Digital Forensics in Cybersecurity D431

Description: Digital Forensics in Cybersecurity
Total cards: 169
Subject: Other
Level: Undergraduate 2
Created: 05/26/2024

Cards

Term
Electronic Communications Privacy Act (ECPA) of 1986
Definition

The Electronic Communications Privacy Act of 1986 governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.

Requires both parties to consent to the recording of a conversation.

Basic subscriber information—This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber’s telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant.

Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.

Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.

Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

Term
Health Insurance Portability and Accountability Act (HIPAA)
Definition
Law related to the disclosure of personally identifiable protected health information (PHI).
Term
18 U.S.C. 2252B
Definition
Law criminalizing the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material. 
Term
The Privacy Protection Act (PPA)
Definition
Law protecting journalists from turning over their work or sources to law enforcement before the information is shared with the public.
Term
NIST SP 800-72 Guidelines
Definition
Law or guideline that lists the four states a mobile device can be in when data is extracted from it.
Term
Communications Assistance to Law Enforcement (CALEA)
Definition

Law that includes a provision permitting the wiretapping of VoIP calls. 

The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded in 2004 to include wireless, voice over packets, and other forms of electronic communications, including signaling traffic and metadata.

Term
Policy included in the CAN-SPAM Act
Definition
The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.
Term
Which U.S. law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities for federal agencies?
Definition
Communication Assistance to Law Enforcement Act (CALEA) 
Term
Which law requires a search warrant or one of the recognized exceptions to the search warrant requirements for searching email messages on a computer?
Definition
The Fourth Amendment to the U.S. Constitution
Term
The Chief Information Officer of an accounting firm believes sensitive data is being exposed on the local network. Which tool should the IT staff use to gather digital evidence about this security vulnerability?
Definition
Sniffer
Term
A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son's bedroom. The couple stated that their son is presently in class at a local middle school. How should the detective legally gain access to the computer?
Definition
Obtain consent to search from the parents.
Term
How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene?
Definition
By using the ipconfig command from a command prompt on the computer.
Term
The human resources manager of a small accounting firm believes he may have been a victim of a phishing scam. The manager clicked on a link in an email message that asked him to verify the logon credentials for the firm's online bank account. Which digital evidence should a forensic investigator collect to investigate this incident?
Definition
Browser cache
Term
After a company's single-purpose, dedicated messaging server is hacked by a cyber criminal, a forensics expert is hired to investigate the crime and collect evidence. Which digital evidence should be collected?
Definition
Firewall logs
Term
Thomas received an email stating that he needed to follow a link and verify his bank account information to ensure it was secure. Shortly after following the instructions, Thomas noticed money was missing from his bank account. Which digital evidence should be considered to determine how Thomas' information was compromised?
Definition
Email Messages
Term
The CEO of a small computer company has identified a potential hacking attack from an outside competitor. Which type of evidence should a forensic investigator use to identify the source of the hack?
Definition
Network transaction logs
Term
A forensic scientist arrives at a crime scene to begin collecting evidence. What is the first thing the forensic scientist should do?
Definition
Photograph all evidence in its original place
Term
Which method of copying digital evidence ensures proper evidence collection?
Definition
Make the copy at the bit-level
Term
A computer involved in a crime is infected with malware. The computer is on and connected to the company's network. The forensic investigator arrives at the scene. Which action should be the investigator's first step?
Definition
Unplug the computer's Ethernet cable
Term
What are the three basic tasks that a system forensic specialist must keep in mind when handling evidence during a cybercrime investigation?
Definition
A. Find evidence
B. Preserve Evidence
C. Prepare Evidence.
Term
How do forensic specialists show that digital evidence was handled in a protected, secure manner during the process of collecting and analyzing the evidence?
Definition
Chain of Custody
Term
Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?
Definition
Lower cost
Term
Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?
Definition
They are less susceptible to damage
Term
Which type of storage format should be transported in a special bag to reduce electrostatic interference?
Definition
Magnetic media
Term
Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?
Definition
NTLDR
Term
The following line of code is an example of how to make a forensic copy of a suspect drive:

dd if=/dev/mem of=/evidence/image.memory1

Which operating system should be used to run this command?
Definition
Linux
Term
Which file system is supported by Mac?
Definition
Hierarchical File System Plus (HFS+)
Term
Where are local passwords stored for the Windows operating system?
Definition
SAM file in \Windows\System32
Term
Where on a Windows system is the config folder located that contains the SAM file?
Definition
C:\Windows\System32
Term
A forensic examiner wants to try to extract passwords for wireless networks to which a system was connected. Where should passwords for wireless networks be stored on a Windows XP system?
Definition
Registry
Term
Which Windows password cracking tool uses rainbow tables?
Definition
Ophcrack
Term
How does a rainbow table work to crack a password?
Definition
It uses a table of all possible keyboard combinations and their hash value, then searches for a match.
Term
What should a forensic investigator use to gather the most reliable routing information for tracking an email message?
Definition
Email header
Term
Which activity involves email tracing?
Definition
Determining the ownership of the source email server.
Term
A forensic examiner reviews a laptop running OS X which has been compromised. The examiner wants to know if there were any mounted volumes created from USB drives. Which digital evidence should be reviewed?
Definition

/var/log 

This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers.

