SY0-401: Glossary, GSEC, SEC + 401 Study Guide COMBINED

¡Supera tus tareas y exámenes ahora con Quizwiz!

RDP

"Remote desktop protocol -- port 3389 TCP"

GECOS

'field' an entry in the /etc/passwd file

set-GID

's' displayed in place of 'x' (e.g. r-w-s) for group owner to show that program executes often used for printing

set-UID

's' displayed in place of 'x' (e.g. r-w-s) to show that program executes as the owner of the executable rather than the user e.g. 'passwd' (owned by root exec by user)

VPN security concerns

'trusted client' problem; third parties; IDS and AV can't inspect traffic

DHCP

(Dynamic Host Configuration Protocol) A set of rules that allow network client computers to find and use the Internet address that corresponds to a domain name dynamically assigns IP addresses from pool per request for the client needs

M2M

(Machine to Machine) enables connected devices to communicate with each other

3DES

(Triple Data Encryption Standard) A symmetric encryption algorithm that encrypts data by processing each block of data three times, using a different DES key each time.

TTLS

(Tunneled Transport Layer Security) Provides authentication like SSL/TLS, but does not require a certificate for each user Authenticates the server end of the connection by certificate Users are authenticated by password only

WSUS

(Windows Server Update Services) is a computer program that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment

Anomaly-based IDS

(also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline.

signature-based IDS

(also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline

DAC

(discretionary access control) model specifies that every object has an owner, and the owner has full, explicit control of the object

802.11ad

(very high speed in very short distance over 60 GHz)

raw disk

- partition type used when no file system is appropriate; not mounted in LFS

cron

/etc/crontab; runs as root; first - last

Linux Partitions

/etc/fstab; partitions better for stability and security, backups

logrotate

/etc/logrotate.conf

systemd

/etc/systemd The newer initialization system which uses systemd-based systems initialize services and processes in parallel and can support on-demand services.

messages log

/var/log/messages

TCP well-know ports

0 - 1023

init runlevels

0 - shut down 1 - single user mode 2 - multiuser mode 3 - multiuser with networking 5 - start display manager with graphics 6 - system reboot

Three Components as Kerberos

1. KDC or Key Distribution Center 2. TGS or Ticket-Granting Service 3. AS or Authentication Service

Incident handling

1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6 Lesions Learned (May optionally add Wait and See step). Steps from DOE (Department of energy)

WPA2

1.) WPA2-Personal: Protects unauthorized network access via a password 2.) WPA2-Enterpris: Verifies network users through a server Uses Advanced Encryption Standards (AES) WPA 2 is the latest and most secured wireless encryption standard.

TCP registered ports

1024 - 49151

AES Block Size

128 bits

Twofish

128-bit key length. Capable using cryptographic keys up to 256-bits in length. Twofish is a secure solution

SHA-1

160 bit hash 20-byte key length

Workgroup

2+ Windows machines that share info in the absence of a domain controller with individual machines called standalone computers In Windows, standalone computers where administration, resources, and security are distributed, without centralized management or security < 50, < 10 just standalone computers

Windows Server Nano

2016+ install option; 110 MB install; no GUI; headless, manage over network, not through console; only runs AS CONTAINER; no bare metal install or VM; for web or db apps; cannot be patched, but redeployed; cannot run domain controller

TCP dynamic ports

49152 - 65535

DES Block Size

64

Blowfish

64-bit key length. Alternative to DES and IDEA. Acceptable option for encryption, but only when you're using key lengths of at least 128 bits

bluetooth version 5

800 ft range 2Mbit transfers IoT-ready

Windows MOM

? log aggregation?

BIA (business impact analysis)

A BCP preparatory step that identifies present organizational risks and determines the impact to ongoing, business-critical operations if such risks actualize.

incremental backup

A Backup that backs up all files in a selected storage location that have changed since the last full or differential backup.

trust model

A CA hierarchy

Xmas Tree

A Christmas tree is a packet that makes use of certain options for the underlying protocol.

Double DES

A DES version that uses a 112-bit key length; encipher message; then encipher encrypted message

tail command

A Linux command used to display lines of text at the end of a file; by default, the tail command displays the last 10 lines of the file. -s sleep interval -c number of bytes displayed -n number of lines

PKCS#7-Cryptographic Message Syntax Standard

A PKCS that describes the general syntax used for cryptographic data such as digital signatures.

PKCS#10-Certification Request Syntax Standard

A PKCS that describes the syntax used to request certification of a public key and other information.

NAS (Network Access Server)

A RADIUS server configuration that uses a centralized server and clients.

PSH

A TCP flag indicating to Push data to application layer.

RST

A TCP flag meaning to Reset (tear down) a connection

White Hat

A Type of Hacker that is contracted to break into a company's system

C shell

A UNIX/Linux command interpreter designed for C programmers. csh

PPTP (Point-to-Point Tunneling Protocol)

A VPN protocol that is an extension of the PPP remote access protocol.

VPS

A Virtual Private Server is a part of a physical machine that is used as a server, many may exist on the same computer.

PC Reset

A Windows 8.1 feature that enables you to return your PC back to the original state it was in when you purchased it or first set it up

Scheduled Tasks

A Windows XP Control Panel applet for scheduling programs. It was replaced in later versions by the Task Scheduler MMC. (13)

Guest Account

A Windows account with few permissions and no password that allows a user to use a computer without requiring a unique user account. Disable and assign a user name and password.

Active Directory

A Windows server directory database and service that is used in managing a domain to allow for a single point of administration for all shared resources on a network, including files, peripheral devices, databases, Web sites, users, and services.

Domain Controller

A Windows server that has Active Directory installed and is responsible for allowing client computers access to domain resources.

Backup and Restore

A Windows utility that allows the user to create a duplicate copy of all the data on the hard drive and copy it to another storage device. dangerous - create separate OU group

differential backup

A backup that backs up all files in a selected storage location that have changed since the last full backup.

full backup

A backup that backs up all selected files regardless of the state of the archived bit.

CFB encryption (Cipher Feedback mode encryption)

A block encryption model that allows encryption of partial blocks rather than requiring full blocks for encryption.

PCBC encryption (Propagating or Plaintext Cipher Block Chaining encryption)

A block encryption model that causes minimal changes in the ciphertext while encrypting or decrypting.

OFB encryption (Output Feedback mode encryption)

A block encryption model that converts a block cipher into a stream cipher, which is fed back as input of a block cipher.

CTR encryption (counter mode encryption)

A block encryption model that is similar to OFB and uses a counter as input.

CBC encryption (Cipher Block Chaining encryption)

A block encryption model where before a block is encrypted, information from the preceding block is added to the block. In this way, you can be sure that repeated data is encrypted differently each time it is encountered.

ECB encryption (Electronic Code Block encryption)

A block encryption model where each block is encrypted by itself. Each occurrence of a particular word is encrypted exactly the same.

SLA (service-level agreement)

A business agreement that outlines what services and support will be provided to a client.

anti-malware software

A category of software programs that scan a computer or network for known viruses, Trojans, worms, and other malicious software.

RADIUS Remote Authentication Dial-in User Service.

A centralized authentication often deployed to provide an additional layer of security for a network by offloading authentication of remote access clients from domain controllers or even the remote access server itself to dedicated authentication server. UDP and uses 1812. AAA Authentication. Non Proprietary

Group Policy

A centralized configuration management feature available for Active Directory on Windows Server systems.

group policy

A centralized configuration management feature available for Active Directory on Windows Server systems.

virtualization

A class of technology that separates computing software from the hardware it runs on via an additional software layer, allowing multiple operating systems to run on one computer simultaneously.

Microsoft Intune

A cloud-based management solution that allows you to manage your computers when they are not inside your corporate network.

update

A collection of files for updating released software that fixes bugs or provides enhancements.

rollup

A collection of previously issued patches and hotfixes, usually meant to be applied to one component of a system, such as the web browser or a particular service.

baseline report

A collection of security and configuration settings that are to be applied to a particular system or network in the organization.

security baseline

A collection of security configuration settings that are to be applied to a particular host in the enterprise.

Account Lockout Policy

A collection of settings, such as lockout duration, that control account lockouts duration: 120 minutes lockout threshold: 5 attempts reset counter lockout: 45 minutes

cipher suite

A collection of symmetric and asymmetric encryption algorithms commonly used in SSL/TLS connections.

service pack

A collection of system updates that can include functionality enhancements, new features, and typically all patches, updates, and hotfixes issued up to the point of the release of the service pack.

Key Stretching

A collection of techniques that can potentially take a weak key or password and stretch it to become more secure.

dmesg command

A command that displays hardware-related messages generated by the Linux kernel and prints to standard output

sudo command

A command that is used to perform commands as another user via entries in the /etc/sudoers file. No root pwd is used, only specific commands allowed, and use is logged

ifconfig command

A command used to display and modify the TCP/IP configuration information for a network interface. Linux

modprobe command

A command used to insert a module into the Linux kernel.

PowerShell

A command-line interactive scripting environment that provides the commands needed for most management tasks in a Windows Server 2012/R2 environment. TCP 5985, 5986 only on Windows, .NET full

business partner

A commercial entity that has a relationship with another, separate commercial entity.

ping floods

A common name for ICMP flood attack. It is a type of DoS attack in which the attacker attempts to overwhelm the target system with ICMP Echo Requests (ping) packets.

Smurf attacks

A common name for ICMP flood attacks These are a type of DoS attack in which a ping message is broadcast to an entire network on behalf of a victim computer, flooding the victim computer with responses.

account management

A common term used to refer to the processes, functions, and policies used to effectively manage user accounts within an organization.

FTP (File Transfer Protocol)

A communications protocol that enables the transfer of files between a user's workstation and a remote host.

Ubuntu

A community-developed Linux-based operating system with a GUI similar to that of Windows. Derived from Debian. APT package manager; FW not enabled by default

Hybrid Cloud Infrastructure

A composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

defense in depth

A comprehensive approach to layered security that is intended to slow an attack.

Zombie

A computer that has been infected with a bot and is being used by an attacker to mount a DDoS attack. Also called a drone.

failopen

A control that provides open access when a system fails.

failsecure

A control that provides security when a system fails.

failsafe

A control that provides user safety when a system fails.

identity theft

A crime that occurs when an individual's personal information or data is stolen and used by someone other than the authorized user.

computer crime

A criminal act that involves the use of a computer as a source or target, instead of an individual.

HSM (Hardware Security Module)

A cryptographic module that can generate cryptographic keys.

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)

A cryptographic protocol that is based on Diffie-Hellman and that provides for secure key exchange by using ephemeral keys and elliptic curve cryptography.

DHE (Diffe-Hellman Ephemeral)

A cryptographic protocol that is based on Diffie-Hellman and that provides for secure key exchange by using ephemeral keys.

decryption

A cryptographic technique that converts ciphertext back to cleartext.

Encryption

A cryptographic technique that converts data from plaintext (cleartext) into code (ciphertext)

DH (Diffie-Hellman)

A cyrptographic protocol that provides for secure key exchange.

tunneling

A data-transport technique in which a data packet in encrypted and encapsulated in another data packet in order to conceal the information of the packet inside.

certificate repository database

A database containing digital certificates.

registry

A database that Windows uses to store hardware and software configuration information, user preferences, and setup information. In AD, stores for domain. REGEDIT.EXE

NoSQL databas

A database that provides data storage and retrieval in a non-relational manner.

WEP (Wired Equivalent Privacy)

A deprecated protocol that provides 64-bit, 128-bit, and 256-bit encryption using the RC4 algorithm for wireless communication that uses the 802.11a and 802.11b protocols.

incident report

A description of the events that occurred during a security incident.

hardware-based encryption devices

A device or mechanism that provides encryption, decryption, and access control.

sniffer

A device or program that monitors network communications on the network wire or across a wireless network and captures data.

router

A device that connects multiple networks that use the same protocol.

STA (Station)

A device that contains an IEEE 802.11 conformant MAC interface to a wireless medium with an Ethernet-like driver interface.

Router

A device that forwards data packets between computer networks. Uses ACL's.

switch

A device that has multiple network ports and combines multiple physical network segments into a single logical network.

Load Balancers

A device that performs load balancing as its primary function.

hub

A device that uses its ports to connect devices (computers, printers, etc.) together and broadcasts all data on all channels

EMI (electromagnetic interference)

A disruption of electrical current that occurs when a magnetic field around one electrical circuit interferes with the signal being carried on an adjacent circuit.

account policy

A document that includes an organization's user account management guidelines.

back-out contingency plan

A documented plan that includes specific procedures and processes that are applied in the event that a change or modification made to a system must be undone.

Global Catalog Server

A domain controller that also contains a subset of active directory domain services objects from other domains in the forest.

802.11

A family of specifications developed by the IEEE for wireless LAN technology.

802.11a

A fast, secure, but relatively expensive protocol for wireless communication. It Supports speeds up to 54 Mbps in the 5 GHz frequency.

DLL (Dynamic Link Library)

A file of executable functions or data that can be used by a Windows application. Typically, a DLL provides one or more particular functions, and a program accesses the functions by creating links to the DLL.

archive bit

A file property that essentially indicates whether the file has been modified since the last back up.

web application-based firewalls

A firewall that is deployed to secure an organization's web-based applications and transactions from attackers.

IPv6 header

A fixed size of 40 Bytes.

vulnerability

A flaw or weakness that allows a threat agent to bypass security.

man-in-the-middle attack

A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

Fibre Channel

A form of network data storage solution or network that allows for high-speed fi le transfers at upward of 16Gbps

Whaling

A form of spear phishing that targets the wealthy.

security policy

A formalized statement that defines how security will be implemented within a particular organization.

GPG (GNU Privacy Guard)

A free open-source version of PGP that provides the equivalent encryption and authentication services.

Windows Update for Business

A free service for Windows 10 Pro, Enterprise, and Education editions that can provide updates to your users based on distribution rings

Blowfish

A freely available 64-bit block cipher algorithm that uses a variable key length.

hot site

A fully configured alternate network that can be online quickly after a disaster.

Trapdoor Function

A function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor."

data

A general term for the information assets of a person or organization. In a computer system, data is generally stored in files.

recovery team

A group of designated individuals who implement recovery procedures and control the recovery operations in the even of an internal or external disruption to critical business processes.

Red Team

A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.

distribution group

A group used only for non-security functions, such as distributing email cannot be assigned permissions

hacktivist

A hacker motivated by the desire for social change.

cyberterrorist

A hacker that disrupts computer systems in order to spread fear and panic.

white hat

A hacker who exposes security flaws in applications and operating systems with an organization's consent so that they can fix them before the problems become widespread.

grey hat

A hacker who exposes security flaws in applications and operating systems without consent, and does so for the greater good instead of maliciously.

Black hat

A hacker who exposes vulnerabilities for financial gain or for some malicious purpose.

zero day exploit

A hacking attack that occurs immediately after a vulnerability is identified, when the security level is at its lowest.

network-based firewalls

A hardware / software combination that protects all the computers on a network behind the firewall.

MAC address

A hardware address of 48 bits, unique identifier similar to a serial number assigned to networking equipment at the time of manufacture; Media Access Control; aka ethernet address; .5 vendor / .5 NIC; L2

SHA (Secure Hash Algorithm)

A hash algorithm modeled after MD5 and considered the stronger of the two because it produces a 160-bit hash value.

tarpit

A honeypot that answers connection requests in such a way that the attacking computer is "stuck" for a period of time. Considered 'aggressive' defense using TCP flow control to set window size low to 0 to keep conn open and consume resources

tailgating

A human-based attack where the attacker will slip in through a secure area following a legitimate employee.

guessing

A human-based attack where the goal is to guess a password or PIN through brute force means or by using deduction.

shoulder surfing

A human-based attack where the goal is to look over the shoulder of an individual as he or she enters password information or a PIN.

dumpster diving

A human-based attack where the goal is to reclaim important information by inspecting the contents of trash containers.

spoofing

A human-based or software-based attack where the goal is to pretend to be someone else for the purpose of identity concealment. Spoofing can occur in IP addresses, MAC addresses, and email.

Multipartite

A hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files or vice versa

PBKDF2 (Password-Based Key Derivation Function 2)

A key derivation function used in key stretching to make potentially weak cryptographic keys such as passwords less susceptible to brute force attacks.

Ephemeral Key

A key generated at the time of need for use in a short or temporary time frame.

bcrypt

A key-derivation function based on the Blowfish cipher algorithm.

CRL (Certificate Revocation List)

A list of certificates that are no longer valid.

Load Balancing

A load balancer is used to spread or distribute network traffic load across several network links or network devices

warm site

A location that is dormant or performs non critical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

subnet

A logical subset of a larger network, created by an administrator to improve network performance or to provide security.

superuser account

A login account that allows essentially unrestricted access to the application; UID of 0

Loop Protection

A major feature in Layer 2 managed switches is the Spanning Tree Protocol. Multiple active paths between stations cause loops in the network.

M of N scheme

A mathematical control that takes into account the total number of key recovery agents (N) along with the number of agents required to perform a key recovery (M).

Port Address Translation (PAT)

A means of translation between ports on a public and private network.Ports are selected at random for each inside address which generates a request

backdoor

A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication.

Exploit

A mechanism of taking advantage of an identified vulnerability

API (application programming interface)

A mechanism that defines how software elements interact with each other.

RIPEMD (RACE Integrity Primitives Evaluation Message Digest)

A message digest algorithm that is based on the design principles used in MD4.

CSR (certificate signing request)

A message sent to a certificate authority in which a resource applies for a certificate.

key escrow

A method for backing up private keys to protect them while allowing trusted third parties to access the keys under certain conditions.

ARP poisoning

A method in which an attacker, with access to the target network, redirects an IP address to the MAC address of a computer that is not the intended recipient.

OSI model (Open Systems Interconnection model)

A method of abstracting how different layers of a network structure interact with one another.

cloud computing

A method of computing that relies on the Internet to provide the resources, software, data, and media needs of a user, business, or organization.

penetration test

A method of evaluating security by simulating an attack on a system.

LDAPS (Lightweight Directory Access Protocol Secure)

A method of implementing LDAP using SSL/TLS encryption.

lockout

A method of restricting access to data on a device without deleting that data.

PGP (Pretty Good Privacy)

A method of securing emails created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography.

protected distribution

A method of securing the physical cabling of a communications infrastructure.

media

A method that connects devices to the network and carries data between devices.

IaaS (Infrastructure as a Service)

A method that uses the cloud to provide any or all infrastructure needs.

PaaS (Platform as a Service)

A method that uses the cloud to provide any platform-type services.

SaaS (Software as a Service)

A method that uses the cloud to provide applications services to users.

bluejacking

A method used by attackers to send out unwanted Bluetooth signals from smartphones, mobile phone, tablets, and laptops to other Bluetooth-enabled devices.

data wiping

A method used to remove any sensitive data from ma mobile device and permanently delete it.

HAMC (Has-based Message Authentication Code)

A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions, such as MD5 or SHA-1, with a secret key.

hot and cold aisle

A method used within data centers and server rooms as a temperature and humidity control method.

Redundant Servers

A mirror or duplicate of a primary server that receives all data changes immediately after they are made on the primary server

NFC (Near Field Communication)

A mobile device communication standard that operates at very short range, often through physical contact.

network tap

A monitoring device installed inline with network traffic. A network tap usually has three ports: two ports to send and receive all traffic and a third port that mirrors the traffic, sending it to a computer running monitoring software in promiscuous mode.

behavior-based monitoring

A monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.

anomaly-based monitoring

A monitoring system that uses a database of unacceptable traffic patterns identified by analyzing traffic flows.

signature-based monitoring

A monitoring system that uses a predefined set of rules provided by a software vendor to identify traffic that is unacceptable.

heuristic monitoring

A monitoring system that uses known best practices and characteristics in order to identify and fix issues within the network.

Secure Shell (SSH) Connections

A more secure replacement for the common command line terminal utility Telnet and FTP Allows you to securely remote into a router.

Triple DES (3DES)

A more-secure variant of DES that repeatedly encodes the message using three separate DES keys; 16 rounds per pass

Motion Detection

A motion detector, or motion sensor, is a device that senses movement or sound in a specific area

DoS attack (Denial of Service attack)

A network attack in which an attacker disables systems that provide network services by consuming a network link's available bandwidth, consuming a single system's available resources, or exploiting programming flaws in an application or operating system.

DDoS attack (Distributed Denial of Service attack)

A network attack in which an attacker hijacks or manipulates multiple computers (through the use of zombies or drones) on disparate networks to carry out a DoS attack.

eavesdropping attack

A network attack that uses special monitoring software to gain access to private communications on the network wire or across a wireless network. Also know as a sniffing attack.

sniffing attack (eavesdropping)

A network attack that uses special monitoring software to gain access to private communications on the network wire or across a wireless network. Also known as an eavesdropping attack.

DMZ

A network between the internal network and the Internet with a firewall on both sides.

application aware device

A network device that manages information about any application that connects to it.

load balancer

A network device that performs load balancing as its primary function.

directory service

A network service that stores identity information about all the objects in a particular network, including users, groups, server, client computers, and printers.

P2P (peer-to-peer)

A network that has a broadcast application architecture that distributes tasks between peer systems who have equal privileges, and in which resource sharing, processing, and communications controls are decentralized.

nmap

A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.

netcat

A network utility program that reads from and writes to network connections. Connects to TCP and UDP ports, transmit files, execute commands.

Read-Only Domain Controller (RODC)

A new feature of Active Directory Domain Services in Windows Server 2008, that provides the same authentication and authorization services as a standard domain controller, but administrators cannot make changes on an it directly. No multi-master replication

upgrade

A new version (Win 7 - 10) or edition (Pro - Enterprise) of a software program that includes new features or a change in the software design.

Rule-Based Access Control

A non-discretionary access control technique that is based on a set of operational rules or restrictions.

TCP/IP (Transmission Control Protocol / Internet Protocol)

A non-proprietary, routable network protocol suite that enables computers to communicate over all types of networks.

hash

A number generated by an algorithm from a text string. Also known as a message digest. Hashing is based on a file's binary composition, not its viewable ASCII characters.

Passive fingerprinting

A passive method of identifying the OS of a targeted computer or device. No traffic or packets are injected into the network attackers simply listen to and analyze existing traffic.

