Affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting of those organizations and stipulates penalties, including jail time, for executive officers who certify false reports. Enacted in 2002.
What is the Sarbanes-Oxley Act (SOX)?
The DNS resource record at the top of a zone that names the zone's primary authoritative name server and the responsible party's mailbox, and carries the zone serial number and the refresh, retry, expire, and minimum TTL timers used by secondary servers.
Start of Authority (SOA)
A port setting used in PVLANs that allows a port to communicate only with promiscuous ports and other ports in the same community.
community port
A predictable framework of procedures designed to identify all requirements with regard to functionality, cost, reliability, and delivery schedule and to ensure that each is met in the final solution.
SDLC
An open source SNMP-based utility that can monitor, log, and graph data retrieved from hosts, appliances, and other network devices.
Cacti
Requires financial institutions to safeguard customers' nonpublic personal financial information and restricts sharing that information with nonaffiliated third parties (customers must be given notice and the chance to opt out).
Gramm-Leach-Bliley Act (GLBA) of 1999
This occurs when a lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications (for example, a normal user reaching an admin-only function). Contrast with horizontal privilege escalation, in which a user accesses another user's resources at the same privilege level.
vertical privilege escalation
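The classic cause is an endpoint that checks only that the caller is logged in, not what role the caller holds. The following is an added example (not code from the original page): the vulnerable handler beside a hardened one that enforces the role on every request, with a small probe so both can be exercised. The session table, the X-Session header, and the /admin/users/42 URL are constructed sample data for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessions is constructed sample data standing in for the server-side
// session store; the role always comes from here, never from the client.
var sessions = map[string]string{
	"tok-alice": "admin",
	"tok-bob":   "user",
}

// roleOf resolves the caller's role from the X-Session header.
func roleOf(r *http.Request) string {
	return sessions[r.Header.Get("X-Session")]
}

// deleteUserVulnerable checks only that the caller is authenticated.
// A plain "user" who learns the URL (e.g. from the admin UI's JavaScript)
// reaches the admin-only function: vertical privilege escalation.
func deleteUserVulnerable(w http.ResponseWriter, r *http.Request) {
	if roleOf(r) == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK) // a real handler would delete the user here
}

// requireRole wraps a handler with an authorization check that runs on
// every request. Unknown roles are denied by default.
func requireRole(role string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch roleOf(r) {
		case "":
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		case role:
			next(w, r)
		default:
			http.Error(w, "forbidden", http.StatusForbidden)
		}
	}
}

// deleteUserHardened is the same function, reachable only by admins.
var deleteUserHardened = requireRole("admin", func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// Probe sends the admin-only request as the given session token and
// returns the HTTP status the handler produced.
func Probe(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodDelete, "/admin/users/42", nil)
	if token != "" {
		req.Header.Set("X-Session", token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, as user: ", Probe(deleteUserVulnerable, "tok-bob"))
	fmt.Println("hardened, as user:   ", Probe(deleteUserHardened, "tok-bob"))
	fmt.Println("hardened, as admin:  ", Probe(deleteUserHardened, "tok-alice"))
}
```

The probe with the "user" token returns 200 from the vulnerable handler and 403 from the hardened one; this is the exact check a pentester performs by replaying an admin request under a low-privilege session.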
The process of continuously working to improve an organization's security.
continual improvement
Analysis that converts source code into a stream of tokens (keywords, identifiers, literals, operators) to abstract away formatting and make the code easier to manipulate and match against patterns for testing purposes. It is the first stage of most static analysis tools.
lexical analysis
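As an added example (not code from the original page), the program below tokenizes a constructed Go snippet with the standard library's go/scanner and then runs a simple pattern over the token stream: it flags calls to exec.Command whose first argument is not a string literal, the kind of check a lexical-stage static analyzer performs before any parsing. The sample source and the "exec"/"Command" sink are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"go/scanner"
	"go/token"
)

// Token is one lexical unit of the source text.
type Token struct {
	Kind string // token name: IDENT, STRING, "(", "func", ...
	Text string // literal text for identifiers, literals and keywords; empty for operators
}

// sample is constructed input: one safe call with a literal command and
// one call whose command name comes from a variable.
const sample = `package main

import "os/exec"

func run(name string) {
	exec.Command("ls", "-l").Run()
	exec.Command(name).Run()
}
`

// Tokenize runs the Go scanner over src and returns the token stream,
// skipping comments and the semicolons the scanner inserts at newlines.
func Tokenize(src []byte) []Token {
	fset := token.NewFileSet()
	file := fset.AddFile("input.go", fset.Base(), len(src))
	var s scanner.Scanner
	s.Init(file, src, nil, 0) // mode 0: comments are not returned
	var out []Token
	for {
		_, tok, lit := s.Scan()
		if tok == token.EOF {
			break
		}
		if tok == token.SEMICOLON && lit == "\n" {
			continue // automatically inserted semicolon, not in the source
		}
		out = append(out, Token{Kind: tok.String(), Text: lit})
	}
	return out
}

// FlagNonLiteralCalls returns the indexes of every pkg.fn( occurrence
// whose first argument token is not a string literal.
func FlagNonLiteralCalls(toks []Token, pkg, fn string) []int {
	var hits []int
	for i := 0; i+4 < len(toks); i++ {
		if toks[i].Kind == "IDENT" && toks[i].Text == pkg &&
			toks[i+1].Kind == "." &&
			toks[i+2].Kind == "IDENT" && toks[i+2].Text == fn &&
			toks[i+3].Kind == "(" &&
			toks[i+4].Kind != "STRING" {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	toks := Tokenize([]byte(sample))
	for _, t := range toks {
		fmt.Printf("%s %q\n", t.Kind, t.Text)
	}
	for _, i := range FlagNonLiteralCalls(toks, "exec", "Command") {
		fmt.Printf("non-literal command at token %d: first arg %q\n", i, toks[i+4].Text)
	}
}
```

Only the second call is reported, because its first argument token is IDENT rather than STRING. A purely lexical check like this cannot follow data flow (it would miss a literal passed through a variable), which is why parsing and semantic analysis follow this stage in real tools.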
A suite of tools, built around an intercepting proxy, used for testing web applications. It can scan an application for vulnerabilities and can crawl an application to discover its content.
Burp Suite
An enterprise security architecture framework that uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). It is a risk-driven architecture.
SABSA
Each organization subscribes to the standards of, and trusts certificates issued through, a common third party, rather than establishing trust with every other organization directly.
trusted third-party (or bridge) model
A concept in which one individual performs one part of a sensitive operation and another performs a second part.
dual control
The phase in the SDLC during which both the functionality and the security requirements of a solution are identified.
gather requirements phase
An open source web vulnerability scanner and intercepting proxy written in Java. It is GUI based and runs on Linux, OS X, and Windows.
Vega
Affects financial institutions. It addresses minimum capital requirements, supervisory review, and market discipline. Its main purpose is to protect against risks that banks and other financial institutions face.
Basel II
An OASIS standard that defines an XML-based access control policy language, together with a request/response format for asking a policy decision point whether a subject may perform an action on a resource (attribute-based access control).
Extensible Access Control Markup Language (XACML)
A cipher that uses both symmetric and asymmetric algorithms: a fresh symmetric key encrypts the bulk data, and an asymmetric algorithm protects only that key for the recipient. This combines the speed of symmetric encryption with the key-distribution advantages of public-key cryptography.
hybrid cipher
A manual or systematic technical assessment of a system or an application against a defined standard or policy. It is best performed by an independent third party.
Audit
A collection of more than 70 Microsoft utilities for Windows (such as Process Explorer, Autoruns, and Procmon) that can be used both for troubleshooting and for security investigation.
Sysinternals
A catalog of security controls published by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. It divides the controls into three classes: technical, operational, and management.
NIST SP 800-53
An IEEE standard that defines a framework for centralized port-based network access control: a supplicant (the connecting device) authenticates through an authenticator (a switch or wireless access point) to an authentication server, typically RADIUS, before the port passes normal traffic.
802.1X
Planning that involves identifying potential candidates to succeed key employees, with a specific plan to train these individuals so that they are ready to take over the position and perform well in the job.
succession planning
Recommended technical settings for operating systems, middleware and software applications, and network devices from the Center for Internet Security.
CIS benchmark
A set of mitigation tools by Microsoft that helps prevent vulnerabilities in software from being exploited, for example by enforcing DEP and ASLR on legacy applications. EMET reached end of life in July 2018; its mitigations now ship in Windows 10 as Exploit Protection.
Enhanced Mitigation Experience Toolkit (EMET)