- A
- AAAA records, 24–25, 355
- acceptable use policy (AUP), 271, 285, 452, 459
- access points, deploying multiple, 117, 385
- AccessChk (Sysinternals), 209, 425
- AccessEnum, 209, 425
- accidental threats, 291, 461
- account management policy, 280, 456
- active defense, 124, 389
- Active Directory (AD), 19, 164, 168, 354, 408, 409
- active fingerprinting, 358
- active scanning, 24, 355
- Activity Monitor, 187, 416, 439
- address space layout randomization (ASLR), 155, 224–225, 404, 431
- administrative controls, 379
- Adobe Flash, 99, 379
- Advanced Encryption Standard (AES), 57, 275, 366, 454
- advanced persistent threat (APT), –4, 27, 174, 184, 211, 239, 258, 266, 297, 348, 356, 411, 415, 426, 439, 446, 450, 463
- Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, 160, 161, 406, 407
- adverse events, 228, 433
- AES-256, 124, 389
- AES-GCM, 46, 362
- African Network Information Center (AFRINIC), 23, 355
- agent-based, out-of-band NAC solution, 155–156, 304, 404, 465–466
- agent-based monitoring, 69, 89, 95, 369, 376, 378
- agent-based NAC solutions, 201, 422
- agent-based scanning, 35, 359
- Agile model, 112, 121, 141, 383, 387, 398
- air gap, 118, 132, 228, 383, 386, 393, 433
- Akamai, 27, 356
- analysis
  - availability, 154, 294, 403, 462
  - behavioral, 110, 252, 261, 358, 382, 444, 448
  - business impact analysis (BIA), 82, 86, 320, 375, 471
  - code, 402
  - dynamic code, 116, 385, 441
  - forensic, 230, 434
  - heuristic, 187, 204, 290, 416, 423, 461
  - information impact, 258, 446–447
  - malware, 177, 252, 412, 444
  - manual review and, 123, 388
  - signature, 95, 378
  - static, 109, 115, 180, 197, 203, 382, 385, 413, 420, 422, 441
  - static code, 384
  - trend, 186, 416
  - URL, 196–197, 204–205, 420, 423
  - wireless, , 350
- Angry IP Scanner, 24, 355
- annual reviews, 275, 454
- annualized loss expectancy (ALE), 272, 283–284, 341, 453, 458, 477
- annualized rate of occurrence (ARO), 272, 283–284, 453, 458
- antimalware tool, 205, 424
- anti-tamper protection, 134, 394
- Apache, 12, 351
- API keys, 120, 128, 135, 387, 391, 395
- application-based multifactor authentication, 306, 466
- approved scanning vendor (ASV) scan, 71, 370
- apt command, 220, 430
- ARP tables, 68, 369
- artificial intelligence (AI), 191, 418, 423
- Asia-Pacific Network Information Centre (APNIC), 23, 355
- asset inventory, 88, 376
- asset tagging, 117, 385
- asset value (AV), 341, 477
- at command, 178–179, 413
- atomic execution, 130, 135, 140, 392, 394, 397
- attack surface, 404
- attack vectors, 418
- attribute-based access control (ABAC), 122–123, 125, 139–140, 388, 390, 397
- attrition, as an attack vector for classifying threats, 428
- audits, 226–227, 429, 432
- authenticated scans, 97–98, 231, 379, 435
- authentication
  - context-based, 119, 306, 386, 466
  - multifactor authentication (MFA), 112, 118, 122, 137, 383, 386, 388, 395, 399
  - plain-text, 65, 368
  - requiring, 350
  - token-based multifactor, 306, 466
  - two-factor, 113, 383
- auth.log file, 155, 231, 310, 404, 435, 468
- automated patching, 396
- automated testing sandbox, 381
- automated vulnerability scanning, 138, 396
- availability analysis, 154, 294, 403, 462
- awareness campaigns, 190–191, 417–418
- B
- background screening, 266, 450
- back-off algorithm, 160–161, 406
- backups, 229, 232, 236, 279, 342, 367, 434, 435, 438, 456, 478
- banner grabbing, 10, 59, 350, 366
- basic input/output system (BIOS), 126, 298, 390, 463
- bcrypt, 109, 145, 382, 400
- beaconing, 342, 478
- behavioral analysis, 110, 252, 261, 358, 382, 444, 448
- behavior-based detection, 154, 404
- binary diffing, 153, 403
- binary file, 200, 421
- birthday attacks, 98, 379
- BitLocker, 255, 426, 445
- blackholing, DNS, 185, 415
- blacklisting, 158, 184, 405, 407–408, 415
- blind SQL injection, 42, 308, 361, 377, 467
- block size, 296, 463
- blocking
- boot log, 109, 382
- Border Gateway Protocol (BGP), 118, 133, 385–386, 394
- bounds checking, 73, 371
- Bring Your Own Device (BYOD), 86, 168, 238, 307–308, 375, 409, 438, 467
- brute-force attacks, 14, 160–161, 179, 246, 348, 349, 352, 390, 399, 406, 413, 428, 441
- BSSID, 232, 435
- buffer overflows, 13, 50, 69–70, 72–73, 254, 351, 364, 370, 371, 445
- buffer overwriting, 222, 430–431
- bug, 361
- built-in editing tools, 414
- Burp Proxy, 343, 479
- bus encryption, 134, 393, 394
- business impact analysis (BIA), 82, 86, 320, 375, 471
- business partnership agreements (BPAs), 86, 320, 375, 471
- C
- call list, 260, 447
