A
- AbuseIPDB, 275, 388
- acceptable use policy (AUP), 160, 340
- accessing hosts, 4–5, 282
- account lockouts, 289
- accounts
- management policy for, 156, 338
- storing information for, 37, 296
- active defenses, 21, 289
- active fingerprinting, 313
- active scanners, 312
- Activity Monitor, 43, 55, 298, 303
- address space layout randomization (ASLR), 148, 334
- administrative control, 317
- advanced encryption standard (AES), 22, 289
- advanced persistent threat (APT)
- about, 199–200, 234, 335, 347, 354, 358, 373
- characteristics of, 59, 304
- as a threat actor, 37, 296
- threat actors associated with, 3, 282
- adverse event, 183, 351
- AFRINIC, 283
- agent-based monitoring, 113–114, 322
- agent-based scanning, 81, 89, 90, 313, 316
- Agile software development, 139, 145, 330, 332, 333
- air gap, 16, 18, 286, 287
- air-gapped networks, using systems on, 22, 289
- Akamai, 312
- alerting thresholds, 221, 368
- alerts
- allowlisting, 40, 293, 297
- Amazon Web Services (AWS) environment, 266–267
- analyzing malware, 44, 299
- Angry IP Scanner, 312, 342
- annualized loss expectancy (ALE), 152, 336, 339, 386
- annualized rate of occurrence (ARO), 152, 336, 339
- anomalous behavior, 42, 298
- anomaly analysis, 56, 303
- antiforensic activities, 178
- antimalware tools
- antivirus package, 28, 293
- Apache error log, 178, 348
- APFS, 178, 348
- API keys, 287–288
- API-based CASB, 63, 307
- API-based integration, 37, 280, 296, 390
- APNIC, 283
- application programming interfaces (APIs), 344
- application/token-based multifactor authentication, 245, 377
- approved exception, 115, 323
- approved scanning vendor (ASV), 323
- app.run.any, 39, 297
- ARP tables, 111, 322
- artificial intelligence (AI), 43, 298
- asset inventory, 127, 327
- asset value (AV), 386
- at command, 39, 296
- ATA Secure Erase command, 270, 374, 385
- attack surface, reducing, 27, 71, 243, 248, 292, 309, 376, 379
- attack vectors, 149, 169, 345
- authenticated vulnerability scan, 185, 352
- auth.log file, 27, 292
- Authman, 291
- automating
- automated testing tool, 204, 359
- deprovisioning, 154, 337
- recommended processes for, 63, 307
- security gates, 143, 332
- auto-scaling, 389–390
- availability analysis, 26, 231, 292, 372
- awareness training, 14, 43, 65, 221, 285, 298, 308, 368
- AWS secret keys, 72, 310
B
- Babbage machine, 299–300
- background investigation, 157, 339
- backups, 105, 186, 189, 272, 320, 338, 351, 352, 353, 386
- bandwidth consumption, 261
- banner grabbing, 72, 103, 310, 320
- Basic Metric Group, 220, 226, 366, 367
- beaconing, 192, 275, 386, 387
- behavioral analysis, 58–59, 303, 304
- behavioral sources, 282
- behavior-based analysis tool, 59, 305
- behavior-based detection, 27, 292
- /bin directory, 305
- binaries, testing, 15, 285
- binary diffing, 26, 291
- biometric factors, 308
- BIOS, 235, 332, 373
- bit-by-bit acquisition, 349
- bit.ly, 61, 306
- blackhole, 287
- blacklisting, 28, 293, 332
- blind SQL injection, 88, 132, 315, 328, 375
- Border Gateway Protocol (BGP), 205
- BotScout, 44–45, 299
- broken access control, 73, 310
- browser developer, 126
- brute-force attack
- about, 283
- against root account, 38–39, 296
- bs parameter, 233, 372
- buffer overflow attack, 202, 317, 323, 324, 358, 378
- bug bounty, 166, 344
- Burp Suite, 387
- business continuity plan, 204, 360
- business impact analysis (BIA), 257, 362, 363, 381
- business process interruption issue, 225, 370
- business requirements, changing, 224, 369
- business rules, in data loss prevention (DLP) systems, 49, 300
C
- call list, 201, 358
- CAPEC, 205
- CAPTCHAs, 289
- captive portal, 286
- capturing network flows, 57, 304
- causal factors, 226, 371
- Center for Internet Security (CIS), 162, 274, 341, 387
- central processing unit (CPU), 60, 305
- CERT/CC, 364
- certificate authority (CA), 329
- certificates, replacing, 133, 264, 328, 383
