- A
- abnormal OS process behavior, 427–428
- acceptable use policy (AUP), 538
- access, as a GAPP privacy practice, 4
- access control list (ACL), 13, 82–83, 268
- access control models, 266–268
- access controls, 282, 528
- access validation, 268–269
- AccessChk (Sysinternals), 429
- accidental threats, 7, 26–27
- account management policy, 539
- accounts
- introduction of new, 434
- threats to creation of, 275–276
- acquiring
- data from mobile devices, 469–470
- drive images, 463–466
- log data, 467
- Actions on Objective, as a stage in Cyber Kill Chain, 51, 52
- active defense, 231
- Active Directory (AD), 265, 274
- Active Directory Federation Services (ADFS), 293, 294–295
- active monitoring, 409–410
- active reconnaissance, 65, 99
- active scanning, 75, 117
- administrative controls, 233
- Advanced Intrusion Detection Environment (AIDE), 424
- Advanced Office Password Recovery (ElcomSoft), 454
- advanced persistent threat (APT), 7, 394
- Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, 48–50, 362
- adversarial threats, 7, 26
- adversary capability, 46
- African Network Information Center (AFRINIC), 87
- agent-based NAC solutions, 11
- agent-based scanning, 121–122
- agentless NAC solutions, 11
- Agile model, 312–315
- agility, as a benefit of cloud computing, 193
- air gap, 224
- Aircrack-ng, 136
- alerts, as a category of security event indicators, 383
- AlienVault, 37
- Amazon Lambda service, 199
- Amazon Linux, 120
- Amazon Web Service (AWS), 28, 192, 195, 197, 206–207, 209–213
- American Registry for Internet Numbers (ARIN), 87
- Analysis and Requirements Definition phase, in SDLC, 310, 327
- analysis component, of intelligence cycle, 42, 43, 55
- analysis tools, 92
- analysis utilities, 449–450
- analyzing
- data, 97–99
- email, 365–367
- images in forensic investigations, 473–476
- risk, 512–518
- security architecture, 240–249
- security data, 350–351
- security requirements, 240–241
- Angry IP Scanner, 73–74
- annualized loss expectancy (ALE), 515
- annualized rate of occurrence (ARO), 515
- anomalous activity, 434
- anomalous behavior, 361–362
- anomaly analysis, 98
- anomaly-based detection, 416
- answers, for practice exam, 612–619
- anti-tamper protection, 340
- ApacheDS, 263
- API keys, 207–208
- AppFlow (Citrix), 78
- application logs, 83, 431
- application programming interfaces (APIs), 207–208, 325
- applications
- about, 269
- behavior analysis, 433
- detecting attacks on, 434–435
- error monitoring, 433
- generating, 316
- patching, 497–498
- testing, 327
- unsupported, 161–163
- whitelisting, 427
- arbitrary code execution, 164–165
- architecture
- common issues with, 242–246
- maintaining security design, 248–249
- reviewing, 241, 246–247
- Asia-Pacific Network Information Centre (APNIC), 87
- assessing
- about, 554
- attack frameworks, 53
- clouds, 232
- confidence level of intelligence, 40, 55
- threat intelligence, 39–40
- asset criticality, 114–115
- asset inventory, 114–115
- asset management, 229
- atomic execution, 339
- attack complexity metric, 150
- attack frameworks
- about, 48, 55, 56
- assessing, 53
- Common Vulnerability Scoring System (CVSS), 53, 125, 130, 148–155
- Diamond Model of Intrusion Analysis, 50–51
- Lockheed Martin's Cyber Kill Chain, 51–52
- MITRE's ATT&CK framework, 48–50, 362
- Unified Kill Chain, 53
- Attack phase, of penetration tests, 20, 21–22, 27
- attack surface, 46, 224
- attack vectors, 46, 149
- attackers, isolating, 492–493
- attacks
- attribute-based access control (ABAC), 267–268
- attrition, as an attack vector for classifying threats, 393
- audits, 553–554
- Australian Signals Directorate's Cyber Security Centre, 38
- authentication
- broken, 320
- coding and, 323
- context-based, 284–287
- location-based, 286
- multifactor, 283–284
- security and, 281–288
- security architecture and, 245–246
- authentication, authorization, and accounting (AAA) framework, 261, 270–274
- authentication protocols, 264–265
- authentication vulnerabilities, 181–183
- authorization
- in Planning phase of penetration tests, 20
- rights management and, 282–283
- security and, 281–288
- security architecture and, 245–246
- Automated Indicator Sharing (AIS) program, 37
- automated malware signature creation, 238
- autonomous system (AS), 87
- Autopsy, 450
- availability
- in CIA Triad, 223
- coding and, 323
- as a cybersecurity objective, 2–3, 26
- as a metric, 152
- aviation ISAC, 44
- AWS Commercial Cloud Services (C2S), 201
- AWS Outposts, 202–203
- Azure Government Secret, 201
- B
- background checks, as a personnel control, 239
- bandwidth consumption, 413–414
- banner, 71
- bare-metal virtualization, 175
- base score, 154–155
- baselines, 416
- basic input/output system (BIOS), 338
- beaconing, 415
- behavioral analysis, 98
- behavior-based detection, 416
- Big Bang SDLC model, 317
- binary, 452
- biometric factors
- context-based authentication and, 286
- MFA and, 283
- bit-by-bit copies, 463
- BitLocker, 455
- blacklisting, 235, 427
- Border Gateway Protocol (BGP), 85
- brand damage, 47
- Bring Your Own Device (BYOD), 463
- British Ministry of Defense's Architecture Framework (MODAF), 241
- brute-force attacks, 89, 279–280, 465
- buffer overflows, 163
- building
- final reports, 501–502
- forensic toolkits, 444–448
- incident response teams, 389–391
- secure networks, 10–17, 27
- “burner” phones, 448
- Burp Proxy, 135, 137
- Burp Suite, 336
- bus encryption, 340
- business constraints, vulnerability management and, 117
- business impact analysis (BIA), 515–518
- business modeling, 315–316
- C
- C2S (AWS Commercial Cloud Services), 201
- cables, as a component of forensic toolkits, 446
- Cacti, 413
- CAINE, 450
- cameras, as components of forensic toolkits, 446
- CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), 279–280
- capture the flag (CTF) exercises, 526
- capturing
- data, 97–99
- memory-resident data, 468–469
- carving, 450
- C/C++, 23–24
- CCleaner, 475
- ccTLD (country code top-level domain), 86
- cell phone forensics, 453–454
- Centers for Medicare & Medicaid Services (CMS), 537
- Central Authentication Service (CAS), 266
- Centre for Protection of National Infrastructure, 44
- Certificate Authority (CA), 171, 230
- certificate issues, 170–172
- certificate management, 230
- cflowd (Juniper), 78
- chain-of-custody tracking, 450
- change control processes, managing, 501
- change management, 132, 229
- choice and consent, as a GAPP privacy practice, 4
- Chrome, 359
- CIA Triad, 2–3, 26, 223
- cipher use, 169–170
- CISA (U.S. Cybersecurity and Infrastructure Security Agency), 37
- Cisco
- ASA firewall logs, 82
- core routers, 225
- router logs, 77
- Talos Intelligence reputation lookup tool, 38, 47
- Citrix AppFlow, 78
- classifying incidents, 393–397
- client-server application model, security implications of, 321
- closed source intelligence, 39
- cloud access security brokers (CASBs), 208, 213–214, 232
- cloud computing
- about, 192–193
- assessing the cloud, 232
- case for, 193–194
- deployment models, 200–203
- infrastructure security and the cloud, 231–232
- mapping and scanning clouds, 67
- cloud monitoring, 208
- cloud security
- about, 192
- cloud environments, 192–203
- exercises on, 216
- infrastructure security, 208–214
- operating in the cloud, 204–208
- review questions, 217–220, 590–592
- cloud service forensics, 458
- cloud service models
- function as a service (FaaS), 198–199
- infrastructure as a service (IaaS), 194–195
- platform as a service (PaaS), 98, 196–198, 204–205, 232
- software as a service (SaaS), 98, 194, 205, 232
- CloudFormation, 207
- Codacy, 329
- code analysis, 310
- code of conduct/ethics, 539
