116–117
rules, 118–119
signature-based, 117
network-based intrusion prevention systems (NIPSs), 116
analytics, 119
in-band vs. out-of-band, 118
inline vs. passive, 118
rules, 118–119
network components
access points, 127–130
bridges, 138
firewalls, 103–108
hardware security modules, 139
load balancers, 125–127
mail gateways, 135–138
media gateways, 139
NAC, 133–135
NIPS/NIDS, 116–119
proxies, 124–125
questions, 140–144
review, 140
routers, 120–121
SIEM, 130–132
SSL decryptors, 139
SSL/TLS accelerators, 138–139
switches, 121–124
VPN concentrators, 108–116
network fabrics, 228
network infrastructure device guides, 219
network layer in OSI model, 577–578
Network Mapper (Nmap) scanner, 72–73, 147
network mapping tools, 149
network operating systems, 245
network scanners, 147–149
Network Time Protocol (NTP)
digital forensics, 462
time synchronization, 207
network traffic and logs in data acquisition, 467
networking frameworks and protocols
common port assignments, 581–582
Internet, 578–581
OSI model, 574–578
overview, 573–574
review, 582
new threats, 93
NFC (Near Field Communication), 46, 185
NFPA 75: Standard for the Protection of Information Technology Equipment, 330–331
NIDSs. See network-based intrusion detection systems (NIDSs)
Nimda worm, 5
NIPSs. See network-based intrusion prevention systems (NIPSs)
NIST Risk Management Framework, 172
nmap command, 160
Nmap (Network Mapper) scanner, 72–73, 147
non-credentialed vulnerability scanning, 77
non-disclosure agreements (NDAs), 409
non-intrusive vulnerability scanning, 77
non-persistence, 310
non-persistent XSS attacks, 31
non-regulatory frameworks, 216–217
non-repudiation in cryptography, 506
nonces, 497
normalization, 282
Notice of Privacy Practices (NPP), 481
notification services for mobile devices, 189–190
nslookup command, 33–34, 158–159
NSRL (National Software Reference Library), 468
NT LAN Manager (NTLM), 373–374
NTP (Network Time Protocol)
digital forensics, 462
time synchronization, 207
NVD (National Vulnerability Database), 218
O
Oakley protocol, 114
OAuth (Open Authorization) protocol, 372–373
obfuscation
overview, 523–524
secure coding techniques, 283
object identifiers (OIDs), 552
OCI (Open Container Initiative), 296
OCSP (Online Certificate Status Protocol), 549
OECD (Organisation for Economic Co-operation and Development), 485
off-site backups, 451
offboarding, 350
offline brute force attacks, 49
offline CAs, 552
OIDs (object identifiers), 552
omnidirectional antennas, 129
on-premise storage vs. cloud storage, 300
one-time password (OTP) generators, 345
online attacks
brute force, 49
description, 21
online CAs, 552
Online Certificate Status Protocol (OCSP), 549
online services for CRLs, 549
Open Authorization (OAuth) protocol, 372–373
Open Container Initiative (OCI), 296
open ports, scanning for, 148
open proxies, 125
Open Shortest Path First (OSPF) protocol, 123
open source intelligence, 63–64
Open System authentication, 535
Open Systems Interconnection (OSI) model
application layer, 576
data link layer, 578
message encapsulation, 580–581
network layer, 577–578
overview, 574–576
physical layer, 578
presentation layer, 577
session layer, 577
transport layer, 577
OpenID Connect, 372
OpenIOC tool, 11
OpenPGP standard, 520
operating systems (OSs)
accounts and passwords, 250
application whitelisting/blacklisting, 249–250
guides, 218
least functionality, 248
overview, 244–245
patch management, 247
ports and services, 247–248
secure configurations, 248–249
trusted, 249
types, 245–246
Operation Night Dragon, 60
Orange Book, 381
order of restoration in disaster recovery, 448
order of volatility in digital forensics, 461–462
Organisation for Economic Co-operation and Development (OECD), 485
Organization for Standardization, International (ISO), 574
organized crime, 59
OSI model. See Open Systems Interconnection (OSI) model
OSPF (Open Shortest Path First) protocol, 123
OSs. See operating systems (OSs)
OTA (over the air) firmware updates, 193–194
OTP (one-time password) generators, 345
out-of-band NIDSs and NIPSs, 118
outside parties, 21
over the air (OTA) firmware updates, 193–194
overflow
attacks, 29–30
vulnerabilities, 91
OWASP software error enumerations, 281
owners of data, 482
P
P7B files, 566
P12 files, 566
