Security+ SY0-601: Definitions and Catchwords

This entry is part 3 of 47 in the series [ Security+ SY0-601 ]

A Note About “Inclusive Language”

In today’s highly politically-charged environment, the words “white“, “black” and “gray” (or “grey”) are no longer allowed. This means we can’t use terms like White Hat, Black Hat or Gray Hat. Instead we must use “Allowed“, “Not Allowed” or “Partially Allowed“. Military terms are off limits. No more DMZ.


Deprecated Terminology and Updated Terminology

White Hat Hacker Authorized Hacker
Black Hat Hacker Unauthorized Hacker
Gray Hat Hacker Partially Authorized Hacker
Whitelist Allow list/Approved list
Blacklist Block list/Deny list
White box Known environment
Black box Unknown environment
Grey box Partially known environment
Mantrap Access Control Vestibule
Demilitarized Zone (DMZ) Screened subnet
Man-in-the-Middle/Man-in-the-Browser On-path Attack

Be A Ninja With The OSI/DoD Models

OSI and DoD Models

Ports, well-known and otherwise

NAT and Private Address Ranges (thanks JP)

Asset – anything valuable, such as information, software or a car stereo

Threat – any event or object that might result in a loss, like theft or fire damage

Threat Agent – any person or thing that can carry out a threat, like a thief or a flood

Vulnerability – a weakness in security, like an unprotected server or a hole in a fence

Exploit – a way to actually take advantage of a weakness, for instance by attacking an unprotected server or going through that hole in the fence

Risk – the likelihood that that an exploit will actually be performed

Risk management is what it’s all about: how much risk can you tolerate, and how much will you spend to avoid it?

According to CompTIA:

    1. Confidentiality – Only authorized persons have access to the information.
    2. Integrity – Insurance that a message, software or other item hasn’t been changed in any way.
    3. Availability – Information is available to properly authorized users.

Other sources discuss:

      1. Privacy – Only authorized persons know that information exists. Security practices acknowledge the importance of Privacy, but security certifications walk glassy-eyed right past it.
      2. Non-repudiation -The impossibility of denying that information comes from a specific source.
      3. Authenticity – An affirmation that information is intact (has Integrity) and comes from the stated source (Non-repudiation). CompTIA does not use this term, but it’s common on other tests, e.g. the CEH.

While proper IAM (Identity and Access Management) provides these benefits:

      1. Authentication – Providing both a username (Identification) and a password or something similar (Authentication).
      2. Authorization – The permissions granted by the entity providing access, for instance share access permissions in Active Directory. People also call this Permissions, though usually that’s more correctly applied to individual settings rather than the collective environment of Authorization. See how smart you are now?
      3. Audit/Accounting – The ability to review accesses and actions of resources.

Layering -Providing multiple layers of protection: physical access control, a firewall, antivirus software, etc. The key concept is preventing one layer’s configuration from compromising other layers. If you leave workstations logged in overnight to distribute antivirus updates, you’ve weakened security with that compromise.

Limiting – Basically, limiting access, whether physical or logical.

Diversity – Using more than one type of a given security method; for instance, both a physical and a software firewall.

Obscurity – Limiting the information available to attackers. For example, your web server should not reveal that it’s Apache 1.2.

Simplicity – Put simply, don’t make your security layers hard to understand or configure.

Very Non-Basic Security Concepts

Trust Analysis

The Moebius Defense / Defense in Depth