- code review models, 328–331
- coding
- best practices for, 323–325
- for security, 318–331
- collaboration cloud services, 95
- collection, as a GAPP privacy practice, 4
- collection component, in intelligence cycle, 42, 43, 55
- Command and Control (C2), as a stage in Cyber Kill Chain, 51, 52
- commodity malware, 45
- Common Configuration Enumeration (CCE), 124
- Common Platform Enumeration (CPE), 125
- Common Vulnerabilities and Exposures (CVE), 125
- Common Vulnerability Scoring System (CVSS), 46, 53, 125, 130, 148–155
- communication, in remediation workflow, 127–129
- community cloud, 201–202
- community threat intelligence, 43–44
- compensating controls, 18, 131, 543–544, 553
- Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), 279–280
- compliance requirements, 524–525
- components, insecure, 320
- compromise, of other services, 279
- Computer Security Incident Handling Guide (SP 800-61), 389, 488, 494, 496
- computer security incident response teams (CSIRTs), 381, 389–391
- confidence level, assessing for intelligence, 40, 55
- Confidence Value, in Diamond Model of Intrusion Analysis, 50
- Confidential classification, 523
- confidential information breach, 397
- confidentiality
- in CIA Triad, 223
- as a cybersecurity objective, 2–3, 26
- confidentiality metric, 150–151
- configuration management systems, reconciling scan results with, 158
- configurations
- vulnerability scans, 118–125
- weak/default, 320
- Connectionless LDAP service (CLDAP), 271
- consumer, 288
- container forensics, 459–460
- containerization, 228
- containment
- about, 489–490
- evidence gathering and handling, 495
- identifying attackers, 495–496
- isolation, 492–495
- network segmentation, 490–491
- strategy criteria for, 489–490
- Containment, Eradication, and Recovery phase
- about, 488–490
- conducting lessons learned sessions, 501
- containment, 489–496
- developing final reports, 501–502
- eradication, 496–500
- evidence gathering and handling, 495
- evidence retention, 502
- exercises on, 503–506, 631–633
- identifying attackers, 495–496
- of incident response, 384–385
- isolation, 492–493
- managing change control processes, 501
- network segmentation, 490–491
- patching systems/applications, 497–498
- reconstruction, 497
- recovery, 496–500
- reimaging, 497
- removal, 493–495
- review questions, 507–510, 607–608
- sanitization, 498–499
- secure disposal, 498–499
- validating recovery effort, 500
- content filtering and caching devices, as physical network architectures, 227
- content-based carving, 450
- context-based authentication, 284–287
- continual improvement processes (CIP), 248
- continuous deployment (CD), 317–318
- continuous integration (CI), 317–318
- continuous monitoring, 125, 539
- control objectives, 552
- Control Objectives for Information and Related Technologies (COBIT), 550
- Controller Area Network bus (CAN bus), 176
- controls. see also security controls
- compensating, 18
- improving, 233–240
- reviewing, 10
- cookie management, 323
- coordination, incident response and, 391–392
- core dumps, 469
- Core Features, in Diamond Model of Intrusion Analysis, 50
- corrective controls, 233, 553
- cost effectiveness, as a benefit of cloud computing, 194
- country code top-level domain (ccTLD), 86
- credential stuffing, 182
- credentialed scanning, 121
- credentials, acquiring, 277–280
- Creepy, 96
- cron jobs, 429–430
- cross training, as a personnel control, 239
- cross-site request forgery (CSRF), 272
- cross-site scripting (XSS) attack, 179–180
- cryptographic hardware, 337
- cryptography tools, 455
- customer commitments, 131
- customer relationship management (CRM) tool, 194
- CVSS vector, 153
- Cyber Kill Chain (Lockheed Martin), 51–52
- cybersecurity analyst
- exercises on, 622
- review questions, 30–34, 582–583
- cybersecurity analytics, future of, 25
- cybersecurity objectives, 2–3, 26
- D
- dashboard, 357
- data
- acquiring from mobile devices, 469–470
- analyzing, 97–99
- capturing, 97–99
- Exif, 94
- harvesting from DNS and Whois, 83–90
- methods for analysis of, 98–99
- organizational, 93–94
- sources of, 97–98, 158
- trusting, 244–245
- data breach notification laws, 545
- data classification policy, 538
- data enrichment, 355
- data exfiltration, 414
- data exposure, 320
- Data Leakage Case, 471
- data life cycle, 524
- data loss prevention (DLP), 236, 526–527
- data minimization, 524, 527–528
- data modeling, 315–316
- data obfuscation, 527
- data ownership, 522, 538
- data retention, 524, 538
- data sovereignty, 524–525
- data validation, 244–245
- database security, coding and, 323
- datatypes, severity classification and, 395–397
- dd utility (Linux), 464
- debugging modes, 166–167
- defense-in-depth
- active defense, 231
- asset and change management, 229
- encryption, 230
- identity and, 280–281
- infrastructure security and the cloud, 231–232
- layered security, 222–223
- logging, monitoring, and validation, 229
- network architecture, 226
- physical network architectures, 227
- segmentation, 224–226
- software-defined networks, 227
- virtualization, 228–229
- zero trust, 223–224
- defensive measures, 16–17
- deidentification process, 527
- Delivery, as a stage in Cyber Kill Chain, 51, 52
- demilitarized zone (DMZ), 12–13, 15–16
- denial-of-service (DoS) attacks, 417–420
- deployment models, 200–203
- deprovisioning, 275–276
- dereferencing, 319
- Design phase, in SDLC, 310, 327
- designing, for security, 318–331
- detecting
- application and service anomalies, 432–433
- attacks, 288
- attacks on applications, 434–435
- common network issues, 413–417
- denial-of-service (DoS) attacks, 417–420
- distributed denial-of-service (DDoS) attacks, 417–420
- other network attacks, 420
- probes, 417
- rogue devices, 420–422
- scans, 417
- security operations, 288
- detection and analysis phase, of incident response, 383–384
- detective controls, 233, 553
- deterrent controls, 553
- development environment, 310
- development models, software, 310–317
- Development (Implementation) phase, in SDLC, 310, 327
- device and system logs, 98
- DevOps model, 205–206, 317–318
- DevSecOps model, 317–318
- df command, 425
- DHCP logs, 80–81
- DHCP server configuration files, 80–81
- Diamond Model of Intrusion Analysis, 50–51
- dig command, 369
- DigiNinja, 89
- digital certificates, 170–172
- digital forensics workstations, as components of forensic toolkits, 445
- digital rights management (DRM), 527
- digital signatures (Email), 368
- directory services, 262–264
- directory traversal, 180–181
- disclosure, as a GAPP privacy practice, 4
- Discord, 359
- discovery, 88
- Discovery phase, of penetration tests, 20, 21, 27
- discretionary access control (DAC), 268
- disk forensics, 453
- Disposition phase, in SDLC, 310, 327
- disruptive innovation, as a benefit of cloud computing, 193
- dissemination component, in intelligence cycle, 42, 43, 55
- distributed denial-of-service (DDoS) attacks, 177, 417–420
- DNS amplification, 172–173
- DNS sinkholes, 17
- Document Inspector (Microsoft Word), 94
- Document Object Model (DOM)-based XSS attacks, 180
- documentation tools, as components of forensic toolkits, 446
- documented exceptions, 156–157
- documenting incident response plans, 388–389
- domain generation algorithms (DGAs), 363
- Domain Name System (DNS)
- brute forcing, 89
- discovery, 88
- domain names, 86–87
- entries, 87
- fast flux, 363
- harvesting data from, 83–90
- IP ranges, 86–87
- traceroute information, 84–86
- as a vulnerability, 172–173
- zone transfers, 88–89
- domain names, 86–87
- Domain Tools history service, 90
- Domain-based Message Authentication, Reporting, and Conformance (DMARC), 368, 369