PaaS (Platform as a Service), 298
packet filters
description, 233–234
firewalls, 105
packet sniffers, 145–147
PACs (Protected Access Credentials), 532
Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks, 516
panel antennas, 130
PAP (Password Authentication Protocol) authentication, 369
pass the hash attacks, 37
passive reconnaissance, 72–73
passive tools
vs. active, 156–157
NIDSs/NIPSs, 118
vulnerability scanning, 76
Password Authentication Protocol (PAP) authentication, 369
Password-Based Key Derivation Function 2 (PBKDF2) mechanism, 522
passwords
attacks on, 47–50
brute force attacks, 49
collision attacks, 49–50
complexity, 355
crackers, 150
default, 250
dictionary attacks, 48–49
history, 357
HOTP/TOTP, 392
hybrid attacks, 49
length, 357
mobile devices, 190
one-time generators, 345
poor, 48
rainbow tables, 48
reuse, 357
screen locks, 189
something you know, 345–346
PAT (Port Address Translation), 227
patch management
operating systems, 247
tools, 162
Payment Card Industry Data Security Standards (PCI DSS), 229
payment methods for mobile devices, 196
PBKDF2 (Password-Based Key Derivation Function 2) mechanism, 522
PEAP (Protected EAP), 532
peer-to-peer trust models, 557
PEM (Privacy-enhanced Electronic Mail), 565
penetration testing
authorization, 431
black box, 75
concepts, 71–76
escalation of privilege, 74–75
gray box, 75–76
initial exploitation, 74
persistence, 74
pivoting, 74
questions, 78–82
reconnaissance, 72–73
review, 78
vs. vulnerability scanning, 76
white box, 75
perfect forward secrecy, 505
peripherals, 250–252
permanent NAC, 134
permissions
auditing and review, 350
database security, 393–394
file system security, 393
troubleshooting, 170
user accounts, 348
permit commands for ACLs, 106
persistence in penetration testing, 74
persistent XSS attacks, 31
Personal Identity Verification (PIV) cards, 392
personally identifiable information (PII), 481, 483
personnel issues
insider threats, 174
policy violations, 173–174
social engineering, 174–175
social media, 175
personnel management
acceptable use policies, 410
adverse actions, 411
background checks, 407
clean desk policies, 407
continuing education, 410
exit interviews, 407
job rotation, 406
mandatory vacations, 405–406
non-disclosure agreements, 409
onboarding, 409–410
role-based awareness training, 407–409
separation of duties, 406
PFX files, 566
PGP (Pretty Good Privacy), 138, 520
PHI (Protected Health Information), 481–482
phishing, 19
photoelectric smoke detectors, 333
physical access control, 383–384
physical controls, 434–435
physical layer in OSI model, 578
physical security controls, 321
airgaps, 324
alarms, 323
barricades and bollards, 328–329
biometrics, 327–328
cable locks, 334
cameras, 334–335
distribution and cabling, 324
environmental controls, 329–333
Faraday cages, 324–325
fencing, gates, and cages, 322
infrared detection, 336
key management, 336
lighting, 321
lock types, 325–327
logs, 336
mantraps, 324
motion detection, 335
questions, 337–340
review, 336–337
safes, 323
screen filters, 334
secure cabinets and enclosures, 323
security guards, 322–323
signs, 322
tokens and cards, 329
physical segregation, 229
PIA (privacy impact assessment), 423
piggybacking, 20
PII (personally identifiable information), 481, 483
ping of death (POD) attacks, 27
pinning in PKI, 553
PINs
mobile devices, 190
screen locks, 189
tokens, 391
PIV (Personal Identity Verification) cards, 392
pivoting in penetration testing, 74
PKI. See public key infrastructure (PKI)
plaintext, 492
Platform as a Service (PaaS), 298
Platform Configuration Register (PCR), 255
platform/vendor-specific guides for architecture frameworks, 218–219
POD (ping of death) attacks, 27
Point-to-Point Protocol (PPP), 366, 532
pointer dereference, 91–92
policies and procedures, 403
accounts, 354–358
agreement types, 404–405
general policies, 411–412
location-based, 354
mobile device management, 187–192
personnel management, 405–411
questions, 413–417
review, 413
standard operating procedures, 404
policy certificates, 561
policy violations, 173–174
polyalphabetic substitution, 524
polymorphic malware, 4
POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks, 516
POP3, 206
Port Address Translation (PAT), 227
port mirrors
overview, 146–147
placement, 235
