CompTIA-Security-notes

Notes by @edoardottt, exam passed with 788 points.

Thanks @Average_Down for original notes.

Info about Security+ certification here.

Read also my blog post about Security+ certification.

1.1 - Compare and contrast different types of social engineering

techniques
Typosquatting - URL Hijacking eg: google.com vs g00gle.com
Pretexting - Lying to get your info; actor and a story
Pharming - Poisoned DNS server, redirects a legit website to a bogus site
Vishing - Voice phishing, often spoofed numbers
Smishing - SMS phishing, spoofing here too (text messages)
Spear Phishing - Targeted phishing
Whaling - Spear phishing the CEO or other “large catch” (C level)
Eliciting Information - Extracting information from the victim, often used with vishing
Computer Hoaxes - A threat that doesn’t exist
Watering Hole Attack - It targets groups of users by infecting websites that they commonly
visit
 Defense in Depth - Layered defense
Spam - Unsolicited messages
Spim - Spam over instant messaging
Mail Gateway - On-site or cloud-based filter for unsolicited email
Tarpitting - Slow down the server conversation intentionally
Credential Harvesting - Attacker collects usernames and passwords

Social Engineering principles: Authority, Intimidation, Social proof/Consensus, Scarcity, Urgency,

Familiarity/Liking, Trust

1.2 - Given a scenario, analyze potential indicators to determine

the type of attack
Malware - Malicious software, gathers information ie: keystrokes, controlled over a botnet,
show advertisements, viruses or worms with malware, your computer must run a program, use
links or pop-ups
Virus - Malware that reproduces itself, needs a user to start the process, reproduces through file
systems or the network, and may or may not cause problems.
Virus types:
program viruses (part of an application)
boot sector viruses (starts in the boot sector of OS)
script viruses (operating system and browser-based)
macro viruses (common in Microsoft Office, similar to script virus)
fileless virus - a stealth attack, doesn’t install or save on the system, good for avoiding anti-
virus detection, operates in the memory could be in the registry
Worms - Malware that self-replicates, doesn’t need you to do anything, uses network as
transmission medium, spreads quickly, signatures can be stopped at the IDS/IPS or Firewall
Wannacry worm - 2017, installed crypto-malware, smbV1 used to infect vulnerable systems and
installed double pulsar to encrypt user data
Crypto-malware - A new generation of ransomware, malware encrypts the data files
Protect against ransomware - Always have a backup, offline and not on the same system
Trojan Horse - Software that pretends to be something else, doesn’t replicate, circumvents anti-
virus
PUP - Potentially Unwanted Program, undesired program often installed along with other
software, can hijack your browser
RAT - Remote Administration Tool or Remote Access Trojan, controls the device (ie: DarkComet
RAT)
 Rootkit - Originally a Unix technique, modifies core system files in part of the kernel, invisible to
antivirus software
Zeus/Zbot malware - Kernel driver famous for cleaning out bank accounts, combined with
Necurs rootkit, Necurs ensures Zbot can’t be deleted and denies any termination process
Secure boot with UEFI - Protects against rootkits in the BIOS
Adware - Pop-up ads everywhere, cause performance issues
Spyware - Malware that spies on you; advertising, identity theft, and affiliate fraud; often a
trojan, can capture browser surfing habits, keylogger
Logic Bomb - Often used by someone with a grudge; time bombs, user event, difficult to
identify, many logic bombs delete themselves
Spraying Attack - Common passwords, used only a few times to prevent lockout before moving
to the next account; hidden from alarms and detection
Brute Force - Every possible password combination until the hash is matched, can take some
time, a strong hash algorithm slows things down, most accounts will lockout, more common for
an attacker to check for the hash offline
Dictionary attack - Using common words, password crackers can substitute letters
Rainbow tables - Pre-built set of hashes, contains pre-calculated hash chains, speed increased
over previous password attacks, rainbow tables are application or OS-specific
Salt - Random data added to a password before hashing takes place
Birthday attack - 23 students have 50% of 2 students having the same birthday, for 30 there’s a
70% chance, hash collisions happen when different input gives an output that uses the same
hash.
MD5 hash - Has hashing collisions.
Downgrade Attack - Force the system to use a weaker encryption method

1.3 - Given a scenario, analyze potential indicators associated

with application attacks
XSS (cross-site scripting) - Originally called cross-site because of browser security flaws, info
from one site could be shared with another, very common; malware that uses javascript
Non-persistent (reflected) XSS - Website allows javascript to run in user input fields,
Persistent (stored) XSS - Stored permanently on the website via a post, no specific targets
Code injection attack - Code added into a data stream, enabled because of bad programming;
SQL injection - Uses SQL to access, add, or remove info from a DataBase
XML injection - Modify XML requests
LDAP attack - Manipulates LDAP databases
 DLL injection - Injects code into applications and uses the app to run the DLL inside a new
process
Buffer overflows - Overwriting a buffer of memory; developers should perform bounds
checking, not easy to exploit
Pass the Hash - A replay attack that lets the attacker intercept a hash and replay it back to the
server to authenticate, use SSL/TLS to encrypt the hash and stop this attack

1.4 - Given a scenario, analyze potential indicators associated

with network attacks
Bluejacking - Sending unsolicited messages over Bluetooth
Bluesnarfing - Access data on a mobile device over Bluetooth

1.5 - Explain different threat actors, vectors, and intelligence

sources

1.6 - Explain the security concerns associated with various types

of vulnerabilities

1.7 - Summarize the techniques used in security assessments

Syslog - Standard for centralized logging
UEBA (User and Entity Behavior Analytics) - Examine how people are using the network
Sentiment Analysis - Measure how your organization is viewed from the outside
SOAR (Security Orchestration, Automation and Response) - Automate routines, tedious and
time invasive activities

1.8 - Explain the techniques used in penetration testing

Rules of Engagement - Defines purpose and scope of a penetration test
Wardriving / Warflying - Search WiFi access points with your car or with a drone