- certutil utility, 181, 349
- chain of custody, 176–177, 179, 251, 348, 349, 352, 356, 380
- change management process, 164, 209, 325, 361–362
- checklist review, 202, 359
- CIA triad, 264
- classifying
- clear, purge, destroy, 184, 351
- clock synchronization, 374
- closed-source intelligence, 282
- cloud access security broker (CASB), 50, 301, 306
- Cloudflare, 312
- CloudSploit, 310
- cluster image, 278
- cmd.exe command, 28, 32, 292, 294
- code
- code of conduct, 156, 338
- Common Platform Enumeration (CPE) data, 72, 310
- common vulnerabilities and exposure (CVE), 365
- Common Vulnerability Scoring System (CVSS), 103, 205, 217, 220, 223, 226, 248, 259, 320, 365, 366, 367, 369, 370, 371, 379, 382
- community clouds, 6, 282
- compensating controls, 160, 161, 217, 219, 225, 226, 249, 277, 335, 340, 344, 365, 369, 370, 380, 389
- computer security incident response team (CSIRT), 303
- configuration management, 222, 368
- configuring
- containerization
- distributing workloads, 19, 288
- tools for, 25, 291, 297
- virtualization compared with, 19, 288
- containment, 205, 359
- containment, eradication, and recovery, 182, 192, 197, 274, 350, 357
- content distribution networks (CDNs), 78, 312
- context-based authentication, 377
- continuous scanning, 372
- cookies, 90, 316
- core dump, 267, 384
- corporate policy, 212, 363
- corrective control types, 155, 156, 338
- CPU utilization, 51–52, 302
- credential scanning, 89, 121, 131, 316, 325, 328, 329
- credential stuffing attack, 283
- credit card information, 87, 217, 315, 365
- crime scene tape, 201, 358
- critical assets, bundling, 44, 299
- cross-site request forgery (XSRF/CSRF), 163, 328, 342
- cross-site scripting (XSS) attacks, 73, 143, 144, 310, 317, 328, 332, 333, 342
- cross-training, 161, 340
- crypters, 294
- cryptographic erase, 175
- CSIRT, 360
- Cuckoo, 62, 306
- customer and executive communication, 221, 368
- customer relationship management (CRM) tool, 301
D
- Dark Web, 279, 390
- darknets, 304, 306
- dashboard (SIEM), 50, 301
- data at rest, 300
- data carving, 178, 348
- data classification
- data encoding, 331
- data enrichment, 42, 46, 276, 298, 299, 388
- data execution prevention (DEP), 148, 334
- data exfiltration
- data flows, data exfiltration and, 10, 284
- data loss prevention (DLP)
- data ownership policy, 160, 161, 338, 340, 341
- data poisoning, 342
- data privacy, 320, 385
- data remanence, 320, 385
- data retention, 155, 320, 337, 338, 341, 385
- database servers, 106, 321, 382
- database service, 90–91, 316
- database vulnerability scan, 104, 320
- databases, encrypting, 165
- datacenter networks, 77, 311
- deception technology. see active defenses
- degaussing, 351, 374
- delivery, 168–169, 345
- demilitarized zone (DMZ), 305
- denial of critical services, 172, 346
- denial of noncritical services, 172, 346
- denial-of-service (DoS) attack
- deploying
- Design phase, in SDLC cycle, 139, 331
- destination disk, 197
- detection and analysis, 188, 197, 237, 374
- deterrent controls, 338
- /dev directory, 305
- developers, 215, 364
- device fingerprint, 245
- DevSecOps, 332
- Diamond framework, 168, 345
- digital signatures, 308
- directory permissions, 244
- directory traversal attacks, 81, 248, 313, 378
- disaster recovery, 204, 360
- disaster recovery plans (DRPs), 362
- disclosure, 215, 364
- disk duplication tool, 384
- disposition, 140, 145, 331, 333
- DNS brute-force attack, 70, 309
- DNS sinkhole, 171–172, 205, 346
- DNS zone transfer, 309
- Docker, as a containerization tool, 25, 291
- documentation, 183, 351
- documenting decisions, 153
- $ (dollar sign), 141, 331
- Domain-based Message Authentication, Reporting, and Compliance (DMARC), 29, 293, 389
- DomainKeys Identified Mail (DKIM), 249, 379, 389
- drive analysis, 182, 350
- drive capacity consumption, 203
- dual control, 155, 157, 338, 339