- DomainKeys Identified Mail (DKIM), 368
- Don't Route or Peers List (DROP), 38
- double flux, 363
- Dread Pirate Roberts, 465
- drive adapters, as components of forensic toolkits, 446
- drive capacity monitoring, 423
- drive images, acquiring and validating in forensic investigations, 463–466
- dual control, as a personnel control, 239–240
- DumpIt, 468
- dynamic code analysis, 332–333
- Dynamic Host Configuration Protocol (DHCP), 80–81
- E
- echo reply, 67
- echo request, 67
- EDGAR database, 93
- eFuse (IBM), 338
- 802.1x protocol, 10–11
- Elastic Block Store (EBS), 209–210
- Elastic Compute Cloud (EC2), 195, 209–210
- elasticity, as a benefit of cloud computing, 193
- Elasticsearch, Logstash, and Kibana (ELK), 351
- ElcomSoft's Advanced Office Password Recovery, 454
- electronic document harvesting, 94–96
- Electronic Signature Guidelines, 543
- email
- as an attack vector for classifying threats, 393
- analyzing, 365–367
- attacks, 368
- elements of, 367–368
- forwarding, 367
- protecting, 365–366
- security options for, 368–369
- embedded systems, 176, 321
- enable command, 82
- EnCase, 446, 451, 469
- encryption, 230, 465, 526
- endpoint data analysis, 358–362
- endpoint detection and response (EDR), 236
- endpoint forensics
- cell phone forensics, 453–454
- cryptography tools, 455
- disk forensics, 453
- log viewers, 455
- memory dump analysis, 452–455
- memory forensics, 453
- mobile device forensics, 453–454
- operating system, 452–455
- password crackers, 454–455
- password recovery, 454–455
- process, 452–455
- Endpoint Manager (Microsoft), 229
- endpoint security software, 19, 27
- endpoint vulnerabilities, 158–167
- endpoints, 269
- enterprise risk management (ERM), 512
- entries (DNS), 87
- enumeration. see mapping and enumeration
- environmental threats, 7, 27
- environments, cloud
- about, 192–193
- case for cloud computing, 193–194
- cloud deployment models, 200–203
- cloud service models, 194–199
- eradication
- about, 496–497
- patching systems/applications, 497–498
- reconstruction, 497
- reimaging, 497
- sanitization, 498–499
- secure disposal, 498–499
- validating recovery effort, 500
- error handling, 319
- error message management, coding and, 323
- event logs, security monitoring and, 351–352
- evidence
- gathering, 495
- handling, 495
- procedures for, 542
- retention of, 502
- Examine Document tool (Adobe Acrobat), 94
- exceptions, in policy documents, 543–544
- exercises
- Analyze a CVSS Vector, 185, 623–624
- Analyze a Network Capture File, 372
- Analyze a Phishing Email, 373
- Compliance Auditing Tools, 556, 634
- Conduct the NIST Rhino Hunt, 480–481, 630
- Containment, Eradication, and Recovery phase, 503–506, 631–633
- Create a Disk Image, 479–480
- Create a Group Policy Object, 28–29
- Create an Inbound Firewall Rule, 28
- Develop an Incident Communications Plan, 400
- Explore the ATT&CK framework, 57–58
- Explore the Exploits Available with Pacu, 216
- Federated Security Scenario, 299–300, 625
- Identify a Network Scan, 436–437
- Identity and Access Management Terminology, 626
- Identity and Access Management Terminology, 301–302
- Incident Containment Options, 503–505, 631–632
- Incident Response Activities, 505–506, 632
- Incident Response Phases, 400, 629
- Incident Severity Classification, 399–400, 628
- Install a Vulnerability Scanner, 139
- Intelligence Gathering Techniques, 58, 103, 622
- Intelligence Gathering Tools, 623
- Interpret a Vulnerability Scan, 185
- Learn About Web Application Exploits from WebGoat, 342–343
- On-site Identity Issues Scenario, 300–301, 625
- Policy Documents, 555, 634
- Port Scanning, 102
- Recognize Security Tools, 30, 622
- Remediate a Vulnerability, 185–186
- Review a NIST Security Architecture, 251–252
- Review an Application Using the OWASP Application Security Architecture Cheat Sheet, 342
- Review an Application Using the OWASP Attack Surface Analysis Cheat Sheet, 250–251
- Risk Identification and Assessment, 530
- Risk Management, 530, 633
- Risk Management Strategies, 529–530, 633
- Run a ScoutSuite Assessment, 216
- Run a Vulnerability Scan, 140
- Sanitization and Disposal Techniques, 506, 633
- Scan an AWS account with Prowler, 216
- SDLC Terminology, 343
- Security Architecture Terminology, 252–253, 373–374, 624, 627–628
- Security Tools, 438, 481, 627, 629–630
- Set Up a STIX/TAXII Feed, 58
- Using a Cybersecurity Framework, 556
- Write a Penetration Testing Plan, 30
- Write a Service Issue Response Plan, 437
- Write an Intelligence Gathering Plan, 102–103
- Exif data, 94
- Exiftool, 94
- exploitability score, 154
- Exploitation, as a stage in Cyber Kill Chain, 51, 52
- exploitation phase. see Attack phase, of penetration tests
- Exploits Block List (XBL), 38
- exposure factor (EF), 515
- Extensible Configuration Checklist Description Format (XCCDF), 125
- external communications, incident response and, 392
- external media, as an attack vector for classifying threats, 393
- F
- Facebook Connect, 266
- Fagan inspection, 331
- false negative report, 156
- false positives, 156
- Family Educational Rights and Privacy Act (FERPA), 545
- fast flux DNS, 363
- fault injection, 333
- Feasibility phase, in SDLC, 310, 327
- Federal Information Processing Standard (FIPS), 112–114
- Federal Information Security Management Act (FISMA), 111, 112–114
- federation
- federated identity design choices, 291–293
- federated identity security considerations, 288–291
- federated identity technologies, 293–297
- federation incident response, 297
- hacking from inside, 290–291
- feedback component, in intelligence cycle, 42, 43, 55
- Fiddler, 336
- field-programmable gate arrays (FPGAs), 176
- file sharing, 95
- file structure-based carving, 450
- File Transfer Protocol (FTP), 166
- filesystem changes and anomalies, 424
- filesystem monitoring, 362
- financial services ISAC, 44
- fingerprinting software, 24
- firewalls
- configuration files, 82–83
- exercises on, 28, 30
- logs, 82–83, 353
- networks and, 12–15, 27
- as physical network architectures, 227
- as technical controls, 236
- firmware
- missing updates for, 168
- security implications of, 321, 338
- flows, 411
- fmem, 468
- footer-based carving, 450
- forensic analysis and techniques
- about, 444
- building forensics capability, 444–448
- cloud forensics, 458
- container forensics, 459–460
- endpoint forensics, 452–455
- example of a forensic investigation, 471–478
- exercises on, 479–481, 630
- forensic investigations, 460–478
- forensic software, 448–452
- network forensics, 455–458
- review questions, 482–485, 605–606
- virtual forensics, 458–459
- forensic copies, 463
- forensic drive duplicators, as components of forensic toolkits, 445
- forensic images, importing, 471–473
- forensic investigation suite, as components of forensic toolkits, 445
- forensic investigations, conducting, 460–478
- forensic software
- analysis utilities, 449–450
- capabilities and application, 448–452
- carving, 450
- chain-of-custody tracking, 450
- as component of forensic toolkit, 445
- hashing, 451–452
- imaging media/drives, 449
- legal holds, 450–451
- validation, 451–452
- forensic toolkits, 444–448
- forensic workstations, 446
- forwarded events logs, 83
- forwarding email, 367
- Framework Core (NIST Cybersecurity Framework), 546–547
- FTK, 446, 463, 466, 469
- function as a service (FaaS), 198–199
- functional impact, severity classification and, 394–395
- functions, insecure, 320
- fuzz testing (fuzzing), 333
- G
- General Data Protection Regulation (GDPR), 524
- Generally Accepted Privacy Principles (GAPP), 4
- generic top-level domain (gTLD), 86
- geographic access requirements, 528