2.1 - Explain the importance of security concepts in an enterprise

environment
Network Diagrams - Document physical wire and device
IP schema - IP address plan; number of subnets, hosts, and ranges
Data masking - Hide some of the original data; obfuscating, i.e. ***-**-5555
Data encryption - Encode information into unreadable data; plain text to cipher text
Diffusion - Changing even 1 character results in a completely different output
Data at-rest - The data in on a storage device
Data in-transit - Data moving over the network
Data in-use - Typically decrypted to be used by humans, very attractive to attackers
Tokenization - Replace sensitive data with non-sensitive data; used in NFC with mobile phone
credit cards
IRM - Information Rights Management; prevents certain document functions or changes e.g.
copy and paste
DLP - Data Loss Prevention is a system that prevents leaking sensitive information
SSL/TLS inspection - Often attacks use TLS to encrypt their malicious site; this inspection gets
between the endpoints to determine if the signature is trusted by a Certificate Authority (CA)
SSL/TLS Proxy - Often starts with a firewall, contains an internal CA certificate
Hashing - Message digest as a short string; one-way trip, impossible to recover the original
message (verify downloads by comparing hashes; used with digital signatures providing non-
repudiation)
Hashing collision - Multiple messages can have the same hash if there is a “collision”; hashing
algorithms that have collisions should not be used
SHA256 - 256 bits / 64 hexadecimal characters
API - Application programming interfaces; control software or hardware programmatically;
secure and harden a login page
On-Path attack - Intercept and modify API messages or replay API commands
API injection - Inject data into an API message
API security - Authentication, limit API access to legitimate users over secure protocols;
authorization, API should not allow extended access, each user has limited roles
WAF - Web Application Firewall, apply rules to Web/API communication
Hot site - Constantly updated replica of your production network
Cold site - The complete opposite of a hot site, no data, no applications, no people, only access
to power and a network
Warm site - Somewhere in the middle, racks and some equipment, quicker to get ready than a
cold site, just bring your software and data
Honeypot - Very attractive (for attackers) fake system to get information about attackers
Honeyfile - File with fake sensitive data (e.g. passwords.txt)
DNS Sinkhole - A DNS that hands out incorrect IP address
2.2 - Summarize virtualization and cloud computing concepts
Edge Computing - Process application data on an edge server close to the user (the local IoT
device, often processing on the device itself). No latency, no network requirement; processes
data on the device, not the cloud
Fog Computing - A cloud that’s close to your data; cloud and IoT combined, extends the cloud
Thin Client - Basic application using VDI or DaaS; local device using a keyboard, mouse, and
screen; no huge memory or CPU needs
Virtualization - Run many different OSes on the bare-metal hardware (needs Hypervisor)
Containerization - A container that contains everything you need to run an application; isolated
processes in a sandbox, self-contained, apps don’t interact with each other. No OS is needed,
using the Kernel of the current OS.
APIs - Break up an application into microservices; APIs are resilient and scalable; more secure
than a monolithic application
Serverless architecture - Function as a Service (FaaS); stateless compute containers, quick
launch servers that are ephemeral (temporary), managed by a third party (Pay as you use)
VPC - Virtual Private Cloud; pool of applications
Transit gateway - Provides cloud routing to VPC often through a VPN

2.3 - Summarize secure application development, deployment,

and automation concepts
SDN (Software Defined Networking) - Two planes of operation (Control and Data),
programmable networks
VM sprawl - Uncontrolled growth of VMs within an environment; administrators can no longer
manage them effectively
Sandboxing - Isolated testing environment
Elasticity - Increase the amount of app instances (horizontal scaling)
Scalability - Increase the hardware capability (resources) of VMs (vertical scaling)
Orchestration - Automation for deploying cloud components
Stored Procedure - Prevent SQL injection
Obfuscation - Turn readable code into unreadable code
Software Diversity - Alternative compiler paths would result in a different binary each time
(minimize the attack surface)
Continuous Integration (CI) - Code is constantly written and merged into a central repository
Continuous Delivery/Deployment (CD) - Automates the process for testing and then release
without human intervention
2.4 - Summarize authentication and authorization design
concepts
Directory Service - Single database with all usernames and passwords for an organization (e.g.
Microsoft Active Directory)
Federation - Provides network access to others (other organization)
Attestation - Prove the hardware is yours; a system you can trust. Remote attestation uses TPM
and unique hardware identifiers (e.g. IMEI)
TOTP - Time-Based One-Time Password algorithm
HTOP - HMAC-Based One-Time Password algorithm (no short time limit)
Retinal Scanner - Unique capillary structure in the back of the eye
Iris Scanner - Texture, color
Facial recognition - Shape of the face and features
Gait Analysis - Identify a person on how they walk
Vascular scanner - Match the blood vessels visible from the skin
False Acceptance Rate (FAR) - Likelihood an unauthorized user will be accepted
False Rejection Rate (FRR) - Likelihood an authorized user will be rejected
Crossover Error Rate (CER) - Defines the overall accuracy of a biometric system (FAR=FRR)

2.5 - Given a scenario, implement cybersecurity resilience

RAID (Redundant Array of Independent Disks):
RAID 0 - Striping without parity: High performance, no fault tolerance
RAID 1 - Mirroring: Fault tolerant, requires twice the disk space
RAID 5 - Striping with parity: Fault tolerant, additional disk for redundancy
Combinations of items above
NIC Teaming - Aggregate bandwidth using multiple NICs (fail over on other NICs)
SAN Replication - A specialized high-performance network of storage devices; can replicate
between SANs, share data between different devices
Full Backup - Backup everything
Incremental Backup - Backup since the last incremental backup; starts with the first incremental
backup after the initial full backup. Must use all incremental backups and initial full backup to
restore data.
Differential Backup - Backup since the last full backup; this includes the information in the
previous differential backup. Only one full backup and the last differential needed to restore the
data.
 NAS - Network Attached Storage; file-level access, must overwrite the entire data to add
changes
SAN - Storage Area Network; block-level access, can add to the files

2.6 - Explain the security implications of embedded and

specialized systems
Embedded System - Hardware and software designed for a specific function (e.g. traffic light
controllers, digital watches, medical imaging systems)
SoC (system on a chip) - Multiple components running on a single chip, common with
embedded systems; small form factor, low power consumption.
Field-programmable gate array (FPGA) - Integrated circuit that can be configured after
manufacturing (new software can be pushed to the device)
SCADA/ICS - Supervisory Control And Data Acquisition, large-scale multi-site Industrial Control
Systems (ICS). Requires extensive segmentation
HVAC - Heating, Ventilation and Air Conditioning (traditionally not built with security in mind)
RTOS (Real-Time Operating System) - Operating system with a deterministic processing
schedule. No time to wait for other processes (e.g. anti-lock brakes)
SIM Card - Subscriber Identity Module; A universal integrated circuit card, contains mobile
details like IMSI
Narrowband - Narrow range of frequency that can transmit over long distances (opposite of
broadband)
Baseband - The communication signal uses all of the bandwidth (uses single frequency)
Zigbee - IoT networking IEEE 802.15.4 PAN, an alternative to WiFi; less power used and lets you
mesh your IoT network. Uses ISM band (Industrial, Scientific, and Medical band)

2.7 - Explain the importance of physical security controls

USB Data Blocker - Don’t connect to unknown interfaces (Allow the voltage, reject the data)
Juice Jacking - USB data theft through unknown USB jacks ie: phone charger at an airport
FM-200 - Fire suppressor avoiding data center destruction
Screened Subnet - Or DMZ, an additional layer of security between the Internet and internal
network
PDS (Protected Distribution System) - Physically secure cabled network
Air-Gap - Physical separation between networks; not able to access the separated network
devices
Shredder/Pulverizer/Hammer/Drill - Destruct the storage device
 Degaussing - Drive unusable using electromagnetic fields
Purge - Only delete some of the data
Wipe - Unrecoverable removal of data; usually overwrites the data, useful for reusing the drives
Sdelete - Windows sysinternals; file level overwriting
DBAN - Darik’s Boot and Nuke; whole drive wipe secure data removal