Term
Which log or folder contains information about printed documents on a computer running Mac OS X?
Definition

/var/spool/cups

In this folder, you will also find information about printed documents. If you need to know what documents have been printed from this Apple device, this folder can give you that information. This includes the name of the document printed and the user who printed it.

Term
Which Windows event log should be checked for evidence of invalid logon attempts?
Definition
Security
Term
A cyber security organization has issued a warning about a cybercriminal who is using a known vulnerability to attack unpatched corporate Macintosh systems. A network administrator decides to examine the software update logs on a Macintosh system to ensure the system has been patched. Which folder contains the software update logs?
Definition

/Library/Receipts

This folder contains information about system and software updates. This might be of some interest in investigating malware crimes.

Term
A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0. Which tool should the investigator use?
Definition
BlackBerry Desktop Manager
Term
An investigator wants to extract information from a mobile device by connecting it to a computer. What should the investigator take great care to ensure?
Definition
That the mobile device does not synchronize with the computer.
Term
Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user?
Definition
Active
Term
What is the purpose of steganography?
Definition
To deliver information secretly
Term
Which method is used to implement steganography through pictures?
Definition
LSB (Least Significant Bit)
Term
The Chief Information Security Officer of a company believes that an attacker has infiltrated the company's network and is using steganography to communicate with external sources. A security team is investigating the incident. They are told to start by focusing on the core elements of steganography. Which are the core elements of steganography?
Definition
Payload, carrier, channel
Term
A system administrator believes data is being leaked from the organization. The administrator decides to use steganography to hide tracking information in the types of files he thinks are being leaked. Which steganographic term describes this tracking information?
Definition
Payload
Term
A criminal organization has compromised a third-party web server and is using it to control a botnet. The botnet server hides command and control messages through the DNS protocol. Which steganographic component are the command and control messages?
Definition
Payload
Term
Which method is commonly used to hide data via steganography?
Definition
LSB
Term
A systems administrator believes an employee is leaking information to a competitor by hiding confidential data in images being attached to outgoing emails. The administrator has captured the outgoing emails. Which tool should the forensic investigator use to search for the hidden data in the images?
Definition
Forensic Toolkit (FTK)
Term
A foreign government is communicating with its agents in the U.S. by hiding text messages in popular American songs, which are uploaded to the web. Which steganographic tool can be used to do this?
Definition
MP3Stego
Term
During a cyber-forensics investigation, a USB drive was found that contained multiple pictures of the same flower. How should an investigator use properties of a file to detect steganography?
Definition
Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase
Term
Children's Online Privacy Protection Act of 1998
Definition
The Children's Online Privacy Protection Act of 1998 (COPPA) protects children 13 years of age and under from the collection and use of their personal information by websites.
Term
The Wireless Communications and Public Safety Act of 1999
Definition

The Wireless Communications and Public Safety Act of 1999 allows for collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.

Term
The USA PATRIOT Act
Definition

The USA PATRIOT Act is the primary law under which a wide variety of internet and communications information content and metadata is currently collected. Provisions exist within the PATRIOT Act to protect the identity and privacy of U.S. citizens.

Term
Warrants
Definition

Warrants are not needed when evidence is in plain sight. Courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner. For example, a parent of a minor child can grant consent to search the child’s living quarters and computers.

Term
Magnetic Media
Definition

Integrated Drive Electronics (IDE)

Because the data is stored magnetically, the drives are susceptible to magnetic interference. This can include being demagnetized. If a drive has been demagnetized, there is no way to recover the data. You should transport drives in special transit bags that reduce electrostatic interference. This reduces the chance of inadvertent loss of data.

Term
Solid-State Drives
Definition

Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power. Because there are no moving parts, these drives are usually less susceptible to physical damage than magnetic drives are. The startup time for SSDs is usually much faster than for magnetic storage drives.

Term
USB Drives
Definition
Because there are no moving parts, these drives are resilient to shock damage (i.e., dropping them probably won’t hurt them).
Term
The Advanced Forensic Format
Definition
The advanced forensic file format (abbreviated AFF).

The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format.
Term
EnCase
Definition
The evidence file is an exact copy of the hard drive. EnCase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alterations, or errors.
Term
Forensic Toolkit (FTK)
Definition
Forensic Toolkit (FTK), from AccessData, is particularly useful at cracking passwords. FTK also provides tools to search and analyze the Windows Registry. FTK gives you a robust set of tools for examining email. FTK is available for Windows or Mac OS. With AccessData’s Forensic Toolkit, processing and analysis can be distributed across up to three computers. FTK has an Explicit Image Detection add-on that automatically detects pornographic images.
Term
Sleuth Kit 
Definition
The Sleuth Kit is a collection of command-line tools that are available as a free download. This particular utility is best used when you know the specific file you are searching for. It is not a good option for a general search. The Sleuth Kit also has a GUI front end; that GUI is named Autopsy.
Term
Payload
Definition
Payload is the information to be covertly communicated. In other words, it is the message you want to hide.
Term
Carrier
Definition
The carrier (or carrier file) is the signal, stream, or file in which the payload is hidden.
Term
Channel
Definition
The channel is the type of medium used. This may be a passive channel, such as photos, video, or sound files, or even an active channel, such as a Voice over IP (VoIP) voice call or streaming video connection.
Term
Steganalysis
Definition
Steganalysis is the process of analyzing a file or files for hidden content. Forensic Toolkit (FTK) and EnCase both check for steganography.
Term
Cryptographic Hashes
Definition

First and foremost, it is one-way, not reversible. That means you cannot “unhash” something. The second characteristic is that you get a fixed-length output no matter what input is given. The third is that the algorithm must be collision resistant. A collision occurs when two different inputs to the same hashing algorithm produce the same output (called a hash or digest).