- DVD-ROM, 269
- dynamic analysis, 140, 301, 303, 331
- dynamic analysis sandbox
E
- eavesdropping, 109, 322, 327
- ec2-user, 171, 346
- ECC, 22, 289
- e-discovery, 185, 352, 358
- Electronic Discovery Reference Model (EDRM), 358
- email
- forwarding, 35, 295
- headers, 29, 293
- headers from, 54–55, 303
- servers, 108, 321
- signature block, 38, 296
- emergency change, 202, 358
- Encapsulating Security Payload (ESP), 41–42, 297
- encrypting
- end-of-life (EOL), 325
- endpoint detection and response (EDR), 34, 49, 66, 295, 301, 308
- endpoint forensics, 191
- end-to-end encryption, 312
- enterprise resource planning (ERP) software, 73, 310
- entrusted network segment, 348
- environmental metric group, 224, 370
- Eraser, 348, 355
- escalation, 213, 348, 363
- escalation of privilege, 93, 317
- /etc directory, 60, 305
- /etc/group, 272, 386
- evasion techniques, nmap and, 79, 312
- event logs, 228, 371
- Event Viewer, 169, 345
- events, 245, 377
- evidence
- Executive Report, 362, 372
- executive summary, 216, 223, 365, 368
- expired certificates, 21, 288
- exploit code, maturity of, 219, 366
- exploit developers, 257, 381
- exposure factor (EF), 152, 336, 386
- Extensible Markup Language (XML), 250, 380
- external networks, exposure to, 254, 380–381
- external scans, 115, 262, 323, 383
F
- Facebook, 356
- Fail2ban, 39, 297
- false positive, 241
- false positive report, 106–107, 321
- Family Educational Rights and Privacy Act (FERPA), 314
- FAT32, 185, 351
- fault injection, 330, 381
- feasibility, 147, 334
- Federal Information Security Management Act (FISMA), 364
- federated identity protocols, 25, 291
- federation
- identity protocols for, 20, 288
- integrating with, 23, 290
- file carving, 267, 384
- file command, 349
- File Transfer Protocol (FTP), 260, 362, 382
- files, deleted, 188
- FileVault, 175, 347
- filtering
- financial value, 316
- fingerprinting, 304, 322
- firewalls
- about, 31, 238, 294, 313, 374
- configuring, 95, 317
- logs, 237, 374
- rules for, 127, 327
- firmware protection, 143, 332
- flow logs
- about, 12–13, 285
- with heuristic analysis, 53, 302
- forwarding email, 35, 295
- FTK Imager Lite, 193, 349, 355
- full-disk encryption (FDE)
- function-as-a-service (FaaS), 4, 282
- fuzz testing, 138, 140, 256, 290, 330, 331, 381
- fuzzers, 146, 166, 334, 344
G
- GET command, 48, 300
- getfacl, 174, 347
- GNU debugger, 342
- Google Chrome, 101, 179, 319, 349
- graphs, for binary diffing, 26, 291
- grep command, 295, 321
- Group Policy Object (GPO), 114, 322–323
- GUI tools, 55, 303
- guidelines, 158, 339
H
- hacktivists, 49, 300, 306
- hard disk drives (HDDs), 305
- hardware firewall, 225, 370
- hardware tokens, 280
- hash values, 235, 373
- hashing, 18, 287, 299–300
- Health Insurance Portability and Accountability Act (HIPAA), 314
- heuristic analysis
- hibernation file, 191, 267, 384
- High Severity Report, 83, 314, 363
- honeynet, 19, 287
- honeypots, 14, 234, 240, 285, 287, 373, 375
- horizontal scaling, 19, 287–288
- host firewalls, 17, 286
- Host-Based Intrusion Detection System (HIDS), 332
- hostname, 219, 367
- hosts
- hosts file, modifying, 169, 345
- htop command, 295
- human resources (HR), 62, 216, 307, 365
- hybrid clouds, 64, 282, 308
- Hypertext Transfer Protocol (HTTP)
- Hypertext Transfer Protocol Secure (HTTPS)
- hypervisor, 86, 315
- hypothesis formation, 43, 298
I
- ICS, 324
- identification phase, 201, 358
- identifying risks, 209, 362
- identity providers (IDPs), 246, 377
- ifconfig command, 54, 302, 354
- Immunity Debugger, 342
- impact, of attacks, 74, 172, 173, 311
- impersonation, 150
- implementing
- incident escalation process, 224, 369
- incident remediation, 292
- incident reports, 222, 368
- incident response process, 188, 352
- incident response reports, 370
- incident response KPI, 222, 368
- incident response team (IRT), 215, 217, 218, 221, 303, 364, 365, 366, 367