OTP (one-time password)

A password that is generated for used in one specific session and becomes invalid after the session ends.

strong password

A password that meets the complexity requirements that are set by a system administrator and documented in a password policy.

hotfix

A patch that is often issued on an emergency basis to address a specific security flaw.

Penetration Testing

A penetration tests seeks to exploit vulnerabilities

mantrap

A physical security control system that has a door at each end of a secure chamber.

logic bomb

A piece of code that sits dormant on a target computer until it is triggered by the occurrence of specific conditions, such as a specific date and time. Once the code is triggered, the logic bomb "detonates," performing whatever action it was programmed to do.

device

A piece of hardware such as a computer, server, printer, or smartphone.

succession plan

A plan that ensures that all key business personnel have on or more designated backups who can perform critical functions when needed.

continuity of operations plan

A plan that includes best practices to mitigate risks and attacks and the best measures to recover from an incident.

Disaster Recovery Plan (DRP)

A plan that prepares (reactive) an organization to react appropriately if the worst were to happen.

DRP (disaster recovery plan)

A plan that prepares the organization to react appropriately in a natural or man-made disaster and provides the means to recover from a disaster.

VLAN (virtual local area network)

A point-to-point physical network that is created by grouping selected hosts together, regardless of their physical location.

BCP (business continuity plan)

A policy that defines how normal day-to-day business will be maintained in the event of a business disruption or crisis.

802.1x

A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

cold site

A predetermined alternate location where a network can be rebuilt after a disaster.

VPN (Virtual private network)

A private network that is configured within a public network, such as the Internet.

Fuzzing

A process by which semi-random data is injected into a program or protocol stack for detecting bugs. Looking for something out of the ordinary. It checks to see if common errors will crash a certain program/ application.

bluesnarfing

A process in which attackers gain access to unauthorized information on a wireless device using a Bluetooth connection.

Viruses

A program or piece of code that runs on your computer without your knowledge. Replicates when an infected file is executed or launched, requires action on the users part.

drive-by download

A program that is automatically installed on a computer when you access a malicious site, even without clicking a link or giving consent.

anti-spam

A program that will detect specific words that are commonly used in spam messages.

SQL (Structured Query Language)

A programming and query language common to many large-scale database systems.

perfect forward secrecy

A property of public key cryptographic systems that ensures that any session key derived from a set of long-term keys cannot be compromised if one of the keys is compromised at a future date.

WAP (Wireless Application Protocol)

A protocol designed to transmit data such as web pages, email, and newsgroup postings to and from wireless devices such as mobile phones, smartphones, and tablets over very long distances, and display the data on small screens in a web-like interface.

SSH (Secure Shell)

A protocol for secure remote logon and secure transfer of data.

FTPS (File Transfer Protocol Secure)

A protocol that combines the use of FTP with additional support for TLS and SSL.

HTTP (Hypertext Transfer Protocol)

A protocol that defines the interaction between a web server and a browser.

Fiber Channel

A protocol that implements links between data storage networks using special-purpose cabling to increase performance and reliability.

iSCSI (Internet Small Computer System Interface)

A protocol that implements the links between data storage networks using IP.

SCP (Secure Copy Protocol)

A protocol that is used to securely transfer computer files between a local and remote host, or between two remote hosts, using SSH.

SSTP (Secure Socket Tunneling Protocol)

A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.

Internet Control Message Protocol (ICMP)

A protocol to test for connectivity and search for configuration errors in a network Ping Tracert

DHCP (Dynamic Host Configuration Protocol)

A protocol used to automatically assign IP addressing information to IP network devices.

Elliptic Curve Cryptography

A public-key cryptosystem based upon complex mathematical structures. Used for mobile and wireless device. Faster and consumes fewer resources. 160-bit key that is equivalent to the 1024-bit RSA Key.

high availability

A rating that expresses how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.

log

A record of significant events. In computing, it is using an operating system or application to record data about activity on a computer.

Single Sign-On SSO

A relationship between the client and the network wherein the client is allowed to log on one time

SQL Database

A relationship table based structuring scheme used in databases. Brings everything that is true and presents it to you.

S-box

A relatively complex key algorithm that when given the key, provides a substitution key in its place.

stream cipher

A relatively fast type of encryption that encrypts data one bit at a time.

PAP (Password Authentication Protocol)

A remote access authentication service that sends user IDs and passwords as cleartext.

Replay attacks

A replay attack is the re-transmission of captured communications in hope of gaining access to the targeted system

private root CA

A root CA that is created by a company for use primarily within the company itself.

public root CA

A root CA that is created by a vendor for general access by the public.

ping sweep

A scan of a range of IP addresses to locate active hosts within the range.

key storage

A secure repository for key assignment records.

FTP over SSH

A secure version of FTP that uses an SSH tunnel to encrypt files in transit. SFTP.

HTTPS (Hypertext Transfer Protocol Secure)

A secure version of HTTP that supports e-commerce by providing a secure connection between a web browser and a server.

Principle of Least Privilege

A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job.

mutual authentication

A security mechanism that requires that each party in a communication verifies its identity.

Application Whitelisting

A security option that prohibits unauthorized software from being able to execute. Approves things to put on a device everything else deny by default.

TKIP (Temporal Key Integrity Protocol)

A security protocol created by the IEEE 802.11i task group to replace WEP.

TLS (Transport Layer Security)

A security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection.

SSL (Secure Sockets Layer)

A security protocol that uses certificates for authentication and encryption to protect web communication.

hardening

A security technique in which the default configuration of a system is altered to protect the system against attacks.

encryption

A security technique that converts data from plain, or cleartext form, into coded, or ciphertext form so that only authorized parties with the necessary decryption information can decode and read the data.

honeypot

A security tool used to lure attackers away from the actual network components. Also Called a decoy or sacrificial lamb.

virus

A self-replicating piece of code that spreads from computer to computer by attaching itself to different files.

worm

A self-replicating piece of code that spreads from computer to computer without attaching to different files.

Password Policy

A series of Group Policy settings that determine password security requirements, such as length, complexity, and age.

RC (Rivest Cipher)

A series of variable key-length symmetric encryption algorithms developed by Ronald Rivest.

CA (Certificate Authority)

A server that can issue digital certificates and the associated public/ private key pairs.

botnet

A set of computers that has been infected by a control program called a bot that enables attackers to exploit the computers to mount attacks

IPSec (Internet Protocol Security)

A set of open, non-proprietary standards that you can use to secure data through authentication and encryption as the data travels across the network or the Internet.

PKCS (Public Key Cryptography Standards)

A set of protocol standards developed by a consortium of vendors to send information over the Internet in a secure manager using a PKI.

protocol

A set of rules governing the exchange or transmission of data between devices Standardize comms format specify order and timing and determining meaning

schema

A set of rules in a directory service for how objects are created and what their characteristics can be.

RAID (Redundant Array of Independent Disks)

A set of vendor-independent specifications for fault tolerant configurations on multiple-disk systems.

Bluetooth

A short-range wireless radio network transmission medium usually used between two personal devices, such as between a mobile phone and wireless headset.

NAT (Network Address Translation)

A simple form of Internet security that conceals the internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

LDAP (Lightweight Directory Access Protocol)

A simple network protocol used to access network directory databases, which store information about authorized users and their privileges as well as other organizational information.

NetBIOS

A simple, broadcast-based naming service.

CA hierarchy

A single CA or group of CAs that work together to issue digital certificates.

VPN concentrator

A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.

Hierarchical CA Model

A single group of CAs that work together to issue digital certificates. Think of it as a platoon Sergeant who issues objectives to different teams.

all-in-one-security appliance

A single network device that is used to perform a number of security functions to secure a network.

session key

A single-use symmetric key used in encrypting messages that are in a series of related communications.

computer forensics

A skill that deals with collecting and analyzing data from storage devices, computer systems, networks, and wireless communications and presenting this information as a form of evidence in the court of law.

DMZ

A small network between the internal network and the Internet that provides a layer of security and privacy

cookie

A small piece of text saved on a computer by a web browser that consists of one or more name-value pairs holding bits of information useful in remembering user preferences.

DMZ (demilitarized zone)

A small section of a private network that is located between two firewalls and made available for public access.

patch

A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.

IP address

A software address, Internet Protocol; a unique string of numbers separated by periods that identifies each computer on a network; 32 bits / 4 bytes; NET_ID / HOST_ID

IDS (intrusion detection system)

A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

firewall

A software or hardware device that protects a system or network by blocking unwanted network traffic.

web security gateway

A software program used primarily to block Internet access to a predefined list of websites or category of websites within an organization or business.

security incident

A specific instance of a risk event occurring whether or not it causes damage.

Keys

A specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption

Ciphers

A specific set of actions used to encrypt data

802.11g

A specification for wireless data throughput at the rate of up to 54 Mbps in the 2.4 GHz band that is a potential replacement for 802.11b

TPM (Trusted Platform Module)

A specification that includes the use of cryptoprocessors to create a secure computing environment.

RADIUS (Remote Authentication Dial-In User Service)

A standard protocol for providing centralized authentication and authorization services for remote users.

Office 365

A subscription service we receive that offers online apps and storage in the OneDrive. License is based on user, not device.

AES (Advanced Encryption Standard)

A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

3DES Triple Data Encryption Standard

A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks.

DES (Data Encryption Standard)

A symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key, with 8 bits used for parity.

Twofish

A symmetric key block cipher, similar to Blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits.

Public Key Infrastructure (PKI)

A system composed of: Certificate Authority CA Registration Authority Certificates (OSCSP) Certificate Revocation List (CRL)

RBAC (Role-Based Access Control)

A system in which access is controlled based on a user's role. Users are assigned to roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts.

MAC (Mandatory Access Control)

A system in which objects (files and other resources) are assigned security labels of varying levels, depending on the object's sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object's security label. If there is a match, the user can access the object; if there is no match the user is denied access.

environmental controls

A system or device that is implemented to prevent or control environmental exposures or threats.

HVAC system (Heating, ventilation, and air conditioning)

A system that controls the air quality and flow inside a building.

PKI (Public Key Infrastructure)

A system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and/ or entities.

proxy server

A system that isolates internal networks from the Internet by downloading and storing Internet files on behalf of internal clients.

certificate management system

A system that provides the software tools to perform the day-to-day functions of a PKI.

WIDS (wireless intrusion detection system)

A system that uses passive hardware sensors to monitor traffic on a specific segment of a wireless network.

NIDS (network intrusion detection system)

A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.

Active Asset Tracking (MOBILE DEVICES)

A system will push out a request for the device to respond

change management

A systematic way of approving and executing change in order to ensure maximum security, stability, and availability of information technology services.

Tabletop Exercises

A tabletop exercise is a discussion meeting focused on a potential emergency event

Spear Phishing

A targeted version of phishing. It involves going after a smaller group or specific individual.

router redundancy

A technique for employing multiple routers in teams to limit the risk of routing failure should a router malfunction.

Frequency Analysis

A technique that is based on how frequently certain letters appear in English versus others.

key strretching

A technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks.

IV (initialization vector)

A technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption.

Attack

A technique used to exploit a vulnerability

attackers

A term for users who gain unauthorized access to computers and networks for malicious purposes.

VoIP (Voice over IP)

A term used for a technology that enables you to deliver telephony communications over a network by using the IP protocol.

black box test

A test in which the tester is given no information about the system being tested.

white box test

A test in which the tester knows about all aspects of the systems and understands the function and design of the system before the test is conducted.

grey box test

A test in which the tester may have knowledge of internal architectures and systems, or other preliminary information about the system being tested.

fuzzing

A testing method used to identify vulnerabilities and weaknesses in applications, by sending the application a range of random or unusual input data and nothing failures and crashes.

key escrow agent

A third party that maintains a backup copy of private keys.

malicious insider threat

A threat originating from an employee in an organization who performs malicious acts, such as deleting critical information or sharing this critical information with outsiders, which may result in a certain amount of loss to the organization.

Hoaxes

A threat that doesn't really exist. Can consume a lot of resources.

flood guard

A tool used by network administrators and security professionals to protect resources from flooding attacks, such as DDoS attacks.

symmetric encryption

A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.

asymmetric encryption

A two-way encryption scheme that uses paired private and public keys.

UDP flood

A type of DoS attack in which the attacker attempts to overwhelm the target system with UDP ping requests. Often the source IP address is spoofed, creating a DoS condition for the spoofed IP.

SYN flood

A type of DoS attack in which the attacker sends multiple SYN messages initializing TCP connections with a target host.

buffer overflow

A type of DoS attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer.

permanent DoS attack

A type of DoS attack that targets the hardware of a system in order to make recovery more difficult. (phlashing)

reflected DoS attack

A type of DoS attack that uses a forged source IP address when sending requests to a large number of computers. This causes those systems to send a reply to the target system causing a DoS condition.

SYN flood

A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service.

ICMP flood

A type of Dos Attack that exploits weaknesses in ICMP. Specific attacks include Smurf attacks and ping floods.

site-to-site VPN

A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.

XSRF (cross-site request forgery)

A type of application attack where an attacker takes advantage of the trust established between an authorized user of a website and the website itself.

XSS (cross-site scripting)

A type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users.

backdoor attack

A type of attack where the attacker creates a software mechanism to gain access to a system and its resources. This can involve software or a bogus user account.

social engineering attack

A type of attack where the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery.

keystroke authentication

A type of authentication that relies on detailed information that describes exactly when a keyboard key is pressed and released as someone types information into a computer or other electronic device.

IM (instant messaging)

A type of communication service which involves a private dialogue between two persons via instant text-based messages over the Internet.

phishing

A type of email-based social engineering attack, in which the attacker sends email from a spoofed source, such as a bank, to try to elicit private information from the victim.

quantum cryptography

A type of encryption based on quantum communication and quantum computation.

SCADA system (supervisory control and data acquisition)

A type of industrial control system that monitors and controls industrial processes such as manufacturing and fabrication, infrastructure processes such as power transmission and distribution, and facility processes such as energy consumption and HVAC systems.

replay attack

A type of network attack where an attacker captures network traffic and stores it for re transmission at a later time to gain unauthorized access to a network.

dictionary attack

A type of password attack that automates password guessing by comparing encrypted passwords against a predetermined list of possible password values.

birthday attack

A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.

brute force attack

A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try cracking encrypted passwords.

takeover attack

A type of software attack where an attacker gains access to a remote host and takes control of the system.

malicious code attack

A type of software attack where an attacker inserts malicious software into a user's system.

password stealer

A type of software that can capture all passwords and user names entered into the IM application or social networking site that it was deigned for.

impersonation

A type of spoofing in which an attacker pretends to be someone they are not, typically and average user in distress, or a help desk representative.

block cipher

A type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks, It is usually more secure, but is also slower, than stream ciphers.

MAC address (Media Access Control address)

A unique physical address assigned to each network adapter board at the time of manufacture.

User Acceptance

A user needs to sign this prior to On-boarding their device within the Enterprise. The User Acceptance will cover restrictions, security settings, and MDM tracking.

cracker

A user who breaks encryption codes, defeats software copy protections, or specializes in breaking into systems.

System Restore

A utility in Windows that restores system settings to a specific previous date when everything was working properly. Returns to 'restore point' using snapshots

PATH variable

A variable that stores a list of directories that will be searched in order when commands are executed without an absolute or relative pathname.

BSD (Berkeley Software Distribution)

A version of UNIX developed out of the original UNIX source code and given free to the University of California at Berkeley by AT&T.

Cloud Computing

A very general term which describes anything that involves delivering hosted computing service over the internet. It is a hard drive which you save stuff too over the internet.

Logic Bombs

A virus designed to execute malicious actions when a certain even occurs or time goes by.

polymorphic malware

A virus that is able to alter its decryption module each time it infects a new file.

armored virus

A virus that is able to conceal its location or otherwise render itself harder to detect by anti-malware programs.

captive portal

A web page that a client is automatically directed to when connecting to a network, usually through public Wi-Fi.

XML (eXtensible Markup Language)

A widely adopted markup language used in many documents, websites, and web applications.

pop-up

A window or frame that loads and appears automatically when a user connects to a particular web page.

802.11ac

A wireless communication protocol that improves upon 802.11n by adding wider channels to increase bandwidth.

WPA (Wi-Fi Protected Access)

A wireless encryption protocol that generates a 128-bit key for each packet sent. Superseded by WPA2.

802.11b

A wireless network standard that uses the 2.4 GHz band at a speed of up to 10 Mbps. (13)

802.11n

A wireless standard for home and business implementations that adds QoS features and multimedia support to 802.11a and 802.11b.

Access Control List

ACL; in Windows, list of permissions based on user and group SID

FVEK

AES 128 or 256 key that encrypts and decrypts all sectors on BitLocker protected drive

attack back

AKA active defense (retaliation). legal concerns great. AKA 'offensive countermeasures'. must have attribution.

Windows on ARM

ARM platform: medical devices, GPS, mobile, lower power, less heat, more battery life)

ARP Poisoning

ARP does not require any type of validation, as ARP requests are sent the requesting devices believe that the incoming ARP replies are from the correct devices

ARP Poisoning Attack

ARP poisoning attack, some Ethernet switches flood the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on VOIP traffic.

pfirewall.log

ASCII text file for writing Windows Firewall log data 32 MB maximum

Router Access Control List

Ability to filter packets, by source address, destination address, protocol, or port

ACE

Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS. If conflict, DENY gray-checked: inherited solid-checked: explicit to object C: explicit only inheritance is NOT mandatory

Role-Based Access Control

Access control based on a user's role. What role do you have? Are you the proper member of that group to inherent those rights?

Rule-Based Access Control

Access control list based on a set of rules. Non-Discretionary.

transitive access

Access given to certain members in an organization to use data on a system without the need for authenticating themselves.

AP

Access point, short for wireless access point (WAP). APs provide access to a wired network to wireless clients. Many APs support isolation mode to segment wireless uses from other wireless users.

Brute Force

Accomplished by applying every possible combination of characters that could be the key. 100% successful - time is the factor

ACK

Acknowledgment TCP flag; set on all headers after connection established

ADFS

Active Directory Federation Services installed on Windows Server to provide users with SSO access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.

Malicious add-ons

Active content within websites offers an attractive attack space for aggressors, who might craft special "drivers" required for content access that are in fact Trojans or other forms of malware

Cross-Site Scripting

Adding a script to execute when users access it and it will then attack other websites on user's behalf. Can be used to get personal data using this method because the user is going to be trusted.

ARP

Address Resolution Protocol. An Internet protocol used to map an IP address to a MAC address. Defined in RFC 826.

ASLR

Address space layout randomization, randomizes memory addresses in use, which can help ensure that an attacker cannot predict where their shellcode will reside within memory in order to execute it. Can be bypassed by using a technique known as egg-hunting. Which involves executing a code stub that will ID where the attacker's malicious payload is located within memory.

Reporting

After containment has been established, the incident response team will fully document the incident and make recommendations about how to improve the environment to prevent recurrence

Hashing

Algorithm to provide a message digest

Key Management (MOBILE DEVICES)

Algorithms need to be strong. Always a concern when cryptography is involved.

Differential Backup

All Selected files that have changed since the last full backup are backed up

Unified Threat Management Device (UTM)

All in one appliance that has Web security gateway, Url Filter, and Malware Inspection Filter

Guards

All physical security controls, whether static deterrents or active detection and surveillance mechanisms, ultimately rely on personnel to intervene and stop actual intrusions and attacks

Access Lists

All secure entry points should have a readily available access list providing the permitted personnel and a black list, if applicable. The use of a black list can aid in the apprehension of suspects

Incremental Backup

All selected files that have changed since the last full or differential backup are back up

Authenticated Users group

All user accounts that have been authenticated to access the system except the Guest account. Compare to anonymous users. Have read, exe rights.

Infrastructure-as-a-Service (IaaS)

Allow the client to literally outsource everything that would normally be in a typical IT Department.

VPN

Allows a secure private connection over a public network, using an encrypted 'tunnel'. For example, a remote computer can securely connect to a LAN, as though it were physically connected.

Port Address Translation (PAT)

Allows a single public IP Address to host up to 65,536 simultaneous communications from internal clients. Uses TCP port numbers to host multiple simultaneous communications across each public IP address

NetBios

Allows applications on separate computers to communicate over LAN.

PaaS

Allows developers to create, test, and run their solutions on a cloud platform without having to purchase or configure the underlying hardware or software

Domain Name Service (DNS)

Allows host to resolve host-names (FQDN) to IP Addresses. Critical service must be protected.

Nat Overloading

Allows many IP's to be mapped to a single IP

Server clusttering

Allows servers to work together to provide access, ensuring minimal data loss from a server failure. Should one of the servers in the cluster fail, the remaining servers, or server, will assume the responsibilities, but with the possibility of decreased performance. The failed server can be repaired/replaced back into the cluster with minimal notice of performance shift.

Windows Event Collector Service

Allows you to configure a single server as a repository of Event Viewer information for multiple computers.

Proximity Readers

Also called "Prox Box". Can be passive, field-powered or transponder driven. A token stored in a carried device such as a smart card or security token is used in conjunction with the reader to control access to areas of importance

Smishing

Also known as sms phishing involves using phishing methods through a text message.

Recovery Time Objectives

Amount of time the business can be without the service, without incurring significant risks or significant losses

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)

An AES cipher-based encryption protocol used in WPA2. (as of this writing has not been cracked in any real world applications)

Centralized Management

An Advantage of virtualization server, database and office applications.

OCSP (Online Certificate Status Protocol)

An HTTP-based alternative to a certificate revocation list that checks the status of certificates.

802.1x

An IEEE standard used to provide a port based authentication mechanism over a LAN or WLAN

spim

An IM-based attack just like spam but which is propagated through instant messaging instead of through email.

ICMP (Internet Control Message Protocol)

An IP network service that report on connections between two hosts.

URL shortening service

An Internet service that makes it easier to share links on social networking sites by abbreviating URLs

IPv6 (IP version 6)

An Internet standard that increases the available pool of IP addresses by implementing a 128-bit binary address space.

IPv4 (IP version 4)

An Internet standard that uses a 32-bit number assigned to a computer on a TCP/IP network.

SAML (Security Assertion Markup Language)

An XML-based data format used to exchange authentication information between a client and a service.

Implicit Deny

An access control practice wherein resources availability is restricted to only those logons explicitly granted access, remaining unavailable even when not explicitly denied access.