- canonical name (CNAME), 31, 358
- canonicalization, 222, 430–431
- CAPEC, 161, 407
- CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), 399
- captive portals, 160, 406
- cell phone forensics, 228, 433
- CERT/CC, 248, 442
- Certificate Authority (CA), 96, 378
- certificates, digital, 30, 92, 96, 97, 124, 131, 239, 357, 377, 379, 389, 392, 393, 474, 479
- certutil utility, 223–224, 431
- chain-of-custody tracking, 213, 221, 231, 427, 430, 435
- change control processes, managing, 68, 372
- change management, 72, 80, 120, 370–371, 373, 387, 479
- checksum, 108, 298, 309, 381, 463, 467–468
- chmod command, 214, 427
- Chrome (Google), 73, 246–247, 371, 442
- cipher support, 40–41, 57, 361, 366
- clearing, 434
- client-server platform, 399
- clock synchronization, 302, 465
- cloning, 410
- closed source intelligence, , 348
- cloud access security brokers (CASBs), 123, 203, 388, 423
- Cloud Formation, , 350
- Cloudflare, 27, 356
- CloudSploit, 16, 353
- clusters, 10, 238, 240, 351, 439
- code
- code of conduct/ethics, 280, 456
- collision, 98, 379
- command history, 250, 443
- commodity malware, , 349
- Common Platform Enumeration (CPE), 10, 17, 195, 350, 353, 419–420
- Common Vulnerability Scoring System (CVSS), 161, 195, 323, 407, 419–420, 472
- communication, in remediation workflow, 72, 370–371
- community cloud, , 349
- compensating controls, 71, 370
- Computer Security Incident Handling Guide (NIST), 235, 437
- containerization, 77, 120–121, 372, 387, 401
- containment, 303, 343, 465, 479
- content distribution networks (CDNs), 27, 356
- context-based authentication, 119, 306, 386, 466
- continual service improvement (CSI), 287, 459
- continuous delivery (CD), 196, 204, 420, 423
- continuous integration (CI), 196, 420
- continuous monitoring, 93, 94–95, 377, 378
- continuous scanning, 294, 462
- Control Objectives for Information and Related Technologies (COBIT), 271, 280, 325, 452, 456, 473
- Controller Area Network bus (CAN bus), 16, 353, 464
- cookie management, 44, 362
- copyrights, 237, 438
- corporate policy, 91, 376
- corporate-owned, personally enabled (COPE) strategy, 86, 307–308, 375, 467
- crash carts, 442
- credential stuffing, 14, 352
- credentialed scanning, 43, 44, 81, 91, 95, 97–98, 362, 373, 377, 378, 379
- credit cards, 425–426
- cross-site scripting (XSS) attack, 125, 140, 339, 389, 398, 477
- cryptolocker, 392
- CVSS vector, 60, 366
- D
- data
- data carving, 218, 429
- data classification, 61, 266, 273, 288, 322, 337, 367, 450, 453, 460, 472, 476
- data collection, 139, 396
- data disposal, 322, 472
- data encoding, 116, 385
- data encryption key (DEK), 147–148, 401
- Data Encryption Standard (DES) algorithm, 57, 366
- data enrichment, 185, 194, 415, 419
- Data Execution Prevention (DEP), 155, 251, 404, 443
- data exfiltration, 279–280, 356, 413, 456
- data flows, 27, 356
- data loss prevention (DLP), 88, 124, 167, 185–186, 202, 270, 273, 341, 376, 389, 409, 415, 422, 452, 453, 477–478
- data masking, 267, 450
- data ownership, 288, 290, 460, 461
- data privacy, 61, 367
- data remanence, 61, 367
- data retention, 61, 276, 288, 322, 329, 367, 454, 460, 472, 474
- data sovereignty, 269, 451
- database servers
- database vulnerability scan, 367
- datacenter, 272, 453
- datacenter firewalls, 22, 355
- DBAN, 475
- debuggers, 177, 412, 414
- deception technology, 124, 389
- decompilers, 177, 412
- decomposition diagram, 111, 382
- Defense Microelectronics Activity (DMEA), 147, 401
- degaussing, 229, 434
- demilitarized zone (DMZ), 12, 351
- DemoHost2, 25, 355
- denial-of-service (DoS) attacks, 15, 120, 135, 212, 352, 364, 387, 395, 426, 461
- deprovisioning, 275, 454
- destruction, 434
- detection systems, 142–143, 399
- deterministic sampling, 186, 416
- DevOps model, 138, 396
- DevSecOps model, 126, 149, 389, 390, 402
- Diamond Model of Intrusion Analysis, –6, 349
- dig command, 30, 314, 357, 469
- digital certificates, 30, 92, 96, 97, 124, 131, 239, 357, 377, 379, 389, 392, 393, 474, 479
- disassemblers, 177, 412, 414
- disaster recovery plans (DRPs), 82, 374
- disclosure, as a GAPP privacy practice, 431
- discretionary access control (DAC), 120, 122–123, 125, 139–140, 387, 388, 390, 397
- DiskView, 254, 445
- disposition, 115, 141, 150, 384, 398, 402
- dissemination component, in intelligence cycle, , 348
- distributed denial-of-service (DDoS) attacks, 17, 284, 353, 458
- DNS blackholing, 185, 415
- DNS brute-force attack, , –7, 348, 349
- DNS sinkholes, 165, 173, 197, 408, 411, 420