2.8 - Summarize the basics of cryptographic concepts

Key Stretching - Hashing a hash
Bcrypt - Key stretching library; uses blowfish cipher to perform multiple rounds of hashing on
passwords
PBKDF2 - Password-Based Key Derivation Function 2; part of RSA public key cryptography
standards (PKCS #5, RFC 2898)
Lightweight cryptography - IoT devices have less power (compute or otherwise); NIST leads the
effort, providing powerful encryption at low cost
Homomorphic encryption (HE) - Performs the calculation while the data stays encrypted and
saves the decrypted data to be only viewed with the encryption key
Symmetric encryption - Only uses a single key to encrypt and decrypt; “a shared secret”,
doesn’t scale well. Very fast to use, less overhead than asymmetric encryption (about 128-bits or
larger)
Asymmetric encryption - Multiple keys; public key cryptography, the private key is not shared
while the public key is shared, the private key is the only key that can decrypt the data
encrypted by the public key
Diffie-Hellman key exchange - Taking user1 private key and user2 public key to create a
symmetric key that can only be deciphered with both user1 and user2 public/private keys.
ECC - Elliptic Curve Cryptography; used by mobile and IoT devices, uses curves to make smaller
keys than other asymmetric encryption methods
Key strength: Larger keys tend to be more secure
Key exchange:
out-of-band key exchange - doesn’t send symmetric key over the network
in-band key exchange - sending it on the network using another encryption method
Session keys - Ephemeral keys (not reusable) need to be unpredictable; session keys are made
from in-band key exchange
RSA key pair - SSL/TLS encryption key pair
Perfect Forward Secrecy (PFS) - Change the method of key exchange; elliptic curve or Diffie-
hellman ephemeral; session keys that change, PFS requires more computing power not all
servers can choose PFS and not all browsers can use PFS
 Quantum Computing - Uses qubits instead of classical binary; qubits represent both 0 and 1
simultaneously; it breaks our existing encryption mechanisms by quickly factoring prime
numbers
NTRU - Cryptosystem using lattice theory; “closest-vector” problem instead of prime numbers;
not vulnerable to quantum computing
Quantum communication protects against eavesdropping; once a QKD (quantum key
distribution) is viewed it will change the key
Stream cipher - Encryption is done one bit or byte at a time; high speed, low hardware
complexity, used with symmetric encryption not commonly used with asymmetric encryption,
the key is often combined with an initialization vector (IV)
Block cipher - Encrypt a fixed-length group; often 64-bit or 128-bit blocks
ECB - Electronic Code Book; block encryption without salt that can give an idea as to what the
data was before masking, not ideal
CBC - Cipher Block Chaining; easy to implement, each plaintext block is XORed with the
previous ciphertext block; adds additional randomization, uses an IV for the first block
XOR - Exclusive OR; 2 identical inputs are a zero and 2 different inputs are a one
CTR - Counter; acts like a stream cipher, encrypts successive values of a “counter”, plaintext can
be any size since it’s part of the XOR.
GCM - Galois/Counter Mode; encrypts quickly and authenticates where it came from, SSH or
TLS
weak IV in RC4 resulted in the WEP security issue
DES - Created in 1977 and able to be decrypted

3.1 - Given a scenario, implement secure protocols

SRTP - Secure Real-time Transport Protocol; keeps VoIP conversations private; uses AES, uses
HMAC-SHA1 for authentication, integrity, and replay protection
NTP - Network Time Protocol, it has no security features and is used to amplify DDoS attacks
NTPsec - Secure Network Time Protocol
S/MIME - Secure/Multipurpose Internet Mail Extension; uses PKI
IPSec - Authentication and Encryption for every packet; Security for OSI layer 3; an encrypted
tunnel that uses packet signing. Uses Authentication Header (AH) and Encapsulation Security
Payload (ESP)
FTPS - FTP over SSL
SFTP - SSH File Transfer Protocol; more advanced capabilities
LDAP - Lightweight Directory Access Protocol; protocol for reading and writing directories over
an IP network
 LDAPS - LDAP over SSL
SASL - Simple Authentication and Security Layer; Provides authentication using many different
methods
DNS - Domain Name System, no security features
DNSSEC - Domain Name System security extensions; validates DNS responses with public key
cryptography
SNMPv3 - Simple Network Management Protocol v3 (All three of CIA triad)
DHCP - Dynamic Host Configuration Protocol; no security (starvation attack or dhcp snooping)

3.2 - Given a scenario, implement host or application security

solutions
EDR - Endpoint Detection and Response; detects threats based on behavior and process
monitoring and not just malware signatures, uses root cause analysis and responds.
NGFW - Next-Generation Firewall; identifies the applications on the internet not just the IP or
protocol, also called application layer gateway, stateful multilayer inspection, or deep packet
inspection. Examines encrypted data before sending it to the destination.
HIDS - Host-based Intrusion Detection System
HIPS - Host-based Intrusion Prevention System
TPM - Trusted Platform Module; cryptographic functions, persistent memory, uses anti-brute
force technology
Secure Boot - BIOS includes the manufacturer’s public key, and secure boot verifies the
bootloader (prevents unauthorized writes to the flash memory).
Trusted Boot - Bootloader verifies the digital signature of the OS kernel; the kernel verifies
other startup components. Just before loading the drivers, ELAM (Early Launch Anti-Malware)
starts and checks every driver for trust. Windows won’t load an untrusted driver
Measured Boot - UEFI stores a hash of the firmware, boot drivers, and everything else. This
hash is stored on the TPM.
Remote Attestation - Device provides an operational report to a verification server. Encrypted
and digitally signed with the TPM
Fuzzing - Sending random input into applications to find a crash/panic
CERT - Computer Emergency Response Team; Carnegie Mellon CERT created Basic Fuzzing
Framework (BFF)
SAST - Static Application Security Testing; finds security vulnerabilities with automation, not
everything can be identified through analysis. false positives are an issue and will need to be
verified.
FDE - Full Disk Encryption
 SED - Self-Encrypting Drive; uses the Opal storage specification as a standard for SEDs

3.3 - Given a scenario, implement secure network designs

SSL Offloading - SSL Encryption/Decryption
Round Robin - each new user is moved to the next server to give the same amount of load to
each server; weighted round robin can prioritize a server for use, dynamic round robin will
monitor the server load and distribute to the server with the lowest use. this is used with
Active/Active load balancing
Affinity - A user will always be distributed to the same server; users tracked with IP or session
IDs.
Active/Active - All servers are active
Active/Passive - If an active server fails, the passive server takes its place
Air-Gap - Physical segmentation
VLAN - Logical segmentation (Virtual Local Area Networks)
Extranet - A private network for partners; doesn’t allow full access to the intranet, different from
a DMZ
Intranet - Internal Private Network
Zero Trust - A holistic approach to network security; every device, every process, and every
person need to be verified
SSL VPN - Uses TCP/443 to authenticate users. Can be run from a browser
HTML5 VPN - Create a VPN tunnel without a separate VPN application (using a browser)
Full Tunnel - All encrypted data is passing through the VPN Server
Split Tunnel - Only a subset of connections pass through the VPN Server
L2TP - Layer 2 tunneling protocol; connecting sites over layer 3 network as if they were
connected at layer 2, commonly implemented with IPsec (broadcast storm control via switch)
Broadcast Storm Control - Limit the number of broadcast messages per second
Loop Protection - IEEE standard 802.1D prevents loops via STP (Spanning Tree Protocol)
BPDU Guard - Bridge Protocol Data Unit Guard; If a BPDU frame is seen on a PortFast interface,
shut down the interface
DHCP snooping - IP tracking on a layer 2 device; the switch becomes a rogue DHCP firewall
MAC Filtering - Limit access through the physical hardware access (beware MAC addresses can
be spoofed)
DNS Sinkhole - Redirect users to internal location for known bad domains
FIM - File Integrity Monitoring; Be notified when some files that shouldn’t change are modified
(e.g. Tripwire on Linux)
 Stateless Firewall - Does not keep track of traffic flows; rule base will cover communication in
both directions
Stateful Firewall - Keeps track of traffic flows; create a session table for each flow
UTM - Unified Threat Management (web security gateway); router, firewall, IDS/IPS, spam filter,
etc.
Jump Server - Provides an access mechanism to a protected network (highly secured device,
but a significant security concern)
HSM - Hardware Security Module; used in large environments with clusters and redundant
power. High-end Cryptographic Hardware that is a plug-in card or separate hardware device.
keeps overhead away from the server.