- indicators of compromise (IoCs), 44, 64, 259, 299, 307, 382
- industrial control system (ICS), 82, 88, 314, 315, 324
- INDX files, 371
- information
- information security management system (ISMS), 341
- information sharing and analysis centers (ISACs), 3, 54, 62, 282, 303, 307
- informational report, 95–96, 317
- infrastructure-as-a-service (IaaS), 6–7, 78, 202, 283, 312, 359
- input validation, 117, 130, 146, 324, 328, 331, 334
- insiders, 306, 323
- integration, API-based, 37, 296
- integrity loss, 192, 355
- intellectual property, 306
- intelligence
- criteria for, 3, 282
- sources for gathering, 12, 284
- interactive behavior analysis, 57, 304
- internal network vulnerability scan, 260, 382
- internal scans, 93, 115, 262, 317, 323, 383
- Internet Corporation for Assigned Names and Numbers (ICANN), 311
- intrusion detection system (IDS), 299, 308
- intrusion prevention system (IPS), 245, 300, 301, 313, 314, 377, 384
- IP address
- IP reputation, 53, 302
- ipconfig, 354
- IPsec, 96, 288, 289, 318
- ISO 27001, 272, 341, 386
- isolation, 182, 189, 238, 350, 354, 374
K
- Kerberos, 288
- kernel-mode drivers, 99, 318
- key loggers, multifactor authentication and, 20, 288
- key performance indicators (KPIs), 366
- kill command, 34, 295
- knowledge factors
- about, 247, 378
- for multifactor authentication, 18, 287
- Kubernetes, as a containerization tool, 25, 291
L
- LACNIC, 283
- Lambda, 282
- latency, 6, 232, 283, 372
- law enforcement, incident response team and, 218, 366
- least privilege, 338
- legacy applications, 212
- legacy systems, 214, 364, 370
- legal hold, 251, 380
- less command, 295
- lessons learned reviews, 177, 188, 222, 225, 348, 350, 353, 368
- leveraging threat intelligence, 371
- Lightweight Directory Access Protocol (LDAP), 290, 323, 329
- link failure, 228, 371
- live images, to external drives, 229, 371
- live memory imaging, 348
- load balancing, 79, 312, 330
- local file inclusion (LFI), 164, 343
- Lockheed Martin Cyber Kill Chain, 236, 359, 373
- logging
- logic bombs, 308
- logical acquisition, 179, 349
- logical segmentation, 17, 286
- logs
- denial-of-service (DoS) attack and storage of, 7, 283
- troubleshooting, 49, 56, 300, 303
- ls command, 294
- LSASS.EXE, 305
M
- MAC address, 53, 141, 263, 302, 331
- machine learning (ML), 43, 47, 298, 299–300
- maintenance, scheduling, 214, 363
- malware
- malware analysis sandbox, 62, 306
- malware beaconing, 51, 301
- malware binary, analyzing, 50, 301
- MALWARESCAN.EXE, 60, 305
- malwr.com, 12, 284
- managed detection response (MDR), 297
- managerial control, 164
- mandatory vacations, 153, 337, 339
- Master File Tables, 371
- maturity, of exploit code, 219, 366
- macOS-based systems, 43, 298
- MD5, 15, 285
- mean time to compromise, 276, 388
- mean time to defend, 277, 389
- mean time to detect, 218, 249, 366
- mean time to remediate, 220, 366
- mean time to respond, 366, 368
- media life span, 264
- media practice sessions, 226, 370
- media sanitization clearing, 351
- media training, 216, 365
- medical records, 137
- mem command, 294
- memorandum of understanding (MOU), 211, 362, 363, 381
- memory analysis, 354
- memory pressure, 56–57, 298, 303
- memory usage, monitoring, 52, 302
- memstat command, 294
- metadata, purging, 309
- MetaScan, 304
- Metasploit, 342
- Microsoft Internet Information Services (IIS), 93, 317
- Microsoft Office document metadata, 183, 351
- Microsoft SQL, port for, 309
- Microsoft SQL Server, port for, 319
- Microsoft Windows servers, SharePoint on, 87, 315
- Microsoft Word, 196, 356
- Minibis, 62, 306
- MISP tool, 46–47, 299
- mitigation service, 74, 311
- MITRE ATT&CK framework, 62–63, 169, 307, 345, 360, 365
- monitoring
- memory usage, 52, 302
- procedures for, 382
- Mopar, 205
- more command, 295
- multifactor authentication, 17, 18, 23, 286, 287, 289