Cryptographic hashes are how many systems, including Microsoft Windows, store passwords. For example, if your password is “password”, then Windows will first hash it, producing something like this:

0BD181063899C9239016320B50D3E896693A96DF

Windows will then store that hash in the SAM (Security Accounts Manager) file in the Windows System directory.

Term
Rainbow Tables
Definition
Ophcrack depends on rainbow tables. Ophcrack is usually very successful at cracking Windows local machine passwords. [know Ophcrack as a spoiler answer]
Term
Security log
Definition
This is probably the most important log from a forensics point of view. It has both successful and unsuccessful login events. [anything about external connections]
Term
SAM (Security Accounts Manager)
Definition
REGISTRY HIVE 
HKEY_LOCAL_MACHINE\SAM

SUPPORTING FILES
Sam, Sam.log, Sam.sav
Term
Command Prompt in Mac OS
Definition

The command prompt in Mac OS is a BASH shell, so you can execute Linux commands.

Term
GUID Partition Table
Definition

The GUID Partition Table is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Mac OS machines can boot only from drives that use the GUID Partition Table.

Term
Mac OS Logs
The /var/log Log
Definition
This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers.
Term
Mac OS Logs 
The /var/spool/cups Folder
Definition
In this folder, you will also find information about printed documents. If you need to know what documents have been printed from this Apple device, this folder can give you that information. This includes the name of the document printed and the user who printed it.
Term
Mac OS Logs
The /private/var/audit Logs
Definition

As the name suggests, these are logs of system audits. This includes things like user login. Obviously, this can be very interesting forensically. These audits are often not in a human-readable format. However, Guidance Software makes an audit log parser for Mac OS audit logs.

Term
Mac OS Logs 

The /private/var/VM Folder
Definition

This folder contains swap and sleep image files. If you hibernate your Mac, this directory will usually occupy more than 5 gigabytes of disk space. This can be a source of important forensic data.

Term
Mac OS Logs 
The /Library/Receipts Folder
Definition
This folder contains information about system and software updates. This might be of some interest in investigating malware crimes.
Term
Mac OS Logs
The /Library/Mobile Documents Folder
Definition

This folder is what syncs with iCloud. This is where you will find items that have been saved to iCloud. It should be quite clear that this can be very interesting forensically.

Term
Mac OS Logs 
The /Users/<user>/.bash_history Log
Definition
As you know, Mac OS is based on FreeBSD, a Unix variant. When you launch the terminal window, what you actually get is a BASH shell. So this particular log can be very interesting. It will show you a variety of commands. You might look for commands such as rm, which would be removing or deleting something, or commands like dd, indicating the user might have tried to make an image of the drive.
Term
Mac OS Logs
The /var/vm Folder
Definition

In this folder, you will find a subfolder named app profile. This will contain lists of recently opened applications as well as temporary data used by applications. Both of these can be very interesting in a forensic examination.

Term
Mac OS Logs
The /Users/ Directory
Definition

This is where various users’ files are stored. It is always a good idea to check in this directory to find out if users have saved data here that could be used as evidence.

Term
Mac OS Logs
The /Users/<user>/Library/Preferences Folder
Definition

As you probably suspect, this folder contains user preferences. This folder even maintains the preferences of programs that have been deleted. This could be a very valuable place to get clues about programs that have been deleted from the system.

Term
The /etc Directory (Mac OS)
Definition
Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later.
Term
Can You Undelete in Mac OS?
Definition

Recall that in Windows systems, deleting actually just removes a file from the master file table (MFT) or file allocation table (FAT) and marks those clusters as available. The file’s data is still there and can be recovered. What happens when a file is deleted on an HFS or HFS+ volume? Although the details are a bit different, a similar thing occurs. The references to the file are gone and the clusters might be used and overwritten. But, depending on how soon after the deletion you attempt to recover data, you may be able to recover some or all of the data. Even if the data is overwritten, data may still exist in unallocated space and in index nodes. When a file is deleted in Mac OS, it is moved to the Trash folder—much like the Recycle Bin in Windows. The Trash is represented on the file system as a hidden folder, .Trash, on the root directory of the file system.

Term
Data Doctor
Mobile Device
Definition

Data Doctor—This product recovers all Inbox and Outbox data and all contacts data, and has an easy-to-use interface. Most important, it has a free trial version, but there is a cost for the full version. [know this as a spoiler answer]

Term

Forensics for a Windows 10 phone is done in much the same way as forensics for a Windows 10 PC or laptop is done.