3.4 - Given a scenario, install and configure wireless security

settings
WPA2 - Uses CCMP block cipher mode; data confidentiality with AES and CBC-MAC for MIC,
PSK (pre-shared key aka password) brute-force is a problem.
WPA3 - Uses GCMP block cipher mode; Galois/Counter Mode protocol; uses AES and GMAC
SAE - Simultaneous Authentication of Equals; WPA3 uses a shared session key, no more hand-
shakes. Adds Perfect Forward Secrecy. IEEE standard is known as the “dragonfly handshake”
802.1x - Centralized authentication for wireless networks using login credentials; also referred to
as port-based network access control (NAC); uses RADIUS, LDAP, or TACACS+ as an access
database
WPS - Wi-Fi Protected Setup; Allows “easy” setup of mobile device (PIN, Push a button, NFC);
Absolutely insecure, disable it!
EAP - Extensible Authentication Protocol; an authentication framework for wireless networks,
many ways to authenticate based on RFC standards
EAP-FAST - EAP Flexible Authentication via Secure Tunneling; Authentication Server (AS) and
supplicant (client) share a protected access credential (PAC) (shared secret) over TLS tunnel;
needs a RADIUS server
PEAP - Protected Extensible Authentication Protocol; created by Cisco, Microsoft, and RSA
Security; encapsulates EAP in a TLS tunnel, AS uses a digital certificate instead of a PAC. Client
doesn’t use a certificate. Microsoft uses PEAP with MSCHAPv2, can also be used with GTC
(generic token card) or hardware token generator.
EAP-TLS - EAP Transport Layer Security; strong security, wide adoption, and support from most
of the industry; Requires digital certificates on the AS and all other devices. AS and supplicant
exchange certificates for mutual authentication. TLS tunnel is then built for the user
authentication process. Complex implementation; needs PKI (public key infrastructure), all
 wireless clients need certificates managed and deployed. Not all devices support digital
certificates.
EAP-TTLS - EAP Tunneled TLS; supports other authentication protocols in a TLS tunnel; requires
a digital certificate on the AS, does not require digital certificates on every device. Builds a TLS
tunnel using this digital certificate. Can use other types of EAP, MSCHAPv2, or anything else
RADIUS Federation - Members of one organization can authenticate to the network of another
organization using their normal credentials; use 802.1x as the authentication method and
RADIUS on the backend. EAP to authenticate.

3.5 - Given a scenario, implement secure mobile solutions

Geofencing - Restrict or allow features when the device is in a particular area
Containerization - Separate enterprise mobile apps and data from a user-owned device.
MicroSD HSM - Same as Hardware Security Module but much smaller and used on a mobile
device
UEM - Unified Endpoint Management; Manage mobile and non-mobile devices; end users use
different types of devices
MAM - Mobile Application Management; Provision, update and remove apps; Create an
enterprise app catalog
SEAndroid - SELinux (Security-Enhanced Linux) on Android OS
Geotagging - Adds location to document metadata
BYOD - Bring Your Own Device; Need to meet the company’s requirements
COPE - Corporate-Owned, Personally Enabled; Company buys the device
CYOD - Choose Your Own Device; similar to COPE, but with the user’s choice
Corporate-Owned - The company owns the device and controls the content

3.6 - Given a scenario, apply cybersecurity solutions to the

cloud
AZ - Availability Zones; Isolated locations with a cloud region; has independent power, HVAC
and networking
IAM - Identity and Access Management; who gets access to a cloud resource, maps job
functions to roles
Compute cloud instances:
Amazon Elastic Compute Cloud (EC2)
Google Compute Engine (GCE)
Microsoft Azure Virtual Machines
 CASB - Cloud Access Security Broker; makes your security policies work in the cloud, determines
what apps are in use and if users are authorized (Visibility), Compliance, Threat Prevention, and
Data Security
SWG - Next-Gen Secure Web Gateway; Monitor APIs, make policies; protect users and devices.
Can apply different policies to different resources

3.7 - Given a scenario, implement identity and account

management controls
Identity Provider (IdP) - Authentication as a service; commonly used with SSO applications.
Uses standard authentication methods ie. SAML, OAuth, OpenID Connect, etc.
ssh-keygen - A command to create public/private key pairs on Linux and macOS. Use the ssh-
copy-id command to apply the public key to the server.
Service Accounts - Run in the background and exclusively used by services. Access can be
defined for a specific service.
Password Entropy - Entropy measures how difficult the password would be to guess.

3.8 - Given a scenario, implement authentication and

authorization solutions
KBA - Knowledge-Based Authentication; static (pre-configured shared secrets e.g. question and
answer) or dynamic
PAP - Password Authentication Protocol; a basic authentication method, used in legacy
operating systems. Sends everything in the clear, non-encrypted.
CHAP - Challenge-Handshake Authentication Protocol; three-way handshake, after a link is
established the server sends a challenge message. The client responds with a password hash
calculated from the challenge and the password. The server compares the received hash with
the stored hash. This occurs periodically during the connection.
MS-CHAP - Microsoft version of CHAP; uses DES, easy to brute force the NTLM hash. DON’T
USE MS-CHAP!
RADIUS - Remote Authentication Dial-in User Service; very common AAA protocol. Centralized
authentication.
TACACS - Terminal Access Controller Access-Control System; remote authentication protocol;
TACACS+ most advanced version (Cisco)
Kerberos - Network Authentication Protocol; auth once, trusted by the system; mutual
authentication (secure against MiTM and replay attacks).
IEEE 802.1X - Port-based Network Access Control; you don’t get access to the network until you
authenticate
 SAML - Security Assertion Markup Language; Open standard for authentication and
authorization; not originally built for mobile devices
OAuth - Authorization framework; used with OpenID connect. OAuth determines what can be
used by the third-party app and OpenID Connect provides the authentication.
MAC - Mandatory Access Control; every object gets a label and the user gets a minimum access
level.
DAC - Discretionary Access Control; the owner picks the control access, and the data owner can
change access at any time (used in most OSes).
RBAC (Role-Based Access Control) - You are assigned rights and permissions based on your
role.
ABAC - Attribute-Based Access Control; a next-generation authorization model: combines and
evaluates multiple parameters ie: IP address, time of day, desired action, etc.
RBAC (Rule-Based Access Control) - System admin makes the rules for the object trying to be
accessed ie: only able to access lab resources between 9am-5pm.
Privileged access management (PAM) - Managing superuser access; privileged access is used
temporarily.