port scanners, 147–149
port security for switches, 122–123
ports
common, 581–582
disabling, 247–248
PPP (Point-to-Point Protocol), 366, 532
PCR (Platform Configuration Register), 255
preparation phase in incident response process, 444
presentation layer in OSI model, 577
preservation in digital forensics, 469–470
Pretty Good Privacy (PGP), 138, 520
preventative controls, 433
printers
embedded systems, 265
MFDs, 251–252
privacy. See data security and privacy
Privacy Act, 484
Privacy-enhanced Electronic Mail (PEM), 565
privacy impact assessment (PIA), 423
Privacy of Consumer Financial Information Rule, 484
privacy officers, 482
privacy threshold assessment, 423
private clouds, 299
private data, 480
private IP addresses, 226
private keys in PKI, 552
privilege escalation
overview, 32
penetration testing, 74–75
privileged accounts, 349
privileged users awareness training, 409
production environment, 254
program obfuscation, 501
proper input validation, 281–282
property damage in business impact analysis, 422
proprietary data, 481
Protected Access Credentials (PACs), 532
Protected EAP (PEAP), 532
Protected Health Information (PHI), 481–482
protocol analyzers, 145–147
protocols, Internet, 573–574, 578–581
provisioning, 280
proxies
overview, 124–125
placement, 234
proximity cards, 383–384
pseudo-random number generation, 504
PSK mode for wireless security, 534
PTR checks in spam filters, 136
public clouds, 299
public data, 480
public key cryptography, 494–495
Public key field for certificates, 550
public key infrastructure (PKI)
certificate authorities, 546
certificate chaining, 559–560
certificate fields, 550–551
certificate formats, 564–566
certificate paths, 556–557
certificate revocation, 547
certificate revocation lists, 547–549
certificate signing requests, 550
certificate suspension, 549–550
certificate types, 560–564
components, 543–546
domain validation, 564
intermediate CAs, 546
key escrow, 559
online vs. offline CAs, 552
pinning, 553
questions, 566–570
review, 566
SAN, 562
stapling, 553
trust models, 554–558
public keys in PKI, 552
public/private key pairs in PKI, 545
pulping process, 478
pulverizing data, 478
purging data, 479
push notification services, 189–190
Q
qualitative risk assessment, 427–431
quality of code, 285–288
quantitative risk assessment, 427
R
race conditions, 83–84
RACE Integrity Primitives Evaluation Message Digest (RIPEMD), 496, 522
radio frequency identification (RFID) technology
geofencing, 188–189
tags, 45–46
RADIUS. See Remote Authentication Dial-In User Service (RADIUS)
RAID (Redundant Array of Independent Disks), 314–315
rainbow tables, 48
random number generation
cryptography, 504
key stretching, 504
Rapid Spanning Tree Protocol (RSTP), 228
RARP (reverse ARP) requests, 159
RAs (registration authorities) in PKI, 544–545
rate-of-rise fire detectors, 333
RATs (remote-access Trojans), 8–9
RBAC (role-based access control), 382
RC4 algorithms, 515
RDS (Reference Data Set), 468
real evidence, 465
real-time operating systems (RTOSs), 264–265
recertification, 351
Recommendation for Block Cipher Modes of Operation: Methods and Techniques, 494
reconnaissance, 72–73
record time offset in data acquisition, 467
recording microphones for mobile devices, 195
recovery
accounts, 356
digital forensics, 470
disaster. See disaster recovery
incident response process, 446
recovery point objective (RPO), 420
recovery sites, 447
recovery time objective (RTO), 420
RedFang program, 45
redundancy, 312–313
Redundant Array of Independent Disks (RAID), 314–315
refactoring attacks, 38–39
reference architectures, 216–217
reference counters, 83–84
Reference Data Set (RDS), 468
registration authorities (RAs) in PKI, 544–545
regulatory frameworks, 216
relevant evidence, 465
reliability in MTTR, 421
remote access
secure protocols, 208
tunneling/VPN, 232
VPN concentrators, 108
remote-access Trojans (RATs), 8–9
Remote Authentication Dial-In User Service (RADIUS)
accounting, 371–372
authentication, 370
authorization, 370–371
federation networks, 533–534
overview, 369–370
remote procedure call (RPC) errors
description, 86–87
secure coding techniques, 281
remote wipe, 188
removable media controls, 162
REPLY packets in TACACS+, 366
reports
continuity of operation planning, 453
incident response plans, 443