Definition
Forensic Toolkit and EnCase can both image a phone for you
Term
XRY
Definition
breaking an iPhone passcode
Term
Deleted Files
Definition
When a file is deleted on the iPhone, iPad, or iPod, it is actually moved to the .Trashes\501 folder. Essentially, the data is still there until it is overwritten, so recently deleted files can be retrieved.
Term
Pwnage
Definition

Pwnage—This utility allows you to unlock a locked iPod Touch and is available from https://pwnage.com/. [know it as a spoiler answer]

Term
Email Files
Definition

.pst (Outlook)
.ost (Offline Outlook Storage)
.mbx or .dbx (Outlook Express)
.mbx (Eudora)
.emi (common to several email clients)

Term
File Extensions associated to Email server Software
Definition

Exchange Server (.edb)
Exchange Public Folders (pub.edb)
Exchange Private Folders (priv.edb)

Term
What is /var/log/lpr?
Definition
Linux printer log
Term
How does Windows store passwords?
Definition
Encrypted copy or hash? Hash.
Term
The Fourth Amendment to the U.S. Constitution
Definition
If an email message resides on a sender’s or recipient’s computer or other device, the Fourth Amendment to the U.S. Constitution and state requirements govern the seizure and collection of the message. Determine whether the person on whose computer the evidence resides has a reasonable expectation of privacy on that computer. The Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.
Term

Center for Internet Security (CIS) Benchmarks

Definition

The Center for Internet Security (CIS) benchmarks are a set of security configuration best practices developed by a consensus community of experts. They provide a secure baseline configuration for various operating systems, applications, and hardware devices. The benchmarks define best practice approaches to patching, hardening, and system logging and are the industry standard for secure configuration.

Several vulnerability scanners, such as the licensed version of Tenable's Nessus scanner, include configuration scanning options to compare an endpoint's active configuration to the settings detailed in a CIS benchmark.

Term

Open Web Application Security Project (OWASP)

Definition

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of web applications and services. It is an international organization that provides unbiased, practical information about application security. The OWASP provides tools, documents, and other resources to help people build more secure software.

Term
Payment Card Industry Data Security Standard (PCI DSS) 
Definition
Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data. Organizations that take credit and debit cards are required to follow the standards described within the PCI DSS.
Term
Center for Internet Security (CIS)
Definition
A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).
Term
Internal Scans
Definition

Internal scans focus on the view from the "inside."

Internal scans are also important to protect systems from abuse from internal threats and to provide layered security. For example, if an attacker makes it past external protections, their job should still be difficult even if they have made it to the "inside." Internal scans should include detailed, comprehensive vulnerability information.

Term
External Scans
Definition
External scans focus on the view of devices and services from the "outside" of the network, broadly referring to the Internet.

Externally accessible (Internet-facing) systems are continuously pushed, poked, probed, scanned, enumerated, subjected to automated exploits, fingerprinted, and exposed to many other malicious actions. Paying close and careful attention to externally visible vulnerabilities is essential, and the approaches used to address any identified vulnerabilities should be swift.
Term
vulnerability scanner 
Definition

Hardware or software configured with a list of known weaknesses and exploits that can scan for their presence in a host OS or particular application.

An infrastructure vulnerability scanner is a type of software that scans network hosts (clients and servers) and intermediate systems (routers, switches, access points, and firewalls) for data such as patch level, security configuration and policies, network shares, unused accounts, weak passwords, rogue devices, antivirus configuration, and so on. A scanner can be implemented purely as software or as a security appliance connected to the network.

Term
Credentialed/Noncredentialed
Definition

Noncredentialed scans are simple to implement, produce a relatively low impact on the device, and provide insight regarding what vulnerabilities are discoverable to non-authenticated users, for example, someone with access to the network only.

Credentialed scans provide the most comprehensive evaluation of devices. By authenticating to the device, the scanner can enumerate all installed software, the file system, configuration data, user accounts, and many other attributes. Special care is needed when using credentialed scans, as the most effective scanner credentials also have privileged access. If the scanner does not correctly protect the credentials, or if staff are not careful to protect the credentials, they can be abused or potentially exposed and stolen. Accounts such as root, Domain Administrator, or Administrator are inappropriate for vulnerability scanning. Scanning endpoints should be done with purpose-specific and carefully provisioned credentials, granting only the necessary access.

Term
Agentless Scan
Definition
Agentless scans can be the simplest to implement, as the scanner can collect information from endpoints using protocols such as SSH, WMI, or SNMP. Some organizations do not allow the use of WMI or SNMP in response to risks associated with these protocols. Additionally, collecting data can become complicated when network firewalls are in the line of communication between the vulnerability scanner and the endpoints.
Term
Agent-based Scan
Definition
Agent-based scans require the installation of small, special-purpose software utilities designed to collect information from the endpoint and pass it to the vulnerability scanner. The advantages of agent-based scanning include improved vulnerability and host configuration data, less processing overhead on the vulnerability scanner server, and simplified communication across network firewalls. Agent-based scans require the deployment and installation of the agent software, which requires time and effort to test, deploy, and maintain. Adding agents to endpoints also adds a new attack vector and additional software to track and patch.
Term
Active Scan  
Definition
Identifying vulnerabilities can be accomplished in many ways, and a vulnerability scanner is just one of them. Directly interacting with a device or software to identify vulnerabilities is called active scanning. Examples of active scanning include using a vulnerability scanner, enumerating services, performing banner grabbing, content enumeration, or using a web application scanner such as Burp Suite or OWASP ZAP. 
Term
Passive Scan 
Definition

Passive scanning describes methods used to identify vulnerabilities without direct interaction with a device or software. The primary example of this is network packet capture. By inspecting the traffic to and from a device, issues such as insecure protocols, cleartext credentials, inadequate encryption methods, DNS query data, and other problems are easily identifiable.