- multi-interface drive adapter, 201
- multitenancy, public cloud for, 60, 306
- mutation testing, 330, 381
- MySQL, port 3306 for, 70, 309
N
- National Cyber Security Authority, 364
- National Cyber Security Center, 364
- National Software Reference Library, 286
- nation-state actors, 64, 306, 308
- natural language processing, 301
- Nessus, 128, 274, 327, 387
- netcat, 40, 297, 312
- NetFlow, 47, 108, 300, 302
- netstat command, 34, 295
- Network Address Translation (NAT) environment, 148, 334
- network firewalls, 8, 33, 283, 286, 294, 325
- network flows, 57, 300, 304
- network hosts, 79, 312
- network IPS, 91, 98, 316, 318
- network scans, 4, 282
- network segmentation
- about, 16, 25, 120, 150, 286, 291, 324, 335
- uses for, 23, 289
- network tap, 300
- Network Time Protocol (NTP), 97, 318, 366, 372, 383, 389
- network traffic, Wireshark for gathering, 11, 284
- New Technology File System (NTFS), 348
- next-generation firewalls (NGFWs), 306
- NIST SP 800-61, 221, 368
- NIST SP 800-88, 262, 374, 383
- nmap, 77, 79, 312
- Nmap scans
- about, 78, 229, 235, 242, 271, 273, 309, 312, 357, 371, 373, 376, 385, 387
- commands, 236
- Common Platform Enumeration (CPE) data and, 72, 310
- proxy support for, 72, 310
- TCP SYN, 71, 309
- wireless routers and, 71, 309
- nondisclosure agreements (NDAs), 366
O
- OAuth, 20, 25, 63, 286, 288, 290, 291, 307, 336
- obfuscating code, 30, 294
- Onion Router (TOR), 390
- Online Certificate Status Protocol (OCSP), 293
- on-path (man-in-the-middle) attack, 378
- on-site networks, performing scans from, 80, 313
- open redirect, 240–241, 375
- Open Source Security Testing Methodology Manual (OSSTMM), 359
- Open Web Application Security Project (OWASP), 143, 332–333, 342
- OpenFlow, 19, 287
- OpenID, 20, 25, 288, 291
- OpenID Connect, 63, 290, 307
- open-source collection, 62, 307
- open-source intelligence (OSINT)
- about, 3, 282
- for intelligence gathering, 12, 284
- port scans as a source, 64, 308
- OpenSSH, 265, 384
- OpenSSL, 99, 103, 318, 319
- OpenVAS, 199, 357
- operating systems, 243, 268, 376, 384
- Oracle Database TNS Listener Poison Attack vulnerability, 126, 326
- Oracle databases
- order of volatility, 239, 353, 356, 375, 385
- organizational governance, 221, 367
- organizational policies, 276, 388
- output encoding, 143, 332
- output validation, 146, 334
- outsourcing, 184, 351
P
- packers, for obfuscating code, 30, 294
- packet analyzer, 297
- packet capture tool, 199
- packet header flags, 79, 312
- packet loss, 6, 283
- packet sniffing, 302
- Pacu, 310
- parallel test, 203, 359
- parameterized queries, 144, 248, 333, 379
- passive defenses, 285
- passive discovery techniques, 344
- passive fingerprinting, 80, 313
- passive network mapping, 77, 312
- passive network monitoring, 128, 327
- passwd binary, 35, 295
- password spraying attack, 7, 247, 283, 378
- passwordless authentication, 306, 390
- passwords, complexity rules for, 288
- PASTA process, 365
- patch management, 380
- Patch Report, 314, 363
- patching
- about, 125, 164, 183, 213, 219, 223, 270, 326, 350, 363, 366, 369
- automated, 290
- compensating control and, 217, 365
- deploying, 208, 242, 361, 375, 376
- procedures for, 382
- scheduling, 208–209, 361
- servers, 75, 311
- Payment Card Industry (PCI) compliance reporting, 222, 368
- Payment Card Industry Data Security Standards (PCI DSS), 79, 84, 87, 96–97, 102, 263, 270, 306, 313, 314, 315, 318, 319, 323, 324, 330, 340, 342, 383, 385
- PCI Technical Report, 362, 372
- peer-to-peer botnets, 304
- peer-to-peer communication, 278, 389
- permissions
- persistence, scheduled tasks and, 59, 305
- personal health information (PHI), 306
- personally identifiable information (PII), 61, 306, 354
- phishing attacks
- PHP language, 382
- phpinfo file, 328
- physical access, 21, 289
- physical security controls, 338
- PINs, 64, 308