NIDS, 443
reputation in business impact analysis, 423
REQUEST messages in TACACS+, 366
residual risk, 432
resiliency and automation strategies
DevOps, 278
distributive allocation, 312
elasticity, 312
fault tolerance, 313
high availability, 313
master images, 310
non-persistence, 310–311
overview, 307–309
questions, 315–319
RAID, 314–315
redundancy, 312–313
review, 315
scalability, 312
templates, 309
resource exhaustion, 88
resources in threat actors, 62
RESPONSE messages in TACACS+, 366–367
restrictive policies for software, 250
retention, data, 482–483
retinal scanners, 385
reuse, password, 357
reverse ARP (RARP) requests, 159
reverse proxies, 124
reverting to known state, 311
revocation of certificates, 547
RFID (radio frequency identification) technology
geofencing, 188–189
tags, 45–46
Rijndael algorithm, 514–515
RIPEMD (RACE Integrity Primitives Evaluation Message Digest), 496, 522
RIPEMD-160 algorithm, 522
risk management
business impact analysis, 419–423
change management, 432–433
questions, 435–440
review, 435
risk assessment, 425–432
security controls, 433–435
threat assessment, 424–425
Risk Management Framework (RMF) methodology, 308
risk registers, 426
risk response techniques, 432
Rivest, Ron, 518
Rivest Cipher, 515
RMF (Risk Management Framework) methodology, 308
rogue AP attacks, 43
rogue system detection, 149
role-based access control (RBAC), 382
role-based awareness training, 407–409
roles and responsibilities
data, 482
incident response plans, 442–443
rollback to known configuration, 311
root CAs, 555
root certificates, 563–564
Root SGC Authorities, 551
rooting mobile devices, 192–193
rootkits, 6–7
roots of trust, hardware, 244
ROT13 substitution cipher, 523
round-robin scheduling for load balancers, 126
routers, 120–121
routing secure protocols, 208
RPC (remote procedure call) errors
description, 86–87
secure coding techniques, 281
RPO (recovery point objective), 420
RSA algorithm, 518
RSTP (Rapid Spanning Tree Protocol), 228
RTO (recovery time objective), 420
RTOSs (real-time operating systems), 264–265
rule-based access control, 382–383
rule-based spam filtering, 136
rules
evidence, 465–466
NIDSs/NIPSs, 118–119
rules of behavior, 410
runtime code, 288–289
S
S/MIME (Secure/Multipurpose Internet Mail Extensions), 204
SaaS (Software as a Service), 298
sadmind worm, 5
Safeguards Rule, 484
safes, 323
safety issues in business impact analysis, 422–423
salts for hashing functions, 496–497
SAML (Security Assertion Markup Language), 372
SAN (Subject Alternative Name) field, 562
sandboxing
code quality and testing, 288
description, 252–253
sanitization tools, 154
SAs (security associations), 109–111
SASL (Simple Authentication and Security Layer), 205
SATCOM (satellite communications) connections, 184
SB 1386 (Senate Bill 1386), 484
SCADA (supervisory control and data acquisition) systems, 262
scalability, 312
SCAP (Security Content Automation Protocol), 153–154, 308
scarcity factors in social engineering attacks, 25
scheduling algorithms for load balancers, 126
Schneier, Bruce, 515
screen filters, 334
screen locks, 189
screenshots in data acquisition, 468
script kiddies, 58
scripting, 307–309
Scrum programming methodology, 276–277
SDKs (software development kits), 285
SDLC (software development lifecycle), 280
SDLM (Software Development Life Cycle Methodology), 280
SDN (software-defined networking), 236
secret algorithms for cryptography, 503
secure baselines, 254
Secure Boot, 243
secure coding techniques, 280–281
code reuse and dead code, 283–284
code signing, 283
data exposure, 285
encryption, 283
error handling, 281
input validation, 281–282
memory management, 285
normalization, 282
obfuscation and camouflage, 283
server-side vs. client-side, 284
stored procedures, 282
third-party libraries and SDKs, 285
secure configurations
architecture frameworks, 217–219
operating systems, 248–249
Secure Hash Algorithm (SHA), 468, 496, 520–521
Secure Key Exchange Mechanism for Internet (SKEMI), 114
Secure/Multipurpose Internet Mail Extensions (S/MIME), 204
secure network administration principles for firewalls, 108
secure network architectures
defense-in-depth and layered security, 220–221
questions, 236–240
review, 236
zones and topologies, 221–227
Secure POP/IMAP, 206