Term
scope of a scan  
Definition

The scope of a scan refers to the range of hosts or subnets included within a single scan job. The scope is configured in the scan as a single IP address or range of IP addresses. For a large network, it is sensible to schedule scans of different portions of the network to occur at different times. This will reduce the impact on network performance and make it easier to analyze the results of each scan. Scans of limited scope can also be used to identify particular issues or meet a particular compliance goal. Asset criticality might also affect scanning scope, with targeted scans of critical assets being scheduled more often.

Term

Map/Discovery Scan

Definition
A map, or discovery, scan identifies the devices connected to a network or network segment. Discovery scans allow security teams to identify connected devices and uncover potential problems.
Term
Fingerprinting 
Definition

Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.

Fingerprinting describes the effort taken to more specifically identify details about a device. Whereas a map or discovery scan looks for connected devices, a fingerprint scan looks to focus attention on an individual device to better understand its purpose, vendor, software versions, configuration details, and the existence of vulnerabilities.

Term
Static analysis 
Definition

The process of reviewing uncompiled source code either manually or using automated tools.

Static analysis can be performed in a variety of ways. One method involves manual inspection of source code in order to identify vulnerabilities in programming techniques. Another approach uses specialty applications or add-ons to development tools that are designed to look for well-known programming methods and constructs that are known to be problematic.

Term
Dynamic analysis 
Definition
Software testing that examines code behavior during runtime. It helps identify potential security issues, potential performance issues, and other problems.
Term
Fuzzing 
Definition
A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.
Term
Reverse engineering
Definition

The process of analyzing the structure of hardware or software to reveal more about how it functions.

 

Reverse engineering describes deconstructing software and/or hardware to determine how it is crafted. Reverse engineering's objective is to determine how much information can be extracted from delivered software.

 

Reverse engineering is not limited to software. Hardware can be reverse engineered to better understand how it operates in order to insert malicious components, for the theft of intellectual property, and/or to carefully inspect how a device operates in order to confirm it meets security requirements or to determine if it has been tampered with. Reversing can be performed on all nature of devices, and some examples might include security tokens, computer equipment, network and wireless equipment, cars, wearables, IoT devices, and many others.

Term

Compliance Scans and Regulatory Requirements

Definition

Legal and regulatory environments will usually be accompanied by a security framework or checklist of the controls and configuration settings that must be in place. Security software products such as IDS, SIEM, and vulnerability scanners can often be programmed with compliance templates and scanned for deviations from the template.

Some sources of external compliance may dictate a scanning frequency that your organization must follow; others take a more hands-off approach and simply require that you have a plan in place to scan at certain intervals. 

Term

Center for Internet Security

(CIS) benchmarks

Definition

CIS Benchmark configuration guides (https://www.cisecurity.org/cis-benchmarks/) can be downloaded for free for non-commercial use and include detailed descriptions of all configuration points, although the documents are very lengthy to use in this way. CIS offers a software tool for checking configurations, called CIS-CAT, but access to the tool is limited to CIS members. CIS Benchmarks™ are also available within the professional version of the Tenable Nessus vulnerability scanner, and CIS hardened images are available for deployment within major cloud platforms, such as AWS or Azure.

Term

Segmentation

 

Definition
Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls, VPNs, or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped.
Term
segmentation scanning considerations
Definition

This segmentation has a performance benefit and a security benefit because traffic flows between zones are more predictable and easier to monitor and filter. When you perform vulnerability scanning across a segmented network, you need to consider the requirements and limitations:

- A server-based scanner must be able to communicate with remote subnets, possibly including multiple VLANs, and through one or more firewalls. Alternatively, multiple scanning host nodes can be deployed in multiple segments and configured to report back to a central management server.

- An agent-based scanner must be able to communicate reports to the management server.

Term

Performance Considerations

Definition

- Identification of Operating System - Identifying the operating system of the target system is essential to ensure that the correct vulnerability scans are used and to identify any unsupported or non-compliant operating system versions.

- Scanning Interval - Scanning should be done regularly to identify new vulnerabilities. Scans should run on an automated schedule or use specialized agents that support near real-time vulnerability identification.

- Scan Speed - The scan speed is important as it can affect the accuracy of scan results. If a scan is too slow or too fast, it may miss important vulnerabilities and produce inaccurate results, or overwhelm the target system, resulting in negative performance impacts and downtime.

- Vulnerability Database - The accuracy of the scan results depends on the quality of the vulnerability database used. It is essential to use a comprehensive and up-to-date vulnerability database prior to performing a vulnerability scan.

- Scanning Type - Different types of scans can be performed to identify vulnerabilities in the target system. These include port scans, vulnerability scans, and comprehensive security configuration scans.

- Authentication - Authenticated scans are more comprehensive as they identify vulnerabilities using an authenticated session and have greater access to the host and software for deeper inspection. Unauthenticated scans have less performance impact on the target system but produce limited results compared to authenticated scans.