NIPS (network intrusion prevention system)

An active, inline security device that monitors suspicious network and / or system traffic and reacts in real time to block it.

WIPS (wireless intrusion prevention system)

An active, inline security device that monitors suspicious network and/ or system traffic on a wireless network and reacts in real time to block it.

malicious add-on

An add-on that is meant to look like a normal add-on, except that when a user installs it, malicious content will be injected to target the security loopholes that are present in a web browser.

BPA (business partner agreement)

An agreement that defines how a business partnership will be conducted.

ISA (interconnection security agreement)

An agreement that focuses on securing technology in a business relationship.

HOTP (HMAC-based one-time password)

An algorithm that generates a one-time password using a has-based authentication code to verify the authenticity of the message.

IT contingency plan

An alternate plan that you can switch over to when faced with an attack or disruption of service.

Key Escrow

An alternate to key backups. Used to store keys securely

S-HTTP

An alternative to HTTPS which is developed to secure banking transactions

Simple Network Management Protocol (SNMP)

An application layer protocol whose purpose is to collect statistics from TCP/IP Devices. Used to monitor health of networked equipment.

Computer Management Console

An application that provides access to several of the most commonly used administrative tools such as Task Scheduler, Event Viewer, Local Users and Groups, Performance monitor, Device Manager,Services, and several others. compmgmt.msc get-help localuser

antivirus software

An application that scans files for executable code that matches specific patterns that are known to be common to viruses.

credential manager

An application that stores passwords in an encrypted database for easy retrieval by the appropriate user.

SNMP (Simple Network Management Protocol)

An application-layer service used to exchange information between network devices.

layered security

An approach to securing systems that incorporates man different avenues of defense.

identity management

An area of information security that is used to identify individuals within a computer system or network.

SSO (single sign-on)

An aspect of privilege management that provides users with one-time authentication to multiple resources, servers, or sites.

vulnerability scan

An assessment that identifies and quantifies weaknesses within a system, but does not test the security features of that system.

key generation

An asymmetric encryption process of generating a public and private key pair using a specific application.

ECC (elliptic curve cryptography)

An asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields.

integer overflow

An attack in which a computed result is too large to fit in its assigned storage space, leading to crashing, corruption, or triggering a buffer overflow.

pharming

An attack in which a request for a website, typically and e-commerce site, is redirected to a similar-looking, but fake, website.

sinkhole attack

An attack in which all traffic on a wireless network is funneled through a single node.

DNS poisoning

An attack in which an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.

URL hijacking

An attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is take to the attacker's website. (typo squatting)

DNS hijacking

An attack in which an attacker sets up a rogue DNS server. This rogue DNS server responds to legitimate requests with IP addresses for malicious or non-existent websites.

ransomware

An attack in which an attacker takes control of a user's system or data and demands a payment for return of that control.

watering hole attack

An attack in which an attacker targets a specific group, discovers which websites that group frequents, then injects those sites with malware. At lease one member of the group will be infected, possibly compromising the group itself.

Cross-Site Request Forgery (CSRF)

An attack in which the end user executes unwanted actions on a web application while the user is currently authenticated

packet sniffing

An attack on wireless networks where an attacker captures data and registers data flows in order to analyze what data is contained in a packet.

directory traversal

An attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

arbitrary code execution

An attack that exploits an applications vulnerability into allowing the attacker to execute commands on a user's computer.

clickjacking

An attack that forces a user to unintentionally click a link. An attacker uses opaque layers or multiple transparent layers to trick a user.

SQL injection

An attack that injects an SQL query into the input data directed at a server by accessing the client side of the application.

XML injection

An attack that injects corrupted XML query data so that an attacker can gain access to the XML data structure and input malicious code or read private data.

buffer overflow

An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.

MAC flood

An attack that sends numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch and switch can downgrade to hub

bluejacking

An attack that sends unsolicited messages to Bluetooth-enabled devices.

Directory Traversal

An attack that takes advantage of a vulnerability in the Web application program or the Web server software so that a user can move from the root directory to other restricted directories.

transitive access attack

An attack that takes advantage of the transitive access given in order to steal or destroy data on a system.

hardware attack

An attack that targets a computer's physical components and peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart card reader.

LDAP injection

An attack that targets web-based applications by fabricating LDAP statements that typically are created by user input.

hybrid password attack

An attack that utilizes multiple attack methods, including dictionary, rainbow table, and brute force attacks when trying to crack a password.

cookie manipulation

An attack where an attacker injects a meta tag in an HTTP header making it possible to modify a cookie stored in a browser.

stored attack

An attack where an attacker injects malicious code or links into a website's forums, databases, or other data.

port scanning attack

An attack where an attacker scans your systems to see which ports are listening in an attempt to find a way to gain unauthorized access.

attachment attack

An attack where the attacker can merge malicious software or code into a downloadable file or attachment on an application server so that users download and execute it on client systems.

session hijacking attack

An attack where the attacker exploits a legitimate computer session to obtain unauthorized access to an organization's network or services.

IV attack

An attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.

header manipulation

An attack where the attacker manipulates the header information that is passed between web servers and clients in HTTP requests.

reflected attack

An attack where the attacker poses as a legitimate user and sends information to a web server in the form of a page request or form submission.

Directory Traversal

An attacker is trying to gain access to restricted files by traversing thru your directories, like trying to find ways to get there, if one does not work maybe through here it might or through here

sql injection

An attacker issues a SQL command to a web server as part of the URL or as input to a form on a company's website; web server might pass the command onto the database which then allows potentially anything to be done to the database

Certificate-Based Authentication

An authentication method that uses a certificate instead of a password to establish an entity's identity.

NTLM (NT LAN Manager)

An authentication protocol created by Microsoft for used in its products.

Diameter

An authentication protocol that allows for a variety of connection types, such as wireless.

EAP (Extensible Authentication Protocol)

An authentication protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

Kerberos

An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.

Kerberos

An authentication system in which authentication is based on a time-sensitive ticket-granting system. It uses an SSO method where the user enters access credentials that are then passed to the authentication server, which contains the allowed access credentials.

RA (Registration Authority)

An authority in a PKI that processes requests for digital certificates from users.

DoS

An availability attack, to consume resources to the point of exhaustion; Denial of Service; flood of ICMP requests targets router takes down server

SFTP (Simple File Transfer Protocol)

An early unsecured file transfer protocol that has since been declared obsolete.

digital certificate

An electronic document that associates credentials with a public key.

hoax

An email-based or web-based attack that tricks the user into performing undesired actions, such as deleting important system files in an attempt to remove a virus, or sending money or important information via email or online forms.

spam

An email-based threat that floods the user's inbox with emails that typically carry unsolicited advertising material for products or other spurious content, and which sometimes deliver viruses. It can also be utilized within social networking sites such as Facebook and Twitter.

tabletop exercise

An emergency planning exercise that enables disaster recovery team members to meet and discuss their roles in emergency situations, as well as their responses in particular situations.

digital signature

An encrypted has value that is appended to a message to identify the sender and the message.

CHAP (Challenge Handshake Authentication Protocol)

An encrypted remote access authentication method that enables connections from any authentication method requested by the server, except for PAP and SPAP unencrypted authentication.

honeynet

An entire dummy network used to lure attackers.

security architecture review

An evaluation of an organization's current security infrastructure model and security measures.

code reviews

An evaluation used in identifying potential weaknesses in an application.

Threat

An event or action that could potentially result in a security violation

XTACACS

An extension to the original TACACS protocol.

PMI (Privilege Management Infrastructure)

An implementation of a particular set of privilege management technologies.

Compliancy and Security Posture

An important part of the long-term success of a security endeavor. Includes validating compliance and security posture

TOTP (timed HMAC-based one-time password)

An improvement on HOTP that forces one-time passwords to expire after a short period of time.

recovery agent

An individual with the necessary credentials to decrypt files that were encrypted by another user.

script kiddie

An inexperienced hacker with limited technical knowledge who relies on automated tools to hack.

MOU (Memorandum of understanding)

An informal business agreement that is not legally binding and does not involve the exchange of money.

risk

An information security concept that indicates exposure to the chance of damage or loss, and signifies the likelihood of a hazard or dangerous threat.

IPS (intrusion prevention system)

An inline security device that monitors suspicious network and/ or system traffic and reacts in real time to block it.

Initialization Vector (IV) Attack

An input to a cryptographic algorithm, which is essentially a random number. Unique and unpredictable

WPS (Wi-Fi Protected Setup)

An insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN. (Turn this off to increase security)

TFTP (Trivial File Transfer Protocol)

An insecure, limited version of FTP used primarily to automate the process of configuring boot files between computers.

Trojan horse

An insidious type of malware that hides itself on an infected system and can pave the way for a number of other types of attacks.

intrusion

An instance of an attacker accessing your computer system without the authorization to do so.

PowerShell ISE

An integrated scripting environment that includes a text editor.

application whitelisting

An inventory of applications and associated components (libraries, configuration files, etc.) that have been pre-approved and authorized to be active and present on the device.

guideline

An official recommendation or advice that indicates policies, standards, or procedures for how something should be accomplished.

snort

An open source network intrusion detection system (IDS) utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods can detect data-driven attacks like buffer overflow

Vulnerability

An opening or weakness

static environment

An operating system or other environment that is not updated or changed.

Security Policy

An organization should have a clear outline that is created by senior management that addresses all areas of security

Acceptable Use Policy (AUP)

An organization's acceptable use policy must provide details that specify what users can do on the network

Advanced Persistent Threat (APT)

An organized group of attackers who are highly motivated, skilled, and patient. They are often sponsored by a government, are focused on a specific target, and will continue attacking for a very long time until they achieve their goal.

policy statement

An outline of the plan for an individual security component.

rogue access point

An unauthorized wireless access point on a corporate or private network, which allows unauthorized individuals to connect to the network.

rogue machine

An unknown or unrecognized device that is connected to a network, often for nefarious purposes.

Implicit Deny

An unwritten access-control entry

Frequency Analysis

Analyzing blocks of an encrypted message to determine if any common patterns exist by using common occurrences in the English language

ARO

Annualized Rate of Occurrence | estimated frequency at which the threat is expected to occur

anomaly analysis based IDS

Anomaly analysis-based IDS looks for changes to the normal patterns of traffic using inclusive analysis which means the IDS vendor identifies and defines anomalous behavior

Bcrypt

Another example of a key-stretching technology. It's based on the Blowfish cipher. It uses salting, and it includes an adaptive function to increase iterations over time

TACAS

Another example of an AAA Server. Cisco proprietary. Runs on TCP port 49. Begins with T so TCP port 49. Entire packet is encrypted unlike RADIUS.

subordinate CAs

Any CAs below the root in the hierarchy.

software attack

Any attack that targets software resources, including operating systems, applications, protocols, and files.

multi-factor authentication

Any authentication scheme that requires validation of at least two of the possible authentication factors.

vulnerability

Any condition that leaves a system open to harm.

Hardware

Any element in your IT infrastructure, component in your physical environment, or person on your staff can be a single point of failure

key exchange

Any method by which cryptographhic keys are transferred among users, thus enabling the use of cryptographic algorithm.

wireless security

Any method of securing your wireless LAN to prevent unauthorized access and data theft while ensuring that authorized users can connect to the network.

personal identification verification card

Any physical token like a smart card that is used in identification and authentication. (CAC)

multi-function network device

Any piece of network hardware that is meant to perform more than one networking task without having to be reconfigured.

Static IT Environment

Any system that is intended to remain unchanged by users and administrators. The goal is to prevent or at least reduce the possibility of a user implementing change that could result in reduced security or functional operation

attack

Any technique that is used to exploit a vulnerability in any application on a computer system without the authorization to do so.

input validation

Any technique used to ensure that the data entered into a field or variable in an application is within acceptable bounds for the object that will receive the data.

password attack

Any type of attack in which the attacker attempts to obtain and make use of passwords illegitimately.

resource

Any virtual or physical components of a system that have limited availability. A physical resource can be any device connected directly to a computer system. A virtual resource refers to any type of file, memory location, or network connection.

Provides the rules that indicate how the certificate will be used and its purpose

Anything that was taken away or revoked before its expiration date. Each CA has its own CRL that can be accessed through directory services of the network operating system

Backdoors

Application code functions created intentionally or unintentional that enable unauthorized access. Often placed through malware.

Wireshark

Application that captures and analyzes network packets; can sniff wired, wifi, VoIP and bluetooth

Key Generation

Application that generates a pair of public and private key. Key pair has a mathematical relationship which can not be spoofed

Penetration tests

Are almost always considered active

Transitive Trust / Authentication

Are potential backdoor or ways to work around traditional means of access control

Clustering

Array of 4 server to accomplish one task

Spyware

Associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Key loggers are an example of this

Sniff and Crack

Attack on NTLM (especially v1) where attacker captures traffic, then cracks weakly protected passwords

Zero-day

Attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer

P2P attacks

Attacks that are launched by malware propagating within a P2P architecture to launch DoS attacks.

application attacks

Attacks that are targeted at web-based and other client-server applications.

client-side attacks

Attacks that exploit the trust relationship between a client and the server it connects to.

segmentation fault

Attempt by a program to access memory not its own. A segfault may be caused by a dereferencing an uninitialized pointer, going past the end of an array, etc.

Phishing

Attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email

IPSec Security Association SA

Authenticates and negotiates end users and manages secret keys

IPsec Services

Authentication and encapsulation standard is widely used to establish secure VPN communications

Internet Protocol Security (IPsec)

Authentication and encapsulation standard is widely used to establish secure VPN communications

biometrics

Authentication schemes based on individuals' physical characteristics.

Captive Portals

Authentication technique that redirects a newly connected wireless web client to a portal access control page.

XSRF Cross Site Forgery Prevention

Authentications should be protected and encrypted. Technic used to try to act as you and act in your behalf.

Mean Time To Restore (MTTR)

Average time that it will take to recover from any failure

BITS

Background Intelligent Transfer Service; runs in background to update Windows; can set up custom groups

Full Backup

Backs up all selected files regardless of the stat of archived bit

Bio-metrics

Based on an individuals' physical characteristics. Who you ARE

NoSQL

Based system uses hierarchical structuring rather than relationship

Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)

Basic web connectivity using Hypertext Transport Protocol HTTP. An alternative that involves the use of TLS and SSL

User Rights and Permissions Reviews

Be sure to review user rights and permissions to make sure they meet your needs for confidentiality.

Types of Network Monitoring Systems

Behavior Based, Signature Based, Anomaly-Based and Heuristic.

Data Encrypted Standard (DES)

Block-cipher, Will encrypt 64-bit blocks or chunks of data at a time, Uses a 56-bit Key, and Short key length makes it weak

BEHN

Bluetooth Network Encapsulation Protocol (wifi hostspot)

port 67 and 8

Bootp

Grey Hat

Both ethical and unethical at times. A fence sitter.

on-boarding

Bringing new employees or business partners up to speed on security protocols.

Session hijacking

Browser traffic is easily identifiable by an attacker who may elect to hijack legitimate user credentials and session data for unauthorized access to secured resources

WPS attacks

Brute force attacks were used to exploit the access codes used during WPS connection negotiation without the need to physically press the button to connect

Birthday Attack

Built on the premise that if 23 people are in a room, there is a probability that 2 people will have the same birthday

BPA

Business Partners Agreement

BCP

Business continuity plan. last line of defense predict and plan for potential outages of critical services or functions. includes DRP elements to return critical BUSINESS functions to operation. BIA is under BCP and drives decisions to create redundancies such as failover clusters or alternate sites.

CCMP

CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality Replaced TKIP in WPA

Polymorphic

Can change form each time it is executed. It was developed to avoid detection by antivirus software

netstat command

Can display a variety of information about IP-based connections on a Windows or UNIX host. -a all ports -l listening ports -at all tcp -au all udp -s stats

Proxy Server

Can limit a users access to external websites

Kerberos

Can prevent man in the middle attacks. A centralized authentication solution. Contains the KDC or Key Distribution Center. Uses TCP Port 88.

Sniffers

Capture network traffic from low level packets. Can be used by network administrators to troubleshoot but can also be used for malicious reasons.

Incident Management

Carried out immediately after a security breach was detected

CSMA / CD

Carrier Sense Multiple Access with Collision Detection. It is the method for multiple hosts to communicate on a Ethernet.

CIS

Center for Internet Security; hardening guides and other tools

Syslog-ng

Centralized syslog collector and syslog replacement

CA

Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

chgrp

Change group ownership

XSS Prevention

Checks for the input of embedded scripts. Validates the input prior to storing. XSS Scripting is when you are on a website and you click on a link, than that link will forward you to a virus.

CDP

Cisco Discovery Protocol; transmits in the clear; manipulation attack; disable this protocol

IOS

Cisco Internetwork Operating System Software that provides the majority of a router's or switch's features, with the hardware providing the remaining features.

LEAP

Cisco Proprietary authentication

LEAP (Lightweight Extensible Authentication Protocol)

Cisco Systems' proprietary EAP implementation.

TACACS+

Cisco's extension to the TACACS protocol that provides multi-factor authentication.

bluetooth classes

Class 1 has a maximum transmission range of 100 meters; Class 2 (the most common) has a range of 10 meters; Class 3 is short range and hardly used at 1 meter. Bluetooth version 1 has a maximum data transfer rate of 721 kb/s; Version 2 is 2.1 Mb/s; Version 3 is 24 Mb/s

Video Surveillance

Closed Circuit Television (CCTV)Often many different cameras networked together

Private Cloud

Cloud Service within a corporate network isolated from the internet.

Clustering

Clustering means deploying two or more duplicate servers in such a way as to share the workload of a mission-critical application

big data

Collections of data that are so large and complex that they cannot be managed using traditional database management tools.

Hash-Based Message Authentication HMAC

Combines a hash with a secret key

C2

Command and control (by attacker)

airodump-ng

Command used to collect RF; available wireless networks and clients

CIFS

Common Internet File System TCP Port 445, UDP Port 137, 138, 139 - Dialect of Server Message Block (SMB) protocol. - Enables the sharing of folders/files, printers and ports over a network.

Availability

Company that purchased an HVAC system is most concerned with this

Signature Based Detection

Compares event patterns against known attack patterns.

Baseline reporting

Compares existing implementations against expected baselines

ZigBee

Competes with Bluetooth in non consumer markets | short-range low-power network technology used for the Internet of Things product tracking etc

IT contingency planning

Component of the Business Continuity Plan (BCP) that specifies alternate IT contingency procedures that you can switch over to when you are faced with an attack or disruption of service leading to a disaster for an organization.

TCP / IP

Comprised of four main protocols: 1.)Internet Protocol IP 2.)Transmission Control Protocol TCP 3.)User Datagram Protocol UDP 4.)Internet Control Message Protocol ICMP

Standalone Computer

Computer that is not connected to other computers and that uses software applications and data stored on its local disks.

ALE

Concept requires an organization to determine the number of failures per year.

Encryption

Confidentiality

CIA Triad

Confidentiality, Integrity, Availability

CIA

Confidentiality, Integrity, Availability (triad)

CIA triad

Confidentiality, integrity, availability. The three principles of security control and management. Also know as the information security triad or triple.

Windows security policies

Configuration settings within the Windows operating system that control the overall security behavior of the system.

UDP

Connection-less

Architecture Review

Considers the entire system

Cryptosystem

Consists of the algorithm (cipher) and cryptovariable (key), as well as all the possible plaintexts and ciphertexts produced by the cipher and key.

Mitigation steps

Containment prevents the further spread of a problem to other systems

Kerberos ticket

Contains information linking it to the user User presents ticket to network for a service Difficult to copy Expires after a few hours or a day

/usr/bin

Contains the executable programs installed by your Linux distribution

CFA

Controlled folder Access; also works as app whitelisting run in audit only mode to test

detection controls

Controls that are implemented to monitor a situation or activity, and react to any irregular activities by bringing the issue to the attention of administrators.

prevention controls

Controls that can react to anomalies by blocking access completely, thereby preventing damage to a system, building, or network.

correction controls

Controls that help to mitigate a consequence of a threat or attack from hazardously affecting the computer system.

Port Mirroring/Spanning

Copies the traffic from one, a group, or all ports to a single port and disallows bidirectional traffic on that port. Used to view traffic on other ports in a switched environment.

John the Ripper

Cracks encrypted password files. John's Cracking Modes: Single Crack Mode (uses variations of account name, GECOS, and more) Wordlist Mode (Uses Dictionary and Hybrid) Incremental Mode (uses brute force guessing) External Mode (uses an external program to generate guesses. John Autodetects passwords in: *standard & double length DES *BSDI exetended DES *FreeBSD Md5 *OpenBSD Blowfish * LANMAN

Mozilla Firefox

Created by Mozilla Corporation. It is a free and open source Web browser and its use has expanded rapidly in recent years. about:config (and other options) ESR versions supports containers to isolate different activities UAC compatible

CSC

Critical Security Controls (20) formerly SANS now maintained by Center for Internet Security (CIS) generally technical and preferably automated | offense informs defense automate control must map to attack

Reporting

Critical to the overall health and security of an organization.

Job Rotation

Cross training

CSRF

Cross-Site Request Forgery--Third-party redirect of static content within the security context of a trusted site.

XSS

Cross-site scripting. Attacker redirects users to malicious websites, steal cookies. E-mail can include an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack. Prevent with input validation.

Quantum Cryptography

Cryptography that does not rely upon mathematics

data fragmentation

DDBMS can divide and manage a logical object among various locations under its control

port 53

DNS

port 53 (UDP)

DNS

DNS Attacks

DNS Poisoning and DNS Hijacking

DNS Record Keeping

DNS records are kept in various places depending on the application

RPO Deals with what?

Data Loss

Data Loss Prevention (DLP)

Data Loss Prevention is the idea of systems specifically implemented to detect and prevent unauthorized access

DLP

Data Loss Prevention; Systems that monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed

Sensitivity of Data

Data has different sensitivities

Which is a security risk regarding the use of public P2P method of collaboration

Data integrity is susceptible to being compromised

What is a security risk regarding the use of public P2P as a method of collaboration

Data integrity is susceptible to being compromised.

Data backups

Data ownership needs to be addressed when dealing with backups Essential to data recovery in the event of loss or corruption

LSO (locally shared object)

Data stored on a user's computer after visiting a website that uses Adobe Flash Player. These can be used to track a user's activity.

ciphertext

Data that has been encoded with a cipher and is unreadable.