- Docker, 128, 137, 148, 391, 395–396, 401
- documents, 228, 283, 433, 458
- $ character, 116, 385
- domain controllers (DCs), 168, 409
- domain generation algorithms (DGAs), 197, 408, 420
- Domain Name System (DNS), querying, 22, 354
- domain names, 166, 408
- domain registration information, 34, 359
- DomainKeys Identified Mail (DKIM), 405–406
- drive adapters, as components of forensic toolkits, 259, 447
- drives
  - encrypting, 213, 426–427
  - purging, 218, 428
  - self-encrypting drives (SEDs), 131, 134, 147–148, 393, 394, 401
- dual control, as a personnel control, 276, 282, 286, 328, 455, 457, 459, 474
- due diligence, 279–280, 456
- dynamic code analysis, 116, 385, 441
- E
- economic impact, 250–251, 443
- edge router, 136–137, 395
- eFuse (IBM), 129, 147, 309, 392, 401, 467
- 802.1x protocol, 155, 404
- email
- email headers, 159, 229, 236, 406, 434, 437
- email signatures, 412
- embedded systems, 399
- emergency change procedure, 80, 261–262, 373, 448
- Encapsulating Security Payload (ESP), 183, 415
- encryption, 133, 213, 352, 356, 393, 417, 426–427, 472
- end-of-life (EOL), 80, 373
- endpoint detection and response (EDR), 171, 203, 410, 422
- endpoint security software, 187, 417
- endpoints, 14, 352
- end-to-end encryption, 27, 356
- engagement, 276–277, 279, 455
- enumeration, 369
- Eraser, 218, 429
- error log, 217, 428
- escalation list, 447
- escalation of privilege vulnerability, 47, 363
- event indicators, 319–320, 471
- evidence production, 472
- exceptions, in policy documents, 280, 456, 459, 479
- exposure factor (EF), 272, 341, 452–453, 477
- Extensible Authentication Protocol (EAP), 161, 407
- external scan, 71, 163, 326, 370, 407, 473
- F
- Facebook, 247, 442
- Fagan inspection, 114, 146, 204, 384, 400, 423
- false positives, , 42, 63, 64, 348, 361, 367–368
- Family Educational Rights and Privacy Act (FERPA), 38, 268, 280–281, 360, 451, 456
- fast-flux DNS networks, 339, 477
- fault injection, 111, 318–319, 383, 470–471
- feasibility phase, of projects, 150, 402
- Federal Information Processing Standard (FIPS), 119, 386
- Federal Information Security Management Act (FISMA), 95, 248, 378, 442
- feedback component, in intelligence cycle, , 348
- fences, 276, 455
- fiber links, 255, 445
- field-programmable gate arrays (FPGAs), 13, 351
- file command, 220, 429
- File System audit, 245, 441
- File Transfer Protocol (FTP), 84, 324, 374, 472
- filesystem, 204, 423
- FileVault, 211, 426
- filtering beacons, 426
- fingerprinting software, 66, 350, 368
- Firefox (Mozilla), 72–73, 83, 371, 374
- firewall logs, 187, 416, 464
- firewalls
  - about, 32, 358, 373
  - configuring, 49, 363
  - defined, 118, 386
  - rules for, 87–88, 304, 327, 331, 376, 465, 474
  - upgrading, 79, 372
- FireWire, 445
- firmware, 125–126, 129, 132, 144, 390, 392, 393, 399
- flow logs, 226, 432
- forensic analysis and techniques, 230, 434
- forensic artifacts, 423
- forensic examiners, 237, 438
- forensic images, importing, 291, 461
- forensic SIM, 226, 432
- Framework Core (NIST Cybersecurity Framework), 286, 459
- Framework Profiles, 286, 459
- frameworks, 469
- FTK Imager Light, 223, 245, 431, 441
- full interruption tests, 448
- full-disk encryption (FDE), 13, 113, 167, 270–271, 273, 341, 352, 383, 409, 452, 453, 477–478
- function as a service (FaaS), , 349
- functional impact, severity classification and, 334, 475
- fuzz testing (fuzzing), 111, 114, 116, 145, 318–319, 383, 384, 385, 396, 400, 470–471
- G
- General Data Protection Regulation (GDPR), 275, 454
- GET command, 200, 421
- getfacl command, 426
- Google Chrome, 72–73, 246–247, 371, 442
- GPS systems, 228, 433
- Gramm-Leach-Bliley Act (GLBA), 268, 280–281, 282, 307, 451, 456, 457, 467
- greater than/less than brackets (<>), 116, 385
- grep command, 65, 177, 368, 412
- Group Policy Objects (GPOs), 168, 409
- groups command, 474
- guidelines, in policy documents, 283, 458
- H
- hacktivists, 201, 422
- hardware security modules (HSMs), 107, 108, 128, 129, 133, 134, 381, 391, 392, 394
- hardware write blockers, 213, 427
- hash function, 96, 378
- Hashcat, 351
- hashing, 118, 235, 386, 437
- head command, 214, 427
- Health Insurance Portability and Accountability Act (HIPAA), 38, 267, 268, 277, 280–281, 282, 291–292, 307, 360, 450, 451, 455, 456, 457, 462, 467
- heuristic analysis, 187, 204, 290, 416, 423, 461
- hibernation files, 242, 333, 439–440, 475
- high-priority vulnerabilities, 374
- holographic stickers, 131, 393
- honeynet, 120, 387
- honeypots, 107, 120, 297, 306, 381, 387, 463, 466