3.9 - Given a scenario, implement public key infrastructure

PKI - Public Key Infrastructure; digital certificates: create, distribute, manage, store, and revoke.
Digital Certificate - Binds a public key with a digital signature and other details about a key
holder
RA (Registration Authority) - The entity requesting the certificate needs to be verified
CRL - Certificate Revocation List; Maintained by the CA, can contain many revocations in a large
file.
OCSP - Online Certificate Status Protocol; the status of the certificate is stapled to the SSL/TLS
handshake (OCSP stapling)
Domain Validation (DV) Certificate - Owner of the certificate has some control over a DNS
domain
Extended Validation (EV) Certificate - Additional checks have verified the certificate owner’s
identity
Subject Alternative Name - Lists additional identification information
Code Signing Certificate - Applications can be signed by the developer (user has the
opportunity to stop the application if some security check is not passed)
Self-Signed Certificate - Internal certificates don’t need to be signed by a public CA
DER - Format designed to transfer syntax for data structures (binary format, not human
readable)
 PEM - Privacy-Enhanced Mail; Base64-encoded DER certificate
PKCS #12 - Personal Information Exchange Syntax Standard; Container format for many
certificates, often used to transfer a private and public key pair
CER - Windows X.509 file extension; usually contains a public key
PKCS #7 - Cryptographic Message Syntax Standard (contains certificates and chain certificates)
Pinning - “Pin” the expected certificate or public key to an application (compiled in the app)
Key Escrow - Hand over your private keys to a 3rd-party

4.1 - Given a scenario, use the appropriate tool to assess

organizational security
traceroute - Determine the route a packet takes to a destination (ICMP messages could be
filtered by firewalls)
nslookup/dig - DNS lookup
ipconfig - Determine TCP/IP and network adapter information on Windows
ifconfig - Determine TCP/IP and network adapter information on Linux
ping - Test reachability using ICMP packets
pathping - Windows command that runs traceroute and ping together to display combined
output.
netstat - Network Statistics; -a shows all active connections; -b show binaries (windows); -n just
IP addresses
arp - Address Resolution Protocol command; -a will show IP with MAC address
route - Windows Device Routing Table;
Windows: route print
Linux: netstat -r
curl - client URL; grab raw data from sites and display into a terminal
hping - TCP/IP packet assembler/analyzer; can send almost anything modified in the packet.
nmap - network mapper; port scans, operating system scan, service scans, add scripts;
theHarvester - gathers OSINT; scrapes Google or Bing, DNS brute force, and more
sn1per - combines many recon tools into a single framework
scanless - port scan proxy; run port scans from a different host.
dnsenum - enumerate DNS information; view host information from DNS servers
Nessus - Vulnerability Scanner; extensive reporting.
Cuckoo - A sandbox for malwares; test a file in a safe environment. Track and trace executable
files
cat - Concatenate files
 head - View the first part of a file
tail - View the last part of a file
grep - Find text in a file
chmod - Change mode of a file system object (read/write/execute)
logger - Add information to the syslog file
OpenSSL - Manages SSL/TLS X.509 certificates; encrypt and decrypt also possible
Wireshark - Graphical packet analyzer
tcpdump - Capture packets from the command line; installed in most Linux versions
tcpreplay - A suite of packet replay utilities; great to use for testing your IPS and firewall with
malicious packets
dd - Linux command creates a bit-by-bit copy of a drive; used for forensics
Create a disk image: dd if=/dev/sda of=/tmp/out.img
Restore a disk image: dd if=/tmp/out.img of=/dev/sda
memdump - Copy system memory (RAM) to the standard output stream; then copy to another
host
WinHex - A universal hexadecimal editor; edit disks, files, RAM, and disk cloning on Windows
OS
FTK imager - Windows AccessData forensic drive imaging tool; includes file utilities and read-
only image mounting. Support for many different file systems and full disk encryption methods,
the investigator still needs the password. Can also import other image formats ie: dd, Ghost,
Expert Witness, etc
Autopsy - Performs digital forensics of hard drives or smartphones; views many different types
of data.

4.2 - Summarize the importance of policies, processes, and

procedures for incident response
NIST SP 800-61 Revision 2 - Computer Incident Handling Guide
PICERL:
Preparation: Communication, Resources, Policies
Identification: Monitoring
Containment: Isolation, Sandboxes
Eradication: Remove, Disable, Fix and Patch
Recovery: Backup
Lessons Learned: Learn and Improve
Tabletop exercise - Analysis of a potentially real situation in a meeting
 Walkthrough exercise - Applies the concepts from the tabletop exercise
Simulation - Test with a simulated event (phishing, breaches…)
Communication Plan - Get your contact list together (internal and external)
Disaster Recovery Plan - Part of Business Continuity Plan; Keep the organization up and
running
COOP - Continuity Of Operations Planning; Must be documented and tested before a problem
occurs
Incident Response Team - Receives, Review and Responds
Retention Policy - Backup data! Copies, versions of copies, lifecycle of data, purging of data
(also for Regulatory Compliance)
MITRE ATT&CK Framework - Determine the actions of an attacker, identify the point of
intrusion, understand methods used to move around, and identify potential security techniques
to block future attacks.
Diamond Model of Intrusion Analysis - Adversary, Capability, Victim, Infrastructure
Cyber Kill Chain:
Reconnaissance
Weaponization
Delivery
Exploit
Installation
Command & Control (C2)
Actions on objectives

4.3 - Given an incident, utilize appropriate data sources to

support an investigation
NVD - National Vulnerability Database (nvd.nist.gov)
False Positive - A vulnerability is identified that doesn’t really exist
False Negative - A vulnerability exist, but you didn’t detect it
SIEM - Security Information and Event Management; used for data correlation and forensic
analysis
Rsyslog - Rocket-fast System for log processing
Syslog-ng - A popular syslog daemon with additional filtering and storage options
NXLog - Collection for many diverse log types
Journalctl - Method for querying the system journal
Metadata - Data that describes other types of data
 NetFlow - Gather traffic statistics from all traffic flows
IPFIX - IP Flow Information Export (newer NetFlow standard)
sFlow - Sampled Flow; Only a portion of the actual network traffic

4.4 - Given an incident, apply mitigation techniques or controls

to secure an environment
Approved/Allow List - Nothing runs unless it’s approved
Block/Deny List - Nothing on this “bad list” can be executed
URL Filter - Limit access to untrusted / known malicious websites
Isolation - Administratively isolate a compromised device (or process) from everything else
Containment - Run each application in its own sandbox (limit interaction)
Segmentation - Separate the network; Prevent unauthorized movement, limit the scope of a
breach
Playbook - Conditional steps to follow (e.g. investigate a data breach, recover from
ransomware)