Written Security

Deals with management control

Succession planning

Deals with people. Ensures that all key business personnel have one or more designated back-ups who can perform critical functions when needed

Application Hardening

Default application admin accounts, standard passwords, and common services installed by default should also be reviewed and changed or disabled as required

Layered Security/ Defense in Depth

Defense in depth is the use of multiple types of access controls in literal or theoretical concentric circle or layers.

Purpose of an MOU

Defines onboard/offboard procedures

X.509 Standard

Defines the format of required data for Digital Certificate

standards

Definitions of how adherence to a policy will be measured.

DDoS

Denial of service attack committed using many computers, usually zombies on a botnet.

HIPS

Deploy on a machine to prevent malicious form entering systems.

VPN Concentrators

Deployed where the requirement is for a single device to handle a very large number of VPN tunnels

Application Patch Management

Describes the method for keeping computers up-to-date with new software releases that are developed after an original software product is installed

Temporal Key Integrity Protocol (TKIP)

Designed as the replacement for WEP without requiring replacement of legacy wireless hardware

Intrusion Detection System (IDS)

Designed to analyze data, identify attack and respond to the intrusion (Passive)

DaaS

Desktop as a Service; see AutoPilot

Error and Exception Handling

Determines how your computer handles errors.

PKIX

Develops Internet standards based on X.509

smart cards

Devices similar to credit cards that can store authentication information, such as a user's private key, on an embedded microchip. (CAC)

Soft data

Digital

DFIR

Digital Forensics and Investigation Response

Digital Certificates

Digitally signed block of data by the Issuing CA

Certificates

Digitally signed electronic documents that bind a public key with a user identity.

DMA

Direct memory access (DMA) is a feature which allows for the accessing of memory and controllers (video and network cards), without utilizing the CPU such

DAS (Directly attached Storage)

Directly connected

DRP

Disaster recovery plan part of BCP. A document designed as a RESPONSE for the tactical recovery of IT systems in the event of disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. Recovered systems are tested before returning them to operation, and this can include a comparison to baselines. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan. (IT focused), usually tactical, response; data center; biz ops; biz location' biz procs

tcpdump -e

Display Ethernet header data

Denial of Service (DOS)

Disrupt the resources or services that a user would expect to have access to. Taking away something you'd expect to have access to. Overwhelming your computer to shut down. Ping of death is a DOS attack. Is one to one

separation of duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records. Mitigate fraud

Data labeling, handling and disposal

Document and label everything. Disposal becomes a legal issue

Financial Server

Does not belong in a DMZ

Perform Routine Audits

Double checking policies are being audited. Might need to bring a third party.

BitLocker Drive Encryption

Drive encryption software offered in high-end versionsof Windows. BitLocker requires a special chip to validate hardware status and to ensure that the computer hasn't been hacked. AES 128 or 256

IPv4 versus IPv6

Due to the increased demand of devices IP addresses, IPv4 was not able to keep up with such an expansive demand. IPv4 32 bits IPv6 128 bits

NULL algorithm

ESP w/o message encryption

Windows Server sequence

Edition - version - interface (graphical or no) - roles

ECC

Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods

Port Security

Enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port. Disable unused ports.

ESP

Encapsulated Security Payload Ipsec protocol confidentiality through encryption of message contents but also message integrity origin authN and can use NULL algorithm support (plaintext)

ESP

Encapsulating Security Payload IPsec protocol confidentiality through encryption of message contents but also message integrity origin authN and can use NULL algorithm support (plaintext)

Block Cipher

Encrypt in fixed-length blocks of data. 64-bit, 128-bit, 256-bit. Pads the data to fill up a block

Stream Cipher

Encrypt one bit or byte at a time. High speed

Session Key

Encrypted key that is used for a communication session like SSL/ TLS.4

feature update

Enhancements to the software to provide new or expanded functionality, but do not address security vulnerability. Requires more testing. Windows 1709 (Sept 2017) twice a year

M of N Control

Ensures no single administrator can abuse the key recovery process

Availability

Ensures systems operate continuously and that authorized persons can access the data that they need

Integrity

Ensures that data isn't altered while in transit or while at rest

Confidentiality

Ensures that data remains private while at rest or in motion

Data Loss Prevention (DLP)

Ensuring that data does not get outside of your organization or in the hands of people who should not have access to that data

off-boarding

Ensuring that employees or partners leaving an organization or business relationship do not pose a security risk.

EOI

Event of interest; IDS decides if alert necessary

Wi-Fi Protected Access (WPA)

Every packet gets a unique encryption key. Uses RC4 Stream Cipher. Two different modes. 1.) WPA - PSK 2.) WPA-802.1x

Public key

Everyone has access to your Public Key. (located on the CA)

ALE (Annual Loss Expectancy)

Expected amount to lose annually from resources failing. Monetary measure of how much loss you can expect in a year. ALE = SLE * ARO

EF

Exposure Factor (0 - 100% asset loss)

Wireless Authentication: EAP

Extensible Authentication Protocol (EAP)

EAP

Extensible Authentication Protocol; use with AD, LDAP and RADIUS

Fibre Channel communication over Ethernet (FCoE)

FCoE is used to encapsulate Fibre Channel communications over Ethernet networks

TCP port 21

FTP File Transfer Protocol

File Transfer Protocol over SSL (FTPS)

FTP is unsecure protocol that sends username and password in plain- text form. User port 20 and 21

Fault Tolerance

Fault tolerance is the ability of a system to smoothly handle or respond to failure

FCoE (Fiber Channel over Ethernet)

Fiber Channel implementations that use high-speed Ethernet networks to transmit and store data.

FIC

File Integrity Checking uses crypto hashes to fingerprint files and alert administrators to changes

port 79

Finger (Unix program) (TCP/UDP)

host/personal firewalls

Firewalls installed on a single or home computer.

Firewall

First line of defense for a network. Uses packet filtering but doe not inspect content of packets.

Fencing

First line of defense in physical security. Entry points should be strategically located for both control and safety

Incidence Response Team

First people to be contacted in the event of a security breach

Business Impact Analysis (BIA)

Focuses on the relative impact on critical business functions due to the loss of operational capability due to threats. Used to determine the maximum allowable downtime for any system. Once a calculation is determined on how much revenue is lost during an outage, the maximum allowable downtime is used calculate how much downtime an organization can endure before revenue is affected. Useful to develop a disaster recovery plan; however, the calculation of the maximum allowable downtime is mostly used for calculating the Business Impact Analysis.

Tailgating

Following behind someone to gain access to a secured area

Mandatory Vacations

For audits, stress relieve and Job rotation

Local Users and Groups

For business and professional editions of Windows, a Windows utility console (lusrmgr.msc) that can be used to manage user accounts and user groups.

Microsoft Cloud Services (categories)

Free Hybrid Full

GPG

Free software that is based on the OpenPGP standard like PGP but uses open standards; encrypt / decrypt / sign / verify for confidentiality integrity and non repud

FHSS

Frequency-Hopping Spread Spectrum; method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver; many consumer devices in 2.4 GHz

FQDN

Fully Qualified Domain Name complete domain name for a host on the internet consists of the hostname and the domain name FQDN for a mail server might be mymail.somecollege.edu hostname is mymail, and the host is located within the domain somecollege.edu

Backup Techniques and Practices

Fundamental to any disaster recovery plan is the need to provide for regular backups of key information. Without a regular backup process, loss of data through accidents or directed attack could severely impair business processes

GPA

GNU Privacy Assistant

GPT

GUID partition table is a newer partition type that is used to create drives larger than 2 TB.

data leakage

Gaining access to data through unintentional methods that could lead to data loss or theft.

Patches

Generally used to add new functionality, update existing code operation, or to extend existing application capabilities. Update compatibility.

First Responders

Get the right people in place

Azure roles

Global Admin Admin Units (AU) like OU log in should be through hardened workstation or VM

Change Management

Good change management practices can mitigate unintentional internal risks caused by inappropriate alterations to systems, tools, or the environment Must be approved before any work happens!

Social Media Networks and or Applications

Great risk of exposure or negative reflection upon your organization is involved with social media.

GPMC

Group Policy Management console; used to edit GPO on domain controllers

HEAD / HTTP/1.0

HEAD method is identical to GET except that the server MUST NOT return a message-body in the response

inclusive analysis

HIDS, uses a list of keywords and phrases that define EOI alert if event matches list entry

exclusive analysis

HIDS, uses a list of keywords and phrases to ignore alert if event does not match list entry

procedure

HOW derived from policy and used for operations and therefore tactical operational mandatory

port 80

HTTP

POST

HTTP Method submits some data for the server to accept or process.

port 443

HTTPS

Electronic Activists ("Hacktivists")

Hack into government systems are ideologically driven

Footprinting

Hacker gathers information that is available.

Enumerating

Hacker tries to gain access to resources or other information such as users, groups, and network shares. May use social engineering

Black Hat

Hacker who exposes vulnerabilities for financial gain or malicious purpose

Collisions

Happen when two messages produce the same hash value

HSM

Hardware Security Module managed private encryption keys in HSM hosted at MS datacenter

network adapter

Hardware that translates the data between the network and a device.

Proper Lighting

Having well lit areas near access points can provide aid to cameras and guards alike

Data Classification

Helps apply proper security control of information

Steganography

Hide data within other data. Embedded in pictures, audio, document files

Mainframe

High-end computer systems used to perform highly complex calculations and provide bulk data processing

Mantraps

Holding area between two entry points that gives security personnel time to view a person before allowing access

HIPS

Host Based Intrusion Prevention System. A security application designed to monitor and analyze the local computer system for malicious or anomalous activity. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems that are restricted to a passive response (such as recording an event or sending notification to the manager's console) intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected by terminating processes or sessions, or by implementing network configuration changes on the fly (e.g instructing a firewall to reject IP traffic from certain address).

Samhain

Host-based intrusion detection system (HIDS) for file integrity checking can centrally monitor logs

HIDS

Host-based intrusion detection system. An IDS used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files.

ARO (annual rate of occurrence)

How many times per year a particular loss is expected to occur.

Measure Risks

How much is this going to affect my operations and what my cost vs risk is going to be

AGULP

How privileges and permissions should be applied Accounts (AD, person = acct) Global Groups (domain, RBAC); inner Universal Groups - forest; inner Local Groups - outer Permissions & Rights (up) inheritance is outer to inner

HVAC

Humidity and temperature control Overcooling causes condensation on equipment

HTML

Hypertext Markup Language, a standardized system for tagging text files to display data

HTTP

Hypertext Transfer Protocol; stateless; header

Firewall Benefits

ID; protection; NAT; detection

false positive

IDS alert no malicious activity analyst interprets

false negative

IDS fails to detect malicious activity no alert for real threat

true negative

IDS functions as designed anomalous activity detected alert is generated for analyst

true postive

IDS functions as designed anomalous activity detected alert is generated for analyst

Alarms

IDSs are systems designed to detect an attempted intrusion, breach or attack. Physical IDSs, known as burglar alarms, detect unauthorized activities and notify the authorities

SAM

IIS user account database for authN if AD not used

ISAKMP

IKE uses Internet Security Association and Key Management Protocol for key management

Oakley

IKE uses this protocol for key exchange

footprinting (authN)

IP, software / signature / system config to ascertain id of user or device requesting access

AH (IPsec)

IPsec Authentication Header adds key hashed authN Integrity Check Value (ICV) info to each packet to validate origin does not provide confidentiality but protects against replay

Internet Protocol Security (IPsec)

IPsec provides security for the Internet Protocol (IP) via its open framework.

Private cloud (internal or corporate cloud)

IT infrastructures that can be accessed only by a single entity or by an exclusive group of related entities that share the same purpose

Whaling

Identical to spear phishing except for the "size of the fish". Goes after high profile targets.

IAAA

Identification, authentication, authorization, accountability

Incident handling phase 2

Identification; alert early, primary handler, id witnesses, legal?

Risk Acceptance

Identifying residual risk is most important to this concept

Risk Mitigation

Identifying residual risk is most important to this concept

Windows Recovery Environment

If a Windows 8 computer fails to start, or if it crashes repeatedly, a technician can launch this. Which is simply another name given to Windows PE on a computer with Windows 8 already installed

Password Policy

Implemented in order to minimize data loss or theft.

physical security controls

Implemented security measures that restrict, detect, and monitor access to specific physical areas or assets.

DAC (Discretionary Access Control)

In DAC, access is controlled based on a user's identity. Objects are configured with a list of users who are allowed access to them. An administrator has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user is not on the list, access is denied.

access control

In IT security terms, the process of determining and assigning privileges to various resources, objects, and data.

authorization

In IT security terms, the process of determining what rights and privileges a particular entity has.

accounting

In IT security terms, the process of tracking and recording system activities and resource access.

MLS

In SELinux Multi-Level Security uses data classification and access levels, Bell LaPadula model

Access Control Lists (ACL)

In a DAC (discretionary access control) access control scheme, this is the list that is associated with each object, specifying the subjects that can access the object and their levels of access.

Barricades

In addition to fencing, are used to control both foot traffic and vehicles

Header Manipulation

In cases where a developer chooses to inspect and use the incoming headers, it is important to note that the headers originate at the client. Changes the header of the packet

strings program

In computer software, strings is a program in Unix-like operating systems that finds and prints text strings embedded in binary files such as executables. It can be used on object files and core dumps.

key

In cryptography, a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.

qubit

In quantum cryptography, a unit of data that is encrypted by entangling data with a sub-atomic particle such as a photon or electron that has a particular spin cycle. It is the equivalent of a bit in computing technology.

identification

In security terms, the process of attacking a human element to an authentication.

accountability

In security terms, the process of determining who to hold responsible for a particular activity or event.

authentication

In security terms, the process of validating a particular individual or entity's unique credentials.

evil twin attack

In social networking, an attack where an attacker creates a social network account to impersonate a genuine user, becoming friends with others and joining groups, and thus getting access to various types of personal and professional information. In wireless networking, a type of rogue access point at a public site that is configured to look like a legitimate access point in order to tempt a user to choose to connect to it.

account phishing

In social networking, and attack where an attacker creates an account and gets on the friends list of an individual just to try to obtain information about the individual and their circle of friends or colleagues.

IoC

Indicator of compromise - a data point that is extracted from security data and can be used as high fidelity predictor of system compromise; attack signatures, tampered logs; unauthZ access attempts

Program

Infects and executable program

IaaS

Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.

Security Posture

Initial baseline configuration, Continuous security monitoring, and remediation.

IV

Initialization vector. An provides randomization of encryption keys to help ensure that keys are not reused. WEP was susceptible to IV attacks because it used relatively small IVs. In an IV attack, the attacker uses packet injection, increasing the number of packets to analyze, and discovers the encryption key. WEP IV keyspace is 2**24

Macro

Inserted into a Microsoft Office document and emailed to unsuspected users.

SQL injection

Inserts malicious code into strings which are later passed to a database server. The SQL Server then passes and executes this code. This injection looks for a true statement. Tries to attack a database server.

stateful firewall

Inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic. The process of inspecting traffic to identify unique sessions is called stateful inspection.

dpkg

Installs, removes, updates, queries or verifies packages on a Debian-based Linux distribution.

procedures

Instructions that detail specifically how to implement a policy.

Hashing

Integrity

ICV

Integrity Check Value keyed hash added to Authentication Header in Ipsec includes each field that doesn't change in transit

IPC

Inter Process Communications- file share that facilitate communication between processes or threads

ISA

Interconnection Security Agreement

IIS

Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products. Use version >= 8.5 deploy in a separate forest for public exposure deploy on a standalone server

IKE

Internet Key Exchange IPsec uses this protocol to create a secure channel and document with Security Associations (SA) with key management (ISAKMP) and Oakley for key exchange

IPSec

Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.

IP (not intellectual property)

Internet Protocol; L3; TCP/IP internet layer; core routing; packets; addressing

iSCSI

Internet Small Computer System Interface (iSCSI) is a networking storage standard based on IP.

IDS

Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.

IPS

Intrusion prevention system. A preventative control that will stop an attack in progress. It is similar to an active IDS except that it's placed in line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.

War Driving

Involves driving around with a laptop system configured to listen for open Access Points (APs)

Risk Awareness

Involves evaluating assets, vulnerabilities, and threats in order to clearly define an organization's risk level

Avoidance

Involves identifying the risk and making the decision to no longer engage in the actions associated with that risk

Damage and Loss Control

Involves methodologies in order to protect assets from damage

Deterrence

Involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you

aggressive mode

Ipsec IKE mode doe not check the id of connection participants (if PKI used then id is inferred) contrast with main mode

main mode

Ipsec IKE mode that checks id of connection participants

Cygwin

Is a Unix-like environment and command-line interface for Microsoft Windows. Cygwin provides native integration of Windows-based applications, data, and other system resources with applications, software tools, and data of the Unix-like environment. It is not Linux and is not an emulator.

Blind SQL injection

Is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The results are usually not visible to the attacker.

Challenge Handshake Authentication Protocol (CHAP)

Is a means of authentication based on a random challenge number combined with the password hash to computer a response.

Tripwire

Is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Password Authentication Protocol (PAP)

Is an insecure plaintext password-logon mechanism.

Authentication

Is the act of verifying or proving the claimed identity.

Identification

Is the claiming of an identity. A network element goes through a process to recognize a valid user's identity.

Authorization

Is the mechanism that controls what a subject can and can't do. Authorization is commonly called access control or access restriction.

TCP

It guarantees delivery, or at least notification of undelivered packets

Data Ownership

It is important to clearly establish rules and restrictions regarding data ownership

Near field communication

It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other

Null user

It's a user that does not have a username or password. SMB user sessions

NIST SP 800-53

Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.

incremental mode

John the Ripper brute force mode; can run indefinitely, as will hash and compare all possible combinations of chars in a particular algorithm

single mode

John the Ripper uses GECOS field data from /etc/passwd

wordlist mode

John the Ripper uses a wordlist or dictionary provided by the user

JEA

Just Enough Administration configured on host blocks all commands (PS remote) by default and only allows commands explicitly permitted

AppArmor

Kernel module that restricts the capabilities of specific programs

KDC

Key Distribution Center. All AD DC are KDC | Part of the Kerberos protocol used for network authentication. The KDC issues time-stamped tickets that expire.

White Box

Know everything he is now attacking the system to find holes in it and test the security mechanism

Grey Box

Know some info, but requires more to get into the network

Vishing

Known as voice phishing, fake caller ID appears from a trusted organization and attempts to get the individual to enter account details via the phone.

Black Box

Knows nothing about the system.

cryptsetup

LUKS utility to set up disk encryption based on DMCrypt kernel module includes TrueCrypt

Physical Layer

Layer 1 of the OSI model. Protocols in this layer generate and detect signals so as to transmit and receive data over a network medium. These protocols also set the data transmission rate and monitor data error rates, but do not provide error correction.

Data Link Layer

Layer 2 in the OSI model. This layer bridges the networking media with the Network layer. Its primary function is to divide the data it receives from the Network layer into frames that can then be transmitted by the Physical layer.

network layer

Layer 3 in the OSI model. Protocols in the Network layer translate network addresses into their physical counterparts and decide how to route data (packets) from the sender to the receiver.

Transport Layer

Layer 4 of the OSI model. In this layer protocols ensure that data are transferred from point A to point B reliably and without errors. this layer services include flow control, acknowledgment, error correction, segmentation, reassembly, and sequencing.

session layer

Layer 5 in the OSI model. This layer establishes and maintains communication between two nodes on the network. It can be considered the "traffic cop" for network communications.

Session

Layer 5 of the OSI Model

presentation layer

Layer 6 of the OSI model, it is responsible for the formatting of data being exchanged and securing the data with encryption.

application layer

Layer 7 of the OSI model. Application layer protocols enable software programs to negotiate formatting, procedural, security, synchronization, and other requirements with the network.

LSB

Least Significant Bit graphics color tables | the bits that have the list impact on shifting color and can accommodate the message

Hard Drive

Least volatile when performing incidence response procedures.

Alerts

Less critical does not require immediate reaction.

Secure Router Configuration

Let's you know who is able to log on to a router and configure it. Don't allow everyone to log on to your routers or switches. Implement access list to allow only certain users.

LDAP

Lightweight Directory Access Protocol TCP/389/636/3268/3269 plaintext/secure

Wireless Authentication

Lightweight EAP Protected EAP

Risk Calculation

Likelihood (ARO), Singe Loss Expectancy (SLE), and Annual Loss Expectancy (ALE).

LUKS

Linux Unified Key Setup disk encryption and key management

Kismet

Linux WLAN sniffer completely passive used for vulnerability assessment and intrusion detection

sysctl

Linux command used to modify kernel parameters at runtime; /etc/sysctl.conf; -w changes w/o commit

LXC

Linux containers with groups / namespaces; process isolation and allocation of resources; OS-level containers

syslogd

Linux daemon syslogd utility reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file rules found in /etc/syslog.conf; often found in routers

xxd

Linux tool that dumps contents of a file in hex

DACL

List of Access Control Entries (ACEs) in Microsoft's NTFS Each ACE (individual permissions) includes a security identifier (SID) and a permission. ALWAYS ENFORCED BY THE OS NO MATTER HOW ACCESSED

Risk Associated with Virtualization

Little control over VM to VM communication Virtualization server contains VMs that have different security profiles.

Hot site

Location that is already running and available 24/7. Minimal downtime, but expensive

Bastion Host

Locked Down to provide maximum security; commonly reside in DMZ

Log Analysis

Logging is the process of collecting data to be used for monitoring and auditing purposes.

VLAN Management

Logically can separate voice from data. Helps separate traffic on a switch. VLAN's cannot communicate to each other without a router.

Media Access Control Filter

MAC filtering is a security access control method whereby the MAC address is used to determine access to the network Vulnerable to spoofing attacks

Google Chrome

MSI installer; auto update; SafeBrowsing API; UAC compatible

IV Attacks

Main weakness in WEP : Randomization is crucial for encryption schemes to achieve security.

Community Cloud

Maintained, used and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange.

High Availability

Maintaining an onsite stash of spare parts can reduce downtime. Strive to achieve the 5 "9s"

Service packs

Major revisions of functionality or service operation in an installed application. Large files that can contain hotfixes and patches.

Subnetting

Makes efficient use of network address space and controls network traffic.