- Gmail (Google), 194
- Google
- about, 86–87
- Gmail, 194
- Safe Browsing tool, 363
- Google Cloud Platform, 206–207
- Google Compute Platform, 195
- Gramm-Leach-Bliley Act (GLBA), 110, 545
- grep command, 370–371
- Group Policies, 18–19, 27, 274
- Guidance Software, 446
- guidelines, in policy documents, 542–543
- H
- hacktivists, 45
- hardening system configurations, 17, 27
- hardware
- best practices for, 337–340
- for reverse-engineering, 24–25, 27
- security for, 339–340
- hardware root of trust, 337
- hardware security modules (HSMs), 337
- hardware write blockers, 466
- Hashcat, 136
- hashing, 24, 451–452, 527
- HathiTrust digital library, 201–202
- header-based carving, 450
- Health Insurance Portability and Accountability Act (HIPAA), 110, 545
- healthcare ISAC, 44
- heap overflows, 163
- Heroku, 196
- heuristic analysis, 98, 359
- heuristics, 359, 416
- hibernation files, 469
- honeypots, 16, 231
- Honig, Andrew
- Practical Malware Analysis, 358
- host command, 89–90
- host enumeration, 64. see also mapping and enumeration
- host intrusion detection systems (HIDSs), 97
- host intrusion prevention systems (HIPSs), 19
- host-based DLP, 526–527
- hosted services, 98
- hosted virtualization, 175
- host-related issues
- malicious processes, 426–428
- malware, 426–428
- system resources, 422–426
- unauthorized access, changes, and privileges, 428–430
- unauthorized software, 426–428
- hosts, pinging, 67–68
- HP's NetStream, 78
- HttpFox, 336
- hybrid cloud, 202–203
- Hyper-V (Microsoft), 66
- hypervisors, 173–174
- I
- IBM's eFuse, 338
- identifying
- attackers, 495–496
- requirements for vulnerability management, 111–117
- scan targets, 114–115
- threats, 6–8
- vulnerabilities, 8
- identity
- about, 260–261
- defense-in-depth and, 280–281
- identity and access management (IAM) systems
- about, 260
- exercises on, 299–302, 625–626
- federated identities, 289–297
- identities, 260–269
- identity as a security layer, 280–288
- review questions, 303–306, 595–597
- single sign-on, 289–297
- threats and, 269–280
- identity as a service (IDaaS), 287–288
- identity provider (IDP), 288
- Imager Lite (FTK), 463, 466
- images
- analyzing in forensic investigations, 473–476
- verifying, 466
- imaging media/drives, 449
- impact, determining likelihood, risk and, 8–9
- impact score, 154
- impact sub-score (ISS), 153–154
- impersonation attacks
- about, 182, 276–277
- as an attack vector for classifying threats, 393
- in email, 368
- improper usage, as an attack vector for classifying threats, 393
- in-band NAC solutions, 11
- incident response program
- about, 380
- building foundation for, 387–389
- classifying incidents, 393–397
- coordination and information sharing, 391–392
- creating teams for, 389–391
- exercises on, 399–400, 628–629
- phases of, 381–386
- review questions, 401–404, 601–602
- security incidents, 380–381
- incident response providers, 391
- incidents, classifying, 393–397
- indicators of compromise (IOCs)
- about, 48, 406, 501
- exercises on, 436–438, 629–630
- host-related issues, 422–430
- network events, 406–422
- review questions, 439–442, 603–604
- service and application-related issues, 430–435
- industrial control systems (ICSs), 176
- information aggregation, 92
- information classification, 522–523
- information security, SDLC and, 327–328
- information security policy, 536, 538
- information sharing, incident response and, 391–392
- Information Sharing and Analysis Centers (ISACs), 43
- Information Sharing and Analysis Organizations program, 37
- Information Systems Audit and Control Association (ISACA), 550
- Information Technology Infrastructure Library (ITIL), 551
- informational results, 157–158
- infrastructure as a code (IaC), 206–207
- infrastructure as a service (IaaS), 194–196
- infrastructure security and controls
- about, 222
- analyzing security architecture, 240–249
- cloud, 208–209
- defense-in-depth, 222–232
- exercises on, 250–253, 624
- improving controls, 233–240
- review questions, 253–257, 592–594
- infrastructure vulnerability scanning, 133
- injection attacks, 177–179
- input validation, coding and, 323
- insecure protocol use, 165–166
- insider threats, 8, 45
- Installation, as a stage in Cyber Kill Chain, 51, 52
- integer overflow, 163
- integrity
- in CIA Triad, 223
- as a cybersecurity objective, 2–3, 26
- as a metric, 151
- integrity loss, 396, 397
- intellectual property breach, 397
- intelligence cycle, 42–43, 55
- intentional threats, 45
- interception proxies, 134–136, 335
- internal communications, incident response and, 392
- internal footprint, 75
- Internet Archive, 95
- Internet Assigned Numbers Authority (IANA), 69, 87
- Internet Connection Sharing (ICSLAP), 72
- Internet Control Message Protocol (ICMP), 67
- Internet of Things (IoT), 176–177
- Internet registries (RIRs), 87
- intrusion detection systems (IDSs), 97, 355
- intrusion prevention systems (IPSs)
- about, 97
- as physical network architectures, 227
- security monitoring and, 355
- as technical controls, 236
- IP addresses, 173
- IP ranges, 86–87
- iPerf, as an example of active monitoring, 407
- ISO 27001, 549–550
- isolating
- about, 23, 492–495
- affected systems, 492
- attackers, 492–493
- IT governance, 132
- IT service management (ITSM) tool, 125
- J
- Jamf Pro, 229
- Java, 23–24
- JavaScript Object Notation (JSON), 207
- J-Flow, 407
- Jflow (Juniper), 78
- Jotti, 359
- jump boxes, 15–16, 225, 226
- Juniper's cflowd, 78
- Juniper's Jflow, 78
- K
- kaizen, 248
- Kerberos, 265, 273
- key distribution center (KDC), 273
- knowledge factors, MFA and, 283
- known-bad Internet protocol (IP) addresses, 356
- known-good behavior, 361
- L
- L., Monappa
- Learning Malware Analysis, 358
- labeling tools, as components of forensic toolkits, 446
- Lambda service (Amazon), 199
- Latin America and Caribbean Network Information Centre (LACNIC), 87
- laws and regulation, 545
- layered host security, 234
- layered security, 222–223
- Learning Malware Analysis (K.), 358
- least privilege, 276
- legacy systems, 131
- legal holds, 450–451
- legal requirements, 524
- lessons learned sessions, conducting, 501
- licensing limitations, vulnerability management and, 117
- Lightweight Directory Access Protocol (LDAP), 262–264, 270–271
- likelihood, determining impact, risk and, 8–9
- LiME, 468
- LINDDUN, 46
- Linux
- about, 426, 427
- cron jobs, 429–430
- dd utility, 464
- ps command, 360
- service status, 432–433
- live imaging, 467
- load testing, 334
- localized impact, of events, 351
- location
- MFA and, 283
- as a NAC solution criteria, 12
- location-based authentication, 286
- Lockheed Martin's Cyber Kill Chain, 51–52
- log and configuration analysis, 76–80
- log data, acquiring, 467
- log viewers, 455
- logging
- logical views, 241
- Login with Facebook, 266
- logs
- as a category of security event indicators, 383
- reconciling scan results with, 158
- security monitoring and, 351–355
- types of, 83
- loss of equipment, as an attack vector for classifying threats, 393
- Low Orbit Ion Cannon (LOIC), 418
- M
- MAC address, 70, 420
- machine learning, 25, 27
- magnitude, of risk, 514
- malicious processes, 426–427
- Maltego, 92
- malware
- about, 45
- analysis of, 358–359
- in email, 368
- system issues and, 426–427
- malware signatures, 237–238
- management
- as a GAPP privacy practice, 4
- role of in CSIRTs, 390
- management information base (MIB), 407
- management interface access, 175
- managerial security controls, 552
- managing
- change control processes, 501
- encrypted drives, 465
- evidence, 495
- mandatory access control (MAC), 19, 268
- mandatory vacation, as a personnel control, 240