secure protocols, 203
DNSSEC, 204
FTPS, 205
HTTPS, 206–207
LDAPS, 205
questions, 209–212
review, 209
S/MIME, 204
Secure POP/IMAP, 206
SFTP, 205
SNMPv3, 205
SRTP, 205
SSH, 204
SSL/TLS, 206–207
use cases, 206–209
Secure Real-time Transport Protocol (SRTP), 205, 207
Secure Shell (SSH) protocol, 204
Secure Sockets Layer (SSL), 206, 208, 503
secure token services, 373
Security as a Service, 301
Security Assertion Markup Language (SAML), 372
security associations (SAs), 109–111
security automation in DevOps, 278
Security Content Automation Protocol (SCAP), 153–154, 308
security controls
types, 433–435
vulnerability scanning, 77
security device and technology placement, 232–235
security guards, 322–323
Security Information and Event Management (SIEM) systems, 130–132
Security Technical Implementation Guides (STIGs), 218
security through obscurity, 505
security tools and technologies
backup utilities, 155
banner grabbing, 155–156
command-line tools, 157–160
configuration compliance scanners, 153–154
data sanitization tools, 154
exploitation frameworks, 154
honeypots, 155
network scanners, 147–149
passive vs. active, 156–157
password crackers, 150
protocol analyzers, 145–147
questions, 164–167
review, 164
steganography, 154–155
technologies, 161–164
vulnerability scanners, 150–153
wireless scanners/cracker, 149
SEDs (self-encrypting disks), 242
segregation, segmentation, and isolation
air gaps, 231
overview, 228–229
physical, 229
SDN, 236
security device and technology placement, 232–235
tunneling/VPN, 232
virtualization, 231
VLANs, 229–231
self-encrypting disks (SEDs), 242
self-signed certificates, 563
Senate Bill 1386 (SB 1386), 484
sensors
NIDS, 117
placement, 233
separation of duties, 406
sequence numbers, spoofing, 41–42
Serial number field for certificates, 550
serial numbers for CRLs, 548
server-side execution and validation, 284
servers
operating systems, 245
proxies, 124–125
service accounts, 349
service level agreements (SLAs), 404
service packs for operating systems, 247
service set identifiers (SSIDs), 127–128
services, disabling, 247–248
session keys in cryptography, 502
session layer in OSI model, 577
SFTP, 205
SGX (Software Guard Extensions), 503
SHA-2, 521
SHA-3, 521
SHA (Secure Hash Algorithm), 468, 496, 520–521
Shamir, Adi, 518
shared accounts, 348–349
Shibboleth service, 373
shielded twisted pair (STP) cable, 325
shift ciphers, 492–493
shimming attacks, 38
Short Message Service (SMS), 194
shredding data, 478
sideloading, 193
SIEM (Security Information and Event Management) systems, 130–132
signal strength for access points, 128
Signature algorithm field for certificates, 550
signature-based NIDSs, 117
signature databases for NIDS, 117
signatures for something you do, 346
signs, 322
Simple Authentication and Security Layer (SASL), 205
Simple Network Management Protocol (SNMP)
routers, 120
SNMPv3, 205
switches, 122
SIMs (subscriber identity modules), 193
single loss expectancy (SLE), 425
single points of failure, 421–422
single sign-on (SSO), 347
site-to-site communication links, 232
site-to-site VPN concentrators, 108
SKEMI (Secure Key Exchange Mechanism for Internet), 114
Slammer, 30
SLAs (service level agreements), 404
SLE (single loss expectancy), 425
smart devices, 262–263
smoke detectors, 333
SMS (Short Message Service), 194
Smurf attacks, 39–40
snapshots
backups, 450
virtual machines, 310–311
sniffers, 145–147
SNMP (Simple Network Management Protocol)
routers, 120
SNMPv3, 205
switches, 122
Sobig worm, 5
social engineering attacks
dumpster diving, 22
hoaxes, 23
impersonation, 21–22
overview, 18–19
personnel issues, 174–175
phishing, 19
principles, 23–24
shoulder surfing, 22–23
tailgating, 20
tools, 24–25
vishing, 20
watering hole attacks, 23
whaling, 19–20
social media
personnel issues, 175
policies, 412
SoCs (systems on a chip), 264
software
restrictive policies, 250
unauthorized, 175–176
Software as a Service (SaaS), 298
software-defined networking (SDN), 236
software development kits (SDKs), 285
Software Development Life Cycle Methodology (SDLM), 280
software development lifecycle (SDLC), 280
Software Guard Extensions (SGX), 503
software tokens, 391
something you are, 345
something you do, 346
something you have, 345
something you know, 345–346