Virtual Firewall

Makes sure all traffic is properly analyzed when two guest machines on the same physical host communicate

malware

Malicious code, such as viruses, Trojans, or worms, which is designed to gain unauthorized access to, make unauthorized use of, or damage computer systems and networks.

chkconfig

Manages xinetd scripts via the configuration files in /etc/xinetd.d

MAC

Mandatory Access Control model that uses labels to determine access. NTFS uses DAC instead of MAC and is set by the system

Mandatory Access Control or MAC

Mandatory Access Control or MAC Most basic form of access control. Involves the assignment of labels to resources accounts. Think labels.

Risk Control

Mandatory vacations implemented

One-way Function

Mathematical operation that easily produces an output for each possible combination of inputs but makes it impossible to retrieve input values

Flood Guards

May be part of firewall or IDS/IPS A network device, firewall/router that has the ability to prevent some flooding Dos Attacks.

MTBF

Mean time between failures means how long before it will or could fail

MTTF

Mean time to failure means how long is this product or system is going to last (Life expectancy)

MTTR

Mean time to restore means how long is it going to take to repair

MOU

Memorandum of Understanding

Cold site

Merely a prearranged request to use facilities if needed. Cheapest option, but most downtime

MD5

Message Digest 5. A hashing function used to provide integrity. MD5 uses 128 bits. A hash is simply a number created by applying the algorithm to a file or message at different times. The hashes are compared to each other to verify that integrity has been maintained.

Software exploitation

Method of searching for specific problems, weaknesses, or security holes in software code

cryptoprocessors

Microprocessors that provide cryptographic functions.

MAAD

Microsoft Azure Active Directory user and device authN at massive scale can perform 3rd party authN; Azure Cloud Shell; no support for NTLM Kerberos etc rather supports SAML Oauth

MBSA

Microsoft Baseline Security Analyzer (MBSA) is software developed and used by Microsoft to check the security of an operating system by assessing missing security updates and less secure areas of the operating system. User must be member of the administrators group. Local and remote machines can be scanned.

EFS (Encrypting File System)

Microsofty Windows NTFS-based public key encryption.

DHCP spoofing attack

MitM attack listens for DHCP traffic then sends attacker IP address as default gateway

Geo-tagging

Mobile devices with GPS support enable the embedding of geographical location in the form of latitude and longitude as well as date/time information on photos taken with these devices.

Secure Hash Algorithm (SHA)

Modeled after MD5 but considered the stronger of the two

Data Loss Prevention DLP

Monitor the contents of systems to make sure key content is not deleted or removed. They also monitor who is using the data and transmitting the data

NIDS

Monitor the packet flow and try to locate packets that have gotten through the firewall.

HIDS

Monitors host to host connections. Intrusion prevention system. Always active.

ROT 13

Monoalphabetic cipher that shifts characters 13 characters. Stands for Rotate 13. A would become N, B would become O, etc.

Trends

More like behavior patterns

Vulnerability scans

Most often passive attempts to identify weaknesses

Message Digest 5 (MD5)

Most widely used hashing algorithm in the world and will remain so for at least several more years to come. Is coded into operating systems and popular software products. Does not have strong collision resistance

MCS

Multi-category Security CompanyConfidential Patient Record Unclassified Top Secret

MPLS

Multiprotocol Label Switching is a type of data-carrying technique for high-performance telecommunications networks. MPLS directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table

S/MIME

Multipurpose internet Mail Extensions (S/MIME). Internet standard for encrypting and digitally signing email.

Private key

Must keep private (located on your CAC)

SMB Relay Attack

NTLM v2 vulnerable;

RSA Algorithm

Named after inventors Rivest, Shamir, and Adelman, RSA is a system for encrypting and decrypting a message using a pair of keys, both of which contain the product of two prime numbers. SSL; asymmetric

Preparation

Necessary to ensure a successful outcome of unplanned downtime, security breaches, or disasters

Least Privilege

Need to know, only what they need to perform their job

NFS

Network File System (UNIX); uses UDP port 2049

NLA

Network Level Authentication is a technology used in Remote Desktop Services or Remote Desktop Connection that requires the connecting user to authenticate themselves before a session is established with the server.

Nova

Network Obfuscation and Virtualized Anti-Recon can launch VMs called haystacks (honeypots)

NTP

Network Time Protocol; UDP port 123

NAC

Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC.

NIDS

Network-based intrusion detection system used to identify events of interest on the network. It can detect network-based attacks, such as smurf attacks. A NIDS cannot monitor encrypted traffic, and cannot monitor traffic on individual hosts. Snort is an example of an open source NIDS

NIPS

Network-based intrusion prevention system. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. Deployed inline at the perimeter in front of or behind firewalls (usually between ISP and FW) can be single point of failure due to being inline false positive drops legit traffic

NTLM

New Technology LANMAN. Authentication protocol intended to improve LANMAN. The LANMAN protocol stores passwords using a hash of the password by first dividing the password into two seven-character blocks, and then converting all lowercase letters to uppercase. This makes LANMAN easy to crack. NTLM stores passwords in LANMAN format for backward compatibility, unless the passwords are greater than fifteen characters. NTLMv1 is older and has known vulnerabilities. NTLMv2 is newer and secure.

NSE

Nmap Scripting Engine; written in LUA

Digital Signatures

Non-Repudiation

NDA

Non-disclosure agreement. Ensures that third parties understand their responsibilities. It is commonly embedded as a clause in a contract with the third party. Most NDAs prohibit sharing data unless you are the data owner.

Personally Identifiable Information (PII)

Not everyone understands the importance of PII

Script Kiddie

Not hackers just call themselves hackers. Use programs to hack for themselves.

Keyspace

Number of values that are valid for use as a key for a specific algorithm

TCP application layer

OSI app, presentation, session layers

TCP network layer

OSI data link and physical layers

TCP internet layer

OSI network

TCP transport layer

OSI transport layer

Organizational Unit

OU; in Windows a local set of computers/users/groups with Group Policy

object storage

Objects (files) are stored with additional metadata (content type, redundancy required, creation date, etc.). These objects are accessible through APIs and potentially through a web user interface. (e.g. Dropbox)

Intrusion

Occurs when attacker accesses your system without authorization

Data Breach

Occurs when nonpublic data is read, copied or destroyed during an incident

Buffer Overflows

Occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory

Network Access Control (NAC)

Offers a method of enforcement that helps ensure computers are properly configured

Virtualization

Offers cost benefits by decreasing the number of physical machines required within an environment.

Password Authentication Protocol (PAP)

Offers no true security. Sends user IDs and passwords in cleartext

NTFS

Often referred to as a "journaling" file system because it keeps track of transactions performed when working with files and directories.

Acceptance

Often the choice made when implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition

Bluesnarfing

Once paired, the user's data becomes available for unauthorized access, modification, or deletion

Forest

One or more AD domains with trust

hashing encryption

One-way encryption that transforms cleartext into a coded form that is never decrypted.

OCSP

Online Certificate Status Protocol. An alternative to using a CRL and meant to replace it allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

GNU Privacy Guard (GPG)

Open Source

OSSEC

Open Source HIDS Security

OSI model

Open System Interconnection: Application, Presentation, Session, Transport, Network, Data Link, Physical

Switch

Operates at Layer 2 Data Link Layer. Can be used to create VLANS. Seperates broadcast domains.

Replay

Packets are captured using sniffers. After the pertinent information is extracted the packets are placed back on the network.

one time password

Password generated by a security token, which expires as soon as it is used.

Public key

People encrypt data using

security auditing

Performing an organized technical assessment of the security strengths and weaknesses of a system.

Transport Layer Security (TLS)

Performs a similar function to SSL. Both are used for secure connections over the Internet.

mandatory vacations

Periods of time in which an employee must take time off from work so that their activities may be subject to a security review.

account privileges

Permissions granted to users that allow them to perform various actions such as creating, deleting, and editing files, and also accessing systems and services on the network.

PAN

Personal Area Network (bluetooth)

Pharming

Pharming does not require the user to be tricked into clicking on a link Pharming redirects victims to a bogus website, even if the user correctly. Entered the intended site. To accomplish this, the attacker employs another attack, such as DNS cache poisoning

Physical Security

Physical access to a system or network creates many avenues for a breach in security

tokens

Physical or virtual objects that store authentication information.

ping -n

Pings a host a specific amount of times ping -n 10 www.google.com (Windows)

ping -c

Pings a host a specific number of times ping -c 10 www.google.com (Linux)

NAC

Place a computer into a restricted VLAN until the computers virus definitions

Border Router

Placed between your ISP and your external firewall

Boot Sector

Placed into the first sector of the hard drive so that when the computer boots virus loads into memory

ethical hacking

Planned attempts to penetrate the security defenses of a system in order to identify vulnerabilities.

PAM

Pluggable authentication module -service plugin for apps, code, or scripts for user authentication and session management (resource choke) /etc/pam.d - auth, password, sessions, accounts

PPTP

Point-to-Point Tunneling Protocol. Tunneling protocol used with VPNs. PPTP uses TCP port 1723.

Port 53

Port that uses DNS

Get-Process

PowerShell command to return a list of running processes. Can use with | format-list *

Get-FileHash

PowerShell command, computes hashes for designated files. Include -Algorithm SHA256 (e.g.)

Get-Content

PowerShell command, displays the contents of a designated file

Select-Object

PowerShell command, removes object properties apart from those specified

Restart-Service

PowerShell command, sditops and then starts one or more services.

Out-GridView

PowerShell command, sends output to an interactive table in a separate window.

GetWmiObject

PowerShell command, talks to WMI service using SQL-like queries

Cain

Powerful multipurpose tool for Windows that can sniff and crack passwords, perform RDP, VoIP capture and RTP stream replay

GetWinEvent

Powershell command, used to query Windows event logs

incident management

Practices and procedures that govern how an organization will respond to an incident in progress.

System-Specific Policy

Presents the management's decisions that are specific to the actual computers, networks, and applications

Impersonation

Pretending to be someone you are not. Using information from other attack.

Secure Socket Layer (SSL)

Primarily used for secure online transactions such as online shopping or banking. Public desire for a completely open-source alternative finally found fruition in TLS, discussed next

Data Security

Primary security concern when deploying a mobile device on a network

Hard data

Printed out

password

Private combination of characters associated with a user name that allows access to certain computer resources.

user assigned privileges

Privileges that are assigned to a system user and can be configured to meet the needs of a specific job function or task.

group based privileges

Privileges that are assigned to an entire group of users within an organization.

management controls

Procedures implemented to monitor the adherence to organizational security policies.

SHA-1

Produces a 160-bit hash value and is used in DSS

Privilege Escalation

Programming errors can result in system compromise, allowing someone to gain unauthorized privileges

Trojan horse

Programs disguised as useful applications. Do not replicate themselves like viruses, but they can be just as destructive. Hides itself as a real program

spam filters

Programs used to read and reject incoming messages that contain target words and phrases used in known spam messages.

Pretty Good Privacy (PGP)

Proprietary

PEAP

Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP. PEAP-TLS uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate, PEAP-TLS requires a certification authority (CA) to issue certificates.

Protected distribution (cabling)

Protected distribution or protective distribution systems (PDSs) are the means by which cables are protected against unauthorized access or harm

VPN protocols

Protocols that provide VPN Functionality

TACACS (Terminal Access Controller Access Control System)

Provides centralized authentication and authorization services for remote users.

Elliptic Curve Cryptography (ECC)

Provides more security than other algorithms when both are used with keys of the same length. Used for mobile devices.

Digital Policies

Provides the rules that indicate how the certificate will be used and its purpose

Public Cloud Infrastructure

Provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

PKCS

Public Key Cryptography Standards Defacto cryptography message standards

PKI

Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

Artillery

Python-based cross platform tool for honeypot file system monitoring threat intelligence mainly event warning

Incident isolation

Quarantine separates an entity apart from the rest of an environment to provide protection

Redundancy and Fault Tolerance

RAID on Hard Drives. Hot-swapping of failed drives and redundant power supplies so that replacement hardware can be installed without ever taking the server offline

Rivest Cipher (RC)

RC4 uses a variable key-length. RC4 is a stream cipher (only RC that is a stream cipher) One Tim Past (OTP) Are the strongest encryption.

Substitution Cipher

ROT 13

Jamming / Interference

Radio waves can be disrupted. Can cause DoS conditions.

RPO

Recovery point objectives how much can we lose and how much do we have backed up. Deals with data loss.

RTO

Recovery time objectives how long is it going to take to get it back operational or to a certain level (can be of use but not fully operational)

Fedora

Red Hat Linux distro; used rpm and yum for package management; FW enabled by default, with GUI

Ansible

Red Hat; scalable; a controlled machine is called a node, primary is called main controller machine

RAID

Redundant Array of Independent Disc. Different versions are RAID 0 Fault tolerance, RAID 1 That has mirroring with minimum disk of two, and RAID 5 stripping with parity. RAID prevents data loss.

Privacy Policy

Referred to as personally identifiable information (PII)

Design Review

Refers more specifically to the components of the architecture at a more micro level

Hardening

Refers to reducing security exposure and strengthening defenses against unauthorized access attempts and other forms of malicious attention

Rogue Access Points

Refers to situations in which an unauthorized wireless access point has been set up

Determine the attack surface

Refers to the amount of running code, services, and user-interaction fields and interfaces

Remote Access

Remote Access Services (RAS) lets you connect your computer from a remote location, such as your home or an on-the-road location, to corporate network.

RDP

Remote Desktop Protocol Port 3389 use PKI, not self-signed TLS only available if cert signed

RDS

Remote Desktop Services; role on Windows Server; used for remote assist, same protocol MSTSC.EXE

RD

Remote Desktop; must have thin client

RPC

Remote Procedure Call. TCP 135 over HTTP 80/443/593 over SMB 139/445

Remote Desktop Protocol

Remote access protocol used by many systems as a means of remotely configuring another via a GUI. Uses TCP port 3389

Remote Wiping (MOBILE DEVICES)

Removes all data from your mobile device if your phone cannot be found.

Hashing

Represent data as a short string of text (fixed-length). Also called Message digest, checksum, hash value

GET (HTTP Method)

Requests a specific web page or data.

Alarms

Require immediate response.

need to know

Requirement of access to data for a clearly defined purpose remove when no longer needed

token-based authentication

Requires a computer user to physically hold a device called a token.

Public Cloud

Requires a subscription and is open and offered to the public

Registration Authority (RA)

Responsible for verifying users' identities and approving or denying requests for digital certificates. RA's do not issue certificates.

ROI

Return of investment or return on investment. A performance measure used to identify when an investment provides a positive benefit to the investor. It is sometimes considered when evaluating the purchase of new security controls. ROI(%) = (gain - expenditure)/(expenditure) x 100

RMS

Rights Management Services Azure based DLP

AGUDLP the AGULP (Accounts, Global Groups, Universal Groups, Local Groups, Permissions and Rights} model

Rights and permissions should only be granted to Local Group

Risk Calculation

Risk = Threat x Vulnerability

Botnets

Robot network. Once a machine is infected it becomes a bot or zombie. Used for Disturbed Denial of Service.

puppet

Ruby-based configuration manager with some Windows support

BearTrap

Ruby-based tool contained in ADHD opens up ports to deceive attackers and actively block their IPs

Deny Tcp any any port 53

Rule that denies DNS zone transfers on a firewall

Rule-Based Management

Rules an organization incorporates into their network.

Firewall rules

Rules can be created for either inbound traffic or outbound traffic. Three actions allow connection, allow the connection if it is secured or block the connection. Firewalls go off of a top down process. As soon as a network packet matches a rule, that rule is applied.

SID (well known)

S-1-1-0 Everyone S-1-5-11 Authenticated Users group S-1-5-32-544 Local administrations group

rkhunter

SHA-1 hashes of critical files to compare against system; must update db

Simple Mail Transfer Protocol

SMTP

port 25

SMTP (mail)

port 22

SSH

Service Set Identifier (SSID) Management

SSID is used to identify wireless access points on a network.

3-way handshake

SYN; SYN/ACK; ACK

Safety

Safety of the facility and personnel should always be the top priority of a security effort

How to defeat Rainbow Table Attacks

Salting the hash

Warm site

Scaled-down version of a hot site. Generally configured with power, phone, and network jacks

Scanning

Scans for vulnerabilities. Port scan and ping sweep.

Dumpster Diving

Scavenging for discarded equipment and documents

grep

Search file(s) for lines that match a given pattern

Failsafe

Secure

SHA

Secure Hashing Algorithm

SSP

Secure Simple Pairing; PK crypto, PIN, in bluetooth after 2.1 +

HTTPS

Secure form of the ever-popular HTTP

Secure Shell (SSH)

Secure replacement for Telnet uses port 22.

Sandbox

Secure test environment.

Diffie-Hellman Key Exchange

Secure way to exchange keys

Monitoring System Logs

Securing logs is important; they contain sensitive information and may be used in the forensic process if needed. Used to log important auditing. Can show you incorrect authentications.

SAT

Security Access Tokens; ticket issued to user includes acct number, SID number, list of privileges whoami.exe /all/fo/list

SAML

Security Assertion Markup Language. Based on XML. Uses a third party service to authenticate the user. Can also be referred to as FIM.

SA (IPsec)

Security Association documents security services of connection (transforms) | unidirectional required for each IPsec connection | generates the encryption and authentication keys that are used by IPsec.

SCA

Security Configuration and Analysis snap in for GPMC; apply templates to system (local only)

time of day restrictions

Security controls that restrict the periods of time when users are allowed to access systems, which can be set using a group policy.

Windows Server 2008

Security features added in this Windows version: Component modularization, Server Core, Read-only domain controllers, Network Access Protection (NAP), Secure Socket Tunneling Protocol (SSTP), RDP Virtualization, R2: DNSSEC, AppLocker, DirectAccess, AD Recycling Bin, Enhanced Audit Policy Control; only available in 64-bit

SID

Security identifier. Unique set of numbers and letters used to identify each user and each group in Microsoft environments. permissions and privileges attached to user unique - not reused if deleted

Incident Management

Security incidents will occur. Good management strategies mitigate the severity of damage caused by risks

Wireless Transport Layer Security WTLS

Security layer for WAP applications Provides authentication, encryption and data integrity for wireless devices.

safety controls

Security measures implemented to protect personnel and property from physical harm.

testing controls

Security measures that verify whether or not certain security techniques meet the standards set for them.

SELinux

Security-Enhanced Linux. A trusted operating system platform that prevents malicious or suspicious code from executing on both Linux and UNIX systems. It is one of the few operating systems that use the MAC model.

Spoofing

Seeks to bypass IP address filters by setting up a connection from a client and sourcing the packets with an IP address that is allowed through the filter

Worms

Self-replicating virus that repeats with no user intervention. Built to take advantage of a security hole in existing application or OS.

SYN Flood

Sends a flood of synchronization (SYN) requests and never sends the final acknowledgment (ACK)

SMB

Server Message Block Full Control, Change (compare to Modify in NTFS), Read; $ indicates hidden

SNI

Server Name Indication and is an extension of the TLS protocol. It indicates which hostname is being contacted by the browser at the beginning of the 'handshake'-process.

SLA

Service Level Agreement

SSID

Service Set Identifier. Identifies the name of a wireless network. Disabling SSID broadcast can hide the network from casual users but an attacker can easily discover it with a wireless sniffer. It's recommended to change the SSID from the default name.

rainbow tables

Sets of related plaintext passwords and their hashes.

hping3

Sets up connections to visible IPs can spoof IP addresses and craft packets to id open ports and OS | Fully scriptable using TCL language command line TCP/IP assembler/analyzer -A --ack set ACK flag -p --destport -c -- number of packets to send -i --interval between each packet example: hping3 -A 192.168.1.100 -p80

Transference

Share some of the burden of the risk with someone else, such as an insurance company

PNAC

Shutdown, Protect, Restrict

Digital Signatures

Similar in function to a standard signature on a document. Sender signs with their Private key. Receiver decrypts the hash and verifies the data with the sender's Public key

PEAP (protected Extensible Authentication Protocol)

Similar to EAP-TLS, PEAP is an open standard developed by a coalition made up of Cisco Systems, Microsoft, and RSA Security.

Fraggle

Similar to a smurf attack. Uses UPD rather than ICMP. The attacker sends spoofed UDP packet to broadcast addresses as in the Smurf Attack.

SNMP

Simple Network Management Protocol

SNMP

Simple Network Management Protocol; query network for monitoring and troubleshooting; UDP port 161/2

Trivial File Transfer Protocol (TFTP)

Simple protocol to transfer files. Only reads and write files from /to a remote server Uses UDP port 69

SLE

Single loss expectancy | $ measure the cost of a single occurrence of a threat exploiting a vulnerability

Separation of Duties

Single point of failure, it's also subject for an inside threat. Easier to manage

Web Security Gateway

Single point of policy control and management for web-based content access. Blocks websites based on URL.

SSO

Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

honeypot

Single, hardened and secure system with no legitimate purpose. A computer system that's set up to attract unauthorized users by appearing to be a key part of a network or a system that contains something of great value. focus on what attacker does to discover new vulns

Proxy Server

Sits between users and external networks. Used for load balancing, internet connectivity, content filtering, and hiding IP Addresses. Can hide users IP address.

Hotfixes

Small and specific-purpose updates that alter the behavior of installed applications in a limited manner. Need to be installed as soon as possible.

LSO (Local Shared Objects)

Small files or data sets that websites may store on a visitor's computer through the Adobe Flash Player. Generally used to store user preferences and settings, but can be a form of tracking cookie

Ettercap

Sniffers. A suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

SDN

Software Defined Network | split network into subnets with software | allows for micro-segmentation and traffic analysis between two endpoints

SaaS

Software as a Service; a subscription service where you purchase licenses for software that expire at a certain date. Office 365, OneDrive

source code

Software code that is generated by programming languages, which is then compiled into machine code to be executed by a computer. Access to source code enables a programmer to change how a piece of software functions.

Rootkits

Software hidden on a computer to get escalated privileges such as administrative rights. Can be invisible to the OS

adware

Software that automatically displays or downloads advertisements when it is used.

protocol

Software that controls network communications using a set of rules.

network operating systme

Software that controls network traffic and access to network resources.

host-based firewall

Software that is installed on a single system to specifically guard against networking attacks.

rootkit

Software that is intended to take full or partial control of a system at the lowest levels.

anti-spyware

Software that is specifically designed to protect systems against spyware attacks.

pop-up blockers

Software that prevents pop-ups from sites that are unknown or untrusted and prevents the transfer of unwanted code to the local system.