- False Positives - False positives are sometimes generated when vulnerability scans are performed. False positives represent invalid warnings generated by a scanner and waste the analyst's time researching and verifying the results.

Term

Vulnerability Scan Scheduling 

Definition

Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. Vulnerability scans help identify system weaknesses that malicious actors may exploit. By scheduling scans regularly, organizations can ensure that any newly discovered vulnerabilities are identified and addressed before they can be exploited. Regular vulnerability scans also help ensure that installed patches are effective and do not introduce new vulnerabilities. Additionally, vulnerability scans help identify misconfigurations and unauthorized changes. Scheduling vulnerability scans is important to ensure that an organization's systems and networks remain secure.

Term

Operations

 

Definition

Vulnerability scanning can unfortunately cause problems such as negatively impacting a system's performance or causing services to crash. For these reasons, it is important to carefully consider the needs of the organization prior to performing any type of vulnerability scan. It is common for vulnerability scanning activity to follow standard change management procedures to ensure all impacted parties are aware of scanning activity and the potential for problems.

Term

Data Sensitivity Levels 

Definition

A data inventory, or data map, describes the mechanisms used to identify and track the data assets created, controlled, or maintained by an organization. The data inventory describes the data in terms of what it contains, such as intellectual property; customer data; third-party, confidential business data; and others, as well as its classification and sensitivity. Having a clear view of data is the first step in protecting it. Gaining full visibility is hindered by the complexity and dynamics of how data is stored as well as obtaining clear information regarding what each piece of identified data represents.

Term
Operational technology (OT)
Definition

Communications network designed to implement an industrial control system rather than data networking.

 

Operational technology (OT) is a term used to describe the hardware and software technologies used to manage physical devices, processes, and events within an organization. It is the type of technology used to monitor and control actual physical systems, processes, and events in the environment. Examples of OT include industrial control systems, robotics, sensors, Programmable Logic Controllers (PLCs), and SCADA systems, as well as the networks and devices used to operate them.

Term
Industrial control systems (ICSs) 
Definition
Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
Term
human-machine interfaces (HMIs)
Definition
Input and output controls on a PLC to allow a user to configure and monitor the system.
Term
data historian 
Definition
Software that aggregates and catalogs data from multiple sources within an industrial control system.
Term
supervisory control and data acquisition (SCADA) 
Definition

Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

 

A supervisory control and data acquisition (SCADA) system takes the place of a control server in large-scale, multiple-site ICSs. SCADA systems typically run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. SCADA systems typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices.

Term
Programmable logic controllers (PLCs) 
Definition
Type of processor designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.
Term
Security Content Automation Protocol (SCAP)
Definition
A NIST framework that outlines various accepted practices for automating vulnerability scanning.

Security Content Automation Protocol (SCAP) describes a suite of interoperable specifications designed to standardize the formatting and naming conventions used to identify and report on the presence of software flaws, such as misconfigurations and/or vulnerabilities.
Term
Open Vulnerability and Assessment Language (OVAL)
Definition
An XML schema, maintained by MITRE, for describing system security state and querying vulnerability reports and information.

Open Vulnerability and Assessment Language (OVAL)—Helps describe three main aspects of an evaluated system, including (1) system information, (2) machine state, and (3) reporting. Using OVAL provides a consistent and interoperable way to collect and assess information regardless of the security tools being used.
Term
Asset Reporting Format (ARF)
Definition
As the name suggests, ARF helps to correlate reporting formats to assess information independently from any specific application or vendor product for consistency and interoperability.
Term
Extensible Configuration Checklist Description Format (XCCDF)
Definition
Written in XML, XCCDF provides a consistent and standardized way to define benchmark information as well as configuration and security checks to be performed during an assessment.
Term
Common Platform Enumeration (CPE)
Definition

Scheme for identifying hardware devices, operating systems, and applications developed by MITRE.

 

Uses a syntax similar to Uniform Resource Identifiers (URI). CPE is a standardized naming format used to identify systems and software.

Term
Common Vulnerabilities and Exposures (CVE)
Definition

Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.


A list of records where each item contains a unique identifier used to describe publicly known vulnerabilities. Unique identifiers begin with CVE, followed by the year of identification and a unique number: CVE-YEAR-#####.

Term
Common Configuration Enumeration (CCE)
Definition

Scheme for provisioning secure configuration checks across multiple sources developed by MITRE and adopted by NIST.

 

Similar to CVE, except focused on configuration issues which may result in a vulnerability.

Term
Common Vulnerability Scoring System (CVSS)
Definition
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Term
Nessus 
Definition
Nessus is a widely used vulnerability assessment tool to identify system vulnerabilities. It also enables organizations to gauge the risk associated with those vulnerabilities based on several factors, including the CVSS score. 
Term
OpenSCAP 
Definition

OpenSCAP is an open-source scanner used to identify system vulnerabilities. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system. 

Term
Qualys 
Definition
Qualys is another widely used vulnerability assessment tool to identify system vulnerabilities. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in a system. 
Term
OpenVAS 
Definition
OpenVAS is an open-source scanner used to identify vulnerabilities in systems. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system. 
Term
SecurityScorecard 
Definition

SecurityScorecard is a cloud-based solution that enables organizations to assess and improve their security posture. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system.