- man-in-the-middle (MitM) attacks, 182–183, 277
- manual review and analysis, 99, 268–269
- mapping and enumeration
- about, 64
- active reconnaissance, 65
- common tools, 71–75
- mapping networks, 65–67
- operating system fingerprinting, 71
- pinging hosts, 67–68
- port scanning, 69–71
- service discovery techniques/tools, 69–71
- service/version identification, 71
- virtual machines (VMs), 67
- masking, 528
- maturity model, 547
- MD5, 451–452
- measured boot, 337
- memorandums of understanding (MOUs), 131–132
- memory analysis, 359–361
- memory dump analysis, 452–455
- memory forensics, 453
- memory leaks, 423
- memory monitoring, 423
- memory overflows, 435
- memory-resident data, capturing, 468–469
- metadata scrubbing, 94
- Meta-Features, in Diamond Model of Intrusion Analysis, 50
- Metasploit, 74, 96, 428
- microservices, 326
- Microsoft
- Azure Government Secret, 201
- Endpoint Manager, 229
- Group Policy Object (GPO), 18
- Hyper-V, 66
- Office 365, 194
- STRIDE classification model, 46
- System Center Configuration Manager (SCCM), 17
- threat intelligence blog, 37
- Microsoft Azure, 28, 192, 195, 206–207
- Microsoft Endpoint Configuration Manager, 427
- Microsoft Office, 455
- Microsoft Remote Procedure Call (MSRPC), 72
- Minimum Security Standards for Electronic Information, 540
- Mirai, 177
- The MISP Threat Sharing project, 37
- missing patches, 160–161
- MITRE's ATT&CK framework, 48–50
- mobile device forensic toolkit, 448
- mobile device forensics, 453–454
- mobile device management (MDM), 161
- mobile devices
- acquiring data from, 469–470
- security of, 161
- mobile platforms, security implications of, 321
- Modbus, 176
- modeling, threat research and, 46–48
- monitoring
- active, 409–410
- coding and, 323
- enforcement and, 229
- as a GAPP privacy practice, 4
- insufficient, 320
- procedures for, 542
- thresholds for, 423
- multifactor authentication (MFA), 278, 283–284, 323
- mutation testing, 333
- N
- Nagios, 413
- National Council of ISACs, 43
- National Institute of Standards and Technology (NIST), 64, 124–125, 192, 246
- National Security Agency (NSA), 24, 25
- National Software Reference Library (NSRL), 424
- nation-state threat actors, 44
- negative report, 156
- Nessus (Tenable), 133
- netcat command, 427
- NetFlow, 78, 364, 407
- netstat, 78–80
- NetStream (HP), 78
- network access control (NAC)
- about, 10–12, 27, 421
- as physical network architectures, 227
- as technical controls, 237
- network address translation (NAT), 173
- Network Admission Control. see network access control (NAC)
- network architecture
- about, 226
- physical, 227
- software-defined networking (SDN), 227
- virtualization, 228–229
- network data analysis, 362–365
- network devices
- configuration, 77–78
- DHCP logs, 80–81
- DHCP server configuration files, 80–81
- firewall logs and configuration files, 82–83
- logs, 76–77
- Netflow, 78
- netstat, 78–80
- system log files, 83–84
- network events
- about, 406
- capturing, 407–410
- detecting and finding rogue devices, 420–422
- detecting common network issues, 413–417
- detecting denial-of-service and distributed denial-of-service attacks, 417–420
- detecting other network attacks, 420
- detecting scans and probes, 417
- monitoring tools, 411–413
- network flows, 407
- network forensics
- about, 455–456
- Tcpdump, 457–458
- Wireshark, 456–457
- network intrusion detection systems (NIDSs), 97
- network monitoring tools
- about, 411
- Cacti, 413
- Nagios, 413
- Paessler Router Traffic Grapher (PRTG), 411–412
- SolarWinds, 412
- network segmentation, 15–16, 27, 224–225, 490–491
- Network Time Protocol (NTP) server, in detection and analysis phase of incident response, 383
- network traffic, 323
- network-based DLP, 526–527
- network-related events
- active monitoring, 409–410
- passive monitoring, 410
- router-based monitoring, 407–409
- networks
- building secure, 10–17, 27
- detecting common issues with, 413–417
- firewalls, 12–15, 27
- mapping, 65–67
- network perimeter security, 12–15
- perimeter security of, 12–15
- scanning, 120–122, 227, 420
- vulnerabilities of, 168–173
- Nexpose (Rapid7), 133
- next-generation firewalls (NGFWs), 15
- Nikto, 133–134
- NIST Cloud Computing Security Reference Architecture, 246
- NIST Cybersecurity Framework, 546–549
- NIST National Software Reference Library, 452
- NIST SP 800-30 risk assessment process, 6–8
- NIST SP 800-88: Guidelines for Media Sanitization, 498–499
- NIST SP 800-117: Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0, 125
- NIST Special Publication 800-53, 113–114
- NIST "Systems Security Engineering" SP 800-160, 328
- NISTIR 8006, NIST Cloud Computing Forensic Challenges, 458
- Nmap, 71–73
- nondisclosure agreements (NDAs), 525
- nontechnical security controls, 522–526
- notebooks, as components of forensic toolkits, 446
- notice, as a GAPP privacy practice, 4
- nslookup command, 84–86
- O
- OAuth, 266, 271–272, 293–294, 296
- object references, 319
- oclHashcat, 136
- Office 365 (Microsoft), 194
- ongoing operations and maintenance phase, in SDLC, 310
- ongoing scanning, 125
- Open Indicators of Compromise (OpenIOC) format, 42
- Open Source Security Testing Methodology Manual (OSSTMM), 64
- open source threat intelligence, 37–38, 55
- Open Vulnerability and Assessment Language (OVAL), 125
- Open Web Application Security Project (OWASP), 134–136, 319, 323–324
- OpenDJ, 263
- OpenID, 266, 271–272
- OpenID Connect, 266, 271–272, 293–294, 297
- OpenLDAP, 263
- The Open Threat Exchange, 37
- OpenVAS, 74, 133
- operating system fingerprinting, 71
- operating systems
- about, 452–455
- unsupported, 161–163
- operational security controls, 552
- operational views, 241
- Operations and Maintenance phase, in SDLC, 327
- order of volatility, 461
- Organization for the Advancement of Structured Information Standards (OASIS), 41
- organizational data, 93–94
- organizational impact, of events, 350–351
- organizational intelligence
- about, 92–93
- electronic document harvesting, 94–96
- organizational data, 93–94
- organized crime, 44
- original equipment manufacturers (OEMs), 24
- OSSEC, 362
- outbound communication, 434
- out-of-band NAC solutions, 11
- output, unexpected, 434
- output encoding, coding and, 323
- over-the-shoulder code review, 329
- OWASP File Hash Repository, 452
- P
- packers, 455
- packet analysis, 97
- packet capture, 74, 92
- packet filtering firewalls, 14
- packet sniffing, 411
- Pacu, 210–211
- Paessler Router Traffic Grapher (PRTG), 411–412
- pair programming, 329
- Parallels, 175
- parameterized queries, 323
- pass-around code reviews, 329
- passive footprinting
- about, 75
- log and configuration analysis, 76–80
- passive monitoring, 410
- passive reconnaissance, 99–100
- passive scanning, 75, 117
- password crackers, 454–455
- password management, 282
- password policy, 539
- password recovery, 454–455
- password reuse, 182
- password safes, 282
- password spraying, 182
- passwords, complexity guidelines for, 282
- patch management, 17, 27, 497–498, 542
- pattern matching, 527
- Payment Card Industry Data Security Standard (PCI DSS), 64, 111, 118, 205, 542, 545
- penetration testing, 19–22, 27, 74
- Penetration Testing Execution Standard, 64
- people, as a category of security event indicators, 383
- Performance Monitor (perfmon), 424, 426
- permissions, 235
- persistent XSS attacks, 180
- personally identifiable information (PII), 3, 397
- personnel controls, 238–240
- personnel-based identity security, 269
- phishing, 96, 278, 368
- physical controls, 233, 553
- physical network architecture, 227
- physical segmentation, 224
- physical testing, 93–94
- physically unclonable functions (PUFs), 337