DLP (data loss/leak prevention)

Software that stops data in a system from being stolen.

type 2 hypervisor

Software to manage virtual machines that is installed as an application in an operating system. (e.g. Virtual Box)

antivirus software

Software used to detect and eliminate computer viruses and other types of malware.

LDAP injection

Some websites perform LDAP queries based upon data provided by the end user. LDAP injection involves changing the LDAP input so that the web app runs with escalated privileges. Will work off of port 389. Lightweight Directory Access Portal.

Malicious Insiders

Someone who attacks from inside an organization

Data Thief (Corporate Espionage)

Someone who goes around and tries to steal information from a company or people

Cyberterrorist

Someone who uses the Internet or network to destroy or damage computers for political reasons.

Wrappers

Something used to enclose or contain something else. Some wrappers might have Trojan horses inside them.

TCP header

Source Port, Destination Port, Sequence Number, Acknowledgment Number, Header Number, Reserved, Code Bits, Window, Checksum, Urgent, Options, Data; 20 bytes

STP

Spanning Tree Protocol. Protocol enabled on most switches that protects against switching loops. A switching loop can be caused if two ports of a switch are connected together, such as those caused when two ports of a switch are connected together.

SMART

Specific, Measurable, Attainable, Realistic, Timely

tcpdump -i

Specify which interface tcpdump listens on

Log Aggregators

Splunk, Kiwi, Snare, WinSyslog, ArcSight, LogRythm; encrypt logs and transfer to SIEM; formattingL

Sarbanes-Oxley Act

Standard to when people break regulations and or policies

Cipher Suites

Standardized collection of authentication, encryption, and hashing algorithms used to define the parameters for a security network communication.

systemctl

Start, stop, enable, disable, and view the status of services; systemd (BSD does not use)

packet-filtering firewall

Stateless; A firewall that examines each packet and determines whether to let the packet pass. To make this decision, it examines the source address, the destination addresses, and other data.

Risk Based Controls

Strategy that will allow an admin to enforce least privilege principles

Rivest Shamir Adelman (RSA)

Strength depends on the difficulty of factoring the product of prime numbers The most commonly used public key algorithm on the market

guidelines

Suggestions for meeting a policy standard or best practices.

Non-Repudiation

Supplemental to the CIA Triad. Ensures parties have sent transmission.

Advanced Encryption Standard (AES)

Supports key sizes of 128, 192, 256 bit keys.

spyware

Surreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.

CCTV (closed-circuit television)

Surveillance cameras that do not openly broadcast signals.

Azure AD Connect

Sync DC with Azure AD; SSO 365

Supervisory control and data acquisition (SCADA)

System can operate as a stand-alone device, be networked together with.

data classification

System of organizing data according to its sensitivity. Common classifications include public, highly confidential, and top secret.

configuration management

Systems are configured based on standards, and changes are made as part of a disciplined change management process

TACAS +

TACAS + not backwards compatible with TACAS. Uses TCP.

SMB Port

TCP 139 with CIFS; TCP 445 without CIFS for file and printer sharing

Citrix port

TCP 1494

FTP data port

TCP Port 20

FTP Command Port

TCP Port 21

URG

TCP flag indicating a Packet contains urgent data

SYN

TCP flag; request connection

TCP flow control

TCP provides flow control by having the sender maintain a variable called the receive window. The size of this window is important. Set low to 0 in tarpit to keep attacker connections open and consume system resources

MS SQL Server port

TCP/UDP 1433/4

Kerberos port number

TCP/UDP 88

DNS port

TCP/UDP port 53. TCP port 53 is used for zone transfers, whereas UDP port 53 is used for queries.

Transitive Access

Takes advantage of trust, gives unauthorized access to other domain users

Man in the Middle

Takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.

bluebugging

Taking control of a phone to make calls, send text messages, listen to calls, or read text messages.

Risk Control Types

Technical, Management and Operational

biometric authentication

Technology for authenticating system users that compares a person's unique characteristics such as fingerprints, face, or retinal image, against a stored set profile of these characteristics.

telephony

Technology that provides voice communications through devices over a distance.

CTI (computer telephony integration)

Telephony technology that incorporates telephone, email, web, and computing infrastructures.

TKIP

Temporal Key Integrity Protocol. Wireless security protocol introduced to address the problems with WEP. TKIP was used with WPA but many implementations of WPA now support CCMP, 802.11i. Can be used with most existing hardware

Cookies

Temporary files stored in the client's browser cache to maintain settings across multiple pages, servers, or sites.

/usr/bin/sbin

The /usr/local tree is where programs that are not included with your distribution but are intended for system-wide use are installed.

/usr/local

The /usr/local tree is where programs that are not included with your distribution but are intended for system-wide use are installed.

Bourne Again Shell (bash)

The Bourne again shell (Bash) is a common application to offer a shell command line; other common shell applications are the C shell, the Bourne shell, and the Kern shell.

802.11i

The IEEE standard for wireless network encryption and authentication that uses the EAP authentication method, strong encryption, and dynamically assigned keys, which are different for every transmission. 802.11i specifies AES encryption and weaves a key into each packet.

802.1x

The IEEE standard that defines port-based security for wireless network access control

802.1x

The IEEE standard that defines port-based security for wireless network access control. Keeps network port disconnected until authentication is complete

ISN

The Initial Sequence Number of a TCP connection is the sequence number chosen by the client ( resp. server) that is placed in the SYN (resp. SYN+ACK) segment during the establishment of the TCP connection.

IPv4

The Internet Protocol version 4 is the dominant protocol for routing traffic on the Internet, specifying "to" and "from" addresses using a dotted decimal such as "122.45.255.0". 32-bit addressing

IPv6

The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0". 128-bit addressing; authN, encryption and traffic prioritization

PUT

The PUT method requests that the enclosed entity be stored under the supplied Request-URI.

Telephony

The Transmission of data through equipment in a telecommunications environment.

PPP (Point-to-Point Protocol)

The VPN protocol that is an Internet standard for sending IP datagram packets over serial point-to-point links.

REGEDIT.EXE

The ____ tool allows a user to connect to the active registry database and make changes that are effective immediately.

/etc/login.defs

The ________________ file contains parameters that set the default location for: e-mail, password expiration information, minimum password length and the range of UIDs and GIDs available for use. It also determines whether home directories will be automatically made during user creation as well as the password hash algorithm used to store passwords within /etc/shadow.

host availability

The ability of a host to remain accessible despite any system changes it needs to adapt to. Also call host elasticity.

fault tolerance

The ability of a network or system to withstand a foreseeable component failure and continue to provide an acceptable level of service.

remote access

The ability to connect to systems and services from an offsite or remote location using a remote access method.

Arbitrary code execution

The ability to run any software on a target system. Often combined with privilege escalation and other attacks to perform a local attack remotely

logging

The act of creating a log.

detection

The act of determining if a user has tried to access unauthorized data, or scanning the data and networks for any traces left by an intruder in any attack against the system.

recovery

The act of recovering vital data present in files or folders from a crashed system or data storage devices when data has been compromised or damage.

war driving

The act of searching for instances of wireless LAN networks while in motion, using wireless tracking devices like mobile phones, smartphones, tablets, or laptops.

Recovery Point Objectives

The age of files that must be recovered from backup storage for normal operations to resume

Smurf/Smurfing

The attacker sends ping packets to the broadcast address of the network, replacing the original source address in the ping packets with the source address of the victim, thus causing a flood of traffic to be sent to the unsuspecting network device.

Differential Cryptanalysis

The attacker takes two messages of plaintext and follows the changes that take place to the blocks as they go through the different S-boxes, each message is encrypted with same key

MTTR (mean time to recovery)

The average time taken for a business to recover from an incident or failure.

chroot command

The chroot command changes its current and root directories to the provided directory and then run command, if supplied, or an interactive copy of the user's login shell. Please note that not every application can be chrooted.

site survey

The collection of information on a location for the purposes of building the most ideal infrastructure.

NAC (Network Access Control)

The collection of protocols, policies, and hardware that govern access on devices to and from a network.

top command

The command used to give real-time information about the most active processes on the system; it can also be used to restart or kill processes.

ps command

The command used to obtain information about processes currently running on the system. -ef all running -C proc_name --sort=pcpu

public key

The component of asymmetric encryption that can be accessed by anyone.

private key

The component of asymmetric encryption that is kept secret by on party during two-way encryption.

Continuity of Operations (CooP)

The component of the BCP that provides best practices to mitigate risks, and best measure to recover from the impact of an incident

Linux Kernel

The core component of the Linux operating system is called the___. It is written almost entirely in the C programming language.

controls

The countermeasures that you need to put in place to avoid, mitigate, or counteract security risks due to threats or attacks.

Privilege Management

The creation and use of policies defining the users and groups that access company resources.

L2TP (Layer Two Tunneling Protocol)

The de facto standard VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.

Platform-as -a service (PaaS)

The delivery of a computing platform, often an operating system with associated services, that is delivered over the internet without downloads or installation.

Software-as-a-Service (SaaS)

The delivery of a licensed application to customers over the Internet for use as a service on demand On demand software, no local installation

Passive Asset Tracking (MOBILE DEVICES)

The device will attempt to contact the management service on a regular basis

Open Directory

The directory service that ships as part of Mac OS X Server.

subnetting

The division of a large network into smaller logical networks.

ports

The endpoints of a logical connection that client computers use to connect to specific server programs.

attacking

The final phase of a hack in which the attacker steals data, disrupts traffic, or damages systems.

Lessons learned

The final step in incident response. Involves planning and procedures to improve mitigation strategies. It is the AAR to make improvements.

SLE (single loss expectancy)

The financial loss expected from a single adverse event.

Mac OS

The first commercially available operating system to incorporate a graphical user interface (GUI) with user-friendly point-and-click technology. Build on BSD and XNU kernel. Offers sandboxing, and many network options not enabled.

first responder

The first person or team to respond to an accident, damage site, or natural disaster in an IT company.

802.11b

The first specification to be called Wi-Fi, it is the least expensive wireless network protocol used to transfer data among computers with wireless network cards, or between a wireless computer or device and a wired LAN. It provides for an 11 Mbps transfer rate in the 2.4 GHz frequency.

Fire Suppression

The first step in a fire-safety program is fire prevention

Incident identification

The first step in incident response. Without detection, incidents would be false negatives

RSA

The first successful algorithm to be designed for public key encryption. It is named for its designers, Rivest, Shamir, and Adelman.

integrity

The fundamental security goal of ensuring that electronic data is not altered or tampered with.

availability

The fundamental security goal of ensuring that systems operate continuously and that authorized persons can access data that they need.

confidentiality

The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.

TCB (Trusted Computing Base)

The hardware, firmware, and software components of a computer system that implement the security policy of a system.

physical security

The implementation and practice of various control mechanisms that are intended to restrict physical access to facilities.

URL filtering

The inspection of files and packets to block restricted websites or content.

MTTF (mean time to failure)

The length of time a device or component is expected to remain operational.

RTO (recovery time objective)

The length of time within which normal business operations and activities must be restored following a disturbance.

MTD (maximum tolerable downtime)

The longest period of time a business can be inoperable without causing the business to fail irrecoverably.

data exfiltration

The malicious transfer of data from one system to another.

Maximum Tolerable Downtime (MTD)

The maximum length of time a business function can be discontinued without causing irreparable harm to the business.

Authentication

The mechanism by which a person proves their identity to the system.

ARP (Address Resolution Protocol)

The mechanism by which individual hardware MAC addresses are matched to an IP address on a network.

data snaitization

The method used to repeatedly delete and overwrite any traces or bits of sensitive data that may remain on a device after data wiping has been done.

Wired Equivalent Privacy (WEP)

The most basic form of encryption can be used on 802.11 based wireless networks. 64-Bit or 128 bit key size. WEP is no longer used.

X.509

The most widely accepted format for digital certificates as defined by the International Telecommunication Union (ITU).

Blue Team

The network defenders in a blind (or black box) penetration test. Don't have knowledge of the attack.

TOS (Trusted Operating System)

The operating system component of the TCB that protects the resources from applications.

order of volatility

The order in which volatile data should be recovered from various storage locations and devices following a security incident.

threat vector

The path or means by which an attacker compromises security.

scanning

The phase of the hacking process in which the attacker uses specific tools to determine an organization's infrastructure and discover vulnerabilities.

PII (personally identifiable information)

The pieces of information that a company uses or prefers to use to identify or contact an employee.

RPO (recovery point objective)

The point in time, relative to a disaster, where the data recovery process begins.

attack surface

The portion of a system or application that is exposed and available to attackers.

security posture

The position an organization takes on securing all aspects of its business.

Network Segmentation

The potential for damage greatly increases if one compromised system on the network could spread to other networks.

BYOD (bring your own device)

The practice in which employees bring their own personal devices (usually mobile) into the office and use them for work-related purposes.

Application Whitelisting

The practice of allowing approved programs to run on a computer, computer network, or mobile device.

application whitelisting

The practice of allowing approved programs to run on a computer, computer network, or mobile device.

steganography

The practice of attempting to obscure the fact that information is present.

compliance

The practice of ensuring that the requirements of legislation, regulations, industry codes and standards, and organizational standards are met.

auditing

The practice of examining logs of what was recorded in the accounting process.

sandboxing

The practice of isolating an environment from a larger system in order to conduct security tests safely.

account federation

The practice of linking a single account across many different management systems.

risk management

The practice of managing risks from the initial identification to mitigation of those risks.

patch management

The practice of monitoring for, evaluating, testing, and installing software patches and updates.

application blacklisting

The practice of preventing undesirable programs from running on a computer, computer network, or mobile device.

load balancing

The practice of spreading out the work among the devices in a network.

implicit deny

The principle that establishes that everything that is not explicitly allowed is denied.

separation of duties

The principle that establishes that no one person should have too much power or responsibility.

job rotation

The principle that establishes that no one person stays in a vital job role for too long a time period.

least privilege

The principle that establishes that users and software should only have the minimal level of access that is necessary for them to perform the duties required of them.

On-Boarding

The process of adding new employees to the identity and access management (IAM) system of an organization

Salting

The process of adding random data to the hashed value.

enciphering

The process of applying a cipher.

risk awareness

The process of being consistently informed about the risks in one's organization or specific department.

UTM (unified threat management)

The process of centralizing various security techniques into a single device.

Data Normalization

The process of decomposing relations with anomalies to produce smaller, well-structured relations.

storage segmentation

The process of dividing data storage along certain predefined lines.

geolocation

The process of identifying the real-world geographic location of an object, often by associating a location such as a street address with an IP address, hardware address, Wi-Fi positioning system, GPS coordinates, or some other form of information.

Threat Intelligence

The process of investigating and collecting information about emerging threats and threat sources. Where to look? Visibility?

port forwarding

The process of redirecting traffic from its normally assigned port to a different port, either on the client or server. In the case of using SSH, port forwarding can send data exchanges that are normally insecure through encrypted tunnels.

Recovery

The process of removing any damaged elements from the environment and replacing them

deciphering

The process of reversing a cipher

information security

The protection of available information or information resource from unauthorized access, attacks, thefts, or data damage.

TCP

The protocol is reliable and connection orientated

Extranet

The public portion of the company's IT infrastructure that allows resources to be used by authorized partners and re-sellers that have proper authorization and authentication

reputation

The public's opinion of a particular company based on certain standards.

Mean Time Between Failures (MTBF)

The rating on a device or devices that predicts the expected time between failures

MTBF (mean time between failures)

The rating on a device or devices that predicts the expected time between failures.

chain of custody

The record of evidence history from collection, to presentation in court, to disposal.

gain

The reliable connection range and power of a wireless signal, measured in decibels.

Multi-factor Authentication

The requirement a user must use two or more authentication factors to authenticate to a device or system.

Off-Boarding

The reverse of this process in that it is the removal of an employee's identity from the IAM system On-Boarding is like in processing Off-Boarding the opposite

cipher

The rule, system, or mechanism used to encrypt or decrypt data.

Cryptanalysis

The science of breaking codes and ciphers

cryptography

The science of hiding information.

SHA-2

The second revision of SHA, also designed by the NSA, which supports a variety of hash sizes, the most popular of which are SHA-256 and SHA-512.

secure log file

The secure log file contains information regarding the last user to log in to a system.

prevention

The security approach of blocking unauthorized access or attacks before they occur.

data security

The security controls and measures taken in order to keep an organization's data safe and accessible and to prevent unauthorized access.

non-repudiation

The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

WTLS (Wireless Transport Layer Security)

The security layer of a wireless AP and the wireless equivalent of TLS in wired networks

risk analysis

The security management process for addressing any risk or economic damages that affect an organization.

IRP (Incident Response Policy)

The security policy that determines the actions that an organization will take following a confirmed or potential security breach.

Two-Way Transitive Trust

The security relationship between domains in the same domain tree in which one domain grants every other domain in the tree access to its resources and, in turn, that domain can access other domains' resources. When a new domain is added to a tree, it immediately shares a two-way trust with the other domains in the tree.

MAC Filtering

The security technique of allowing or denying specific MAC addresses from connecting to a network device.

MAC limiting

The security technique of defining exactly how many different MAC addresses are allowed access to a network device.

Spim

The sending of unsolicited Instant Messages.

Spam

The sending of unsolicited commercial email.

Certificate Authority (CA)

The server that issues and signs digital certificates and generates the public/private key pair. Key pair is based on a mathematical relationship that can not be spoofed. You can only trust a certificate if you can trust the CA that issued it

DNS (Domain Name System/server/service)

The service that maps names to IP addresses on most TCP/IP networks, including the internet.

key length

The size of a key, usually measured in bits or bytes, which a cryptographic algorithm used in ciphering or deciphering protected information.

footprinting

The stage of the hacking process in which the attacker chooses a target organization or network and begins to gather information that is publicly available. Also called Profiling.

enumerating

The stage of the hacking process in which the attacker will try to gain access to users and groups, network resources, shares, applications, or valid user names and passwords.

Active Directory

The standards-based directory service from Microsoft that runs on Microsoft Windows servers.

snapshot

The state of a virtual system at a specific point in time.

Integer overflow

The state that occurs when a mathematical operation attempts to create a numeric value that is too large to be contained or represented by the allocated storage space or memory structure

Credential Management

The storage of credentials in a central location.

TLS

The successors to SSL Uses stronger encryption methods.

privilege bracketing

The task of giving privileges to a user only when needed and revoking them as soon as the task is done.

transport encryption

The technique of encrypting data that is in transit, usually over a network like the Internet.

root CA

The top-most CA in the hierarchy and consequently, the most trusted authority in the hierarchy.

ALE (annual loss expectancy)

The total cost of a risk to an organization on an annual basis.

XOR

The truth table for the ____ gate indicates that the output is 1 only when the inputs are different.

bluesnarfing

The unauthorized access of information from a wireless device through a Bluetooth connection.

cleartext

The unencrypted form of data. Also known as plaintext.

privilege management

The use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.

rule-based management

The use of operational rules or restrictions to govern the security of an organization's infrastructure.

Server-Side Validation

The user submits a form to a web server. Web server looks over form and will let you know if you have forgotten something. It will review and make corrections.

ipconfig

The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.

hash

The value that results from hashing encryption. Also known as hash value or message digest.

Port Numbers

There are 65,536 TCP and UDP Ports on which a computer can communicate. The ports are divided in three ranges.

Network Administration Security Methods

There are many tools that can be implemented within an organization to secure the networking infrastructure

LDAP or Lightweight Directory Access Protocol

Think active directory. Has a hierarchy of services and allows your system to navigate through directory services.

Confidentiality

Think encryption. Keeps information and communications private and protected from unauthorized access

Integrity

Think hashing. Keeps organization information accurate, free of errors and without unauthorized modifications

N of M Control

This access-control mechanism creates a PIN number during the archive process and splits the number into two or more parts (N is the number of parts)

Ping Flood/Ping of Death

This attack attempts to block service or reduce activity on a host by sending ping requests directly to the victim

Teardrop

This attack sends fragmented UDP packets to the victim with odd offset values in subsequent packets. Since come systems cannot handle the error of fragmented packets it will cause them to crash or reboot.

FAT 32

This file system retains some features of the original FAT while reducing the maximum size limit of the file cluster so the space on the disk can be more efficient. < 400 MB and no audit, access controls

MD4 (Message Digest 4)

This has algorithm, based on RFC 1320, produces a 128-bit has value and is used in message integrity checks for data authentication.

MD5 (Message Digest 5)

This has algorithm, based on RFC 1321, produces a 128-bit has value and is used in IPSec policies for data authentication.

Computer Forensic

This is the evidence gathered when incident happens, to try to figure out what the issue was and or to defend your business against other

Collision (cryptographic attacks)

This type of attack is where two different inputs yield the same output of a hash function. Through manipulation of data, creating subtle changes that are not visible to the user yet create different versions of a digital file and the creation of many different versions, then using the birthday attack to find a _____ between any two of the many versions, an attacker has a chance to create a file with changed visible content but identical hashes.

protocol analyzer

This type of diagnostic software can examine and display data packets that are being transmitted over a network.

TTL

Time To Live; # router hops before drop; decrement to 0; prevent router loops; Windows = 128 Linux, Mac OS = 64 BSD = 255

Why would a technician use a password cracker?

To change users passwords if they have forgotten them.

Capture the system image

To ensure proper evidence collection this step should be performed first.

Physical Security

To ensure proper physical security, you should design the layout of your physical environment with security in mind

Mandatory Vacations

To help detect fraud among st the organization

Windows Account lockout duration setting

To increase the time it takes for someone to guess a password, The purpose is to increase the time it takes for a brute-force password guessing attack to be effective.