4.5 - Explain the key aspects of digital forensics

RFC 3227 - Guidelines for Evidence Collection and Archiving
Legal Hold - A legal technique to preserve information; prepare for impending litigation
Admissibility - Not all data can be used in a court of law
Chain of Custody - Document evidencing that nothing changed from the incident
Recording time offsets - Timezone determines how the time is displayed (FAT/NTFS)
Order of Volatility:

1. CPU registers, CPU cache

2. Router table, ARP cache, process table, kernel statistics
3. RAM
4. Temporary file systems
5. Disk
6. Remote logging and monitoring data
7. Physical configuration, network topology
8. Archival media

Snapshot - Backup of a VM, then incremental update

Right-to-audit - A legal agreement to have the option to perform a security audit at any time
 E-Discovery - Gathering electronic data required by the legal process
Data Recovery - Extract missing data without affecting the integrity of the data
Non-Repudiation - Proof of data integrity and the origin of the data (MAC or Digital Signature)
Strategic CounterIntelligence - Prevent hostile intelligence operations, discover and disrupt
foreign intelligence threats

5.1 - Compare and contrast various types of controls

Managerial controls - Focus on the security design or security policies; Standard Operational
Policies
Operational controls - Implemented by people; security guards or awareness programs
Technical controls - Implemented by the system; OS controls, firewalls, or anti-virus
Preventive - Prevents access to an area; firewalls, door locks, security guards
Detective - May not prevent access; identify and record an intrusion; Motion detectors or IDS
Corrective - Designed to mitigate damage; IPS blocking, restore from backup, backup sites
Deterrent - May not directly prevent access; discourages an intrusion attempt; warning signs,
login banners, or security lighting
Compensating - Doesn’t prevent an attack; attempts to recover
Physical - Fences or door locks

5.2 - Explain the importance of applicable regulations, standards,

or frameworks that impact organizational security posture
GDPR - General Data Protection Regulation; Controls export of personal data for individuals in
the EU (right to be forgotten, privacy policy…)
PCI DSS - Payment Card Industry Data Security Standard
CIS - Center for Internet Security
CIS CSC - Critical security controls for effective cyber defense using 20 key actions (practical
information)
NIST RMF - NIST Risk Management Framework; mandatory for US federal agencies;
Categorize - Define Environment
Select - Pick appropriate controls
Implement - Define proper implementation
Assess - Determine if controls are working
Authorize - Make a decision to authorize a system
Monitor - Check for ongoing compliance
NIST CSF - NIST Cybersecurity Framework;
Framework Core:
Identity
Protect
Detect
Respond
Recover
Framework Implementation Tiers: An organization’s view of cybersecurity risk and process
to manage the risk
Framework Profile: The alignment of standards, guidelines, and practices to the framework
core
ISO/IEC Frameworks - International Organization for Standardization / International
Electrotechnical Commission;
27001 - Standard for an Information Security Management System (ISMS)
27002 - Code of practice for information security controls
27701 - Privacy information management systems (PIMS)
31000 - International standards for risk management practices
SSAE SOC 2 Type I/II - The American Institute of Certified Public Accountants (AICPA) auditing
Standard Statement of Standards for Attestation Engagements number 18 (SSAE 18)
SOC 2 - Trust Services Criteria (security controls); firewalls, intrusion detection, and multi-factor
authentication
Type I - Audit that tests controls in place at a particular point in time
Type II - Audit that tests controls over a period of at least 6 months consecutive
CSA - Cloud Security Alliance; security in cloud computing.
CCM - Cloud Controls Matrix, cloud-specific security controls.
Web Server Hardening:
Info leak: banner information, disable directory browsing
Permissions: run from a non-privileged account, configure file permissions
Configure SSL: manage and install certificates
Log files: monitor access logs
Operating System Hardening:
Updates: OS updates/service packs, security patches
User accounts: minimum password length and complexity, account limitations
Network access and security: limit network access
Monitor and secure: anti-virus, anti-malware
Application Server:
 Middleware - usually between the web server and the database (programming languages,
runtime, libraries, etc)
OS patches
Limit access from other devices
Network Infrastructure devices:
Configure authentication, NO DEFAULTS!
Check for security updates from the manufacturer

5.3 - Explain the importance of policies to organizational

security
AUP - Acceptable Use Policy; Used by an organization to limit legal liability
Job Rotation - Keep people moving between responsibilities to limit a single person maintains
control for long period of time
Mandatory Vacations - Rotate others through the job, limit the ability for one person to
commit a type of fraud
Separation of Duties:
Split Knowledge - No one person has all of the details
Dual Control - Two people must be present to perform the business function
Clean Desk Policy - When you leave, nothing is on your desk
Least Privilege - No rights beyond job duties, minimal privileges granted
Background Check - Pre-employment screening (verify claims, criminal history…)
Adverse Actions - Not hiring a candidate due to a failed background check
NDA - Non-Disclosure Agreement; confidentiality agreement/legal contract, prevents the use of
dissemination of confidential information
Social Media Analysis - Gather data on social media; build a personal profile, used in hiring
On-Boarding - Policy for new hires, IT agreements need to be signed, Provide required IT
equipment, create accounts…
Off-Boarding - Policy for people leaving the organization, opposite of on-boarding (delete
accounts…)
Phishing Simulation - See which users are susceptible to phishing attacks without being a
victim of phishing
Role-based Security Awareness Training - Before providing access, train your users
Supply Chain - The system involved when creating a product
SLA - Service Level Agreement; minimum terms for services provided; uptime, response time
agreements
 MOU - Memorandum of Understanding; both sides agree on the contents of the memo; usually
includes statements of confidentiality, informal letter of intent, not a signed contract!!!!
MSA - Measurement System Analysis; used with quality management systems, assess the
measurement process
BPA - Business Partnership Agreement; going into business together, owner stake, financial
contract
EOL - End Of Life; stops selling a product, but may continue supporting the product
EOSL - End Of Service Life, no longer selling or supporting the device with patches
Data Governance - Rules, processes and accountability associated with an organization’s data
Data Classification - Identify data types (personal, public, restricted…); to protect data efficiently
Data Retention - Keep files that change frequently for version control (for legal requirements
too!)
Change Control - A formal process for managing change (avoid downtime, confusion and
mistakes):
Determine the scope of the change
Analyze the risk associated with the change
Create a plan
Get end-user approval
Present the proposal to the change control board
Have a backout plan! if the change doesn’t work
Document the changes
Asset Management - Identify and track computing assets to respond faster to security problem
Data Steward - Manages the governance process, responsible for data accuracy, privacy, and
security; associates sensitivity labels to the data, ensures compliance with any applicable laws
and standards

5.4 - Summarize risk management processes and concepts

Risk Acceptance - We’ll take the risk
Risk Avoidance - Stop participating in high-risk activity
Risk Transference - Buy some cybersecurity insurance
Risk Mitigation - Decrease the risk level, invest in security systems
Inherent Risk - Risk that exists in the absence of controls; impact + likelihood
Residual Risk - Risk that exists after the controls are considered; inherent risk + control
effectiveness
Risk Appetite - The amount of risk an organization is willing to take
 HIPAA - Health Insurance Portability and Accountability Act; New storage requirements,
network security, protect against threats
ARO - Annualized Rate of Occurrence
SLE - Single Loss Expectancy: What is the monetary loss if a single event occurs?
ALE - Annualized Loss Expectancy: ARO x SLE
RTO - Recovery Time Objective; how long it takes to get back to a particular service level
RPO - Recovery Point Objective; how much data loss is acceptable
MTTR - Mean Time To Repair; time required to fix the issue
MTBF - Mean Time Between Failures: predict the time between outages
DRP - Disaster Recovery Plan: detailed plan for resuming operations after a disaster
Mission-Essential Functions - The most important systems in your organization; identify these
critical systems!