somewhere you are, 346
sophistication levels of threat actors, 62
spam filters, 135–137
SPAN (Switched Port Analyzer), 146–147
Spanning Tree Protocol (STP)
limitations, 228
switches, 123
spear phishing, 19
special-purpose systems
aircraft and UAV, 267–268
medical devices, 266–267
vehicles, 267
split tunnel VPN concentrators, 115
spoofing
DNS, 35
IP addresses, 39
MAC, 39
sequence numbers, 41–42
Smurf attacks, 39–40
trusted relationships, 40–41
sprawl avoidance for VMs, 297
spyware, 8
SQL Slammer worm, 5
SQL statements
injection attacks, 30–31
stored procedures, 282
vulnerabilities, 86–87
SRTP (Secure Real-time Transport Protocol), 205, 207
SSH (Secure Shell) protocol, 204
SSIDs (service set identifiers), 127–128
SSL decryptors, 139
SSL (Secure Sockets Layer), 206, 208, 503
SSL/TLS accelerators
description, 138–139
placement, 234
SSO (single sign-on), 347
staging environment, 253–254
standalone access points, 130
standard naming conventions for accounts, 351–352
standard operating procedures, 404
standards for evidence in data acquisition, 465
stapling in PKI, 553
START accounting records in TACACS+, 366
START packets in TACACS+, 366
stateless firewalls, 107
static code analyzers, 286
static learning for port security, 123
static NAT, 227
statistical content spam filtering, 136
steganography, 154–155, 500–501
stereotypical behavior, 18
stewards of data, 482
sticky learning for port security, 123
STIGs (Security Technical Implementation Guides), 218
STIX (Structured Threat Information Expression), 11
STOP accounting records in TACACS+, 366
storage segmentation, 191
stored procedures, 282
STP (shielded twisted pair) cable, 325
STP (Spanning Tree Protocol)
limitations, 228
switches, 123
strategic intelligence gathering, 470–471
stream ciphers, 515
stream operations
cryptography, 501–502
symmetric algorithms, 517
stress testing, 287–288
striped disks, 314–315
Structured Threat Information Expression (STIX), 11
Subject Alternative Name (SAN) field, 562
Subject field for certificates, 550
subscriber identity modules (SIMs), 193
subscription services, 209
substitution ciphers, 523–524
SubVirt rootkit, 7
sufficient evidence, 465
supervisory control and data acquisition (SCADA) systems, 262
supply chain
assessment, 427
description, 243–244
suspension of certificates, 549–550
Switched Port Analyzer (SPAN), 146–147
switches
aggregation, 235
flood guards, 123–124
loop prevention, 123
overview, 121–122
port security, 122–123
switching secure protocols, 208
symmetric algorithms
3DES, 514
cipher modes, 516–517
cryptography, 492–494
DES, 513–514
RC4, 515
SYN flooding attacks, 26–27
synchronization
NTP, 207
SIEM, 131
system administrators awareness training, 408
system design
environment, 253–254
hardware and firmware security, 241–244
integrity measurement, 254–255
operating systems, 244–250
peripherals, 250–252
questions, 255–259
review, 255
sandboxing, 252–253
secure baselines, 254
system images, 466
system owners awareness training, 408
system sprawl, 92–93
system vulnerabilities, 84–85
systems on a chip (SoCs), 264
T
tabletop exercises in continuity of operation planning, 452–453
TACACS+ protocol. See Terminal Access Controller Access Control System+ (TACACS+) protocol
TAPs (Test Access Points), 235
TAXII (Trusted Automated Exchange of Indicator Information), 11
TCP. See Transmission Control Protocol (TCP)
TCP/IP hijacking, 37
tcpdump command, 160
tech support, 21
Telnet/SSH
banner grabbing, 155–156
routers, 120
switches, 122
temperature, 329
TEMPEST program, 325
templates, 309
Temporal Key Integrity Protocol (TKIP), 531–532
Terminal Access Controller Access Control System+ (TACACS+) protocol
accounting, 368
authentication, 366
authorization, 366–367
overview, 365–366
Test Access Points (TAPs), 235
tests
code, 285–288
environments, 253
penetration. See penetration testing
risk assessment, 431
tethering mobile devices, 196
TGSs (ticket-granting servers), 364–365
thick access points, 130
thin access points, 130
third-party app stores for mobile devices, 192
third-party authorization, 21
third-party libraries, 285
third-party trust model in PKI, 545
thread synchronization, 84
threat actors
attributes, 62–63
competitors, 61
hacktivists, 58
insiders, 60–61
nation states, 59–60
open source intelligence, 63–64