Storage Segmentation (MOBILE DEVICES)

To segregate data on a disk from other sectors. An example on a mobile device would be to logically segment the OS from the Apps

Token-Based Access Control

Token based access control associates a list of objects and their privileges with each user. (The opposite of list based.) Privileges are called 'capabilities'

Network Address Translation NAT

Translates a private address into a public address. Hides devices in a private network

TCP

Transmission Control Protocol provides reliable, ordered and error checked delivery of a stream of packets in the internet; L4 / Session

Two modes of IPSec

Transport mode, Tunnel Mode

TFTP

Trivial FTP; UDP port 69; no authN

TFTP

Trivial File Transfer Protocol: UDP 69 Uses UDP for transferring smaller amounts of data, especially when communicating with network devices

cross-forest trust

Trust type that allows resources to be shared between Active Directory forests. No replication; transitive; can be 1 or 2-way

TPE

Trusted Path Execution grsecurity security option Trusted Path Execution (TPE) is a protection which restricts the execution of files under certain circumstances determined by their path

TPM

Trusted Platform Module. This is a hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and it can generate and store other keys used for encryption, decryption, and authentication. TPM provides full disk encryption.

Mutual Authentication

Two way authentication.

Symmetric Encryption

Two-way encryption. A single, shared key, secret-key, private-key encryption. Encrypt and decrypt with the same key

Authentication Types

Type 1= something you Know (Password, Usernames, Pins) Type 2= something you Have (Tokens, CAC) Type 3= Something your Are (Fingerprint, Retina Scan)

Code review

Typically conducted using automated software programs designed to check code

self-signed certificate

Typically done to provide SSL functionality in temporary test or development servers. Not used for public/production.

Malicious Insider Threat

Typically motivated by financial gain, sabotage, and theft in order to gain a competitive advantage

IPsec port

UDP 500

syslog

UDP 514; plaintext, so no confidentiality; vulnerable to replay attacks, DoS (because accepts any/all logs); syslog.conf

port 123

UDP NTP Network Time Protocol

port 69

UDP. TFTP. Trivial File Transfer Protocol

Active Defense Harbinger Distribution (ADHD)

Ubuntu-based Linux distro focused on active defense and offensive countermeasures and has many tools for deception and attack-back

plaintext

Un-encoded data. Also known as cleartext.

VLAN

Unites network nodes logically into the same broadcast domain regardless of their physical attachment to the network.

/usr

Unix folder path containing primary OS files. READ ONLY except for patches and installs. Includes binaries tools and libraries.

SSH FTP (SFTP)

Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.

Failopen

Unsecure

Internet

Unsecured zone

Bluejacking

Unsolicited text and message broadcast spam sent from a nearby Bluetooth device Goal is to pair to the victim's device

Triple-DES (3DES)

Upgraded DES, Uses 168-bit key and Processes each block of data three times using a different day each time

SSL Secure Sockets Layer

Used by millions of websites in the protection of their online transactions with their customers. Uses certificates for authentication and encryption for message integrity and confidentiality

POP3 and IMAP

Used for Email

RSA

Used for digital signatures

Hybrid Cloud

Used for the extranet it is a mixture of a private and public cloud.

Challenge Handshake Authentication Protocol (CHAP)

Used over dial-up connections a mean to provide secure transport mechanism for logon credentials.

Web-Security Gateway

Used to intentionally block a predefined list of websites or categories of websites

PII Handling

Used to minimize data loss or theft

File Transfer Protocol (FTP)

Used to move files between one system to another with no true security.

Telnet

Used to remote into routers. Runs on TCP port 23. Because it is a clear text protocol and service it should be avoided and replaced with SSH (PORT 22)

Nslookup

Used to resolve web addresses to IP address and vice versa

Forensics

Used to uncover issues and increase investigation.

Elliptic Curve Cryptography

Used with mobile devices

Corporate Policies

User Acceptance

UAC

User Account Control allows users to install run programs as low-privileged and elevate as needed

UDP

User Datagram Protocol; multimedia, VoIP; know ports; 4 fields

orphaned accounts

User accounts that remain active even after the employees have left the organization.

/etc/passwd file

Username | PWD location | UID | primary group | GECOS field | home directory | login action

hackers

Users who excel at programming or managing and configuring computer systems, and have the skills to gain access to computer systems through unauthorized or unapproved means.

Dictionary Attack

Uses a dictionary of common words to reveal the users password

PBKDF2

Uses a hashing operation, an encryption cipher function, or an HMAC operation

Analytic Cryptanalysis

Uses algorithms and mathematics to deduce key or reduce key space to be searched

Heuristic Based Monitoring

Uses algorithms to analyze network traffic over time

Social Engineering

Uses deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.

XML injection

Uses malicious code to compromise XML applications, typically web services.

Secure Copy Protocol (SCP)

Uses port 22. Protects the authenticity and confidentiality of the data in transit

Statistical Cryptanalysis

Uses statistical characteristics of langauges or weaknesses in keys

Stealth

Uses techniques to avoid detection such as temporarily removing itself from infected file

VPN

Uses the public internet as a backbone for a private interconnection between locations. It allows you to connect to something as if you were there locally

Encrypting Email

Uses these two programs to do this S/MIME and PGP/GPG

port scanning

Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

Command Injections

Using malicious code injection, attackers can perform a variety of attacks upon systems. These attacks can result in the modification or theft of data

Identifying vulnerability

Using software to test systems for known vulnerabilities or weaknesses

war chalking

Using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network which may be offering Internet access.

Virtual Private Network

VPN is a communications "tunnel" between two devices across an intermediary, usually untrusted network

SSL VPN (Secure Socket Layer VPN)

VPN used with a web browser and protects against casual eavesdropping | installing a separate client is not necessary; cheaper, requires open ports on firewall

Authentication

Verifies the claimed identity of a user. Is a major component of a cryptosystem.

IPv4 header

Version, length, TTL, Protocol, Source / Target. 20 - 60 Bytes

VLAN

Virtual LAN split network on a switch into multiple networks software-split networks; control visibility, access

.vmx

Virtual Machine primary Configuration File

Hyper-V

Virtualization software developed by Microsoft that can be included with most versions of Windows Server 2008.

vishing

Voice phishing, a human-based attack where the attacker extracts information while speaking over the phone or leveraging IP based voice messaging services. (VoIP)

WEP/WPA attacks

WEP and WPA attacks can focus on either password guessing or encryption key discovery

Windows Defender Firewall

WF.MSC; NETSH.EXE IPsec driver integration no IDS or central logging

standards

WHAT specific hardware / software technology to use - mandatory for the whole organizations and strategic

DoublePulsar

WannaCry malware that runs in kernel mode allows privileged access on compromised systems for remote code execution

Signs

Warning signs provide a layer of security with notification of prohibited access or briefly outlining site information. Can be used to declare areas as off limits

Client-Side Validation

Web form will make on the spot corrections in real time. After making corrections the user can submit the form to the web server.

security template

What is a collection of configuration settings stored as a text file with an .inf extension?

Input Validation

What is the expected input is. Validates the actual input vs expected. Prevents XSS Scripting and SQL Injections.

Server Manager

What is used to install IIS on Windows Server 2008 R2?

Identify Risks

What risks could or will this risks bring to my business

Hop Limit, TTL

What two fields below are used by IPv4 and IPv6 respectively to limit the number of times that a packet can be forwarded on a network?

multi-master replication

When a domain has multiple domain controllers, all domain controllers are capable of making changes to the security domain database they share. The changes are replicated from one domain controller to another.

transitive trust

When a trust relationship between entities extends beyond its original form.

Distributed Denial of Service

When an attacker infects a bunch of machine to take down one device on the network. Is many to one.

spear phishing

When attackers target a specific individual or institution.

IntelliSense

When entering a criterion expression, which of the following tools helps suggest a list of possible values?

Mitigation

When steps are taken to reduce the risk

Get-Service

When using PowerShell, what cmdlet can be utilized to retrieve a list of services?

Authentication

Whenever possible, use a password, provide a PIN, offer your eyeball or face for recognition, scan your fingerprint, or use a proximity device such as an NFC or RFID ring or tile.

shoulder surfing

Where other people secretly peek at your monitor screen as you work to gain valuable information.

Bourne shell (sh)

Which UNIX shell is the most compact and is often used for writing shell scripts?

ls -a

Which command can be used to list all file (include hidden files) inside current directory? a) ls * b) ls -a c) ls -l d) show -a

Default Domain Policy

Which feature affects all users in the domain, including domain controllers?

Global Catalog

Which of the following does an Active Directory client use to locate objects in another domain?

tcpdump

Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

Aircrack-ng

Which wireless hacking tool attacks WEP and WPA-PSK?

Escalation and Notification

Who to notify?

WPA 2

Wifi Protected Access. Based on the IEEE 802.11i standard. Uses AES with CCMP to provide for enhanced confidentiality, integrity and authentication. CCMP requires new NIC and AP

SAN (Storage area Network)

Will go thru network to the storage

NAS (Network Attached Storage)

Will go to the file server and from there to storage

AutoPilot

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats

Windows server OS

Windows NT 2000 2003 (XP/Vist) 2008 (8) 2012 2016 Hyper-V

Windows Server Backup

Windows Server 2008 feature that allows you to perform one-time and recurring scheduled backups of a Windows server. ROBOCOPY.EXE

R2

Windows Server major version every 4 years, R2 every 2; should be regarded as new version

WSL

Windows Subsystem Linux

CCB

Windows compares configuration against template using SCA

AppLocker

Windows software restriction (whitelisting) feature. Can import and export configs, audit configs, apply rules based on Group Policy. Available only in Enterprise

process hacker

Windows tool for monitoring running processes, services, device drivers, listening TCP ports, disk activity, etc

secedit.exe

Windows tool that allows for the application of security templates .inf

WEP

Wired Equivalent Privacy uses RC4 which produces weak Initialization Vector (IV), preshared secret on all connected devices DO NOT USE

WIDS

Wireless IDS

WLAN

Wireless Local Area Network

Wireless Encryption

Wireless NICs are radio transmitters and receivers. Signals can be intercepted and eavesdropped on Solution Encrypt Data

bluetooth

Wireless PAN technology that transmits signals over short distances between cell phones, computers, and other devices and does not need line of sight as IR capable of 7 simultaneous connections

WPA

Wireless Protected Access; uses TKIP; AES CCMP

802.11n

Wireless networking standard that can operate in both the 2.4-GHz and 5-GHz bands and uses multiple in/multiple out (MIMO) to achieve a theoretical maximum throughput of 100+ Mbps.

802.11g

Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 54 Mbps and is backward compatible with 802.11b.

802.11ac

Wireless networking standard that operates in the 5-GHz band and uses multiple in/multiple out (MIMO) and multi-user MIMO (MU-MIMO) to achieve a theoretical maximum throughput of 1 Gbps.

802.11a

Wireless networking standard that operates in the 5-GHz band with a theoretical maximum throughput of 54 Mbps.

interference

Within wireless networking, the phenomenon by which radio waves from other devices interfere with the 802.11 wireless signals.

Protocol Analyzers

Work on Layer 3 the network layer to troubleshoot network issues by gathering packet label info

Full Device Encryption (MOBILE DEVICES)

You are encrypting the hard disk itself. If you are sending something over the web you are not encrypting the disk

Identify Vulnerabilities

You can use software, footprints and/or third party companies

Private key

You decrypt that data with

Discretionary Access Control (DAC)

You give the right to who you think should have access to that data. The owner assigns security levels based on objects and subjects and can make his own data available to others at will.

John the Ripper

You want to check a server for user accounts that have weak passwords. Which tool should you use?

Windows Server Core (2012+)

____ is a minimum server configuration, designed to function in a fashion similar to traditional UNIX and Linux servers. Not a version, but an installation option; default install only powershell and notepad; 2 - 4 GB install

Intranet

a company's private network of computers

honeynet

a group of honeypots used to more accurately portray an actual network intended to slow down attacker make the attack more expensive and risky

rotation of duties

a policy that requires an employee to alternate jobs periodically; mitigate collusion

deep packet inspection

a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers

Trojan Horse

a program designed to breach the security of a computer system while ostensibly performing some innocuous function.

Windows Insider program

a program that allowed users to sign up for early builds of the Windows operating system which has been expanded to include enterprise testers and advanced users

cookie

a short line of text that a web site puts on your computer's hard drive when you access the web site; often sets authN and session state

UEFI

a software layer that replaces the BIOS and sits between the OS and the system firmware

ethernet

a system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems.

thin client

a terminal that looks like a desktop but has limited capabilities and components

sniffer

a type of eavesdropping program that monitors information traveling over a network; puts NIC in promiscuous mode; usually software

Windows Server

a version of Windows that has been specially designed and configured for server use; comes in Datacenter, Enterprise and Standard; after 2012 no Enterprise

snapshot

a view of data at a particular moment in time; baseline for comparison; also useful for forensics automate; plaintext; store to NTFS with README threat hunting; needs human analysis

chain of custody

a written record of all people who have had possession of an item of evidence

onboarding

account administration; setting up user account and access management

Penetration Testing

active analysis of a system through simulated attacks and may involve exploit of live vulns | does not include maintaining access and covering tracks

threat

activities that represent danger to info or operations | agent of risk

logs

activity recorded on a system

Issue-specific policy

address specific needs of the org - password, Internet use not system specific NDA and copyright

Cumulative Update

addresses many bugs at one time

AES

advanced encryption standard, a symmetric 128-bit block data encryption technique; also 192 or 256 bit keys

rsyslog

advanced filtering and directing (to central log server, Splunk)

bridge

aggregates two physical networks or segments together contrast with routing of independent networks

Active Defense (goals)

aka Defensive Countermeasures slow down attacker; positive id (attribution); more time to respond to attack

Microsoft site license

aka Software Assurance License

Windows Embedded

aka Windows IoT, stripped down to kernel designed primarily for consumer and industrial devices that are not personal computers; aka Windows IoT

protocol analysis

aka application analysis IDS examines the entirety of protocols and how they operate and can detect known and unknown attacks

carrier file

aka host file | the file in which the data is hidden | message is the hidden data

privilege

aka right; not specific to object; general capability, machine specific (vs permission, 1:1 with object) listed in SAT

Symmetric Key Encryption

aka secret key, single or 1-key encryption, single key is used for encryption and decryption | fast | PRIVACY | no non repudiation, AES, Blowfish, IDEA

permutation

aka transposition, use same chars, just change position

database activity monitoring

all SQL transactions and policy violations

domain

all users, groups and computers in Active Directory

Quantitative

allows for the clearest measure of relative risk and expected return on investment or risk reduction on investment.

Diffie-Hellman

allows two users to share a secret key securely over a public network; asymmetric

Upstart

alternative to init for Linux startup

Transport mode

an IPSec mode in which only the IP data is encrypted, not the IP headers

incident

an adverse event in an information system and/or network or the threat of such an event

disaster

an incident, so needs DRP

data classification scheme

an information scheme used throughout an organization that helps secure confidentiality and integrity of information that is typically used by corporations

nikto

an open source web server scanner which performs comprehensive tests against web servers for multiple items including over 6400 potentially dangerous files, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers

threat

any potential damage to an asset.

danger

anything that can negatively impact to CIA of systems and services

Wireless benefits

anywhere; lower costs; raise productivity; better in historic buildings, etc.

Notification Alarms

are often silent from the intruder but record data about the incident and notify administrators, security and law enforcement

BCP steps

assess - threat id; damage (potential impact) eval - cost benefit, risk assessment prep - contingent operations, management of plan, testing of plan mitigate - id preventive to reduce risks respond - minimize impact recover - return to normal ops

Honey Badger

attack back tool determines physical location of system with geolocation wifi and IP address

VM escapes

attack to escape guest OS compromise hypervisor

Birthday Attack

attacker can take a collision and substitute one message for another at will (as they produce the same hash)

central logging server

attacker can't cover tracks - only legit machines can send log files - valuable target; should be protected with FW

hyperjumping

attacker compromises one guest OS and jumps to another | lateral compromise

flushing the logs

attacker dumps data on log files to cover tracks

TCP reset

attacker sniffs target traffic the spoofs packet with RST flag set to end session

activity summary report - quarterly

audit report; long term trends; review infra changes; review log mgt system performance

essential log elements

authN - fail and success change report network activity resource access malware activity system failures analytics reports NBS - never before seen

AuthN

authentication, or validate an identity claim: know, have, are, geo

monitoring (access)

authentications and authorizations must be monitored | log access transactions, including both successful and failed login attempts

AuthZ

authorization; what can subject do to object; principle of least privilege

Trust

automatic in forest, two-way transitive; must have trust for SSO, privilege and permissions assignment and desktop log in cross domain

type 1 hypervisor

bare metal hypervisor it is a software program that acts as an operating system and also provides the ability to perform virtualization of other operating systems using the same computer (e.g. Hyper V)

border router

between ISP and org firewall; prefilters traffic before org firewall and uses and ACL; aka edge router

SAFER+

bluetooth with authN, 128 bit key

kernel

brains of the OS; loaded into memory at boot

FIDO

browser MFA?

B2B

business to business

Windows Edition

business, pro and enterprise have AD other (but only ent has AppLocker)

SECEDIT.exe

cannot be used over the network; See MMC; MMC.EXE GPO configurations

packet sniffing

capture network traffic for analysis | no longer requires physical access to network due to prevalence of wifi

logging considerations

centralize; normalize; correlate; time server (UTC, use same time zone); detect log tampering

BOOTP

centrally managed allocates addresses for networked machines based upon pre-configured MAC:IP, UDP Ports 67 and 68

CRL

certificate revocation list - a list of certificate revocations not updated in real time and must be downloaded regularly

chmod

change permission modifiers

sysctl -w variable=<value>

change variable, commits on reboot

chrootkit

checks for rootkits

Form-Based Authentication

cleartext unless SSL; authN errors minimal; acct lockouts

SSL / TLS (PKI)

client knows server, but not inverse; client is anonymous; certificates used for key exchange, session key used to encrypt

Windows OS classes

client server embedded

client-to-site VPN

clients, servers, and other hosts establish tunnels with a private network using a VPN gateway at the edge of the private network. Each remote client on a client-to-site VPN must run VPN software to connect to the VPN gateway, and a tunnel is created between them to encrypt and encapsulate data. This is the type of VPN typically associated with remote access.

CFEngine

cloud-based focused on local datacenters

virus

code that attaches itself to an executable and infects systems when the exe is run it is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data

logging activities

collect; store; search; correlate / alert

log file

collection of messages

diff

command compares files and prints their differences

Linux shell

command line, allows for interactions with the kernel, OS

binding

communications path between a netowrking component service or protocol and a physical network adapter card IP + TCP + hostname

cloud resistance

compliance; multi tenancy; vendor lock; logging

pivot point

compromise in one element in system can lead to another; registry keys in windows, start up files, running processes

lateral movement

compromise one system, then another

hyperjacking

compromise the hypervisor to gain access to the VMs and their data typically launched against type 2 hypervisors that run over a host OS

crypto (goals)

confidentiality, integrity, authentication, non repudiation

jailed environment

configured to look like real environment no real data all traffic permitted

CLOSED

connection state in which server accepts no connections

Windows Logging

consider what to log; logs slow performance, consume disk space check temp folders for attacker plants

Incident handling phase 3

containment; stabilize, secure area, backups (forensics), copies (one for evidence, one for analysis); change passwords; pull from network?

log preprocessing

convert logs from one format to another

Log normalization

converts data to structured form (e.g.: a database table) thus enabling experts analyze data from different sources and gain deep insight about the whole system.

CCMP

counter mode with cipher block chaining messaging authentication code protocol - a wrapper that uses 128-bit AES encryption with a 48-bit initialization vector

CREATOR_OWNER

creator is owner, can delete, modify admins own objects created during OS install

Equifax

credit bureau; hacked through unpatched Java Struts vuln CI attack

PowerShell Core

cross platform, .NET Core framework

active summary report

daily; weekly; monthly; quarterly; annual

Azure

data centers that implement MS could services everything is built on (IaaS PaaS)

Security Updates Guide

database of CVEs, etc. for Microsoft

system call interception

deny/permit requests; HIDS sits between apps and system resources, OS

logical design

depicts how data flows across different devices in network | detailed, rather than abstract network diagram | services, application names | for developers and security architects | shows servers workstations routers firewalls...

honeycreds

deploy decoy usually privileged accounts

captive web portal

deployed for hotspots, higher ed, etc.

bogus DNS

descriptive but deceptive DNS domain names redirect attackers to jailed env or honeypot

security controls (types)

detective corrective and preventive

SmartScreen Filter

detects threats on Web sites, such as phishing attacks and malware downloads, and prevents them from running

router

device that connects different networks together internal and external | forwards data packets between computer networks | operates at OSI L3, handles packets

/dev

device; hardware

intellectual property (IP)

dictated by logical architecture | key is reduce number or locations where present; subject to copyright

communications flow

dictated by logical design, shows how data flows in and out of the network | informs threat model; attack surface and vectors; estimate impact; determines defense

policy

directive that defines the 'what'; reduces liability for people; supports org mission and accomplishment of objectives; mandatory | execs $ users make jobs easier 3 - 5 pages

Decloak

discover attacker IP even if through proxy

df

disk free space command

network profile

domain - AD, least strict public - most strict private - home or office

Global users and group

domain user with account in AD

Complete Trust Domain

domains in a forest always have two-way transitive trusts with multi-master replication

tcpdump -n

don't resolve hostnames

tcpdump -nn

don't resolve hostnames or well known port numbers to their services

Threat hunting metrics

dwell time; lateral movement; reinfection

Rotation Substitution

e.g. Caesar cipher, swapping out one character for another, rotate by n chars | predictable | if one mapping discovered, all is lost

Threat Hunting goals

early and accurate detection control and reduce impact improve defenses understand org weaknesses

qualitative analysis

easier and can identify high-risk areas and produces more subjective results (low, medium, high)

tractable

easy crypto problem

Top 5 Wireless attacks

eavesdropping; masquerading; DoS; rogue AP; wireless phishing

digital signature

electronically signing a document with data that cannot be forged; NON REPUDIATION INTEGRITY sender signs with private key for non repudiation recipient decrypts with sender public key

PKI uses

email disk encryption code and driver signing user authN Ipsec and VPN authN wireless authN NAC digital signatures

Defense in Depth

employ multiple layers of controls in order to avoid having a single point of failure

Revocation Certificate

employee termination; new role in org; email address change; key compromise

hypervisor

emulation software for virtualization; allows a single computing device to run multiple operating systems through hardware emulation

virtualization

emulation software for virtualization| allows a single computing device to run multiple operating systems through hardware emulation | accesses virtualized hardware, not physical

MMC (Microsoft Management Console)

enables an administrator to customize management tools by picking and choosing from a list of snap-ins. Available snap-ins include Device Manager, Users and Groups, and Computer Management.