5.5 - Explain privacy and sensitive data concepts in relation to

security
Information Life Cycle:
Creation and Receipt
Distribution
Use
Maintenance
Disposition
Privacy Impact Assessment (PIA) - Privacy risk needs to be identified in each initiative; fix the
concerns before they become an issue
Data Classification:
Proprietary Data - Data that’s unique to an organization
PII - Personally Identifiable Information
PHI - Protected Health Information
Public/Unclassified - No restrictions on viewing
Private/Classified/Restricted - Restricted access
Sensitive - Intellectual Property, PII, PHI
Confidential - Very sensitive, must be approved to view
Critical - Data should always be available
Tokenization - Replace sensitive data with a non-sensitive placeholder (SSN 322-09-5366 –>
100-91-7294); this isn’t encryption or hashing
Minimization - Only collect and retain necessary data (HIPAA and GDPR rules this)
 Masking - Hide some of the original data (e.g. credit card number ****-****-****-5912)
Anonymization - Make it impossible to identify individual data from a dataset; allows for data
use without privacy concerns. ie: hashing, masking, etc.; cannot be reversed, no way to associate
the data to a user
Pseudo-Anonymization - Replace personal information with pseudonyms, may be reversible,
original data is stored in the database.
Data Responsibilities:
Data Owner - Accountable for specific data, often a senior officer; ie: VP of Sales owns the
customer relationship data
Data Controller - Manages the purpose and means by which personal data is processed
Data Processor - Process data on behalf of the data controller, often a third-party
Data Custodian/Steward - Responsible for data accuracy, privacy, and security; labels the
data, ensures compliance, and manages access rights
Data Protection Officer (DPO) - Responsible for the organization’s data privacy, sets
policies and implements processes and procedures