- host enumeration, 369
- host firewalls, 61, 77, 79, 113–114, 367, 372, 384
- host intrusion prevention systems (HIPSs), 14, 185–186, 188, 352, 415, 417
- host-based solution, 14, 352
- hosts, accessing, , 349
- Hping, 13, 351
- HTTP TRACK/TRACE methods, 86, 375
- HTTP/HTTPS traffic vulnerabilities, 59, 154, 366, 403
- hybrid cloud, , 349
- I
- ICANN, 22, 354
- ICMP protocol, 412
- identification phase, 258, 447
- identity and access management (IAM) systems, 139, 397
- identity provider (IDP), 127, 138, 147, 327, 391, 396, 401, 473
- IDS logs, 65, 368
- ifconfig command, 322, 439, 471, 472
- impact score, 367
- impersonation attacks, 428
- incremental mode, 217, 428
- indicators of compromise (IOCs), 191, 348, 418
- industrial control systems (ICSs), 42, 361
- information asset value, 44, 362
- information impact analysis, 258, 446–447
- information leakage vulnerability, 36, 359
- information sharing and analysis centers (ISACs), –5, 236, 349, 437
- Information Technology Infrastructure Library (ITIL), 269, 273, 451, 455
- infrastructure as a service (IaaS), 27–28, 262, 279–280, 356, 449, 456
- infrastructure as code (IAC) computing, 350
- input validation, 79, 116, 143, 372, 385, 399, 479
- insurance, 271, 272, 452, 453
- integrated circuit (IC), 111, 382
- integrated development environment (IDE), 132, 393
- intelligence criteria, 348
- intelligence cycle, , 348
- interactive logins, 70–71, 370
- interception proxies, 343, 479
- internal audit, 268, 451
- internal scan, 48, 71, 326, 363, 370, 473
- Internet Explorer, 75, 309–310, 371, 468
- intrusion detection systems (IDSs), 87–88, 116, 182, 270, 376, 385, 414, 452
- intrusion prevention systems (IPSs), 32, 182, 187, 270, 314, 333, 358, 361, 367, 414, 416, 422, 452, 469, 475
- IP addresses, 79, 193, 239, 310, 339, 373, 412, 419, 439, 468, 477
- IP port, 19, 354
- IP ranges, , 184, 349, 399, 415
- IP reputation, 225–226, 432
- ipconfig command, 322, 439, 472
- iPhone backups, 236, 438
- IPP port, 19, 354
- IPsec, 50, 129, 364, 389, 391, 392
- IPsec, 398
- iptables, 169–171, 410
- IPv6 records, 24–25, 355
- IR life cycle, phases in, 232, 435
- ISO 9000, 270, 452
- ISO 17799, 270, 452
- ISO 27001, 270, 286, 342, 452, 459, 478
- ISO 30170, 270, 452
- isolating, 112, 237, 383, 438
- IT Infrastructure Library (ITIL), 325, 473
- J
- John the Ripper, 260, 338, 447, 476
- jump boxes, 108–109, 381, 415
- jump host/box, 122, 388
- jump kit, 246, 442
- K
- Kerberos, 30, 357, 388, 462–463
- kernel-mode drivers, 53, 364
- keychain, 236, 438
- keys, access associated with, , 350
- kill command, 170, 410
- knowledge-based factors, 305, 340, 466, 477
- Kubernetes, 148, 401
- L
- LACNIC, 23, 355
- Lambda service (Amazon), , 349
- LANMAN hashes, 17, 353
- latency, 11–12, 351
- least privilege, 276, 286, 455, 459
- level 5 vulnerabilities, 91, 377
- level-based access control, 109, 382
- Lightweight Directory Access Protocol (LDAP), 72, 96, 139, 371, 378, 397
- link failure, 290, 461
- Linux
  - about, 174–175, 211, 412, 426
  - permissions, 216, 427
  - processors and, 137, 395–396
  - syslogs, 140, 397
- live forensics imaging, 243–244, 440–441
- load balancers, 29, 100–101, 357, 380
- local scans, 213, 426
- Lockheed Martin's Cyber Kill Chain, 299, 464
- log files, 123–124, 388
- logging, 116, 168, 343, 385, 409, 478–479
- logins, blocking, 288, 460
- logs, 188, 252, 417, 444
- LOIC, 164, 407–408
- ls command, 168, 409
- M
- MAC address, 15, 30, 117, 158, 161, 170–171, 216, 229, 239, 352, 357, 385, 405, 407, 410, 422, 427, 434, 439
- machine learning (ML), 191, 195, 204, 418, 419, 423
- macOS drive, 218, 429
- malloc() function, 13, 351
- malware, , 177, 191, 194, 200, 237, 252, 349, 412, 418, 419, 421, 438, 444
- managed detection response (MDR) system, 414
- management, primary role of, 231, 435
- mandatory access control (MAC), 109, 120, 122–123, 125, 139–140, 382, 387, 388, 390, 397
- mandatory vacation, as a personnel control, 273, 281, 453, 457
- man-in-the-middle (MitM) attacks, 343, 428, 479
- manual review and analysis, 123, 388
- mapping and enumeration, 369
- MD5 hash, 209, 425
- measured boot, 117, 132–133, 385, 393
- media sanitization, 229, 434
- memorandums of understanding (MOUs), 82, 86, 320, 374, 375, 471
- memory pressure, 250, 443
- memory protection, 79, 372
- memory usage monitoring, 221–222, 430
- memstat command, 168, 409
- metadata, 209, 425, 441–442
- MetaScan, 254, 445
- metrics, 297–298, 463
- Microsoft
  - Internet Information Server (IIS), 47, 57, 363, 365–366