- ping command, 68
- pinging
- as an example of active monitoring, 407–408
- hosts, 67–68
- Planning phase, of penetration tests, 20, 27
- platform as a service (PaaS), 98, 196–198, 204–205, 232
- playbooks, in incident response, 387–388
- plug-in feeds, 124–125
- pointer, 319
- point-of-sale (POS), 18
- points of failure, 242–244
- policies
- in incident response, 387
- in policy documents, 536–539
- policy and compliance
- about, 238–240, 536
- exercises on, 555–556, 634
- implementing policy-based controls, 552–553
- laws and regulation, 545
- policy documents, 536–544
- quality control, 553–554
- review questions, 557–560, 610–612
- security control verification, 553–554
- standard frameworks, 546–551
- Policy Block List (PBL), 38
- policy documents, 536–544
- policy-based controls, implementing, 552–553
- Pols, Paul, 53
- port and vulnerability scans, 98
- port scanning, 69–71
- port security, 237, 421
- ports, TCP, 14
- positive report, 156
- possession factors, MFA and, 283
- postincident activity, incident response and, 385–386
- Practical Malware Analysis (Sikorski and Honig), 358
- practice exam
- about, 561
- answers for, 612–619
- questions for, 562–580
- preparation phase, of incident response, 382
- preventive controls, 233, 553
- privacy, security compared with, 3–4
- privacy breach, 396
- private cloud, 200–201
- privilege creep, 276
- privilege escalation, 164, 277
- privilege management, 261
- privileged user management, 282
- privileges required metric, 150
- proactive threat hunting, 54–55
- probability, of risk, 514
- probes, detecting, 417
- procedures
- in forensic investigations, 460–461
- in incident response, 387–388
- in policy documents, 541–542
- Process for Attack Simulation and Threat Analysis (PASTA), 46
- process modeling, 315–316
- processor monitoring, 422–423
- processor security extensions, 339
- product diversity, 225
- production environment, 310
- programmable logic controllers (PLCs), 176
- proprietary breach, 396
- proprietary intelligence, 39
- proprietary systems, 131
- protected health information (PHI), 397
- protocol analysis, 97, 416
- provisioning, threats to, 275–276
- Prowler, 212–213
- proxy logs, security monitoring and, 354
- ps command, 360, 425
- public cloud, 200–201
- publicly available information, as a category of security event indicators, 383
- purpose limitation, 524
- Python, 23–24
- Q
- qualitative risk assessment, 515, 516–517
- quality
- as a GAPP privacy practice, 4
- for security controls, 553–554
- Qualys, 74, 121, 133
- quantitative risk assessment, 9, 515–516
- questions, for practice exam, 562–580
- R
- race conditions, 320
- Ransomware Playbook, 388
- Rapid Application Development (RAD), 315–316
- Rapid7's Nexpose, 133
- real-time operating systems (RTOSs), 176
- Reaver, 136
- Reconnaissance, as a stage in Cyber Kill Chain, 51, 52
- reconnaissance and intelligence gathering
- about, 64
- detecting, preventing, and responding to, 97–100
- exercises on, 102–103, 623
- mapping and enumeration, 64–75
- organizational intelligence, 92–96
- passive footprinting, 75–92
- review questions, 103–107, 585–587
- reconstruction, 497
- recoverability effort, severity classification and, 395
- recovery
- about, 496–497
- patching systems/applications, 497–498
- reconstruction, 497
- reimaging, 497
- sanitization, 498–499
- secure disposal, 498–499
- validating recovery effort, 500
- redundant system, 243–244
- reflected XSS attacks, 180
- registered ports, 69
- registrars, 86
- registry changes/anomalies, 429
- regression testing, 334, 335
- regular expressions, 370
- regulated information breach, 397
- regulation and laws, 545
- regulatory environment, vulnerability management and, 110–111, 115
- reimaging, 497
- relying party (RP), 288
- remediation workflow
- about, 125
- delayed remediation options, 131
- prioritizing remediation, 129–130
- reporting and communication, 127–129
- testing and implementing fixes, 130
- Remote Authentication Dial-in User Service (RADIUS), 10, 264, 273–274
- remote code execution, 165
- removable media, as an attack vector for classifying threats, 393
- renewing domains, 86–87
- reporting
- in forensic investigations, 476–478
- in penetration tests, 20, 22, 27
- in remediation workflow, 127–129
- for vulnerability scans, 146–183
- Representational State Transfer (REST), 326
- reputational damage, 47
- requirements
- analyzing for security, 240–241
- compliance, 524–525
- as component in intelligence cycle, 42–43, 55
- geographic access, 528
- identifying for vulnerability management, 111–117
- legal, 524
- Réseaux IP Européens Network Coordination Centre (RIPE NCC), 87
- Resource Monitor (resmon), 359–360, 424
- Responder, 91–92
- response, to application and service issues, 433–434
- RESTful HTTP, 326
- restoration, of application and service issues, 433–434
- retention, of evidence, 502
- retirement of processes, 248–249
- reverse engineering, 22–25, 27, 358
- review questions
- cloud security, 217–220, 590–592
- Containment, Eradication, and Recovery phase, 507–510, 607–608
- cybersecurity analyst, 30–34, 582–583
- forensic analysis and techniques, 482–485, 605–606
- identity and access management (IAM) systems, 303–306, 595–597
- incident response program, 401–404, 601–602
- indicators of compromise (IOCs), 439–442, 603–604
- infrastructure security and controls, 253–257, 592–594
- policy and compliance, 557–560, 610–612
- reconnaissance and intelligence gathering, 103–107, 585–587
- risk management, 531–534, 609–610
- security operations and monitoring, 374–378, 599–601
- software and hardware developments, 344–347, 597–599
- threat intelligence, 59–62, 583–585
- vulnerability management programs, 140–143, 587–588
- vulnerability scans, 187–190, 589–590
- rights and roles, threats to, 276
- rights management, authorization and, 282–283
- risk acceptance, 521
- risk appetite, 115
- risk assessment, 323
- risk assessment process, 8–9
- risk avoidance, 520
- risk calculation, 514–515
- risk identification process, 513–514
- risk management
- about, 512, 518–519
- analyzing risk, 512–518
- exercises on, 529–530, 633
- review questions, 531–534, 609–610
- risk acceptance, 521
- risk avoidance, 520
- risk mitigation, 519–520
- risk transference, 520–521
- security controls, 522–528
- risk matrix, 9
- risk mitigation, 519–520
- risk transference, 520–521
- risks
- analyzing, 512–518
- compared with threats and vulnerabilities, 5–6, 26
- defined, 5, 512
- determining likelihood, impact and, 8–9
- evaluating for security, 4–10
- overcoming for vulnerability scanning, 131–132
- RMON, 407
- rogue devices, detecting and finding, 420–422
- role-based access control (RBAC), 267
- roles
- about, 269
- of management in CSIRTs, 390
- as a NAC solution criteria, 11
- root cause analysis, 497
- rootkits, 164, 277
- router-based monitoring, 407–409
- Ruby, 23–24
- rule-based access control, 268
- S
- Safe Browsing tool (Google), 363
- SAML, 293–294
- sampled flow (sFlow), 78
- sandboxing, 23, 237
- sanitization, 498–499
- Sanmay, 86–87
- SANS, 470
- SANS Internet Storm Center, 38
- Sarbanes-Oxley (SOX) Act, 545
- sc command, 432
- scalability, as a benefit of cloud computing, 193
- scan perspectives, 122–123
- scanning systems, 65
- scans
- detecting, 417
- determining frequency of, 115–117
- identifying targets for, 114–115
- scheduled reviews, 248
- scope
- as a metric, 152
- in Planning phase of penetration tests, 20
- vulnerability scans and, 118
- scope of control, 391
- scope of impact, 394–395
- ScoutSuite, 209–210
- scripting, 369–371
- SDN-WANs, 227
- Secret classification, 523
- secure disposal, 498–499
- secure enclaves, 339