Term
CVSS metrics  
Definition

Score | Description
0     | None
0.1+  | Low
4.0+  | Medium
7.0+  | High
9.0+  | Critical

Term
CVSS Metrics
Definition

Base metrics, their possible values, and notes:

Attack Vector (AV)
Possible values: Physical (P), Local (L), Adjacent network (A), or Network (N)
Notes: The physical attack vector includes physical access to the system, such as accessing the device in person. The local attack vector consists of the ability to manipulate the system with local access, such as by using a USB-connected device. The network attack vector includes two distinct categories: adjacent network and network. Network (N) refers to connectivity from any location, whereas Adjacent network (A) describes access via the same broadcast domain. Network attacks include access to a system via the network and include actions such as sending malicious data packets or instructions. The attack vectors help organizations identify the best way to implement protections.

Attack Complexity (AC)
Possible values: High (H) or Low (L)
Notes: Refers to the difficulty of the attack techniques used by a threat actor. Low indicates a straightforward attack, and high indicates a more complicated attack. Attack complexity is important to consider when evaluating the risk posed by a vulnerability. If the attack complexity is high, it may be difficult or impossible for a threat actor to exploit the vulnerability, thus reducing the risk. On the other hand, if the attack complexity is low, the risk posed by the vulnerability is greater.

Privileges Required (PR)
Possible values: None (N), Low (L), or High (H)
Notes: This represents permissions such as guest or anonymous (N), standard user (L), and administrator (H).

User Interaction (UI)
Possible values: None (N) or Required (R)
Notes: Whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.

Scope (S)
Possible values: Unchanged (U) or Changed (C)
Notes: This indicates whether the exploit affects only the local security context (U) or not (C). For example, a hypervisor vulnerability might allow an exploit from one VM to other VMs.

Confidentiality (C), Integrity (I), and Availability (A)
Possible values: High (H), Low (L), or None (N)
Notes: Where the metrics above assess exploitability, these three separate metrics measure impacts to the CIA triad.

Term

Vulnerability Scans

 

Definition

Vulnerability scans check for open ports, protocol compliance, misconfigured firewalls or routers, unpatched software, cross-site scripting (XSS) problems, SQL injection weaknesses, and many other issues. The vulnerability scanning software creates simple informative output or a formal report identifying the vulnerabilities it discovered. Scan targets can include an individual system, a subnet, or logical grouping of assets, such as database, web, application servers, or perhaps industrial control systems. It is essential to save reports to establish trends over time that demonstrate the effectiveness of the vulnerability management program.

Term
False positive 
Definition

When a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not. For example, a scanner may identify that vulnerable software is present on an endpoint, but closer inspection reveals that is not actually installed. This can sometimes happen when software uninstall routines leave traces of the original software. False positives are frustrating and waste valuable analyst time.

Term
True positive 
Definition
When a vulnerability scan correctly identifies a vulnerability. For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment.
Term
False negative 
Definition
When a vulnerability scan incorrectly indicates that a vulnerability does not exist. For example, a scan might report that a web server is using compliant cipher suites when it is not, because the scanner is misconfigured or uses an outdated signature engine during evaluation. False negatives are the most concerning issue as they represent a failure of the scanning tool to report on a legitimate issue. Using multiple scanning tools can mitigate the risk of false negatives because the scan outputs of each tool can be correlated to identify vulnerabilities more confidently.
Term
True negative 
Definition
A vulnerability scan that correctly indicates that a system or device does not have a vulnerability.
Term
Weaponization 
Definition

Assesses the likelihood that an attacker will be able to weaponize a vulnerability to achieve their objectives. This metric considers factors such as the attack vector (AV) and attack complexity (AC), which affect the ease with which an attacker can create a functional exploit. An attacker can easily use weaponized exploits to gain unauthorized access to a system, steal sensitive information, or carry out other malicious activities. Additionally, attackers can easily share weaponized exploits for others to use.

Term
Exploitability 
Definition
A vulnerability with high exploitability is more likely to be targeted by an attacker and therefore requires urgent attention. Conversely, a vulnerability with low exploitability may be less urgent as it is less likely to be exploited. The exploitability of a vulnerability depends on many factors, including its attack complexity (AC), the availability of tools and techniques to exploit it (weaponization), and any security measures already in place to defend against the vulnerability. Vulnerability scanning tools and penetration testing can help quantify a vulnerability's exploitability. It is important to note that low exploitability does not mean that a vulnerability is not severe. Analysts must carefully consider all aspects of a vulnerability, including its potential impact, to make informed decisions about remediating it.
Term
zero-day 
Definition

A zero-day represents an exploitable vulnerability with no available patch.

 

The lack of an available patch is caused either because the vulnerability is new and a patch is not yet available, or because the vulnerability is entirely unknown to the software provider.

 

These vulnerabilities are highly valuable to attackers. Standard vulnerability scanning techniques cannot detect unknown zero-day exploits because the scanner depends upon a vulnerability database of known vulnerabilities. 

Term
Asset value 
Definition

An asset's value may influence a vulnerability's score. Highly valuable assets, like those with far-reaching impacts if breached, may have little tolerance for vulnerabilities, skewing all scores into the high/critical range.

Term

CVSS Score Calculations

Categories

Definition

- Impact—The potential damage or harm caused by the vulnerability.