organized crime, 59
questions, 64–69
review, 64
script kiddies, 58
types, 57–61
threat assessment, 424–425
three-way handshakes in TCP, 26–27
ticket-granting servers (TGSs), 364–365
tickets in Kerberos, 364
Time-based One-Time Password (TOTP) algorithm, 392
time bombs, 9
time-of-day restrictions, 351
time offset in data acquisition, 467
time synchronization
NTP, 207
SIEM, 131
TKIP (Temporal Key Integrity Protocol), 531–532
TLS. See Transport Layer Security (TLS)
TLS/SSL (Transport Layer Security/Secure Sockets Layer) setup downgrade attacks, 50
tokens, 329
access management controls, 389–392
secure token services, 373
TOTP (Time-based One-Time Password) algorithm, 392
TPM (Trusted Platform Module), 242
TPM-based integrity measurement, 254–255
tracert command, 158
tracking man-hours, 471
traffic collectors in NIDS, 117
training
continuing education, 410
data sensitivity labeling, 480
role-based, 407–409
user, 221
transferring risk strategy, 432
transitive trusts, 347
Transmission Control Protocol (TCP), 573
common port assignments, 581–582
overview, 578–579
scanning, 147–148
three-way handshakes, 26–27, 41–42
transparent proxies, 124
transport layer in OSI model, 577
Transport Layer Security (TLS)
data-in-transit, 503
description, 206
remote access, 208
VPN concentrators, 115
Transport Layer Security/Secure Sockets Layer (TLS/SSL) setup downgrade attacks, 50
transport mode in IPSec, 112–114
trifluoromethane fire suppression systems, 331
triggers in SIEM, 131
Triple DES (3DES), 514
Tripwire tool, 73
Trojans, 6
troubleshooting
access violations, 170
asset management, 177
authentication issues, 177
baseline deviations, 176
certificate issues, 171
data exfiltration, 171
license compliance violation, 176
logs and events anomalies, 170
misconfigured devices, 171–173
permission issues, 170
personnel issues, 173–175
questions, 178–181
review, 177
unauthorized software, 175–176
unencrypted credentials, 169
weak security configurations, 173
trunking VLANs, 230
trust models
hierarchical, 555–557
hybrid, 557–558
overview, 553–555
peer-to-peer, 557
Trusted Automated Exchange of Indicator Information (TAXII), 11
trusted operating systems, 249
Trusted Platform Module (TPM), 242
trusted servers for spam filters, 136
trusts
hardware roots of trust, 244
social engineering attacks, 25
spoofing, 40–41
transitive, 347
tunnel mode in IPSec, 112–113
tunneling proxies, 124
tunneling/virtual private networking (VPN) technologies, 232
two-factor authentication, 344
Twofish algorithm, 515
Type I hypervisors, 296
Type II hypervisors, 296
typo squatting attacks, 38
U
UAVs (unmanned aerial vehicles), 268
UDP. See User Datagram Protocol (UDP)
UEFI (Unified Extensible Firmware Interface), 243
unauthorized software, 175–176
undocumented assets, 92–93
unencrypted credentials, 169
Unified Extensible Firmware Interface (UEFI), 243
unified threat management (UTM), 163
Uniform Partnership Act (UPA), 404
Universal Serial Bus (USB)
blocking in SIEM, 132–133
connections for mobile devices, 186
USB OTG, 186
unmanned aerial vehicles (UAVs), 268
unshielded twisted pair (UTP) cable, 325
unstructured threats, 58
untrained users vulnerabilities, 88
UPA (Uniform Partnership Act), 404
UPDATE accounting records for TACACS+, 366
updates for operating systems, 247
urgency in social engineering attacks, 25
URL hijacking attacks, 38
usage auditing and review, 350–351
USB (Universal Serial Bus)
blocking in SIEM, 132–133
connections for mobile devices, 186
USB OTG, 186
USB On-The-Go (USB OTG), 194–195
USB OTG (USB On-The-Go), 194–195
user accounts
level control, 250
overview, 347–348
user certificates, 563
User Datagram Protocol (UDP), 573–574
common port assignments, 581–582
overview, 579
RADIUS, 369–370
scanning, 147–148
user IDs, 348
user interface and reporting in NIDS, 117
users
role-based awareness training, 408–409
training, 221
untrained, 88
UTC (Coordinated Universal Time), 131
UTM (unified threat management), 163
UTP (unshielded twisted pair) cable, 325
V
vacations, mandatory, 405–406
validation
configuration, 308
input, 281–282
server-side vs. client-side, 284
Validity field for certificates, 550
Van Eck emissions, 325
VDE (virtual desktop environment), 300
VDI (virtual desktop infrastructure)
description, 300