  - MBSA, 442
  - storing Office files, 249–250, 442–443
  - support for Internet Explorer, 72–73, 371
- Microsoft SQL, , 27, 61, 348, 356, 357, 365
- Microsoft SQL Server, 96, 378
- mitigation service, 17, 353
- mobile device management (MDM), 86, 375
- mobile devices, 77, 372
- Modbus protocol, 13, 299, 351, 464
- Mozilla Firefox, 72–73, 83, 371, 374
- multifactor authentication (MFA), 112, 118, 122, 137, 383, 386, 388, 395, 399
- mutation testing, 111, 318–319, 383, 470–471
- MX records, 31, 358
- MySQL, , 156, 348, 405
- N
- National Software Reference Library (NSRL), 438
- Nessus (Tenable), 89, 343, 376, 479
- Netcat, –9, 24, 250, 305, 308, 350, 355, 443, 466, 467
- NetFlow, 64–65, 187, 198, 214, 368, 416, 421, 427
- netstat command, , 319, 322, 349–350, 471, 472
- network access control (NAC), 161, 179, 341, 407, 413, 478
- network address translation (NAT), 160, 301, 406, 464
- Network Admission Control. see network access control (NAC)
- network cards, 462
- network firewalls, 18, 353, 409, 465
- network flows, 189, 417, 421
- network segmentation, 79, 112, 135, 137, 139, 148, 215, 266, 372, 383, 384, 395, 396, 401, 427, 450, 474
- Network Time Protocol (NTP) server, 51–52, 364
- Network Transfer Protocol (NTP), 326–327, 473
- NetworkMiner, 31, 358
- networks, scanning, 21, 354
- Nikto scan, 33, 358
- NIST
  - Computer Security Incident Handling Guide, 235, 437
  - Cybersecurity Framework, 279, 456
  - recoverability effort categories, 226, 432
- Nmap, , 10, 17, 20, 24, 28, 29–30, 32, 35, 291, 298, 311, 350, 351, 353, 354, 355, 357, 358, 359, 461–462, 463, 468
- nmap command, 26, 356
- nondisclosure agreements (NDAs), 281, 457
- notifications, 154, 403–404
- NTP synchronization, 292, 462
- O
- OAuth, 122, 139, 150, 267, 307, 388, 397, 402, 450, 467
- observable occurrences, 314, 469
- one-time password (OTP), 122, 388
- Online Certificate Status Protocol (OCSP), 161, 406–407
- on-site network scan, 32, 358
- Open Indicators of Compromise (OpenIOC) format, , 348
- open source intelligence, , 348
- Open Web Application Security Project (OWASP), 126, 390
- OpenFlow, 119, 386
- OpenID, 122, 150, 388, 402
- OpenSSH, 330–331, 362, 474
- OpenSSL, 59, 366
- OpenVAS, 257, 446
- operating systems
- Ophcrack, 220, 430
- OPTIONS method, 50, 363
- Oracle, , 96, 348, 378
- Oracle databases
- organizational unique identifier (OUI), 435
- original equipment manufacturers (OEMs), 107, 381
- OSINT, 19, 33–34, 354, 359
- output encoding, 126, 140, 390, 398
- outsourcing, 228, 433
- overflowing, 261, 448
- over-the-shoulder code review, 114, 384
- P
- packers, 162, 407
- packet capture, 307, 467
- packet sniffing, 214, 427
- Pacu, 16, 353
- page file, 232, 435
- pair programming, 114, 384
- parameterized queries, 116, 127, 140, 385, 391, 397, 401
- pass-around code reviews, 114, 384
- passive defenses, 107, 381
- passive fingerprinting, 32, 358
- passive network mapping, 24, 89, 355, 376
- passive reconnaissance, 24, 355
- passphrases, 254–255, 445
- password crackers, 260, 338, 447, 476
- password hashes, 342, 478
- password policy, 374
- password reuse, 144, 399
- password spraying attack, 14, 352
- password-hashing algorithm, 382
- passwords, 145, 209, 400, 425
- patch deployment, 58, 91–92, 366, 370, 375, 377
- patch management, 31, 36, 62–63, 67, 99, 227, 290, 335, 358, 359–360, 367, 369, 379, 433, 461, 476, 479
- patents, 237, 438
- Payment Card Industry Data Security Standard (PCI DSS), 38, 41, 58, 79, 100, 167, 266, 273, 277, 282, 284, 285, 307, 328–329, 338, 360, 361, 366, 372, 380, 408, 435, 450, 453, 455, 457, 458, 467, 474, 476–477
- peer-to-peer botnets, 444
- penetration testing, 38, 276–277, 309, 360, 455, 457, 467
- pepper, 137, 395
- permissions, 67, 88, 216, 369, 376, 427
- permissions inventory, 12, 351
- personally identifiable information (PII), 230–231, 242, 277, 435, 440, 455
- phishing attacks, 160, 406
- PHP language, 322–323, 472
- phpinfo file, 94, 377
- physical access, 128, 391
- physical inventory, 133, 394
- ping scan, 32, 358
- ping sweep, 34, 359
- pivot, preparing to, 26, 356
- plain-text authentication, 65, 368
- platform as a service (PaaS), , 349
- playbooks, in incident response, 254, 305, 445, 466
- pluggable authentication module (PAM), 239, 438–439
- PNG processing, 58, 366
- Point-to-Point Tunneling Protocol (PPTP), 50, 124, 364, 389
- poisoning vulnerability, 375
- policies, 312, 469
- POODLE vulnerability, 54, 365
- port 22, 176–177, 197, 317, 412, 420, 470