- plain-text authentication, 322
- platform-as-a-service (PaaS), 282
- playbooks, 198, 357, 375
- pluggable authentication module (PAM), 346
- Point-to-Point Tunneling Protocol (PPTP), 288
- policies, 244, 376
- POODLE vulnerability, 99, 318
- port scanning, 64, 175, 284, 308
- Portable Network Graphics (PNG) processing, 102, 319
- Portmon, 51, 302
- ports
- 22, 59, 133, 305, 329
- 23, 85, 255, 314, 381
- 80, 24, 26, 84, 111, 290, 291, 314, 382
- 389, 116, 323
- 139, 96, 317
- 443, 10, 26, 284, 291, 319
- 445, 96, 317
- 515, 75, 311
- 631, 75, 311
- 636, 10, 284
- 1433, 203, 319
- 1521, for Oracle databases, 101, 319
- 3306, for MySQL, 70, 309
- 3389, 10, 27, 40, 85, 284, 292, 297, 314
- 8080, 10, 284
- 8443, 10, 284
- 9100, 75, 311
- about, 335
- troubleshooting, 70, 309
- for web servers, 84, 314
- Post Office Protocol v3 (POP3), 321
- Postgres, port for, 309
- post-incident communications, 215, 364
- post-incident recovery, 183
- postmortem forensics, 192, 355
- precursor, 182, 350
- preparation phase, 174, 204, 261, 347, 382
- preventive security controls, 150, 159, 165, 336, 338, 340
- printers, 149, 256
- private clouds, 282
- privileged accounts
- privileged escalation attack, 168, 193, 345, 355
- proactive network segmentation, 173–174
- proactive risk assessment, 292
- procedure document, 155
- processor security extensions, 22, 289
- promiscuous mode, 80, 313
- proprietary intelligence, 282
- proprietary system, 225, 370
- Prowler, 310
- proxy scans, 72, 310
- ps command, 321
- PS utility, 29, 293
- public clouds
- public key encryption (PKI), 170, 346
- purge, validate, and document, 178
- purging, 184, 309, 347, 351
- PuTTY, 324
Q
- qualitative risk assessment, 154, 249, 337, 379
- Qualys Top 20 Report, 362, 372
- quantitative risk assessment, 154, 337
- query parameterization, 331
R
- rainbow table attack, 283
- random access memory (RAM), 305
- random sampling, 166, 344
- Rank Software, 298
- Rapid Application Development (RAD), 330, 332
- RAW files, 176, 187, 351, 353
- real-time black hole list (RBL), 379
- Reaver malware, 46–47, 299
- reconnaissance stage, 12, 70, 106, 110, 284, 309, 321
- Recon-ng, 342
- recurrence, 220, 367
- reformatting, 347
- reg.exe, 32–33, 294
- regional Internet registry for Europe, the Middle East, and parts of Central Asia (RIPE), 9, 283
- registry, 239, 375
- regression testing, 138, 330, 334
- regulatory bodies, 216, 365
- regulatory compliance, 275, 388
- regulatory requirements, 224, 369
- relevancy, 249, 380
- remediation
- prioritization of, 104, 320
- timeliness of, 83, 87, 97, 101, 314, 315, 318, 319
- Remote Desktop Protocol (RDP), 10, 27, 40, 85, 284, 292, 297, 314, 382
- remote execution of code, 26, 291
- removal, 242, 376
- reputational sources, 3, 282
- Resource Monitor, 26, 51–52, 291, 302, 303
- retention policy, 352
- reverse engineering, 57, 304
- rights, removing, 165
- risk acceptance
- risk appetite, 136, 329
- risk avoidance, 151, 152, 336, 337
- risk identification, 154, 209, 337, 362
- risk mitigation, 151, 160, 239, 335, 336
- risk transference, 151, 153, 336, 337
- root account, brute-force attacks against, 38–39, 296
- root level, 305
- root-cause analysis (RCA)
- rootkits, 74, 310
- routers, 286
- rules of engagement (RoE), 155, 158, 338, 339
- runas command, 321
- running strings, 304
- runtime packers, for obfuscating code, 30, 294
S
- safety systems, 172
- sandbox
- about, 271, 386
- for automated antimalware tools, 38, 296
- deploying patches in, 242, 376
- patching in, 126, 326
- running software in a, 65, 308
- for testing binaries, 15, 285
- tool for, 39, 297
- Sandboxie, 39, 297
- Sarbanes-Oxley (SOX) Act, 314
- Scalpel, 382, 384
- scanner maintenance, 98, 318
- scans
- frequency of, 100, 117, 120, 122, 137, 319, 324, 325, 330
- importance of, 116, 323
- permissions for, 127, 208, 327, 361
- sensitivity level for, 210, 362