mobile devices, 197–198
vehicles, 267
vendors
diversity, 220
support for vulnerabilities, 85
version control, 279–280
Version number field for certificates, 550
video
capturing, 467
secure protocols, 207
Vigenère cipher, 524
virtual desktop environment (VDE), 300
virtual desktop infrastructure (VDI)
description, 300
mobile devices, 197–198
virtual IPs for load balancers, 126
virtual LANs (VLANs), 229–231
virtual private networking (VPN) technologies
concentrators. See VPN concentrators
overview, 232
virtualization
description, 231
hypervisors, 295–296
questions, 302–306
review, 301
VM escape protection, 297
VM sprawl avoidance, 297
vishing, 20
VLANs (virtual LANs), 229–231
VMs
escape protection, 297
sprawl avoidance, 297
voice, secure protocols for, 207
voice recognition, 386
volatility in digital forensics, 461–462
VPN concentrators
always-on VPNs, 116
IPSec, 109–115
placement, 234
remote access vs. site-to-site, 108
split tunnel vs. full tunnel, 115
TLS, 115
vulnerabilities, 89
architecture/design weaknesses, 93
business processes, 89
certificate and key management, 94
cipher suites and implementations, 89–90
error handling, 86–87
input handling, 85–86
memory/buffer, 90–92
misconfigurations, 87
new threats/zero day, 93
questions, 94–99
race conditions, 83–84
resource exhaustion, 88
review, 94
system, 84–85
system sprawl and undocumented assets, 92–93
untrained users, 88
vulnerability scanning
credentialed vs. non-credentialed, 77
false positives and negatives, 77–78
identifying vulnerabilities, 76
intrusive vs. non-intrusive, 77
misconfigurations, 77
passive, 76
vs. penetration testing, 76
questions, 78–82
review, 78
scanners, 150–153
security controls issues, 77
vulnerability testing authorization, 431
W
WAFs (web application firewalls), 162–163
walls, 328
WannaCry malware, 5
WAPs (wireless access points), 129
warm sites, 447
water-based fire suppression systems, 330–331
waterfall model, 275–276
watering hole attacks, 23
weak algorithms in cryptography, 498
weak cipher suites, 89–90
weak implementations, 50
wearable technology, 263
web application firewalls (WAFs), 162–163
web-based vulnerability scanners, 152–153
web proxies, 125
web secure protocols, 207
web servers guides, 218
Web Vulnerability Scanner (Acunetix WVS), 153
WEP (Wired Equivalent Privacy)
IV attacks, 43
overview, 530
whaling, 19–20
white box penetration testing, 75
whitelisting applications, 162, 249–250
Wi-Fi connections, 184
Wi-Fi direct connections, 195–196
Wi-Fi Direct Device and Service Discovery, 195
Wi-Fi-enabled MicroSD cards, 251
Wi-Fi Protected Access (WPA), 531
Wi-Fi Protected Access 2 (WPA2), 531, 535–537
Wi-Fi Protected Setup (WPS)
attacks, 44
description, 535
wildcard certificates, 561
windows, 328–329
Windows Challenge/Response, 373–374
wiping data, 479
Wired Equivalent Privacy (WEP)
IV attacks, 43
overview, 530
wireless access points (WAPs), 129
wireless attacks
bluejacking, 44
bluesnarfing, 45
disassociation, 46–47
evil twin, 43
IV, 43
jamming, 43
NFC, 46
replay, 42
RFID, 45–46
rogue AP, 43
WPS, 44
wireless keyboards, 250–251
wireless mice, 251
wireless networking, 224–225
wireless scanners/crackers, 149
wireless security, 529
authentication protocols, 532–534
cryptographic protocols, 530–532
methods, 534–537
questions, 538–541
review, 537
witness interviews in data acquisition, 469
workstation operating systems, 246
WORM (write once read many) concept, 132
worms, 5
WPA (Wi-Fi Protected Access), 531
WPA2 (Wi-Fi Protected Access 2), 531, 535–537
WPS (Wi-Fi Protected Setup)
attacks, 44
description, 535
write once read many (WORM) concept, 132
X
X.500 standard, 364
X.509 digital certificates, 550–551
XOR (exclusive OR) cipher operation, 523
XP (Extreme Programming), 277
XSRF (cross-site request forgery), 32, 86
XSS (cross-site scripting), 29, 31, 86
Y
Yagi antennas, 130
YARA tool, 10
Z
Zenmap tool, 73
zero day
attacks, 36
vulnerabilities, 93
zero-tolerance policies, 411
Zeus botnet
description, 8
MitB attacks, 36
Zeus Trojan, 4
Zimmermann, Philip, 520
zombies, 27–29
zones and topologies
ad hoc networks, 227
DMZs, 222–223
extranets, 223
guest, 225
honeynets, 225
intranets, 224
NAT, 225–227
overview, 221
segregation, segmentation, and isolation, 228–231
wireless networking, 224–225
Zotob worm, 5