- port 23, 38, 317, 360, 470
- port 80, 154, 403
- port 139, 50, 363
- port 389, 72, 371
- port 443, 56, 365
- port 445, 50, 363
- port 636, 96, 378
- port 1433, 56, 96, 365, 378
- port 1521, 96, 378
- port 3306, 156, 405
- port 3389, 28, 39, 180, 356, 360, 413
- port scanning, 17, 33–35, 353, 355, 359, 426
- ports
  - about, , 348, 354
  - for database servers, 38, 320, 360, 471
  - open, 28, 30–31, 357
  - for remote desktop protocol services, 38, 360
  - security of, 158, 405
  - for web servers, 38, 320, 360, 471
- Post Office Protocol v3 (POP3), 64, 368
- Postgres, , 30, 348, 357
- postincident communication, 260, 447–448
- postmortem forensics, 243–244, 440–441
- PowerShell, 153–154, 403
- preparation phase, of incident response, 211, 425
- pretexting, 19, 354
- printers, 71–72, 370
- private cloud, , 349
- private key, 148–149, 402
- privilege escalation, 15, 245, 352, 441
- privileged accounts, 122, 139, 388, 397
- proactive network segmentation, 209–210, 425
- process flow, 447
- Process Monitor, 231–232, 435
- processor monitoring, 135, 395
- processor security extensions, 148, 401
- profiling, 245, 354, 441
- proprietary breaches, 440
- proprietary intelligence, , 348
- proprietary protocols, 144, 399
- protected health information (PHI), 248, 277, 280–281, 442, 455, 456
- Prowler, 16, 353
- proxies, 11, 351
- ps command, 65, 158, 368, 405
- PS tools, 156, 404–405
- pseudocode, 242, 440
- public cloud, , 349
- purging, 212, 218, 267, 341, 426, 428, 434, 450, 478
- purpose limitation, 268, 451
- PuTTY, 76, 371–372
- Q
- qualitative risk assessment, 274, 454
- quantitative risk assessment, 274, 454
- quarantine networks, 160, 406
- query parameterization, 116, 127, 140, 385, 391, 397, 401
- R
- rainbow table attacks, 14, 220, 352, 430
- random sampling, 186, 416
- Rank Software, 416
- Rapid Application Development (RAD), 112, 121, 383, 387
- RAW images, 234, 436
- real-time operating system (RTOS), 13, 351, 464
- reconnaissance and intelligence gathering, 62, 367
- Red Hat Linux, 83, 374
- redirect attack, 307, 467
- redundant system, 79, 136, 372, 395
- reformatting, 426
- registry changes/anomalies, 166–167, 194–195, 222, 258, 304–305, 408, 419, 429, 430, 446, 461, 466
- regression testing, 111, 145, 382, 400
- regular expressions, 143–144, 399
- relying party (RP), 127, 391
- remediation workflow, 46, 48, 51, 52, 55–56, 60, 85, 92, 94–95, 361, 362, 363, 364, 365, 366–367, 369, 374–375, 377, 378
- remote attestation, 382
- Remote Authentication Dial-In User Service (RADIUS), 30, 296, 357, 462–463
- remote code execution, 376
- Remote Desktop Protocol (RDP), 38, 39, 155, 180, 320, 360, 404, 413, 471
- remote server logs, 402
- reporting, 94, 378
- Representational State Transfer (REST), 142, 398
- reputational source, , 349
- requirements, as component in intelligence cycle, , 348
- resource exhaustion, 322, 471–472
- Resource Monitor (resmon), 221, 430, 439
- Responder, 13, 351
- REST-based web services, 128, 135, 391, 395
- restoration, of application and service issues, 233, 242, 436, 440
- reverse engineering, 396, 398
- reverse image search tools, 255, 445
- RIPE, 23, 355
- risk acceptance, 270, 272–273, 274, 452, 453, 454
- risk appetite, 98, 379
- risk assessment, 275, 454
- risk avoidance, 268, 270, 451, 452
- risk identification process, 454
- risk mitigation, 270, 452
- risk tolerance, 98, 379
- risk transference, 268, 270, 451, 452
- role-based access control (RBAC), 109, 120, 122–123, 125, 139–140, 382, 387, 388, 390, 397
- rootkits, 15, 352
- rotation list, 447
- route command, 465
- routers, 118, 386, 395
- RSA encryption keys, 115, 384, 392
- rules, 163, 164, 407
- rules of engagement (RoE), 282, 457
- runas command, 65, 368
- runtime packers, 162, 407
- S
- salt, 137, 395
- SAM, 248–249, 258, 442, 446
- sampling, 416
- sandboxing, 108, 110, 179–180, 203, 310, 340–341, 381, 382, 412, 422, 468, 477
- Sarbanes-Oxley (SOX) Act, 38, 268, 280–281, 282, 360, 451, 456, 457, 467
- scalability, as a benefit of cloud computing, 120, 387
- Scalpel, 321, 332–333, 471, 475
- scans
  - log for, 157, 405
  - scheduling, 101, 380
  - sensitivity of, 68–69, 72, 78, 369, 371, 372
  - standard, 59, 366
- scheduling scans, 101, 380
- ScoutSuite, 16, 353
- scripts, 423, 446, 448
- Secure Boot, 134, 135, 145, 394, 399–400
- Secure Enclave, 392
- Secure Shell (SSH) protocol, 188, 378, 417
- Secure Sockets Layer (SSL), 50, 273, 364, 453
- Secure/Multipurpose Internet Mail Extensions (S/MIME), 168, 409
- security. see specific topics