- sensitivity of, 89, 112, 116–117, 137, 316, 322, 324
- of UDP ports, 11, 284
- SCAP, 299
- scheduling
- maintenance, 214, 363
- patching, 208–209, 361
- persistence and scheduled tasks, 59, 305
- scope statement, 217, 366
- ScoutSuite, 74, 310
- screened subnet, 60, 73, 305, 310, 322
- script kiddies, 62, 275, 306, 388
- <SCRIPT> tag, 267, 384
- sdelete command, 192
- secure access service edge (SASE), 61, 306
- secure administrative host. see jump box
- secure domain registration, 309
- secure shell (SSH)
- about, 170, 257, 346
- logs, 197, 357
- on port 22, 133, 329
- on port 1433, 203
- port forwarding, 80–81, 313
- server, 59, 305, 311
- tunneling, 80–81, 313
- Secure Sockets Layer (SSL), 82, 288, 313
- Security Assertion Markup Language (SAML), 20, 22, 24, 25, 288, 289, 290, 291, 293
- security gates, automating, 143, 332
- security incident, 174, 347
- security information and event management (SIEM) system
- security operations center (SOC), 351
- security orchestration, automation, and response (SOAR) system
- about, 29, 41, 45, 268, 293, 297, 299, 384
- logins and, 42–43, 298
- for phishing attacks, 44, 299
- SIEM compared with, 47, 300
- security patches, 93, 110, 317, 322
- security through obscurity, 338
- segmentation, 23, 266, 276, 290, 388
- self-signed certificates, 8, 283
- Sender Policy Framework (SPF), 278, 379, 389
- separation of duties, 153, 157, 161, 337, 338, 340, 341
- server accounts, reviewing and securing, 125
- Server Message Block (SMB), 323
- server-based scanning, 133, 328
- serverless environment, 24, 290
- servers patching, 75, 311
- service access, 308
- service level agreements (SLAs), 211, 212, 218, 223, 362, 363, 366, 367, 369, 381, 388
- service level objectives (SLOs), 220, 275, 367, 388
- service replacement, 35, 295
- SERVICES.EXE, 305
- session hijacking, 148, 239, 335, 375, 378
- session IDs, 145, 333
- setfacl, 346
- sFlow, 47, 300
- SHA-256, 22, 133, 289, 329
- shadow files, 61, 306
- SharePoint, 87, 315
- shim cache, 256, 381
- shutdown scripts, 198, 357
- signature-based analysis, 299–300
- signature-based attack detection methods, 228, 371
- SIM swapping, 18, 287
- Simple Mail Transfer Protocol (SMTP), 311, 382
- Simple Network Management Protocol (SNMP), 100, 302, 319
- single loss expectancy (SLE), 271, 339, 386
- single sign-on (SSO) implementation, 20, 288
- slack space, 190, 191, 198, 352, 357
- S/MIME, 389
- SMS messages, attacks against, 18, 287
- snapshotting, 348
- sniffer, 300
- sniffing tool, 77, 312
- social media review, 284
- software threat modeling, 343
- software-as-a-service (SaaS), 73, 236, 310, 373
- software-defined networks (SDNs)
- software-defined wide area networks (SDWANs), 300
- solid-state drives (SSDs), 305
- -sp flag, 80, 313
- Spamhaus, 379
- sparse acquisition, 349
- Spiral model, 145, 332, 333
- spoofing target IP addresses, 81, 313
- SQL injection attack, 9, 92, 96, 97, 98, 144, 146, 149, 284, 316, 317, 318, 322, 333, 334, 335
- SQL Server, 90–91, 316
- SQLite, 179, 349
- ssh command, 80–81, 313
- sshd service, 39, 296
- stakeholders, 220, 278, 389
- standard scan, 102, 319
- standards, 160, 340
- static analysis, 16, 50, 140, 247, 285, 301, 303, 304, 331
- static code analysis, 139, 335
- storing account information, 37, 296
- stress testing, 138, 330, 334, 381
- strings, running, 304
- strings command, 36, 295
- Structured Threat Information Expression language (STIX), 74, 293, 310
- su command, 321
- succession planning, 156, 338, 340
- sudo command, 50–51, 65, 109, 301, 308, 321, 346
- supervisory control and data acquisition (SCADA), 88, 315, 324
- supplemented, 182
- suspension, 179, 349
- switches, 286
- SYN floods, 28, 269, 293
- SYN-based port scanning, 233, 372
- syslog levels, 60, 305
- system administrator, 208, 210, 361, 362
- System Monitor, 303
T
- tabletop exercise, 202, 359