- secure endpoint management, 17–19, 27
- Secure File Transfer Protocol (SFTP), 166
- Secure Hash Algorithm (SHA), 24, 263
- secure processing, 339
- secure session management, coding and, 323
- Secure Sockets Layer (SSL), 168–172
- security. see also specific topics
- analyzing architecture of, 240–249
- analyzing requirements for, 240–241
- as a benefit of cloud computing, 194
- compared with privacy, 3–4
- evaluating risks to, 4–10
- as a GAPP privacy practice, 4
- layered, 222–223
- layered host, 234
- of mobile device, 161
- Security Content Automation Protocol (SCAP), 124–125
- security controls
- about, 522
- categories of, 552
- defined, 552
- managerial, 552
- nontechnical, 522–526
- operational, 552
- technical, 233, 236–327, 526–528, 552
- types of, 553
- verification of, 553–554
- security data, analyzing, 350–351
- security device logs, 98, 352–355
- security events, compared with security incidents, 380
- security incident response
- compared with security event, 380
- as a component of SOAR, 357
- security information and event management (SIEM) systems
- about, 98, 229, 288, 351
- in detection and analysis phase of incident response, 383
- reconciling scan results with, 158
- security monitoring and, 355–357
- security logs, 83
- security operations and monitoring
- about, 350
- analyzing security data, 350–351
- detecting, 288
- email, 365–369
- endpoint data analysis, 358–362
- exercises on, 372–374, 627–628
- logs, 351–355
- network data analysis, 362–365
- protecting and analyzing email, 365–369
- review questions, 374–378, 599–601
- scripting, searching, and text manipulation, 369–371
- security information and event management systems (SIEMs), 355–357
- security orchestration, automation, and response (SOAR), 357
- security operations automation, as a component of SOAR, 357
- security orchestration, automation, and response (SOAR), 357
- security tools
- for cloud infrastructure, 209–213
- exercises on, 30
- Security-Enhanced Linux (SELinux), 19
- segmentation, 224–226
- self-encrypting drives (SEDs), 340
- Sender Policy Framework (SPF), 368
- SendGrid, 369
- Senki.org, 37
- sensitive information, coding and, 323
- sensitive personal information (SPI), 397
- sensitivity levels, for vulnerability scans, 119–120
- separation of duties, as a personnel control, 239
- server vulnerabilities, 158–167
- server-based exploits, 269
- server-based scanning, 121–122
- serverless computing, 228–229
- service and application-related issues
- about, 430–431
- application and service monitoring, 430–433
- detecting attacks on applications, 434–435
- response and restoration, 433–434
- service command, 432–433
- service degradations, 131
- service discovery techniques/tools, 69–71
- service identification, 71
- service interruption, 434
- service provider (SP), 288
- service-level agreements (SLAs), 131–132
- service-oriented architectures (SOA), 325–326
- service-oriented views, 241
- services, 269
- session hijacking, 183, 277
- setup logs, 83
- severity classification, 394–397
- sFlow (sampled flow), 78, 407
- SHA1, 451–452
- shared authentication, 265
- shared responsibility model, 204
- Shodan, 92
- SIFT, 450
- signature analysis, 98
- signature blocks (Email), 367
- Sikorski, Michael
- Practical Malware Analysis, 358
- Simple Authentication and Security Layer (SASL), 263
- Simple Network Management Protocol (SNMP), 76, 407, 411
- Simple Object Access Protocol (SOAP), 326
- single flux, 363
- single loss expectancy (SLE), 515
- single points of failure, 242–244
- single sign-on (SSO) systems, 265–266. see also federation
- sinkholes, DNS, 17
- sinkholing, 237
- site surveys, 420
- Slate customer relationship management (CRM) tool, 194
- SMS messages, 286–287
- Snowden, Edward, 24, 518
- social engineering, 96
- Social Engineering Toolkit (SET), 96
- social media analysis, 96, 100
- software
- assessing, 332–335
- common development issues, 319–320
- forensic, 448–452
- for reverse-engineering, 23–24, 27
- scanner, 123–124
- software and hardware developments
- about, 308
- designing and coding, 318–331
- exercises on, 342–343, 627
- hardware assurance best practices, 337–340
- review questions, 344–347, 597–599
- software assurance best practices, 308–318
- software security testing, 331–336
- software as a service (SaaS), 98, 194, 205, 232
- software development life cycle (SDLC), 308–309, 327–328
- software development models, 310–317
- software write blockers, 466
- software-defined networking (SDN), 227
- SolarWinds, 364, 412
- source code management, 328
- Spamhaus, 38
- Spamhaus Block List (SBL), 38
- Spiral model, 311–312
- Splunk, 351
- SQL injection attack, 177
- stack overflows, 163
- standard frameworks, for policy and compliance, 546–551
- standards, in policy documents, 539–541
- start of authority (SOA) record, 89
- stateful inspection firewalls, 14
- static code analysis, 332
- STOP tag, 519–520
- strcpy, 320
- stress testing, 334, 335
- STRIDE classification model, 46
- Stroz Friedberg forensic investigation, 477–478
- structural threats, 7, 27
- Structured Threat Information Expression (STIX), 41–42
- succession planning, as a personnel control, 239
- supervisory control and data acquisition (SCADA) systems, 176
- supply chain assessment, 518
- Susteen, Inc., 448
- Sysinternals suite for Windows, 424–425
- Sysinternals's AccessChk, 429
- syslog utility, 76, 352
- system and application behavior, 361–362
- System Center Configuration Manager (SCCM), 17
- System Center Operations Manager (SCOM), 423
- system health, as a NAC solution criteria, 12
- system isolation, 224, 225
- system logs, 83–84
- system ports, 69
- system resource monitoring tools, 424–426
- system-on-chip (SOC) systems, 176, 321
- systems assessment, 514
- systems-based views, 241
- T
- TACACS+, 264
- tail command, 433
- Talos Intelligence reputation lookup tool (Cisco), 38, 47
- Tamper Data, 336
- target locations, in forensic investigations, 462
- target platforms, security implications of, 321–322
- Task Scheduler, 429–430
- TCP ports, 14
- Tcpdump network forensics, 457–458
- technical constraints, vulnerability management and, 117
- technical security controls, 233, 236–327, 526–528, 552
- technical views, 241
- Tenable's Nessus vulnerability scanner, 74, 115–117, 133
- Terminal Access Controller Access Control System (TACACS), 77–78, 264
- termination, as a personnel control, 239
- test environment, 310
- testing
- fixes, 130
- incident response plans, 391
- penetration, 19–22, 27
- Testing and Integration phase, in SDLC, 310, 327
- testing and turnover, 316
- text
- manipulating, 369–371
- scripting, 369–371
- searching, 369–371
- theft of equipment, as an attack vector for classifying threats, 393
- theHarvester, 92
- third parties, hiring, 336
- threat actors, 44–45
- threat and vulnerability management, as a component of SOAR, 357
- threat classification
- about, 44, 45–46, 56, 393–394
- threat actors, 44–45
- threat research and modeling, 46–48
- threat data, threat intelligence and, 36–44
- threat feeds, 39
- threat hunting, proactive, 54–55
- threat intelligence
- about, 36
- applying organizationwide, 53–55, 56–57
- assessing, 39–40
- closed source, 39
- community, 43–44, 56
- exercises, 622
- intelligence cycle, 42–43, 55, 56
- open source, 37–38, 55, 56
- proprietary, 39
- review questions, 59–62, 583–585
- threat data and, 36–44
- threat feeds, 39
- threat indicator management and exchange, 41–42, 56, 58
- threat reputation, 47
- threat research, modeling and, 46–48
- ThreatConnect, 40
- Threatfeeds.io, 37
- threats
- compared with risks and vulnerabilities, 5–6, 26
- defined, 5, 512