- security artifacts, 115, 384
- Security Assertion Markup Language (SAML), 122, 133, 139, 150, 161, 388, 393, 397, 402, 406–407
- Security Content Automation Protocol (SCAP), 174, 191, 195, 411, 418, 419–420, 423
- security information and event management (SIEM) systems, 154, 186, 192, 205, 403, 416, 418–419, 424, 443
- security operations center (SOC), 228, 433
- Security Orchestration, Automation, and Response (SOAR) tool, 176, 182, 192, 193, 334, 412, 414, 418–419, 475
- security patches, 47, 363, 367
- security screws, 147, 401
- security through obscurity, 116, 385
- security updates, 66, 368–369, 372
- segmentation, 79, 112, 135, 137, 139, 148, 215, 266, 372, 383, 384, 395, 396, 401, 427, 450, 474
- self-encrypting drives (SEDs), 131, 134, 147–148, 393, 394, 401
- self-signed certificates, 18, 353
- sensitive personal information (SPI), 455
- separation of duties, as a personnel control, 274, 281, 282, 287, 453, 454, 455, 456, 459–460
- server logs, 87–88, 376
- server-based scanning, 44, 89, 362, 376
- serverless computing, 146, 387, 400
- servers, upgrading, 371
- service level agreements (SLAs), 82, 86, 320, 374, 375, 471
- service ports, 356
- service provider (SP), 127, 391
- service-oriented architectures (SOA), 127, 391
- session hijacking, 160, 406, 465
- session IDs, 142, 398
- setfacl command, 426
- severity classification, 36, 37, 51, 52, 55, 83, 87, 98, 99–100, 312, 316–317, 359, 360, 364, 365, 369, 374, 375, 379, 398, 450, 469, 470
- sFlow (sampled flow), 198, 421
- shadowed rule, 300, 464
- SharePoint, 41, 361
- sharing data, 285, 458
- shim cache, 318, 470
- shutdown scripts, 256, 446
- Signal protocol, 217, 428
- signature analysis, 95, 378
- signature-based detections, 197–198, 290, 421, 461
- signatures, 325, 473
- Simple Network Management Protocol (SNMP), 31, 38, 214, 313, 316, 357–358, 360, 427, 469, 470
- simultaneous hosts per scan, 43–44, 362
- single crack mode, 428
- single loss expectancy (SLE), 283–284, 341, 453, 458, 477
- single quotation mark ('), 116, 385
- single sign-on (SSO) systems, 122, 138, 388, 396
- sinkholes, DNS, 165, 173, 197, 408, 411, 420
- slack space, 232, 256, 436, 446
- SMB, 72, 371
- SMS messages, 119, 386
- SMTP, 159, 406
- snapshotting, 217, 428
- sniffing tool, 24, 355
- SNMP command, 302, 465
- SOAP messages, 391
- Social Security Number (SSN), 278, 455
- software as a service (SaaS), 14, 145, 299, 352, 400, 464
- software development life cycle (SDLC), 115, 141, 384, 398
- software-defined networking (SDN), 119, 137, 145–146, 386, 396, 400
- software-defined wide area network (SDWAN), 421
- source data, modifying, 252, 444
- spear phishing, 190–191, 417–418
- SPF records, 31, 358, 405–406
- Spiral model, 121, 141, 149, 387, 398, 402
- spoofing, 357, 410, 428
- SQL injection attack, 15, 25–26, 47, 50, 52, 53, 69–70, 86, 116, 124, 125, 140, 180–181, 352, 356, 363, 364, 369, 375, 385, 389, 397, 414
- SQL queries, 147, 223, 401, 431
- SQL Server, 45, 362
- SSH access, 159, 176–177, 406, 412
- SSH communication, 262, 448
- SSH key, 148–149, 402
- SSH logins, 253, 444
- SSH port forwarding, 33, 358
- SSH traffic, 420
- SSH tunneling, 33, 358
- SSID, 210, 425
- standards, in policy documents, 286, 459
- Start of Authority (SOA), 31, 358
- stat command, 474
- static analysis, 109, 115, 180, 197, 203, 382, 385, 413, 420, 422, 441
- static code analysis, 384
- stolen cookie, 304, 465
- strcpy() function, 16, 353
- stress testing, 110, 145, 318–319, 382, 383, 400, 470–471
- strings command, 173, 328, 411, 474
- Structured Threat Information Expression (STIX), , 161, 190, 192, 193, 195, 196, 348, 406–407, 417, 418, 419–420
- su command, 65, 368
- subnet, 406
- succession planning, as a personnel control, 279, 286, 456, 459
- sudo command, 65, 189, 205, 368, 417, 424
- Super Timeline, 235, 437
- supervisory control and data acquisition (SCADA) systems, 13, 42, 79, 351, 361, 372
- symbols, 385
- symmetric encryption, 133, 394
- SYN floods, 157, 405
- SYN packets, 336, 476
- SYN scan, 299, 464
- SYN-based port scan, 296, 462
- Sysinternals suite for Windows, 209, 425
- system binary kits, 238, 438
- System on a Chip (SoC), 13, 351, 464
- system restore, 245, 441
- T
- tabletop exercises, 262, 269, 448, 451
- TACACS+, 296, 462–463
- tag-out, 19, 354
- tail command, 214, 427
- Tamper Data, 343, 479
- tamper-proof seals, 251–252, 443
- tarpits, 107, 381
- TCP ports, 19, 26, 27, 28, 30, 319, 354, 356, 357, 418, 471
- TCP SYN scan, , 311, 350, 468
- TCP transport protocol, 406