Acronym List
3DES Triple Data Encryption Standard
AAA Authentication, Authorization, and Accounting
ABAC Attribute-based Access Control
ACL Access Control List
AD Active Directory
AES Advanced Encryption Standard
AES256 Advanced Encryption Standards 256bit
AH Authentication Header
AI Artificial Intelligence
AIS Automated Indicator Sharing
ALE Annualized Loss Expectancy
AP Access Point
API Application Programming Interface
APT Advanced Persistent Threat
ARO Annualized Rate of Occurrence
ARP Address Resolution Protocol
ASLR Address Space Layout Randomization
ASP Active Server Pages
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge
AUP Acceptable Use Policy
AV Antivirus
BASH Bourne Again Shell
BCP Business Continuity Planning
BGP Border Gateway Protocol
BIA Business Impact Analysis
BIOS Basic Input/Output System
BPA Business Partnership Agreement
BPDU Bridge Protocol Data Unit
BSSID Basic Service Set Identifier
BYOD Bring Your Own Device
CA Certificate Authority
CAPTCHA Completely Automated Public Turing Test to Tell Computers and Humans Apart A
CAR Corrective Action Report
CASB Cloud Access Security Broker
CBC Cipher Block Chaining
CBT Computer-based Training
CCMP Counter-Mode/CBC-MAC Protocol
CCTV Closed-Circuit Television
CERT Computer Emergency Response Team
CFB Cipher Feedback
CHAP Challenge-Handshake Authentication Protocol
CIO Chief Information Officer
CIRT Computer Incident Response Team
CIS Center for Internet Security
CMS Content Management System
CN Common Name
COOP Continuity of Operations Planning
COPE Corporate-owned Personally Enabled
CP Contingency Planning
CRC Cyclic Redundancy Check
CRL Certificate Revocation List
CSA Cloud Security Alliance
CSIRT Computer Security Incident Response Team
CSO Chief Security Officer
CSP Cloud Service Provider
CSR Certificate Signing Request
CSRF Cross-Site Request Forgery
CSU Channel Service Unit
CTM Counter-Mode
CTO Chief Technology Officer
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
CYOD Choose Your Own Device
DAC Discretionary Access Control
DBA Database Administrator
DDoS Distributed Denial-of-Service
DEP Data Execution Prevention
DER Distinguished Encoding Rules
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DHE Diffie-Hellman Ephemeral
DKIM Domain Keys Identified Mail
DLL Dynamic-link Library
DLP Data Loss Prevention
DMARC Domain Message Authentication Reporting and Conformance
DNAT Destination Network Address Transaction
DNS Domain Name System
DNSSEC Domain Name System Security Extensions
DoS Denial-of-Service
DPO Data Protection Officer
DRP Disaster Recovery Plan
DSA Digital Signature Algorithm
DSL Digital Subscriber Line
EAP Extensible Authentication Protocol
ECB Electronic Code Book
ECC Elliptic-curve Cryptography
ECDHE Elliptic-curve Diffie-Hellman Ephemeral
ECDSA Elliptic-curve Digital Signature Algorithm
EDR Endpoint Detection and Response
EFS Encrypted File System
EIP Extended Instruction Pointer
EOL End of Life
EOS End of Service
ERP Enterprise Resource Planning
ESN Electronic Serial Number
ESP Encapsulating Security Payload
ESSID Extended Service Set Identifier
FACL File System Access Control List
FDE Full Disk Encryption
FIM File Integrity Monitoring
FPGA Field Programmable Gate Array
FRR False Rejection Rate
FTP File Transfer Protocol
FTPS Secure File Transfer Protocol
GCM Galois/Counter Mode
GDPR General Data Protection Regulation
GPG GNU Privacy Guard
GPO Group Policy Object
GPS Global Positioning System
GPU Graphics Processing Unit
GRE Generic Routing Encapsulation
HA High Availability
HDD Hard Disk Drive
HIDS Host-based Intrusion Detection System
HIPS Host-based Intrusion Prevention System
HMAC Hash-based Message Authentication Code
HOTP HMAC-based One-time Pasword
HSM Hardware Security Module
HSMaaS Hardware Security Module as a Service
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
HVAC Heating, Ventilation, Air Conditioning
IaaS Infrastructure as a Service
IAM Identity and Access Management
ICMP Internet Control Message Protocol
ICS Industrial Control Systems
IDEA International Data Encryption Algorithm
IDF Intermediate Distribution Frame
IdP Identity Provider
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IKE Internet Key Exchange
IM Instant Messaging
IMAP4 Internet Message Access Protocol v4
IoC Indicators of Compromise
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IR Incident Response
IRC Internet Relay Chat
IRP Incident Response Plan
ISA Interconnection Security Agreement
ISFW Internal Segmentation Firewall
ISO International Organization for Standardization
ISP Internet Service Provider
ISSO Information Systems Security Officer
ITCP IT Contingency Plan
IV Initialization Vector
KDC Key Distribution Center
KEK Key Encryption Key
L2TP Layer 2 Tunneling Protocol
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LEAP Lightweight Extensible Authentication Protocol
MaaS Monitoring as a Service
MAC Media Access Control
MAM Mobile Application Management
MAN Metropolitan Area Network
MBR Master Boot Record
MD5 Message Digest 5
MDF Main Distribution Frame
MDM Mobile Device Management
MFA Multi Factor Authentication
MFD Multifunction Device
MFP Multifunction Printer
ML Machine Learning
MMS Multimedia Message Service
MOA Memorandum of Agreement
MOU Memorandum of Understanding
MPLS Multiprotocol Label Switching
MSA Measurement Systems Analysis
MS-CHAP Microsoft Challenge-Handshake Authentication Protocol
MSP Managed Service Provider
MSSP Managed Security Service Provider
MTBF Mean Time Between Failures
MTTF Mean Time to Failure
MTTR Mean Time to Repair
MTU Maximum Transmission Unit
NAC Network Access Control
NAS Network-attached Storage
NAT Network Address Translation
NDA Non-disclosure Agreement
NFC Near-field Communication
NFV Network Function Virtualization
NGFW Next-generation Firewall
NG-SWG Next-generation Secure Web Gateway
NIC Network Interface Card
NIDS Network-based Intrusion Detection System
NIPS Network-based Intrusion Prevention System
NIST National Institute of Standards & Technology
NOC Network Operations Center
NTFS New Technology File System
NTLM New Technology LAN Manager
NTP Network Time Protocol
OCSP Online Certificate Status Protocol
OID Object Identifier
OS Operating System
OSI Open Systems Interconnection
OSINT Open-source Intelligence
OSPF Open Shortest Path First
OT Operational Technology
OTA Over-The-Air
OTG On-The-Go
OVAL Open Vulnerability and Assessment Language
OWASP Open Web Application Security Project
P12 PKCS #12
P2P Peer-to-Peer
PaaS Platform as a Service
PAC Proxy Auto Configuration
PAM Privileged Access Management
PAM Pluggable Authentication Modules
PAP Password Authentication Protocol
PAT Port Address Translation
PBKDF2 Password-based Key Derivation Function 2
PBX Private Branch Exchange
PCAP Packet Capture
PCI-DSS Payment Card Industry Data Security Standard
PDU Power Distribution Unit
PE Portable Executable
PEAP Protected Extensible Authentication Protocol
PED Portable Electronic Device
PEM Privacy Enhanced Mail
PFS Perfect Forward Secrecy
PGP Pretty Good Privacy
PHI Personal Health Information
PII Personally Identifiable Information
PIN Personal Identification Number
PIV Personal Identity Verification
PKCS Public Key Cryptography Standards
PKI Public Key Infrastructure
PoC Proof of Concept
POP Post Office Protocol
POTS Plain Old Telephone Service
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
PSK Pre Shared Key
PTZ Pan-Tilt-Zoom
PUP Potentially Unwanted Program
QA Quality Assurance
QoS Quality of Service
PUP Potentially Unwanted Program
RA Registration Authority
RAD Rapid Application Development
RADIUS Remote Authentication Dial-in User Service
RAID Redundant Array of Inexpensive Disks
RAM Random Access Memory
RAS Remote Access Server
RAT Remote Access Trojan
RC4 Rivest Cipher version 4
RCS Rich Communication Services
RFC Request for Comments
RFID Radio Frequency Identification
RIPEMD RACE Integrity Primitives Evaluation Message Digest
ROI Return on Investment
RPO Recovery Point Objective
RSA Rivest, Shamir, & Adleman
RTBH Remotely Triggered Black Hole
RTO Recovery Time Objective
RTOS Real-time Operating System
RTP Real-time Transport Protocol
S/MIME Secure/Multipurpose Internet Mail Extensions
SaaS Software as a Service
SAE Simultaneous Authentication of Equals
SAML Security Assertions Markup Language
SCADA Supervisory Control and Data Acquisition
SCAP Security Content Automation Protocol
SCCM Microsoft System Center Configuration Manager
SCEP Simple Certificate Enrollment Protocol
SDK Software Development Kit
SDLC Software Development Life Cycle
SDLM Software Development Life-cycle Methodology
SDN Software-defined Networking
SDP Service Delivery Platform
SDV Software-defined Visibility
SED Self-Encrypting Drives
SEH Structured Exception Handling
SFTP SSH File Transfer Protocol
SHA Secure Hashing Algorithm
SIEM Security Information and Event Management
SIM Subscriber Identity Module
SIP Session Initiation Protocol
SLA Service-level Agreement
SLE Single Loss Expectancy
SMB Server Message Block
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SOAP Simple Object Access Protocol
SOAR Security Orchestration, Automation, Response
SoC System on Chip
SOC Security Operations Center
SPF Sender Policy Framework
SPIM Spam over Instant Messaging
SQL Structured Query Language
SQLi SQL Injection
SRTP Secure Real-time Transport Protocol
SSD Solid State Drive
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Sockets Layer
SSO Single Sign-on
STIX Structured Threat Information eXpression
STP Shielded Twisted Pair
SWG Secure Web Gateway
TACACS+ Terminal Access Controller Access Control System
TAXII Trusted Automated eXchange of Intelligence Information
TCP/IP Transmission Control Protocol/Internet Protocol
TGT Ticket Granting Ticket
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TOTP Time-based One Time Password
TPM Trusted Platform Module
TSIG Transaction Signature
TTP Tactics, Techniques, and Procedures
UAT User Acceptance Testing
UDP User Datagram Protocol
UEBA User and Entity Behavior Analytics
UEFI Unified Extensible Firmware Interface
UEM Unified Endpoint Management
UPS Uninterruptible Power Supply
URI Uniform Resource Identifier
URL Universal Resource Locator
USB Universal Serial Bus
USB OTG USB On-The-Go
UTM Unified Threat Management
UTP Unshielded Twisted Pair
VBA Visual Basic for Applications
VDE Virtual Desktop Environment
VDI Virtual Desktop Infrastructure
VLAN Virtual Local Area Network
 VLSM Variable-length Subnet Masking
VM Virtual Machine Vo
IP Voice over IP
VPC Virtual Private Cloud
VPN Virtual Private Network
VTC Video Teleconferencing
WAF Web Application Firewall
WAP Wireless Access Point
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion Detection System
WIPS Wireless Intrusion Prevention System
WORM Write Once Read Many
WPA WiFi Protected Access
WPS WiFi Protected Setup
XaaS Anything as a Service
XML Extensible Markup Language
XOR Exclusive OR
XSRF Cross-site Request Forgery
XSS Cross-site Scripting

If you find an error or want to improve this page, just open an issue.

Don’t text/mail me looking for exam solutions.

This site is open source. Improve this page.