Volume Storage Encryption

encryption of virtual hard drives in cloud environment

network mapping

enumerating hosts responding on a network. NMAP

Incident handling phase 4

eradication; repair before restore; remove backdoors; vulnerability analysis after recovery; improve security (ok to fix in prod if necessary)

baseline document

establish a known baseline configuration and managing that condition with a baseline document instrument to detect and change management

0-day

exploit that is not publicly know or available

Shallow Packet Inspection

fast evaluates at offset predictable offset locations

dictionary attack

fast password attack method that automates password guessing by comparing encrypted passwords against a predetermined list of possible password values.

deception

fewer legal issues; delays attacker so more time to respond; more likely to id attacker

injection (steganography)

file size can tip off; adding hidden data to carrier file

OneDrive

file storage on Azure (SaaS)

john.pot

file where John the Ripper stores cracked passwords

honeytoken

files and folders set up to deceive attacker and allow for detection of the attack

FIN

finish TCP flag; request tear down of connection

Egress filtering

firewall filters packets when they are leaving the network, prevents replies to probe packets from leaving the network and prevents a firm's infected hosts from attacking other firms

log system prioritization

firewalls and network devices, security devices, servers, databases, applications and desktops

network security devices (3)

firewalls prevention NIDS detection NIPS prevention

init

first process to start PID 1 checks and starts services mounts file systems

Firewall concerns

gap at app layer; encrypted bypass; mgt sees as solution

File generation (steganography)

generate from hidden data; carrier not needed before; produced by stego program; each new input produces new output

endpoint security

goal is to control damage by reducing attack surface needs: asset management, configuration management, change control includes AV, local FW

data classification primary categories

government / military and commercial

grsecurity

gradm utility to manage RBAC set of patches to enhance Linux kernel security MAC with RBAC support file system hardening; kernel audit PaX memory management Trusted Path Execution (TPE)

histogram

graphical representation of the number of occurrences of data in a given distribution of such data

servicing ring

group of computers assigned particular servicing channel with specific update deferral period

intractable

hard crypto problem (factor large integers into two prime factors) also encompasses discrete logarithm problem (el gamal)

rowhammer

hardware exploit; escalate privileges, escape VM, flipping bits in memory

diode data

hardware focused; military / govt; one direction data flow; input anode; output cathode

technical controls

hardware or software installations that are implemented to monitor and prevent threats and attacks to computer systems and services.

vertical market

healthcare, education, IoT, etc

Steganography

hide data in a 'carrier' file or medium; disguise encrypted data; SECRECY

Windows 10 Pro for workstations

high end, 3D, video editing

conceptual design

high level design that includes core components of network architecture | 'black box' I/O | legal, environmental safety | customer experience | multidisciplinary

Program Policy

high level policy sets tone for org security and provides guidance to enact other types of policies and delineates responsibility

detection (stego)

histogram; high entropy = encryption; no universal method to detect stego

/home

home directory for user physically found in /export/home

physical topology

how a network is wired together; includes wifi

threat agents (3)

human or not | organized crime | espionage | hactivist

attribution

id attacker; block country? legal concerns. attacker can defeat with relay attacks and spoofed IPs

data classification steps

id roles | classification and labeling criteria | owner classifies | exceptions | controls | declass destruction procedures | awareness program

vector-oriented defense

identify attack vectors; mitigate or eliminate

Risk Management goals

identify measure control and minimize/eliminate the likelihood of an attack, reduce risk to an acceptable level

algorithm group

if cipher is in a 'group' multiple rounds of encryption does not increase security

Active Directory Global admin

in AD, one for each domain in a forest (ALL POWERFUL IN THAT DOMAIN)

HTTP authN

in headers; basic (base 64 encode) digest: MD5

cut command

in linux cut shows 'cut' of line

Privacy considerations

in relation to integrated systems and data with third parties should be taken seriously Should be outlined in the organization Privacy Policy

message

indicates a system event has occurred

Secure Coding

initialize vars; input validation; error management; least priv; vuln notifications; check 3rd party code; no secrets in code; no admin for server, db access | includes performance and load testing

anode

input in diode system

attacker actions

install programs run daemons and services make outbound connections

ReFS

intended for large storage volumes in RAID array does not support compression

PKI problems

interoperability; certification of CAs; outsource of trust

WDAG

is a feature that allows you to isolate Microsoft Edge at the hardware level using Hyper-V technology to protect your device and data from malware and zero-day attacks like sandbox with no data persistence and no usual browser features

docker

is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.

auditd

kernel level, does not use syslog can monitor all network traffic and file access logs with SELinux

key escrow

key back up keys are managed by a third party, such as a trusted CA.

client-to-client VPN

key distribution problem and difficult to configure, but very secure

reversible encryption

key required to decrypt

Windows Registry

keys - folders | values - files | type data | disable remote registry access

Korn Shell (ksh)

ksh

physical design

last before implementation | all known details | physical components and connections | OS versions

layer independence

layers unaware of each other; security must have visibility into all layers

decoy ports

lead attacker to believe many ports open. more scanning needed. deploy on network device

false headers

leave blank or include incorrect information to deceive attackers about systems

Incident handling phase 6

lessons learned; incident handler reports; meet to review, achieve consensus, report to management, including costs

Caesar Cypher

letter-by-letter method to make a cipher. For each letter, substitute another letter 4 letters ahead. For "a", write "d".

threat hunting plan

limit scope specific goals document effort, outcomes metrics

A ptr record

links a IPv4 address to a FQDN

wtmp

linux log maintains the logs of all logged in and logged out users (in the past). The 'last' command uses this file to display listing of last logged in users

List Based Access Control

list of users and their privileges with access to object

threat enumeration

list threat agents | list attack methods | list system-level objectives

ls -l

lists all contents in long format

LKM

loadable kernel modules; /lib/modules; disable or blacklist modules not needed; dynamically load after boot; disable as risky

blue pill

logical exploit; create false hypervisor with root access

elevate to root (3 ways)

login as root; su to root (no accountability) sudo

btmp

logs failed login attempts

activity summary report - monthly

long term trends; minor policy violation summary; resource usage reports; security tech measurement

network threat hunting

look for lateral movement; assume compromised; C2 (command and control)

vulnerability scanning

look for vulnerabilities associated with discovered systems ports and services

Windows Server (roles)

major piece of functionality: domain controller, IIS, Hyper-V, RDS, VPN, File, Print, DHCP, DNS, RADIUS

bluetooth defenses

make non discoverable; pair in secure environment

session ID

makes stateful; inclues: form element; URL; cookie long and random sign / hash IDs new issued on authN expire / timeout

packet misroute

malware on router sends traffic to evil location or causes routing loops DoS or network congestion

Logical File System

manages metadata - manages the directory structure to provide the file-organization module with the information the latter needs, given a symbolic file name - maintains file structure via file-control blocks - protection

security

managing risk to critical assets; not all risk can be eliminated; track, manage and mitigate

lynis

matches Linux security configuration to regulatory standards e.g. SOX, PCI, etc.

Deterrent Alarms

may engage additional locks or shut doors in efforts to increase intrusion difficulty

alert

message to notify system owner or operator

LISTEN

mode where server has no active connections but listens for client requests

RBAC (Role Based Access Control)

model in which access is based on a user's job function within the organization and determined by role or group assignment

hybrid attack (pwd)

modifies dictionary words in guessing attempts

content discovery

monitor data for restricted info

virtual machine introspection

monitor hypervisor and all VMs

quality update

monthly; aka hot fixes or patches

quantitative analysis

more powerful because based on metrics and typically yields an objective numeric value (often $)

baseline

more specific implementation of a standard; specific mandatory; e.g. hardening guide

Signature Analysis

most common method of identifying EOI on network uses a series of rules and pattern matching to detect and alert

substitution (steganography)

most popular; file size remains same

MIMO

multiple input multiple output (802.11ac); can transmit to many receivers

OS virtual machine

multiple operating systems run independently on the same hardware

Microsoft patching

must patch due to anti trust settlement

ICMP

network layer protocol for diagnostics such as ping. Many DoS attacks use ICMP. block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked. network info (ping); L3; v 4 of 6 (like IP); 3 fields

protected enclave defense

network segmentation with VLANs and ACLs

Nmap

network vulnerability scanner; can perform ping sweeping; TCP/UDP port scans, OS fingerprinting, application version scanning, and script execution

switch

networking device that connects computers together to form physical and virtual networks | handles frames at OSI L2

Edge Browser

no Active X, Java, Flash; HTML 5 SmartScreen filter of phishing, malware sites InPrivate window

windows admin account best practices

no NTLM 1 or LANMANAGER 2 accounts - one for regular activity, one for admin rename 'admin' account

End of Custom support

no further support or update options unless directly negotiated with MS

hash function

no key; one-way function (trapdoor); MD2 - 5; aka 'message digest'; INTEGRITY

virtual sprawl

number of VMs / guest systems too big to manage

tcpdump -c

number of packets to capture before stopping

event

observable and verifiable occurrence

Cryptanalysis

obtaining the plaintext or key from ciphertext to obtain valuable information or pass on altered, fake messages to intended recipients

firewalld

offers trust zones and levels; inbound and outbound rules, IPv4, 6; application whitelisting; puppet integration

password cracking

offline password guessing from exfiltrated file or database of usernames and passwords get plaintext given only encrypted

irreversible encryption

one-way function (hash); hash is stored, not plain text

Windows S

only MS Store apps; can change to full, but not back

Long Term Channel

only available in Enterprise; limits to monthly quality updates never gets features updates (must upgrade entire OS)

session cookie

only for current session; stored in memory; close browser, exits

Debug Programs

only local admin; dangerous (Cain)

Transport mode (IPSec)

only the payload of the IP packet is encrypted and or authenticated

Chef

open source CM; offers more Windows support than Puppet

nodev

option in Unix ignores special device files. Used in areas outside /dev folder to prevent unauthorized system device access

nosuid

option in Unix ignores the set-UID and set-GID bits on executables

cathode

output in diode system

Threat hunting maturity model

p 185

unidirectional gateway

p 72

APT

package manager for ubuntu; install, remove, update, upgrade

firewall types

packet filtering (stateless), stateful, proxy (nextgen)

NTLM

password hash storage system used on Microsoft Windows

Cisco Type 7

password, easily cracked by readily available tools

activity summary report - weekly

perimeter and internal log trends; account activity; host/network device changes; critical attack summary

maintenance (access)

periodic review of user accounts and access | must perform when user changes roles responsibilities

default allow

permissive firewall ruleset in that all traffic is allowed unless it has been specifically blocked. NOT RECOMMENDED

air gap

physical separation of hardware (servers)

telnet

plain text; port 23

file activity monitoring

policy violations

activity summary report - annual

policy; retention; trends; budget; new regulations

ESTABLISHED

port / socket state in which there is an active connection

SSL/TLS

port 443 | encryption protects confidentiality and integrity, verification of server id | client/server agree on best encryption; uses symmetric keys; RSA/Diffie; new key for each request

John the Ripper - incremental mode

powerful, slow; all combinations and lengths attempted can run indefinitely

Rainbow Tables

pre calculated hashes

Incident handling phase 1

preparation; management support; policy; legal and law enforcement, compliance, id team, communications

Firewall

preventive; hardware and software; ENFORCE ORG SEC POLICY; router with filtering; between NIC and PC or public / internal networks

End of Sales

product no longer sold to retailers or OEMs

offboarding

prompt revocation of access

crypto (3 components)

protect data at rest protect data in transit protect keys

PaX

protection against corruption of memory (part of grsecurity)

data dispersion

protects data without encryption through fragmentation

copyright

protects owner; includes year, owner; registration not req'd but good

Authentication Header (AH):

provides assurance of message integrity and non-repudiation. Also provides authentication and access control and prevents replay attacks

Encapsulating Security Payload (ESP)

provides confidentiality and integrity of packet contents. Provides encryption and limited authentication and also prevents replay attacks.

SaltStack

provides public cryptography between configuration server and clients; highly suitable for cloud environments

Steganography (3 types)

provides secrecy by hiding data within data | injection; substitution; file generation

Log correlation

provides the ability to discover and apply logical associations among disparate individual raw log events in order to identify, respond, validate, measure, report

asymmetric key encryption

public key crypto | two keys are used: a public key used only to encrypt data, and a private key used only to decrypt it. key exchange, authN, non repudiation

public internet

publicly accessible system of networks that connects computers around the world

Controls

put in place to close vulnerabilities, prevent exploitation, reduce the threat potential, and/or reduce the likelihood of a risk or its impact

system()

python function that allows for commands to run on the target system

symbolic permissions

r - 4 w - 2 x - 1

precomputation attack

rainbow tables calculated

salt

random value added to plaintext password before hashing to produce unique values, eliminate collisions

WannaCry

ransomware, spread as worm NOT VIRUS; SMB vuln; uses ping, kill, exec commands CIA attack using Eternal Blue and DoublePulsar

semi-public internet

reachable from internet; may have internet access

ro

read only option causes the Unix operating system to prevent writes or updates

reconnaissance

recon: step one; google hacking; find IPs, ports, services, map network (casing a house)

Application behavior monitoring

record normal activity for app, alert when anomaly; detect zero days and worms

accountability

record of subject / object transactions or who did what when

john.log

records how long John the Ripper took to crack passwords

Incident handling phase 5

recovery; do not restore bad code; system owner makes decision to return to ops; monitor closely after redeployment

PC refresh

reinstalls Windows and keeps your personal files and settings

permission

related to a particular object like read access to file

Eternal Blue

remote code execution against Microsoft SMB

absolute permissions

represented in octal (755) and binary (111, 101) - if flag set (1) if flag note set (0) e.g. rwx = 111

swap space

reserved for the full virtual memory space of a process not mounted to LFS

rbash

restricted shell that limits commands available so as to contain users to specific areas of the file system and prevent running certain commands. Often cannot tab complete.

Default deny policy

restrictive firewall ruleset policy whereby access is denied unless it is specifically allowed protect against previously unknown attacks and vulns

risk

risk = threat x vulnerability

fragmentation

router splits packet into smaller packets and sends on | 16-bit flag

routing table poisoning

routers exchange data to build tables; attacker injects bad data

RSBAC (RBAC)

ruleset based access control (e.g. firewall rules)

application-level virtual machine

run an app on its own VM so if compromised cannot compromise other systems

Bastille

runs scripts to harden Linux machines to industry standards; good auditing tool; however, only targets local machine

service branch

same as channel

Symmetric

same key to encrypt / decrypt data

Cryptology

science of interpreting secret writings and codes and encompasses cryptography and cryptanalaysis

scratch data

scratch and intermediate data written to /var/tmp and similar directories

Normal user account

second type of user account after superuser

confidentiality

secure from unauthz access; opposite disclosure; government and healthcare

SSH

secure shell; port 22; user certs, preshared keys

loss controls

security measures implemented to prevent key assets from being damaged.

operation controls

security measures implemented to safeguard all aspects of day-to-day operations, functions, and activities.

transform

security services documented in IPsec | see security association

End of extended support

security updates and paid support no longer available unless custom support

protected enclave

segment of internal network defined by common security policies

layer flow

sender(app -> physical); receiver(physical->app)

middleware

separate private DMZ from private network

umask command

set default permissions for users - deny = allow either with absolute or symbolic notation | (UNIX 666 is default file and 777 for directory)

servicing channel

set delay for application of updates; quality updates up to 30 days; feature update up to 365

claim

set of AD attributes included in Kerberos ticket

Rootkit

set of binaries that gives attacker backdoor to system and helps evade detection often installed in /usr/bin and /sbin dirs. Does not provide root access

NetBIOS

set of connectionless and connection-oriented protocols that make comps accessbile by human-readable names rather than IP *disable - recon threat*

swapon -s

sets the swap area to the file or block device specified by path. swapoff() stops swapping to the file or block device specified by path.

Group Policy Object

settings that define what a system will look like and how it will behave for a defined group of users. You can think of _____ as policy documents that apply their settings to the computers and users within their control.

tcpdump -X

show packet contents in hex and ASCII

tcpdump -XX

show packet contents in hex, ASCII, with Ethernet header

Cold boot attack

side-channel attack related to removing RAM from computer while it still contains encryption key, then reading it on a different computer

Workgroup benefits

simplicity low initial cost isolation local admin for owners

full duplex

simultaneous send / receive for two nodes; Any device that can send and receive data simultaneously.

Hash Collision

situation that occurs when two distinct inputs into a hash function produce identical outputs

NextGen Firewalls

slow; difficult to manage; best security; tears down each layer of packet; process tables aka proxy or application gateway

Windows Server (feature)

smaller functionality, e.g. disk encryption

Ingress Filtering

sniffing incoming packets and discarding those with source IP addresses outside a given range

device

source of security-relevant logs

tcpdump- s

specify number of bytes to capture per packet. default 65535

VLAN hop

spoof 802.1Q tags, attacker can frames to diff VLAN w/o router

Windows mass client upgrade

start 2 years before end of support

cover tracks

step five; delete logs, or - more advanced: modify logs, clear bash history, browser history, registry, temp net files

maintain access

step four; ultimate goal; backdoor, create accounts, covert channels for exfil

gain access

step three; get the shell; social and physical attacks included; system, software, IP blocks, vulns (no one home)

scanning

step two; (knock on door anybody home); ping, nikto, netcat, nmap tools; find ports, protocols and services

messages log

stores valuable nondebug and noncritical messages located in /var/log/messages

sed

stream editor; filter and transform text; supports regex; implicit vs explicit?

Adware

supported software or adware is a form of spyware. Reports general surfing habits and which sites you have visited

AADDS

supports Kerberos, NTLM, traditional DC services

Arbitrary Substitution

swap one character for another arbitrarily; cannot derive key by mapping just one character (as with rotation substitution); vulnerable to freq analysis

su

switch user command; can change to any user with password; /usr/bin/su or /bin/su

DES

symmetric; 64 bit block cipher (56 key + 8 for parity) vulnerable due to small key size

UIDs 1-500 are usually reserved for what kind of users?

system accounts; e.g. NFS nobody; attackers favor these for backdoors

exTended C Shell

tcsh

port 23

telnet

persistent cookie

text file on disk; need expiration date; browser deletes

cryptography

the art of protecting information by transforming (plaintext) into an unreadable format, called cipher text

Tunnel Mode (IPSec)

the entire IP packet is encrypted and or authenticated.

brute force attack

the password cracker tries every possible combination of characters will always recover password given time

Keyspace

the range of all possible values for a key in a cryptosystem the larger the better

utmp

the who of Linux logging

awk

this command can be used to specify the exact record to match based on a particular pattern

uniform protection defense

threats, and protections, treated equally (e.g. FW, VPN, AV) most common approach

Redundancy

to remove the single point of failure

capabilities

token based access privileges

aireplay-ng

tool to attempt to inject and capture traffic from WiFi networks

TTP

tools, techniques, procedures

government data classification scheme

top secret, secret, classified, sensitive but unclassified, unclassified

Endpoint firewall

treat local machine as trusted includes packet filter (stateful) and application control, OS control; file integrity checking (FIC)

collision

two different files produce an identical hash

ICMP fields

type; code; checksum; payload

activity summary report - daily

unauthZ config; service disrupt; intrusion evidence; suspicious login fails; minor malware

OS injection

unauthZ user sends commands to server OS; defend with input validation, define valid inputs

Threat hunting activities

understand threats know network critical data and business processes normal vs abnormal system behavior threat intel indicators of compromise analysis seek root cause respond correlation is critical

Active Directory Enterprise admin

universal (not global), all powerful group with full control over every domain in the forest

mobility disaster recovery kit

unlocked phones sim cards charged batts solar

Network Monitoring

use HIDS to monitor traffic on each network node; costly; myopic; can stop known and unknown attacks

snmp-check

use target IP address and SNMP community string to enumerate system details

private internet

used exclusively within an organization is called an

chown command

used on Unix-like systems to change the owner of file system files, directories

ping

used to enumerate systems during the scanning phase | ICMP command line

Workgroup drawbacks

users bad chaos difficult to manage no centralization (policy and auditing) no SSO no consistent permissions

Asymmetric

uses a key pair to encrypt / decrypt data

John the Ripper - external mode

uses an external program (modules) to generate guesses for algorithms not natively supported

John the Ripper - word list mode

uses dictionary and hybrid can perform substitutions and transformations

Qualitative

uses processes to determine asset worth and valuation to the organization

John the Ripper - single crack mode

uses variations of account name, GECOS, and more faster and used first

Risk Management

using strategies to reduce the amount of risk to an acceptable level

Repellent Alarms

usually sound an audio siren or bell and turn lights on

AV

value of an asset in dollars

info-centric defense

value of info determines defense

cryptographic key

values used to initialize a particular algorithm must be protected at all costs uniqueness and length matters protection growth is exponential not linear

/var

variable, malleable content, including logging, web, etc. set as separate partition for security

Volume Storage

virtual hard drive; data dispersion and/or encryption

Tunnel Mode (IPSec)

virtual tunnel between GATEWAYS Encrypts the entire IP packet sent to gateway (destination) where it is unpacked and routed on

decoy IP

visible but unused IP appear active with open port and vulnerable service appear as real systems to attackers

integrity

vs alteration; banking and finance

availability

vs destruction; e-commerce

Penetration Testing Techniques

war dialing war driving sniffing eavesdropping dumpster diving social engineering

End of mainstream support

warranties expire for the product and it is no longer improved only security patching

sticky bit

was previously used on files in the past to lock them in memory. However, they are currently applicable to directories. This ensures that a user can only delete his/her own files in a directory.

baselining for endpoint security

what is normal? traffic type, volume logs access time, length system config

identity

who you claim to be

ncpa.cpl

windows cmd for network configuration

/tmp

writable directory; good practice is to set sticky bit, or otherwise avoid their use


Conjuntos de estudio relacionados

Kin 236 Exam #2 Learning Objectives and Study Guide

View Set

PNC 1- Exam 3: Collaboration, Leadership, and Health Promotion

View Set

Molecular Bio Test 2: Multiple Choice Questions:

View Set

LUOA World History II - Module 4: Absolutism, Reason, & Revolution

View Set

Completing the Application, Underwriting, and Delivery Policy

View Set

Porth Patho Chapter 35 Chapter 35: Somatosensory Function, Pain, and Headache

View Set