- Tamper Data, 387
- tamper-proof seals, 197, 356
- tarpits, 15, 285, 287
- tcpdump, 276, 388–389
- technical controls, 159, 162, 340, 341
- Technical Report, 211, 231–232, 314, 362, 363, 372
- telnet, 76, 85, 311, 314
- testing
- threat actors
- APTs as, 37, 296
- associated with advanced persistent threat (APT), 3, 282
- classifying, 30, 293
- defined, 150
- threat feeds, 299
- threat hunting, 47, 299, 300
- threat information, types of, 52–53, 302
- threat intelligence
- leveraging, 371
- recipients of information about, 5, 62, 282, 307
- threat modeling, 292
- 3DES, 22, 289
- time synchronization, 277
- time to resolve critical vulnerabilities metric, 234, 373
- time zones, 49, 300
- timeline, 218, 366
- top command, 33, 34, 291, 294, 295
- traceroute, 311
- tracking chain of custody, 251, 380
- traffic, filtering, 51, 301
- training and transition, 147, 334
- Transport Layer Security (TLS), 20, 21, 48, 288, 289, 300
- Tripwire, 28, 42, 292, 298
- Trojan horses, 308
- troubleshooting
- true positive, 137, 330
- Truman, 62, 306
- Trusted Automated eXchange of Intelligence Information (TAXII), 293
- trusted system binary kit, 190, 354
- two-person control, 157, 338, 339
U
- Ubuntu, 205
- UEFI, 332
- uncredentialed external scan, 237, 374
- Unicode, 332
- Unknown Device Report, 213, 314, 363
- unprotected storage, 73, 310
- unvalidated input, 139
- updating vulnerability feeds, 133, 328
- upgrading
- URL analysis, 50, 301
- usage, improper, 214, 364
- USB devices, 288
- USB token, 308
- US-CERT, 215, 364
- user acceptance testing (UAT), 138, 330, 334
- User Datagram Protocol (UDP) ports
- user entity behavior analytics (UEBA), 44, 297, 299, 301
- user input validation, 247, 378
V
- validation, 196, 356
- vendor testing and audits, 73, 310
- version detection, 107, 321
- virtual LANs (VLANs)
- virtual private networks (VPNs)
- virtualization
- containerization compared with, 19, 288
- tool for, 297
- virtualized systems, 88, 315
- viruses, 308
- VirusTotal, 16, 25, 58, 286, 291, 304
- VMware host, 17, 86, 286–287, 315
- VoIP hacks, 18, 287
- volume encryption
- about, 17, 286
- infrastructure-as-a-service and, 6–7, 283
- vulnerabilities. see also specific topics
- vulnerability feeds
- vulnerability management tools, 24, 290
- vulnerability scanning
W
- Wapiti, 357
- Waterfall software development, 142, 330, 332
- web application firewalls (WAFs), 131, 142, 149, 214, 328, 332, 335
- web application reconnaissance tool, 163
- web application SQL injection, 126, 326
- web content filtering, 322
- web proxy, 143, 332
- web server logs, 40–41, 62, 297, 307
- web servers
- about, 203, 259, 382
- embedded, 116
- port 8080 and, 10, 284
- port 8443 and, 10, 284
- ports for, 84, 314
- upgrading, 118
- website certificates, expiration of, 21, 288
- whitelisting. see allowlisting
- WHOIS query, 9, 50, 63, 76, 77, 283, 301, 307, 311, 312
- wide area network (WAN), 306
- Windows
- about, 263
- command prompt, 196
- file auditing, 50, 301
- patches, 86–87, 315
- ports for, 96, 317
- registry, 371
- system files, 193, 356
- upgrading, 105, 320
- Windows Event ID, 35, 295
- Windows Hello, 306
- Windows Performance Monitor, 25, 291
- Windows Quick Format option, 350
- Windows server, port 3389 for, 85, 314
- Windows System Restore, 355
- Windows Update, 122–123, 325
- WINLOGIN.EXE, 305
- wiping tool, 384
- wired networks, 78, 312
- wireless authentication logs, 228, 371
- wireless networks, 78, 312
- wireless routers, Nmap scans and, 71, 309
- Wireshark
- about, 235, 373
- for capturing download traffic, 49, 300
- for gathering network traffic, 11, 284
- for passive network mapping, 77, 312
- workstations
- worms, 64, 308
- WPA3 Enterprise, 78, 312, 371
- write blocker, 176, 347
Z
- ZAP, 342, 357, 387
- zero wipe, 286
- zero-day attacks, 371
- zero-trust networks
- zero-write drives, 237
- zone transfers, 77, 311