- Exploitability—The ease and likelihood of exploiting a vulnerability.

- Remediation—The cost and effort required to fix the vulnerability.

Term

CVSS Score Calculations


Metrics:

Definition

- Scope—The number of systems and people affected by the vulnerability.

- Confidentiality—The extent to which data is disclosed.

- Integrity—The extent to which the system's functionality is changed or impaired.

- Availability—The extent to which a system is unavailable.

- Privacy—The extent to which the system's privacy is impacted.

- Operations—The extent to which the system's security is affected.

- Other—Any other relevant or important factors.

Term
Vulnerability Management Reporting Benefits 
Definition

Increased awareness—A vulnerability management program helps organizations identify potential weaknesses in systems, software, and networks to help organizations reduce their risk of cyberattacks and ensure that the environment remains secure. 

Term

Vulnerability Management Reporting Benefits 

Improved response

Definition
Organizations can reduce the time it takes to respond to cybersecurity incidents by incorporating vulnerability management into their incident response plan to respond more effectively to cyber threats. For example, using incident response processes to help quickly mitigate newly identified, critical vulnerabilities.
Term

Vulnerability Management Reporting Benefits 

Improved security posture

Definition
Vulnerability management reporting provides metrics and measures designed to track the progress and effectiveness of vulnerability management efforts. 
Term

Vulnerability Management Reporting Benefits 

Better compliance

 

Definition
Vulnerability management reporting capabilities are required to maintain compliance with regulations, laws, data privacy legislation, and security standards.
Term
 

Top 10 Lists

Definition
Using top 10 style lists (or top 5, 15, 20, etc.) can help highlight potential problems or focus on important activities, trends, or environmental changes. Some examples of top 10 lists include traffic volume by device, protocols by volume, inbound traffic protocols by volume, outbound protocols, top external IP connections, email volume by user, malware alerts by user, and many other metrics. 
Term

Compliance Reports 

Definition

Compliance reports provide a detailed overview of how an organization is adhering to the laws, regulations, and standards that apply to its operations. They are typically used to evaluate the effectiveness of an organization's compliance practices, assess the organization's compliance with applicable laws, and provide important information to stakeholders and regulators. Organizations can use compliance reports to demonstrate their commitment to compliance and help ensure that legal and regulatory requirements are being followed. 

Term
Regulatory compliance reports 
Definition
Prepared by qualified personnel and often include information on policies and procedures, internal audit results, employee training records, risk assessments, and other relevant data. The law, policy, contract, or regulation mandating the compliance report dictates its content. 
Term
Internal compliance reports
Definition
Include assessments of endpoints to validate configuration per required secure configuration baselines, employee adherence to established procedures, vendor management practices, change management practices, user account management, and many other areas. 
Term
Key Performance Indicators 
Definition

KPIs help organizations measure progress toward goals and identify areas for improvement in operations. Any stage of the cybersecurity lifecycle can use KPIs—prevention, detection, or response. KPIs are essential for organizations to understand how their cybersecurity efforts are performing, and they can also use them to determine areas where the organization needs to improve.

 

KPIs provide this data by tracking metrics, such as the number of security incidents and the time it takes to detect them. KPIs also allow organizations to compare their cybersecurity efforts against other organizations and industry averages. This comparison can help identify where cybersecurity efforts are exceeding expectations and areas where they need to catch up. By tracking KPIs, organizations can determine if additional cybersecurity staff or equipment resources are required or if existing resources are working sufficiently.

Term

Examples of KPIs

Incidents

Definition

This KPI indicates the number of incidents an organization experiences, such as data breaches and cyberattacks. Organizations can track this KPI over time to determine if there is an upward or downward trend in incidents. 

Term

Examples of KPIs

Detection Time

Definition

This KPI indicates the average time it takes to detect incidents. Organizations can use this metric to track how their incident response efforts are improving over time. They can also compare the detection time to industry averages to see where they can improve.

Term

Examples of KPIs

Indicators of Compromise (IoCs)

Definition

This KPI indicates the number of IoCs that organizations have in their systems and networks or that they have identified in others' systems. Organizations can track this KPI over time to determine if the IoCs are increasing in their environment.

Term

Examples of KPIs

Threats

Definition

This KPI indicates the number of threats organizations know about and have identified. Organizations can track this KPI over time to determine if the number of threats increases.

Term

Examples of KPIs

Risk Assessment

Definition

This KPI indicates the organization's risk assessment results. Organizations can compare their risk assessments with those of other organizations to see if they are on par.

Term

Examples of KPIs

Resource Allocation

Definition
This KPI indicates the percentage of cybersecurity resources organizations allocate to different areas, such as prevention and detection. Organizations can track this KPI over time to determine if they are allocating an appropriate percentage of resources to each function.
Term

Service Level Objectives (SLOs)

Definition

Service level objectives (SLOs) are essential in any customer-oriented operation. SLOs provide a benchmark by which security operations can measure their performance and help ensure they meet leadership's expectations. Service level objectives must be measurable, achievable, and realistic, like any goal-setting initiative. This means that security operations teams should set targets that are attainable but also challenging enough to foster growth. Additionally, SLOs should be flexible and adaptable as the cybersecurity landscape and organization's capabilities change over time.