- identifying, 6–8
- to identity and access, 269–280
- insider, 8
- types of, 7, 26–27
- 389 Directory Server, 263
- ticket-granting ticket (TGT)-focused attacks, 273
- time of day, as a NAC solution criteria, 11
- time to live (TTL), 65–66
- Time Travel Service, 95
- timing, in Planning phase of penetration tests, 20
- tokenization, 528
- tool-assisted reviews, 329
- tool-based analysis, 359
- top command, 425
- Top Secret classification, 523
- topology, 65–67
- traceroute information, 84–86
- traffic
- analysis of, 97, 420
- unexpected, 416–417
- training
- exercises and, 525–526
- penetration tests and, 22
- Training and Transition phase, in SDLC, 310, 327
- Transport Layer Security (TLS), 168–172
- trend analysis, 98, 158, 351
- triple-homed, 12, 15–16
- Tripwire, 362, 424
- true positive report, 156
- trust, zero, 223–224
- Trusted Automated Exchange of Indicator Information (TAXII), 41
- trusted execution environments (TEEs), 338
- Trusted Foundry Program, 339
- Trusted Platform Module (TPM) chip, 337
- trusting data, 244–245
- U
- Ulbricht, Ross, 465
- unauthorized access/changes/privileges, 428–429
- unauthorized scheduled tasks, 429–430
- unauthorized software, 426–427
- Unclassified classification, 523
- unexpected output, 434
- unexpected traffic, 416–417
- Unified Extensible Firmware Interface (UEFI), 338
- Unified Kill Chain, 53
- unified threat management (UTM) devices, as physical network architectures, 227
- unintentional threats, 45
- Unix, 360
- unsupported operating systems and applications, 161–163
- U.S. Cybersecurity and Infrastructure Security Agency (CISA), 37
- U.S. Department of Defense (DoD), 24, 241
- U.S. Department of Defense Cyber Crime Center, 37
- U.S. Intelligence Community (IC), 201
- USB device history, viewing, 468
- USB Historian, 468
- use, retention, and disposal, as a GAPP privacy practice, 4
- user acceptance testing (UAT), 310, 335
- user and entity behavior analytics (UEBA), 362
- user interaction metric, 150
- users, security architecture and, 245
- V
- V model, 316
- valid MAC address checking, 420
- validating
- about, 229, 451–452
- access, 268–269
- data, 244–245
- drive images, 463–466
- recovery effort, 500
- scan results, 155–158
- Veracode, 331–332
- version control, 328
- version identification, 71
- VirSCAN, 359
- virtual desktop infrastructure (VDI), 228
- virtual guest issues, 175
- virtual host patching, 175
- virtual LAN (VLAN), 490–491
- virtual machine escape, 175
- virtual machines (VMs), 67, 175
- virtual network issues, 176
- virtual private cloud (VPC), 232
- virtual private networks (VPNs), 173, 226
- virtual segmentation, 224
- virtualization, 228–229
- virtualization forensics, 458–459
- virtualization vulnerabilities, 173–176
- VirusShare, 38
- VirusTotal, 359
- VMware, 66
- volatility, order of, 461
- Volatility Framework, 453, 469
- vulnerabilities
- arbitrary code execution, 164–165
- authentication, 181–183
- buffer overflows, 163
- common, 158–183
- compared with risks and threats, 5–6, 26
- cross-site scripting (XSS) attack, 179–180
- debugging modes, 166–167
- defined, 5, 512
- directory traversal, 180–181
- Domain Name System (DNS), 172–173
- endpoint, 158–167
- identifying, 8
- impersonation, 182
- injection attacks, 177–179
- insecure protocol use, 165–166
- IoT (Internet of Things), 176–177
- management interface access, 175
- man-in-the-middle (MitM) attacks, 182–183
- missing firmware updates, 168
- missing patches, 160–161
- network, 168–173
- password reuse, 182
- privilege escalation, 164
- server, 158–167
- session hijacking, 183
- SSL (Secure Sockets Layer) issues, 168–172
- TLS (Transport Layer Security) issues, 168–172
- unsupported operating systems and applications, 161–163
- virtual guest issues, 175
- virtual host patching, 175
- virtual network issues, 176
- virtualization, 173–176
- VM escape, 175
- VPNs (virtual private networks), 173
- web application, 177–181
- vulnerability feeds, 123
- vulnerability management programs
- about, 110
- active vs. passive scanning, 117
- configuring and executing vulnerability scans, 118–125
- corporate policy, 114
- determining scan frequency, 115–117
- developing remediation workflows, 126–131
- exercises on, 139–140
- identifying requirements for, 111–117
- identifying scan targets, 114–115
- overcoming risks of vulnerability scanning, 131–132
- regulatory environment, 110–111
- review questions, 140–143, 587–588
- scan perspectives, 122–123
- scanner maintenance, 123–125
- scanner software, 123–124
- supplementing network scans, 120–122
- vulnerability plug-in feeds, 124–125
- vulnerability scanning tools, 133–137
- vulnerability scans, 146
- about, 21
- common vulnerabilities, 158–183
- exercises on, 185–186, 623–624
- review questions, 187–190, 589–590
- reviewing and interpreting scan reports, 146–155
- validating scan results, 155–158
- web application, 335–336
- W
- w command, 425
- Waterfall model, 310–311
- watermarking, 527
- Weaponization, as a stage in Cyber Kill Chain, 51, 52
- web, as an attack vector for classifying threats, 393
- web application firewalls (WAFs), 15, 323, 354
- web application scanning, 133–134
- web application vulnerabilities, 177–181, 335–336
- Web Services on Devices API (WSDAPI), 72
- websites
- AlienVault, 37
- Australian Signals Directorate's Cyber Security Centre, 38
- Automated Indicator Sharing (AIS) program, 37
- aviation ISAC, 44
- Centre for Protection of National Infrastructure, 44
- Cisco Talos reputation lookup tool, 38
- Cisco's Talos Intelligence reputation lookup tool, 47
- Computer Security Incident Handling Guide (SP 800-61), 389
- CVSS calculator, 155
- Data Leakage Case, 471
- Electronic Signature Guidelines, 543
- financial services ISAC, 44
- FTK, 446
- Guidance Software, 446
- healthcare ISAC, 44
- Information Sharing and Analysis Organizations program, 37
- Internet Archive, 95
- Lockheed Martin Cyber Kill Chain, 52
- Microsoft's threat intelligence blog, 37
- Minimum Security Standards for Electronic Information, 540
- The MISP Threat Exchange, 37
- MITRE's ATT&CK framework, 50
- National Council of ISACs, 43
- NIST National Software Reference Library, 452
- NISTIR 8006, NIST Cloud Computing Forensic Challenges, 458
- OASIS GitHub documentation, 41
- Open Source Security Testing Methodology Manual (OSSTMM), 64
- organizational intelligence and, 95
- OWASP File Hash Repository, 452
- Penetration Testing Execution Standard, 64
- Ransomware Playbook, 388
- Responder, 92
- SANS Internet Storm Center, 38
- Security Content Automation Protocol (SCAP), 125
- Senki.org, 37
- shared risk assessment tools, 232
- SP 800-115, 64
- Spamhaus, 38
- ThreatConnect, 40
- Threatfeeds.io, 37
- Time Travel Service, 95
- U.S. Cybersecurity and Infrastructure Security Agency (CISA), 37
- U.S. Department of Defense Cyber Crime Center, 37
- VirusShare, 38
- What to Do if Compromised document, 541
- WhiteHat Security, 336
- well-known ports, 69
- What to Do if Compromised document, 541
- WhiteHat Security, 336
- whitelisting, 235, 427
- Whois, 83–90, 89–90
- WinDbg, 432
- Windows Management Instrumentation (WMI), 411
- Windows registry, 429
- Windows service status, 432
- wiped drives, as components of forensic toolkits, 445
- wiped removable media, as components of forensic toolkits, 445
- wired rogues, 421
- wireless analysis, 97
- wireless assessment tools, 136–137
- wireless rogues, 421–422
- Wireshark, 364–365, 456–457
- write blockers, 445, 465–466
- Y
- Yet Another Markup Language (YAML), 207
- Z
- Zed Attack Proxy (ZAP), 134–136
- Zenmap, 65–66, 73
- zero trust, 223–224
- zero-day threats and vulnerabilities, 45, 394
- zone transfers, 88–89