- TCP/80, 144, 399
- tcpdump, 215, 427
- team members, changes in, 269, 451
- telnet, –9, 20, 350, 354, 360
- Tenable's Nessus vulnerability scanner, 88–89, 343, 376, 479
- testing
  - about, 162, 407
  - code, 38, 360
  - environment for, 99, 379
  - full interruption tests, 448
  - fuzz testing (fuzzing), 111, 114, 116, 145, 318–319, 383, 384, 385, 396, 400, 470–471
  - mutation, 111, 318–319, 383, 470–471
  - penetration, 38, 276–277, 309, 360, 455, 457, 467
  - regression, 111, 145, 382, 400
  - stress, 110, 145, 318–319, 382, 383, 400, 470–471
  - unit, 149, 150, 402
  - user acceptance testing (UAT), 110, 115, 145, 149, 382, 384, 400, 402
  - for vulnerability scanners, 23–24, 355
- testing and integration phase, of software development life cycle, 150, 402
- third-party AV tool, 126, 390
- threat actors, 161, 222, 348, 407, 430
- threat intelligence, sharing, , 349
- threat intelligence feeds, 153, 267, 403, 450
- threat profiles, 191, 418
- Tier 3 risk management program, 335, 476
- time to live (TTL), 20, 354
- time zone settings, 421
- time-of-check/time-of-use (TOC/TOU) attack, 16, 352
- token-based multifactor authentication, 306, 466
- tokenization, 267, 450
- top command, 168, 170, 409, 410
- top tool, 403
- traceroute command, 465, 471
- trade secrets, 237, 438
- trademarks, 237, 438
- Transport Layer Security (TLS), 18, 86, 124, 127, 140, 167, 199, 273, 341, 353, 375, 389, 391, 397–398, 409, 421, 453, 466, 477–478
- trend analysis, 186, 416
- Tripwire, 156, 186–187, 204, 404, 416, 423
- trouble ticket system, 373
- Trusted Automated Exchange of Indicator Information (TAXII), , 161, 192, 193, 196, 204, 348, 406–407, 418, 420, 423
- trusted execution, 140, 397
- trusted execution environments (TEEs), 129, 130, 392
- trusted foundries, 107, 142, 321, 381, 398, 471
- Trusted Foundry Program, 111, 147, 382, 401
- Trusted Platform Module (TPM), 107, 115, 134, 145, 321, 381, 384, 394, 399–400, 471
- two-factor authentication, 113, 383
- two-person control, 281, 457
- U
- Ubuntu, 414
- UDP scan, 28, 29, 357
- uncredentialed scanning, 44, 301, 362, 464
- Unicode encoding, 125, 389
- Unified Extensible Firmware Interface (UEFI), 129, 135, 392, 394
- unit testing, 149, 150, 402
- Unix, 174–175, 412
- updating/upgrading
- firewalls, 79, 372
- operating systems, 62, 367
- servers, 371
- vulnerability scanners, 373
- URL analysis, 196–197, 204–205, 420, 423
- US-CERT, 248, 442
- user acceptance testing (UAT), 110, 115, 145, 149, 382, 384, 400, 402
- user accounts, 85, 374, 441
- user and event/entity behavior analytics (UEBA), 156, 182, 192, 203, 405, 414, 418–419, 422
- V
- validating
- NIST guidelines on, 443, 521
- output, 146–147, 401
- version control, 479
- virtual desktop infrastructure (VDI), 121, 387
- virtual desktops, 138, 396
- virtual machines (VMs), 223, 422, 431
- virtual private cloud (VPC), 120, 135, 384, 387, 395
- virtual private networks (VPNs), 113–114, 129, 148, 167, 187, 341, 383, 384, 392, 401, 409, 417, 477–478
- virtualization, 43, 120–121, 362, 387, 413
- virtualization platforms, 40, 54, 83, 101, 361, 365, 374, 380
- VirusTotal, 111, 153, 254, 382, 403, 445
- VLAN hopping, 118, 385–386
- VM escape attack, 36, 359
- VMware, 40, 118, 361, 385–386
- volatility, order of, 235, 248, 305, 334, 437, 442, 466, 475
- volume encryption, 13, 352
- vulnerability feeds, 348
- vulnerability scanners
- W
- Waterfall model, 121, 141, 387, 398
- watermarking, 276, 454
- Wayback Machine, 10, 350
- web application firewall (WAF), 124, 389
- web browsing, 19, 87, 164, 354, 375, 399, 408
- web content filtering, 67, 369
- web proxy, 125, 389
- web server logs, 64–65, 368
- web servers, 38, 320, 360, 399, 471
- wget, –9, 350
- whitelisting, 158, 161, 180, 405, 407, 414
- Whois, 22, 24, 354, 355
- Wi-Fi Protected Setup (WPS), 16, 353
- wildcard certificate, 131, 142, 392, 398
- Windows Event Viewer, 140, 397
- Windows file servers, 20, 354
- Windows Performance Monitor, 153, 403
- Windows Update, 81, 373–374
- wireless analysis, , 350
- wireless evil twin attacks, 250, 443
- Wireshark, 24, 181, 200, 215, 298–299, 355, 414, 421, 427, 463
- wmic, 153–154, 403
- workloads, 121, 387
- WPA2 Enterprise, 291, 461
- write blockers, 298, 463
- X
- X.509 certificates, 63, 368
- XML, , 348
- XML injection attack, 15, 352
- XSS vulnerability, 12, 351
- Z
- Zed Attack Proxy (ZAP), 343, 479
- Zenmap, 25, 355
- zero wipe, 13, 352, 383
- zero-day threats and vulnerabilities, 290, 433, 461
- zone transfers, 24, 355